CyberSecurityReference.pdf

Public–private partnerships in

national cyber-security strategies

MADELINE CARR

International Affairs 92: 1 (2016) 43–62
© 2016 The Author(s). International Affairs © 2016 The Royal Institute of International Affairs. Published by John Wiley & Sons
Ltd, 9600 Garsington Road, Oxford ox4 2dq, UK and 350 Main Street, Malden, MA 02148, USA.

Cyber security is emerging as one of the most challenging aspects of the infor-
mation age for policy-makers and scholars of International Relations (IR). It
has implications for national security, the economy, human rights, civil liberties
and international legal frameworks. Although politicians have been aware of the
threats of cyber insecurity since the early years of internet technology,1 anxiety
about the difficulties in resolving or addressing them has increased rather than
abated.2 In response, governments have begun to develop national cyber-security
strategies to outline the ways in which they intend to address cyber insecurity. In
many states where critical infrastructural systems in areas such as utilities, finance
and transport have been privatized, these policy documents are heavily reliant
upon what is referred to as the ‘public–private partnership’ as a key mechanism
through which to mitigate the threat. In the United States and United Kingdom,
the public–private partnership has repeatedly been referred to as the ‘cornerstone’
or ‘hub’ of cyber-security strategy.3

While public–private partnerships have often been developed as an appro-
priate means to address both non-traditional and traditional security threats,4 in
the context of national cyber security this arrangement is uniquely problematic.
There has been a persistent ambiguity with regard to the parameters for such a
partnership. The reluctance of politicians to claim authority for the state to intro-
duce tougher cyber-security measures by law, coupled with the private sector’s
aversion to accepting responsibility or liability for national security, leaves the
‘partnership’ without clear lines of responsibility or accountability. Questions are
now being raised (by, among others, President Obama) about the efficacy of a
market-driven approach to cyber security, though in liberal democratic states at

1 William J. Clinton, A National Security Strategy for a new century (Washington DC: The White House, Oct.
1998), p. 17.

2 Barack Obama, ‘Remarks by the President on securing our nation’s cyber infrastructure’ (Washington DC:
The White House, 29 May 2009).

3 William J. Clinton, National Plan for Information Systems Protection Version 1.0: an invitation to a dialogue (Wash-
ington DC: The White House, 2000); George W. Bush, The National Strategy to Secure Cyberspace (Washington
DC: The White House, 2003); Francis Maude, The UK Cyber Security Strategy: protecting and promoting the UK
in a digital world (London: Cabinet Office, 2011).

4 Max G. Manwaring, ‘The new global security landscape: the road ahead’, Low Intensity Conflict and
Enforcement 11: 2–3, Winter 2002, pp. 190–209; Barack Obama, US National Security Strategy (Washington DC:
The White House, 2012).

INTA92_1_FullIssue.indb 43 18/12/2015 10:19:57

Madeline Carr

44
International Affairs 92: 1, 2016
Copyright © 2016 The Author(s). International Affairs © 2016 The Royal Institute of International Affairs.

least, any alternative has yet to emerge.5 Crucially for IR scholars, questions arise
here about the extent to which the state can be seen to be abdicating not just
authority but responsibility for national security. As Dunn Cavelty and Suter point
out in their article on this topic, ‘generating security for citizens is a core task
of the state; therefore it is an extremely delicate matter for the government to
pass on its responsibility in this area to the private sector’.6 Essentially, this raises
questions about how well the state is equipped to provide national security in
this context and about how existing policies and practices of national security are
being challenged by this new threat conception.

This article develops a comprehensive understanding of how policy-makers
and the private sector are conceptualizing their respective roles in national cyber
security, where there may be disparity in these conceptions and what implica-
tions this may have for national and international cyber security. To this end,
it begins with some necessary background to the establishment of the public–
private partnership in national cyber-security strategies. It then analyses the
conceptions of security that are evident in these policy documents. Unpacking
the assumptions about security that drive these policies is essential to developing
an understanding of the goals, objectives and embedded interests that shape the
partnership. The article then moves on to analyse the public–private partner-
ship from the perspectives of both partners. It finds that there is a fundamental
disjuncture between the expectations of the two ‘partners’ in terms of roles,
responsibility and authority. Disjuncture in such relationships is certainly not
unique to this context, but the particular significance here arises from the fact
that what is at stake is not (for example) a civil engineering project but a national
security concern. The conclusion is not that no kind of public–private partnership
can be central to national security in the US and UK, but rather that the partner-
ship referred to in the policy documents is deeply flawed and that, unless the
problems identified here are acknowledged and addressed, it is unlikely that this
arrangement will prove a durable or effective means of promoting national cyber
security.

Methodology

Many states have recently produced national cyber-security strategies that place
an emphasis on some kind of public–private partnership. Those examined in the
course of the research underlying this article include Austria, Australia, Canada,
the Czech Republic, Estonia, Finland, France, Hungary, India, Japan, Lithuania,
the Netherlands, New Zealand, the Slovak Republic, South Africa, the United
Kingdom and the United States. The analysis in the article itself focuses exclu-
sively on the UK and the US. The US is an essential case because it is here that
cyber-security strategies based on the public–private partnership were developed
5 Obama, ‘Remarks by the President on securing our nation’s cyber infrastructure’.
6 Myriam Dunn Cavelty and Manuel Suter, ‘Public–private partnerships are no silver bullet: an expanded

governance model for critical infrastructure protection’, International Journal of Critical Infrastructure Protection
2: 4, 2009, p. 181.

INTA92_1_FullIssue.indb 44 18/12/2015 10:19:57

Public–private partnerships in national cyber-security strategies

45
International Affairs 92: 1, 2016
Copyright © 2016 The Author(s). International Affairs © 2016 The Royal Institute of International Affairs.

in 2000 under President Clinton. Over the ensuing 15 years, the public–private
partnership has been described by successive US presidents as the ‘cornerstone’
of national cyber security, though none has yet explicitly defined the parame-
ters, extent or nature of the relationship between the parties. The UK, for its
part, provides a correlate case-study. Cyber-security policy in the UK has been
modelled on and influenced by US policy though it is, of course, distinct. The
purpose of looking closely at two states with similar approaches, similar security
cultures and close ties between their intelligence communities, commercial sectors
and defence relations is to look for subtle differences. An examination of two
more radically different states, such as the United States and China, would be
expected to show significant differences; but in such a comparison there are so
many factors that could play a part that a close analysis could be difficult to pursue
in a focused way. It is anticipated that this research may provide a foundation for
further work in this area (a point to which I return below).

It should be noted also that the public–private partnership in national cyber
security is multifaceted. Governments have diverse relations with internet service
providers (ISPs), multinational information corporations (Google, Facebook, etc.),
private cyber-security firms, promoters of human and civil rights, law enforcement
agencies and civil society. However, both within the relevant policy documents
and within the cyber-security discourse generally, the public–private partner-
ship is often referred to as a single entity, ignoring this complexity. Unpacking
the term is therefore one of the contributions this article seeks to make. In the
course of doing so, it becomes clear that despite this complexity and diversity, the
core focus in the strategies (and consequently in this article) is on the relationship
between the government and the owners/operators of critical infrastructure—the
rationale being that, while the many other aspects of cyber security are regarded
as linked to the national interest, critical infrastructure protection is unequivocally
and intrinsically linked to national security.

A number of informal interviews were conducted for this research over an
18-month period. Representatives from the British and American public sector
entities responsible for national cyber security were asked to comment on how
effective they felt the public–private partnership was in terms of critical infrastruc-
ture protection, what problems they had observed with it and how they thought
it might be improved. Interviews were also conducted with representatives of
the private sector in the UK and US, with a particular concentration on two
specific sectors: those working for critical infrastructure owners and operators,
and those working for private cyber-security firms. Relationships between the
public and private sectors in this area are sensitive, particularly from the private-
sector perspective. Although the comments made by private-sector participants
were often mutually corroborated, being made in several interviews (as well as in
those with representatives of the public sector), private-sector participants were
reluctant to be identified and the interviews have therefore been anonymized.
Consequently, they serve here to enhance the research findings rather than to
drive them in a more substantive way.

INTA92_1_FullIssue.indb 45 18/12/2015 10:19:57

Madeline Carr

46
International Affairs 92: 1, 2016
Copyright © 2016 The Author(s). International Affairs © 2016 The Royal Institute of International Affairs.

The reluctance of key actors to speak openly about the problems with this
particular public–private partnership is one of the constraints on researching these
issues. A second constraint is that it is difficult to look in the same detail at states
that are less open about their policies and practices—as is, of course, often the case
with defence or intelligence research. In order to develop our understanding of
the implications for International Relations of the public–private partnership in
cyber security, it would be illuminating to extend this research project to look at
a very different case-study. China is a major power in global cyber security, and
differs markedly from the US and UK in both the relationship between its public
and private sectors and its ownership of critical infrastructure. Having looked
closely at these two similar states to discern the distinctive nuances in their respec-
tive approaches, it would be useful to conduct the same study in China in order to
extend the analysis of potential implications for global security in the twenty-first
century.

Background to the public–private partnership in national cyber-security
strategy

Dunn Cavelty and Brunner have observed that one of the dominant arguments in
the literature on the implications of the information age for international politics
is that ‘technological development enhances two trends that diminish the impor-
tance of the state, both of which have implications for security: increasing interna-
tionalisation and increasing privatisation’.7 These two trends unite in the approach
of the US and UK to national cyber security, and become manifest in the form
of the public–private partnership. Understanding the history and background to
this approach is important in providing context for the tensions now evident in
this partnership, because these tensions embody a whole set of beliefs about the
respective roles of the state and of the private sector, and about the interrelation-
ship between economic promotion and national security.

An important catalyst for this trajectory can be traced back to the end of
the Cold War, which ‘decreased the demand for defense research and made
national security a less compelling reason to support [technology research and
development]’.8 President Clinton’s foreign policy and economic policy were to
form a close and symbiotic (although not always comfortable) relationship as his
ideas about democratic enlargement through trade, the promotion of human rights,
and globalizing and liberating markets combined to form a kind of ideological/
economic grand strategy.9 Clinton was in favour of spending the ‘peace dividend’,

7 Myriam Dunn Cavelty and Elgin M. Brunner, ‘Introduction: information, power, and security—an outline
of debates and implications’, in Myriam Dunn Cavelty, Victor Mauer and Sai Felicia Krishna-Hensel, eds,
Power and security in the information age: investigating the role of the state in cyberspace (Aldershot: Ashgate, 2007), pp.
8–9.

8 Joseph E. Stiglitz and Scott J. Wallsten, ‘Public–private technology partnerships: promises and pitfalls’, Ameri-
can Behavioral Scientist 43: 35, Sept. 1999, p. 57.

9 In September 1993, President Clinton gave a speech to the UN General Assembly outlining this strategic
framework, which was reiterated in several subsequent speeches by senior officials including the Secretary
of State and the National Security Advisor: William J. Clinton, ‘Remarks to the 48th Session of the United

INTA92_1_FullIssue.indb 46 18/12/2015 10:19:57

Public–private partnerships in national cyber-security strategies

47
International Affairs 92: 1, 2016
Copyright © 2016 The Author(s). International Affairs © 2016 The Royal Institute of International Affairs.

and by 1992 he was explicit about how it should be applied: ‘Every dollar we
take out of military R&D [research and development] in the post-Cold War era
should go to R&D for commercial technologies, until civilian R&D can match
and eventually surpass our Cold War military R&D commitment.’10 Stiglitz and
Wallsten write that these conditions ‘led to a new push for public–private partner-
ships intended to support commercial [technology research and development]’.11
Much of the groundwork for these partnerships was laid in the 1980s, but the
Clinton administration made them ‘the centrepiece of its technology program’.12

It was in this climate that the Clinton–Gore administration invested so heavily
in internet technology. Though they were clear from the beginning about their
intention that the private sector should play a primary role, they also acknowl-
edged the value of government input. The new administration believed that
‘only the private sector has the skills and abilities to manage the complex process
of developing new technologies and bringing them to market, while . . . [the]
government plays a vital role in enabling the private sector’s efforts’.13 By the
mid-1980s, the internet infrastructure was fiscally supported and administered
by the federal government through the National Science Foundation (NSF),
though this was regarded by the government as an interim measure on the way
to full private ownership and management.14 The National High-Performance
Computing Act of 1990 specified that the NSF was to support the establishment of
a high-speed national network ‘in a manner which fosters and maintains competi-
tion and private sector investment in high speed data networking’,15 and that the
involvement of the NSF ‘be phased out when commercial networks can meet the
networking needs of American researchers’.16

A number of policy initiatives focused on stimulating private-sector invest-
ment as well as the development of network management capability. One of these
initiatives was the enforcement of the ‘Acceptable Use Policy’ (AUP) drawn up by
the NSF. This policy dictated that network traffic should be restricted to ‘open
research and education’, specifically prohibiting commercial activity until such
time as the infrastructure was privatized.17 Through this ‘carrot and stick’ policy

Nations General Assembly’, New York, 27 Sept. 1993; Anthony Lake, ‘From containment to enlargement’,
speech to the Johns Hopkins University School of Advanced International Studies, Washington DC, 21 Sept.
1993; Warren Christopher, ‘Building peace in the Middle East’, speech at Columbia University, 20 Sept. 1993.

10 William J. Clinton, remarks at Wharton School of , University of Pennsylvania, Philadelphia, 16
April 1992, http://www.ibiblio.org/nii/econ-posit.html, accessed 4 Nov. 2015.

11 Stiglitz and Wallsten, ‘Public–private technology partnerships’, p. 57.
12 Stiglitz and Wallsten, ‘Public–private technology partnerships’, p. 57.
13 Technology in the National Interest (Washington DC: NSTC Committee on Civilian Industrial Technology,

1996), p. 42, cited in Stiglitz and Wallsten, ‘Public–private technology partnerships’, p. 63.
14 For an account of how the funding was organized in 1990, see Brian Kahin, ‘RFC1192—commercialization of

the internet, summary report’, issued as a ‘request for comments’ by the Network Working Group, Harvard
University, Nov. 1990, http://www.faqs.org/rfcs/rfc1192.html, accessed 4 Nov. 2015.

15 S.1067, National High-Performance Computing Act of 1990, 101st Congress, 2nd Session, as marked up 3
April 1990. The Federal Research Internet Coordinating Committee, established to coordinate networking
research activities, issued a report in 1989 stating that the network would ‘be implemented and operated so
that [it] can become commercialized’: Federal Research Internet Coordinating Committee, Program plan for
the National Research and Education Network (Washington DC, 23 May 1989), pp. 4–5.

16 S.2918, National High-Performance Computing Act of 1988, 100th Congress, 2nd Session, 19 Oct. 1988.
17 For background on this, see the NSF website, ‘The internet: changing the way we communicate’, http://

www.nsf.gov/about/history/nsf0050/internet/internet.htm, accessed 4 Nov. 2015.

INTA92_1_FullIssue.indb 47 18/12/2015 10:19:57

Madeline Carr

48
International Affairs 92: 1, 2016
Copyright © 2016 The Author(s). International Affairs © 2016 The Royal Institute of International Affairs.

approach, the government sought to stimulate necessary private-sector invest-
ment—and indeed, this policy did have the intended effect.18

The public–private partnership is not, of course, unique to cyber security. It
has been employed widely by states including the US and UK as a mechanism to
deal with a range of other issues, including security-related ones. The practice
intensified from the 1990s, when the privatization of critical infrastructure was
regarded as economically beneficial to the state, freeing up capital and drawing
more heavily on the efficiencies and business practices of the private sector. In the
wake of this shift, an extensive body of literature developed that examines the
public–private partnership in all kinds of contexts. It deals with the background
of these partnerships,19 the range of different approaches,20 how to measure success
and failure,21 and how responsibility and authority are delegated.22 There has also
been some examination of the public–private partnership in cyber security, most
notably by Dunn Cavelty and Suter, but this focuses on ways to improve it rather
than critically analysing its political implications.23 Combined, this literature
provides a solid foundation for the present research project, proving particularly
useful in highlighting the ways in which this partnership is distinct but also in
outlining common assumptions and expectations that run through public–private
partnerships more generally.

In addition to the political history outlined above, it should be noted that for
many public policy scholars, the history of public–private partnerships is in large
part one of discourse. Although they are often portrayed as a ‘new’ management
approach designed to blend the best of both sectors, examples of public–private
partnerships have been traced back to biblical times.24 Without going back quite
so far, Wettenhall uses the example of Drake’s fleet which defeated the Spanish
Armada in the sixteenth century, highlighting the fact that most of the ships were
privately owned and operated though they were serving under contract to the

18 See NSF website, http://www.nsf.gov/od/lpa/nsf50/nsfoutreach/htm/n50_z2/pages_z3/28_pg.htm; also
Barry M. Leiner, Vinton G. Cerf, David D. Clark, Robert E. Kahn, Leonard Kleinrock, Daniel C. Lynch,
Jon Postel, Larry G. Roberts and Stephen Wolff, ‘A brief history of the internet, part 1’, On the Internet (The
Internet Society), May–June 1997, http://www.isoc.org/oti/articles/0597/leiner.html (both accessed 4 Nov.
2015).

19 Stephen H. Linder, ‘Coming to terms with the public–private partnership: a grammar of multiple mean-
ings’, American Behavioral Scientist 43: 1, Sept. 1999, pp. 35–51; Roger Wettenhall, ‘The rhetoric and reality of
public–private partnerships’, Public Organization Review: A Global Journal 3: 1, 2003, pp. 77–107.

20 Stiglitz and Wallsten, ‘Public–private technology partnerships’, pp. 52–73; James A. Dunn, ‘Transportation:
policy-level partnerships and project-based partnerships’, American Behavioural Scientist 43: 1, Sept. 1999, pp.
92–106; Philip E. Auerswald, Lewis M. Branscomb, Todd M. LaPorte and Erwann O. Michel-Kerjan, Seeds of
disaster, roots of response: how private action can reduce public vulnerability (Cambridge: Cambridge University Press,
2007).

21 Graeme A. Hodge and Carsten Greve, ‘Public–private partnerships: an international performance review’,
Public Administration Review 67: 3, May–June 2007, pp. 545–58; Michael J. Garvin and Doran Bosso, ‘Assessing
the effectiveness of infrastructure public–private partnership programs and projects’, Public Works Management
and Policy 13: 2, Oct. 2008, pp. 162–78.

22 Nutavoot Pongsiri, ‘Regulation and public–private partnerships’, International Journal of Public Sector Manage-
ment 15: 6, 2002, pp. 487–95; Marco Schaferhoff, Sabine Campe and Christopher Kaan, ‘Transnational public–
private partnerships in International Relations: making sense of concepts, research frameworks, and results’,
International Studies Review 11: 3, Sept. 2009, pp. 451–74.

23 Dunn Cavelty and Suter, ‘Public–private partnerships are no silver bullet’.
24 Wettenhall, ‘The rhetoric and reality of public–private partnerships’.

INTA92_1_FullIssue.indb 48 18/12/2015 10:19:57

Public–private partnerships in national cyber-security strategies

49
International Affairs 92: 1, 2016
Copyright © 2016 The Author(s). International Affairs © 2016 The Royal Institute of International Affairs.

Admiralty, to demonstrate that the practice of governments cooperating with
private actors has a long historical pedigree.25 What appears to be ‘new’ is the
discourse around it, which Reijniers argues has reflected trends in management
reform from the early 1990s that saw a turn away from ‘leadership and behavioural
principles and toward more structural emphases on flexibility and innovation—
reinforcing partnership ideals’.26 Linder sees the growing discourse on partner-
ships as a retreat from the ‘hard-line advocacy of privatization’ of the Reagan and
Thatcher years.27 From this perspective, he argues, they are accommodationist;
‘they hold back the spectre of wholesale divestiture and, in exchange, promise
lucrative collaboration with the state’.28 Wettenhall also points out that the term
has a positive relationship with the discourse on ‘third way’ economics and is
associated with expectations of ‘mutual obligation and trust’.29

All of this suggests a discursive and practical breaking down of boundaries or
borders at a domestic level which, of course, is very much in keeping with the
broader discourse around the internet. The observation by Hess and Adams that
public–private partnerships emerge from ‘loss of faith in both state and market’
can go some way to explaining this discursive and policy shift.30 Despite the fact
that internet technology was heavily supported and promoted by the US govern-
ment (and indeed, the private sector had to be pressured to some extent to take it
over), there quickly developed a kind of expectation that governments had only a
limited role to play in further development of the technology. However, Wetten-
hall argues that there is a persistent lack of precision in how the term ‘partnership’
is employed, and ‘belief that what it refers to is “a good” thing seems much more
a matter of faith than of science’.31

What is meant by ‘cyber security’?

Just as in the 19th century we had to secure the seas for our national safety and prosperity,
and in the 20th century we had to secure the air, in the 21st century we also have to secure
our position in cyber space.32

‘Cyber security’ is almost as broad and indistinct a term as ‘security’ itself;
and there are a number of reasons for this. First, the implications of internet
technology are highly diverse because they penetrate many critical systems and
practices on multiple levels. Cyber security is used to refer to the integrity of our
personal privacy online, to the security of our critical infrastructure, to electronic

25 Wettenhall, ‘The rhetoric and reality of public–private partnerships’, p. 92.
26 J. J. A. M. Reijniers, ‘Organization of public–private partnership projects’, International Journal of Project

Management 12: 3, 1994, pp. 137–42, cited in Linder, ‘Coming to terms with the public–private partnership’,
p. 39.

27 Linder, ‘Coming to terms with the public–private partnership’, p. 41.
28 Linder, ‘Coming to terms with the public–private partnership’, p. 41.
29 Wettenhall, ‘The rhetoric and reality of public–private partnerships’, p. 78.
30 Michael Hess and David Adams, ‘Community in public policy: fad or foundation?’, Australian Journal of Public

Administration 60: 2, 2001, p. 13.
31 Wettenhall, ‘The rhetoric and reality of public–private partnerships’, p. 80.
32 Cyber Security Strategy of the United Kingdom: safety, security and resilience in cyber space (London: Cabinet Office,

June 2009), p. 5.

INTA92_1_FullIssue.indb 49 18/12/2015 10:19:57

Madeline Carr

50
International Affairs 92: 1, 2016
Copyright © 2016 The Author(s). International Affairs © 2016 The Royal Institute of International Affairs.

commerce, to military threats and to the protection of intellectual property. These
areas range extremely widely, and are united only by the technology with which
they engage. This of course, is also a problem with ‘security’ that has been recog-
nized by scholars in IR for many years.33 In order to arrive at some clarity about
what cyber security means in the context of national cyber-security strategies, it
is useful to turn to the three fundamental questions that guide those working in
many areas of security studies: for whom? from what? and by what means? When
these national cyber-security strategy documents refer to ‘cyber security’, whose
security are they referring to? Exactly what threats are they responding to? And
by what means do the strategies propose to mediate those threats?

Cyber security for whom?

The referent object in these strategy documents is typically ‘the state’, which
in turn is conceived of as comprising three main component parts: individuals,
businesses and the internet itself. The way in which the individual (or citizen) is …