4.3 The Danish actors and strategies in securitizing cyber threats
4.3.1 The public securitizing actors the Centre for Cyber Security
Cyber threats have been framed as a security issue in Denmark through speech act. However, we argue that practices are a prevalent element of the securitization process in Denmark, and we will therefore elaborate on these. In an effort of effectively trying to handle the issue of cyber threats, the Centre for Cyber Security was established, which is a clear case of securitization through practice. Before CFCS was established in the beginning of 2013, the Computer Emergency Response Team for the government (GovCERT) was placed with the IT- and Telecommunications
Agency within the Ministry of Science, Technology and Development. As an effect of the Law of Finance of 2013, which was formulated by the current government2, cyber security became a separate area (Corydon, 2013). CFCS is arguably inspired by developments of the focus on cyber security in other countries, and it is the first official unit in Denmark solely focusing on cyber security. According to Kristmar, CFCS will create an easy compliance for Denmark with the proposed EU directive, while others argue that CFCS cannot be placed under the Danish Defence Intelligence Services (FE) in that case, which we will further discuss later. Nevertheless, by opening this unit, cyber security was put on the agenda and thereby securitized. The securitizing act was made by the government in an effort to accommodate the new age of cyber threats. The Centre for Cyber Security was established under the Ministry of Defence, and refers to FE. FE has been operating with the Danish armed forces outside the Danish borders. The aim of the intelligence services is very much in line with how Buzan, Wæver and de Wilde think of traditional military. The Danish Defence Intelligence Services tasks set out in the Act on defence, and they are following this legal framework:
"Military Intelligence Service is governed by and works under the authority of the Minister of Defence.
Part. 2 Our mission is to collect, process and communicate information on conditions abroad affecting Danish security, including the Danish units, etc. abroad.
Part. 3 In the first paragraph. 2, the company targeting conditions abroad service can include information about Danish nationals and persons residing in Denmark.
Part. 4 Defence Intelligence may disclose information to the Police Intelligence Service to the extent that disclosure may affect the performance of service duties” (Trøjborg, 2001: 1). This shows how the task of the Danish Defence Intelligence Services is to collect, process and disseminate information on conditions abroad affecting Denmark's security, including the Danish military units and others who are sent to solve international assignments. The intelligence activity is directed towards conditions abroad and includes transnational situations. Here the focus of the intelligence service is especially on terrorism and proliferation of weapons of mass destruction as
2 The current government of Denmark was constituted on the 3rd of October in 2011 and consists of the Social Democratic Party, the Socialist People's Party and the Social-Liberal Party.
well as military, political, economic and scientific-technical information of importance to Danish security interests. This information is obtained over a wide range of options including electronic intelligence gathering. Furthermore, FE also cooperates with foreign partners (fe-ddis.dk).
In the disruption of IT- and Telecommunication Agency, Digitaliseringsstyrelsen was established. It was placed under the Ministry of Finance and is in charge of the digital development of Denmark producing a digital strategy for Denmark from 2011-2015. One of the three main tracks is that citizens and companies will communicate with the state online and there will no longer be physical dialog, letters and other types of documents (digst.dk). This strategy forces companies to become digitalized, which can save both companies and the state large amounts of employees and money in dealing with these transactions. It thereby makes the relationship between these two actors more cost efficient. However, it leaves many companies vulnerable to potential cyber threats, because there is no alternative to the mandatory online communication with the state (Kristmar & Rytter, 2013). In line with the digitalization strategy, no security strategy was developed, which Kirstine Rytter (2013) from Digitaliseringsstyrelsen acknowledges as a problem. The potential consequences of the strategy have therefore not been considered, and the security problems of the digitalization of society are therefore not included in any strategic considerations by the Danish state, which we see as a great problem.
Another Danish actor that is expanding its capacity within cyber security is the Danish police intelligence Services (PET). PET announced on the 2nd of July 2013 the establishment of a ‘Cyber Task Force’. The number of cyber attacks in Denmark is continuously increasing, and PET therefore sees it necessary to open a special task force in order to prevent attacks and prosecute the perpetrators. It is argued by PET that the cyber threat is a concern to national security, and whether it is a case of cyber espionage, cyber-terrorism, hacker activism (hacktivism) or simple economic crime, the fundamental question is of criminal offenses, which must necessarily be subject to a comprehensive and effective police investigation (pet.dk).
The apparent strategy of the Cyber Task Force is to have representatives from PET, the national police, the local police, the general prosecutor and the regional public prosecutors. The group will act as a forum for police coordination, cooperation and exchange of information and experience concerning electronic attacks targeting information and communication systems. Information on potential criminal offenses subjected to Danish criminal jurisdiction seen by CFCS will be provided and transferred to PET's Cyber Section for police consolidation and implementation of investigative
efforts either in PET or in the rest of the police (Ibid.). This is an effort of PET wishing to extend its own reach and influencing in the awareness in the field of cyber security in Denmark, and is possibly a reaction to the placement of CFCS within the FE.
As this shows, cyber threats are securitized in Denmark and many efforts are being made by Danish authorities in order to securitize cyber threats through practices. Cyber threats have till date been securitized by numerous actors within the public sector in Denmark from FE to PET. However, in spite of the efforts made, a single coordinated national strategy on how to deal with cyber threats has not yet been made. This means that there is no agreement on how to securitize cyber threats, and we argue that this makes exceptional measures ineffective. Nevertheless, one concrete securitizing measure is GovCERT, which is placed under CFCS, as mentioned earlier. In trying to secure parts of the Danish infrastructure and Danish authorities, GovCERT is the only area where an actual effort and strategy for cooperation with private companies is made. We will therefore discuss the effectiveness of this measure in the following section by elaborating on GovCERT and its purpose.