
Towards Stronger Cyber Security Public Private Partnerships in Developing Countries – June 2017

CSP3s – UOG/FCO/BoE Final Copy


Table of Contents

EXECUTIVE SUMMARY

LIST OF KEY CONTRIBUTORS

LIST OF FIGURES

LIST OF TABLES

1. INTRODUCTION AND SCOPE
  1.1 The Research Questions
  1.2 Key Findings
  1.3 Methodology
  1.4 Structure of this Report

2. PUBLIC PRIVATE PARTNERSHIPS
  2.1 What is a CSP3?
  2.2 Characteristics of CSP3s
    2.2.1 Governance Structure
    2.2.2 Target
    2.2.3 Setting
  2.3 What makes a P3 work?
  2.4 P3s’ Enabling Environment
    2.4.1 Policy Formulation
    2.4.2 A Legal and Regulatory Framework
    2.4.3 The Institutional Arrangements
    2.4.4 Financial Support

3. CRITICAL SUCCESS FACTORS FOR CSP3s
  3.1 Trust Between Partners and its Impact on Information Sharing
  3.2 Clarity of Roles and Responsibilities
  3.3 Commitment and Buy-in

4. CSP3s’ ENABLING ENVIRONMENT

5. CASE STUDIES
  5.1 Example CSP3s in Europe
  5.2 CSP3s in Africa
    5.2.1 KENYA
    5.2.2 REPUBLIC OF SOUTH AFRICA (RSA)
    5.2.3 NIGERIA

6. CONCLUSION & RECOMMENDATIONS

References & Bibliography

APPENDIX 1 Exemplar of a Non-Disclosure Agreement Between Two English Organisations

APPENDIX 2 Example Cyber Security Public Private Partnerships in the UK and Europe


EXECUTIVE SUMMARY

This report presents the findings of research commissioned by the Foreign and Commonwealth Office (FCO) and jointly funded by the FCO and the Bank of England (BoE). The aim of the research is to identify critical success factors for cyber security public private partnerships (CSP3s), with a view to informing UK foreign policy on cyber capacity building in developing countries. The work focused on examples of Public Private Partnerships (P3s) and Cyber Security Public Private Partnerships (CSP3s) in select countries in the UK, Europe and Africa. The desktop research and the interviews we conducted with a number of cyber companies suggest that there are three main critical success factors:

Trust between partners

Clarity of roles

Commitment of all parties to the partnership’s aims

The analysis carried out as part of this work confirms that these inter-related critical success factors have a direct impact on the success or failure of the partnership. The research also finds that these factors require an Enabling Environment that provides a platform for Clarity of Roles and fosters Commitment to the partnership and Trust between the partners. It is on this basis that we recommend that, for CSP3s in developing countries to succeed, an Enabling Environment is a prerequisite for the above three factors. The Enabling Environment will need to be contextualised based on local needs and circumstances, but for any national cyber strategy the government should develop a clear national framework and an implementation timetable for achieving the following:

An institutional body that oversees CSP3s

An investment plan that combines public and private resources

A legal framework covering the laws and regulations governing CSP3s

Guidelines on aligning the CSP3s’ objectives to the national strategy (e.g. training and education; protection of critical infrastructure; crime prevention)

A contractual framework detailing the roles and responsibilities of the partners as well as reporting and monitoring structures

Safe and secure communication channels to maintain commitment and trust amongst the parties involved.


LIST OF KEY CONTRIBUTORS

Professor Kamal Bechkoum is an experienced senior leader and academic in Higher Education with an international background and an in-depth knowledge and understanding of the UK HE sector. He has held senior positions at several UK universities, successfully leading major change programmes. Professor Bechkoum is currently Head of The Business & Computing School at The University of Gloucestershire. He is the University lead of a £3m Cyber Security project, working with organisations such as Raytheon, Northrop Grumman, GCHQ, Qinetiq and the National Cyber Skills Centre to produce highly skilled cyber professionals in Gloucestershire and beyond. His specialism is Artificial Intelligence and its applications. He holds a PhD in Software Techniques for Computer Aided Engineering from the University of Cranfield, UK, is a Fellow of the British Computer Society and a Chartered IT Professional.

Lee Campbell is a cyber security lecturer with twenty-five years’ experience in IT with 15 years’ experience in the sphere of cyber security. Lee has held a number of roles during this time, including that of Senior Systems Architect for a number of multi-national financial organisations. Recently, he created the National Archives “Responsible for Information” online training programme for SMEs. He also advised the UK Government Department for Business, Innovation and Skills (BIS) on establishing the preferred cybersecurity organisational standard, now known as Cyber Essentials.

Paula Thomas is a senior academic in Higher Education with significant experience in researching and lecturing on Cyber Security and Forensics. Paula’s current role is that of Director of the Institute of Cyber Security and Risk Assessment, where she leads on a number of research projects for both industry and academia. Paula also works with Professor Kamal Bechkoum to develop and promote cyber security skills in academia.

Michael Brown is a Postgraduate Assistant aiding with both lecturing and research activities. Michael holds a BSc Hons and an MSc in Cyber Security and Computer Forensics as well as the CSTM (CHECK Scheme Team Member) Certification. His research interests include penetration testing and reverse engineering as well as teaching and training using interactivity and games.

Acknowledgment: We are grateful for the much-valued contributions of the following colleagues from the Foreign and Commonwealth Office (FCO) and Bank of England:

Robert Collett, Head of Capacity Building, Prosperity, Cyber Crime, Cyber Policy Department, FCO,

Patrick Mulcahy, Deputy Programme Manager and Finance Manager, FCO,

Douglas Taylor, Research Analyst, National Security Research Group, FCO, and

Professor Buck Rogers, Chief Information Security Officer, Bank of England.

The figures in this report were produced by Sam Madden, student on the BSc (Hons) Games Design programme.


LIST OF FIGURES

Figure 1. Cyber Security Public-Private Partnerships’ Environment for Success
Figure 2. Characteristics of a Cyber Security Public-Private Partnership
Figure 3. The Four Key Dimensions of Public-Private Partnerships’ Enabling Environment
Figure 4. Trust: a pre-requisite for successful CSP3s
Figure 5. Clarity of Roles & Commitment: Two Critical Factors for Effective CSP3s
Figure 6. The Seven Dimensions of CSP3s’ Enabling Environment
Figure 7. The Enabling Environment for the Three Critical Success Factors: Clarity of Roles, Commitment and Trust

LIST OF TABLES

Table 1. CSP3 Organisations and the Enabling Environment Dimensions they specifically need
Table 2. Readiness of Kenya, South Africa and Nigeria in Developing an Enabling Environment for Successful CSP3s


1. INTRODUCTION AND SCOPE

Strong partnerships between the public and private sectors are essential for effective cyber security. In the UK, US and Europe, national cyber security and anti-cybercrime efforts are built upon a constant exchange of knowledge and day-to-day collaboration between the two sectors, also bringing in academia and civil society where appropriate. There is a need to identify the lessons of what has worked well in cyber security public private partnerships (CSP3s) in select countries with a view to informing cyber capacity building projects. The focus is on the UK experience, but the report also looks at a few other cyber-advanced and cyber-advancing partners from Africa.

1.1 The Research Questions

The aim of this research is therefore to identify the key ingredients for a successful CSP3 in select countries to inform foreign policy on cyber security capacity building. For this we focused on the following questions:

What are the critical success factors of CSP3s?

What are the dimensions of the enabling environment that leads to the formation and development of a successful CSP3?

What can we learn from the above when setting up CSP3s in developing countries?

1.2 Key Findings

Initial findings indicate that the presence of an Enabling Environment is crucial to the success of CSP3s. This is an environment that provides the frameworks, platforms and tools to foster information sharing, the fuel that energises the development of public-private partnerships (P3s). This Enabling Environment should: nurture mutual trust; encourage commitment; and help clarify roles and responsibilities, three of the key critical ingredients for efficacious CSP3s. This research finds that whilst CSP3s in developing countries share the same critical success factors with CSP3s in developed countries, there are essential differences in prioritising the dimensions of the Enabling Environment, due to the variety in the levels of advancement of IT infrastructures, legal frameworks, and other factors such as political stability.

1.3 Methodology

In attempting to answer the above questions we reviewed a number of related publications covering national cyber strategies (UK, US, Estonia, EU, Kenya, South Africa, Botswana and Asia), EU Reports, scholarly articles and books/theses. We also consulted a number of video clips and media articles published on social media (mainly YouTube, Twitter and LinkedIn). We have furthermore conducted conversations (informal interviews) with some of our partner organisations, including Raytheon, BT, GCHQ, National Cyber Skills Centre, Qinetiq and Surevine. We also received input from representatives of the cyber business community in Nigeria, South Africa and Botswana. Given the sensitivities surrounding the issue, participants requested that the information they share is anonymised.

1.4 Structure of this Report

In addition to these introductory notes (Section 1), the next section introduces Public Private Partnerships (P3s) and related definitions. This provides a theoretical framework for P3s in general and CSP3s in particular. A definition of P3 is provided and a description is given of what makes P3s succeed or fail, in general terms. Section 2 goes on to argue that for P3s to be successful they need an Enabling Environment. A working definition of a CSP3 is then proposed before describing the characteristics of CSP3s and identifying what makes them different from one another. Section 3 is dedicated to CSP3s’ key success factors. These are described in the context of the findings of this study based on the literature review, desktop research and interviews/conversations with a select number of businesses from the public and private sector. This section argues that three success factors are fundamental for any CSP3, namely: Trust, Commitment and Clarity of Roles and Responsibilities (see figure 1 below). The section then presents the CSP3 Enabling Environment that fosters these three critical success factors (CSFs).

Figure 1: Cyber Security Public-Private Partnerships’ Environment for Success

Section 4 describes the building blocks, or dimensions, of CSP3s’ Enabling Environment. Section 5 provides examples of CSP3s from UK/EU and Africa. In this section an attempt is made to show how successful CSP3s benefitted from a rich Enabling Environment (one that provides all the dimensions required by the CSP3) and how an inadequately developed Enabling Environment can hamper CSP3s’ progress.

Conclusions and recommendations are to be found in Section 6 summarising the key outputs of this research and a clear set of recommendations that can be used to inform strategic plans for setting up CSP3s in developing countries. This section also points at potential future research in this area. All the references used, a bibliography and appendices are listed at the end of the document.


2. PUBLIC PRIVATE PARTNERSHIPS

For the purpose of this report, we draw upon the US National Council for Public Private Partnerships’ definition of a public-private partnership (NCPPP, 2016):

a contractual arrangement between a public agency (federal, state or local) and a private sector entity. Through this agreement, the skills and assets of each sector (public and private) are shared in delivering a service or facility for the use of the general public. In addition to the sharing of resources, each party shares in the risks and rewards potential in the delivery of the service and/or facility.

P3s are different from contractual agreements whereby the public sector (or government) sub-contracts a private company to deliver a specific product (e.g. build a bridge or a building). The key difference for a P3 stems from the fact that the partners share Resources (assets, skills, expertise, and financing); Risk and Reward.

2.1. What is a CSP3?

For the purposes of this work we define a cyber security public private partnership (CSP3) as follows:

A CSP3 is a collaborative agreement whereby government or public organisations engage in cooperative ventures with industry or academia to mitigate cyber security risks through enhancing cyber defence capabilities, cooperation and information sharing.

2.2. Characteristics of CSP3s

The above definition applies to all the examples cited in the case studies (see section 5) but the partnerships themselves are different and come in a variety of shapes and forms depending on their “raison d’être” and the enabling environment within which they were formed. The European Union Network and Information Security Agency (ENISA) defines a taxonomy of the different components that characterise the collaborative agreements in a CSP3 (ENISA, 2011). ENISA’s preliminary taxonomy comprises seven components, each with a set of characteristics that could guide the implementation choices for a CSP3. Taking this taxonomy into account, and the interviews with our partner organisations, we describe below the principal characteristics of a CSP3 based on three main components, namely: governance structure, target and setting as illustrated in figure 2. All three components combine to define the nature of the CSP3 and its specific characteristics.


2.2.1 Governance Structure

This component covers how the P3 is organised, its rules and financing and how partners work together. There are mainly two types of governance models as described in the literature (Clark & Hakim, 2017), (Carr, 2016), (Hodge & Greve, 2005) and (Klijn et al., 2008). The first type is hierarchical. The government defines the requirements of the task and the other partners collaborate to deliver those requirements. Osborne and Gaebler (1992) used a ‘rowing and steering metaphor’ to illustrate this model of governance: government should steer, while other actors should row. This is not very dissimilar from a government-supplier relationship. The second type of governance is horizontal. In this model, the public and private actors jointly formulate a problem and work together to achieve a solution. In both models of governance, roles and responsibilities, goals, timelines, finances, expectations and protocols in relation to information and resource sharing need to be explicitly agreed and reviewed regularly as the project progresses.

2.2.2 Target

The second component covers the scope, services and the nature of threat that the partnership is dealing with. The Scope covers what aspects of security and resilience the P3 addresses. The Services are the goals or the “raison d’être” of the partnership. The Services element describes, in as much detail as possible, the aims and objectives of the work that the partners would like to achieve as part of this partnership. Such services cover, for example, training/education, protecting critical infrastructure, and innovation. The Threat covers the types of security threats that the P3 considers within its scope and which helps define the detail in the services provided. When looking at the UK/Europe CSP3s we identified six key areas around which the partnership targets are defined (see Appendix 2):

Figure 2: Characteristics of a Cyber Security Public-Private Partnership


Encouraging the improvement of cyber security awareness and understanding across organisations and citizens.

Initiatives designed to identify, inspire and enable more people to become cyber security professionals. Improving the national pool of cyber skills.

Research and development in the sphere of cyber security.

Crime prevention and Action Fraud.

Cyber security certification and accreditation.

Connection and collaboration of cyber security organisations.

2.2.3 Setting

This third component specifies the nature of the environment in terms of coverage, start-up, links and timeline. The Coverage specifies whether the P3 involves partners at a national, pan-European or international level, as well as whether its focus is thematic, sectoral or cross-sectoral. Start-up describes how the P3 was initiated, how it evolved and grew, as well as the incentives used to encourage participation. Links describes what relationships the P3 has with other P3s and organisations outside its immediate membership. Finally, the Timeline describes whether the P3 is time-bound with a specific date of completion or one that can be on-going.

The way the three components (Governance, Target and Setting) are put together has an impact on what the CSP3 will require in terms of legal aspects, financial support, and other operational procedures. In Section 2.4 below, we describe these requirements in more detail as part of the Enabling Environment within which P3s are formed. Before describing this Enabling Environment we briefly outline the key ingredients of effective P3s.

2.3 What makes a P3 work?

A number of published reports provide guidance on forming successful P3s. In 2003, the European Commission Directorate-General (Regional Policy) issued guidelines for successful P3s, which stress the importance of flexibility from all partners involved, as well as transparency, an effective legislative and control framework and the need for each partner to recognise the objectives and needs of the other (ECDG, 2003). These guidelines are presented in the context of influencing the successful integration of public grants, private funds, and European Commission financing. At the Women Deliver 2013 conference in Kuala Lumpur, Malaysia, during a plenary session on “The Challenges and Benefits of Partnership”, leaders from government, corporations and the non-profit sector looked to answer this same question. During a Q&A panel discussion Klaus Brill, Vice President of Corporate and Commercial Relations at Bayer Healthcare Pharmaceuticals, identified four broad factors necessary for any partnership to succeed (Brill, 2013):

Ownership of your goals

A clear commitment to achieving them

Mutual reliance and trust among the partners

Accountability and clarity on the partners’ roles

These factors are not very dissimilar from the ones outlined by the European Commission (ECDG, 2003) but apply to any type of partnership. We mention them here because the same, and similar, factors are identified by this research as having a significant impact on the success or failure of CSP3s (see Section 3). However, the presence or otherwise of these factors depends greatly on the environment within which the P3 is formed.

2.4 P3s’ Enabling Environment

P3s need the right environment within which to flourish. They cannot be set up in an ad-hoc manner. Governments play a principal role in setting up an Enabling Environment to facilitate the development of successful P3s. The United Nations Economic and Social Commission for Asia and the Pacific (ESCAP) programme summarises the four key enablers of P3s as depicted in figure 3 below.

Figure 3: The Four Key Dimensions of Public-Private Partnerships’ Enabling Environment (Adapted from: http://www.unescap.org/our-work/transport/financing-and-private-sector-participation)

2.4.1 Policy Formulation

This is required to define the long-term vision and strategy. This helps to build consensus internally and secure high-level political support.

2.4.2 A Legal and Regulatory Framework

This provides a clear legal basis, mechanisms for dispute resolution, a fair and transparent procurement framework and methodologies for tariff setting. Once in place, the framework speaks directly to the main success factors of P3s, particularly trust and commitment.

2.4.3 The Institutional Arrangements

These enable the clear allocation of responsibilities: who is approving what and when, who is in charge of promoting P3 solutions, screening of P3 applications, performance monitoring, technical support, etc. They should also cover details of where the expertise is coming from. Some governments set up a P3 Unit to establish and oversee these arrangements. A selection of P3 Units in different countries around the world is published by the World Bank and can be found here: https://ppp.worldbank.org/public-private-partnership/overview/international-ppp-units.

2.4.4 Financial Support

Financial Support mechanisms are required to develop a P3 programme. Part of the development costs might be coming from the private bidders but there needs to be additional support to ensure that the partnership is financially attractive. Examples of such support can include tax incentives or guarantees to cover risks that the private partner is not able to take. For examples of Enabling Environments, please see section five ‘Case Studies’.


3. CRITICAL SUCCESS FACTORS FOR CSP3s

There is no intention here to provide a comprehensive guide to all the constraints that affect the delivery of successful CSP3s. The desktop research and the interviews we conducted with a number of cyber and technology companies indicate that there are three main critical success factors that have a significant impact on the results achieved by CSP3s. These are:

Trust between partners

Clarity of roles

Commitment of all parties to the partnership’s aims

These are inter-related and inter-dependent. The absence of one can impact the others, leading to difficulties in implementing the objectives of the CSP3s. Below is a summary of our findings in relation to each of these success factors.

3.1 Trust Between Partners and its Impact on Information Sharing

When entering into a strategic partnership, both public agencies and private companies need trust built on openness, fairness and mutual respect. In the case of CSP3s a significant test to the issue of trust is information sharing. Participants need to feel that they gain additional useful information by being part of the partnership and, at the same time, that their data is safe and secure. This is particularly difficult in the case of CSP3s given the sensitivities surrounding the information that needs to be shared. From the private sector point of view the sharing of information can be difficult for the following reasons:

information held by the organisation is an asset. It is often sold as a service. Therefore, any sharing of information should contribute, directly or otherwise, to the organisation’s growth.

limited guarantees that the information shared by private companies would not end up in the hands of their competitors.

there is also an issue about the image of the business if it elects to share its vulnerabilities (White, 2016).

From a government point of view, sharing information in a timely manner is not always easy for reasons that include:

security clearance, notwithstanding its crucial role, can become a barrier that hampers or delays the process of sharing information.

The public sector cannot always vouch for the accuracy of the information that it shares, especially when collected from other sources. This is not helped by the fact that there are fewer ways for government to share unverified information on a „user beware‟ basis, hence the need for revisions and checks that delay the process of releasing the information in a time-critical sector.


Human/personal relationships play an important role in alleviating some of these difficulties. One of the interviewees we spoke to has spent more than a decade working in the field of cyber research and speaks passionately about the importance of this bond:

“You need to create an emotional bond with people over security, make it resonate with them. You need to talk in a language they understand, whether that be risk, revenue, compliance, the impact on them personally – whatever it is, you need to make that connection.”

A number of partnerships have demonstrated that Trust has been, or can be, achieved. Below are examples of such partnerships:

- The UK National Innovation Centre in Cheltenham (aka the Accelerator), and the CSP3 between WAYRA (a branch of Telefonica), GCHQ and the Department of Culture, Media & Sport. The Accelerator acts as an “interface platform” (or a “platform of trust”) between government secret zones and the public/private sector. This platform of trust, set on neutral grounds, enables members of the public/private sector to collaborate closely with GCHQ’s experts on start-up projects that have potential to create cyber solutions to acute cyberspace problems.

- Recognising the need for such a platform of trust, the Council of Europe’s Budapest Convention on Cyber Crime created the foundation of trust relationships amongst the signatories, whereby information and best practice are shared safely and securely.

- The US National Institute of Standards and Technology (NIST) developed the Cyber Security Framework for improving critical infrastructure (NIST, 2014). The framework comprises simple guidelines that help communicate risk in ways that everyone understands, from the server room to the boardroom. The framework acts as a platform of trust and, although voluntary, it has been widely used by different segments of the private sector, including Microsoft, Intel, various banks and energy companies.

- The Information Security Forum (https://www.securityforum.org/) prides itself on providing its members with a trusted and confidential environment that enables them to share information and best practice covering a number of cyber-related areas including Critical Infrastructure Protection.

- The Cyber Defence Unit (CDU) of the Estonian Defence League, a voluntary organisation consisting of experts from governmental agencies as well as private companies, with a mission to protect Estonia’s high-tech way of life, including protection of information infrastructure and supporting broader objectives of national defence. By participating in the various activities organised by the CDU, members not only refine their knowledge and skills but create informal communication channels and relationships of trust that are central to effective collaboration in the future.

- The Global Forum on Cyber Expertise (GFCE, https://www.thegfce.com/), a platform for countries, international organisations and private companies to exchange best practices and expertise on cyber capacity building. Launched in April 2015, the GFCE’s primary objective is to provide a dedicated, informal platform for policymakers, practitioners and experts from different countries and regions to facilitate sharing experience, expertise and assessments on key regional and thematic cyber issues. The initial focus areas for capacity and expertise building are cyber security, cybercrime, data protection and e-governance.

People are more inclined to share information with colleagues who they trust and with whom they have a professional bond.

Sharing information is key to effective Cyber Security Partnerships. This can be fostered through “platforms of trust” within which all parties have guarantees that information is shared in a safe, secure and confidential manner.

Sharing information, knowledge and good practice is crucial to the success of CSP3s. This behaviour must be underpinned by trust and buy-in from all parties. The above examples show how platforms can be facilitated to foster trust between the partners. Such platforms can be online or physical face-to-face environments within which all parties have guarantees that information is shared in a safe, secure and confidential manner. The challenge lies in the difficulties inherent to the timely exchange of information while at the same time protecting the confidentiality of data, safeguarding civil liberties, and managing competing financial and human resources and interests.

To lessen some of these difficulties and foster greater trust between the participants, formal arrangements are used between partners in addition to human relationships. These arrangements may assign a particular grading to information, which defines how and when information can be used. Examples of such arrangements include:

- On-line platforms. Examples include the Austrian ICT Security Portal or the Belgian B-CCENTRE (Belgian Cybercrime Centre of Excellence for Training, Research and Education), which are used as platforms for sharing cyber security assets within the public and private sectors (ITU, 2015). The level of sensitivity of the information is defined using mechanisms such as the Traffic Light Protocol, which classifies information into four levels: red, yellow, green, and white.

- Traditional Non-Disclosure Agreements (NDAs). One example is the U.S. Defense Security Information Exchange (DSIE). This is an information exchange network for U.S. Defense Industrial Base companies to share information on cyber-related events and attacks. In order to facilitate sharing, DSIE members sign an NDA, which states that all information is non-attributional and that only DSIE members can view the information (Vasquez, 2012). An exemplar NDA is provided in Appendix 1.


However, regardless of the mechanism used, open and frequent communication is crucial. Participants’ trust in each other increases over time as they build a rapport with one another. For this, there is little evidence to support substituting face-to-face meetings with other means of communication, particularly in the early stages of the partnership.

Figure 4: Trust: a pre-requisite for successful CSP3s

3.2 Clarity of Roles and Responsibilities

The roles and responsibilities of each partner should be clearly defined and agreed before the start of the partnership, then reviewed and monitored throughout its duration. They should be unambiguous and should form part of a contractual agreement (in the form of a Memorandum of Understanding or other collaboration arrangement) detailing the different phases of the project, the organisation structure (committees, chairs, secretariat, coordination, other membership) and what each partner is expected to deliver and by when.

3.3 Commitment and Buy-in

Once roles and responsibilities are identified and agreed, they must be adhered to throughout the duration of the partnership, except where changes are needed as part of cyclic reviews. Representatives of the cyber security industry have underscored the importance of securing commitment from all parties to the agreed goals and objectives through securing the necessary resources and assets required for the successful completion of the project. Some of our partners, interviewed as part of this research, indicated that a factor that affects the success of CSP3s is the ambiguity that can arise from the level of resource dedicated to a specific task (e.g. the government reduces the funding allocated to a P3 halfway through the programme, or expectations of what needs to be achieved keep changing/growing – achieve more with less). This can lead to members of the partnership disengaging (partly or wholly) from the project. Partners expressed strong views about the need to adhere to what is agreed and that any changes are discussed with all participants, through the CSP3’s agreed communication mechanisms. Funding mechanisms should be flexible enough to deal with late delivery of the project for reasons outside one partner’s control.

Figure 5: Clarity of Roles & Commitment: Two Critical Factors for Effective CSP3s


4. CSP3s’ ENABLING ENVIRONMENT

Section 2.4 introduced the Enabling Environment as an essential requirement for fostering the three critical success factors of effective P3s in general. In this section we revisit this environment with a specific focus on CSP3s. The Global Cyber Security Capacity Centre at the University of Oxford, UK (GCSCC, 2014) devised a five-dimension model describing the environment required for an effective and efficient national cyber security capacity. The Cybersecurity Capacity Maturity Model enables policy makers to define priorities for capacity building and investments. The model’s five dimensions are:

1. Policy and Strategy
2. Standards, Control and Technology
3. Law and Regulation
4. Education and Training
5. Culture and Society

Although the GCSCC model is not specific to CSP3s, it does describe an environment for an effective cyber security capacity. On the other hand, the Enabling Environment introduced in Section 2.4 is one that is suitable for P3s but is not specific to CSP3s. A mapping between the GCSCC model and the Enabling Environment for P3s introduced in Section 2.4 shows that, in the specific case of CSP3s, the Enabling Environment should cover the GCSCC’s five dimensions above as well as an explicit reference to two further dimensions, namely:

6. Institutional Arrangements
7. Financial Support

These two further dimensions are particularly needed to ensure that within the partnership, and amongst the partners, there exist Clarity of Roles & Responsibilities and Commitment.

The Institutional Arrangements for CSP3s enable clear allocation of responsibilities within government departments and amongst partners (who is approving what and when, who is in charge of promoting CSP3s solutions, screening of CSP3s applications, allocation of budgets, performance monitoring, technical support, etc.). The GCSCC Policy and Strategy model proposes the setting up of a national body to oversee the national cybersecurity strategy. A department/section within this national body could take on the specialist role of overseeing CSP3s institutional arrangement. Some governments set up a P3 Unit to establish and oversee these arrangements. The same unit, or a branch of it, can manage these institutional arrangements for CSP3s.

Financial Support mechanisms are required to be in place for CSP3s as per P3s (see section 2.4). Such mechanisms will nurture greater commitment and mutual trust. For example, the government can introduce financial enticements such as providing free training or tax incentives.

Figure 6 depicts what we believe to be the seven fundamental dimensions of CSP3s Enabling Environment. It is worth noting, however, that these dimensions do not necessarily have the same importance for the success of a CSP3. Depending on the nature of the partnership (see figure 2 and section 2.2), a dimension may be a prerequisite whilst another may not be necessary at all.

Figure 6: The Seven Dimensions of CSP3s’ Enabling Environment.

Figure 7 below shows the inter-relationship between the three critical success factors and their Enabling Environment. The Enabling Environment provides the foundation without which it would be very hard to achieve any of the three critical success factors. Moreover, it can be argued that all three factors are inter-related and the absence of one will affect the other two.

Figure 7: The Enabling Environment for the Three Critical Success Factors: Clarity of Roles, Commitment and Trust

The Enabling Environment creates the necessary structures, which will provide a basis for Clarity of Roles, Commitment and Trust.


5. CASE STUDIES

Given the fundamental requirement of an Enabling Environment that is fit for purpose, in this section we attempt to identify the dimensions that formed the basis of such an environment in the case of a few example CSP3s from the UK and Europe and a selection of countries from Africa. Because we were able to obtain more details on the Enabling Environments of UK/Europe CSP3s, we present them in tabular form showing which dimensions are required for which CSP3. For Africa we present a table showing the readiness of the Enabling Environment in each of the countries we looked at (Kenya, South Africa and Nigeria).

5.1 Example CSP3s in Europe

For their existence and success, different CSP3s require different dimensions of the Enabling Environment. Table 1 shows, however, that all CSP3s require Policy & Strategy and Culture & Society. In other words, none of the CSP3s would be effective if there was no national will, which is defined by a clear long-term vision and strategy. Nor would any of the CSP3s be as effective if business and industry had little or no recognition of the need for prioritising a cyber security mind-set (Culture & Society). That is to say that, for any CSP3 to exist and flourish, at least these two dimensions are required at national level and must be supported by both the government and the public sector.

There are CSP3 organisations that require all seven dimensions. The case of the UK NCSC and the European CSO is highlighted below. The table shows that the UK National Cyber Security Centre (NCSC) requires all seven dimensions. The NCSC brings together the UK’s cyber expertise working alongside industry, academia and international partners. The setting up of the NCSC is part of the UK Government’s £1.9bn investment in cyber security. It is one of the UK Government institutions that are set to play a major role in the nation’s defences against cyberspace threats. It is therefore no surprise that the NCSC requires, and benefits from, all seven dimensions. Indeed, the UK Cyber Security Strategy 2016-2021 refers to each of the seven dimensions in one form or another.

Another CSP3 organisation that requires, and is benefitting from, all seven dimensions is the European Cyber Security Public Private Partnership. The ESC-PPP is an alliance between the European Commission and the European Cyber Security Organisation (ECSO). This alliance is focused on promoting strategic research and innovation and developing cyber solutions for the protection of European critical infrastructures (https://www.safercybergloucestershire.uk/page/the-european-cyber-security-organisation).

A third example CSP3 that covers all seven dimensions is the German UP KRITIS. UP KRITIS is a public-private collaborative initiative between critical infrastructure operators, their professional associations and the relevant government agencies. The aim of this cooperation is to maintain the supply of critical infrastructure services in Germany (https://www.cyberwiser.eu/germany-de).


Nomenclature:
D1: Policy & Strategy
D2: Standards, Control & Technology
D3: Law & Regulation
D4: Education & Training
D5: Institutional Arrangements
D6: Culture & Society
D7: Financial Support

Dimension Required

UK/EU CSP3 (See Appendix 2)

The Seven Dimensions of the Enabling Environment

D1 D2 D3 D4 D5 D6 D7

Cyber Security Information Sharing Partnership (CiSP)

Get Safe Online

TECH (UK)

The UK National Cyber Security Centre

Cyber Security Challenge (UK)

Internet Watch Foundation (IWF)

Child Exploitation and Online Protection Centre

National Computing Centre (UK)

IASME

CyberExchange

Niteworks

ADS

The UK National Crime Agency (NCA)

The UK National Cyber Crime Unit (NCCU)

Cyber Aware Limited

European Cyber Security Organisation (ECSO)

European Financial Coalition (EFC)

European Union Agency for Network and Information Security (ENISA)

UP KRITIS

Table 1: CSP3 Organisations and the Enabling Environment Dimensions they specifically need


5.2 CSP3s in Africa

CSP3s in developing countries are primarily concerned with increasing cyber security awareness or ensuring that the cyber security capability of the country is robust. We reviewed three countries in particular, namely Kenya, South Africa and Nigeria. The choice of country is mainly based on the original research aim to focus on a group of select UK partner countries from Africa. In our review we looked for the presence of any of the dimensions of the Enabling Environment and how this presence (or lack of it) is affecting cyber security in the country and CSP3s in particular.

5.2.1 KENYA

Kenya has developed a national framework for cyber security and is being supported by organisations such as the International Telecommunication Union (ITU) and IMPACT to increase resilience in the cyber arena. The Kenyan national cyber security strategy covers most of what is required to achieve successful CSP3s. Below is a selection of relevant notes from the strategy document (Government of Kenya, 2014):

The Government of Kenya will continue to partner with government, private sector, academia, and other non-government entities to implement our Strategy in the most efficient and effective way possible.

Build national capability by raising cyber security awareness and developing Kenya’s workforce to address cyber security needs.

Facilitate an information-sharing environment focused on achieving the Strategy’s goals and objectives.

Provide national leadership by defining the national cyber security vision, goals, and objectives and coordinating cyber security initiatives at the national level.

The above gives an indication of the Kenyan Government’s intent on cyber security. One can argue that the strategy document also provides a basis for setting up a strong Enabling Environment that has the potential to nurture all three critical success factors, namely commitment, clarity of roles and trust.

The Kenyan Government set up a P3 Unit (PPPU, http://www.pppunit.go.ke/). This is an important cornerstone of an Enabling Environment for establishing P3 projects. In 2013, the Government of Kenya published the Public Private Partnership Act. This provides a good basis for developing a fully-fledged CSP3 legal framework. For instance, the Act’s mechanism for dispute resolution is by way of arbitration, with no reference to any other steps that need to be taken should the arbitration fail to achieve the desired outcome. Another area that needs looking into is Data Protection, which is not covered within the Act.


5.2.2. REPUBLIC OF SOUTH AFRICA (RSA)

In late 2015 and 2016 the RSA put forward plans for national cybercrime and cyber security. Section 11.2.2 (bullet point a) of the National Cyber Security Policy Framework (NCPF, 2015) states that:

“Inclusion of the industry and creating an enabling environment for a successful partnership”

The NCPF document gives no details about what the enabling environment should be. There is, however, enough evidence in the literature pointing to the fact that, in comparison with other developing countries, the RSA is fairly well advanced in enabling effective P3s. A P3 Unit within the Treasury governs all aspects of public-private partnerships, including legislation and financial mechanisms. Something additional that the RSA government could consider implementing is a financial incentive for further collaboration with the private sector. The country’s existing legal and regulatory framework can also be enhanced to cover legislation that is specific to CSP3s. Adekilekun carried out doctoral research looking into the legal and regulatory framework for P3s in three African countries (Nigeria, Ghana and South Africa). For the RSA, Adekilekun states that “the apparent conflicting provisions between the period for conducting feasibility studies in the Municipal Finance Management Act and the Municipal Systems Act should be harmonized” (Adekilekun, 2014).

5.2.3. NIGERIA

The Government of Nigeria entered into partnership with Oracle Corporation to address the dearth of ICT skills. There is also evidence of some form of P3 involving industry and the government. For example, the i-HQ Project is an industry-led initiative that aims to accelerate the growth of technology innovation and entrepreneurship for economic prosperity in Nigeria. The project is a partnership between MainOne, Technovision and Lagos State Government. It provides an innovation hub (YABA) for some 30 companies as well as fibre optics connectivity to academic institutions, schools and hospitals. The i-HQ Project should inform the formation of successful CSP3s in the country. Like South Africa, and perhaps more so, Nigeria should also ensure that the legal framework is fit for CSP3s. In particular, the framework should cover legislation on:

- Fair competition, to promote transparency and accountability
- Procurement
- Mechanisms for resolving CSP3s disputes

Table 2 below summarises the readiness of each of the above African countries in developing the Enabling Environment required.


Nomenclature:
D1: Policy & Strategy
D2: Standards, Control & Technology
D3: Law & Regulation
D4: Education & Training
D5: Institutional Arrangements
D6: Culture & Society
D7: Financial Support

African Country

The Seven Dimensions of the Enabling Environment

D1 D2 D3 D4 D5 D6 D7

Kenya

South Africa

Nigeria

Table 2: Readiness of Kenya, South Africa and Nigeria in Developing an Enabling Environment for Successful CSP3s

Dimension fairly well developed

Dimension requires serious attention

Dimension exists but needs attention

Dimension exists but not effective


6. CONCLUSION & RECOMMENDATIONS

In this section, we summarise the key lessons learned from the CSP3s that worked (mainly in the UK/Europe) and those that have not been as effective. We considered examples of CSP3s from the UK, Europe and Africa. We believe that there is enough evidence to make the following recommendations:

Recommendation 1: For any CSP3 to succeed, Trust is crucial; otherwise the partnership will fail before it starts (or soon after), for the parties involved will not be willing to share information to support the work of the CSP3.

Recommendation 2: Trust cannot be achieved without an Enabling Environment that provides a basis for a legal framework, institutional arrangements (e.g. a P3 Unit) and an investment scheme for the finances required.

Recommendation 3: Different CSP3s and different countries will perhaps need to place different weights on the importance of the dimensions of the Enabling Environment. However, based on the work done to date, we recommend the following as pre-requisites:

Formulation of a policy and strategy, with a clear implementation plan

A P3 Unit, or equivalent, that sits within a government ministry (e.g. Ministry of Finance/Interior) but whose membership comprises members of the private and public sectors. Part of the remit of the P3 Unit is to:

o Ensure CSP3s are aligned with the national strategy and policy

o Clarify roles and responsibilities

o Create communication platforms

o Monitor and communicate progress

A contextualised legal framework, and one that encompasses all the laws and regulations that are pertinent to CSP3s (e.g. Data Protection Act, Dispute Resolution, Fair Competition)

A Finance Scheme outlining how the CSP3s will be funded, supported by public and private investment and financial incentives (e.g. tax incentives for private investors)

An education and training programme to improve general awareness but also to build capacity, including skills and the development of innovative solutions to combat cybercrime


Agencies across all levels of government as well as the private sector (including all SMEs) must foster a proactive cyber security mind-set leading to cyber security becoming a standard item in the organization’s strategic thinking and planning.

Recommendation 4: Communication should be continuous. Communication is not an event (e.g. a strategy launch). Communication is a crucial process upon which depends the success of the CSP3. Although online platforms (using traffic light protocols for example) are helpful and should be organised whenever possible, the importance of face-to-face meetings and personal bonds cannot be emphasised enough.

There is however more work to be done, particularly to develop a deeper understanding of the different dimensions of the Enabling Environment. More research is needed to understand how the dimensions relate to one another and to ascertain to what extent there is a level of prioritisation in the implementation of these dimensions. This should lead to an implementation framework that can be used to support the execution of cyber strategies through successful CSP3s in developing countries.


References & Bibliography

Abdulkareem, A.K., 2015. Challenges of E-Government Implementation in the Nigerian Public Service. Journal of Creative Writing, 1(4), pp.45–56.

Adekilekun, M. T., 2014. Legal and Regulatory Framework for Public-Private Partnerships in Infrastructure Development: A Case Study of Three African Models and Core International Frameworks. PhD Thesis, Faculty of Law, University of Malaya, Kuala Lumpur, 2014.

Boeke, S., Heinl, C.H. & Veenendaal, M.A., 2015. Civil-Military Relations and International Military Cooperation in Cyber Security: Common Challenges & State Practices Across Asia and Europe. In M. Maybaum, A.-M. Osula, & L. Lindström, eds. 7th International Conference on Cyber Conflict. Tallinn: NATO CCD COE Publications, pp. 69–80.

Brill K. 2013. What makes a public-private partnership work? Leaders share lessons learned at Women Deliver 2013, Kuala Lumpur. http://www.ipmglobal.org/publications/what-makes-public-private-partnership-work-leaders-share-lessons-learned-women-deliver. Accessed 15 December 2016.

Carr, M., 2016. Public-private partnerships in national cyber-security strategies. International Affairs, 92(1), pp.43–62.

Cavelty, M.D., 2015. Cyber Security. In A. Collins, ed. Contemporary Security Studies. Oxford: Oxford University Press, pp. 400–416.

Choucri, N., Madnick, S. & Ferwerda, J., 2014. Institutions for Cyber Security: International Responses and Global Imperatives. Information Technology for Development, 20(2), pp.96–121.

Chukwuemeka, F.A., 2017. State of Nigeria’s Cyber Security. 7 March 2017. Available at: https://cfatech.ng/state-nigeria-cyber-security/

Clinton, L., 2015. Best Practices for Operating Government-Industry Partnerships in Cyber Security. Journal of Strategic Security, 8(4), pp.53–68.

Clinton, L., 2011. A Relationship on the Rocks: Industry-Government Partnership for Cyber Defense. Journal of Strategic Security, 4(2), pp.97–112.

Council for Scientific and Industrial Research, 2011. Proceedings of the First IFIP TC9 / TC11 Southern African Cyber Security Awareness Workshop 2011. In Southern African Cyber Security Awareness Workshop 2011. Gaborone, Botswana, p. i-65.

Dlamini, I., Taute, B. & Radebe, J., 2011. Framework for an African Policy Towards Creating Cyber Security Awareness. In Southern African Cyber Security Awareness Workshop. pp. 15–31.

Daily News, 2017. http://www.dailynews.gov.bw/news-details.php?nid=1819. Accessed on 23 March 2017.

Dupré, L., Falessi, N. & Liveri, D., 2011. Cooperative Models for Effective Public Private Partnerships, Heraklion.

ECDG, 2003. Guidelines for Successful Public Private Partnerships. Available at: http://ec.europa.eu/regional_policy/sources/docgener/guides/ppp_en.pdf

Economic Commission for Africa & African Union Commission, 2011. Draft African Union Convention on the Establishment of a Credible Legal Framework for Cyber Security in Africa.

Electronic Communications Resilience & Response Group, Telecommunications Networks – a vital part of the Critical National Infrastructure, Available at: https://whitehall-admin.production.alphagov.co.uk/government/uploads/system/uploads/attachment_data/file/86097/telecommunications-sector-intro.pdf.

ENISA, 2011. Cooperative Models for Effective Public Private Partnerships, Desktop Research Report. Available at https://www.enisa.europa.eu/publications/copy_of_desktop-reserach-on-public-private-partnerships

ENISA, 2014. An Evaluation Framework for National Cyber Security Strategies, Heraklion: ENISA. Available at: http://www.enisa.europa.eu.

Espelt, R., 2015. Lessons Learned And Best Practices in Public-Private Partnership Projects, Washington, D.C.

European Commission, 2015. Public Private Partnership on CYBER SECURITY.

Farwell, J.P., 2012. Industry’s Vital Role in National Cyber Security. Strategic Studies Quarterly, Winter, pp.10–41.

Fick, J., 2009. Cyber Crime in South Africa: Investigating and Prosecuting Cyber Crime and the Benefits of Public-private Partnerships, London. Available at: http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/Documents/Reports-Presentations/2079if09pres_JaquiFick_southafrica.pdf.

GCSCC, 2014. Cyber Security Capability Maturity Model (CMM) – V1.2, Global Cyber Security Capacity Centre, University of Oxford, 15-12-2014.

Government of Kenya, 2014. Cyber Security Strategy, Nairobi, Kenya.

Hakim, S. & Clark, R.M., 2017. Cyber-Physical Security. R.M. Clark & S. Hakim, eds. Cham, Switzerland: Springer International Publishing.

Hammami, M., Ruhashyankiko, J.-F. & Yehoue, E.B., 2006. Determinants of Public-Private Partnerships in Infrastructure.

Hare, F.B., 2010. The Interdependent Nature of National Cyber Security: Motivating Private Action for a Public Good. George Mason University.

Hathaway, M. et al., 2015. Cyber Readiness Index 2.0, A Plan for Cyber Readiness: A Baseline and an Index, Arlington, VA. Available at: http://www.potomacinstitute.org/images/CRIndex2.0.pdf.

Heal, G. et al., 2006. Interdependent security in interconnected networks. In P. E. Auerswald et al., eds. Seeds of Disaster, Roots of Response: How Private Action Can Reduce Public Vulnerability. Cambridge: Cambridge University Press, pp. 258–275.

HM Government, 2013. National Cyber Security Strategy 2016-2021, Available at: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/567242/national_cyber_security_strategy_2016.pdf.

HM Government, 2016. National Cyber Security Strategy 2016-2021, Available at: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/567242/national_cyber_security_strategy_2016.pdf.

Intelligence and National Security Alliance, 2009. Addressing Cyber Security Through Public-Private Partnership: An Analysis of Existing Models, Arlington, VA. Available at: http://www.insaonline.org/assets/files/CyberPaperNov09R3.pdf.

Intelligence and Security Committee, 2013. Foreign involvement in the Critical National Infrastructure: The implications for national security, Norwich: The Stationery Office Limited. Available at: https://books.google.co.uk/books?id=rJBKnQEACAAJ.

ITU, 2015. Global Cyber Security Index & Cyber-Wellness Profile Report, Geneva.

Kaijankoski, E.A., 2015. Cyber security Information Sharing Between Public–private Sector Agencies. Naval Postgraduate School.

Kelly, T.K. & Hunker, J., 2012. Cyber Policy: Institutional Struggle in a Transformed World, Available at: https://kb.osu.edu/dspace/bitstream/handle/1811/73108/ISJLP_V8N2_210.pdf?sequence=1.

Kinstler, L., 2015. Here’s What the US Could Learn From Estonia About Cyber Security. Available at: http://www.nextgov.com/cybersecurity/2015/01/heres-what-us-could-learn-estonia-about-cybersecurity/103959/ [Accessed September 7, 2016].

Klimburg, A. & Zylberberg, H., 2015. Cyber Security Capacity Building: Developing Access, Oslo, Norway.

Kuriyan, R. & Ray, I., 2009. Outsourcing the State? Public–Private Partnerships and Information Technologies in India. World Development, 37(10), pp.1663–1673.

Levi, M. & Leighton Williams, M., 2013. Multi-agency partnerships in cybercrime reduction. Information Management & Computer Security, 21(5), pp.420–443.

Lewis, J.A. & Neuneck, G., 2013. The Cyber Index, International Security Trends and Realities, Geneva. Available at: www.unidir.org.

Luiijf, E. & Besseling, K., 2013. Nineteen national cyber security strategies. International Journal of Critical Infrastructures, 9(1/2), pp.3–31.

NCPPP, 2016. 7 Keys to Success. Available at: http://www.ncppp.org/ppp-basics/7-keys/. Accessed on 5 November 2016.

NIST, 2014. Framework for improving national infrastructure cybersecurity. Version 1.0, 12 February 2014.

Manley, M., 2015. Cyberspace’s Dynamic Duo: Forging a Cyber security Public-Private Partnership. Journal of Strategic Security, 8(3), pp.85–98.

Melby, A., 2016. Discourse Analysis and Small State “Cyber Norms”: Estonia’s Views on Benefits, Limitations, and Cooperation. University of Tartu.

Min, K.-S., Chai, S.-W. & Han, M., 2015. An International Comparative Study on Cyber Security Strategy. International Journal of Security and Its Applications, 9(2), pp.13–20.

Estonia’s Ministry of Economic Affairs and Communication, 2014. Cyber Security Strategy 2014 – 2017.

Muller, L.P., 2015. Cyber Security Capacity Building in Developing Countries: Challenges and Opportunities.

Okuku, A., Renaud, K. & Valeriano, B., 2015. Cyber security Strategy’s Role in Raising Kenyan Awareness of Mobile Security Threats. Information & Security: An International Journal, 32, pp.1–20.

Olesen, N., 2016. European Public-Private Partnerships on Cyber security - An Instrument to Support the Fight Against Cybercrime and Cyberterrorism. In B. Akhgar & B. Brewster, eds. Combatting Cybercrime and Cyberterrorism. Advanced Sciences and Technologies for Security Applications. Brussels: Springer International Publishing, pp. 259–278.

Optimity Advisors, 2016. Study on Synergies between the civilian and the defence cyber security markets - Final Report, Luxembourg: Publications Office of the European Union.

Pawlak, P. & Wendling, C., 2013. Trends in cyberspace: can governments keep up? Environment Systems and Decisions, 33(4), pp.536–543.

Peters, M.A., 2015. Education As the Power of Partnership: the Context of Co-labor-ation. Knowledge Cultures, 3(5), pp.16–30.

Rosenzweig, P., 2010. The Organisation of the United States Government and Private Sector for Achieving Cyber Deterrence. In Workshop on Deterring CyberAttacks: Informing Strategies and Developing Options for U.S. Policy. National Academy of Sciences. Available at: http://www.nap.edu/catalog/12997.html.

Shackelford, S.J. et al., 2015. Toward a Global Cyber security Standard of Care?: Exploring the Implications of the 2014 NIST Cyber security Framework on Shaping Reasonable National and International Cyber security Practices. Texas International Law Journal, 50(2), pp.303–353.

Shafqat, N. & Masood, A., 2016. Comparative Analysis of Various National Cyber Security Strategies. International Journal of Computer Science and Information Security (IJSIS), 14(1), pp.129–136.

State Security Agency, 2015. National Cyber security Policy Framework for South Africa.

Stavridis, J. & Farkas, E.N., 2012. The 21st Century Force Multiplier: Public–Private Collaboration. The Washington Quarterly, 35(2), pp.7–20.

Standard Reporter, 2017. “Government in Covert Talks to Eavesdrop”. Standard Reporter, 27 March 2017, Gaborone, Botswana.

The European Files, 2016. Cybercrime Cyber Security. Cyberdefence in Europe, (40). Available at: http://www.europeanfiles.eu/wp-content/uploads/issues/2016-january-40.pdf.

Twaakyondo, H.M., Bhalalusesa, E.P. & Ndalichako, J.L., 2002. Factors Shaping Successful Public Private Partnership in the ICT Sector in Developing Countries: The Case of Tanzania.

Vaks, T., Summary of the Estonian Information System’s Authority on Ensuring Cyber Security in 2012, pp.1–5.

Vázquez, D.F. et al., 2012. Conceptual Framework for Cyber Defense Information Sharing within Trust Relationships. In C. Czossek, R. Ottis, & K. Ziolkowski, eds. 2012 4th International Conference on Cyber Conflict. Tallinn: NATO CCD COE Publications, pp. 429–445.

Watkins, B., 2014. The Impact of Cyber Attacks on the Private Sector, Available at: http://pdc.ceu.hu/archive/00007108/01/AMO_cyber-attacks_2014.pdf.

White, L., 2016. British banks keep cyber attacks under wraps to protect image. Available at: http://uk.reuters.com/article/us-britain-banks-cyber-idUKKBN12E0NQ?il=0 dated 14 October 2016. Accessed 11 June 2017.

White, R.H. et al., 2015. Cyber security and National Defense: Building a Public-Private Partnership, Available at: http://digitalcommons.law.uga.edu/rusk_oc/9.

APPENDIX 1 Exemplar of a Non-Disclosure Agreement Between Two English Organisations.

THIS AGREEMENT is made the Date

PARTIES:

(1) Organisation A whose registered office is at Address and

(2) Organisation B whose registered office is at Address (the “Company”)

(each a “Party” and together referred to as the “Parties”)

RECITALS:

Each Party has agreed to disclose to the other Party without charge and has agreed to keep confidential certain Confidential Information (as defined in this Agreement) subject to the terms and conditions hereinafter contained for the purpose of entering into agreements for the supply of goods and/or services to Organisation A and/or Organisation A’s clients in respect to the procurement of services from the Company (“the Purpose”).

In consideration of the mutual covenants and promises contained in this Agreement NOW IT IS HEREBY AGREED as follows:-

1. The following expressions shall unless the context otherwise admits have the following meanings:-

“Authorised Person” means, in relation to either Party, a Representative of such Party to whom disclosure of Confidential Information is necessary to fulfil the Purpose;

“Confidential Information” means the financial, business and technical or other data and all other information (whether written, oral or on magnetic or other media) disclosed or furnished by either Party (the “Disclosing Party”) to the other Party (the “Receiving Party”), or any company within the Receiving Party’s Group or its Representatives which is either designated by Disclosing Party as being proprietary or confidential or which, given the circumstances surrounding disclosure, ought reasonably to be deemed to be proprietary or confidential;

“Group” shall mean the group composed of any Party, its ultimate Holding Company, and all Subsidiary Companies of the Party’s ultimate Holding Company as such expressions are defined in Section 1159 Companies Act 2006;

“Purpose” has the meaning in the Recital;

“Representative” shall mean any director, officer, employee, agent, advisor, contractor or consultant of either Party or any company in such Party’s Group.

2. This Agreement shall remain in force until terminated by either Party giving to the other one month’s notice of termination.

3. In consideration of the disclosure of Confidential Information by the Disclosing Party to the Receiving Party, each Party agrees that, as the Receiving Party, it:

3.1 shall keep the Confidential Information confidential subject to the terms and conditions of this Agreement;

3.2 shall not use the Confidential Information or any part of it for any purpose other than the Purpose;

3.3 shall not disclose the Confidential Information or any part thereof to any person other than an Authorised Person and shall require that each such Authorised Person shall comply with confidentiality provisions sufficient to enable the Receiving Party to comply with the provisions of this Agreement;

3.4 shall not take any copies or make any summaries or transcripts of the whole or any part of the Confidential Information save as is strictly necessary for the Purpose and all such copies, summaries and transcripts shall be deemed to be, and shall be clearly identified as being, Confidential Information;

3.5 shall notify the Disclosing Party immediately it becomes aware that any Confidential Information has been disclosed to or is in the possession of any person who is not an Authorised Person and assist the Disclosing Party to recover such Confidential Information if required by the Disclosing Party; and

3.6 shall keep all Confidential Information in a safe and secure place and shall treat all Confidential Information in a manner which is no less secure than the manner in which it treats its own confidential and/or proprietary information.

4. Notwithstanding any other provisions hereof, the Receiving Party shall not be liable for release or disclosure of, and the confidentiality obligations hereunder shall not apply to, any Confidential Information that:-

4.1 is required by law or any government or other regulatory authority to be disclosed, provided that the Receiving Party has provided the Disclosing Party with reasonable notice prior to such disclosure in order to give the Disclosing Party a reasonable opportunity to seek a protective or equivalent order;

4.2 is or comes into the public domain through no fault of the Receiving Party;

4.3 is known to the Receiving Party prior to the disclosure by the Disclosing Party without obligation to keep such Confidential Information confidential;

4.4 is subsequently obtained by the Receiving Party from a third party without breach of any obligation of confidentiality owed to any third party or the Disclosing Party;

4.5 is independently developed or acquired by the Receiving Party or a company within the Receiving Party’s Group without any breach of this Agreement; or

4.6 is approved for public release by the Disclosing Party, such consent to be specific and in writing.

5. Upon termination of this Agreement, or upon the request of the Disclosing Party, the Receiving Party shall return all the materials, data, documents, papers and all copies thereof containing the Confidential Information or any part thereof (hereinafter called “Materials”) received by it or supplied to it by the Disclosing Party or (if so required by the Disclosing Party) shall destroy the Materials and shall give written confirmation that it has destroyed the Materials pursuant to this Clause 5.

6. Notwithstanding the termination for whatever reason of this Agreement the obligations of confidentiality shall, unless otherwise agreed in writing, continue for a period of five (5) years in respect of Confidential Information disclosed pursuant to this Agreement from the date of the disclosure of the Confidential Information.

7. All Confidential Information shall be deemed (and all copies thereof or any part or parts thereof shall become upon the creation thereof) and shall remain the property of the Disclosing Party.

8. This Agreement shall not operate as an assignment or grant of licence to the Receiving Party of any patents, copyrights, registered designs, unregistered designs, trademarks, trade names or other rights of the Disclosing Party as may subsist in or be contained in or reproduced in the Confidential Information.

9. The Disclosing Party makes no representations or warranties as to the accuracy or completeness of the Confidential Information disclosed.

10. Nothing in this Agreement shall impose or be deemed to impose on either Party an obligation to disclose Confidential Information or to enter into any agreement or transaction and in particular shall not oblige either Party to enter into any agreement pursuant to the Purpose.

11. The invalidity or unenforceability of any part of the Agreement for any reasons whatsoever shall not affect the validity or enforceability of the remainder.

12. Each Party shall keep confidential the existence of and the contents of this Agreement and all negotiations relating to this Agreement and/or the Purpose and shall not use or permit to the other Party to use the name of the other Party in any advertisement or publicity campaign or other disclosure without the prior written consent of the other Party.

13. The Parties agree that money damages would not be a sufficient remedy if a Party is in breach and the Disclosing Party will be entitled to seek any legal remedy or relief to prevent any breach, or anticipated breach, by the Receiving Party as is deemed proper by a court of competent jurisdiction. This right shall be in addition to the Disclosing Party’s other rights in law or in equity.

14. This Agreement constitutes the entire Agreement and understanding between the Parties with respect to its subject matter and replaces all previous agreements between, or understandings by, the Parties with respect to such subject matter. This Agreement cannot be varied except by written agreement signed on behalf of both of the Parties.

15. This Agreement shall be construed and governed by the laws of England and the Parties hereby irrevocably submit to the exclusive jurisdiction of the English Courts.

16. None of the provisions of this Agreement shall be deemed to have been waived by any act or acquiescence by a Party, its agents or employees, but only by an instrument in writing signed by the Parties. No waiver of any provision of this Agreement shall constitute a waiver of any other provision(s) or of the same provision on another occasion.

17. If any provision of this Agreement shall be held by a court of competent jurisdiction to be illegal, invalid or unenforceable, the remaining provisions shall remain in full force and effect.

18. Neither Party may assign this Agreement, in whole or in part, without the prior written consent of the other Party, such consent not to be unreasonably withheld.

AS WITNESS whereof the Parties or persons duly authorised on their behalf have executed this Agreement the day and year before written.

Signed by: …………………………………………..

For and on behalf of

ORGANISATION A

PRINT NAME:

POSITION:

Signed by: …………………………………………..

For and on behalf of

ORGANISATION B

PRINT NAME: Name

POSITION: Position

APPENDIX 2 Example Cyber Security Public Private Partnerships in the UK and Europe

Cyber Security Information Sharing Partnership (CiSP)

CiSP is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and dynamic environment, increasing situational awareness and reducing the impact on UK business.

[https://www.ncsc.gov.uk/cisp]

To become a registered CiSP member you must be:

A UK registered company or other legal entity which is responsible for the administration of an electronic communications network in the UK sponsored by either a government department, existing CiSP member, or a trade body/association.

Benefits of CiSP:

Engagement with industry and government counterparts in a secure environment

Early warning of cyber threats

Ability to learn from experiences, mistakes, successes of other users and seek advice

An improved ability to protect their company network

Access to free network monitoring reports tailored to your organisation’s requirements.

Some Industry Partners Include:

Babcock

BAE Systems

BT

EE

FireEye

Fujitsu

KPMG

Lloyds Banking Group

Microsoft

QinetiQ

TechUK

Virgin

CiSP was launched in March 2013.

[https://www.ncsc.gov.uk/cisp]

Get Safe Online

Get Safe Online provide practical advice on how to protect yourself, your computers and mobile devices and your business against fraud, identity theft, viruses and many other problems encountered online. It contains guidance on many other related subjects too – including performing backups and how to avoid theft or loss of your computer, smartphone or tablet.

Get Safe Online also organise national events - such as Get Safe Online week - and work closely with law enforcement agencies and other bodies in support of their outreach activity, internal awareness and customer online safety.

Get Safe Online is a public / private sector partnership supported by HM Government and leading organisations in banking, retail, internet security and other sectors.

Get Safe Online is a Cyber Essentials and IASME certified organisation.

Some Industry Partners Include:

Barclays

CERT-UK

City of London Police

National Crime Agency

National Police Chiefs’ Council

National Trading Standards

HM Government

HSBC

Lloyds Bank, Halifax and Bank of Scotland

Gumtree

Paypal

TalkTalk

Tesco

Get Safe Online was launched on 13th June 2005. [https://www.getsafeonline.org/]

TECH (UK) INFORMATION TECHNOLOGY TELECOMMUNICATIONS AND ELECTRONICS ASSOCIATION

TechUK represents the companies and technologies that are defining today the world that we will live in tomorrow. The tech industry is creating jobs and growth across the UK. In 2015 the internet economy contributed 10% of the UK’s GDP. 900 companies are members of TechUK. Collectively they employ more than 700,000 people, about half of all tech sector jobs in the UK. These companies range from leading FTSE 100 companies to new innovative start-ups. The majority of our members are small and medium sized businesses.

TechUK is committed to helping its members grow, by:

Developing markets;

Developing relationships and networks;

Reducing business costs;

Reducing business risks.

TechUK is the trading name for Information Technology Telecommunications and Electronics Association, a company limited by guarantee. Registered in England number 1200318.

[http://www.techuk.org/about]

The National Cyber Security Centre

The NCSC acts as a bridge between industry and government, providing a unified source of advice, guidance and support on cyber security, including the management of cyber security incidents. NCSC’s vision is to help make the UK the safest place to live and do business online.

Who are NCSC?

The National Cyber Security Centre (NCSC) is the UK’s authority on cyber security. As part of GCHQ the NCSC brings together and replaces CESG (the information security arm of GCHQ), the Centre for Cyber Assessment (CCA), Computer Emergency Response Team UK (CERT UK) and the cyber-related responsibilities of the Centre for the Protection of National Infrastructure (CPNI).

The NCSC has access to some of the most sophisticated capabilities available to government. We acknowledge the sensitivity of these resources, whilst working to make the benefits of our expertise as widely available as possible.

How NCSC Work?

The NCSC is open and accessible, working collaboratively with other government agencies and departments, law enforcement, defence, the UK’s intelligence and security agencies and our international partners. The NCSC recognises the value of diversity and different perspectives and brings together a unique range of talents, skills and experience to tackle the hardest cyber security challenges that we face.

Purpose

The NCSC’s main purpose is to reduce the cyber security risk to the UK by improving its cyber security and cyber resilience. We work together with UK organisations, businesses and individuals to provide authoritative and coherent cyber security advice and cyber incident management. This is underpinned by world class research and innovation.

The NCSC recognises that, despite all efforts to reduce risks and enhance security, incidents will happen. When they do, the NCSC will provide effective incident response to minimise harm to the UK, help with recovery, and learn lessons for the future.

The NCSC was launched on 1st October 2016.

[https://www.ncsc.gov.uk/about-us]

Cyber Security Challenge (UK)

They are a private company sponsored (paid for) by the UK Government to conduct cyber security challenges in the UK to recruit people into the industry.

Cyber Security Challenge UK is a series of national competitions, learning programmes, and networking initiatives designed to identify, inspire and enable more people to become cyber security professionals.

Established to bolster the national pool of cyber skills, it offers a unique programme of activities to introduce sufficient numbers of appropriately skilled individuals to learning and career opportunities in the profession.

Some of the organisations sponsoring the Cyber Security Challenge:

BT

Cabinet Office

Northrop Grumman

SANS

UKCLOUD

IRM

AIRBUS

BAE

Bank of England

Barclays

GCHQ

NCC Group

National Grid

National Cyber Security Centre

National Crime Agency

Cyber Security Challenge (UK) with BT are developing free cyber security plans for Computer Science GCSEs. [https://cybersecuritychallenge.org.uk/about]

Internet Watch Foundation (IWF)

The IWF work in partnership with the online industry, law enforcement, government, and international Hotlines and partners to minimise the availability of criminal online content, specifically:

Child sexual abuse content hosted anywhere in the world;

Criminally obscene adult content hosted in the UK;

Non-photographic child sexual abuse images hosted in the UK.

The IWF is funded by the EU and Member organisations from the online industry, including internet service providers (ISPs), mobile operators, content providers, hosting providers, filtering companies, search providers, trade associations and the financial sector. We work together to ensure UK networks provide a hostile environment for hosting child sexual abuse images and to protect UK internet users from inadvertent exposure to such content.

Industry self-regulation and multi-stakeholder partnership is at the core of the IWF’s model, operations and success.

IWF work with UK government to influence initiatives developed to combat online abuse and this dialogue goes beyond the UK and Europe to promote greater awareness of global issues, trends and responsibilities. We work nationally and internationally with a range of organisations and stakeholders to encourage united global responses to the problem and wider adoption of good practice in combating child sexual abuse images on the internet.

Our donors provide us with a range of services.

[https://www.iwf.org.uk/partnerships]

Donors include:

ComRes: www.comres.co.uk

Reconnix: www.reconnix.com

Salesforce: www.salesforce.com/uk

Some IWF Partnerships:

European Union

UK Safer Internet Centre

Child Exploitation and Online Protection Centre

Nominet

UK Council for Child Internet Safety

European Financial Coalition

Company Information:

Company number: 03426366.

Registered office address: Discovery House, Chivers Way, Histon, Cambridge, CB24 9ZR.

Incorporated on 29th August 1997.

[https://www.iwf.org.uk/about-iwf]

Child Exploitation and Online Protection Centre

The NCA's CEOP Command (formerly the Child Exploitation and Online

Protection Centre) works with child protection partners across the UK and

overseas to identify the main threats to children and coordinates activity against

these threats to bring offenders to account. We protect children from harm

online and offline, directly through NCA led operations and in partnership with

local and international agencies.

[https://www.ceop.police.uk/Partnerships/]

IASME

IASME is one of the four Cyber Essentials accreditation bodies appointed by the

UK Government. Together with our Certification Body companies, we can certify

you to the Cyber Essentials scheme required for many government tenders.

IASME is one of just four companies appointed as Accreditation Bodies for

assessing and certifying against the Government's Cyber Essentials Scheme. The

Scheme focuses on the five most important technical security controls. These

controls were identified by the government as those that, if they had been in

place, would have stopped the majority of the successful cyber-attacks over the

last few years.

[https://www.iasme.co.uk/]

CyberExchange

As part of the Cyber Growth Partnership, the Cyber Exchange provides a focal

point for UK organisations connected with, or with an interest in, cyber security

to connect, engage and collaborate.

The Cyber Exchange is a not-for-profit initiative. A simple registration enables

participants across industry, academia and government to interact, providing the

opportunity to place their organisations at the forefront of this UK cyber security

shop window free of charge. Once a member, the crowd-sourcing nature of the

site means organisations can list news, events and resources, raising their profile

and providing opportunities across the whole cyber sector.

Non-cyber organisations accessing the Cyber Exchange will be better able to

understand cyber security and how to protect themselves. Using the intuitive

search facility, they can find out what they may need to protect themselves from,

as well as the breadth of help available to provide that protection.

The Cyber Growth Partnership (CGP) will provide oversight and give strategic

guidance to the Government on supporting the development of the UK cyber

security ecosystem with the aim of growing a vibrant cyber security sector. This

will help to ensure that initiatives led by government are progressed with the

input and support of the cyber security industry, and take full consideration of

key stakeholders' views to maximise the benefit of the sector. The CGP will also

advise on initiatives that could address barriers to growth challenges and

provide guidance on exports. The CGP will not have a direct delivery

responsibility, but will guide, influence and oversee the work of delivery bodies.

Some CyberExchange Partnerships:

ATKINS

BAE Systems

Barclays

BT

Cabinet Office

Cisco

DCMS

GCHQ

KPMG

Queen’s University Belfast

TechUK

[https://cyberexchange.uk.net/#/about]

Niteworks

Niteworks was established by the Ministry of Defence (MOD) to help make

better, faster and more informed decisions on complex issues through a

partnership between MOD, industry and academia. Niteworks is owned by BAE

Systems.

The Niteworks partnership is based on a commercial model that facilitates

collaboration, innovation and acceleration of acquisition. The partnership

consists of the major defence companies, a diverse community of small and

medium sized enterprises and a range of specialists together with MOD and

Defence Science and Technology Laboratory (Dstl).

Niteworks adopts a systems approach and works at all levels, including

capability, enterprise, system-of-systems and system. Niteworks provides

support across all areas of the Defence Operating Model.

Niteworks is a partnership between MOD, including the Defence Science &

Technology Laboratory (Dstl), and more than 170 Partner and Associate

organisations.

[http://www.niteworks.net/]

Some Niteworks Partnerships:

Airbus

BAE Systems

CGI

HP

Lockheed Martin UK

Northrop Grumman

QinetiQ

Raytheon

Thales

[http://www.niteworks.net/membership/a-z-of-partners-and-associates]

ADS

ADS is the Premier Trade Organisation for companies in the UK Aerospace,

Defence, Security and Space Sectors. Membership is made up of 1000 UK

registered businesses.

ADS activities are focused around the following key areas:

Influencing the policy debates of most importance to our industries;

Supporting UK manufacturing and our industries’ supply chains;

Encouraging investments in technology and innovation;

Supporting business development opportunities;

Increasing Member value through a range of services;

Enhancing the profile of our industries.

[https://www.adsgroup.org.uk/about/]

Some ADS Members:

ADS has many private members across industry sectors. They have offices in the

UK, France, India and Japan.

Department of Economic Development – ISLE of MAN Government

National Crime Agency (NCA)

The NCA has a wide remit. We tackle serious and organised crime, strengthen

our borders, fight fraud and cyber-crime, and protect children and young people

from sexual abuse and exploitation.

We provide leadership in these areas through our organised crime, border

policing, economic crime and CEOP commands, the National Cyber Crime Unit

and specialist capability teams.

The NCA works closely with partners to deliver operational results. We have an

international role to cut serious and organised crime impacting on the UK

through our network of international liaison officers. They have 4,200 officers

based across the UK and in strategic locations around the world.

[http://www.nationalcrimeagency.gov.uk/about-us/what-we-do]

The National Cyber Crime Unit (NCCU) is a unit within the NCA.

The NCCU is responsible for leading, supporting and co-ordinating the UK’s

response to tackling cyber-crime. The NCCU’s response to the cyber-dependent

threat is a collaborative response structured around the Serious and Organised

Crime Strategy’s 4P approach – Pursue, Prevent, Protect and Prepare. This is

delivered using a wider range of capabilities and in conjunction with UK and

international law enforcement and Industry Partners.

Working closely with the Regional Organised Crime Units (ROCUs), the MPCCU

(Metropolitan Police Cyber Crime Unit), partners within Industry, Government

and International Law Enforcement, the NCCU has the capability to respond

rapidly to changing threats.

[http://www.nationalcrimeagency.gov.uk/about-us/what-we-do/national-cyber-crime-unit]

Cyber Aware Limited

Cyber Aware (formerly Cyber Streetwise) aims to drive behaviour change

amongst small businesses and individuals, so that they adopt simple secure

online behaviours to help protect themselves from cyber criminals: use strong

passwords made up of three random words and always download the latest

software updates as soon as they appear. This is based on expert advice from the

National Cyber Security Centre, a part of GCHQ.

Cyber Aware is a cross-government awareness and behaviour change campaign

delivered by the Home Office in conjunction with Department of Culture, Media

& Sport alongside the National Cyber Security Centre, and funded by the National

Cyber Security Programme in the Cabinet Office.

[https://www.cyberaware.gov.uk/about-us]

Some Cyber Aware Partnerships:

ActionFraud

Barclays

CIFAS

Experian

FSB

GetSafeOnline

HP

National Crime Agency

Sophos

Symantec

[https://www.cyberaware.gov.uk/our-partners]

Registered office address: Kemp House, 152 City Road, London, EC1V 2NX

Incorporated on: 25th March 2013

According to Companies House the accounts are overdue.

[https://beta.companieshouse.gov.uk/company/08459507]

Europe

European Cyber Security Organisation (ECSO)

The European Cyber Security Organisation (ECSO) ASBL is a fully self-financed

not-for-profit organisation under Belgian law, established in June 2016.

ECSO represents an industry-led contractual counterpart to the European

Commission for the implementation of the Cyber Security Contractual Public-

Private Partnership (cPPP). ECSO members include a wide variety of

stakeholders such as large companies, SMEs and Start-ups, research centres,

universities, end-users, operators, clusters and associations as well as European

Member States’ local, regional and national administrations, countries part of the

European Economic Area (EEA) and the European Free Trade Association

(EFTA) and H2020 associated countries.

ECSO is engaged in taking concrete actions to achieve these objectives by:

Collaborate with the European Commission and national public

administrations to promote Research and Innovation (R&I) in cybersecurity;

Propose a Strategic Research and Innovation Agenda (SRIA) and a

Multiannual Roadmap with its regular updates;

Foster market development and investments in demonstration projects and

pilots to facilitate bringing innovation to cybersecurity market;

Foster competitiveness and growth of the cybersecurity industry in Europe

(large companies and SME) as well as end users / operators through

innovative cybersecurity technologies, applications, services, solutions;

Support the widest and best market uptake of innovative cybersecurity

technologies and services for professional and private use;

Promote and assist in the definition and implementation of a European

cybersecurity industrial policy to encourage the use of cybersecurity

solutions as well as secure and trustworthy ICT solutions to increase digital

autonomy;

Support the development and the interests of the entire cybersecurity and ICT

security ecosystem (including education, training awareness, etc.);

Areas of interest:

ICT Infrastructure (including cloud, mobile, networks, etc);

Smart Grids (Energy);

Transportation (including Automotive / Electrical Vehicles);

Smart Buildings and Smart Cities;

Industrial Control Systems (Industry 4.0);

Public Administration and Open Government;

Healthcare;

Finance and Insurance;

[https://ecs-org.eu/about]

European Financial Coalition (EFC)

The European Financial Coalition against Commercial Sexual Exploitation of

Children Online (EFC) brings together key actors from law enforcement, the

private sector and civil society in Europe with the common goal of fighting the

commercial sexual exploitation of children online. Members of the EFC join

forces to take action on the payment and ICT systems that are used to run these

illegal operations.

[http://www.europeanfinancialcoalition.eu/]

Some EFC Partnerships:

Europol

Google

PayPal

MasterCard

European Police College

Missing Children Europe

Address: ECS – Europol, Eisenhowerlaan 73, 2517KK The Hague, Netherlands.

[http://www.europeanfinancialcoalition.eu/efc_members.php]

European Union Agency for Network and Information Security (ENISA)

The European Union Agency for Network and Information Security (ENISA) is a

centre of expertise for cyber security in Europe. The Agency is located in Greece

with its seat in Heraklion, Crete, and an operational office in Athens.

ENISA is actively contributing to a high level of network and information security

(NIS) within the Union, since it was set up in 2004, to the development of a

culture of NIS in society and in order to raise awareness of NIS, thus contributing

to proper functioning of the internal market.

The Agency works closely together with Member States and the private sector to

deliver advice and solutions. This includes the Pan-European Cyber Security

Exercises, the development of National Cyber Security Strategies, CSIRTs

cooperation and capacity building, but also studies on secure Cloud adoption,

addressing data protection issues, privacy enhancing technologies and privacy

on emerging technologies, eIDs and trust services, and identifying the cyber

threat landscape, and others. ENISA also supports the development and

implementation of the European Union's policy and law on matters relating to

NIS.

ENISA's approach is illustrated below by presenting its activities in three areas:

Recommendations

Activities that support policy making and implementation

‘Hands On’ work, where ENISA collaborates directly with operational teams

throughout the EU

[https://www.enisa.europa.eu/about-enisa]

UP KRITIS

UP KRITIS is a German public-private collaborative initiative between critical

infrastructure operators, their professional associations and the relevant

government agencies. The aim of this cooperation is to maintain the supply of

critical infrastructure services in Germany. The organisations involved

cooperate on the basis of mutual trust. They exchange ideas and experience(s)

and are learning from each other with respect to the protection of critical

infrastructure. Together, all parties are thus finding better solutions. Within the

framework of the UP KRITIS, concepts are developed, contacts established,

exercises held and a joint approach for (IT) crisis management developed and

launched.

https://www.cyberwiser.eu/germany-de