Published online by Cambridge University Press: 20 January 2017
This article is a critical reflection on the manifoldness of the notion of “partnership” in Critical Infrastructure Protection. It is argued that the partnership arrangement can be a promising political approach to CIP if the details of public-private cooperation – that is: the participants, the duration, the responsibilities and duties, as well as possible financial compensation – are formalized. Illusionary ideas of a “partner-like” relationship between the public and the private, such as those laid down in the German “National Strategy for Critical Infrastructure Protection”, are, however, doomed to fail. State authorities have to actively offer binding regulatory arrangements to private CI firms in order to establish which companies genuinely agree to cooperate – and which do not. Due to the state's constitutional obligation to guarantee national security and protect the life and health of its citizens, introducing legal requirements is the only possible reaction to a company's refusal to cooperate. In order to avoid overly intrusive market intervention, the state's offer to private firms or their industry associations to conclude binding regulatory contracts on CIP matters may serve as a promising compromise between a laissez-faire approach and regulation.
1 For an overview of different policy approaches see E. Brunner, M. Suter, “The International CIIP Handbook 2008/2009.—An Inventory of Protection Policies in 25 Countries and 6 International Organizations”, Center for Security Studies, Zurich, 2008. Available on the Internet at <http://www.css.ethz.ch/publications/pdfs/CIIP-HB-08-09.pdf> (last accessed on 27 November 2014).
2 For an overview of German companies owning or operating CI see Wiater, Patricia, Sicherheitspolitik zwischen Staat und Markt. Der Schutz kritischer Infrastrukturen (Baden-Baden: Nomos, 2013), at pp. 40 et sqq.
3 Under German constitutional law (Article 14 (3) Basic Law), the European Convention on Human Rights (Article 1 of Protocol No. 1) as well as under different guarantees of international law expropriation generally requires the payment of adequate damages.
4 Cavelty, Myriam Dunn and Suter, Manuel, “Public-Private Partnerships are no silver bullet: An expanded governance model for Critical Infrastructure Protection”, 2 International Journal of Critical Infrastructure Protection (2009), pp. 179 et sqq., at p. 179.
5 This was mainly inspired by the policy approach adopted by the United States. For the development in Germany see Stefano Bruno and Myriam Dunn, “International CIIP Handbook 2002. An Inventory of Protection Policies in Eight Countries”, Center for Security Studies, Zurich, 2002, at pp. 41 et sqq. Available on the Internet at http://www.isn.ethz.ch/Digital-Library/Publications/Detail/?lng=en&id=251 (last accessed on 27 November 2014).
6 Federal Ministry of the Interior, “National Strategy for Critical Infrastructure Protection (CIP Strategy)”, Berlin, 17th June 2009, available on the Internet at <http://www.bmi.bund.de/cae/servlet/contentblob/598732/publicationFile/34423/kritis_englisch.pdf> (last accessed on 27 November 2014).
7 CIP Strategy, supra note 6, at p. 12: One of the “guiding principles” regarding critical infrastructure protection is, in particular, a “trusting co-operation between the state and business and industry at all levels”.
8 Wiater, Sicherheitspolitik zwischen Staat und Markt, supra note 2, at p. 162 et sqq. with further references.
9 “Conventional” PPPs here refers to partnerships dealing with public procurement in areas such as urban construction or prison industry. On the characteristics of PPPs of this type see Bovis, Christopher, “Public-private partnerships in the 21st century”, 11 ERA Forum (2010), pp. 379 et sqq., at p. 384 et sqq.
10 See the summary of CIP tasks of private operators in Germany at Wiater, Sicherheitspolitik zwischen Staat und Markt, supra note 2, at pp. 111 et sqq. with further references.
11 CIP Strategy, supra note 6, at p. 8: “As a result of this tendency towards private ownership, also the responsibility for the security, reliability and availability of such infrastructure increasingly passes to the private sector or, at least, becomes a shared responsibility.”
12 See also Dunn Cavelty and Manuel Suter, “Public-Private Partnerships are no silver bullet: An expanded governance model for Critical Infrastructure Protection”, supra note 4, p. 181; Andersson, Jan Joel and Malm, Andreas, “Public-Private Partnerships and the Challenge of Critical Infrastructure Protection”, in Dunn, Myriam and Mauer, Victor (eds.), International CIIP Handbook 2006, Vol. II: Analyzing Issues, Challenges, and Prospects (Zurich: Center for Security Studies, 2006), pp. 139 et sqq., at pp. 141 et sqq. Available on the Internet at <http://e-collection.library.ethz.ch/eserv/eth:31123/eth-31123-04.pdf> (last accessed on 27 November 2014).
13 The German Constitutional Court found that the state's obligation to protect the security of its population is a constitutional value of core relevance as it justifies the very existence of the state; BVerfGE 49, 24 at 56 et sq. (“Die Sicherheit des Staates als verfaßter Friedens- und Ordnungsmacht und die von ihm zu gewährleistende Sicherheit seiner Bevölkerung sind Verfassungswerte, die mit anderen im gleichen Rang stehen und unverzichtbar sind, weil die Institution Staat von ihnen die eigentliche und letzte Rechtfertigung herleitet.”). See also Dietrich Murswiek, “State Duties to Protect”, unpublished draft paper submitted for the International Symposium “Risk, Responsibility and Liability in the Protection of Critical Infrastructures” on May 23 and 24, 2014 in St. Gallen; Friedrich Schoch, “Die Staatliche Einbeziehung Privater in die Wahrnehmung von Staatsaufgaben”, XVI Juridica International (2009), at pp. 17 et sqq.; available on the Internet at <http://www.juridicainternational.eu/public/pdf/ji_2009_1_14.pdf> (last accessed on 2 April 2015); Sonntag, Matthias, ITSicherheit kritischer Infrastrukturen. Von der Staatsaufgabe zur rechtlichen Ausgestaltung (München: Beck, 2005), at pp. 82 et sqq.
14 In this regard, the German Constitutional Court found that no concrete form of action of the state can be deduced from its obligation to protect the life and health of its citizens; nevertheless, the Court requires the state's protection measures to be effective; BVerfGE 46, 160 at 164 et sq. (“Wie die staatlichen Organe ihre Verpflichtung zu einem effektiven Schutz des Lebens erfüllen, ist von ihnen grundsätzlich in eigener Verantwortung zu entscheiden.”). Guaranteeing the effectiveness of political measures requires assessing and controlling their practical effects – a duty which is neglected in the current German CIP approach.
15 Ridley, Gail, “National Security as a Corporate Social Responsibility: Critical Infrastructure Resilience”, 103 Journal of Business Ethics (2011), pp. 111 et sqq.
16 Wiater, Sicherheitspolitik zwischen Staat und Markt, supra note 2, at pp. 224 et sqq.
17 Wiater, Sicherheitspolitik zwischen Staat und Markt, supra note 2, at pp. 247 et sqq.
18 Christopher Bovis, “Risk in Public-Private Partnerships and Critical Infrastructure”, EJRR, this issue.
19 Bovis, “Collaboration in PPPs in Critical Infrastructure”, supra note 18.
20 Bó, Ernesto Dal, “Regulatory Capture: A Review”, 22 Oxford Review of Economic Policy (2006), pp. 203 et sqq.
21 Bovis, “Public-private partnerships in the 21st century”, supra note 9, pp. 391 et sqq., Bovis, “Risk in Public-Private Partnerships and Critical Infrastructure”, supra note 18.
22 The law was not adopted during the last legislative period under the government of the Christian Democratic Union/Christian Social Union (CDU/CSU) and the liberal Free Democratic Party (FDP), ending in September 2013. The bill was taken up again after the election by the Federal Ministry of the Interior, still administered by a member of CDU/CSU, under the grand coalition between CDU/CSU and the Social Democratic Party (SPD). The Federal Ministry of the Interior forwarded its draft bill to the other federal ministries involved for further consultation on 19 August 2014. In the meantime, after completion of this article, the draft bill was adopted by the Federal Government (on 17 December 2014, see “Bundestags-Drucksache 18/4096”) and, subsequently, with a few changes passed by the German Bundestag (on 12 June 2014, see “Bundestags-Drucksache 18/5121”). As changes do not concern the aspects referred to in the following, the reference to the original draft bill was not altered.
23 Federal Ministry of the Interior, “Entwurf eines Gesetzes zur Erhöhung der Sicherheit informationstechnischer Systeme (ITSicherheitsgesetz)”, 18 August 2014, available on the Internet at http://www.bmi.bund.de/SharedDocs/Downloads/DE/Gesetzestexte/Entwuerfe/Entwurf_IT-Sicherheitsgesetz.pdf;jsessionid=1561991D3361D692471345121CF795F8.2_cid364?__blob=publicationFile (last accessed on 27 November 2014).
24 For a comprehensive overview of German legal standards distinguishing among the different CI sectors see Bernd Holznagel and Christian Koenig, “Gutachten zur rechtlichen Analyse des Regelungsumfangs zur IT-Sicherheit in kritischen Infrastrukturen”, Federal Office for Information Security (BSI) (ed.), last updated on 5th May 2005, available on the Internet at https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Kritis/Regelungsumfang_ITSich_KRITIS_pdf.pdf?__blob=publicationFile (last accessed on 27 November 2014).
25 See the English Information sheet on the IT Security Act of 19 August 2014, available on the Internet at <http://www.bmi.bund.de/SharedDocs/Downloads/EN/News/informationsheet-it-security-bill.pdf?__blob=publicationFile> (last accessed on 27 November 2014).
26 Draft law on IT security, supra note 23 at p. 2.
27 Assaf, Dan, “Conceptualising the use of public-private partnerships as a regulatory arrangement in critical information infrastructure protection”, in Peters, Anne et al. (ed.), Non-State Actors as Standard-Setters (Cambridge: Cambridge University Press, 2009), pp. 61 et sqq., at pp. 64 et sqq.
28 See on the “(minor) deviation from non-intervention” in the U.S. in the field of the chemical and the energy sector Assaf, “Conceptualising the use of public-private partnerships as a regulatory arrangement in critical information infrastructure protection”, supra note 27 at pp. 71 et sqq.
29 The governance model described is elaborated and discussed by Dunn Cavelty and Suter, “Public-Private Partnerships are no silver bullet”, supra note 4, at pp. 182 et sqq.
30 The network model links the effectiveness of control to the phenomena of “group pressure” and expertise; Dunn Cavelty and Suter, “Public-Private Partnerships are no silver bullet”, supra note 4, at p. 183: “The partners within a network know each other well and are thus able to assess whether the degree of cooperation is sufficient. (…) While companies may find it easy to gloss over their weaknesses and vulnerabilities towards the government, it may be more difficult to embellish their performance in communication with other experts.”
31 Dunn Cavelty and Suter, “Public-Private Partnerships are no silver bullet”, supra note 4, at p. 184.
32 Again, this obligation to exercise direct state control results from the constitutional duty to guarantee effective protection; see supra note 14. Effective protection requires at least that the state has knowledge about the risk situation and the level of preparedness of private CI companies to handle these risks.
33 In order to avoid standards set too low by private CI companies, public authorities have to conduct a plausibility check of the precautionary measures proposed. This can e.g. be achieved by using comparative data from other countries.
34 Draft law on IT security, supra note 23 at p. 13.
35 See the comparison of Government-Private Contracts and Regulatory Contracts by Freeman, Jody, “The Contracting State”, 28 Florida State University Law Review (2000), pp. 155 et sqq.
36 For an overview see Jody Freeman, “The Contracting State”, supra note 34, at p. 196 et sq.
37 Proelß, Alexander and Blanke-Kießling, Ursula, “Der Verwaltungsvertrag als Handlungsform der Naturschutzverwaltung”, Neue Zeitschrift für Verwaltungsrecht (2010), pp. 985 et sqq., at p. 986.
38 Delmas, Magali and Terlaak, Ann, “Regulatory Commitment to Negotiated Agreements: Evidence from the United States, Germany, The Netherlands, and France”, 4 Journal of Comparative Policy Analysis: Research and Practice (2002), pp. 5 et sqq. at p. 6 with further references.
39 Ibidem.
40 See the legal definition of CI in the German draft law on IT security, supra note 23 at p. 9.
41 On the fuzziness of the notion “critical” in CIP see Cohen, Fred, “What makes critical infrastructures Critical?”, 3 International Journal of Critical Infrastructure Protection (2010), pp. 53 et sq.
42 See in this regard the commentary of the Federal Association of SMEs of the IT sector (Bundesverband IT-Mittelstand e.V.) from 2 September 2014, available on the Internet at <http://www.bitmi.de/custom/download/bitmi_140903_stellungnahme_it_sicherheitsgesetz_1409727767.pdf> (last accessed on 27 November 2014).
43 The Federal Association of SMEs of the IT sector (supra, note 41) criticizes, in this respect, the discriminatory potential of the German draft law on IT security.
44 Bundesverband der Deutschen Industrie e.V., Updated and Extended Declaration by German Industry and Trade on Global Warming Prevention (Cologne: BDI 1996); Delmas and Terlaak, “Regulatory Commitment to Negotiated Agreements: Evidence from the United States, Germany, The Netherlands, and France”, supra note 37, at p. 7 et sqq., p. 14 et sqq. On the evolution of the agreement and the criticism on it see EEA (European Environment Agency), Environmental Agreements. Case Study 3: Germany from 21 July 1999, available on the Internet at <http://www.eea.europa.eu/publications/92-9167-052-9-sum/page006.html> (last accessed on 27 November 2014).
45 Freeman, “The Contracting State”, supra note 34, at p. 196.
46 This is the case in some of the environmental agreements discussed above.
47 Imagine a small supplier company producing bolts which are an essential element for the working of the train system. The breakdown of this small company might cause tremendous cascade effects on the network of CI which might necessitate higher security standards than those of other companies of comparable size.
48 Legally-binding environmental agreements are concluded in the Netherlands, where these agreements are linked to a permit system and have the status of contracts of civil law; see Delmas and Terlaak, “Regulatory Commitment to Negotiated Agreements: Evidence from the United States, Germany, The Netherlands, and France”, supra note 37, at p. 8.
49 Assaf, “Conceptualising the use of public-private partnerships as a regulatory arrangement in critical information infrastructure protection”, supra note 27, at p. 68.
50 Héritier, Adrienne and Lehmkuhl, Dirk, “The Shadow of Hierarchy and New Modes of Governance”, 28 Journal of Public Policy (2008), pp. 1 et sqq., at p. 2.
51 EEA, Environmental Agreements. Case Study 3: Germany, supra note 43.
52 Héritier and Lehmkuhl, “The Shadow of Hierarchy and New Modes of Governance”, supra note 50.
53 Givens, Austen D. and Busch, Nathan E., “Realizing the promise of public-private partnerships in U.S. critical infrastructure protection”, 6 International Journal of Critical Infrastructure Protection (2013), pp. 39 et sqq., at p. 42. The authors argue for “collaborative leadership” instead, see p. 46 et sqq.