The Danish state and private actors are arguably becoming increasingly interconnected due to the use of IT systems. Jack Johansen states that “we (SKAT – the Danish tax authority) are dependent on others and the collaboration with them” (Johansen, 2013). Here Johansen refers to the private companies whom SKAT outsources their operations of their systems to. This clearly shows how public and private actors are dependent on others in keeping a high level of security within IT systems. This is because private companies and public organisations are cooperating through and with many systems, which are thereby making them increasingly connected. As we argue that the ineffective exceptional measures, created by conflicting securitizations, make the actors increasingly vulnerable to incidents, we will discuss the interconnectedness between public and private actors as a result of digitalization.
Due to the high rate of digitalization of the state there has been an increase in the dependence on corporations for developing and delivering IT solutions, because it has become a commodity like many other services that the state provides through partners. Today KMD, the formally state-owned company, operates more than 400 IT systems that support the Danish welfare state and is one of many companies that do so (kmd.dk), like CSC that was mentioned earlier. There is a strong relationship between the state and a company like KMD as KMD provides the systems that ensure
that the Danish population receives key welfare benefits such as daily allowance, state pension and paternity and maternity allowances. Furthermore each month Danes working in the public and private sectors receive their salary through the payroll system provided by KMD and no longer receive the information by regular mail, but through email. This digitalization has therefore become the backbone of society, which is profoundly dependant on receiving these services on time, not just for the single individual, but for society as a whole. These systems and services tie all actors together and therefore cyber security has become an issue, not just for every single entity in the system, but for the systems to function as a whole.
The state is reliant on fully functional systems provided by KMD, amongst others. Even though KMD has the capacity and knowledge to support the state, it also makes the state more vulnerable due to the lack of the state’s control of their systems. If an incident or a cyber attack were to occur in KMDs systems, the state would be heavily affected, as we saw in the case of CSC in the summer of 2013, where over a million CPR-numbers were stolen from CSC databases from the police register (Elkær, 2013). This strongly exemplifies the increased interconnectedness and vulnerabilities the Danish society is facing. This interdependence between the private and public actors therefore requires a strong relationship, as Rasmus Theede from KMD argues;
“The fact that KMD works closely with and for the state has created a strong relationship with state entities. I am part of a variety of forums and have close communication with various government entities, also with the police and defense, whom we also have more informal communication with. We inform them on our actions in the case of a possible attack. They also have an interest in getting information from us, as this gives them knowledge on what is happening in the private sector” (Theede, 2013).
The privatization of the Danish critical infrastructure, like the energy sector, has arguably also increased the interconnected relationship between private actors and the state. The state is dependent on a functioning critical infrastructure and will therefore also be heavily affected by incidents that happen to private providers of critical infrastructure because these will compromise a well-functioning Danish society. It is by law (the Privacy Act and the Outsourcing Act) not the responsibility of the company if an incident occurs, but the state, and therefore the state is highly dependent on the level of security within a company. If companies choose to have a high level of security it is commonly considered to be a business enabler and therefore companies can experience
great financial damage if they are known for not having a high level of security within their IT services.
Based on what is currently defined as critical infrastructure (EPCIP), Henning Mortensen from DI, amongst others, argues that there is a clear interdependence between the providers of critical infrastructure. They are composed of both private and public actors, and the relationship is enhanced due to the digitalization of these actors. It is therefore important that the Danish state focuses on providers of critical infrastructure when it comes to cyber security, because the impact can have vast consequences for the society.
“There is an interdependence between the different critical infrastructures. If you for an example don’t have electricity, then you cannot retrieve gas, our hospitals and light signals wont function, we can’t pump up water and if we can’t pump up water then we have no electricity, which leads to a third thing not working. This can quickly turn into a domino effect within society, if you can shut down some of these critical infrastructure components. This is why critical infrastructure is the absolute most important and a good prioritization of the centre” (Mortensen, 2013).
The resources of the state are limited and therefore Mortensen means that taking care of the critical infrastructure is first priority. This interdependence and possible cascading effect in the Danish society in the occurrence of an incident, arguably requires close collaboration between private actors and the state. However, Henning Mortensen argues that there also are interdependencies between the state and the corporations outside the definition of the critical infrastructure, although not to the same extent as the providers of critical infrastructure. Nevertheless, the effect of a cyber attack that severely damages the IT system of a corporation can shut the operation down, which can have cascading effects on the society as a whole. According to Mortensen, this could require closer cooperation between public and private actors because “if Lego is shut down, then about 2500 people are not able to work, and that is of course not only a Lego issue but also a societal issue, because the society loose income. Here I believe that the state could play some part” (Mortensen, 2013). As he mentions, the state currently does not have resources to help companies outside the critical infrastructure, and they are not included in the strategy of CFCS and therefore they are left to care for themselves if an incident occurs. A large company might have the finances to hire consultants to help them regain their ability to function, but some smaller companies do not. This leaves a security gap, which we will go greater into depth with later.
As can be seen by the previous discussion, the private and public actors are highly interconnected. This interconnectedness is reinforced by the use of IT systems and solutions. This means that an incident can have cascading effects beyond the single actor, emphasising the need for a common securitization, and effective exceptional measures.