Dutch National Cyber Security Strategy – Blessing or Curse?

Around September last year I wrote an article on the Dutch government promising a Cyber Security doctrine that was to determine the strategy the Netherlands was to follow in the areas of Cyber Crime, Cyber Warfare and generally all things related to Cyber Security. Well this document has finally arrived, and can be found here (PDF alert – Dutch). Its a decidedly vanilla document with not much meat to it, and the approach our government has taken looks a lot like that of the UK. That is to say: defend and extend on the commercial interests, partake in the various international initiatives pertaining to Cyber and don´t rock the boat too much (cost-wise).

The document outlines the following starting points:

  • Connect and Strengthen existing initiatives
  • Invest in Public-Private collaborations
  • Personal responsibility (referring to endusers protecting their own systems)
  • Division of Responsibilities of the various Departments
  • Active international collaboration
  • All actions to be undertaken are proportional
  • Selfregulation if possible, legislate if not

The list obviously isn´t anything new or exciting and has the added value of being very low-cost or even free. Its about what you´d expect from a government that has to take a 30 billion spending cut. One has to wonder about the effectiveness of such an approach, seeing as how most of these points have been in place (and followed) for a while and have yet to yield the desired results. Taking a look at the proposed action plan, we see corresponding initiatives:

Creation of a Cyber Security Council and National Cyber Security Center
The cabinet establishes that caring for Cyber Security is now a burden for a multitude of organizations and departments, and so they wish to unify all these efforts into two centers: The National Cyber Security Council and a National Cyber Security Center. The Security Council is the new organization where the strategy will be established by representatives of all involved parties. The Cyber Security Center will essentially be its  executing branch, and act as a place where information, knowledge and expertise is shared amongst the participants. The government urges all public and private parties to join in, and is working on a collaborationmodel to this end. They also intend to expand and strengthen GOVCERT, and to make GOVCERT a part of the Security Center.

Create Threat- and Risk analyses
By sharing information, knowledge and expertise, the cabinet aims to build threat- and risk analysis so that they can chart weak spots and strengthen the segments that need fixing. The  AIVD and MIVD (Dutch Intelligence communities) will insert their knowledge and if necessary, increase their cyber capabilities. This initiative is to yield a yearly National Threat Assessment, which is to inform the Government on current or pending risks.

Increasing resilience of critical infrastructure
The Dutch approach to Cyber Security has so far always hinged on business continuity rather than prevention or actual security. The document refers to an existing initiative from the ´old days´ called the CPNI (Informatieknooppunt Cybercrime, or Infopoint Cybercrime), and how this initiative is eventually to be folded into the Cyber Security Center. Also, the existing Telecommunications Act will be actualized in 2011 to accomodate for various new factors. Through the following measures, the government hopes to create more Cyber Security momentum:

  • A Responder Kit (accompanied by a manual) has been created for Cyber Espionage so that companies can increase their own resilience;
  • At the end of 2011, 80% of the departments, agencies and companies in the vital sector Public Order & Security (Openbare Orde en Veiligheid) as well as Public Management (Openbaar Bestuur)  should have access to a continuityplan that includes large scale internet connectivity breakdown scenarios;
  • This cabinet will establish one security framework of Information Security for all government agencies as well as creating a government-wide control cycle to enforce it;
  • Somewhere in 2011 the cabinet will decide if it is possible to include an electronic ID in travel documents that holds up to the highest security standards, so that Dutch citizens can reliably ID themselves over the Internet and digitally sign documents while safeguarding the citizens´ privacy;
  • The government will implement the European mandatory reporting of dataleaks in the Telecom sector. They will also draft a proposal for mandatory reporting of all loss, theft or abuse of personal data for all services in the ´Information Society´;
  • Choices will be made by the cabinet with regards to processing of personal data. European norms will be guiding these choices;
  • The cabinet wishes work with IT vendors to look into increasing security in hard- and software and will also look to joining international efforts in this field. The Netherlands will also play an active role in the Internet Governance Forum to increase global internet security;
  • In concert with suppliers, the government wishes to better inform its citizen users with regards to security. The result will be national ad campaigns surrounding current events or threats.

Increase response capabilities to large scale internet downtime or cyber attacks
In extention of the above list of critical infrastructure resilience, the following list of activities aims to increase response capabilities to large scale internet breakdowns or cyber attacks that threaten to disrupt society:

  • In the summer of 2011 this cabinet will release a National Crisis Plan for ICT, involving national and international training exercises;
  • A public-private collaboration effort for ICT crisis handling called the IRB will be operational in 2011 and implemented into the Cyber Security Center;
  • Strengthening of efforts towards the collaboration amongst CERTS as well as the International Watch and Warning Network (IWWN);
  • An Alerting system for Counterterrorism will updated to include a cyber component;
  • The Department of Defence will look into how information, knowledge and expertise on Cyber Security will be best exchanged, using the Initiative for Civil-Military Collaboration;
  • A Cyber Education & Training center (OTC) will be created;
  • DEFCERT will be expanded and its personnel will be trained in all things cyber;
  • A doctrine for Cyber Operations will be created in order to defend Dutch resources and units;

Intensifying tracking and prosecuting Cybercrime
The cabinet acknowledges that cyber crime is continuously evolving and its international nature makes tracking and prosecuting cyber criminals difficult. The following measures are listed to improve the situation in this area:

  • The cabinet wishes to establish an expert register so that what little knowledge there is, is shared as effectively as possible. Also, they wish to create interesting career possibilities so that the pool of experts will eventually grow;
  • In law enforcement the cabinet wishes to see even more international collaboration within the EU and connecting partners, and strives towards establishing an international legal framework for cybercrime;
  • A national steering committee will be created to establish how best to prosecute priority cybercrime cases. The goal with regards to cybercrime is to establish enough expertise all along the legal chain to adequately prosecute all cybercrime cases. The chairman of this committee will have a place in the Cyber Security Council. The Inspector of Public Order and Security will investigate the functioning of Police in handling cybercrime cases;
  • Within this years´ budget for Police, a shift will take place to increase handling of cybercrime cases. This includes detectives and internet surveillance in-country as well as the High-Tech Crime Unit of the KLPD. These various units will partake in the Cyber Security Center;
  • The Approach for Cybercrime will take a central role in the next few years, with the creation of a knowledge center for police, reinforcement of police and the effective shift towards cybercrime capabilities. The entire prosecutorial branch will be reinforced with cybercrime-skilled DA´s, bailiffs, judges and ´cyberjudges´.

Stimulation of Research and Education
Research and basic education in the area of Cyber Security are considered essential in securing our digital future. The cabinet will start synchronizing research programs between the scientific centers, corporations and the community through the National Cyber Security Center. If money is available through the EU for this, it will be found and inserted. Also, education on all levels will be reinforced to include cyber security awareness.

And now – The Budget for all this candy
None. Absolutely nothing. Zilch. Zero. Nada. The entire list of initiatives must suffice with what has already been budgetted, which is to say: Too little. As said before, this cabinet has to cut 30 billion euro´s and even though they acknowledge that Cyber Security is important, they just can´t seem to find a few pennies to make it all happen. Reliable sources even inform me that now would be an especially bad time to be working for any of the units or departments that is to be assimilated into this new National Cyber Security Center, as there are bound to be redundancies as soon as everyone is sitting inside the same building. I am all for government efficiency, but if this is indeed the case, wouldn´t that be Constructive Dismissal?

The future will tell. For now, very few experts take these measures seriously and fear that our National cyber defence posture will be weakened rather than strengthened. Let´s hope that this is not the case, because various research papers already point to The Netherlands as a haven for malware.