The Netherlands is currently facing serious risks through its ICT infrastructure. No national cyber security strategy is in place to secure it. While many measures have been implemented, a strategic direction is lacking. This must change.
On the opposite side of the North Sea, the United Kingdom (UK) has realised the need for strategic cyber security policy. On 18 and 19 October 2010, the UK released a new National Security Strategy and a new Strategic Defence and Security Review. In the National Security Strategy, risks emanating from cyberspace are considered a highest priority objective, in addition to terrorism, international military crises, and major accidents or natural hazards. Recognising the threat, the Home Office will soon publish a new Cyber Security Strategy.
Cyber threats are generally linked to cyber crime, a phenomenon which gravely undermines Dutch economic interests. Hackers are able to steal (banking) credentials, copy identities or directly target financial institutions for financial gain. The precise extent of the financial impact remains unknown but is estimated to amount to millions of euros. Globally, it is estimated at $1 trillion per year. Worse still, this figure is expected to grow fast.
What adds to the damage is cyber espionage. The loss of technological, political and business intelligence jeopardises the competitive strategic advantages held not only by the national government but also by the Dutch private sector. Cyber incidents at home and abroad have already led the Dutch General Intelligence and Security Service (AIVD) to issue a public brochure explicitly warning the general public about digital espionage.
Yet, although the notion has spread that cyber crime is no abstract matter, the physical threat of cyber attacks is often overlooked. Besides attacking critical national infrastructure, with the current Stuxnet worm as a prime example, hackers may also target seemingly innocuous ICT systems such as medical aids. In 2008, US researchers demonstrated ways to hack into medical pacemakers. With a growing presence of ICT in our daily lives, these kinds of illicit penetrations are bound to have drastic consequences.
The cyber threat is rapidly increasing; it is real and it is here to stay. More than ever, we need a coherent national cyber security strategy to mitigate risks from cyberspace. To be effective, a cyber security strategy must at least address strategic coordination and effective response capabilities. A concerted strategic approach is of vital importance because merely parochial policies often fail to complement each other. This leaves the Netherlands unnecessarily vulnerable to security breaches, while hackers exploiting such vulnerabilities will have a strategic impact.
In short, strategic coordination is essential to obtain an overview of the threats in cyberspace. However, no single actor has this overview. And what is more, existing cyber capabilities are dispersed across governmental and private actors. Still, it is not absolutely necessary to centralise these capabilities. What is in fact required is a cyber security strategy that offers actors a clear delineation of the roles and responsibilities concerned. In other words: who monitors what? Who has to respond under what circumstances? One approach involves an overseeing and coordinating agency which would harness existing knowledge and capabilities and which would guard the roles and responsibilities. For example, the United States, the United Kingdom and France, each in their own way, have appointed a designated agency or an official from the highest echelons to coordinate national cyber security. Thus, an appropriate response can be guaranteed. The Netherlands could copy this approach, or it may select an alternative option such as making an existing agency the lead actor and granting it commensurate authority. The absence of a high authority guarding clearly defined roles and responsibilities may lead to a duplication of efforts and may prevent the Dutch from formulating a timely and national response. The resulting inaction would lead to increased risks in case of a cyber attack, with grave consequences.
Furthermore, a national response capability must be coordinated centrally. What threats do we face? How can we respond to them, and what is required? The answers to these questions will (likely) point out a strategic direction for governmental and private actors to develop technologies and research programs, and they will guide the allocation of resources and funding. However, in the process, it is important to realise that full security is unlikely to be achieved. In the Cold War, for instance, it was a bomber that managed to break through our defence; today it is hackers who frustrate the system. Given the connectivity of many ICT systems it is therefore of vital importance to focus a strategy on mitigation and resilience – rather than on full-scope prevention or ‘perimeter defence’.
Determining an appropriate response capability also raises questions about the nature of an appropriate response. For example, what would a counter (cyber) attack look like? Who would carry it out: the Ministry of Defence, the Ministry of the Interior or maybe even GovCert? Who has what capacities, and at what scales of conflict would different agencies be responsible? What are the legal, political and security implications of a counter cyber attack? Could developments backfire in a kinetic response? At present, these issues are far from clear. In drafting a cyber security strategy, the Dutch government and the Dutch private sector are forced to address these issues. Solutions will inherently involve multiple agencies. For this reason, formulating effective answers requires a coordinated effort from the top levels in government to streamline current and new measures.
The Netherlands needs a national cyber security strategy to protect its vital interests. The urgency of the cyber threat must be recognised. In particular, it is high-level policy makers who need to become aware of the looming risks from cyberspace. Without a clearly formulated strategic direction to counter cyber threats, the Dutch ICT infrastructure is bound to remain vulnerable to cyber attacks.