National+Cyber+Security+Strategy

7/30/2019 National+Cyber+Security+Strategy

1/16

1

The National CyberSecurity Strategy(NCSS)

Strength through cooperation


2/16

2


3/16

3

1 Inroducion

The Neherlands suppors sae and reliable ICT1 and he proecion o an open, ree inerne. Socieys

growing dependence on ICT makes i increasingly vulnerable o he misuse and disrupion o ICT

sysems. For his reason, he Governmen has launched a Naional Cyber Securiy Sraegy, wih inpu

rom a wide range o public and privae paries, knowledge insiuions, and civil sociey

organisaions. The Sraegy consiues he Governmens response o Parliamenary moions abled

by Raymond Knops and Marcial Hernandez.2 I also embodies he inegraed approach o cybercrime

announced in he 2010 coaliion agreemen.

Structure of the Strategy

This Sraegy is divided ino wo pars. The rs par (Chapers 2 o 4) presens an analysis o heproblem, describes policy principles or cyber securiy, and ses ou objecives. The second par

(Chaper 5) ses ou a number o lines o acion, each conaining prioriy aciviies or improving

cyber securiy aciviies ha will be implemened by he Governmen, and in collaboraion wih

oher paries.

2 Developmens ha call or acion

ICT is essential for our society and economy.

Sae and reliable ICT is essenial or our prosperiy and well-being, and serves as a caalys or urhersusainable economic growh. In Europe, 50% o produciviy growh is due o he use o ICT.3 The

Neherlands aims o lead he world in he use o ICT while guaraneeing he saey o digial sociey.

The Neherlands wans o become he Digial Gaeway o Europe.

Society is vulnerableICT oers opporuniies, bu also increases vulnerabiliies in a sociey where criical goods and

services are increasingly inerrelaed. A deliberae or accidenal breakdown caused by echnical/

human error or naural causes could lead o social disrupion. The complexiy o ICT sysems and our

growing dependence on hem are leading o new vulnerabiliies ha could aciliae misuse and

disrupion. Examples include he rapid developmens in mobile daa ransmission and cloud

compuing, which give way o new vulnerabiliies and opporuniies or misuse. The growing use o

inerne services involving he enry o personal deails and he rise in he populariy o social media

are also creaing new orms o misuse, such as ideniy he.

1

ICT is an umbrella erm reerring o digial inormaion, inormaion inrasrucures, compuers, sysems, applicaions, plus heineracion beween inormaion echnology and he physical world ha is he subjec o communicaions and inormaion

exchange.

2 Moion abled by Raymond Knops, House o Represenaives, 2009-2010, 32 123 X, no. 66; moion abled by Marcial Hernandez,

House o Represenaives, 2010-2011, 32 500 X, no. 76.

3 European Commissioner Neelie Kroes a he opening o he 2010 World Congress on Inormaion Technology in Amserdam.


4/16

4

Recent examplesThree recen incidens illusrae hese vulnerabiliies and orms o misuse:

In he second hal o 2010, cyber securiy expers idenied Suxne, an advanced malware program

ha disrups he auomaion o indusrial processes. Analysis showed ha Suxne mus have been

expensive o develop. I is suspeced ha he Suxne atack was nanced by a sae and aimed a he

criical inrasrucure o anoher sae, leading o global side-eecs on oher criical organisaions.

In an inernaionally coordinaed operaion in lae 2010, he Naional Police Services Agency (KLPD)

worked wih parners in he Neherlands and abroad o dismanle a large bone: a collecion o

compuers misused remoely, oen or criminal purposes and usually wihou he knowledge o heir

owners. The bone, known as BredoLab, was maserminded rom Armenia, is operaions were

concenraed in he Neherlands, and i was presen in several oher counries. Worldwide, millions

o compuers were aken over by BredoLab, which disribued spam and denial-o-service atacks.

The measures aken by a number o companies agains Wikileaks promped is supporers o carry

ou worldwide denial-o-service atacks agains Paypal, Masercard, public prosecuors, and hepolice. The hackers emporarily disabled hese organisaions websies, demonsraing he plainness

o hackivism.

Cyber securityis reedom rom danger or damage due o he disrupion, breakdown, or misuse o ICT.

The danger or damage resuling rom disrupion, breakdown, or misuse may consis o limiaions o

he availabiliy or reliabiliy o ICT, breaches o he condenialiy o inormaion sored on ICT media,

or damage o he inegriy o ha inormaion.

Existing parties in digital society need to cooperate nationally and internationally

When cyber atacks occur, i is oen difcul o ideniy he perperaor, who may be a loner,an organisaion, a sae, or a combinaion o all hree. The naure o he cyber hrea4 is also

oen unclear. Bu many cyber atacks involve he same echniques and mehods5 illusraing he

imporance o urher cooperaion among paries concerned wih cyber securiy, including public

bodies working on paricular ypes o hrea, businesses ha mainain he nework and inormaion

inrasrucure, and knowledge insiuions concerned wih cyber securiy and he public.

Digial sociey is global. Cyber atacks and disrupions insananeously ranscend naional borders,

culures, and legal sysems. I is oen unclear which jurisdicion applies o daa ransmission,

and i is oen uncerain wheher he law can always be eecively applied. The Governmen wans

o make i easier o comba he misuse o ICT, wherever i occurs.

4 cybercrime, cyber errorism, cyber acivism, cyber espionage, and cyber conic

5 such as malware, bones, spam, phishing, and argeed aacks


5/16

5

3 Basic principles

Invesing in cyber securiy means invesing in our uure, our economic growh, and our

innovaiveness no only because sae ICT and he sae use o ICT are possible in he Neherlands,

bu also because he Neherlands is a major cenre o knowledge and developmen in cyber securiy.

We need o prioriise cooperaion hroughou he enire securiy sysem beween civilian and miliary

paries, public and privae paries, and naional and inernaional paries. Only hen can we ensure

he resilience o our ICT inrasrucure in criical secors, a rapid and eecive response o cyber

atacks, and appropriae legal proecion in digial domains. The ollowing principles underlie

our Sraegy:

Interlinking and strengthening initiativesA grea deal is happening in he area o cyber securiy. Bu consisency is lacking in several areas.

This observaion is borne ou by he ndings o he 2010 Naional Repor on Trends in Cybercrime

and Digial Securiy and he Naional Securiy Think Tanks repor on ICT Vulnerabiliy and Naional

Securiy. As a resul, duplicaions will be removed and iniiaives pooled. Wherever possible,

he Governmen will build on exising iniiaives and, wherever necessary, develop new ones.

Public-private partnershipsICT inrasrucure, goods, and services are largely provided by he privae secor. Coninuiy and

securiy o supply are essenial or he secors survival and or sociey as a whole, because he

disrupion o supply can also lead o social disrupion. Muual rus beween he public and privae

secors is essenial i we are o work ogeher and share inormaion as equal parners. Every pary

concerned mus gain value rom paricipaion in join iniiaives an oucome ha will be aciliaedby an eecive cooperaion model wih clearly dened asks, responsibiliies, powers, and guaranees.


6/16

6

Individual responsibilityAll users (individuals, businesses, insiuions, and public bodies) should ake appropriae measures

o secure heir own ICT sysems and neworks and o avoid securiy risks o ohers. They should ake

care when soring and sharing sensiive inormaion and respec he inormaion and sysems o oher

users.

Division of responsibilities between ministriesThe Miniser o Securiy and Jusice is, in accordance wih he Naional Securiy Sraegy, responsible

or coherence and cooperaion on cyber securiy. A he same ime, each pary in he cyber securiy

sysem has is own asks and responsibiliies.

Active international cooperationThe cross-border naure o hreas makes i essenial o promoe inernaional cooperaion. We mus

aim or an inernaional level playing eld. Many measures can be eecive only i hey are aken orcoordinaed inernaionally. The Neherlands suppors and acively conribues o eors such as he

EUs Digial Agenda or Europe and Inernal Securiy Sraegy, NATOs developmen o cyber deence

policy as par o is new sraegic vision, he Inerne Governance Forum, and oher parnerships.

The Neherlands advocaes he widespread raicaion and implemenaion o he Council o Europes

Convenion on Cybercrime.

Measures must be proportionateThere is no such hing as 100% securiy. When underaking cyber securiy aciviies, he Neherlands

makes choices based on risk assessmen. In doing so, i aims o proec our socieys core values, such

as privacy, respec or ohers, and undamenal righs such as reedom o expression and inormaion

gahering. We sill need a balance beween our desire or public and naional securiy and or

proecion o our undamenal righs. Measures mus be proporionae. To his end, we will apply,and where necessary srenghen, saeguards and esing mechanisms, including he exising

supervisory insrumens.

Self-regulation if possible, legislation if necessaryThe public and privae secors will achieve he ICT securiy hey seek primarily hrough

sel-regulaion. I sel-regulaion does no work, he Governmen will examine he scope or

legislaion. Bu legislaion would have o mee hree condiions: i should no unduly disor

compeiion and, as ar as possible, should ensure a level playing eld; he adminisraive burden

should no be disproporionaely increased; and he coss should be in reasonable proporion o

he benes.

We live in a as-moving world, and legislaion can soon become obsolee. The Governmen

will consider wheher legislaion needs o be ailored o developmens in ICT.


7/16

7

4 The Sraegys goal

Security and trust in an open and free digital societyThe Sraegys goal is o srenghen he securiy o digial sociey in order o give individuals,

businesses, and public bodies more condence in he use o ICT. To his end, he responsible public

bodies will work more eecively wih oher paries o ensure he saey and reliabiliy o an open and

ree digial sociey.

This will simulae he economy and increase prosperiy and well-being. I will ensure legal proecion

in he digial domain, preven social disrupion, and lead o appropriae acion i hings go wrong.


8/16

8

5 The working plan: work in progress

To achieve he objecives o he Naional Cyber Securiy Sraegy, he ollowing lines o acion

have been drawn up. The Neherlands will:

ensure an inegraed approach by public and privae paries;

ensure appropriae and up-o-dae hrea and risk assessmens;

srenghen resilience agains ICT disrupions and cyber atacks;

srenghen our capaciy o respond o ICT disrupions and cyber atacks;

inensiy he invesigaion o cybercrime and prosecuion o is perperaors;

promoe research and educaion in cyber securiy.

To implemen each line o acion, prioriy aciviies have been devised.

Work in progressThe Neherlands is doing a grea deal o ensure cyber securiy. Below, we describe a number o prioriy

aciviies, some new and some ye o be developed in ull. They vary in he deail o which hey have

been worked ou. Some are sill a he blueprin sage, so ha i is no ye possible o describe hem in

ull. They are clearly sill work in progress. They will be described in deail aer he Sraegys

publicaion.


9/16

9

5.1 Seing up he Cyber Securiy Council and heNaional Cyber Securiy Cenre

Responsibiliy or digial securiy in he Neherlands lies wih many paries. There is sill insufcien

cohesion beween policy iniiaives, public inormaion, and operaional cooperaion. The

Governmen hereore considers i essenial o oser a collaboraive approach beween he public

secor, he privae secor, and knowledge insiuions. The goal is o srenghen he nework and

ensure coordinaion rom sraegic o operaional level.

The Governmen considers a new nework-cenred orm o collaboraion essenial o achieve

an inegraed and coheren approach o cyber securiy. I aims o se up a Cyber Securiy Council,where sraegic-level represenaives rom all relevan paries will si and iron ou he conen and

implemenaion o his Sraegy. In he nex ew monhs, in consulaion wih all he relevan

paries, he Governmen will decide how he Council is o be ormed. The Council will be aciliaed

by he responsible public bodies.

The Governmen wans public and privae paries, acing wihin heir sauory scope, o collec

inormaion, knowledge and experise in a Naional Cyber Securiy Cenre, which will help improve

undersanding o developmens, hreas, and rends and help paries deal wih incidens and make

decisions in crises. The Governmen is inviing public and privae paries o join he Cenre. To his

end, i is devising a parnership model.

The Governmen will also expand GOVCERT.NL,6

srenghen i, and incorporae i ino he Cenre.

The Governmen wans he Council o sar work on 1 July 2011 and he Cenre o come ino operaion

on 1 January 2012.

5.2 Seing up hrea and risk analyses

Srenghening securiy begins wih undersanding vulnerabiliies and hreas. By gahering and

analysing knowledge and inormaion rom naional and inernaional public and privae paries,7

we will gain a beter undersanding o curren and poenial new hreas and vulnerabiliies. The

Naional Cyber Securiy Cenre will adop he working mehods se ou in his Sraegy, caaloguing

risks and ideniying capaciies ha need o be srenghened in order o preven hreas and respond

o disrupions. The knowledge hus gained will make i possible o ake argeed measures hroughou

he cyber securiy sysem, rom prevenion o response and rom invesigaion o prosecuion.

One o he asks o he Naional Cyber Securiy Cenre is o creae a single comprehensive picure o

he curren ICT hreas, including a repor on rends in cybercrime and digial securiy (he rs ediion

o which was published in 2010).

6 GOVCERT.NL aims o srenghen inormaion securiy wihin he Duch public secor by monio ring sources on he inerne, by issuinghrea warnings and advisory opinions on ICT vulnerabiliies, and by helping public auhoriies deal wih ICT-relaed incidens.

7 Including GOVCERT.NL, he AIVD (General In elligence and Securiy Service) and he MIVD (Miliary I nelligence and Securiy Service),

he police, special invesigaive services (such as he FIOD and SIOD), regulaors (such as OPTA and he Neherlands Consumer

Auhoriy), governmen inspecoraes (such as he Healh Care Inspecorae), privae paries (such as ISPs and securiy vendors), and

naional and inernaional knowledge and research insiuions.


10/16

10

The AIVD and MIVD8 will conribue o his picure. Where necessary, hey will srenghen heir cyber

capaciy.

The Governmen is inormed o hreas o naional securiy by he annual Naional Risk Assessmen.9

Cyber securiy will receive exra atenion in his Assessmen.

5.3 Increasing he resilience o criical inrasrucure

We mus preven social disrupion due o ICT breakdowns or cyber atacks. Various paries, rom

individuals o suppliers, have a responsibiliy in his regard. The user mus be conden ha an ICT

good or service can be used saely. Suppliers mus hereore oer sae ICT goods and services. Usersmus also ake necessary securiy measures.

In 2011, he Telecommunicaions Ac is being amended. This will provide a legislaive basis or a

number o exising agreemens wih he larges elecommunicaions companies abou he

coninuiy o heir criical elecommunicaions inrasrucure. Areas covered include he reporing

o disrupion or breakdown o services, minimum requiremens or he coninuiy o services, and

compliance wih inernaional sandards. Wherever possible, he Neherlands will work or a join

European approach in hese areas.

The Cybercrime Inormaion Hub will coninue is operaions as par o he Cenre or he

Proecion o Naional Inrasrucure (CPNI).10 This year, he Governmen will examine how he

CPNI and he Naional Cyber Securiy Cenre can work ogeher.

The responsible public bodies will work wih hese organisaions o encourage compliance wih he

curren minimum ICT securiy sandards based on good pracices. The Governmen will work wih

criical secors o learn more abou poenial measures o preven he disrupion o heir criical ICT

aciliies. On his basis, he responsible public bodies will urge criical secors o ake he same

measures. One example is he Emergency Communicaions Faciliy (NCV), which rom 1 May 2011

will replace he curren emergency nework. Criical organisaions will be able o join he NCV.

The Governmen has developed a package o measures specically geared o prevening digial

espionage. I has published a manual eniled Analysis o Vulnerabiliy o Espionage o help

businesses increase heir resilience o espionage.

8 The AIVD and MIVD occupy a unique posiion wih regard o inormaion on cyber hreas (such as digial espionage, cyber errorism

and cyber exremism) by conducing research in he ineress o naional securiy.

9 The Naional Risk Assessmen analyses various ypes o hrea o naional securiy using a uniorm mehod or consrucingmiddle-erm scenarios wih scores or probabiliy and poenial impac. I hen makes proposals or srenghening capaciy in order

o lessen he impac o hreas.

10 The CPNI is a platorm where criical secors and public bodies can share inormaion in a rused environmen on incidens, hreas,

vulnerabiliies, and good pracices in he areas o cybercrime and cyber securiy. The goal is o increase hese paries resilience o

disrupions.


11/16

11

Public bodies mus improve heir own resilience. For his reason, he Governmen aims o ensure

ha, by he end o 2011, 80% o he criical organisaions in he criical secors public adminisraion

and public order and saey have coninuiy plans in place. These will include scenarios o

widespread disrupion o ICT and he elecriciy supply.

In mid-2011, he Governmen will draw up an inormaion securiy ramework or he civil service

and a new regulaion governing he proecing o classied inormaion.11 I will also insiue a

public-secor-wide audi cycle or inormaion securiy.

During he course o 2011, he Governmen will decide wheher an elecronic ideniy card ha

would be accepable o he public will be incorporaed ino ravel documens. Individuals will hen

be able o ideniy hemselves reliably on he inerne, enering an elecronic signaure ha

guaranees heir privacy.

Public auhoriies will ull he European obligaion o repor he leaking o daa in he

elecommunicaions secor. And pursuan o he coaliion agreemen, he Governmen is

developing a proposal o make i compulsory or all ICT paries o repor he loss, he, or misuse o

personal deails.

In 2011, he Governmen will make choices abou securiy in relaion o he processing o personal

deails. I will be guided by European developmens in privacy legislaion. The Governmen will

shorly inorm Parliamen o is posiion on privacy, including he obligaion o repor.

The Governmen wans o consul wih ICT vendors o seek ways o improving he securiy o

hardware and soware. I is also commited o esablishing inernaional agreemens in his area.

In addiion, he Neherlands will paricipae acively in he Inerne Governance Forum, aciliaedby he Unied Naions. The Governmen inends o play an acive par in he global open and

ransparen dialogue by broaching issues ha can conribue o his Sraegy, such as improving he

rules or inerne use and combaing misuse.

The Governmen wans o consul wih suppliers o improve user inormaion on he securiy o ICT

goods and services.12 The responsible public bodies will work wih suppliers o ICT goods and services

o develop naional campaigns on curren developmens and vulnerabiliies argeed a individuals,

businesses, and public bodies hemselves.13

11 The AIVDs Naional Communicaions Securiy Agency (NBV) promoes he proecion o special inormaion by providing approved

securiy producs and ones developed in-house, by assising in heir implemenaion, by conribuing o policy and regulaions in his

area, and by giving advice on inormaion securiy.12 Four good examples: he Three Times Righ campaign, aimed a banks and individuals; he Proec Your Business iniiaive,

launched by he ICT rade associaion ICT Ofce o encourage SMEs o conduc a risk analysis and proec heir daa appropriaely;

he Cyber Sae Yoursel campaign, or colleges and universiies; and he Bis o Freedom Webwijs campaign.

13 Examples include he Sae I nerne, and Digi-Skilled and Digi-Aware campaigns (by ECP-EPN). The Waarschuwingsdiens.nl

(GOVCERT.NL) serves he same purpose.


12/16

12

5.4 Capaciy or responding o ICT disrupions andcyber aacks

An ICT disrupion or atack needs o be me wih various responses beore sabiliy can reurn.

ICT incidens ha lead o a breach in he availabiliy, inegriy, or exclusiviy o he nework or

inormaion inrasrucure mus be addressed primarily by he organisaion aeced. Wherever

incidens could resul in social disrupion or damage o criical aciliies, processes or persons,

he responsible public bodies will respond appropriaely.

In summer 2011, he Governmen will launch is Naional ICT Crisis Plan, which includes a plan

o coordinae naional and inernaional exercises.

The ICT Response Board (IRB), a public-privae parnership ha gives advice on measures o

counerac major ICT disrupions o decision-making organisaions, will come ino operaion

in 2011 under he auspices o he Naional Cyber Securiy Cenre.

Inernaionally, he Governmen will ocus on srenghening cooperaion in operaional responses

beween he CERT organisaions in Europe. I will also aim o srenghen he Inernaional Wach

and Warning Nework (IWWN), which now operaes as an inormal orum on global ICT incidens.

A major erroris atack on or via he inerne could have a signican impac on sociey.

The Governmen is hereore expanding he Counererrorism Aler Sysem (ATB) o include

cyber hreas, which will hen be par o he exercise programme.

The Minisry o Deence is developing knowledge and capaciies o be able o operae eecively in

he digial domain. I is doing is umos o maximise is opporuniies or sharing knowledge and

experise wih civilian and inernaional parners. A he same ime, he Minisry is examining how

i can make knowledge and capaciies available or is hird primary ask under he Civil-Miliary

Cooperaion Inensicaion Projec (ICMS).

A cyber securiy educaion and raining cenre is being esablished.

To make is own neworks and sysems more resilien, he Minisry will, in he nex ew years,

urher expand he responsibiliies o he Deence Compuer Emergency Response Team (DeCERT).

In addiion, he Minisry will inves in increasing securiy awareness among sa and work o

achieve accrediaion o sysems and processes.

A docrine or cyber operaions is being developed o proec he Minisrys own resources

and unis.


13/16

13

5.5 Inensiying he invesigaion o cybercrimeand he prosecuion o is perperaors

The rapid growh in cybercrime calls or eecive enorcemen o mainain condence in digial

sociey. The implemening organisaions in he criminal jusice sysem (primarily he police and oher

invesigaive services plus he Public Prosecuion Service and he judiciary), which share responsibiliy

or combaing cybercrime, will need o have sufcien specialiss on board. Such expers can deal wih

complex cases involving high-ech crime as well as high-volume cases ha hreaen o diminish

condence in ICT among he public, small businesses, and he privae secor as a whole. The goal is o

increase willingness o repor incidens and apprehend perperaors. Inernaional cooperaion also

improves our abiliy o solve cross-border crime.

The Governmen aims o creae a pool o regisered expers rom he public and privae secors and

knowledge insiuions, so ha scarce experise can be shared and specialiss can be oered

challenging career prospecs.

As o enorcemen, he Governmen aims o encourage more cross-border invesigaion wih

enorcemen agencies rom oher European counries and inernaional parners. The Governmen

is also examining he scope or urher inernaional legislaion on cybercrime.

A naional level, he Governmen will se up a seering commitee on prioriy crime, wih a view o

providing he enire criminal jusice sysem wih sufcien specialiss o deal wih cybercrime. The

chair o his commitee will also be a member o he Cyber Securiy Council. The Public Order andSaey Inspecorae will examine he perormance o he police in invesigaing cybercrime.


14/16

14

During he nex ew years, wihin he ramework o is curren budge, he police will gain more

invesigaive capaciy, especially or he invesigaion o cybercrime and apprehension o is

perperaors. The regional police orces will have cybercrime invesigaors and specialiss, and he

Naional Police Services Agency will have a high-ech crime eam. The high-ech crime eam should

be dealing wih around 20 cases by 2014. The invesigaion and prosecuion services will ake par in

he aciviies o he Naional Cyber Securiy Cenre.

In he nex ew years, he exising programme-based approach o cybercrime (PAC) will play a

cenral par in creaing a police knowledge cenre, srenghening he polices organisaional sysem,

and shiing emphases wihin exising capaciies. The Public Prosecuion Service and he judiciary

will have sufcien prosecuors, suppor sa, judges and examining magisraes wih specialis

knowledge o cybercrime.


15/16

15

5.6 Encouraging research and educaion

The ques or cyber securiy is driven by scienic research and he developmen o innovaive securiy

soluions. Proper raining a all levels is essenial o mainain he reliabiliy o ICT sysems and uure

resisance o hreas. The Neherlands needs a subsanial occupaional group o ICT proessionals i

our digial economy is o grow.

Via he Naional Cyber Securiy Council, he Governmen will improve coordinaion beween

research programmes in he public secor and, wherever possible, beween hese programmes and

hose in he privae secor and knowledge insiuions. The responsible public bodies will assis

paries more acively in raising money or research rom Euroregion and European unds.

Srenghening educaion and raining a all levels is essenial i we are o resis hreas and coninue

using ICT reliably. I is also a prerequisie or expanding he Duch digial economy. The

Governmen is developing a plan wih educaors and he proessional groups concerned o increase

he cyber securiy componen in educaional programmes. I will also coninue o sudy he scope

or ceriying qualied ICT securiy proessionals which includes ensuring clariy on he conen o

courses. A good example has been se by he iniiaive o an exising group o ICT securiy

proessionals, who have se ou he eaures o such courses.

6. Financial consequences

The above aciviies will be absorbed wihin exising budges.


16/16

PublicaionMinisry o Securiy and Jusice

P.O.Box 20301 | 2500 EH | The Hague

The Neherlands

June 2011 | J-9228

Documents

National+Cyber+Security+Strategy