On July 10th 2014, the Dutch government published the fourth edition of the “Cyber Security Assessment Netherlands” trend report, aka “CSBN-4”. The Minister of Security & Justice responded (.pdf, in Dutch) to it. For me, these were some key takeaways:
- The Dutch central government will include security by design and privacy by design in its tenders, and calls upon other parts of government to also do that (we will have to see how this materializes);
- The government is building a National Detection Network and launched a National Response Network (some FOIA’d documents are here);
- The National Detection Network currently consists of five partners, including:
- Several other parties have signed up for the National Detection Network; based on this document I believe these could potentially include private sector parties;
- The government asked the Scientific Council for Government Policy (WRR) for advice on three questions (this advice will probably take a few months):
  - Is a stronger distinction needed between the access to and use of data in Big Data?
  - How can it be ensured that the process of profiling, “datamining” and other analytical techniques for the purpose of security is sufficiently transparent?
  - What does the advent of quantum computers mean for the process of data processing for the purpose of security?
Here is my translation of the four key findings in CSBN-4 as described by the Minister (emphasis is mine):
1. Potential impact of digital attacks and disruptions increases due to fast digitization
In CSBN-3 it was found that the dependence on ICT is significant and increasing due to development such as hyper-connectivity and cloud computing. In CSBN-4 it is evident that this trend continues unabated. This increases the potential impact of attacks and disruptions. Preventing social disruption caused by a disruption or failure of vital products and services has the constant attention of the government.
- In the context of preventing social disruption as a result of the failure of vital goods and services, the government maps, in collaboration with vital organizations, which ICT-based services and processes are vital. This involves a program that, based on risk analysis, establishes basic requirements concerning the safety of vital services and processes. In addition, a training program or module is developed for response in major ICT incidents.
- In European context, among others, the improvement or development of standards is pursued that promote the safety of ICT products. The Global Conference on Cyber Space 2015, which takes place in the Netherlands next year, will also focus on this.
- For its own system, the (central) government takes ‘security by design’ along in tendering processes, to make systems more secure and limit the impact of a possible disruption. Other parts of government are called upon to do the same.
- An exploration is ongoing of the feasibility of separate ICT networks and services for public and private vital processes.
- 100% security does not exist. But we can pursue a strengthened commitment and cooperation in detection, analysis and response capabilities so that cyber attacks can be quickly detected and the damage is as limited as possible due to a rapid and adequate response.
- In April 2014, a pilot started in the government in the context of the development and expansion of the National Detection Network (NDN). This pilot will run for six months. At the end of 2014 there will thus be a tested and robust set-up for detection. The experiences in the pilot are leading for the next step, namely connecting new partners outside the realm of the (central) government.
- The National Response Network (NRN) was launched in April 2014. The five partners agreed on cooperation covenants governing mutual assistance in case of incidents. In the fall, these partners will deliver proposals to establish joint risk assessments, exercises and reciprocal internships. From the National Cyber Security Center (NCSC), several organizations are currently supported in the design of their own response capacities to contribute to the NRN. Also a number of new potential partners signed up. Thus the NRN will be further expanded.
- The capacities and position of the NCSC are strengthened. Also, the research and analysis capacities of the NCSC, the National Police, the General Intelligence and Security Service (AIVD) and Military Intelligence and Security Service (MIVD) will be strengthened to improve the understanding of threats and risks in the digital domain.
- The potential for the deployment of digital capabilities of the Ministry of Defense in preventing and fighting off attacks on critical infrastructure, under civil authority and within the applicable legal frameworks, is developed further.
2. Lack of ICT sustainability and increasing interconnection pose risk to public safety
In CSBN-4 it is again noted that the vulnerability of ICT is high due to the discovery of new vulnerabilities and the development of new services and innovative equipment. The sustainability of ICT also poses a risk to public safety as a result of the increasing interconnection of ICT. This is especially a major concern when it comes to preventing social disruption caused by the disruption of vital products and services.
- Legacy systems and other potential risks in the critical infrastructure are being mapped. These include systems where the risks related to ICT sustainability play a role. The results will be included in the broad approach towards critical infrastructure.
- As indicated above, digital security will be considered in the approach to critical infrastructure, in which the government along with vital organizations maps risks and, among others, a program is started that establishes (basic) requirements for safety.
- The sector regulators are consulted in the establishment of security requirements for supervision. The risks related to ICT sustainability will be included in this process.
- In the third national Alert Online campaign from October 27 to November 6, attention is paid to the issue of ICT sustainability. It will also be aimed at individual users who can equally be faced with this problem. An example is the cessation of support for Windows XP, for which security updates are no longer provided. It is important that people are aware of digital risks so they can take their own responsibility for the sake of personal digital safety. In this context, the website Veiliginternetten.nl will also be launched. During the Alert Online campaign, users will be informed about the risks of using the internet. The website is a collaboration between the Ministry of Economic Affairs, the Ministry of Security and Justice and ECP platform for the information society.
3. The threat posed by criminals and state actors remains high
The number of digital espionage attacks has increased, as well as their complexity and impact. Almost every foreign intelligence service has invested in its digital capabilities in recent years. Dutch public and economic interests may be seriously harmed by digital espionage. The Netherlands should continue to be a ‘safe place to do business’.
- The government is investing in an increase in the overall digital defensibility, partly to increase defensibility against digital espionage. So this investment involves strengthening capacities aimed at the detection, fighting off and mitigation of attempts at digital espionage, such as detection, analysis and response capabilities. Also the research and analysis capabilities of the NCSC, National Police, AIVD and MIVD will be strengthened in order to gain insight into threats and risks in the digital domain such as digital espionage.
In the field of cybercrime, an increasing professionalization and internationalization is observed. This makes available (complex) digital attacks to less (digitally) experienced or resourced criminals.
- Cybercrime is vigorously addressed. For this purpose, (criminal) legislation is strengthened. Important, in this context, is the Computer Crime Act III that gives the National Police more strength in the area of cybercrime. Internationally, the strengthening of cooperation and the harmonization of legislation are pursued.
- In addition to strengthening (criminal) legislation, the capabilities of the National Police will be strengthened quantitatively and qualitatively so that more cybercrime cases can be addressed.
- The use of botnets will be addressed as well. About this approach I recently separately informed the Parliament during the General Meeting of March 27th 2014.
4. Privacy pressured by technical possibilities to collect data
In CSBN-4 it is found that due to technical possibilities to collect data, privacy is under pressure. The trend in which increasingly more aspects of our daily lives, such as search and consumption behavior and music preferences, are directly or indirectly digitally recorded will continue in the coming years. It is a development that is closely related to the business model of many popular (free) products and services. A tension exists between freedom, social growth (including economic development) and safety. This tension is also described in NCSS-2, the note “Freedom and security in the digital society, an agenda for the future” (Parliamentary Papers 26643, No. 298) and the vision on e-privacy (Parliamentary Papers 32761, No. 49). This trend is thus explicitly on the agenda of the government. I have asked the Scientific Council for Government Policy (WRR) for advice in relation to these issues.
- The WRR has been asked for an opinion that elaborates on three main questions:
  - is a stronger distinction needed between the access to and use of data in “big data”;
  - in the use of “big data”, how can it be ensured that the process of “profiling”, “datamining” and other analytical techniques for the purpose of security is sufficiently transparent; and
  - what does the advent of quantum computers mean for the process of data processing for the purpose of security.
- In addition, initiatives focused on privacy by design have received additional priority:
  - The (central) government takes “privacy by design” into account for its own systems, i.e. systems in which privacy aspects have been taken into account during the design, during tendering processes. Other parts of government are called upon to do the same.
  - In European context, among others, the improvement or development of standards is pursued that promote privacy in ICT products.