Public-private cooperation is often suggested as one response to an increasingly volatile digital security environment. But there has been little attention paid to how outcomes at the EU level are influenced by how such cooperation is organised in practice, what its drivers are and specific models of organising relations between the public and private sector. By making a distinction between public and private governance ecosystems, this article illuminates the varying cybersecurity approaches of France, Italy and the UK. It also shows how the political economy approach helps make sense of European divergences in managing the 5G dossier and the overall trajectory of EU cybersecurity policy.
Recent data from the European Union Agency for Cybersecurity (ENISA) highlighted that cyberattacks against critical economic and industrial sectors have doubled in the past two years. In addition, during the dramatic COVID-19 emergency, the agency reported a 47% rise in attacks on hospitals and health care networks. At the same time, Europol’s 2021 Serious and Organised Crime Threat Assessment warned of a notable increase in ransomware attacks on public institutions and large companies. Cybersecurity – now at the centre of the European political agenda – is an extremely complex governance challenge for public and private actors. Digital networks show incredibly high levels of global interconnectedness and most critical infrastructures and digital and Internet providers are owned by the private sector. Additionally, private firms in an increasing number of economic and industrial sectors have themselves become targets of cyberattacks with country-wide repercussions.
Looking at how European governments and industries are responding to cybersecurity challenges, scholars have so far identified two main trends. Some experts argue that – due to the distinctive features of cyberspace, its links to global information exchange and the private ownership of computer networks and infrastructures – the private sector must be the key player in the regulation and governance of cybersecurity. This approach may eventually challenge the state’s traditional role as a security guarantor and threatens to create a “sovereignty gap”. Others suggest that the politicisation of cyberspace – now a low-grade yet persistent feature of geopolitical competition – is accelerating the public-led centralisation of cybersecurity governance.
This commentary suggests a middle ground, employing a political economy approach to examine how European governments and industries are responding to cyber challenges. A political-economic lens helps shed light on three key aspects of the current cybersecurity debate: how states organise cybersecurity governance at the domestic level; how they respond differently to international cybersecurity challenges; and how domestic political economies affect EU-wide cybersecurity policy.
Public and Private Governance of Cybersecurity
Scholars have long strived to distinguish among different models of political economy and varieties of capitalism. Drawing on this literature, two predominant macro-patterns of relationships between the public and the private sector, between states and industries, can typically be identified.
Public governance ecosystems are characterised by centralised institutions, a high degree of government market protection and very close and informal relations between public and private actors. France, an example of a public governance ecosystem, has organised its cybersecurity sector around consensus-based and informal relationships between the state, the centralised cybersecurity agency (ANSSI) and its domestic industry. These relationships have been built around privileged public actors’ interactions with some large (and partially state-owned) companies (Airbus, Thales, Orange) and oiled by educational and professional homogeneity between political, bureaucratic and corporate actors. Italy – another example of a public governance ecosystem – has organised its cybersecurity governance through a process of increasing institutional centralisation, forged by constant formal and informal interactions between political actors, intelligence services and domestic industrial groups. Both countries tend to favour national firms in the domestic market.
Private governance ecosystems are characterised by less centralised institutions, a lower degree of government market protection and more arm’s-length relations between national institutions and industries. Instead of informal public-private relations, private governance ecosystems feature detailed legal frameworks set by the state, which businesses must operate within. The UK – associated with private governance ecosystems – is less involved in the cybersecurity market than France or Italy, and has not expressed concern about procuring cybersecurity equipment and network components “off-the-shelf”. For instance, the Minister for the Armed Forces acknowledged that the risks associated with outsourcing to foreign firms need to be balanced against cost, speed and efficiency of delivery. British firms, for instance BAE Systems, have explicitly complained about the poor market protection provided by the government to domestic companies. In these ecosystems, once the legal standards are set, it is up to firms (both domestic and foreign) to conform and provide the most efficient solutions.
This typological distinction, commonly used to distinguish countries with a strong presence of the state from more liberal and market-friendly ecosystems, sheds light on cross-national variations in cybersecurity governance. In other words, predominant models of political economy decisively shape legal, institutional and political arrangements in governing cybersecurity.
The Political Economy of 5G
A political economy approach can also be employed to understand Europeans’ different responses to international cybersecurity challenges. Currently at the centre of the technological competition between China and the United States is 5G technology, which enables high-density connections (including machine-to-machine communications) with potentially disruptive effects on state-of-the-art telecommunications. For the first time since the end of World War II, a non-American, non-Western company is the market leader in a disruptive technological field.
Despite Washington’s warning, European states have responded in a variety of ways to this complex economic and geopolitical challenge. Many have tried to reconcile a market approach (Huawei is the most competitive player; a ban on its access to 5G might spur Chinese retaliation in other market sectors) and a security perspective (European states have close security and intelligence relations with the US). To strike a difficult balance between market and security priorities, European states mobilised tools that were already present within their own political-economic frameworks. In France, the government first tried to leverage its strong informal relations with the semi state-owned telecoms operator Orange to limit the entry of Chinese giants into French 5G networks. Later, the government, with the support of ANSSI, centralised the decision-making process through the so-called “anti-Huawei” law, which aims to limit partnerships between domestic companies and the Chinese giant. In Italy, the government relied on its privileged relationship with the former state-owned Telecom Italia and extended the pre-existing golden power mechanisms to protect its 5G networks from “high risk” vendors. In both cases, following their public governance arrangements, the two states capitalised on the privileged and informal relationships that existed between the state and semi-public and private telecoms groups.
In the UK, the Huawei case triggered dramatic political consequences and a series of course changes within the Theresa May and Boris Johnson governments, particularly because of the difficulty of reconciling the country’s traditional market-led approach with the need to directly intervene to regulate the 5G market. Moreover, telecom giants such as British Telecom and Vodafone complained about the lack of consultation with public authorities, given the delicacy of the dossier, and the government’s decision to rely on formal market contracts and the legal framework.
The European Approach to Cybersecurity
Domestic political economies also affect the European approach to cybersecurity. Both France and the UK have tried to “upload” their political economy models to shape EU cybersecurity policy. More specifically, France has tried to bring its centralised and dirigiste approach to Europe, pushing for the protection of European products and services vis-à-vis extra-EU competitors, especially through the introduction of very demanding security certifications, which would create high barriers to entry for extra-EU cybersecurity products. The UK, prior to Brexit, had tried to bring its own market-related approach to shape important pieces of European cybersecurity legislation, such as the EU’s NIS Directive. The consequences of Brexit may include a more centralised and dirigiste approach to EU cybersecurity policy. The 2019 Cybersecurity Act, the increased role of ENISA in drawing up EU cybersecurity certification schemes and the creation of a Cybersecurity Competence Centre and Network (to support the competitiveness of the Union’s industry and support procurement of cybersecurity products and solutions) seem to be three clear steps in this direction. This does not mean that intra-European divisions over the industrial aspects of cybersecurity have disappeared with Brexit. Scholars have highlighted, for instance, that France and Germany (the latter supported by more free-market ecosystems such as the Netherlands and the North-European countries) prefer, respectively, a more closed or more open European industrial bloc in the cybersecurity market.
The debate over EU cybersecurity policy is also directly linked to the current state of broader EU industrial policy. European states fear that US-China competition and the consequent creation of two distinct “techno-spheres”, each with its own products and standards, may lead to Europe being caught between these two spheres and constantly pulled in both directions. These considerations are currently at the top of the agenda of the in terms of industrial policy and technological sovereignty. This process is strongly supported by France, which has placed strategic autonomy in the industrial and technological sphere as the top priority of its current presidency of the Council of the EU.
However, other countries are more sceptical on this front. For instance, the free-trading Nordic and Baltic countries see the approach as a political way to create European champions predominantly based in larger European countries. Brexit has undermined the position of these states, as London could have been counted on to oppose collective industrial policies and champion open markets and free competition. Swedish Trade Minister Anna Hallberg declared that, “The political landscape in Europe has been totally reshaped by Brexit. For Sweden, as a country which always wants to promote free trade, it is very important for us now, when we have lost one of our closest allies, to shape new groups.” The calls of these countries to turn the debate towards open strategic autonomy should be read as part of this complex political mediation between different models of political economy. The political compromise between a more dirigiste or a more market-friendly political economy will decisively influence the role of Europe in the fast-evolving geopolitical scenario.
These limited examples demonstrate that political economy is a useful approach to understand the evolution of the EU’s cybersecurity policies. Distinguishing between different political economy models among the member states helps to shed light on how states organise cybersecurity at the domestic level, how they respond to international pressures and how different political economies are influencing EU policy in this area.
But a political economy perspective alone cannot fully explain decisions taken in Brussels, which are increasingly influenced by the broader political and geo-strategic evolution of the cybersecurity sector. However, as highlighted by Jeffry Frieden, “the way a political economy is organized affects who wins the battle over policy”. This is also true when it comes to cyberspace, where pre-existing models of political economy shape, by creating constraints and opportunities, the set of choices governments and firms have when dealing with cybersecurity decisions that have fundamental economic and geopolitical implications.
This work opens up two interesting avenues for future research. First, more research is needed to refine the two general political economy ecosystems identified here. The ideal-typical characterisations of public or private governance do not always align with complex realities on the ground. A more systematic study of the cybersecurity market, which is characterised by the simultaneous presence of traditional defence contractors and of medium and small firms and startups dealing with data analytics, machine learning and zero-day vulnerability solutions, would be helpful to better link theoretical models and states’ practices.
Second, any reflection on European cybersecurity cannot be de-contextualised from the broader ongoing technological competition between the US and China. How European institutions and states will mediate between different political economy approaches and models of technological innovation and industrial policy will be key to understanding Europe’s future role in tomorrow’s cybersecurity competition.
About the Author
Dr Antonio Calcara is a Post-Doctoral Researcher at the University of Antwerp. He is the author of 'European Defence Decision-Making: Dilemmas of Collaborative Arms Procurement' (Routledge). His research has appeared in such journals as Security Studies, Review of International Political Economy, Governance, Journal of European Integration and European Security.