Briefing

The Netherlands has strong information technology capabilities. According to the World Economic Forum, the country ranks 6th in the world as one of the most advanced and technology-enabled nations. In 2018, the Netherlands imported €61.2 billion worth of ICT goods and services. In the same year, exports of ICT-related goods and services (including re-exports) stood at €74.6 billion. The Netherlands’ technological environment is anchored by a robust digital infrastructure. The Dutch rank 2nd in the world for online connectivity, with over 98% of households having a broadband connection. The Netherlands is a leading cybersecurity hub in Europe, home to Europe’s largest security cluster, The Hague Security Delta (HSD). HSD is a national network of more than 300 public and private organisations working together to accelerate cybersecurity solutions. The Netherlands is home to one of the largest internet exchanges in the world, the Amsterdam Internet Exchange (AMS-IX), and has one of the highest rates of internet connectivity in the world. The Amsterdam region houses nearly a third of Europe’s data centres, with growth expanding to Groningen and Middenmeer. The country is also home to Europol’s European Cyber Crime Center (EC3), NATO Communications and Information (NCI) Agency and the Global Forum for Cyber Expertise (GFCE) in The Hague.

The Netherlands ranks 4th out of 28 countries (27 EU member states and the UK) in the European Commission Digital Economy and Society Index (DESI) 2020. This ranking is based on pre-coronavirus pandemic analysis. It is a leading country in the EU for the adoption and use of digital technologies. Several of the world’s largest technology companies are headquartered in the country, including key data centres. Demonstrating cybersecurity resilience in the country’s networks, information systems, private sector and public services is very important for national security, economic growth, investment, trust, and innovation. Companies and organisations can also use this information to set expectations and risk levels.

Putting Cybersecurity on the Agenda

In 2018, the Dutch National Cybersecurity Agenda was adopted to allow the Netherlands to benefit from the economic and social opportunities of digitalisation in a secure way and to protect national security in the digital world. Seven ambitions were outlined to allow the Netherlands to:

1. Have strong digital capabilities to detect, mitigate and respond decisively to cyber threats;

2. Contribute to international peace and security in the digital space;

3. Be at the forefront of digitally secure hardware and software;

4. Have resilient digital processes and a robust infrastructure;

5. Have successful barriers against cybercrime;

6. Lead the way in the field of cybersecurity knowledge development; and

7. Have an integrated and strong public-private approach to cybersecurity.

From Agenda to Reality: Key Points from Cyber Security Assessment Netherlands 2021

The Netherlands has moved from setting agendas and ambitions to becoming more proactive in European (and global) cybersecurity efforts. It also seeks to assess the national picture every year so that stakeholders can know the trends, risks, threats, strengths and areas for improvement. This shows both a proactive and transparent approach. The Cyber Security Assessment Netherlands 2021 (CSAN 2021 / CSAN) explains the active cyber threats, the likely impacts, resilience approaches and the risks. CSAN focuses on national security, which is defined annually by the National Coordinator for Security and Counterterrorism (NCTV) and the National Cyber Security Centre (NCSC NL).

The NCTV is the central government body responsible for counterterrorism, cybersecurity, national security, crisis management and state threats. NCTV’s core focus is to prevent and minimise social disruption. The NCSC NL is the central information hub and centre for expertise for cybersecurity in the Netherlands. NCSC NL helps to boost cyber resilience in society, specifically within central government and among critical providers.

  • Risks to National Security

Four risks to national security have been identified in CSAN:

1. Unauthorised access to information and its publication, particularly through espionage. For example, espionage targeting communications within the central government or the development of innovative technologies.

2. The inability to access processes, due to sabotage or the use of ransomware. For example, the infiltration of processes that ensure the distribution of electricity.

3. Major security breaches, such as through the abuse of global IT supply chains.

4. Large-scale outages: for example, where one or more processes are disrupted due to natural activity, technical interference or unintentional human action.

  • Differences in the Levels of Resilience

The CSAN reveals that there are significant differences in levels of resilience in the Netherlands. Large companies can invest in cybersecurity knowledge and skills. Suppliers of essential services and digital service providers also have a statutory duty of care, set out in the Network and Information Systems Security Act (Wet beveiliging netwerk- en informatiesystemen, Wbni). However, small businesses, including small and medium-sized enterprises (SMEs), often lack the expertise and resources to substantially upgrade their resilience efforts. SMEs are often targeted by sophisticated actors. This resilience gap has been identified as a work in progress to be solved, in part, by greater capacity building and information sharing.

  • Key Messages from CSAN

There is a clear acknowledgement that cyber incidents can paralyse society, and in particular:

  1. Cybersecurity is a precondition for the functioning of society.
  2. The digital threat is permanent.
  3. Digital resilience is not yet in order everywhere because of the lack of basic measures.
  4. Boosting resilience is the most important tool for managing cyber risks.
  5. A complete and accurate picture of the resilience of critical processes is still missing.
  6. Cyber risks are as great as ever and cannot be separated from other risks.
  7. The Netherlands’ dependence on countries with offensive cyber programmes is a risk-increasing factor.
  8. The main risks to national security are sabotage and espionage by states and the failure of systems, as well as cyberattacks by criminals (cybercrime).

  • The Covid-19 Effect

CSAN notes that since the start of the coronavirus pandemic, several COVID-19 themed cyberattacks have been observed, using a range of tools and tactics. Cyberattacks have been carried out on hospitals, research institutes and the World Health Organisation (WHO). Not only has the healthcare sector been targeted, but governments and companies have also had to deal with various attacks. The Police, the Public Prosecutor’s Office and Europol warned of the various forms of misuse, ranging from cybercriminal attacks to the distribution of disinformation. COVID-19 also lends itself to social engineering attacks.

  • Disrupting Ransomware

CSAN sets out a robust strategy for dealing with all forms of ransomware. It suggests that the most promising solution lies in structurally increasing the costs to the criminals against the benefits gained from ransomware attacks. It suggests that this can only be done if the Police, NCSC NL, the Public Prosecution Service, the public services, private partners and potential victims, unite and stand together. These stakeholders should proactively work together and share information and insights in a targeted manner. Information sharing is the key.

  • Cloud Services and Virtualisation: Questions for Companies and Organisations

In a unique approach, CSAN directly addresses companies and organisations with key questions about digital transformation and the emerging risks. It focuses on cloud services and the cybersecurity risks associated with virtualisation. The key questions it asks are:

  1. When designing your cloud environment, did you take the failure of this infrastructure into account (design for failure)?
  2. What activities does your organisation perform in the cloud environment and how sensitive are these processes to interruption?
  3. How is the data processed in the cloud environment stored? For complex or sensitive data processing, has replication at multiple data centre locations or ‘availability zones’ been considered? Note: Replication can ensure that important data are not lost in the event of disruption at one location but remains available at another location.
  4. Do you know the basis upon which your organisation chose a public, private or hybrid cloud environment? Does this include the complex data processing and sensitive or unique data that plays a role in your organisational processes?

By asking these questions of all companies and organisations, NCTV and NCSC NL spark a debate but also place the onus on each entity to actively reduce its cyber risks and build resilience. CSAN asks questions of individual entities, so that collective and national data security resilience can be increased.

Action Plan: Monitor the Cybersecurity Threat Landscape, Participate in Public/Private Cybersecurity Efforts and Review Annual Assessments to Influence Corporate Strategy

Companies, organisations, the public sector and investors must monitor the development of the Cybersecurity Agenda and the annual Dutch CSAN analysis. The Netherlands is vital for European data flows, global information technology and international supply chains. The role of small and medium-sized enterprises (SMEs) and their position in supply-chain cybersecurity resilience should also be constantly assessed, as this has been highlighted in the CSAN. NCSC NL has a strong reputation at home and abroad, especially working with the UK, Germany, USA and bodies such as the European Union Agency for Cybersecurity (ENISA), EUROPOL and NATO.

The Netherlands’ data protection approach should also be monitored in conjunction with the National Cyber Security Agenda and CSAN. This completes the information security and data governance picture. Autoriteit Persoonsgegevens (also called The Dutch DPA) is the data protection and General Data Protection Regulation (GDPR) regulator. It is relatively large, sufficiently funded, consistent and adopts an analytical risk-based approach. It leads with education, guidance and recommendations but will issue fines where it considers these are appropriate. Recently, it has used its strongest penalties to respond to data breaches, data about children, health data (including Covid-19 data), intrusive new technologies and surveillance.

The Netherlands stands as a good example of a transparent, effective and active cybersecurity strategy. The agenda and strategy have been operationalised and are assessed annually. The country has championed the multidisciplinary and cross-sector approach to building resilience. Its data protection regulatory system is also stable, consistent and set to expand to respond to new technology, European co-operation, global initiatives and the intensifying cybersecurity landscape.