© The Author(s) 2015Tatiana Tropina and Cormac CallananSelf- and Co-regulation in Cybercrime, Cybersecurity and National SecuritySpringerBriefs in Cybersecurity10.1007/978-3-319-16447-2_1
1. Public–Private Collaboration: Cybercrime, Cybersecurity and National Security
Max Planck Institute for Foreign & International Criminal Law, Freiburg, Baden-Württemberg, Germany
This chapter analyses theoretical and practical implications of different forms of self- and co-regulation in the field of cybersecurity. In the past decade, the approaches to cybersecurity and critical information infrastructure protection have been based on the notion of the necessity for public–private collaboration, multifaceted strategies and recognition of the significant role that industry plays in securing the information networks. However, with the raise of cybersecurity on the top of the policy agenda, many governments and academics are concerned with the possible failure of the private sector in delivering acceptable level of security in the information networks without governmental intervention. This shift of the concept has lead to the proposals to legislate cybersecurity in the form of mandatory reporting of security incidents and obligations to share information, security standards and compliance procedures. One of such proposals is currently being discussed as EU NIS directive. These developments raise many concerns about shifting the balance in cybersecurity from bottom-up voluntary approaches and collaboration to a heavier regulation. This chapter argues that this turn can have negative consequences and that the best way to provide cybersecurity is the evolvement of the existing channels for collaboration and building trust between industry and governments.
The ecosystem of fighting cybercrime and maintaining cybersecurity nowadays consists of interdependent international and national actors linked to national information infrastructure networks and services, including financial and banking systems, energy supply and communication networks. The overall development and innovation of the ICT networks has been, and is largely, dominated and controlled by private industry with little or no regulation or statutory intervention involved. As a result, private rather than public actors often fund, manage and run Internet and communication networks, including critical information infrastructure. This situation calls for new cooperative models of regulation and enforcement between governments and private industry on different levels—national, regional and international. It raises the challenge of developing effective approaches to co- and self-regulation to address offences in cyberspace and make information infrastructure resilient and safe.
With the technical, legal, business complexity of the environment, cybersecurity regulation looks like an intricate riddle. International organisations, national governments, academics, businesses and technical communities are trying to bring the pieces of this puzzle together and reach an agreement on how and who should regulate and protect the cyberworld. Though there is a common understanding that governments cannot supply an adequate level of cybersecurity and fight cybercrime on their own without an involvement of the private sector, there are still fierce discussions on how the industry shall be involved, what is the role of the direct government intervention in this regard, whether the industry should be encouraged or coerced to cooperate and if multi-stakeholder bottom-up approaches can guarantee an adequate level of security of the information networks. The policy dilemma continues brewing without clarity: with all the efforts taken to find a solution to a cybersecurity regulation in the recent years, there is neither a general agreement nor clear answers. The current state of cybersecurity regulation looks like a patchwork of solutions found out rather as a response to the urgent problems than any structured approaches.
Since the 1990s, with the involvement of the Internet service providers (ISPs) to the voluntary cooperation on fighting illegal content online, many forms of public–private collaboration, such as hotlines, industry codes of conducts, awareness raising programs, cooperation agreements between industry and the governments and—later—some successful attempts to establish wide-national cross-sector cooperation in some countries gave a promise of the possible supply of cybersecurity in a form of public–private partnerships. In this regard, the common notion, which dominated in the past several years on the policy making and business level, is that cybersecurity and critical information infrastructure protection require public–private collaboration, multifaceted strategies, hands-off regulation and recognition of the significant role that industry plays in securing the information networks. However, the raising dependency on critical information infrastructures and concerns about the consequences of possible disruptions to the point of catastrophic scenarios made a turn in the policy making and made for the calls for hierarchical top-down command-and-control solutions. The recent discussions and legislative developments, especially on the level of the EU and its member states, raise many concerns among industry and academics about shifting the balance in cybersecurity from bottom-up voluntary approaches and collaboration to a heavier regulation. The rationale behind the attempts of some governments and supranational organisations like the EU to find a regulatory solution to protect critical information infrastructure and the safety of the citizens online is quite reasonable. Cyber-threats have become a reality, and they can possibly have drastic consequences. However, there is still a debate if the move away from voluntary collaboration to a statutory intervention could have even more negative effect to the supply of cybersecurity than no regulation at all.
The current policy and academic discussions in context of the new regulatory developments are mostly debating the issue of the efficiency of public–private partnerships. What gets missing and overlooked in this debate is that there are other forms of co- and self-regulation that have proven to be successful models of industry involvement in cybersecurity. Existing channels of cooperation, information sharing and enforcement might still be in their infancy, suffer from imperfections and be in a need for improvements. However, any debate on whether self- and co-regulation is efficient should, first of all, take into account the existence of different forms of collaboration in addition to public–private partnerships, and, secondly, recognise that cybersecurity includes different domains and areas, which require complex solutions. There is no single “one-size-fits-all” approach.
This chapter analyses the current and potential approaches to self- and co-regulation in fighting cybercrime and providing cybersecurity. It analyses different forms of cooperation—from ad hoc and accidental collaboration to the structured approaches. Furthermore, it examines the issue of the balance between hands-off regulation and statutory intervention and analyses the problems and drawbacks of different forms of regulation.
Section 1.2 of this chapter discusses misconceptions related to the terms “cybercrime”, “national security”, “cyberwar” and consequences of the lack of clear distinction between them. It frames further discussion on the self- and co-regulatory measures in the field of cybersecurity by referring to various domains of regulation and highlighting the problems, which arise from the blurring borders between law enforcement and civil and military defence.
Section 1.3, firstly, provides insights into the historical development of co-regulation and self-regulation as forms of public–private collaboration against cybercrime in the multi-stakeholder environment. It refers to the evolving nature of cyber-threats and explains the complexity of the cybersecurity ecosystem. Secondly, it analyses the differences between theoretical approaches to self- and co-regulation and practical implications of public–private collaboration. Thirdly, it analyses the emerging trend of legislating cybersecurity.
Section 1.4 examines existing types of collaboration between governments and industries at the national and international levels, such as national public–private cybercrime platforms, public–private partnerships on tackling particular problems, industry codes of conduct and emerging models of wide-national and international public–private cooperation initiatives in cybersecurity.
Section 1.5 discusses the problems that existing forms of public–private collaboration may encounter. One of the main issues covered in this section is the degree of governmental intervention and the disadvantages of the recent turn from collaborative bottom-up approach to the statutory intervention. It expresses concerns that the shift from encouraging voluntary collaboration to coercion is a dangerous setback in fighting cybercrime and maintaining cybersecurity. Furthermore, the section analyses such problems of public–private cooperation as limitations related to the mandate of the governments, human rights and safeguards, transparency, accountability, costs and incentives. Finally, the section concludes with answering the question where governmental intervention is an option for making cyberworld safe and secure.
1.2 Cybersecurity, Cybercrime, Cyberwar? Terminology and Misconceptions
Public–private collaboration in the field of cybersecurity includes many private stakeholders involved in a broad range of activities—from hotlines for takedown of illegal content to wide-nation programmes on critical information infrastructure protection, from ad hoc collaboration on tracing child abuse online rings to the jointly funded projects on botnet mitigation. However, despite the success of many of the public–private cooperation projects, there are currently debates about inefficiency of the public–private collaboration and the need of tougher regulatory schemes in cybersecurity. Sceptical voices are mostly raised because of national security concerns. While in the field of fighting cybercrime there is a general agreement that public–private collaboration is the only way to tackle various form of online criminal activity, the discussions on public–private partnerships in cybersecurity are bringing and supporting the opposite point of view: according to some studies, industry is rather reluctant to participate in joint activities, the goals of the public and private sectors are not matching, and public–private partnerships have more limitations that benefits. This discussion will be further addressed in the chapter on the forms of government intervention. However, before starting any debate, it is necessary to understand which domain the “cybersecurity” cooperation actually belongs to. The mixed opinions about benefits of public–private partnerships in cybersecurity come from the misunderstanding of the fact that such partnerships are operating in distinct areas that represent different, though overlapping due to the nature of cyberspace, domains of various governmental bodies.
As is it pointed out by Nye , despite the attempts to picture a cyberspace as an “ungoverned lawless Wild West” [1: p. 14], the cyber domain involves various forms of regulation—from strict forms such as government-lead control by the means of criminal law and criminal procedure law related to cybercrime to multidimensional multi-stakeholder forms of governance such as ICANN and Internet Engineering Task Force. Cybersecurity is one of the domains where frameworks for governance do exist, though being managed by different public and private stakeholders. The problems of collaboration in providing cybersecurity arise because the security of information networks is a very complex and multifaceted matter, which has, depending on the field governed, different dimensions and various implications for the governance.
One of the biggest issues in any cybersecurity governance debate is the use of the generic term “cybersecurity”. This “umbrella” term can conflate security problems that might be similar in their technical nature but will have very different consequences in terms of law and regulation and, thus, different set of solutions . The cybersecurity-related terms, such as “cybercrime”, “cyberwar”, “cyberattack” and “cyberterrorism”, in the absence of a clear consensus with regard to their meaning and relative novelty of these terms, are used interchangeably  and “with little regard for what they are meant to include” . This practice creates confusion and misunderstanding as to what the issue actually is and which form of legal and regulatory response shall address it. “Sensationalisation”  and exaggeration [5: 2] of certain cybercrimes which come from the overuse of terms such as “cyberwar” and “cyber-weapons”, the tendency to “view the situation in catastrophic terms” , further contribute to the confusion in distinguishing law enforcement and national security domains.
This perplexity has negative consequences for public–private collaboration, because the forms of cooperation, which are successful in one of the areas of law and regulation, can fail or can hardly be leveraged to another domain. The areas of regulation, such as law enforcement, civil defence and military defence, do overlap because of the nature of cyberspace; however, confusing them can cause misinterpretation with regard to the goals of collaboration, set of stakeholders involved and incentives for both public and private parties. Thus, in the debate on the successfulness of cooperation between governments and private sector in the field of cybersecurity, it is very important to understand in which field cooperation is being carried out.
The misinterpretation of different terms and domains, such as fighting cybercrime, protecting critical information infrastructure and national security, worsens due to the absence of a fine line between these fields. The same technical tools can be used in cyberspace to commit profit-driven crimes and carry out the acts that can be legitimately treated as national security concerns by many governments. For example, the botnets are widely used for committing profit-driven crimes and are one of the tools the cybercrime industry uses to flourish; however, they have also been used for politically motivated attacks and cyber-espionage . The problem of blurring boundaries further contributes to the uncertainty as to how and who shall govern cybersecurity, what are the applicable legal and regulatory regimes and which roles private stakeholders will be playing in safeguarding cyberspace.
Analysis provided in this chapter does not serve the purpose to define cybercrime, cybersecurity and cyberwar—this task would require much more space since, first of all, there is no agreed definition of all those terms [8, 9], and, secondly, there are still debates on the applicability of the term cyberwar in the framework of international law . Further discussion serves the purpose to show the blurring borders between different cybersecurity-related domains and confusions associated with this uncertainty.
1.2.1 Cybersecurity: Different Dimensions and Blurring Borders
The set of threats emerging in cyberspace blurs the boundaries between several areas, which traditionally were considered to be distinct fields of policy and regulation. First of all, the division between internal and external order , and as a result of the dichotomy of internal and external policies , is being undermined due to the transnational nature of cyberspace. Traditionally, maintaining the public order required law enforcement and criminal justice for internal order and military force and international agreements for mitigation of external threats . Cyber-threats, which can originate from abroad or from the same city and target both external and internal order, are sometimes very hard to be clearly attributed to one of the policy domains.
Secondly, this complexity further increases with the blurring borders between the fields that traditionally used to have a clear distinction: civil defence, military defence and criminal justice (law enforcement) [11, 12]. The fading of boundaries in this field has been caused by the change that cyberspace brings to the concept of aggression and crime. The traditional notion mostly referred to aggression and acts committed in the physical world for both crimes and war. In the case of breach of criminal law, there was a clear domain for criminal justice and policing to prevent crime and to prosecute the offender with the ultimate dominance of reactive approach . This sphere of responsibility was clearly defined by the statutory regulation. It mostly required application of the national law of the sovereign state, and, if there was international component, collaboration between law enforcement agencies across the borders. Mutual legal assistance treaties were mostly enough as a mechanism for assistance in the case of cross-border crime.
The same concept of physical aggression played an important role in the field of war conflict between the states. Brenner [10: 403] highlights that “war is unambiguous in the real-world because it is unique; only nation-states can summon the resources needed to launch a physical land, sea, or air attack on another nation-state”. Aggression for the purpose of military defence meant a physical attack or a threat of it, referred to the territorial issues. This concept allowed for defining the regulatory and policy domain responsible for defence and the applicable legal regime in the case of war.
However, nowadays, because of the anonymity of the Internet and the blurring borders between state and non-state actors, it is much more difficult to make a clear distinction both for the purpose of prevention of and reaction to the cybersecurity threats. States can initiate cybercrimes and cyber-espionage, politically motivated individuals can launch cyberattacks that cannot be attributed to any foreign governments and organised crime groups can tackle businesses to the degree that make it a threat to economic well-being of the nation. The questions that rise in this regard still remain unanswered. How to attribute the cyber-espionage to a particular state? How to distinguish prevention of hacker attacks, which are not backed by state parties (hacktivism) or from state-organised cyber-aggression? Does cross-border surveillance or breaking into the networks carried out by a foreign government constitute a crime or an act of aggression or is there no legal regime applicable to this kind of behaviour?
Theoretically, the domains can be distinguished based on the nature of threats and approaches to addressing them. One of the ways to draw a line is the “two-stream” model suggested by Maurer . His research differentiates two international (on the level of the UN) approaches to the cybersecurity issues: the politico-military stream and the economic stream. The former refers to the use of information technologies for undermining international stability, and the latter includes the criminal misuse of information technologies . This distinction is further supported by Jang and Lim , who discuss two main common approaches to the cyber-threats: security-oriented approach that considers cyberattacks as a threat to national security and law enforcement approach that brings the issue of attacks to the domain of criminal justice. The former relates to the efforts to deter and prevent, and the latter focuses on investigation, attribution and prosecution.
While this distinction certainly exists and, moreover, allows drawing a line for the purpose of this analysis, some of the types of “crimes” are debatable concerning how they fall into either economic crime or national security category. For example, while economic espionage can be attributed to cybercrime  when it is profit-driven, there are growing concerns that this type of spying on companies can threaten national security, especially when committed by state-sponsored actors . In May 2014, US Department of Justice charged five Chinese citizens with hacking into the networks of the US companies. The indictment linked the espionage to the Chinese government and named members of Unit 61,398 and identified them as the members of the Shanghai-based cyberunit of the People’s Liberation Army.1 This has been the first attempt so far to attribute economic espionage to people “behind the screen” and, moreover, to link the acts not only to particular people, but also to the foreign government. It is outside of the scope of this chapter to make political or legal judgements of this case. However, it does show how the borders between the “national security” stream and the “crime” stream are blurring.
Another example of the efforts to bring national security case to the domain of criminal justice is the investigation into electronic mass surveillance of EU citizens carried out by the Committee on Civil Liberties, Justice and Home Affairs of the EU Parliament. At one of the hearings on the allegations of NSA tapping into the SWIFT database, issues were raised with regard to the involvement of Europol in investigation of the NSA activities and the mandate of Europol in cybercrime investigations. Answering the questions, the Director of Europol, Rob Wainwright, stated that, firstly, no EU member state had made a request to investigate NSA activities, and, secondly, Europol has no mandate to investigate any state espionage allegations. As a result of the inquiry, the European Parliament adopted a resolution of 12 March 2014 “On the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs [2013/2188(INI)]” calling for the “full use” of the mandate of Europol for requesting the competent authorities of the member states to investigate cyberattacks with cross-border impact and, if necessary, enhancing this mandate to allow initiation of Europol’s own investigations.2 In addition to illustrating the tension between mandates of criminal law and national security, this case constitutes yet another attempt to bring two domains together and investigate the national security threats under the mandate of criminal justice.
Some of the experts even say that the distinction is not relevant anymore because the focus should be put on the methodology of the attacks, targets and consequences . This assertion can, to some extent, be true concerning the tools and consequences of the attacks, especially for the private sector in relation to damage control and risk mitigation . However, there is still a relevance of drawing if not clear, but a cleaner line between law enforcement and national security to clarify the “ownership of cybersecurity”  to understand which entities should deal with the incident: national security agencies, military or law enforcement .
One of the possible options to make a relevant distinction is a criminal attribution. However, attribution also represents a certain challenge due to anonymity of the Internet. Evidently, it is only attribution that can provide the information on whether the source of attack is a criminal or a state actor and define the domain of criminal justice and national security according to the nature of the threat . Yet there is one factor that is difficult to find out, namely motivation of the criminal. Motivation plays an important role: a person behind the cyberattack might be stand-alone criminal backed up by the government or politically motivated hacktivist, or someone with terrorist motives.
Does attribution help to separate domains for the purpose of providing cybersecurity? On one hand, it might be (theoretically) useful to use the attribution for distinguishing different types of security threats, such as national security and crime—this will at least allow defining the domain of cooperation such as criminal justice/national security. On the other hand, attribution itself is in many cases difficult, if not impossible because of the anonymity of the Internet and its transborder nature. Furthermore, attribution requires some efforts of investigating the attack. It means that in order to be attributed and to fall within one of the domains, be it national security or law enforcement, the attack should be investigated first, but it is unclear whether law enforcement or national security entities have to carry out the investigation. Thus, the question of attribution, though being very important for practical purposes—from investigation and prosecution of cybercrime to identifying the risk trends and developing adequate responses in the national security area—can be only of theoretical importance when it comes to drawing a clear distinction between different domains.
It is evident that, despite all the attempts to draw distinction between security mandates using the concepts of criminal law, law of armed conflict and public international law, the whole concept of cybersecurity does not fit traditional concepts used for this distinction . There is a complex set of factors, which assigns a particular problem to the law enforcement or to the agencies responsible for the national security: seriousness of the threat, possible consequences and the scale of the particular problem, just to name a few. Moreover, both national security and crime control bodies may consider the same cybersecurity issue from different angles as a part of their domain. Again, one of the good examples is the risks associated with the use of botnets: they are considered to be a concern for law enforcement agencies because of being used for commission of profit-driven crimes and for national security agencies due to the role they can play in politically motivated attacks and economic espionage .
1.2.2 Areas of Public–Private Collaboration on Cybersecurity
The uncertainty, which arises from the blurring borders between cybercrime and national security, has negative effects on the progress of the public–private collaboration in the field of cybersecurity on both policy and operation levels. With blurring borders, ambiguous domains, absence of clear definitions of what crime and cyberwar are and attribution issues, it is hard to develop successful frameworks for collaboration. To understand clearly which private entities and in what way should be involved in addressing particular problem, it is necessary to have an idea which government entities are responsible for a particular issue.
There have been attempts to distinguish domains by, for example, identifying priority areas, like it has been done by the EU Cybersecurity Strategy, which sets several priorities: achieving cyber-resilience, reducing cybercrime, developing cyber defence policy and capabilities; developing industrial and technological resources for cybersecurity and establishing a coherent international cyberspace policy. This division is pretty much in line with the distinction made in academic literature for example, Klimburg  distinguishes several mandates in national cybersecurity: military cyber, countering cybercrime, intelligence and counter-intelligence, critical information infrastructure protection, cyber diplomacy and Internet governance, with each of them being addressed by different departments within the nation state. Klimburg  argues that despite the fact that the areas of cybersecurity represent different facets of the same problem, each of the fields has its distinct focus and lexicon.
Further difficulties arise from lack of the agreement on what constitutes cybersecurity and what this term actually encompasses. There is no internationally accepted definition of cybersecurity (for example, EU Cybersecurity Strategy does not define it), so the understanding of this term differs from one nation state to another. Cybersecurity can be referred to as a broad concept, which includes security both in online and offline world, or narrowed down only to online safety . Confusion might grow when the meaning of cybersecurity is limited to safeguards and actions to protect networks and information infrastructure with regard to their integrity, availability and confidentiality (CIA crimes). For example, some studies  in this regard contend that cybersecurity should be focused on technology-based and code-based threats and should be limited to the crimes that are committed against computers (CIA crimes) and with exclusion of the crimes, which are merely facilitated by the use of computers. If we apply this theory to the public–private collaboration in cybersecurity, the concept of CIA threats covers a wide range of activities related both to civilian and military fields. However, it excludes some very important forms of cooperation related to the illegal content crimes such as online child abuse images and terrorist content. Illegal content does not represent a technical cybersecurity threat since it does not interfere with networks and systems. However, hardly anyone would debate the importance of the fight against child abuse. When cooperation in the field of cybersecurity is limited to technical threats only, a wide range of activities can be excluded and overlooked despite the fact that the initial involvement of the private industry in fighting cybercrime started with creation of hotlines for removal of child abuse content.
Collaboration in the field of cybercrime does not always include technical aspects of cybersecurity and protection of networks and systems. For example, fighting online child abuse, despite the requirement of technical knowledge and use of the technical tools for investigating crimes and detecting offenders, has different object of legal protection than technical security of the networks and vice versa, not every cybersecurity effort would be related to cybercrime. Investigation and prosecution of crimes as a domain of law enforcement will represent just a narrow field in this complex issue of cybersecurity in addition to bringing criminal acts of committing the cyberattacks to criminal justice domain, the efforts of different stakeholders in cybersecurity ecosystem will include deterrence, network resilience, collection of information on the type of attacks, attribution to the source without prosecution, just to name a few.
This book chapter approaches the issue of public–private collaboration from a broad perspective and focuses on different forms and areas of cooperation, including tackling the problem of cybercrime, protection of critical information infrastructure and national security. For the purpose of this analysis, the first area—cybercrime—covers not only crimes committed against confidentiality, integrity and availability of computer systems, but also content crimes (such as child abuse images and terrorist content) and any other types of crimes committed online. Public–private cooperation in this field can be attributed to “criminal justice domain” and includes prosecution, investigation, detection and an early disruption of crimes committed online, be it crimes against confidentiality, integrity and availability of data or computer-facilitated crimes or crimes related to illegal content. Collaboration in this area is based on the criminal law and criminal procedural law, legal frameworks on the liability of the intermediaries and partially on preventive police law.
The second area of cooperation is the involvement of the private sector in national security. As a distinct field from the criminal justice, it refers to collaboration between industry and governments on such security concerns as politically motivated attacks, economic espionage and serious threats. The third field is alliances between private stakeholders and regulators on cyber-resilience and critical information infrastructure protection. The distinct feature of this area, though it can be considered as part of national security concerns, is that the threats for critical information do not necessarily involve malicious intent. Critical information infrastructure protection includes resilience to weather disasters, technical failures and human errors.
It is hard to separate these three fields clearly, because they are overlapping. However, with this separation (even if the borders are blurring), a certain field of regulation can at least be distinguished and attributed to the particular agencies depending on the country: cybercrime to law enforcement, national security to the governmental bodies such as foreign ministries and intelligence services and critical information infrastructure protection to certain type regulators.
Another important factor is that the same private stakeholders can play multiple roles: one global service provider or financial institution can be a part of public–private partnership programmes in all three areas. For example, such global service providers such as Microsoft and Google are the owners of their internal technological infrastructure, providers of services to their customers, personal data controllers and processors; they can participate in ad hoc cooperation with law enforcement agencies on investigating a particular case, or collaborate on capacity-building programmes, or get involved in the analysis of the threats related to national security.
The participation of private industry in all three fields is necessary but has different dimensions and consequences. While there is a widely accepted notion that government cannot and shall not be expected to fight cybercrime and provide cybersecurity alone, there is a common misunderstanding about the role of the industry in the aforementioned fields, and, as a consequence, unmet expectations and the failure of leveraging good practices and core competences from one area to another. The fundamental problem is that distinct laws regulate those fields and the role of the industry would be different for each of these areas. While many public–private collaboration initiatives reached some degree of success in the criminal justice domain, they cannot yet enjoy the same level of success in the national security field, which tends to be less inclusive. Misconceptions arise when the areas of regulation are mixed, because national security tends to have higher political priority, less number of stakeholders involved in decision-making process and less transparency. According to the study carried out by OECD , businesses and civil society are concerned with the trend of increasingly blurring borders between national security and economic/social security and warfare semantics, because this absence of separation can bring “challenging consequences”, such as additional burdens, lack of transparency and less openness.
1.3 Regulating Cybersecurity: What Are the Options?
Before the evolvement of information and communication technologies, fighting crime and providing public security was mostly considered as a domain of national governments. Both criminal law and national security imply sovereignty issues, the duty of the state to protect its citizens and mechanisms of enforcement of the legal and policy frameworks, which require hierarchical structures and command-and-control approaches.
The problem of fighting cybercrime and protecting national interests in cyberspace, in the first place, reflects the tension between non-flexible legal frameworks—which, like criminal law, were not meant to be flexible by their nature—and the non-hierarchical structure and the borderless nature of the information and communication networks that do not fit the traditional top-down command-and-control models. The decentralised architecture of the Internet is eroding old paradigms of the division of responsibilities between government, private sector and civil society, also because in general, the concept of Internet governance has been largely dominated by the idea of a multi-stakeholder model. This transformation of the role of regulators and nation states in governing one of the biggest “enabler” of the modern economy and the idea of hands-off regulation for the sake of technological development allowed the Internet to flourish and penetrate all areas of business and social life.
1.3.1 Cybersecurity as a Multi-stakeholder Environment: Transformation
Until the beginning of 2000s, governments and law enforcement agencies mostly had to intervene only when information security failed and crime happened—the main agenda for the public sector was to criminalise the new types of threats, such as crimes against confidentiality, integrity and availability of computer data and systems, to equip law enforcement agencies with tools—both technical and legal—to investigate and prosecute the new types of infringements and to harmonise substantive criminal law and procedural frameworks on the international level to avoid creations of safe havens for cybercriminals. On this stage, industry was considered mostly as collaborator for investigations or for taking down illegal content online, and it was mainly the ISPs who got involved as a focal point for cooperation. With the growing number of Internet users and, as a result, increasing cybercrime rates, it was obvious that centralised state intervention can often fail to address the problem, because criminals can easily bypass traditional regulatory frameworks in transborder cyberspace [20: 1]. Due to the low reporting rates of cybercrime and cyberattacks [21: 69], it became extremely difficult for governments and law enforcement agencies to detect cybercrime on their own: due to the lack of resources, they could do little more than investigate and prosecute only a “tiny fraction” [22: 5] of cybercrime, let alone follow the complex and constantly changing landscape of cyber-threats. As a consequence, states are increasingly engaging in partnerships with the private sector to tackle cybercrime [23, 24], and co-regulatory and self-regulatory measures were sometimes appraised as being even more effective than criminal law and its enforcement . This trend started in the 1990s with the creation of the first private hotlines for reporting illegal content, mainly related to child abuse, as it will be discussed in Chap. 2 of this edition. Nowadays, self- and co-regulatory approaches exist in many areas of fighting cybercrime both on national and international levels.
However, till the end of the 1990s, when the threat of the millennium software bug attracted a lot of attention, the concept of “cybersecurity” as well as the term itself was not common [16: 12]. National governments were busy struggling with applying old legal frameworks to fighting cybercrime, striving to find new models to involve the private stakeholders in cooperation and trying to define the borders of responsibilities of the intermediaries for illegal content, were mostly leaving the issue of cybersecurity with regard to securing networks and infrastructure to the private sector. One of the important aspects, which set the paradigm for this approach, was the fact that with the commercialisation of the NSFNet in the 1990s, the US government moved the development and management of the infrastructure to the business and non-profit organisations and applied hands-off model to the internet governance, leaving the governance of the domain name system to the private entity—ICANN [26, 27].
The whole development of the Internet was dominated by commercial interests and market forces and followed by the principle of imposing no regulation for the sake of faster development. In this context, the private sector was considered to have enough knowledge and experience to provide security of its networks. Moreover, the private entities were in general opposing any attempts to regulate the Internet because of the general perception that regulation is too slow and government intervention can hamper the development of new technologies . This approach has proven to be a great success for the evolution of the information and communication technologies: in just a few years, industry has developed fast and cost-effective solutions for providing connection and services. Internet boosted economic growth, penetrated all the areas of social life and economy, and, ultimately, became an essential part of everyday life and—as a turning point—brought the growing dependency on information infrastructures. This interdependency of different critical infrastructures, both public and private (banking, energy supply, information technologies, etc.), and their increasing dependence on information networks, which made them vulnerable to crimes and attacks [28, 29], dramatically changed the cybersecurity landscape. New types of attacks such as botnets, where automation plays an important role, brought complex challenges for prevention, detection and investigation of the new types of crimes and new concerns about the possible drastic effects that even a short disruption of the functioning of critical information infrastructures can have. This can be considered as a turning point with regard to reconsidering the role of the governments in cybersecurity field and recognising the cybersecurity issues as one of the high priorities on political agenda.
The consequences of these developments are twofold. On one hand, this increasing complexity drove the development of the new cooperative models for addressing the new challenges and shifted focus from cybercrime and reactive approach (investigation and prosecution) to a far-reaching concept of cybersecurity, which includes also proactive measures such as prevention, detection, awareness raising and information sharing. On the other hand, the pictures of catastrophic scenarios “have produced a rush to regulate cybersecurity” . A possibility of a failure and drastic consequences made policy makers question the reliability of hands-off regulation and consider stronger involvement of the governments into the provision of cybersecurity .
This transformation has changed the scene of addressing the problem of cybersecurity into a “complex policy issue, which requires solutions at various levels, both national and international, and by means both non-governmental and governmental” . The ecosystem of cybersecurity itself poses a big challenge: the fast and mostly unregulated development of the information and communication technologies resulted in the “existence of myriad actors in the information security field” [30: 143]. The complexity of this ecosystem raises new issues of determining roles and domains of different stakeholders involved in tackling cybercrime and securing a safe cyber-environment. The growing number of Internet economy intermediaries—not only ISPs but also e-commerce and m-commerce companies, e-payment providers, application developers and software vendors, critical information infrastructure operators and others—became “critical nodes” for preventing and investigating cybercrime and safeguarding security of their systems and networks in their respective sectors [31: 196]. Whether governments want it or not, the fact that cyber infrastructure was built and is owned by private sector and the whole structure of decentralised networks and their history of non-hierarchical regulation make the cybersecurity ecosystem a flexible multi-stakeholder environment with no single entity on the top which can control and manage the processes. The idea that no single government can provide cybersecurity using only its own capabilities without involving private sector has thus become “conventional wisdom” [32: 85].
However, despite the general agreement that governments on their own can make only “poor enablers” of cybersecurity  and call for cooperation and multi-stakeholder approaches, there is no clear idea with regard to the models of cooperation. Technical complexity of the digital ecosystem, heterogeneity of stakeholders involved in different layers across jurisdictions, blurring borders between external and internal policy and public and private matters and absence of clear distinction between law enforcement, civil defence and military defence create the situation of regulatory uncertainty which delays the development of effective regulatory solutions [11, 34, 35]. Due to the convergence of services and uncertainty of legal regimes applicable to different cyber-threats (crime, national security, intelligence), regulatory spheres can superimpose and mandates of different agencies dealing with cybercrime and cybersecurity can overlap. Until now, there is no widely accepted model of the distribution of regulatory responsibilities in the ecosystem of cybersecurity answering the question who shall regulate and what . For example, despite the current attempts of the European Union to create homogeneous approach to cyberecurity, the system of mandates of different stakeholders and regulatory bodies in this field in the EU looks like an extremely complex puzzle, where “no-one…has a clear understanding of how all the different pieces fit together” [37: 17]. The international dimension of a problem and the fact that national states can have conflicting security interests further contribute to the increasing complexity of the regulatory challenge [38, 39: 430].
Bearing in mind this uncertainty of regulatory domains, some studies suggest that the new models of regulation should be developed to address cybersecurity problems. The World Bank Group [40: 3–4, 41] suggests that the ecosystem of cybersecurity is moving to the network model: it suggests that instead of focusing on institutions and functions (who shall do and what), the focus has to be shifted to the processes (e.g. fighting SPAM or creation of computer emergency response centres), procedures and information flows between different institutions. Network model refers, instead of specific agencies, to bodies (nodes) performing different functions in the ecosystem of cyberseurity and sharing—formally or informally—information and practices. The network model of the cybercrime and cybersecurity ecosystem, where hierarchical structures of governance are not applicable any more or have to be complemented, raises the challenge of creating better regulatory approaches in which the central question is, how cooperative governance can achieve the desired outcomes of reduction, detection and investigation of crimes. Dupont  refers to the “nodal” regulation and the concept of regulatory pluralism which is based on the belief that “by relying on diverse, complementary and self-reinforcing regulatory instruments, policies can be implemented in a manner that is more responsive to the specific context, resources and constraints of a particular sector” as to one of the possible ways to address cybersecurity problems. Gercke et al.  and Tropina  suggest the concept of “smart regulation”, which will be able to analyse the threats, to detect if intervention is needed and to develop new tools for dealing with the problems instead of applying old means that were not meant to regulate a decentralised environment. All these models assume that the gap between traditional models of governmental intervention and complex technological environment can be bridged only by approaching it with the new flexible cooperative models that include both public and private stakeholders and can combine the nodes of both legal and extra-legal regulation and facilitate the “reflexive and cohesive approach” [43: 19] to cybersecurity—necessary in a transnational decentralised network world.
While national governments have the power to establish and enforce legal and regulatory frameworks, the private sector understands the changing and converging nature of the ICT environment and has greater adaptability towards new technologies and services. Private actors have more expertise and resources and possess the necessary knowledge to investigate cybercrime and single out relevant cybersecurity threats, analyse them and produce an adequate response to them . The private sector’s knowledge and adaptability complement the resources and expertise of the government in the enforcement of criminal law, crime investigation and governments’ mandate in foreign policy and diplomacy.