Knowledge sharing between private securitizing actors

As mentioned earlier, a common acknowledgement derived from the empirical data is focused on how knowledge sharing is important in creating resilience towards cyber attacks. Private and public actors are not sharing large amounts of information and knowledge, and it seems as though companies prefer sharing certain information and knowledge with other companies either within or outside their own industry. Companies rather use the many forums for Chief Information Security Officers. Here they meet and discuss current trends, issues and threats. A common finding in the empirical data is however, that most companies admit that they are generally not inclined to be very open about the attacks that the company they work for are subjected to. The reason for not sharing information on cyber attacks is caused by the non-beneficial nature of showing weaknesses in the companies’ security infrastructure. By showing weaknesses, it can cause a negative effect on stock prices, potential partnerships, loss of current partnerships, reputational damage, among other things. We argue that the lack of trust and willingness to show weaknesses hinders common securitizing practices and the implementation of effective exceptional, because full knowledge is not being transferred between actors, which are mainly left to develop strategies on the basis of own experiences. Private actors share knowledge with many different intentions. One example is when companies engage in new business opportunities. Then they are using the expertise from other companies that have had similar business ventures. However knowledge is based on how to build a resilient infrastructure, and not on showing the effects of the attacks. Here the state does not guide or help companies on how their IT infrastructure can be protected or how other companies have

acted when venturing abroad. The lack of informative structure the state has in cyber security therefore caused the companies to create informal relations and thereby guide each other (Anonymous source, 2013).

The knowledge sharing does not exist in set forums and is something shared between private networks and acquaintances across sectors, which is commonly limited to the companies who are processing large amount of data and have large annual revenues. This therefore leaves out many other smaller companies who potentially could suffer the same type of loss. Two forums that many CISOs use are the ‘Chief Information Security Officer forum’ and the ‘Information Security Forum’. These forums are often used to “share and discuss experiences and knowledge on incidents and solutions to security issues” (Olsen, 2013). They are informal forums, and

“The information we share in the forums is valuable. As corporations often meet the same challenges when for example implementing new systems, we might as well share knowledge and help each other, as well as getting others opinions and concerns on different issues. We are very open in the chief information security officer forum, because we all agree that what is being said within the forum is not communicated to third parties” (Olsen, 2013).

Søren Olsen from ATP further elaborates on the informal meetings the forums have and says that he cannot imagine having a formal collaboration with other corporations. However, one sector that is known for being the only sector that shares knowledge within the sector is the financial sector. This sector has for many years experienced coordinated attacks, and therefore the actors within this sector are well aware that it does not give them a competitive advantage not sharing obtained knowledge. According to Jørgen Sørensen from Deloitte and Jacqueline Johnson from Nordea, this is because each actor is aware that it could potentially be under attack at any point in time.

“Sharing information is a good way of helping each other and I have never heard about anyone who has misused the information, so we (within the financial sector) speak rather openly, well, we don’t have to say anything specifically, like how big our losses have been” (Johnson, 2013).

This shows how the actors in the financial sector, which have been subjected to a vast amount of attacks for many years, have found it necessary to share knowledge amongst each other. Other sectors are generally more hesitant in sharing knowledge about their security experiences like Lars

Højberg from TDC explains: “Openness is not necessarily defined in one way, one thing is openness in the public. Not a lot of companies are interested in showing their weaknesses in public, because this can influence their business” (Højberg, 2013). Because having a strong level of security is a business enabler KMD uses a general rule and do not share knowledge with competitors but:

“I can see that there are benefits from knowledge sharing with competitors, and we share knowledge to a certain extent. The corporate world of cyber security is quite small, where I obviously know and talk to many people. But we try not to share too many ideas and solutions to cyber security issues, because that is part of our know-how. So there is a certain degree of trade secrets. (…) I am part of a variety of chief information security officer forums, and if there are competitors in the forum, there are limits to what can be shared and discussed. Therefore I am attempting to be part of forums where competitors are not members” (Theede, 2013).

It thus becomes clear, that even though private actors prefer exchanging information with other private actors, the amount of knowledge shared is limited. We argue that this is hindering a successful securitization of cyber security, as well as hindering the implementation of efficient exceptional measures.

Noticeably, sharing knowledge might in theory be a good solution when trying to further develop the security within cyberspace, but are there any complications other than the hesitations from the companies? Going back to the theory of securitization, securitizing an issue causes exceptional measures to be taken. By using exceptional measures, this allows measures outside “normal” conducts to be taken. We argue that measures that are being taken are not only a result of speech act. Rather than using the services provided by GovCERT, private actors implement measures by installing software and implement surveillance. Therefore securitization is seen as a process of non- transparent practices. Thereby we see two potential problems on the issue of knowledge sharing and securitizing cyber threats. The first is that companies being monitored by the probes from GovCERT can be used for surveillance purposes if the government sees it necessary. The Danish Intelligence Services are exempt from the Privacy Act and they thereby do not need permission from the company to monitor the information flow. The second issue we find in accordance to exceptional measures and the sharing of information is that if companies are forced to share information in accordance to the EU proposal, surveillance will be used to insure that the

corporations are actually reporting all the incidents that they are suffering from. In this context, many companies are not aware of the attacks they are suffering from and some companies might be subjected to something they are not fully aware of. These two concerns are also very much in line with Jørgen Sørensens argument that there is a trust gap between the state and corporations, because knowledge sharing is a potential viability for these firms. We find that there are issues in having a completely open structure, because exceptional measures can be taken and thereby create a surveillance culture that the companies might not be interested in.

We argue that there are two main issues that are hindering efficient securitizing practices, and thereby effective exceptional measures in Denmark. We have demonstrated that the many actors, the broad range of issues and securitizations, as well as the sensitivity of cyber security have generated these issues. Firstly, there seems to be an issue with the distribution of responsibility concerning cyber security. There are uncertainties and disagreements as to what the public actors are doing, what the private actors are doing, as well as what private actors expect of the state. Moreover, there are divergent opinions as to how close the collaboration between the public and private actors should be. The security gap that has emerged, due to the lack of focus on the smaller corporations outside the critical infrastructure, is an important issue, considering the interdependence that IT systems have created. Secondly, there is a great issue of lack of knowledge sharing, based on distrust. Private actors seem reluctant to share information with the state due to issues of trust, although some would like to rely on the state in the event of an incident. And even though private actors to a greater extent share information and knowledge with each other than with the state, “the industry suffers from lack of openness from all companies” (Højberg, 2013). We have thus demonstrated divergent politics of securitization make exceptional measures difficult to agree on and ineffective, because they do not cover all issues and actors. Furthermore, there are divergent opinions on where the security responsibility should be placed, and hence also on who should securitize and how it should be done, resulting in a security gap. Additionally, we have demonstrated that the ineffective exceptional measures generate distrust and lack of knowledge sharing.

7.0 Concluding remarks - Empirical findings and theoretical contributions