The set of threats emerging in cyberspace blurs the boundaries between several areas, which traditionally were considered to be distinct fields of policy and regulation. First of all, the division between internal and external order [10], and as a result of the dichotomy of internal and external policies [11], is being undermined due to the transnational nature of cyberspace. Traditionally, maintaining the public order required law enforcement and criminal justice for internal order and military force and international agreements for mitigation of external threats [10]. Cyber-threats, which can originate from abroad or from the same city and target both external and internal order, are sometimes very hard to be clearly attributed to one of the policy domains.

Secondly, this complexity further increases with the blurring borders between the fields that traditionally used to have a clear distinction: civil defence, military defence and criminal justice (law enforcement) [11, 12]. The fading of boundaries in this field has been caused by the change that cyberspace brings to the concept of aggression and crime. The traditional notion mostly referred to aggression and acts committed in the physical world for both crimes and war. In the case of breach of criminal law, there was a clear domain for criminal justice and policing to prevent crime and to prosecute the offender with the ultimate dominance of reactive approach [8]. This sphere of responsibility was clearly defined by the statutory regulation. It mostly required application of the national law of the sovereign state, and, if there was international component, collaboration between law enforcement agencies across the borders. Mutual legal assistance treaties were mostly enough as a mechanism for assistance in the case of cross-border crime.

The same concept of physical aggression played an important role in the field of war conflict between the states. Brenner [10: 403] highlights that “war is unambiguous in the real-world because it is unique; only nation-states can summon the resources needed to launch a physical land, sea, or air attack on another nation-state”. Aggression for the purpose of military defence meant a physical attack or a threat of it, referred to the territorial issues. This concept allowed for defining the regulatory and policy domain responsible for defence and the applicable legal regime in the case of war.

However, nowadays, because of the anonymity of the Internet and the blurring borders between state and non-state actors, it is much more difficult to make a clear distinction both for the purpose of prevention of and reaction to the cybersecurity threats. States can initiate cybercrimes and cyber-espionage, politically motivated individuals can launch cyberattacks that cannot be attributed to any foreign governments and organised crime groups can tackle businesses to the degree that make it a threat to economic well-being of the nation. The questions that rise in this regard still remain unanswered. How to attribute the cyber-espionage to a particular state? How to distinguish prevention of hacker attacks, which are not backed by state parties (hacktivism) or from state-organised cyber-aggression? Does cross-border surveillance or breaking into the networks carried out by a foreign government constitute a crime or an act of aggression or is there no legal regime applicable to this kind of behaviour?

Theoretically, the domains can be distinguished based on the nature of threats and approaches to addressing them. One of the ways to draw a line is the “two-stream” model suggested by Maurer [13]. His research differentiates two international (on the level of the UN) approaches to the cybersecurity issues: the politico-military stream and the economic stream. The former refers to the use of information technologies for undermining international stability, and the latter includes the criminal misuse of information technologies [13]. This distinction is further supported by Jang and Lim [14], who discuss two main common approaches to the cyber-threats: security-oriented approach that considers cyberattacks as a threat to national security and law enforcement approach that brings the issue of attacks to the domain of criminal justice. The former relates to the efforts to deter and prevent, and the latter focuses on investigation, attribution and prosecution.

While this distinction certainly exists and, moreover, allows drawing a line for the purpose of this analysis, some of the types of “crimes” are debatable concerning how they fall into either economic crime or national security category. For example, while economic espionage can be attributed to cybercrime [14] when it is profit-driven, there are growing concerns that this type of spying on companies can threaten national security, especially when committed by state-sponsored actors [15]. In May 2014, US Department of Justice charged five Chinese citizens with hacking into the networks of the US companies. The indictment linked the espionage to the Chinese government and named members of Unit 61,398 and identified them as the members of the Shanghai-based cyberunit of the People’s Liberation Army.¹ This has been the first attempt so far to attribute economic espionage to people “behind the screen” and, moreover, to link the acts not only to particular people, but also to the foreign government. It is outside of the scope of this chapter to make political or legal judgements of this case. However, it does show how the borders between the “national security” stream and the “crime” stream are blurring.

Another example of the efforts to bring national security case to the domain of criminal justice is the investigation into electronic mass surveillance of EU citizens carried out by the Committee on Civil Liberties, Justice and Home Affairs of the EU Parliament. At one of the hearings on the allegations of NSA tapping into the SWIFT database, issues were raised with regard to the involvement of Europol in investigation of the NSA activities and the mandate of Europol in cybercrime investigations. Answering the questions, the Director of Europol, Rob Wainwright, stated that, firstly, no EU member state had made a request to investigate NSA activities, and, secondly, Europol has no mandate to investigate any state espionage allegations. As a result of the inquiry, the European Parliament adopted a resolution of 12 March 2014 “On the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs [2013/2188(INI)]” calling for the “full use” of the mandate of Europol for requesting the competent authorities of the member states to investigate cyberattacks with cross-border impact and, if necessary, enhancing this mandate to allow initiation of Europol’s own investigations.² In addition to illustrating the tension between mandates of criminal law and national security, this case constitutes yet another attempt to bring two domains together and investigate the national security threats under the mandate of criminal justice.

Some of the experts even say that the distinction is not relevant anymore because the focus should be put on the methodology of the attacks, targets and consequences [12]. This assertion can, to some extent, be true concerning the tools and consequences of the attacks, especially for the private sector in relation to damage control and risk mitigation [3]. However, there is still a relevance of drawing if not clear, but a cleaner line between law enforcement and national security to clarify the “ownership of cybersecurity” [4] to understand which entities should deal with the incident: national security agencies, military or law enforcement [8].

One of the possible options to make a relevant distinction is a criminal attribution. However, attribution also represents a certain challenge due to anonymity of the Internet. Evidently, it is only attribution that can provide the information on whether the source of attack is a criminal or a state actor and define the domain of criminal justice and national security according to the nature of the threat [3]. Yet there is one factor that is difficult to find out, namely motivation of the criminal. Motivation plays an important role: a person behind the cyberattack might be stand-alone criminal backed up by the government or politically motivated hacktivist, or someone with terrorist motives.

Does attribution help to separate domains for the purpose of providing cybersecurity? On one hand, it might be (theoretically) useful to use the attribution for distinguishing different types of security threats, such as national security and crime—this will at least allow defining the domain of cooperation such as criminal justice/national security. On the other hand, attribution itself is in many cases difficult, if not impossible because of the anonymity of the Internet and its transborder nature. Furthermore, attribution requires some efforts of investigating the attack. It means that in order to be attributed and to fall within one of the domains, be it national security or law enforcement, the attack should be investigated first, but it is unclear whether law enforcement or national security entities have to carry out the investigation. Thus, the question of attribution, though being very important for practical purposes—from investigation and prosecution of cybercrime to identifying the risk trends and developing adequate responses in the national security area—can be only of theoretical importance when it comes to drawing a clear distinction between different domains.

It is evident that, despite all the attempts to draw distinction between security mandates using the concepts of criminal law, law of armed conflict and public international law, the whole concept of cybersecurity does not fit traditional concepts used for this distinction [6]. There is a complex set of factors, which assigns a particular problem to the law enforcement or to the agencies responsible for the national security: seriousness of the threat, possible consequences and the scale of the particular problem, just to name a few. Moreover, both national security and crime control bodies may consider the same cybersecurity issue from different angles as a part of their domain. Again, one of the good examples is the risks associated with the use of botnets: they are considered to be a concern for law enforcement agencies because of being used for commission of profit-driven crimes and for national security agencies due to the role they can play in politically motivated attacks and economic espionage [7].

The uncertainty, which arises from the blurring borders between cybercrime and national security, has negative effects on the progress of the public–private collaboration in the field of cybersecurity on both policy and operation levels. With blurring borders, ambiguous domains, absence of clear definitions of what crime and cyberwar are and attribution issues, it is hard to develop successful frameworks for collaboration. To understand clearly which private entities and in what way should be involved in addressing particular problem, it is necessary to have an idea which government entities are responsible for a particular issue.

There have been attempts to distinguish domains by, for example, identifying priority areas, like it has been done by the EU Cybersecurity Strategy, which sets several priorities: achieving cyber-resilience, reducing cybercrime, developing cyber defence policy and capabilities; developing industrial and technological resources for cybersecurity and establishing a coherent international cyberspace policy. This division is pretty much in line with the distinction made in academic literature for example, Klimburg [16] distinguishes several mandates in national cybersecurity: military cyber, countering cybercrime, intelligence and counter-intelligence, critical information infrastructure protection, cyber diplomacy and Internet governance, with each of them being addressed by different departments within the nation state. Klimburg [16] argues that despite the fact that the areas of cybersecurity represent different facets of the same problem, each of the fields has its distinct focus and lexicon.

Further difficulties arise from lack of the agreement on what constitutes cybersecurity and what this term actually encompasses. There is no internationally accepted definition of cybersecurity (for example, EU Cybersecurity Strategy does not define it), so the understanding of this term differs from one nation state to another. Cybersecurity can be referred to as a broad concept, which includes security both in online and offline world, or narrowed down only to online safety [17]. Confusion might grow when the meaning of cybersecurity is limited to safeguards and actions to protect networks and information infrastructure with regard to their integrity, availability and confidentiality (CIA crimes). For example, some studies [18] in this regard contend that cybersecurity should be focused on technology-based and code-based threats and should be limited to the crimes that are committed against computers (CIA crimes) and with exclusion of the crimes, which are merely facilitated by the use of computers. If we apply this theory to the public–private collaboration in cybersecurity, the concept of CIA threats covers a wide range of activities related both to civilian and military fields. However, it excludes some very important forms of cooperation related to the illegal content crimes such as online child abuse images and terrorist content. Illegal content does not represent a technical cybersecurity threat since it does not interfere with networks and systems. However, hardly anyone would debate the importance of the fight against child abuse. When cooperation in the field of cybersecurity is limited to technical threats only, a wide range of activities can be excluded and overlooked despite the fact that the initial involvement of the private industry in fighting cybercrime started with creation of hotlines for removal of child abuse content.

Collaboration in the field of cybercrime does not always include technical aspects of cybersecurity and protection of networks and systems. For example, fighting online child abuse, despite the requirement of technical knowledge and use of the technical tools for investigating crimes and detecting offenders, has different object of legal protection than technical security of the networks and vice versa, not every cybersecurity effort would be related to cybercrime. Investigation and prosecution of crimes as a domain of law enforcement will represent just a narrow field in this complex issue of cybersecurity in addition to bringing criminal acts of committing the cyberattacks to criminal justice domain, the efforts of different stakeholders in cybersecurity ecosystem will include deterrence, network resilience, collection of information on the type of attacks, attribution to the source without prosecution, just to name a few.

This book chapter approaches the issue of public–private collaboration from a broad perspective and focuses on different forms and areas of cooperation, including tackling the problem of cybercrime, protection of critical information infrastructure and national security. For the purpose of this analysis, the first area—cybercrime—covers not only crimes committed against confidentiality, integrity and availability of computer systems, but also content crimes (such as child abuse images and terrorist content) and any other types of crimes committed online. Public–private cooperation in this field can be attributed to “criminal justice domain” and includes prosecution, investigation, detection and an early disruption of crimes committed online, be it crimes against confidentiality, integrity and availability of data or computer-facilitated crimes or crimes related to illegal content. Collaboration in this area is based on the criminal law and criminal procedural law, legal frameworks on the liability of the intermediaries and partially on preventive police law.

The second area of cooperation is the involvement of the private sector in national security. As a distinct field from the criminal justice, it refers to collaboration between industry and governments on such security concerns as politically motivated attacks, economic espionage and serious threats. The third field is alliances between private stakeholders and regulators on cyber-resilience and critical information infrastructure protection. The distinct feature of this area, though it can be considered as part of national security concerns, is that the threats for critical information do not necessarily involve malicious intent. Critical information infrastructure protection includes resilience to weather disasters, technical failures and human errors.

It is hard to separate these three fields clearly, because they are overlapping. However, with this separation (even if the borders are blurring), a certain field of regulation can at least be distinguished and attributed to the particular agencies depending on the country: cybercrime to law enforcement, national security to the governmental bodies such as foreign ministries and intelligence services and critical information infrastructure protection to certain type regulators.

Another important factor is that the same private stakeholders can play multiple roles: one global service provider or financial institution can be a part of public–private partnership programmes in all three areas. For example, such global service providers such as Microsoft and Google are the owners of their internal technological infrastructure, providers of services to their customers, personal data controllers and processors; they can participate in ad hoc cooperation with law enforcement agencies on investigating a particular case, or collaborate on capacity-building programmes, or get involved in the analysis of the threats related to national security.

The participation of private industry in all three fields is necessary but has different dimensions and consequences. While there is a widely accepted notion that government cannot and shall not be expected to fight cybercrime and provide cybersecurity alone, there is a common misunderstanding about the role of the industry in the aforementioned fields, and, as a consequence, unmet expectations and the failure of leveraging good practices and core competences from one area to another. The fundamental problem is that distinct laws regulate those fields and the role of the industry would be different for each of these areas. While many public–private collaboration initiatives reached some degree of success in the criminal justice domain, they cannot yet enjoy the same level of success in the national security field, which tends to be less inclusive. Misconceptions arise when the areas of regulation are mixed, because national security tends to have higher political priority, less number of stakeholders involved in decision-making process and less transparency. According to the study carried out by OECD [19], businesses and civil society are concerned with the trend of increasingly blurring borders between national security and economic/social security and warfare semantics, because this absence of separation can bring “challenging consequences”, such as additional burdens, lack of transparency and less openness.

Until the beginning of 2000s, governments and law enforcement agencies mostly had to intervene only when information security failed and crime happened—the main agenda for the public sector was to criminalise the new types of threats, such as crimes against confidentiality, integrity and availability of computer data and systems, to equip law enforcement agencies with tools—both technical and legal—to investigate and prosecute the new types of infringements and to harmonise substantive criminal law and procedural frameworks on the international level to avoid creations of safe havens for cybercriminals. On this stage, industry was considered mostly as collaborator for investigations or for taking down illegal content online, and it was mainly the ISPs who got involved as a focal point for cooperation. With the growing number of Internet users and, as a result, increasing cybercrime rates, it was obvious that centralised state intervention can often fail to address the problem, because criminals can easily bypass traditional regulatory frameworks in transborder cyberspace [20: 1]. Due to the low reporting rates of cybercrime and cyberattacks [21: 69], it became extremely difficult for governments and law enforcement agencies to detect cybercrime on their own: due to the lack of resources, they could do little more than investigate and prosecute only a “tiny fraction” [22: 5] of cybercrime, let alone follow the complex and constantly changing landscape of cyber-threats. As a consequence, states are increasingly engaging in partnerships with the private sector to tackle cybercrime [23, 24], and co-regulatory and self-regulatory measures were sometimes appraised as being even more effective than criminal law and its enforcement [25]. This trend started in the 1990s with the creation of the first private hotlines for reporting illegal content, mainly related to child abuse, as it will be discussed in Chap. 2 of this edition. Nowadays, self- and co-regulatory approaches exist in many areas of fighting cybercrime both on national and international levels.

However, till the end of the 1990s, when the threat of the millennium software bug attracted a lot of attention, the concept of “cybersecurity” as well as the term itself was not common [16: 12]. National governments were busy struggling with applying old legal frameworks to fighting cybercrime, striving to find new models to involve the private stakeholders in cooperation and trying to define the borders of responsibilities of the intermediaries for illegal content, were mostly leaving the issue of cybersecurity with regard to securing networks and infrastructure to the private sector. One of the important aspects, which set the paradigm for this approach, was the fact that with the commercialisation of the NSFNet in the 1990s, the US government moved the development and management of the infrastructure to the business and non-profit organisations and applied hands-off model to the internet governance, leaving the governance of the domain name system to the private entity—ICANN [26, 27].

The whole development of the Internet was dominated by commercial interests and market forces and followed by the principle of imposing no regulation for the sake of faster development. In this context, the private sector was considered to have enough knowledge and experience to provide security of its networks. Moreover, the private entities were in general opposing any attempts to regulate the Internet because of the general perception that regulation is too slow and government intervention can hamper the development of new technologies [27]. This approach has proven to be a great success for the evolution of the information and communication technologies: in just a few years, industry has developed fast and cost-effective solutions for providing connection and services. Internet boosted economic growth, penetrated all the areas of social life and economy, and, ultimately, became an essential part of everyday life and—as a turning point—brought the growing dependency on information infrastructures. This interdependency of different critical infrastructures, both public and private (banking, energy supply, information technologies, etc.), and their increasing dependence on information networks, which made them vulnerable to crimes and attacks [28, 29], dramatically changed the cybersecurity landscape. New types of attacks such as botnets, where automation plays an important role, brought complex challenges for prevention, detection and investigation of the new types of crimes and new concerns about the possible drastic effects that even a short disruption of the functioning of critical information infrastructures can have. This can be considered as a turning point with regard to reconsidering the role of the governments in cybersecurity field and recognising the cybersecurity issues as one of the high priorities on political agenda.

The consequences of these developments are twofold. On one hand, this increasing complexity drove the development of the new cooperative models for addressing the new challenges and shifted focus from cybercrime and reactive approach (investigation and prosecution) to a far-reaching concept of cybersecurity, which includes also proactive measures such as prevention, detection, awareness raising and information sharing. On the other hand, the pictures of catastrophic scenarios “have produced a rush to regulate cybersecurity” [6]. A possibility of a failure and drastic consequences made policy makers question the reliability of hands-off regulation and consider stronger involvement of the governments into the provision of cybersecurity [26].

This transformation has changed the scene of addressing the problem of cybersecurity into a “complex policy issue, which requires solutions at various levels, both national and international, and by means both non-governmental and governmental” [18]. The ecosystem of cybersecurity itself poses a big challenge: the fast and mostly unregulated development of the information and communication technologies resulted in the “existence of myriad actors in the information security field” [30: 143]. The complexity of this ecosystem raises new issues of determining roles and domains of different stakeholders involved in tackling cybercrime and securing a safe cyber-environment. The growing number of Internet economy intermediaries—not only ISPs but also e-commerce and m-commerce companies, e-payment providers, application developers and software vendors, critical information infrastructure operators and others—became “critical nodes” for preventing and investigating cybercrime and safeguarding security of their systems and networks in their respective sectors [31: 196]. Whether governments want it or not, the fact that cyber infrastructure was built and is owned by private sector and the whole structure of decentralised networks and their history of non-hierarchical regulation make the cybersecurity ecosystem a flexible multi-stakeholder environment with no single entity on the top which can control and manage the processes. The idea that no single government can provide cybersecurity using only its own capabilities without involving private sector has thus become “conventional wisdom” [32: 85].

However, despite the general agreement that governments on their own can make only “poor enablers” of cybersecurity [33] and call for cooperation and multi-stakeholder approaches, there is no clear idea with regard to the models of cooperation. Technical complexity of the digital ecosystem, heterogeneity of stakeholders involved in different layers across jurisdictions, blurring borders between external and internal policy and public and private matters and absence of clear distinction between law enforcement, civil defence and military defence create the situation of regulatory uncertainty which delays the development of effective regulatory solutions [11, 34, 35]. Due to the convergence of services and uncertainty of legal regimes applicable to different cyber-threats (crime, national security, intelligence), regulatory spheres can superimpose and mandates of different agencies dealing with cybercrime and cybersecurity can overlap. Until now, there is no widely accepted model of the distribution of regulatory responsibilities in the ecosystem of cybersecurity answering the question who shall regulate and what [36]. For example, despite the current attempts of the European Union to create homogeneous approach to cyberecurity, the system of mandates of different stakeholders and regulatory bodies in this field in the EU looks like an extremely complex puzzle, where “no-one…has a clear understanding of how all the different pieces fit together” [37: 17]. The international dimension of a problem and the fact that national states can have conflicting security interests further contribute to the increasing complexity of the regulatory challenge [38, 39: 430].

Bearing in mind this uncertainty of regulatory domains, some studies suggest that the new models of regulation should be developed to address cybersecurity problems. The World Bank Group [40: 3–4, 41] suggests that the ecosystem of cybersecurity is moving to the network model: it suggests that instead of focusing on institutions and functions (who shall do and what), the focus has to be shifted to the processes (e.g. fighting SPAM or creation of computer emergency response centres), procedures and information flows between different institutions. Network model refers, instead of specific agencies, to bodies (nodes) performing different functions in the ecosystem of cyberseurity and sharing—formally or informally—information and practices. The network model of the cybercrime and cybersecurity ecosystem, where hierarchical structures of governance are not applicable any more or have to be complemented, raises the challenge of creating better regulatory approaches in which the central question is, how cooperative governance can achieve the desired outcomes of reduction, detection and investigation of crimes. Dupont [34] refers to the “nodal” regulation and the concept of regulatory pluralism which is based on the belief that “by relying on diverse, complementary and self-reinforcing regulatory instruments, policies can be implemented in a manner that is more responsive to the specific context, resources and constraints of a particular sector” as to one of the possible ways to address cybersecurity problems. Gercke et al. [36] and Tropina [42] suggest the concept of “smart regulation”, which will be able to analyse the threats, to detect if intervention is needed and to develop new tools for dealing with the problems instead of applying old means that were not meant to regulate a decentralised environment. All these models assume that the gap between traditional models of governmental intervention and complex technological environment can be bridged only by approaching it with the new flexible cooperative models that include both public and private stakeholders and can combine the nodes of both legal and extra-legal regulation and facilitate the “reflexive and cohesive approach” [43: 19] to cybersecurity—necessary in a transnational decentralised network world.

While national governments have the power to establish and enforce legal and regulatory frameworks, the private sector understands the changing and converging nature of the ICT environment and has greater adaptability towards new technologies and services. Private actors have more expertise and resources and possess the necessary knowledge to investigate cybercrime and single out relevant cybersecurity threats, analyse them and produce an adequate response to them [11]. The private sector’s knowledge and adaptability complement the resources and expertise of the government in the enforcement of criminal law, crime investigation and governments’ mandate in foreign policy and diplomacy.

However, despite the clear need for mutual support between the governments and the private sector in cybersecurity and cybercrime field, the “ways and means of this assistance are fiercely debated” [16