Patching security governance: an empirical view of emergent governance mechanisms for cybersecurity

Date: 11 September 2017
Published date: 11 September 2017
DOI: https://doi.org/10.1108/DPRG-05-2017-0029
Pages: 429-448
Author: Michel van Eeten
Subject Matter: Information & knowledge management, Information management & governance, Information policy
Michel van Eeten is based at Delft University of Technology, Faculty of Technology, Policy and
Management in The Netherlands.
Abstract
Purpose: The issue of cybersecurity has been cast as the focal point of a fight between two conflicting
governance models: the nation-state model of national security and the global governance model of
multi-stakeholder collaboration, as seen in forums like IGF, IETF, ICANN, etc. There is a strange
disconnect, however, between this supposed fight and the actual control over cybersecurity “on the
ground”. This paper aims to reconnect discourse and control via a property rights approach, where
control is located first and foremost in ownership.
Design/methodology/approach: This paper first conceptualizes current governance mechanisms
through ownership and property rights. These concepts locate control over internet resources. They
also help us understand ongoing shifts in control. Such shifts in governance are actually happening:
security governance is being patched left and right, but these arrangements bear little resemblance to
either the national security model of states or the global model of multi-stakeholder collaboration. With
the conceptualization in hand, the paper then presents case studies of governance that have emerged
around specific security externalities.
Findings: While not all mechanisms are equally effective, in each of the studied areas, the author
found evidence of private actors partially internalizing the externalities, mostly on a voluntary basis and
through network governance mechanisms. No one thinks that this is enough, but it is a starting point.
Future research is needed to identify how these mechanisms can be extended or supplemented to
further improve the governance of cybersecurity.
Originality/value: This paper bridges the disconnected research communities on
governance and (technical) cybersecurity.
Keywords: Internet, Governance, Data security
Paper type: Research paper
© Michel van Eeten. Published by Emerald Publishing Limited. This article is published under the
Creative Commons Attribution (CC BY 4.0) licence. Anyone may reproduce, distribute, translate and
create derivative works of this article (for both commercial and non-commercial purposes), subject
to full attribution to the original publication and authors. The full terms of this licence may be
seen at: http://creativecommons.org/licences/by/4.0/legalcode
Received 29 May 2017
Revised 25 June 2017
Accepted 27 June 2017
DOI 10.1108/DPRG-05-2017-0029, Digital Policy, Regulation and Governance, Vol. 19 No. 6 2017, pp. 429-448, Emerald Publishing Limited, ISSN 2398-5038
1. Main paper
In recent years, cybersecurity has been framed as one of “the most important areas” of the
broader “global war” around internet governance (De Nardis, 2014, p. 88). Mueller (2017)
characterized it as a battle between two conflicting governance models: the nation-state
model of national security and the global governance model of multi-stakeholder
collaboration, as codified in global and transnational institutions like IGF, IETF, ICANN, etc.
Other authors also observe processes of “securitization” and “militarization” at work (Hurel,
2017). Cybersecurity threats are interpreted in terms of foreign policy and military conflict,
which enable state actors to encroach on cooperative forms of global governance. To
Mueller (2017), the danger is clear: “the equation of cybersecurity with state responsibility
and national security/military responsibilities means that a large chunk of global Internet
policy making is in danger of being pushed out of the open, multistakeholder model”.
There is a strange disconnect, however, between this so-called battle and the actual
provisioning of cybersecurity “on the ground”. While the trend of militarization can be
clearly observed in the policy discourse on governance, the same cannot be said of the
actual governance of the networks, systems and services that make up the internet.
Remarkably little has changed in the past decade, with one important exception: offensive
operations by nation states. Headlines alone are enough to see this shift. The Snowden
revelations have exposed a plethora of offensive operations by the USA; the attacks on
Sony, the Bangladesh Central Bank and the Wannacry outbreak have been attributed to
North Korea; the Chinese intelligence services have been observed hacking NGOs; and
the attack on the DNC during the US elections has been attributed to Russia. States are
now widely seen as one of the most dangerous threat actors.
Offense is not cybersecurity, however – it is the opposite: cyber-insecurity. On the side of
defense, we have not seen changes of even remotely similar magnitude. In the West, at
least, the actual policies of states to protect the internet – or perhaps, one should say,
“their” internet – are still remarkably hands off. National cybersecurity strategies still rely
heavily on voluntary action of the private actors that operate the networks, systems and
services that are loosely summarized as “the Internet”. Public-private partnerships have
been the go-to phrase for at least a decade now. Around this core tenet, a few new
developments have emerged, such as intelligence agencies sharing information with
selected private companies, mandatory breach notification laws, centralized information
sharing mechanisms and sectoral regulation in health and finance requiring the adoption of
basic security standards. These do not qualify as a proof of militarization or securitization
in the governance landscape, however.
Beyond actual changes, there even seems to be a dearth of concrete policy proposals in
the direction of increased state control. To illustrate: US President Trump, who has come to
power on a decidedly nationalist platform, has not put forward an alternate, more
state-centric approach. His recent “Presidential Executive Order on Strengthening the
Cybersecurity of Federal Networks and Critical Infrastructure” has been widely
characterized as a continuation of this status quo. Also note the rather narrow scope
articulated in the title: federal networks and critical infrastructure. That puts out of scope
most of what is commonly understood as the internet. Few people would argue that these
two areas – the government’s own systems and critical infrastructures like energy and
transportation – are not within the purview of state regulation.
What about the earlier draft of Trump’s executive order, though? Was that not evidence of
a push for militarization or more state control? It is not clear. Yes, the language seemed to
provide legitimacy for a larger role of the state. But legitimacy for a role is not the same as
instrumenting that role, let alone actually performing the role. This is more than an
academic distinction. Look at the discrepancy between the alarming description of the
security threats faced by the USA and the actual actions proposed in the earlier draft order:
a series of reviews.
In short, there is remarkably little evidence of a government takeover of internet governance
in the name of security. In this light, the so-called “global war” or “battle” over cybersecurity
governance looks rather confusing. What is it really about? To a certain extent, it seems to
confuse talking about governance with actual governance.
This paper has a threefold aim. First, it distinguishes between governance as discourse
and governance as control. The “war” is taking place at the level of discourse, which is at
best loosely coupled to actual control over resources, systems and services. Second, the
paper asks: how is cybersecurity governance actually changing? It defines governance as
policy-driven control over internet resources, systems and services. As control emanates,
first and foremost, from ownership, we can rephrase the question to: how are property
rights changing because of security threats, and vice versa? Third, the paper surveys a
range of empirical case studies to study how the institutional landscape of security