Global governance and regulation of cybersecurity: Towards coherence or fragmentation?
Tatiana Nascimento Heim is a PhD student in the department of Public Administration. (Co)supervisors are prof.dr. R.A. Wessel, prof.dr. R. Torenvlied and dr. C. Matera from the faculty of Behavioural, Management and Social Sciences and dr. J.J. Cardoso de Santana from the faculty of Electrical Engineering, Mathematics and Computer Science.
Cybersecurity governance is defined as a system of multiple levels and multiple actors, disorganized and fragmented. The lack of a clear understanding of how the instruments and actors operate creates regulatory uncertainty which delays the development of effective regulatory solutions and leaves stakeholders in the dark as to the applicable instruments. The purpose of this study is to question the aforementioned backdrop and to consider the extent to which cybersecurity governance is actually more coherent than it appears by providing a holistic perspective on the connections, relations, and interrelations between the norms and the main actors involved. The study can be classified as exploratory and descriptive research following an inductive logic which starts by collecting data, analysing it and then making descriptive inferences. In order to draw conclusions from the thesis, we analyze the findings using the dimensions of cybersecurity outlined in the classification scheme (namely, data protection, critical infrastructure, and cybercrime). In the case of critical infrastructure, where the national states have more sovereign control, we found mostly informal instruments and a shared understanding that the main vital infrastructure covers the health, economic and security sectors. In the same sense, the instruments selected have a more or less consistent understanding that the effect of an attack on a critical infrastructure would cause a negative consequence for the infrastructure. For this reason, we perceived that critical infrastructure has a high coherence. Concerning data protection, the instruments established by the western states are coherent because they establish similar principles and arrangements about how data is processed.
On the other end of the spectrum, this personal data protection model clashes with the one presented by the SCO Agreement where data, as a whole rather than only personal data, can be controlled by the state to maintain regime legitimacy and domestic stability. Due to this fact, we observed deep inconsistencies regarding data sovereignty which impacts the low coherence of the instruments. Nonetheless, our perspective about coherence is much more aligned with compatibility and shared goals rather than deep uniformity, which is a broader quest for a pluralist society. In other words, we considered that this dimension has low coherence because the SCO agreement shares overall the same goals with the other data protection instruments which are protecting information against cyberthreats, advocating for the creation of a system of joint monitoring and response to cyberthreats and requesting the development of coherent policies and technical procedures. Finally, the category cybercrime involves sovereignty control and low participation of the private sector in terms of sharing responsibilities. The instruments contain similar structures and offences, in particular provisions related to electronic fraud, forgery and content-related offences, which helps us conclude that the dimension cybercrime has a high coherence. In conclusion, the study revealed that there is ‘unity in diversity’ because, even though there is a plural normative system with cultural values, ideological and political differences, overall the instruments reinforce each other, rather than the other way around. We argue that the way to deal with this plural normative system is to take into account a “rich coherence”, seeking equilibrium with a plural set of beliefs.
This therefore requires taking into account the diversity and complexity of different cultural perspectives and addressing global challenges through procedures and mechanisms which facilitate the coordination and accommodation of conflicting instruments and institutions.