3 August 2021
“Digitising Europe” is the new ELF Blogposts series that engage with policymakers, industry experts, and academics in order to contribute to a better understanding of how technological change is also driving social, political, and regulatory affairs.
By Ludvig Hambraeus
The covid-19 pandemic triggered a seismic shift in the way organizations came to view cybersecurity issues and the subsequent need for foolproof solutions and containment strategies skyrocketed. Today, there is an abundance of information available about the challenges of our rapid digitalization and dependency on software-based solutions. For every challenge, however, there is an equal and opposite need for policy response – the design of which is not as frequently debated, nor correctly understood as one coherent whole.
The design of policy responses is detrimental to the success of political goals, but it is only part of the accomplishment. The other part is policy implementation, or – for the purpose of this article – simply implementation. Proper policy implementation is a critical component in assuring functionality and attainability in for a political proposal and a key part of any agenda-driven set of goals brought to the floor by a nation’s lawmakers.
Proper implementation is achieved through an adequate support system having been put in place prior to the policy’s launch as part of a political program. The process of setting this type of system up helps anchor the proposed political ideas with the general public, something which in turn aids in politics becoming policy, and a policy in eventually becoming viable in the long term, effective, and – perhaps most important of all – popular amongst those it affects. Succeeding in educating and informing the general public about a certain policy or program is a major key in any political success.
A lot of academic effort has been put towards explaining how implementational policies are crafted. Way less effort, however, has been granted to the studies of how to best build and maintain a support system for implementing said policies. Continuous challenges in critical fields like for example mental health have, nevertheless, spurred on this development – something that is tremendously useful – albeit it in an analogous manner – also for those operating within the cybersphere.
Policy implementation, in practice, may be done in several ways. One if these are third-party implementation, wherein a third party – either an individual, organization, or program – works between pre-existing structures towards conceiving a tangible result through successfully implementing a certain policy objective, known collectively as EIPPs (Evidence-Informed Polices, Programs, or Practices). These actors work between elected representatives and the greater public and can be unions, researchers, activist groups etcetera. Within the cybersphere third parties are aplenty, which is why third-party implementation looks to be a particularly attractive option for lawmakers to consider when attempting to implement cyber policies.
In terms of successfully implementing well-crafted cyber policies, the use of third parties is done so that their position as neutrals between lawmakers and citizens may be utilized as a vehicle for translating political programs into enforceable policies with real and tangible grassroots-level impact. This is particularly critical when it comes to cyber policy, as the success of political programs in the area in many aspects are directly dependent on the amount of anchorage in pre-existing infrastructure – both physical and structural (i.e., the physical infrastructure, as well as the prevalent way of thinking, at the time of attempted implementation are equally critical). As such, before lawmakers even begin contemplating the roll-out of new cyber political programs, the stage must first be set in such a way so that the general public are given the tools and knowledge necessary to understand and accept the value of the suggested policies. This is, arguably, a job best suited for third parties already active within the cybersphere.
At this point, you, the reader, may ask yourself why all of this extra legwork work is necessary. Why, indeed, should any government relinquish responsibility to third parties, and cannot the general citizenry understand emerging political programs within the cybersphere as they can with most other political programs?
The answer is – put simply – that Europe is, arguably, not digitally savvy enough at a grassroots level, something which creates a major problem when it comes to successfully implementing cyber policies. Put more extensively, the perceived complexity around cyber has alienated large parts of the general citizenry from gaining further understanding of the cybersphere, something that is now a major hurdle to overcome as the reliance on software-based solutions has by far outpaced the technical know-how of the average user. This is the conundrum which third-party implementation is aimed towards resolving.
The rate of software-dependency on the continent has indeed risen continuously as we traverse the 21st century. The current reliance on digital solutions is now at a point where every user – be that a single individual or a billion-dollar corporation – can be an unforeseen target for a single attack or become an involuntary vehicle for a greater cybercrime. To counter this, automatization and augmentation (i.e., the lessening of complexity for end-users and streamlining of digital procedures) of cyber security is needed.
The notion of the cybersphere as one of unbearable complexity that in many European countries has been allowed to become the sustaining image of cyber politics has, regrettably, led to an abandonment of the issue by the greater public. Alas, this has led to cyber being seen as a mere impasse in the roster of critical areas of civic engagement – resulting in a disconnect between lawmakers and the general public regarding most aspects of cyber politics as the conversation has moved higher and higher up the rungs of government whilst the problems have moved closer and closer to the end-user.
Researchers Ghernouti and Hélie have suggested that cyberpolitical actors may be divided into three subgroups: protectors, the protected, and attackers. Effectively communicating to the general public the constitution of these groups may well lead to a greater understanding of how the individual citizen fits into the greater realm of cyber politics and what he or she can do to ensure adequate security whilst using cyber-based tools.
The ideal vehicle for such a classification is organizational structures. Both within the public and private sectors. A continuous and centralized organization where leadership and ownership over cyber issues is promoted is highly beneficial, as it lessens the risk of the human factor becoming a critical shortcoming.
In some organizational cultures, cyber training and coaching is views as a niche field, only of importance to those already actively engaged with IT matters. The fact is, however, that those already proficient enough in IT to have it as their main area of expertise are already aware of the things taught in basic cyber security courses. Instead, the employees whose main responsibility falls outside of a IT related field are those with the most need for cybersecurity training and coaching. If not – these individuals run the biggest risk of becoming exploited by cybercriminals. Indeed, the more global cyber knowledge becomes, the less the risk becomes of a single employee lacks the required knowledge to keep up in our software-dependent world. Solid training in IT should therefore not be seen as complimentary education, but as basic training.
So, how, then, can third party implementation be helpful in this regard? The answer – it can serve as the glue that ties together theory and practice in the latitudinal plane.
Ergo, by utilizing third parties as intermediaries between lawmakers and the general citizenry, the veil of complexity that long has plagued the cyber domain can be lifted to expose the nuts-and-bolts underneath. This, in turn, allows for a more transparent and easily understood cyber policy to become persistent and effective from the top down.
The complexity of the cyber issue – both real and imagined – has made it abundantly difficult to present one-size-fits-all solutions to share problems. Scholars have presented us with an analogous answer to this too, however, and that is the ontological model.
In this model, the various actors within the cyber sphere are categorized and divided into several groups, whose responsibilities, functions, and roles are depicted in detail. Visualizing the cyber sphere in this way enables lawmakers to break down the complexity of the issues at hand and deliver more easily understood policies to the general public.
The cybersphere, then, once broken down, may be described, and understood through a joint language and formalistic depictions of the relationships between its various actors and functions – something known as creating a shared domain. By conducting this exercise, further aid is given to the implementation of effective cyber policy through the improved communications and sharing of information between actors in the cyber sphere.
A formalistic depiction of the cyber sphere gives the actors within the possibility to identify a coherent and joint understanding of the cyber milieu that they share and operate in. This leads to the establishing of the aforementioned baseline needed in order to successfully implement national cyber policy. Three major areas can be found:
These steps taken together may be construed as a vehicle through which a joint understanding of the cybersphere and its most critical concepts may be widely understood, researched, and shared. One coherent model can then be created through the use of this data, through which coordination and interoperability can be reached that previously was impossible.
In summary, then, it can be said that great cyber politics does not necessarily translate automatically into great cyber policy. For this to happen, an adequate system for policy implementation has to exist. This system, more than anything else, has to be workable for third parties, as they are the ones that hold the key to coherency across the cybersphere.
In light of the above, national governments who are serious to tackle challenges in the cybersphere head-on in order to lessen negative consequences on individual rights and freedoms should:
Ludvig Hambraeus is an advisor, author, and law student at the Lund University Faculty of Law. Recent projects include authorship of the publication The American Understanding of Chinese Expansionism in Cyberspace (2020) and representation of commercial legal interests at UNCITRAL in New York. In 2021, he joined U.S. law firm Butzel Long LLP in Detroit, MI.
Published by the European Liberal Forum. The opinions expressed in this publication are those of the author(s) and do not necessarily represent those of the European Liberal Forum.