THE NETHERLANDS CYBER READINESS at a GLANCE Melissa Hathaway and Francesca Spidalieri

THE NETHERLANDS CYBER READINESS AT A GLANCE Melissa Hathaway and Francesca Spidalieri

May 2017

AC INST M IT O U T B T O E

Published by Potomac Institute for Policy Studies

Potomac Institute for Policy Studies 901 N. Stuart St, Suite 1200 Arlington, VA 22203 www.potomacinstitute.org Telephone: 703.525.0770; Fax: 703.525.0299

Email: [email protected]

Cover Art by Alex Taliesen.

Acknowledgements

This country profile was made possible through funding provided by the Dutch Government’s National Coordinator for Security and Counterterrorism. The Potomac Institute for Policy Studies and the authors would like to thank the Dutch Government and other European experts who provided insights and contributions for this profile. The authors would also like to thank Alex Taliesen for cover art and Sherry Loveless for editorial and design work. THE NETHERLANDS CYBER READINESS AT A GLANCE

TABLE OF CONTENTS INTRODUCTION ...... 2 1 . NATIONAL STRATEGY ...... 8. . . 2 . INCIDENT RESPONSE ...... 14 . . 3 . E-CRIME AND LAW ENFORCEMENT ...... 20. . 4 . INFORMATION SHARING ...... 23 . . 5 . INVESTMENT IN RESEARCH AND DEVELOPMENT . . . . 25 6 . DIPLOMACY AND TRADE ...... 31 . . 7 . DEFENSE AND CRISIS RESPONSE ...... 35 CRI 2 .0 BOTTOM LINE ...... 40 . . ENDNOTES ...... 41. . . ABOUT THE AUTHORS ...... 50 . . THE NETHERLANDS CYBER READINESS AT A GLANCE

Country Population 16 .9 million

Population Growth 0 4%.

GDP at market prices (current $US) $750 .284 billion

GDP Growth 2%

Year Internet Introduced 1982

National Cyber Security Strategy 2011, 2013

Internet Domain .nl

Internet users per 100 users 93 .1

Fixed broadband subscriptions per 100 users 41 .7

Mobile cellular subscriptions per 100 users 124

Information and Communications Technology (ICT) Development and Connectivity Standing

International Telecommunications World Economic Forum’s Union (ITU) 8 11 Network Readiness Index (NRI) ICT Development Index (IDI)

Sources: World Bank (2015), ITU (2016), NRI (2016), and Internet Society.

1 INTRODUCTION riers, mobile operators, content providers, web Early instantiations of Internet services, includ- hosting and cloud coming email and a bulletin board system called panies, application pro- USENET, were first introduced in the Nether- viders, TV broadcasters, lands by the European UNIX network (EUnet) gaming companies, and in 1982.1 These first connections inspired sci- other related business- entists at the Centrum Wiskunde & Informatica es. AMS-IX has expand- (CWI)2 – the Netherlands’ national mathemat- ed to four, and soon five Netherlands Internet ics and computer science research institute – continents, and is cur- Penetration: 93.1% to accelerate Internet initiatives and create the rently the world’s largest first fiber network to operate on the Transmis- Internet exchange.3 sion Control Protocol/Internet Protocol (TCP- IP) in Europe. This first Internet infrastructure, Building on these historical foundations, and however, was not part of an overall govern- strengthened by some of the fastest and ment strategic plan for the Netherlands, rather strongest broadband connections in Europe, it was a bottoms-up initiative advanced by the Netherlands has become one of the most scientists who believed in the opportunity of technologically advanced and highly connect- the Internet. CWI and its parent organization ed countries in the world – it ranks among the – the Netherlands Organization for Scientific top 10 most connected countries globally. Research (NWO) – began to see the enormous It has an Internet penetration rate of over 93 potential of the Internet and cultivated this percent and more than 95 percent of house- nascent network, which ultimately led to the holds are connected to the Internet. Addition- establishment of NLnet. Despite the initial lack ally, the Netherlands is a frontrunner in online of Internet standards that originally hindered banking with more than 80 percent uptake, and global communications, the Netherlands es- its citizens and businesses represent the fourth tablished connectivity with the United States largest market for e-commerce in Europe.4 in November 1988 and later became one of The Netherlands’ information communications the key Internet gateways for all of Europe. technology (ICT) sector contributes to almost 5 percent of total Dutch gross domestic product Over the next decade, the Netherlands, like (GDP), and the country is one of the top 10 ex- many other countries, recognized that tele- porters of ICT goods and telecommunication communications liberalization was necessary services around the world (although the global to provide universal access at lower cost to share of export of Dutch ICT services has been consumers. The Netherlands also saw strate- decreasing in recent years).5 In 2015, it was esti- gic value in becoming the Internet gateway to mated that the Dutch broader digital economy Europe, and in the early 1990s, established the accounted for 22.9 percent or €158.01 billion Amsterdam Internet Exchange (AMS-IX) as a (~$172.2 billion) of the total Dutch economy, not-for-profit, neutral, and independent peer- and it is projected to reach 25 percent or €190.4 ing organization. Today, AMS-IX interconnects billion (~$207.5 billion) by 2020.6 more than 800 communication networks by offering professional peering services to Inter- The Netherlands, however, is not just an In- net Service Providers (ISPs), international car- ternet gateway to Europe. Rotterdam hosts

2 Europe’s largest port and the Amsterdam in turn “could result in a minimum 4 percent Schiphol Airport is one of the world’s busiest increase of EU GDP.”9 Following the objectives airports for both international passengers and set in this digital strategy, the Netherlands cargo. The government of the Netherlands un- sees its digital future through the lens of twin derstands the importance of these two other responsibilities: economic progress, under- gateways of commerce (i.e., Rotterdam and pinned by trust and resilience. Economic prog- Schiphol Airport) and is intensifying its industry ress is enabled by ICT uptake, innovation, and relationships to enhance their respective secu- infrastructure modernization, and embracing rity postures.7 As such, the Netherlands recog- the Internet of Things (IoT). Yet, to achieve its nizes that, despite its comparatively modest growth potential, Dutch infrastructure must size and population, as the country becomes become more resilient, and the Internet and more connected and its economic future be- the transactions that take place in and through comes more digitally dependent, it must also cyberspace must be secure and trusted. address cyber security and become a “safe place to do business.” The Dutch digital strategy acknowledged that the necessary prerequisites to benefit from Becoming “the” country to do business in is all possibilities ICT has to offer and “increase perhaps more important now than ever be- the competitiveness of the Netherlands” are: cause the Netherlands has the opportunity to (1) a safe, secure, and reliable ICT infrastruc- bridge the United Kingdom and Europe during ture; (2) “an open and accessible high-speed the United Kingdom’s transition with Europe, [Internet]” trusted by users; and (3) “a pop- as a result of Britain’s decision to exit the Euro- ulation with the digital skills needed to use pean Union (EU). The Netherlands has also the ICTs.” The document recognized the direct opportunity to position itself as a more polit- link between national security and economic ically stable country for conducting business well-being, and warned that “measures to ad- during a time of increased populist movements dress threats to the security and safety of the throughout Europe. Internet [were necessary to] prevent a lack of trust slowing the uptake of ICTs and thus act- The Netherlands established the foundations ing as a constraint on the pace of economic to realize these opportunities in its ambitious growth and innovation.”10 In July 2016, the 2011-2015 digital strategy – the “Digitale Dutch government submitted a report to the Agenda.” The digital strategy highlighted that Parliament indicating that many of the goals the country must “make smarter use of ICTs to and targets from the 2011 digital strategy had generate growth and prosperity, [and] boost been accomplished, and presented an updat- innovation and economic growth.”8 In line ed 2016-2017 Digital Agenda on “innovation, with the objectives set by the 2010 Europe- trust, and acceleration.” While the focus of the an Digital Agenda – one of the seven pillars previous digital strategy had been predomi- of the “Europe 2020 Strategy” – the Dutch nantly on the reinforcement of prerequisites digital strategy identified priorities and spe- for everybody to benefit from ICTs and on the cific actions to help foster wider use of ICTs, further digitization of the Dutch government enhance fast broadband connectivity, promote (i.e., e-governance services for citizens and a free and open Internet, and remove “barriers businesses), the 2016 updated version of the to international trade on the Internet,” which digital strategy included a comprehensive ap-

3 proach and a broader scope to further digitize of a National Cyber Security Center (NCSC) other sectors, such as healthcare and mobility.11 reporting to the NCTV to serve as a platform A new national digital strategy is expected to for private-public partnership. Finally, the be published in 2018 by the new government strategy advocated for the creation of a Dutch and increased funding is likely to be allocated Cyber Security Council to serve as a national for innovation and cyber security. and strategic advisory body. The strategy was put to the test when the country faced its first Yet, the Netherlands, like many other Europe- known cyber crisis. The incident occurred in an countries, faces high levels of cyber crime, June 2011 at DigiNotar – a Dutch certificate industrial espionage, disruption of critical ser- authority that issued cryptographic keys to vices, and other malicious cyber activities. In create digital (signed) certificates for “se- 2010, a study conducted by the Netherlands cure” communications, especially for domains Organisation for Applied Scientific Research owned by the Dutch government. DigiNotar’s (Nederlandse Organisatie voor Toegepast corporate network servers were successfully Natuurwetenschappelijk Onderzoek, TNO) es- breached and hackers gained administrative timated that the Netherlands lost at least €10 rights to its system, which resulted in the is- billion (~$11 billion) – or 1.5 to 2 percent of suing of fraudulent certificates that under- its national GDP – to cyber crime.12 (A similar mined the integrity, authenticity, and security estimate was published by Deloitte in April of the Dutch government’s communications.15 2016, highlighting that the Netherlands’ most DigiNotar’s fraudulent certificates were used relevant economic sectors had at least €10 in other nations as well, calling into question billion value-at-risk to cyber crime and mali- the veracity of two-factor authentication. This cious activities.)13 In response to the growing event not only raised awareness across the en- scope, volume, and sophistication of cyber tire Dutch government, but it affected citizens’ threats, the Dutch government stated its intent trust in conducting business over the Internet to protect the value of the Netherlands’ digital or sharing information with the government. investments and to preserve its national and Moreover, it accelerated the creation and op- economic security. In 2010, the Parliament of erationalization of the NCSC, which opened in the Netherlands requested the development January 2012. of a National Cyber (Defense) Strategy – re- ferred to as the Amendment Knops to create a Following the DigiNotar crisis, the Dutch gov- National Cyber Strategy. As a result, the Dutch ernment began revising its approach to cyber Ministry of Security and Justice coordinated security by embracing a risk-based approach a whole-of-government approach that result- based on balancing the protection of Dutch ed in the publication of the Netherlands’ first interests with the threats to those interests “National Cyber Security Strategy: Success and acceptable societal risks.16 It was modeled through Cooperation,” in February 2011.14 using an incident management principle that every Dutchman knows – water management This strategy appointed the Minister of Security and containing the sea. After the great flood and Justice as the lead for policy coordination, of 1953, the government launched the Delta to be executed by the office of the National Plan, which institutionalized a whole-of-nation Coordinator for Security and Counterterrorism approach and responsibility of every citizen to (NCTV). It also called for the establishment protect the Netherlands through a warning and

4 alert system to monitor water levels and contain between cyber security, economic and social the sea.17 In 2013, the Netherlands published growth, and freedom and privacy. This second its second strategy entitled, “National Cyber national cyber security strategy included a 38- Security Strategy 2: from Awareness to Capa- item action plan intended for completion by bility (NCSS2),” which expanded the country’s the end of 2016. view of cyber security beyond technology and isolated cyber incidents. The strategy tried to Subsequent to the DigiNotar crisis and con- harness that same sense of responsibility to- currently with the development of the NCSS2 ward water management for use with cyber strategy, the Dutch Ministry of Defense (MoD) security by advocating that every citizen has began to discuss publicly its role in cyber a responsibility to ensure the resilience of the defense and its plans to invest in the devel- country by preventing and containing threats opment of cyber warfare capabilities despite

Figure 1: “National Cyber Security Strategy (NCSS 2): from Awareness to Capability.”* coming over and through the Internet and budget cuts in other areas. Building upon the ensuring the viability, trust, and resilience of intentions already detailed in the 2012 Cyber the Internet as a platform for the free flow of Defense Strategy, the Netherlands reiterated goods, services, capital, and data across bor- its intentions to develop military operational ders. It was a 21st century Digital Delta Plan and offensive capabilities and announced the that is both inward and outward focused.18 creation of a dedicated Defense Cyber Com- It also established a triangular relationship mand within the Dutch MoD.19 The standing

* Image reprinted here with permission from the Dutch Ministry of Security and Justice.

5 up of this new Command led to the develop- managing the risks associated with its digital ment of robust capabilities based on the ob- agenda and strengthening the overall cyber jectives of early detection, active defense, and, resilience of the nation. if necessary, intervention.20 Moreover, the MoD recently established a dedicated Security Op- The Ministry of Security and Justice, and more eration Center, demonstrating its operational specifically the NCSC, have been challenged commitment to defending the MoD and the with mission integration. Currently, there are at Netherland’s economy in and through cyber- least 20 bodies with individual and collective space. In addition, the Dutch government has responsibilities for enhancing the cyber secu- been working to ensure that cyber security rity posture of the Netherlands, but no one is further prioritized within their intelligence agency has overarching authority to ensure the and security communities, as well as striving national cyber security architecture is achieved. to expand capabilities and provide additional Successful outcomes rest on the famous Dutch tools and authorities to investigate and com- polder model process of cooperation between bat advanced cyber attacks. The Netherlands the different ministries even when there may understands the importance to retain sufficient be differing views. As the cyber threat to the scope to carry out lawful, necessary, and pro- Netherlands continues to grow in scope, vol- portional cyber operations, and is still nego- ume, and sophistication, it will be essential to tiating two draft bills – one that would revise accelerate civil-military cooperation and per- the law governing intelligence and security haps more clearly identify responsibilities. services and another that would grant special powers to police and other investigative ser- Moreover, the Dutch government has put for- vices to remotely access suspects’ computers ward multiple plans and strategies, but often without a warrant. without allocating the necessary resources (e.g., money, materiel, and people) for the implemen- In 2015, Dutch Prime Minister Mark Rutte rec- tation of the initiatives that it deems important. ognized that the country was facing “a serious In fact, the Netherlands continues to spend less cyber security challenge” and encouraged than 0.01 percent of its GDP on cyber security – domestic and international partners, including considerably less (as a portion of national GDP) businesses, universities, and other govern- than other developed countries like the United ments “to work together … to make sure the States, United Kingdom, Australia, Germany, Internet remains free, open, and secure. … and France.22 Moreover, many organizations [in order to] protect our prosperity, our priva- in both the public and private sectors are still cy and our quality of life.”21 Yet, despite the struggling with how to replace complex and publication of two comprehensive national outdated legacy systems – upon which critical cyber security strategies, the development of a services depend – in a cost-effective way. And strong national cyber security architecture with many other organizations still lack a sufficient- military and intelligence services contributing ly qualified cyber security workforce to tackle to a whole-of-nation cyber defense, and pro- cyber threats. A shift in mind-set is needed, active efforts to shape cyber policy discussions from knowing the risks and opportunities af- in multiple international fora, the Netherlands forded by ICT innovations and Internet uptake is still grappling with how to best embrace ICT to managing those risks and investing in their technologies and IoT, while simultaneously security appropriately, so that the country can

6 continue to reap the benefits associated with while navigating its long-standing relationship the digital economy and reach the ambitious with the United Kingdom and maintaining a goals set forth in its strategies. broader leadership role in Europe.

The March 2017 national elections confirmed The Cyber Readiness Index (CRI) 2.0 meth- that four parties will be required to form a co- odology has been employed to evaluate the alition with a majority (76 seats). It is probable Netherlands’ current preparedness levels for that the incumbent Prime Minister Mark Rutte cyber risks.23 This analysis provides an action- will retain his position in the new government. able blueprint for the Netherlands to better While immigration, integration, and national understand its Internet-infrastructure depen- identity were the central issues in the electoral dencies and vulnerabilities and to assess the campaign, all four political parties of the form- country’s commitment and maturity in closing ing coalition recognized cyber security as an the gap between its current cyber security pos- important issue for national security and eco- ture and the national cyber capabilities needed nomic prosperity. The new government should to support its digital future. A full assessment provide the Netherlands with a renewed op- of the country’s cyber security-related efforts portunity to update the Dutch cyber security and capabilities based on the seven essential strategy and strengthen the overall cyber secu- elements of the CRI 2.0 (national strategy, rity capacity and resilience of the country. It will incident response, e-crime and law enforce- also test whether the Netherlands is prepared to ment, information sharing, investment in R&D, enhance its position as the gateway to Europe diplomacy and trade, and defense and crisis and become “the” country to do business in response) follows:

Na#onal Strategy

Defense & Crisis Response Incident Response

Cyber Ready

Netherlands

Diplomacy & Trade E-Crime & Law Enforcement

Cyber R&D Informa#on Sharing

The Netherlands Cyber Readiness Assessment (2017)

7 1. NATIONAL STRATEGY

In 2011, the Dutch government responded to the increasing number of device infections, The 1st Dutch National Cyber cyber crime cases, and distributed denial of Security Strategy was published service (DDoS) attacks by releasing its first “Na- in 2011 and the 2nd iteration tional Cyber Security Strategy: Success through was released in 2013. Cooperation.” The document acknowledged that a “safe and reliable ICT” was fundamental “for the prosperity and well-being” of Dutch society and should be a “catalyst for further sustainable economic growth.” The strategy also articulated the country’s ambitious goal of out a number of priorities, including reinforcing becoming the “Digital Gateway to Europe.”24 the country’s resilience against ICT disruptions and cyber attacks; developing a capacity for The 2011 strategy focused on bringing coher- rapid response; intensifying law enforcement ence and consistency into the various national capabilities; increasing cyber security aware- activities related to cyber security, clarifying the ness across society; and vigorously pursuing division of responsibilities among actors, and research, development, and education. advocating that any proposed measures taken toward ICT security be necessary and propor- Despite the long list of action lines, however, tionate.25 To achieve these goals, it laid out the strategy did not allocate dedicated funding five basic principles for the country to follow: for these initiatives in 2011. Indeed, it stated (1) linking and reinforcing existing initiatives that the activities described would “be dealt and avoiding duplication of efforts; (2) taking with within the existing budgets.”26 Some steps to strengthen private-public partnerships; institutions did re-allocate funds within their (3) promoting individual responsibility to secure existing budgets to provide for capabilities one’s own ICT systems and networks and pre- and personnel, and grow existing initiatives. vent security risks for others; (4) pursuing inter- Yet, additional progress remained difficult to national cooperation; and (5) striking a balance achieve given competing priorities and resourc- between self-regulation and legislation. It also es. Moreover, it was not until after the cyber called for the publication of annual national attack on DigiNotar and other highly publicized threat and risk analyses – known as Cyber Secu- cyber incidents27 that the government finally in- rity Assessment Netherlands (CSAN) to remain augurated the National Cyber Security Center abreast of current trends and challenges fac- (National Cyber Security Centrum, (NCSC)) in ing the country. Moreover, the strategy called January 2012 under the leadership of the Min- for the creation of a National Cyber Security istry of Security and Justice and the National Center to oversee the coordination of whole- Coordinator for Security and Counterterrorism of-nation initiatives and a Dutch Cyber Security (NCTV). The NCSC centralized cyber activities Council to serve as a national and strategic under one command and serves as a platform advisory body. The strategy’s action plan set for private-public partnership.

8 Some of the activities in the 2011 strategy, Building on the initiatives developed in the in particular the launch of the CSAN annual first national cyber security strategy, the Dutch reports and the establishment of the Dutch Ministry of Security and Justice published Cyber Security Council (Nederlandse Cyber the country’s second “National Cyber Securi- Security Raad, CSR), accelerated a strategic ty Strategy 2: from Awareness to Capability” understanding about cyber threats and vul- (NCSS 2) in 2013. The drafting process for nerabilities. These programs and advisors also this second strategy involved a number of highlighted that the Netherlands needed to different stakeholders, from the public and alter its approach and take on a stronger, more private sectors, academia, and civil society. deliberate leadership position with various ac- The new cyber security strategy clarified the tors, especially in the international arena.28 relationships between various stakeholders; encouraged private-public participation and The CSR became operational in June 2011 and international cooperation; asserted the gov- was tasked with providing strategic guidance ernment’s role in establishing the necessary to the Dutch Cabinet on cyber security mat- cyber security requirements, regulations, and ters and overseeing the implementation of the standards to protect and improve the security national cyber security strategy. This Council of ICT products and services; and adopted a is a unique private-public partnership com- risk-based approach based on balancing the prised of 18 members – seven from govern- protection of Dutch interests with the threats to ment, seven from industry, and four from the those interests and acceptable risks in society. scientific community.29 The CSR is co-chaired This new approach harnessed the same sense by the NCTV, who represents the government, of responsibility and risk awareness that made and the CEO of KPN – the Netherlands largest the 1953 Delta Plan effective and successful. telecommunications provider, who represents This strategy created a 21st century “Digital the private sector. The CSR is an independent Delta Plan,” advocating for individuals, busi- national and strategic advisory body responsi- nesses, and the government to have clear re- ble for providing guidance to the government sponsibilities in cyber security. In fact, citizens and private businesses on cyber threats and are expected to follow basic “cyber hygiene” cyber defenses. It does not have an operation- practices and take some responsibility for their al role. Rather, it advises the government on own cyber security; businesses are expected the implementation and development of the to uphold their duty of care towards their cli- national cyber security strategy; contributes to ents and offer more secure ICT products and the Dutch cyber security research agenda by services; and the government should facilitate highlighting future requirements for national these efforts by “raising awareness among research and development (R&D); and pro- citizens, businesses, and organizations” about motes cyber security awareness among senior cyber security, improving citizens’ digital skills, leaders in the private sector through a series of and increasing transparency about users’ data board room dialogues.30 collection and protection.

9 Moreover, the Dutch government declared an and social “opportunities offered by digiti- ambitious goal of further increasing its e-gov- zation to society,” and recognized that “due ernance services delivery and “enabling all to the increased complexity of, dependence citizens and businesses to digitally and safely on, and vulnerability of ICT-based products handle their affairs with the government by and services, the [country’s] digital resilience 2017.”31 Currently, the Netherlands ranks to these and other cyber threats [was still] seventh in the world and fourth in Europe for insufficient.”34 e-government development and online service delivery, falling short of its goals set to be achieved by 2017.32

The NCSS 2 reiterated the government’s The NCSS 2 Strategy recognized commitment to creating “a safe and secure that the Netherlands’ digital domain,” making the Netherlands digital resilience to cyber more “resilient to cyber attacks and [able to] threats was insufficient. protect its vital interests” in cyberspace, and strengthening and extending “alliances with public and private parties, both nationally and internationally.” It highlighted several activities to better combat the Netherlands’ cyber threat In addition, the NCSS 2 elevated the position environment and achieve the right balance be- of the NCSC to the “expert authority” for cyber tween security, freedom, and social-economic security in the Netherlands, responsible for benefits of cyber security. The underlying the digital security and cyber resilience of the fundamental principles in this strategy are: country, with a focus on central government (1) “responsibilities that apply in the physical and critical infrastructure processes. Its mission domain should also be taken in the digital do- was expanded to create “a safe, open, and sta- main,” and (2) “(self)regulation, transparency, ble information society” through three primary and knowledge development” should be at roles and divisions: (1) advising both public the base of every cyber security-related discus- and private entities, both on request and on its sion with the various stakeholders identified in own initiative, and shaping information security the strategy. It also showed a broader govern- policies and activities (Expertise and Advisory ment view of cyber security beyond an isolated Division); (2) serving as the central information technical problem and placed it in the context hub and center of cyber expertise for cyber of other foreign policy and economic issue security (Market Development and Partnership areas like human rights, Internet freedom, Division); and (3) providing operational coordi- privacy, economic growth and sustainable nation for major ICT crisis and cyber incidents development, and innovation.33 The strategy response measures for the Dutch government acknowledged the interconnections between and critical infrastructures (Monitoring and Re- “having a secure digital domain” and being sponse Division).35 able to take full advantage of the economic

10 Figure 2: Organizational Chart of the Netherlands National Cyber Security Center.

Organizationally, and in terms of mandate, the the responsibility nor the mandate to direct NCSC is a division of the Cyber Security Direc- the activities of other Ministries, such as the torate (DCS) and sits under the authority of the Ministry of Economics or the Ministry of For- National Coordinator for Security and Counter- eign Affairs. The NCSS 2 identified at least 20 terrorism (NCTV) of the Ministry of Security and bodies with individual and collective responsi- Justice. The Director of Cyber Security is also bilities for achieving the cyber security objec- the deputy National Coordinator for Security tives outlined in the document. On the gov- and Counterterrorism.36 ernment side, these include the Dutch Ministry of Security and Justice that is responsible for Yet, responsibility for cyber security does not coordinating interdepartmental cyber security solely rest with the Ministry of Security and Jus- between various civilian and military units that tice. This ministry and the NCSC oversee most have cyber responsibilities; the Ministries of of the cyber security-related initiatives occur- Interior and Kingdom Relations; Economic Af- ring in the Netherlands but, given the decen- fairs; Defense; Foreign Affairs; and Education, tralized form of government, they do not have Culture and Science; and other governmental

11 agencies like the National Police Service, and The annex to NCSS 2 contained a detailed the Intelligence and Security Services. On the 2014-2016 action plan (programme) to achieve private sector side, the bulk of responsibilities the strategic goals and long-term ambitions set defined in the NCSS 2 falls on the financial ser- forth in the strategy. The action plan itemized vices and telecommunications sectors, and to specific measures to be taken by established providers of other critical services. Academia is timelines and identified entities responsible for also involved via the Netherlands Organisation ensuring successful completion by said dates. for Scientific Research (Nederlandse Organisa- However, even this second national cyber tie voor Wetenschappelijk Onderzoek, NWO) security strategy did not pledge any specific – an independent research council under the funds to support all the initiatives and mea- auspices of the Ministry of Education, Culture sures discussed. Instead, it stated that “the and Science – and through government financ- government [would] implement the broader ing of independent research organizations strategy through participation, reprioritisation, such as the Netherlands Organisation for Ap- smart coalitions and an integrated approach” plied Scientific Research (Nederlandse Organ- with all parties involved, and that the activi- isatie voor Toegepast Natuurwetenschappelijk ties described would have to fall within “the Onderzoek, TNO). When there are this many scope of regular departmental budgets and actors working various aspects of the cyber the partners’ budgets.” Thus, it concluded mission space, it becomes critical to establish “the details regarding the implementation of a whole-of-government strategy and coordina- the actions stated in the annexes” could only tion mechanism to ensure harmony of efforts. be decided “in consultation and/or coopera-

Figure 3: Organizational Chart of the Netherlands’ Cyber Security National Architecture.

12 tion with private parties and the government nesses to invest 10 percent of their annual ICT bodies involved.”37 The distributed nature of budget for specific cyber security measures.40 the execution of the NCSS 2 objectives combined with inefficient funding mechanisms While cyber security investments are not re- can undermine the intended outcomes of the ceiving adequate funding, it is clear that the strategy. The Dutch government has stated Dutch are investing in the ICT capacity of the that cyber security is a priority, yet it is not country. Nearly 1 percent of Dutch GDP or funding the programs or institutions chartered over €23 billion (~$25 billion) are invested with the execution of those initiatives as if they by the government and private sector on ICT were strategically important to the economic infrastructure. The Dutch 2011-2015 digital well-being or national security of the country. strategy (“Digitale Agenda”) committed additional funding to the modernization of the In fact, in 2015, of the publicly announced bud- country’s ICT infrastructure and echoed similar gets,38 the Dutch government only invested elements of the 2011 and 2013 national cyber €28 million (~$30.5 million) or 0.004 percent security strategies by recognizing the impor- of its GDP in cyber security for civilian, military, tance of ICT for economic growth while also and law enforcement agencies. That year, the acknowledging the need for increased security NCSC received funding of €2.7 million (~$2.9 in cyberspace. In this document, the Dutch million) – increased to €12.4 million (~$13.5 government reaffirmed its intention to use ICTs million) in 2016 – for the forward deployment to increase economic growth and prosperity, of a national detection network. While the total and reiterated that having an open, reliable, defense budget is classified, the Dutch Min- safe, and secure ICT infrastructure, and suffi- istry of Defense received an allocation of €5 cient ICT knowledge and expertise were the million (~$5.4 million) – increased to €9 million necessary preconditions to achieve its goals. In (~$9.8 million) in 2016. The Dutch National order to increase ICT security and resilience, Police received €13.8 million (~$15 million) to nationally and internationally, both the digital combat cyber crime and strengthen its security strategy and the national cyber security strate- capabilities. Finally, the same year the Dutch gy mention the need for a comprehensive and government made a one-off investment of multi-stakeholder approach to building a safe, €6.5 million (~$7.1 million) to organize the 4th secure, free, and peaceful cyberspace. Global Conference on Cyberspace (in addition to the €2 million spent in 2014).39 All remaining Moreover, the digital strategy emphasized cyber security initiatives within the Netherlands that ICT trust is essential for digital commu- depended on off-sets from existing programs. nication, e-commerce, and the achievement At the end of the 2016 cyber security aware- of Europe’s Digital Single Market. The Dutch ness week “Alert Online,” Herna Verhagen, government acknowledged that citizens and CEO of PostNL, presented an advisory report businesses’ concerns about the security and (“Digitaal Droge Voeten”) at the request of the reliability of ICTs and doubts about the protec- CSR to Prime Minister Mark Rutte in which she tion of personal data might hamper expansion urged the Dutch government as well as busi- of e-commerce and e-governance, and stated

13 that “greater public confidence in ICT could ception. Today, the NCSC is the main body re- generate more than €1 billion (~$1.1 billion) in sponsible for cyber incident response manage- additional turnover from online trade.”41 ment and coordination for Dutch government institutions as well as for operators of critical However, despite these strategies’ close align- infrastructure (vital operators or categories of ment, there continues to be a mismatch be- vital operators of products and services whose tween the government’s current cyber security availability and reliability are of critical impor- spending and the necessary financial and hu- tance to the Dutch society). In this capacity, the man resources needed to strengthen the secu- NCSC incorporated the Computer Emergency rity and resilience of the country in the face of Response Team’s (CERT) functions of the su- emerging ICT threats related to increasing dig- perseded GOVCERT.NL.43 itization of critical services across the nation’s economy. The Dutch government has been The Netherlands’ national cyber incident re- reviewing its national cyber security strategy sponse plan (National Crisis Plan – ICT) is a for the past year and is expected to publish subset of the Manual of Decision-making in an updated version by 2018.42 Also, the publi- Crisis Situation, and has been recently up- cation of a new national digital strategy is ex- dated in March, 2017. The Manual provides pected by 2018 once the new government is in a reference guide and generic procedures for place. In addition to persistent challenges with all kinds of crisis situations including “large- funding and devising an effective execution scale cyber crises.”44 These plans are tested plan, it also remains to be seen whether the both during smaller exercises involving parts new government will be able to put forward a of the national crisis management structure more balanced approach that aligns the coun- and at the national level every two years. In try’s national economic visions with its national the event of a major ICT disruption or cyber security priorities in an increasingly intercon- crisis, the NCSC would use its decentralized nected and conflict-prone geopolitical system. structure to respond and, if required, set up ad-hoc partnerships with other institutions and 2. INCIDENT RESPONSE

As the national cyber security authority for the Netherlands, the NCSC shapes information security policies and activities through The National Cyber Security whole-of-government and whole-of-society Centre is responsible for prevention, detection, mitigation, and cyber incident response response, and serves as the central national management and coordination, cyber incident reporting office. and is the central national The NCSC became operational in January incident reporting office. 2012 and has been devoted to private-public partnerships in several capacities since its in-

14 private partners based on the type and severity an essential role in the national crisis response (e.g., duration, geographic spread, number of structure of the country. people/businesses affected) of the incident, sector(s) affected, and economic, physical, or In July 2015, the National Coordinator for societal impacts.45 The Ministry of Security and Security and Counterterrorism conducted a Justice’s Director of Cyber Security within the “Review of Policy on Critical Infrastructure.” In National Coordinator for Security and Coun- that review, the government defined critical in- terterrorism (NCTV) is the primary civil servant frastructure “as a set of products, services, and responsible for coordinating incident response underlying processes that is necessary for the activities46 and managing the crisis organiza- functioning of the country [and that] must be tion within the national crisis structure. In June secure and able to withstand and rapidly recov- 2015, the NCTV conducted a national level er from all hazards... The loss or compromise exercise to test the cyber preparedness of the of critical infrastructure affects national security Netherlands – operation ISIDOOR convened and causes detrimental impact.”50 As a result 30 public and private partners and featured a of this review, the Netherlands has updated number of simulated cyber incidents, including and conducted a more rigorous approach to data leaks and system vulnerabilities. The gov- critical infrastructure protection. This includes ernment worked with these public and private a stronger focus on the impact of criticality and parties in determining the appropriate opera- level of disruption of critical processes within tional response to each incident.47 key sectors, as well as a classification of critical infrastructure in two categories, A and B, based The Department for Cyber Security handles on the degree of criticality/impact of potential crises at strategic and tactical level, and the disruptions, to prioritize them more effectively NCSC offers incident response and operation- during incidents and to customize solutions for al coordination, in addition to its “advising resilience-enhancing measures. For example, and informing role towards the crisis deci- CATEGORY A includes infrastructure in which sion-making structure.”48 If multiple ministries disruption, damage, or failure would cause are involved in tackling a cyber incident, the approximately €50 billion (~$54.5 billion) in national crisis structure is evoked. The NCSC damage; or more than 10,000 dead, seriously would also activate the ICT Response Board injured, or chronically ill; or more than one mil- (IRB). The IRB is a private-public partnership lion afflicted by emotional problems or serious between government agencies and critical problems with basic survival; or cause disrup- sectors that was established in 2010. It serves tion or breakdown of at least two other critical as an advisory board for the national crisis sectors. A CATEGORY B infrastructure is one management structure and is charged with an- in which disruption, damage, or failure would alyzing the situation and providing recommen- cause approximately €5 billion (~$5.4 billion) dations to national crisis management bodies in damage; or more than 1,000 dead, injured, and affected parties on mitigation strategies.49 or chronically ill; or more than 100,000 people For instance, the IRB was activated during the afflicted by emotional problems or serious 2011 DigiNotar incident, and continues to play problems with basic survival.51 The planning

15 process identified 10 critical sectors under the As stated earlier, national-level cyber security authority of five different Ministries. exercises are performed every two years and include both private and public entities. In In May 2016, an international exercise was addition to the internal planning exercises conducted to help stress test the cross-border and incident response preparation, the Neth- dependency of electric utility availability. An erlands regularly participates in multi-national energy shortage – whether caused by a pow- exercises organized by the EU (e.g., Cyber er outage or other means – can have national Europe exercise), NATO (e.g., Cyber Coalition and international economic and social impacts. and Cyber Atlantic exercises), the European Accordingly, the National Coordinator for Se- Defense Agency (EDA), and the European Net- curity and Counterterrorism organized, with work and Information Security Agency (ENISA), funding for the Internal Security Fund (ISF) and the US Department of Homeland Security of the European Commission, the exercise (e.g., Cyber Storm), with the goal of strength- “VITEX 2016” to help raise awareness and test ening cyber incident response capacity among crisis management procedures of government states and improving international prepared- bodies and transport system operators across ness levels.54 the EU during circumstances of low or no pro- duction capacity of electric power utilities. The In addition to its cyber incident coordination exercise reinforced the importance of cooper- function, the NCSC issues threat alerts and ation between EU member states in protecting warnings on malware and security vulnerabil- critical infrastructures.52 ities in ICT products and services, distributes information to both concerned parties and the Building upon the review of critical infrastruc- general public, and recommends countermea- tures and understanding possible thresholds sures. The NCSC has also developed various for disruption, damage, and death, through applications to monitor large number of infor- exercises like VITEX 2016, the Dutch govern- mation sources such as websites, social media, ment realized that it needed to continue to and notifications by trusted partners, as well as plan and develop crisis scenarios. Exercises, a network of sensors and honeypots to moni- war gaming, and crisis planning mechanisms tor network traffic and analyze Internet-based help create institutional capacity to perform threats and their attack vectors. For example, incident response effectively. They also require the “Taranis” application (an open-source substantial planning and resources. In 2016, the software used by several other CERTs) is used Dutch government developed four hypotheti- internally to collect, analyze, and publish warn- cal scenarios to guide it through the planning ings about ICT vulnerabilities, while the “Beita” and development of institutional capabilities program consists of a number of honeypots and response mechanisms.53 Those scenarios and a network of sensors installed at govern- are being used to inform the development of ment organizations used to monitor automatic the new national cyber security strategy. Internet attacks on those organizations.55

16 Building on its detection capability and its launched a website (internet.nl) to enable triage role during cyber crises, the NCSC is users to check whether their Internet con- developing additional capabilities to improve nection, e-mail, or web server complies with awareness, resilience, detection, alerting, modern secure Internet standards, including reporting, and crisis management. In 2015, IPv6 (sustainable reachability), HT TPS (secure the NCSC in cooperation with the General website connections), DNSSEC (authentic do- Intelligence and Security Service (Algemene main information), DomainKeys Identified Mail de Inlichtingen- en Veiligheidsdienst, AIVD) (DKIM), a Sender Protection Framework (SPF), and the Military Intelligence and Security and a Domain-based Message Authentication Services (Militaire Inlichtingen en Veiligheids- Reporting and Conformance (DMARC) (to help dienst, MIVD) set up a National Detection Net- mitigate e-mail spoofing), and START-TLS and work (NDN) as a pilot program for the central DANE (to help mitigate e-mail eavesdrop- government and other vital sectors to provide ping).58 This website tests servers for the con- real-time analysis and sharing of cyber threat nection security of both web and e-mail traffic, information in order to prevent their cascad- and indicates the extent to which it satisfies ing effects. This network of sensors installed in the “comply or explain” list on the Dutch Stan- different organizations monitors indicators of dardization Forum.59 Moreover, the website has compromise for advanced persistent threats proved to be an effective means to help parties (APTs). The pilot program received positive improve their use of secure Internet standards, feedback, and was further extended in 2016 as and over 50 percent of the websites that were a standard managed security service offered by tested by visitors of internet.nl have improved the NCSC. Currently, approximately 30 central their security scores in the past year.60 government organizations have been attached to this network. Once fully operational, the Government entities are required to choose NDN will connect 250 organizations.56 from the open standards in the “comply or explain” list when investing in ICT systems. This In line with the objectives set in the 2013 national cyber security strategy – making the Netherlands a “safe place to do business,” increasing e-governance services delivery, and enabling all “citizens and businesses to digital- The Dutch government is ly and safely handle their affairs with the gov- promoting open standards 57 ernment” – the Dutch government has taken and implementing a form several steps to become more digitally secure and allow most government transactions with of soft regulation – a citizens and businesses to be conducted elec- “comply or explain” list – to tronically. For instance, the Internet Standards encourage quick adoption. Platform – a collaboration between the Dutch Government and the Internet community –

17 is a form of soft regulation, which means that standards, (e.g., the “Protect domain names the rules that apply to implementing these se- from phishing” and “Secure the communi- curity standards are not strongly enforced and, cations of mail servers” factsheets).61 The aside from reputation risk, there is no penalty Dutch government is also working with private for non-compliance. Moreover, all government sector partners to provide organizations with agencies are required to comply with the Inter- criteria and standards for basic cyber security national Organization for Standardization (ISO) and to help them better protect and improve and the International Electrotechnical Commis- the security of ICT products and services. For sion (IEC) “27001: Information Security Man- example, an increased number of .nl-domains agement System” standards and with some and central government’s websites in recent government specific measures contained in years have adopted DNS Security Extensions the Dutch Baseline Information Security for the (DNSSec) – a protocol for checking whether a National government (Baseline Informatiebe- domain name refers to the correct IP address veiliging Rijksoverheid, BIR), which are based – which adds extra authenticity and integrity on the ISO/IEC “27002: Information Security monitoring capability. While the Dutch govern- [Controls]” standards. State and local agencies ment has yet to provide vendors of software must comply with the measures contained in and digital services with real incentives to in- the Baseline Information Security for Local crease the security of their products, or impose Government (Baseline Informatiebeveiliging legally required minimum product liability, the Nederlandse Gemeenten, BIG). CSR has recently issued a guidance document for businesses addressing these matters.62 In 2016, the National Council for Digital Gov- There are also questions on whether EU-wide ernment agreed to include additional security regulations would be more appropriate in the standards like the ones promoted by the In- long run to help balance between Dutch eco- ternet Standards Platform to the “comply or nomic growth and security. explain” list. These requirements are intended to help authenticate senders of e-mails, ensure In order to better interact with citizens and integrity and confidentiality of e-mail traffic, businesses in an increasingly digital, secure, and combat spam and phishing. The Nation- and standardized manner, the Dutch govern- al Council for Digital Government would like ment has also expanded its eID scheme – a all government organizations to adopt these standard online identification system to se- standards by 2018. The monitoring by the curely access e-government services – and set Standardization Forum shows clear adoption up a personalized environment (MijnOverheid. growth, although it still is a challenge for the nl) to allow citizens to receive correspondence government to meet the goal set by the Na- from government agencies such as the Tax tional Council for Digital Government. and Customs Administration, electronically. An increasing number of government agencies, In addition to the “comply or explain” list, the muni cipalities, and pension funds are now us- NCSC regularly publishes guidelines and other ing this Digital Message Box to send messages factsheets for many industry-specific security to their constituencies. The ultimate goal of the

18 new eID system will be both to allow citizens of global cyber threats.66 While this is a good and businesses to select a preferred authen- example of joint work between the govern- tication solution to access digital government ment and other stakeholders and is highly val- services, and to avoid a single point of failure. ued by all partners, the CSAN reports do not Within this digital identity framework, there will appear to fulfill all the initial intentions set in be several authentication solutions available, the first NCSS – to provide an annual detailed such as DigiD (public sector), iDIN (banks), and and quantitative analysis of cyber threats faced Idensys (commercial). All these solutions would by the government, critical infrastructure, and apply with a strict set of common requirements critical commercial services networks in the if they want to be used in the public sector. Netherlands. Instead, the CSAN reports offer a qualitative overview of international cyber To counter the adverse effects of DDoS at- risks and threats and global cyber security tacks, different stakeholders and ICT providers trends and incidents, and some updates on launched two other initiatives in recent years: cyber security-related initiatives implemented the Trusted Networks Initiative (TNI), which outside the country. never became operational, and the Dutch Continuity Board (DCB) – a collaboration of In an effort to begin quantifying the costs of ISPs that also incorporated members of the cyber insecurity, a new and additional Cyber former TNI project.63 The aim of this initiative Security Risk Assessment (CSRA), submitted is to limit the impact of DDoS attacks on Dutch in July 2016 by the Dutch Central Planning critical infrastructure and make disrupted ser- Bureau for Economic Policy Analysis and the vices available again to Dutch users as soon as NCSC to the Dutch Parliament, attempted to possible. The DCB has been operational since provide an economic analysis of cyber threats the end of 2016 and offers participating parties faced by the country, “with a focus on market the possibilities to separate the communica- failure limiting cyber security and the ensuing tion between members from all other Internet risks to [Dutch] businesses and consumers.”67 traffic in the event of a large DDoS 64 attack. Another initiative launched in 2014 to handle The Netherlands is building capacity for in- large scale Internet attacks on specific targets cident response and has taken a number of – known as the NaWas initiative – has been positive steps to identify critical sectors and effective in thwarting DDoS attacks during the exercise crisis response mechanisms. Rais- recent national elections.65 ing awareness regarding the threats that are aimed at and succeeding against Dutch critical Finally, the NCSC regularly publishes cyber infrastructure and services is essential toward security-related white papers, factsheets, strengthening the country’s resilience. Mea- guidelines, and reports, such as the annu- suring the true costs of cyber insecurity in the al Cyber Security Assessments Netherlands Netherlands would also help industry prioritize (CSAN), which are drawn up in cooperation their investments and provide government with other institutions and private partners, leaders with powerful information to advo- and include cyber incident data and analyses cate for the appropriate resources needed to

19 meet an overarching national goal: to drive 2015-2018 tasked the Ministry of Security and economic progress underpinned by trust and Justice with reinforcing international efforts to resilience, while becoming “the” country to do counter cyber crime and harmonizing the ac- business in. tivities of the Dutch National Police and their national partners with other departments. 3. E-CRIME AND LAW ENFORCEMENT Domestically, the Dutch parliament is consider- ing two new laws that would expand the capa- The Netherlands has demonstrated interna- bilities of the intelligence and security commu- tional commitment to protect society against nities, and provide them with additional tools cyber crime by signing (2001) and ratifying and authorities to investigate and combat (2006) the Council of Europe Convention on advanced cyber attacks. The Data Processing Cybercrime (commonly known as the Budapest and Compulsory Reporting Cyber Security Convention), as well as by working domes- Act (Wet Gegevensverwerking en Meldplicht tically to enforce it and pass additional cyber Cybersecurity) would increase the police’s au- crime and data protection laws (e.g., Electronic thority to detect serious cyber crimes and com- Signatures Act, Personal Data Protection Act, pel key organizations to report cyber intrusions and Computer Crime Act of 2014). to the NCSC. This legislation also strengthens the legal basis of the NCSC.68 The new Com- In its 2013 national cyber security strategy puter Crime Act III (Wet Computercriminaliteit (NCSS 2), the Dutch government recognized III) would grant special powers to police and the need to make efficient use of limited re- other investigative services to remotely infil- sources to tackle cyber crime and reaffirmed trate – or hack – the computers of suspects its commitment to work toward international under certain conditions, if a crime is commit- harmonization in criminal law based on the Bu- ted. After significant criticisms that this law af- dapest Convention. In order to promote these forded broader powers to the police to exploit efforts, the Netherlands actively participates software vulnerabilities, an amendment was in various international meetings and related added requiring the police to responsibly and activities aimed at countering cyber crime immediately disclose any software vulnerability activities, enhancing effectiveness of strate- discovered, including zero day vulnerabilities, gies against cyber crime, and strengthening to the software developers. If the police want international partnerships. The NCSC and the to keep the vulnerability discovered a secret, Dutch National Police actively work with Eu- a court must give its consent and conduct an ropol’s European Cyber Crime Centre (EC3), “independent review” to make sure that the Interpol, the Council of Europe’ Committee interests of the police investigation are not of Contracting States, the EU policy cycle to unnecessarily placed above the safety of the tackle organized crime, the Organisation for software.69 Both laws have already passed in Security and Co-operation in Europe (OSCE), the House of Representatives, but have yet to and the UN Office on Drugs and Crime (UNO- pass in the Senate. DC). Moreover, the Cabinet’s Security Agenda

20 While data breach notification requirements obligation under the new Data Processing and still vary among European countries, the Dutch Compulsory Reporting Cyber Security Act ap- government has already adopted most of the plies specifically to organizations engaged in prescriptions contained in the 1995 EU Data critical infrastructure, and requires notifications Protection Directive and in the 2016 EU Net- of cyber incidents to the NCSC. work and Information Security (NIS) Directive and 2016 EU General Data Protection Regula- In terms of law enforcement capabilities, tion (GDPR), aimed at improving cyber security the Netherlands has established a mature capabilities and cooperation across Europe. institutional ability to address different el- For example, the Netherlands has already ements of cyber crime, and has made established a Data Protection Authority (DPA, several efforts to thwart cyber crimes do- former Data Protection “college”) to ensure mestically and internationally and bring compliance with laws that regulate the use of criminals to justice. The Ministry of Security personal data and has recently strengthened and Justice is responsible for combating cyber its powers. In January 2016, an extension to crime, but the Dutch National Police and the the Dutch Data Protection Act came into force, Public Prosecution Service (OM) are the main which makes data breach reporting mandato- law enforcement entities responsible for cyber ry. The new law requires all organizations in crime prevention, investigation, and prose- the Netherlands to report incidents involving cution. In recent years, they have detected, possible breaches of personal data to the arrested, and convicted a growing number Dutch DPA within 72 hours from discovery – as of people for cyber-related crimes, including mandated by the GDPR. The Dutch DPA can wire fraud, money laundering, ransomware at- initiate investigations and, where appropriate, tacks, phishing scams, swatting activities, using impose fines up to €820,000 (~$893,510) or banking malware to extort money, and launch- 10 percent of yearly revenue for violation of ing DDoS attacks.72 In addition, the Dutch certain provisions in the law.70 While thousands of reports were submitted by Dutch organizations to the DPA within a few months of passing this new law, many other organizations may still be reluctant to report incidents if they believe that the expected damages to their The Dutch National Police reputation outweigh the possible DPA fines for and the Public Prosecution failing to report them.71 Moreover, the ability Service are responsible for to fine organizations for violating this law may cyber crime prevention, be particularly troublesome for companies that investigation, and prosecution. transfer data to the United States following the invalidation of the Safe Harbor regime in 2014 and the subsequent controversy over Privacy Shield. Another data breach reporting

21 National High Tech Crime Unit (NHTCU) – a for more than 95 percent of all Internet con- team within the Dutch National Police Agency nections in the Netherlands and more than 75 dedicated to investigating advanced forms of percent of all “.nl” domain registrations. Via cyber crime – tackles cases classified as “high this platform, a large number of national and tech crime” involving forms of crime that are international sources (“reliable notifiers”) can “organized, target computer systems, and use feed information on security risks, botnet infec- sophisticated new technology or methods.”73 tions, and other Internet abuses directly into The NHTCU cooperates with international the automated incident response processes of counterparts to fight transnational cyber crime, member ISPs, who can subsequently work with and launched “the Dutch Electronic Crimes their customers on swift, targeted actions to Task Force, a new cooperation with financial clean up their machines. Similarly to the Euro- and other [private sector organizations] to pean Advanced Cyber Defence Centre (ACDC) institutionalize private-public partnership as project – a non-profit initiative funded by the a means to actively combat certain types of European Commission to improve the preven- cyber crime.”74 Additional law enforcement tion, detection, and mitigation of botnets by specialists are also being trained to investigate offering an infrastructure of interconnected online child pornography, selling of counter- support centers across Europe linked to a cen- feit or stolen merchandise online, and radical tral clearinghouse, the AbuseHUB initiative has Internet postings.75 As of 2015, the Dutch proven quite successful at mitigating botnets government had allocated €13.8 million (~$15 and lowering infection levels, and is highly val- million) to its National Police to combat cyber ued within the community.77 crime and strengthen its security capacity for multiple years. The Dutch government has also launched a “Netherlands Clean” project to raise the aware- Recognizing that cyber crime can increase as ness of hosting providers about malicious ac- high-speed Internet becomes more available tivities carried out by some of their customers and as more connected devices become ave- on their infrastructure and to encourage them nues for infection and exploitation, in 2013 the to clean-up their infrastructure. For example, Dutch Ministry of Economic Affairs, in collabo- the Netherlands is home to a large percentage ration with various ISPs, co-founded the Abuse of malicious command-and-control domains information Exchange (AbuseHUB) initiative hosted within the EU. The Netherlands also – a clearinghouse for collecting, analyzing, hosts a large percentage of the onion router and correlating information on botnet infec- (TOR) networks that enable anonymous com- tions and other Internet abuse.76 Members of munications often associated with illicit and il- AbuseHUB include the main ISPs in the Neth- legal activities.78 These types of measurements erlands, hosting providers, SIDN (the registry used to assess the “badness” of different Dutch for the “.nl” top-level domain), and SurfNet hosting providers are based on public and pri- (the national research and education network vate information. Sources of data and threat operator), which are collectively responsible intelligence are emerging everywhere, and the

22 government has strong partnerships with the 4. INFORMATION SHARING Internet Hotline against Child Pornography and the National Centre for International Legal As stated in the 2013 national cyber security Assistance (LIRC), the Dutch Public Prosecu- strategy, the Dutch National Cyber Secu- tion Office, and the Authority for Consumers & rity Centre (NCSC) is responsible for both Markets (ACM). The police have even confront- incident response coordination and infor- ed some of the top “bad” hosting providers to mation sharing. The NCSC acts as the cen- point out how they may be facilitating cyber ter point of information flow between the crime and to offer measures to take against it.79 government and private industry, manages threat information to develop new strategies The Netherlands is also working to increase its and tactics discussed with stakeholders, and capacity and has joined various law enforcement responds to reported cyber incidents.80 cyber training programs, such as the Council of Europe’s “Cybercrime@Octopus,” launched in 2014, to assist countries in implementing the Budapest Convention and strengthening data protection and rule of law safeguards. Among The Dutch National Cyber other activities, the program includes courses Security Centre is responsible for judges and law enforcement agents on cyber crime and electronic evidence. There are for both incident response also a few other domestic programs to educate coordination and whole-of- police officers, but it is unclear whether there society information sharing. are sufficient initiatives to train prosecutors, lawyers, and other investigators.

While the Netherlands is already the European center for criminal justice and capabilities to The NCSC facilitates several Information Shar- fight cyber crime, and is the home to one of ing Analysis Centers (ISACs), divided by sector, the world’s largest Internet exchanges, there is that share sector-specific threat information. still further progress to be made to successfully Shared information includes, but is not limited implement all its ambitions in this important to weaknesses and vulnerabilities of ICT-based area. The Netherlands has a tremendous op- products and services, forms of cyber attacks, portunity to pair its vision and ambitions with profiles of perpetrators, and so forth. The the capabilities that reside within the country in various sectorial ISACs are led by members order to reduce cyber crime and accelerate in- of each sector and include an Energy ISAC, novation and trust in the digital economy. The Financial ISAC, Drinking Water ISAC, Health end of 2017 will indicate to what extent the ISAC, etc. Several other liaisons between the new Dutch government will commit to work NCSC and partner organizations, both in the toward these initiatives. public and private sector, meet on a weekly ba-

23 sis to discuss and share cyber security-related guidelines “facilitate responsible reporting information. NCSC also promotes cyber se- and handling of vulnerabilities” and “help or- curity awareness and education, nationwide. ganizations draft their own responsible disclo- Other relevant cyber security and information sure policies.”84 During the Dutch Presidency sharing private-public partnerships include the of the European Union in the first semester Platform on Information Society (ECP)81 – a of 2016, the CIO-Platform Nederland and Ra- platform for promoting the safe use of ICTs in bobank initiated a mechanism of cooperation the Netherlands – and the National Continuity for coordinated vulnerability disclosure. This Forum (NCO-T) – a partnership between the process is important because more and more Dutch government and suppliers of telecom- commercial products are being targeted, ex- munication networks. ploited, and harnessed for illegal and illicit activities. This effort led to the development Moreover, the Netherlands participates in vari- and adoption of a “Coordinated Vulnerability ous intra-state and inter-agency partnerships to Disclosure Manifesto,” which recognizes the foster information sharing, such as the NATO’s importance of engaging researchers and the malware information sharing platform (MISP), hacker community in reporting vulnerabilities the EU’s initiatives to improve threat data ex- to the owner of the information system, allow- change among CERTs, the International Watch ing organizations the opportunity to diagnose and Warning Network (IWWN), the Forum for and fix vulnerabilities in an early stage. Since Incident Response and Security Teams (FIRST), its publication in May 2016, the manifesto the Task Force on Computer Security Incident has been signed by over 30 multi-national Response Teams (TF-CSIRT), and the National companies in the transportation, healthcare, Cyber Forensics and Training Alliance (NCFTA) energy, banking, and technology sectors. It – a US non-profit corporation with a mission to has also been embraced by the Global Forum facilitate collaboration among private industry, on Cyber Expertise’s initiative on Responsible academia, and law enforcement to identify, Disclosure as a global best practice.85 mitigate, and neutralize complex cyber-related threats.82 It has also signed a memorandum of Building on the responsible disclosure initia- understanding with neighboring countries Bel- tive, KPN in partnership with the NCTV began gium and Luxemburg, which include cyber se- to inventory ICT vulnerabilities. The reported curity cooperation and expertise-sharing on the vulnerabilities are provided with proposed development of private-public partnerships. solutions, so the amount of time that these vulnerabilities can cause harm is significantly The Dutch government considers responsible reduced. 86 Additionally, the industry alliance disclosure as “an important step toward en- that represents the voice of business in the hancing the security of information systems, Netherlands – the Confederation of Neth- software, and other ICT products.”83 A set of erlands Industry and Employers (known as responsible disclosure guidelines have been VNO-NCW)87 – launched an initiative with the developed by the Ministry of Security and Ministry of Economics to spread knowledge Justice in collaboration with industry victims on security threats and solutions within and and ICT software/hardware developers. These across sectors.

24 The volume, scope, sophistication, and veloc- Agenda (NWA) as well as the EU’s Horizon ity of cyber threats to the Netherlands have 2020 strategy. The characteristics of the Top the potential to cause even more harm as the Sectors include a high labor productivity, ex- country becomes more digitally dependent port orientation, large size of R&D spending, and adopts inherently vulnerable ICTs into its and increased focus on solving social chal- core businesses and critical services. There are lenges. The Netherlands has identified nine a number of different paths being explored innovative Top Sectors in which it is a world to share information using the NCSC, ISACs, leader and is using specific policies to main- sector specific leads, and even industry asso- tain its premier status in the following key ciations. The urge to increase resilience, re- sectors: (1) agriculture and food; (2) chemis- duce the attack surface, and create a climate try; (3) creative industries; (4) energy; (5) high for businesses to thrive are all essential first tech systems and materials; (6) life sciences steps. The NCSC is an excellent platform to and health; (7) logistics; (8) horticulture and facilitate information sharing. However, it is source materials; and (9) water.88 The nine sec- unclear whether the necessary incentives are in tors are jointly responsible for 90 percent of place to accelerate the timely and actionable the (private) R&D expenditure in the country. exchange of data. The Netherlands’ two key commercial ports (the Schiphol Airport and In the Top Sector Policy, ICT is considered a the port of Rotterdam) and their security are cross-sectoral theme “in order to initiate and critical areas to strengthen, and could be used stimulate ICT innovation with and between as case studies to demonstrate how and why Top Sectors.”89 In late 2014, a special task force private-public information sharing is necessary (Team ICT) was established to evaluate and to both businesses and the economy. target the development of knowledge and tal- ents for applications, services, products, work 5. INVESTMENT IN processes, and jobs for tomorrow and beyond. RESEARCH AND Subsequently, in late 2015, an ICT Knowledge DEVELOPMENT and Innovation Agenda (KIA) for 2016-2020 was published that detailed the ICT challenges

The Netherlands views R&D, innovation, and collaboration between the “golden triangle” of businesses, knowledge institutions, and government bodies as essential to its future The Netherlands is pursuing a competitiveness and economic strength. As such, the Netherlands is pursuing a modernized industrial policy modernized industrial policy – the Top Sector – the Top Sector Policy – to Policy – to harness sector specific economic stimulate ICT innovation and strength and market share that would keep drive economic growth. the Netherlands’ economic growth thriving. The Top Sectors are seen as critical to contributing to the Netherlands’ National Science

25 relevant to all sectors and Top Sectors, such as enterprises (SMEs) for innovation and vital re- big data and cyber security. Today, discussions search for the future. The 2016 Ministry of Eco- are also underway to determine whether to nomic Affairs’ budget included €200 million identify ICT as a tenth Top Sector. (~$218 million) for this fund.92

The Netherlands has defined three central The Top Sector Policy is loosely linked to the ambitions as part of its Top Sector Policy and Dutch digital strategy (Digitale Agenda) and vision for 2020. First, it wants the Netherlands even less aligned with the national cyber se- to continue to be among the world’s most en- curity strategies, albeit they all recognize the trepreneurial and competitive economies (to- importance of investing in cyber security in- day, the Netherlands ranks in the top five most novation, and R&D. In line with the objectives competitive economies globally). Second, it outlined in the first NCSS and national dig- sets a goal for the Netherlands to lead the Top ital strategy, and with the recommendations Consortia for Knowledge and Innovation (TKIs), of the 2008 EU advisory board on Research in which public and private parties participate & Innovation on Security, Privacy, and Trust- and contribute to R&D in excess of €800 million worthiness in the Information Society, the (~$872 million) – of which at least 40 percent is 2013 Dutch National Cyber Security Research from private financing. Finally, it challenges the Agenda (NCSRA) II focused on two specific Netherlands to grow its R&D activities to 2.5 areas: (1) security and trust of citizens (to in- percent of its GDP (from ~2 percent in 2014).90 clude privacy protection, security of mobile services, data and policy management, and The Ministry of Economic Affairs offers various accountability); and (2) security and trustwor- tax incentives as part of the Top Sector Policy thiness of the ICT infrastructure (to include to promote software development, informa- malware detection and removal, intrusion tion and communication technology, and infor- detection and prevention, software security, mation security solutions. These include: the security of industrial control systems, and se- WBSO (R&D tax credit), which reduces wage tax cure operating systems).93 This research agen- and social security contributions for employees da highlighted the importance of basic and engaged in R&D activities; an R&D allowance applied research in universities and academic that functions as a super deduction for qualify- institutions – including training of doctoral ing non-wage expenses directly attributable to students – and encouraged a multi-stakehold- qualified research activities; and an innovation er approach to facilitate innovation. box (formerly known as a patent box).91 While none of these tax incentives are specifically Moreover, the NCSS2 stressed the need for dedicated to cyber R&D, the WBSO, RDA, and more coordination between the supply and innovation box are quite broad and open to demand of cyber talent so that creative people all industries, which includes cyber security in- and experts could meet and work together, novation. In addition, a dedicated Innovative and suggested linking innovation initiatives Future Fund was specifically designed to make with leading sector policy. It also encouraged investment available to small and medium-size the pursuit of a broad educational program

26 “ranging from primary education to higher ect (“Pieken in de Delta project”) aimed at education, and from work-based training to developing an innovation hub in The Hague university, and from the board room to the to address some of the most pressing nation- coalface” in order to enlarge the pool of cyber al, urban, and cyber security issues. This first security experts and enhance users’ cyber se- project led to the establishment of The Hague curity proficiency.94 With this goal in mind, the Security Delta (HSD) in 2013 – a security cluster Dutch government, the business community, with hubs in The Hague, Twente, and Brabant. and academia decided to join forces to im- HSD was designed to harness Dutch innova- prove the quality and breadth of ICT education tion and help drive economic growth by bring- at all academic levels, and launched a cyber ing together Dutch businesses, government, security platform for companies, students, and academic institutions to work collabora- policy makers, consumers, producers, and tively on cyber security and ICT innovation.96 researchers to “connect, inspire one another, The HSD Campus in The Hague is the national and attune research supply and demand.” innovation center for security with state-of- This platform, called the Dutch Cyber Security the-art labs, education and training facilities, Platform for Higher Education and Research and multiple office spaces – which have made or “Dcypher,” was established in 2016 by the this city one of the main cyber security hubs Dutch Ministries of Security and Justice, Eco- in Europe. At the end of 2016, TNO officially nomic Affairs, Education, Culture and Science, opened a Cyber Threat Intelligence lab in the and the Netherlands Organisation for Scientific HSD campus to experiment with new tech- Research (NWO).95 Dcypher’s mission supports nologies that can improve early cyber threats the national agenda for research and educa- detection and information gathering, and con- tion with particular emphasis in higher edu- fidential data exchanges.97 TNO and HSD are cation in the area of cyber security to create also working on the design of a new National sufficient cyber security knowledge, skills, and Cyber Testbed to address cyber threats to criti- inspire innovation. This private-public partner- cal infrastructures. The Metropolitan Region of ship on cyber security education is still in its Rotterdam and the Hague (MRDH) have made incipient stages and consultations between the an initial investment of €200.000 (~$217.930) government and the business community on toward the realization of this plan.98 improvements in computer sciences and cyber security curricula are starting but results have The 2012 NCSRA underscored the importance yet to be achieved. The NCSS 2 strategy noted of small business innovation research (SBIR) that the NCSRA II and additional private-public and funded short-term research projects de- partnerships would contribute to this develop- signed to progress from feasibility to proto- ment, as well. type. The initial SBIR program allocated €2.7 million (~$2.9 million) resulting in prototypes In 2010, a consortium comprised of the Neth- for eight areas including business forensics, erlands Organisation for Applied Scientific real time monitoring, and grid security. The Research (TNO) and other academic and second NCSRA allocated another €2.7 million private sector organizations initiated a proj- (~$2.9 million) in funding to SBIR for the years

27 2013-2014. Funding came from six ministries strategy and the execution of the Dutch cyber for 21 feasibility projects that progressed to security research agenda, among other things. six prototypes in the areas of bring-your-own- The TNO and NWO also provide significant device (BYOD) digital identity, forensics, dig- contributions to cyber R&D in the Netherlands. ital identity, and network reconnaissance for The NWO receives about €400 million (~$436 offensive and defensive purposes.99 In 2016- million) a year, of which €300 million (~$326 2017, the European Commission’s Internal million) directly comes from the Ministry of Security Fund was the primary funder (at over Education, Culture and Science. The NWO has 90 percent) of the NCSRA’s SBIR. An addition- a dedicated Cyber Security Programme focus- al €3.3 million (~$3.6 million) is being allocating on connecting academia and the business ed to the newest priorities of the Ministry of community to promote development of prod- Security and Justice in this area.100 ucts, services, and knowledge to increase the security of Dutch digitized society.102 The Dutch government understands the importance of collaborating in R&D and innovation. For example, Dutch industry and academic In addition to its initiatives with the European centers are also pursuing various initiatives Commission, the Netherlands has a number of on both the materials sciences of quantum bi-lateral engagements, as well. For example, computing and the information protocols the US-Netherlands Agreement on Cooper- and algorithms that comprise quantum soft- ation in Science and Technology Concerning ware. Countries around the world are racing Homeland and Civil Security Matters fosters to be the first with breakthroughs in quantum bilateral cooperation in fields that have a direct information technology – an emerging tech- impact on national security. Starting in 2012, nology with important applications that will the two countries agreed to collaborate on change the security, privacy, and integrity cyber security, including incident management of networked infrastructures and the trans- and response activities, control systems securi- actions running through them. One of these ty, and cyber security exercises.101 Strong inter- initiatives, called QuTech, was founded by TU national cooperation and experience sharing Delft and TNO, and receives funding from a facilitates cost and knowledge sharing, which wide variety of sources including the Dutch spurs the development of innovative and effective (national) cyber security capabilities.

Dutch investments in cyber R&D are overseen Dutch investments in cyber by several Dutch ministries such as Defense, Economic Affairs, Security and Justice, and R&D are overseen by multiple Infrastructure and Environment, and other enti- Dutch ministries and the ties such as the CSR – the independent national TNO and NWO provide cyber security council responsible for advising significant contributions. the government on the implementation and development of the national cyber security

28 Ministries of Economic Affairs and Education, the second round of funding in 2013.108 The Culture and Science, TNO, TU Delft, NWO, Dutch government funding almost doubled and the private sector. This advanced research that amount for short-term research projects institute is focused on quantum technologies in the first round of funding in 2011 to a total and materials sciences, and has received over of €6.5 million (~$7 million), but decreased €135 million (~$148.5 million) of funding from it to €5.5 million (~$6 million) in the second the Dutch government for a period of 10 round of funding in 2013. In these rounds, the years.103 Moreover, technology companies like government funded 40 cyber security-related Microsoft and Intel are also making significant projects in total. In the period from 2014- investments in QuTech’s quantum research. In 2016, NWO did not invest substantially in addition to QuTech, NWO through CWI,104 in cyber security research projects. partnership with the University of Amsterdam, the Free University of Amsterdam, and the In addition, the Netherlands participates in private sector are collectively funding research the EU’s “Horizon 2020” program, and lever- programs for new protocols and algorithms for ages its Top Sector Policy to enhance collabo- use in quantum computing, and have recently ration between the private and public sectors launched QuSoft – a new research center for through ground-breaking R&D in order to quantum software.105 QuSoft will also partic- generate growth in the ICT sector. The Inter- ipate and contribute to the EU strategy for national Research and Innovation Coopera- investment in Quantum Science and Technol- tion team, part of the Netherlands Enterprise ogies, which is part of the Horizon 2020 Work Agency (RVO) under the Ministry of Economic Programme. The EU has stated that it wants to Affairs, is the Dutch national contact point for have quantum capabilities by 2035.106 this EU program.109

The NWO’s program is aligned with both Despite all published innovation plans and the NCSRA II and the Dutch Digital Delta’s ambitious goals to promote the Netherlands 2016-2019 ICT Knowledge and Innovation as a “safe place to do business” and as the Agenda (KIA), and features interdisciplinary “Digital Gateway of Europe,” the country collaboration with international scientists, faces a significant shortage of cyber secu- local and global businesses, and higher edu- rity professionals able to protect its critical cation institutions.107 NWO funding for cyber infrastructure and digital assets. In response security-related projects is distributed among to the shortage of cyber security talent, the nine research themes of the NCSRA II that 2011 national cyber security strategy set up include: identity, privacy, and trust manage- a Cyber Education and Training Center to ment; malware and malicious infrastructure; start developing the human capital necessary and offensive cyber capabilities, among oth- to bolster the country’s growing digital econ- ers. Their budget for long-term research in the omy.110 The NCSS 2 reiterated the country’s first round of funding in 2011, however, con- need to train a sufficient number of qualified sisted of a mere €3.5 million (~$3.8 million) cyber security professionals, and warned that and about the same amount was allocated for the Netherlands would have a shortage of

29 over 6,800 IT personnel by 2017.111 In 2016, Finally, the NCSS 2 recognized that progress the Dutch Cyber Security Council signaled has been made in the Netherlands to increase again that there still was a major shortage of awareness of cyber risks, but that more needs cyber security professionals in the country, to be done to raise awareness of cyber threats and recommended increasing emphasis on and increase cyber hygiene across society. In cyber security education at all levels. response to this need, the Dutch government – and the NCSC in particular – regularly spon- Various universities and academic institutions sors and participates in multiple cyber securi- in the Netherlands offer undergraduate and ty awareness campaigns throughout the year. graduate degrees with cyber security concen- These include: the European Cyber Security trations, but most of the existing programs, in- Month during the month of October; the cluding at elite universities like the University “Alert Online” campaign – a two-week long of Amsterdam and the University of Leiden,112 public effort in which different stakeholders are still highly technical or lack a multidisci- join forces to promote cyber security among plinary approach that combines technology Dutch citizens, government, and the private with policy, law, economics, ethics, and oth- sector by organizing workshops, meetings, er social sciences. Some universities have presentations, and other activities; the “Hang recently launched masters degree programs up, click away, call your bank” campaign – an that combine technology, legal, criminal, effort promoted by the Dutch Payments As- and psychological issues, including privacy, sociation to inform Dutch citizens about ways intellectual property rights, cyber crime, and to protects themselves from online fraud; and the human factor in computer-related crimes. Safer Internet Day. Nonetheless, the degree For example, the University of Leiden, Delft to which these awareness campaigns effec- University of Technology, and the Hague Uni- tively prevent phishing or other cyber crimes versity of Applied Sciences, with the support is unknown.115 More recently, the Dutch of the Municipality of The Hague, launched Consumers Association (Consumentenbond) a multidisciplinary research center – a Cyber started an “Update!” campaign to encourage Security Academy – that offers a part-time manufacturers of Android smartphones to academic executive master’s program, short make software updates available to consum- courses, and tailored tracks on a wide array ers and inform them about vulnerabilities in of cyber security issues.113 Current cyber secu- their devices. As part of this campaign, the rity programs, however, should be further ex- Dutch Consumers’ Association filed a lawsuit panded and incorporated into all major tech- against Samsung in 2016 accusing them of nical and non-technical academic programs, having “poor software update policy” and and universities should work to optimize their demanding that the company respect its duty campus-wide resources to offer comprehen- of care and make updates available to cus- sive curricula that synthesize technical, policy, tomers for at least two years after purchase of economic, sociological, and legal compo- devices.116 nents of the study of cyber security.114

30 At the end of the 2016 cyber security aware- 6. DIPLOMACY AND TRADE ness week “Alert Online,” Herna Verhagen, CEO of PostNL, presented an advisory report The Dutch government has recognized cyber (“Digitaal Droge Voeten”) at the request security as a Tier One priority of its foreign of the CSR to Prime Minister Rutte in which policy and has been actively engaged in dip- she urged the Dutch government as well as lomatic and trade and commerce negotiations businesses to invest 10 percent of their an- related to cyber security and the promotion of nual ICT budget for specific cyber security practical cooperation in cyberspace, as well as measures.117 The report received widespread initiatives related to data protection and privacy coverage in Dutch media due to its alarming within the EU. The Netherlands is currently en- message about increased cyber threats and gaged in a variety of international discussions recommendation for the Cabinet to appoint a high-level official for cyber security, but it did not provide additional insight into the state of Dutch investments in cyber R&D.118 Cyber security is a Tier One The Netherlands’ Top Sector Policy recognizes priority for the Netherlands’ that ICT R&D is important, but in order to meet the challenge stated by Ms. Verhagen to the foreign policy agenda. Prime Minister and for the Netherlands to effectively seize its economic vision, it will need to elevate ICT to a dedicated tenth sector and harness the power of private and public funding for additional R&D. Currently, cyber R&D on cyber security, cyber crime detection and is fragmented across multiple institutions and prosecution, CSIRTs cooperation and Critical thus likely sub-optimized for a broader, more Information Infrastructure Protection (CIIP), impactful vision. Moreover, there is a serious confidence building measures (CBM), cyber shortage in cyber specialists, and university capacity building, Internet governance, digital programs still lack a comprehensive approach rights, and international norms for responsible to cyber education extending beyond simply state behavior in cyberspace. technical methods. The joint initiatives that the Netherlands has with the European Com- During the 2016 International Security Con- mission, the US, and others present an oppor- ference in Munich, Dutch Minister of Foreign tunity to harness the global innovation com- Affairs, Bert Koenders, recognized that “as munities. The Hague Security Delta and TNO’s societies become more and more dependent Cyber Threat Intelligence Lab may prove to be on cyber infrastructure, the opportunities important foundations to foster cyber security for growth and innovation seem endless and solutions for the digital future. promising. But so does our vulnerability to

31 cyber incidents, attacks [and] highly disrup- tile countries and cyber criminals. The strategy tive or even destructive cyber operations.”119 echoed previous documents in supporting a He stressed the Netherlands’ commitment to “secure, free, and open Internet” and encour- “strengthen our cyber defenses, build interna- aging the Netherlands to play a leadership tional consensus to protect critical infrastruc- role in improving international agreements on ture, like energy, telecom, and banking as well cyber security.124 It also emphasized the need the Internet itself, … defend digital rights, to strengthen the Netherlands’ role within var- promote innovation, improve cyber security, ious international fora by setting forth “a clear [and use cyber diplomacy to develop] a com- vision on Dutch international cyber policy to mon normative framework that regulates state ensure that all parts of the government oper- behavior in cyberspace and maintains interna- ate in a coherent and effective manner.”125 tional stability.”120

In addition, cyber security was an important theme in the 2013 Dutch “International Se- curity Strategy,” which identified various actions undertaken by the Netherlands abroad The Dutch Ministry of and in cooperation with other countries to Foreign Affairs published secure its interests domestically and interna- its own International Cyber tionally, and to promote the development of Strategy that recognizes the international standards and regulations on cyber security.121 In the 2013 national cyber need for an ongoing, open, security strategy (NCSS 2), the Dutch gov- and pragmatic dialogue ernment reiterated its strong commitment to between all stakeholders. work with international partners to “create a secure and open digital domain” and “protect fundamental rights and values.”122 It also reaffirmed its desire “to play a prominent role in the search for new coalitions for defense, diplomacy, and development,” and to serve as In order to foster stability in cyberspace and “cyber security mediator and hub” for interna- reach internationally accepted standards in tional cooperation in the digital domain.123 In which all parties involved are represented, February 2017, the Dutch Ministry of Foreign the Netherlands has been advocating for a Affairs (MFA) published the document “Build- multi-stakeholder “Internet governance model ing Digital Bridges” – the MFA’s “International that takes account of the interests of the various Cyber Strategy: Toward an integrated inter- actors”126 and investing in various formal and national cyber policy” – which stressed the informal alliances, both within and outside the importance for the Netherlands to work on EU. The Netherlands has been very active in diplomacy, defense, and development in order the international arena, including collaboration to tackle the threat of cyber attacks from hos- with the United Nations (UN), the Council of

32 Europe, NATO, the Organization for Econom- erlands also initiated a Cyber Norms Platform ic Co-operation and Development (OECD), with Estonia to discuss input for the UN Group Europol, and other multinational organiza- of Governmental Experts (UN GGE) on inter- tions. The multi-stakeholder theme expressed national law and joined the UN GGE as a full in both the national cyber security strategy member for the 2016-2017 period. In addition, and the 2011-2015 digital strategy (“Digitale the Dutch government played a critical role in Agenda”) is actively pursued during the Glob- the establishment of a new Global Commis- al Conference(s) on Cyberspace – a series of sion on the Stability of Cyberspace (GCSC) – a inter-ministerial gatherings held in London, global body tasked with developing proposals Budapest, Seoul, and The Hague since 2011 for norms and policy initiatives to improve the and known as the “London Process;” by devel- stability and security of cyberspace. The new oping confidence building measures (CBMs) GCSC is based in The Hague and is comprised between states, similar to those agreed upon of prominent international experts from over by members of the Organisation for Security 15 different countries, including diplomats, and Cooperation in Europe (OSCE);127 and by academics, and representatives of private participating in other multi-stakeholder set- sector companies, civil society, and the tech tings like the International Telecommunication community. Dutch MFA Koenders announced Union (ITU), the Internet Governance Forum the establishment of the GCSC at the Munich (IGF), and the World Economic Forum (WEF). Security Conference in February 2017. He stat- One important outcome of the 4th Global ed: “This is a unique initiative to ensure that we Conference on Cyberspace held in The Hague drive [existing] activities in the right direction. in 2015 was the launch of a Global Forum on … It requires greater coordination among us Cyber Expertise (GFCE) – a global platform all. It needs the development of norms to pro- for governments, inter-governmental organi- vide a stable and secure environment” for the zations, the tech community, and academia benefit of all.129 to exchange best practices and expertise on cyber capacity building. The mission of the With The Hague as the recognized city of inter- GFCE is to “identify successful policies, prac- national peace and security, the Netherlands tices and ideas” that can be replicated on a aims to develop into an “international center global scale, and “develop practical initiatives for cyber diplomacy” that brings together in- to build cyber capacity.”128 ternational experts, policymakers, diplomats, military personnel, and NGOs in order to In addition, the Netherlands started The Hague promote the peaceful use of cyberspace. The Process – a series of consultation meetings and country is already combining knowledge from activities between over 50 states and the au- existing Dutch centers, and creating a strong thors of the Tallinn Manual 2.0 on peacetime network of multidisciplinary expertise to tackle international law. The main objective of this different topics, such as international standards initiative is to promote interstate discussions for conflict prevention, civil-military cooper- and shared understanding about how inter- ation, and non-proliferation in cyberspace. national law applies in cyberspace. The Neth- These efforts would form the basis for a series of multi-stakeholder, high-level meetings.130

33 Another example of the multi-stakeholder Netherlands approaches negotiations on trade approach to building a safe, secure, free, and as a champion for data privacy and also advo- peaceful cyberspace championed by the Neth- cates for nations to remain technology agnos- erlands is the Freedom Online Coalition (FOC) tic in order to promote the free flow of goods, – a joint effort initiated by the Dutch MFA in services, data, and capital across borders. For 2011 to support Internet freedom and promote example, the Netherlands has engaged in democracy and human rights online.131 Today, many of the international dialogues concern- the coalition has 30 member countries from all ing encryption, export regulations for intrusion over the world and the Netherlands is push- software and “dual use” technologies, such as ing for additional countries to join. In addition those covered in the “Wassenaar Agreement to providing a platform for multi-stakeholder on Export Controls for Conventional Arms and meetings and conferences, Coalition members Dual-Use Goods and Technologies,” and has share information on violations of human rights been a pioneer in the promotion of responsi- online, work together to voice concern over ble disclosure. measures that curtail freedom of expression online, and engage civil society and the private Cyber issues are emerging in many different sector on pressing issues related to Internet traditional international relations areas includ- freedom while encouraging the incorporation ing human rights, economic development, of agreed upon standards into the design of trade agreements, arms control and dual use new and innovative products and services. technologies, security, stability, and peace and conflict resolution. The Dutch MFA serves as The 2011 Dutch digital strategy reinforced the the office responsible for coordinating Dutch connections between economics, cyber securi- participation and efforts in various multination- ty, ICT trust, and capacity building. In fact, the al fora of discussion on cyber security issues. Netherlands routinely addresses development Nonetheless, the more technical discussions cooperation issues and participates in projects that occur in international fora like the TF- dedicated to cyber capacity building, cyber se- CSIRT and the CSIRTs Network are outside the curity capacity building, and cyber confidence purview of the MFA. When cross-cutting issues building in developing countries. In addition, arise needing multiple sets of expertise to en- the Netherlands was the first country to speak gage, the Netherlands establishes ad hoc task out in favor of encryption and against limita- forces. For example, a Task Force Cyber was tions to the development, availability, and/or established in 2015 as part of both the Security use of encryption algorithms. Policy Department and the Multilateral Organi- zations and Human Rights Department of the Cyber security issues are often entangled in MFA, to develop and advocate a Dutch inte- trade negotiations and security treaties, as well. grated international cyber policy. The Neth- The Netherlands has participated in many of erlands has also established a Special Envoy these discussions and negotiations in the var- for International Cyber Policies position within ious international fora mentioned above, and the ministry with the direct responsibility of ne- has been implementing and enforcing interna- gotiating cyber security-related foreign policy tional agreements at the domestic level. The agreements and “further disseminating the

34 results of the GCCS and the Dutch ambitions Justice to achieve both the economic goals and priorities in the field of cyber.”132 For eco- of the Netherlands along with assuring its nomic and trade negotiations, the Ministries of security priorities. The Dutch government Economic Affairs, Security and Justice, Foreign strives to ensure consistency between its do- Affairs, and the NCSC assemble to discuss mestic and foreign policy agendas so that it and develop a common position to ensure the does not undermine its credibility at the ne- economic/trade missions achieve their desired gotiating table. The Dutch have established outcomes.133 The Netherlands intends to en- a brand and are recognized through the city hance its diplomatic initiatives by activating a of The Hague, as an international leader for network of cyber diplomats at a number of em- peace and security. Today, the Netherlands bassies. This network will fall under the existing is continuing to build on that brand and ex- budget of the MFA.134 tending it to be known as a leader in cyber security by leveraging EUROPOL’s Cyber In addition to its own foreign and econom- Crime Center, establishing the Hague Secu- ic policy positions, the Netherlands used its rity Delta for cyber innovation, and initiating 2016 presidency of the EU to advance the the Hague Process to clarify how internation- cyber security dialogue more broadly. Through al law applies to cyber operations. Dutch leadership, new initiatives in the field of international cooperation in cyber crime were 7. DEFENSE AND CRISIS spawned and the importance of an overarch- RESPONSE ing EU cyber security strategy was reaffirmed. By the end of 2017, the EU Commission is ex- In the late 2000s, the use of military grade pected to publish a second European Cyber weapons against national critical infrastructures Security Strategy. and the use of cyber in military operations cat- alyzed the Dutch Ministry of Defense (MoD) to Clearly, the Netherlands has fundamental in- undertake initiatives to better train, organize, ternational interests in this area and has been and equip its Armed Forces in order to pro- an advocate of free, open, and secure Inter- tect the Netherlands and enhance its military net. Economically, the country is one of the posture. Despite the military drawdown and top 10 exporters of ICT goods and telecom- broad-based budget cuts in other areas, the munication services and the broader Dutch MoD started to proactively invest in cyber op- digital economy is growing beyond 22 per- erational capabilities within its Armed Forces. cent. Its diplomatic initiatives are focused on At the same time, the MoD started to discuss strengthening international cooperation and publicly the importance of the mission and the reinforcing legal frameworks while reducing necessity to create a more robust cyber securi- crime, espionage, human rights violations, ty posture. In order “to protect the nation, the and other harmful on-line activities. Moving Netherlands is developing robust capabilities forward, the Dutch government should pur- based on the objectives of early detection, sue a more integrated approach that focuses active defense, and if necessary intervention,” the expertise from the Ministries of Foreign and it is building-up these capabilities in sup- Affairs, Economic Affairs, and Security and port of Dutch interests.135

35 Prompted by the 2010 NATO Summit in Lisbon facilitating rapid acquisition; (3) strengthening and the publication of the “NATO Cyber De- national digital resilience through partnerships; fense Concept, Policy, and Action Plan,” the (4) training and educating personnel about the Dutch government began reflecting some of opportunities and danger of the digital world; the same concepts and commitments in their (5) strengthening and hardening defense net- first national cyber security strategy in 2011 works, IT services, and systems; (6) moderniz- and subsequent cyber defense plans. ing the 2002 Intelligence and Security Services Act to enlarge the cyber intelligence capacity; The 2012 Dutch “Defence Cyber Strategy” ac- (7) building the operational cyber capacity of knowledged that military and civil, public and the Armed Forces.138 private, national and international actors had become more intertwined in cyberspace. The In order to accomplish these objectives, the Defense Minister’s accompanying letter to this Dutch organized and divided their lines of strategy declared cyberspace as a “fifth do- responsibilities in this field into these primary main for military operations alongside air, sea, functional areas: land, and space.”136 The 2012 defense cyber strategy described the role of the Netherlands • The Joint Information Management Or- Armed Forces in the digital domain and laid ganization (Joint InformatieVoorzienings out six focal areas of action: (1) adopting a Commando, JIVC), operational since comprehensive approach; (2) strengthening 2013, is responsible for protecting and the cyber defense of the Defense organization monitoring all military networks, IT ser- (defensive element); (3) developing the mili- vices, and systems in the Netherlands tary capabilities to conduct cyber operations and areas of operations. Its primary role (offensive element); (4) strengthening the in- is to protect and defend. The Dutch De- telligence position in cyberspace (intelligence fense CERT (DefCERT) – part of JIVC – is element); (5) strengthening the knowledge responsible for supervising and ensuring position and innovation strength of the De- the reliability and unhindered functioning fense organization in cyberspace, including the of information systems in support of mili- recruiting and retention of qualified personnel tary operations. DefCERT is the first point (adaptive and innovative elements); and (6) of contact for reporting and responding intensifying cooperation both nationally and to cyber incidents within the MoD and internationally (cooperative element).137 carries out threat and vulnerability assessments, advising the Armed Forces on Building on the 2012 strategy, the 2015 De- security measures. fense Cyber Strategy expanded the Nether- lands’ approach to holistic cyber operations • The Military Intelligence and Security and highlighted seven key initiatives to “create Services (MIVD) is responsible for cyber the right conditions for success [of the Neth- intelligence, along with the General In- erlands] in cyberspace.” These include: (1) at- telligence and Security Service (AIVD) tracting knowledgeable cyber professionals; within the Ministry of Interior and King- (2) expediting capability development and dom Relations. In 2015, AIVD and MIVD

36 combined their signal intelligence and power. “As with the deployment of other types cyber capabilities into the Joint SIGINT of force, when it comes to the deployment of Cyber Unit (JSCU) – a unit tasked with offensive cyber capabilities, the Netherlands protecting national security and the Dutch believes in exercising extreme restraint and Internet against cyber threats, while also only taking action if there is an adequate ba- providing better support to the Armed sis for such action in national or international Forces during their missions.139 The Dutch law.”144 As the Commander of DCC, Brigadier government is working to update the law General Hans Folmer, stated: (Computer Crime Act III) to expand their capabilities, including the ability to eaves- The mission of the Dutch Cyber Com- drop on cellphone and Internet traffic on mand is to contribute to the freedom of a large-scale, and to provide them with maneuver in cyberspace and to the fight- additional tools and authorities to better ing power of the Dutch armed forces by document cyber threats and investigate preparation, training, and deployment and combat advanced cyber attacks.140 In of operational cyber teams. These teams addition, MIVD actively cooperates with provide integrated military operational DefCERT in the field of computer network cyber capabilities in support of the Dutch defense (CND) and on investigations re- Armed Forces in the full spectrum of mil- lated to cyber incidents within the MoD.141 itary cyber operations. They plan, coordi- nate, and execute as part of a Joint Task • The Defense Cyber Command (DCC) is Force Cyber Operations from defensive the direct liaison for the Commander of cyber operations to offensive cyber op- the Armed Forces for the cyber mission. erations, with direct effects or supporting The DCC is also responsible for coordi- effects.145 nating all tasks within the Ministry of De- fense for all four services (army, navy, air In addition to protection, intelligence, and force, and military police) for operations operations, the DCC has a coordinating role and operational cyber capacity to include for all DOTMLPF activities (involving any com- offensive capability development and bination of doctrine, organization, training, deployment. materiel, leadership and education, personnel

The Netherlands announced the creation of its dedicated DCC in September 2014.142 Today, the DCC is an integral component of military The mission of the Dutch Cyber operations and provides both defensive and Command, established in 2014, offensive capabilities to the full range of mis- is to contribute to the freedom sions, including peace-time operations, crisis management, and humanitarian assistance.143 of maneuver in cyberspace The Netherlands was the first NATO country and to the fighting power of to openly discuss the importance of offensive the Dutch armed forces. cyber operations as an element of national

37 and facilities). It “coordinates and facilitates of collection of general data or information these cyber activities and capabilities within regarding other actors’ activities in cyber- the Dutch MoD and with military and civilian space. These operations do not include national and international partners. Further- the activities of the defense intelligence more, the Command obtains, disseminates, and security services; and manages cyber expertise for the entire Dutch Armed Forces by contributing to educa- 5. Supporting cyber operations – small-skill tion, training, and exercises.”146 operations in support of other more tactical level activities in peace-time, crisis, The Dutch DCC has openly discussed six dif- or conflict situations. Due to its versatility, ferent types of cyber operations, some compa- these operations are particularly useful in rable to what other countries have developed support of the information warfare capac- and some are new and more unique: ity, such as psychological operations, de- ception, operational security, lawfare, and 1. Cyber security operations – passive and de- electronic warfare; fensive measures focusing on protection, prevention of damage, and restoration; 6. Offensive cyber operations or combat operations – either supporting an operation 2. Defensive counter cyber operations or in another domain or executed in cyber- proactive countermeasure – actions to space only to achieve a military objective neutralize active threats within the Neth- (giving commanders the ability to achieve erlands’ own networks, such as detecting an operation). or obtaining information about cyber intrusions, cyber attacks, or impending cyber During the 2016 International Confer- operations, or for determining the origin ence on Cyber Conflict, Brigadier General of an intruder’s operations or terminating Folmer acknowledged that “the Nether- such adversary malicious cyber activity – lands includes the options of offensive these operations do not extend beyond cyber actions in all its military operations,” the Netherlands MoD’s perimeter; and stressed that “cyber operations must now be integrated in military missions and become 3. Offensive counter cyber operations con- just another tool in the toolbox of the mission ducted outside the perimeter of the Dutch commander. When developing military offen- MoD networks. These are military cyber operations executed in response to attacks, including launching preemptive and “Cyber operations must now be preventive counter operations against the integrated in military missions source of a cyber threat; and become just another tool 4. Cyber intelligence, surveillance, and recon- in the toolbox of the mission naissance operations – cyber operations at commander.” a lower level that have the sole purpose – Brigadier General Hans Folmer

38 sive capabilities, we should focus on using (~$449 million) for IT, but it is unclear how much them against legitimate targets and mitigat- of these funds are allocated for cyber defen- ing negative collateral effects. This means sive or offensive capabilities. The Netherlands that emphasis should be placed on planning, is investing in training and recruitment activi- decision-making, logging, testing, training, ties, focused R&D, and international coopera- and so on.”147 In addition to its domestic tion to support its cyber defense mission. The efforts, the Netherlands is participating in Dutch MoD is using recruitment techniques to NATO’s Multinational Cyber Defence Capabil- attract ethical hackers, and highlighting that ity Development Program with NATO’s Com- these missions are legal if conducted under munication and Information Agency, together the right authorities. They are also partnering with Canada, Denmark, Norway, and Romania. with key industry leaders to develop a skills development program for training motivated The Dutch MoD participates in the bi-annual soldiers to become cyber skilled experts. Fi- national level crisis response exercise. More- nally, recognizing that top talent is scarce and over, the Dutch Armed Forces are active the necessity of finding ways to optimize, led participants in multi-national and allied cyber to the bundling of AIVD and MIVD efforts into exercises – as noted in the incident response the Joint SIGINT Cyber Unit. Pooling scarce section – and especially in all those associ- knowledge and resources (funding and per- ated with NATO such as “Cyber Coalition” sonnel) is essential in these ever-changing and and “Cyber Atlantic.” It also participates in increasingly challenging fields. bi-lateral collaborative exercises with Germa- ny and other NATO countries. Additionally, The Netherlands has declared cyberspace as the Dutch government has been leading the a “fifth domain for military operations” and is scenario development and discussions within organizing to execute upon this mission. The NATO about integrating cyber into its for- country clearly recognizes that security is a mal military processes. During the July 2016 prerequisite not only for a functioning society Warsaw Summit, NATO member states agreed but for also the future of its economy. Yet, its vi- to enhance the cyber defenses of national sion and ambitious plans are not financed with networks and infrastructures, improve their sufficient money, materiel, or manpower. This resilience and ability to respond quickly and means that the Dutch must capitalize on their effectively to cyber attacks, and adapt their pragmatic outlook and find creative means by cyber defense capabilities. NATO also agreed which to attract, develop, and retain person- that cyberspace was a fifth domain of warfare. nel; partner and leverage the EU, NATO, and other alliances to gain capability; and convince The DCC and MoD writ large are supporting the new government to invest in their ambi- the cyber mission out of existing budgets. tious agenda with dedicated funds. While much of the MoD’s budget is classified, the 2017 defense budget showed an increase of €17 million (~$18.5 million) for cyber.148 That same budget allocated a total of €412 million

39 CRI 2.0 BOTTOM LINE The CRI 2.0 offers a comprehensive, com- parative, experience-based methodology to According to the CRI 2.0 assessment, the help national leaders chart a path towards a Netherlands is on a path to becoming cyber safer, more resilient digital future in a deeply ready and is currently partially operational in cybered, competitive, and conflict prone world. most of the seven CRI essential elements. For more information regarding the CRI 2.0, please see: http://www.potomacinstitute.org/ The findings in this analysis represent a snap- academic-centers/cyber-readiness-index. shot in time of a dynamic and changing land- scape. As the Netherlands continues to devel- The CRI 2.0 methodology is available in op and update its economic (digital agenda) Arabic, Chinese, English, French, Russian, and and national cyber security strategies, policies, Spanish, and is currently being applied to 125 and initiatives to reflect a more balanced ap- countries. proach that aligns its national economic visions with its national security priorities, updates to The CRI country profiles of France, Germany, this country profile will reflect those changes India, Italy, Japan, the Netherlands, the United and monitor, track, and evaluate substantive Kingdom, and the United States can be found at and notable improvements. the following link: http://www.potomacinstitute. org/academic-centers/cyber-readiness-index.

Legend Fully Operational

Partially Operational

Insufficient Evidence

IDI Rank NRI Rank GDP Rank National StrategyIncident ResponseE-Crime & Law EnforcementInformation SharingInvestment in R&DDiplomacy & TradeDefense & Crisis Response

8 Netherlands 11 17

40 Cyber Security Beeld Nederland ENDNOTES 2016,” September 5, 2016.

1. Robert Hobbes Zakon, “Hobbes’ 8. Ministry of Economic Affairs, Ag- Internet Timeline 24,” https://www. riculture and Innovation, “Digital zakon.org/robert/internet/timeline/. Agenda.nl – ICT for innovation and economic growth” (2011): 4. 2. The Centrum Wiskunde & Informatica (CWI) is part of the Netherlands 9. Ibid, 5; and European Policy Centre, Organization for Scientific Research “Establishing the Digital Single (NWO) and, at that time, was fully Market: policy recommendations,” funded by the Dutch Ministry of 1, http://www.epc.eu/dsm/6/ Education, Culture and Science. Policy_recommendations.pdf.

3. AMS-IX, “Linking Amsterdam 10. Ministry of Economic Affairs, Ag- to the World,” https://ams-ix. riculture and Innovation, “Digital net/about/historical-timeline/ Agenda.nl – ICT for innovation and linking-amsterdam-to-the-world. economic growth” (2011): 5.

4. Dutch Ministry of Security and Justice, 11. Ministry of Economic Affairs, “National Cyber Security Strategy “Progress through Renewal: 2016 2: from Awareness to Capability,” Enterprise Policy Report,” 27. (October 2013): 13, https://english. nctv.nl/binaries/national-cyber-secu- 12. Netherlands Organisation for Ap- rity-strategy-2_tcm32-84265.pdf. plied Scientific Research (TNO), “Cost of Cyber Crime Largely Met 5. OECD, “OECD Digital Economy by Business,” accessed on Novem- Outlook 2015,” (July 15, 2015): 38- ber 5, 2013, www.tno.nl/content. 39, http://www.oecd.org/internet/ cfm?context=overtno&content=nieu- oecd-digital-economy-outlook-2015- wsbericht&laag1=37&laag2=69&item_ 9789264232440-en.htm, and The id=2012-04-10%2011:37:10.0&Taal=2 . Hague Center for Strategic Studies, “Dutch Investments in ICT and Cyber- 13. Deloitte, “Cyber Crime Costs Dutch security,” (December 2016): 9-20. Organisations 10 Billion Euros each Year,” April 4, 2016, https://www2. 6. Mark Knickrehm et al., “Digital Disrup- deloitte.com/nl/nl/pages/about-deloitte/ tion: The Growth Multiplier,” Accenture articles/cybercriminaliteit-kost-ned- Strategy Report, 2016, https://www. erlandse-organisaties-10-miljard-eu- accenture.com/us-en/insight-digi- ro-per-jaar.html. English press tal-disruption-growth-multiplier. release: https://www2.deloitte.com/ nl/nl/pages/about-deloitte/articles/ 7. National Coordinator for Security and cyber-crime-costs-dutch-organisations- Counterterrorism (NCTV), Ministry of 10-billion-euros-each-year.html. Security and Justice, “Beleidsreactie

41 14. Dutch Ministry of Security and at the Cybersecurity Matching Forum,” Justice, “National Cyber Security November 10, 2015, https://www. Strategy: Success through Coopera- government.nl/documents/speech- tion” (February 2011), https://www. es/2015/11/10/speech-by-prime-min- enisa.europa.eu/media/news-items/ ister-mark-rutte-at-the-cybersecu- dutch-cyber-security-strategy-2011. rity-matchmaking-forum-tokyo.

15. Kim Zetter, “Diginotar Files for Bankrupt- 22. The Hague Center for Strategic Studies, cy in Wake of Devastating Hack,” Wired, “Dutch Investments in ICT and Cyberse- September 20, 2011, https://www.wired. curity,” 20. For more on other countries’ com/2011/09/diginotar-bankruptcy/. cyber security spending as a portion of their national GDP, see: Melissa 16. Dutch Ministry of Security and Justice, Hathaway et al., country profiles in the “National Cyber Security Strategy “Cyber Readiness at a Glance” series, (NCSS 2): from Awareness to Capability” Potomac Institute for Policy Studies, (October 2013): 28, https://english. http://www.potomacinstitute.org/ nctv.nl/binaries/national-cyber-secu- academic-centers/cyber-readiness-index. rity-strategy-2_tcm32-84265.pdf. 23. Melissa Hathaway et al., “Cyber Readi- 17. Deltawerken, “The Delta Works,” ness Index 2.0 – A Plan for Cyber http://www.deltawerken.com/ Readiness: A Baseline and an Index,” Deltaworks/23.html; and Dutch Dig- Potomac Institute for Policy Studies, ital Delta, “About us,” https://www. November 2015, http://www.potomac- dutchdigitaldelta.nl/en/about-us. institute.org/images/CRIndex2.0.pdf.

18. Ibid. 24. Dutch Ministry of Security and Justice, “National Cyber Secu- 19. Hans Folmer announcing the creation of rity Strategy (NCSS 1),” 2. Dutch Defense Cyber Command, The Hague, September 25, 2014, https:// 25. Ibid, 5-6. cyberwar.nl/d/20140925_Toespraak+Min- ister+Hennis-Plasschaert+bij+lancer- 26. Ibid, 9. ing+van+het+Defensie+Cyber+Com- mando+in+Den+Haag.pdf. 27. In addition to the attack on Digit- Notar, the Netherlands suffered other 20. Ministry of Foreign Affairs, “Inter- highly publicized incidents such as national Cyber Strategy: Toward An the hack on a municipal waste water Integrated International Cyber Policy,” system and the Pobelka botnet. February 13, 2017, Section 3.2 on “Cyber Defense and Security.” 28. Kadri Kaska, “National Cyber Security Organisation: the Netherlands,” NATO 21. Government of the Netherlands, Cooperative Cyber Defense Center “Speech by Prime Minister Mark Rutte of Excellence, Tallinn, (2015): 8.

42 29. To be able to provide independent 38. Some security-related investments are and well-considered advice, the CSR classified or not officially announced. has a balanced composition, made up of an equal number of represen- 39. Global Conference on Cyberspace, tatives of public and private parties “GCCS 2015,” https://www.gccs2015. (each hold seven seats). Scientific com. This event brought together se- institutions hold four additional seats. nior leaders and decision makers from The council has two co-chairmen: the governments, private sector, and civil government and private sector alter- society around the world to The Hague nate with each other every meeting. in 2015 to promote practical cooperation in cyberspace, enhance cyber 30. Dutch Cyber Security Council, capacity building, and discuss norms for “Home,” https://www.cybersecu- responsible behavior in cyberspace. rityraad.nl/index-english.aspx. 40. “Cyber Threats Call for Additional 31. Dutch Ministry of Security and Measures,” The Hague Security Del- Justice, “National Cyber Security ta, October 6, 2016, https://www. Strategy (NCSS 2),” 8. thehaguesecuritydelta.com/news/ newsitem/749-cyber-threats-calls-for-ad- 32. United Nations Department of Eco- ditional-measures. nomic and Social Affairs, “United Nations E-Government Survey 2016: 41. Ministry of Economic Affairs, Agriculture E-Government for Sustainable Devel- and Innovation, “Digital Agenda.nl,” 28. opment,” New York, (2016): 111 and 116, http://workspace.unpan.org/sites/ 42. Melissa Hathaway’s interview Internet/Documents/UNPAN96407.pdf. with Dutch officials, Washington D.C., December 11, 2016. 33. Dutch Ministry of Security and Justice, “National Cyber Security 43. National Cyber Security Centre, Strategy (NCSS 2),” 3. “What is the NCSC?”

34. Ibid, 7. 44. National Coordinator for Security and Counterterrorism, “National Manual on 35. National Cyber Security Centre, Decision-making in Crisis Situations – “What is the NCSC?”, https://www. The Netherlands,” https://english.nctv.nl/ ncsc.nl/english/organisation. binaries/national-manual-decision-making-in-crisis-situations_tcm32-84092.pdf . 36. Ibid. 45. National Coordinator for Security and 37. Dutch Ministry of Security and Counterterrorism, Ministry of Security Justice, “National Cyber Security and Justice, “Critical Infrastructure Strategy (NCSS 2),” 26-28. (Protection),” January 20, 2017, https:// english.nctv.nl/topics_a_z/critical_in- frastructure_protection/index.aspx.

43 46. Melissa Hathaway’s interview harnessed to knock businesses off-line with Dutch government officials, and affect citizens’ safety; (3) the third Washington D.C., March 28, 2017. scenario involved a significant breach of citizen data in which the government was 47. National Coordinator for Security and the custodian – similarly to the breach of Counterterrorism, “ISIDOOR: Op- the Office of Personnel Management in erational Cyber Exercise with Public the United States or other similar events and Private Partners,” June 25, 2015, in the United Kingdom or Canada; and https://english.nctv.nl/current_topics/ (4) the fourth scenario evaluated an news/2015/ISIDOORoperationalcyberex- environment of government regulations ercisewithpublicandprivatepartners.aspx. and interventions in critical infrastructures, in which the government would 48. National Cyber Security Centre, “ICT challenge itself to not only consider Crisis Management,” https://www. future incident response challenges, but ncsc.nl/english/Incident+Response/ also the relevant policy implications of ict-crisis-management.html. decisions it was making today and what outcomes might be achieved by 2021. 49. National Cyber Security Centre, “ICT Response Board,” https:// 54. European Defense Agency, “Complex www.ncsc.nl/english/Coopera- Cyber Crisis Management Exercise tion/ict-response-board.html. in Vienna,” September 16, 2015, https://www.eda.europa.eu/info-hub/ 50. National Coordinator for Security and press-centre/latest-news/2015/09/16/ Counterterrorism, “Review of Policy on complex-cyber-crisis-management-ex- Critical Infrastructure,” (July 2015). ercise-in-vienna; and NATO, “NATO Holds Annual Cyber Exercise in Estonia,” 51. Ibid. December 2, 2016, http://www.nato. 52. National Coordinator for Security int/cps/en/natohq/news_138674.htm. and Counterterrorism, “Successful 55. National Cyber Security Cen- international Exercise VITEX, May tre, “Monitoring,” https://www. 13, 2016, https://english.nctv.nl/ ncsc.nl/english/Incident+Re- current_topics/news/2016/Success- sponse/monitoring.html. fulinternationalexerciseVITEX.aspx. 56. Melissa Hathaway’s interview 53. Among the four hypothetical scenarios: with Dutch government officials, (1) the first one served to test the bounds Washington D.C., March 28, 2017. of encryption and privacy policy and evaluated how the government might ac- 57. Dutch Government, “National cess key data sets or technologies during Cyber Security Strategy 2,” 8. a national security crisis; (2) the second scenario highlighted a future of inse- 58. Cyber Threat Assessment cure IoT devices that are infected and Netherlands, (2016): 10.

44 59. The Dutch Standardization Forum was October 22, 2014, https://www. established by the Minister of Economic thehaguesecuritydelta.com/projects/ Affairs in 2006 to ensure implementation project/60-trusted-networks-initiative. of policies on electronic data exchange and (re)use of data and electronic ser- 65. NLnet Foundation, “Collective vices. This Forum supports the Dutch Approach to Internet Attacks Big government in the development, use, Success in the Netherlands,” Press and establishment of open standards Release, June 30, 2014, https://nlnet. for electronic information exchange. It nl/press/20140630-nawas-en.html. also promotes interoperability within the Dutch government system and 66. National Cyber Security Centre, in the relations between government “Cyber Security Assessment Nether- agencies, citizens, and enterprises, lands,” https://www.ncsc.nl/english/ and it prevents vendor lock-in and current-topics/Cyber+Security+Assess- reduces costs in government spend- ment+Netherlands/cyber-security-as- ing on ICT. For more see: “Dutch sessment-netherlands-2016.html. Standardisation Forum,” https://www. 67. Central Planning Bureau, “Cyber forumstandaardisatie.nl/content/english. Security Risk Assessment for the 60. Cyber Threat Assessment Economy,” July 6, 2016. Netherlands, (2016): 62. 68. Central Planning Bureau, “Cyber 61. National Cyber Security Centre, Security Risk Assessment for “Factsheets,” https://www.ncsc.nl/ the Economy,” (2016): 11. english/current-topics/factsheets. 69. Janene Pieters, “Dutch Parliament 62. Central Planning Bureau, “Cyber Approves Bill to Hack Criminal Security Risk Assessment for the Suspects,” NL Times, December Economy,” (2016): 2; and Dutch 21, 2016, http://nltimes. Cyber Security Council, “Bedrijven nl/2016/12/21/dutch-parliament-ap- doen nog te weinig aan digitale proves-bill-hack-criminal-suspects. veiligheid,” April 5, 2017, https://www. 70. Lexology, “The Netherlands – More cybersecurityraad.nl/010_Actueel/ Stringent Data Protection Law and Advies_zorgplichten_bedrijven.aspx. a DPA that is Ready to Act in 2016,” 63. The Hague Security Delta, “Trusted February 29, 2016, http://www.lexology. Networks Initiative,” https://www. com/library/detail.aspx?g=ad2e6ff6- thehaguesecuritydelta.com/projects/ 3f68-4b74-bddf-ddffce701466. project/60-trusted-networks-initiative. 71. National Cyber Security Centre, “Cyber 64. National Cyber Security Centre, “Cyber Security Assessment Netherlands,” Security Assessment Netherlands (CSAN) (2016): 62, and CPB, “Cyber Security Risk 2016,” 60, and The Hague Security Assessment for the Economy,” (2016): 44. Delta, “Trusted Networks Initiative,”

45 72. National Cyber Security Centre, 82. National Cyber-Forensics & Training “Cyber Security Assessment Alliance, “Become a NCFTA Netherlands,” (2016): 64. Partner,” https://www.ncfta.net.

73. NWO, “NHTCU,” https://www. 83. National Cyber Security Centre, dcypher.nl/nl/content/nhtcu. “Safer Internet Day,” https://www. ncsc.nl/english/current-topics/ 74. Ibid. news/safer-internet-day.html.

75. Government of the Netherlands, “Crime 84. National Cyber Security Centre, and Crime Prevention,” https://www. “Responsible Disclosure Guideline,” government.nl/topics/crime-and- https://www.ncsc.nl/english/current-top- crime-prevention/contents/investiga- ics/responsible-disclosure-guideline.html. tion-and-prosecution-of-criminals. 85. CIO-Platform Nederland and Rabobank, 76. Abuse Information Exchange, “Coordinated Vulnerability Disclo- “Home,” https://www.abuseinfor- sure Manifesto,” May 12, 2016. mationexchange.nl/english. 86. National Coordinator for Security and 77. Jeroen Pijpker and Harald Vranken, Counterterrorism (NCTV), Ministry of “The Role of Internet Service Security and Justice, “Beleidsreactie Providers in Botnet Mitigation,” Cyber Security Beeld Nederland European Intelligence and Security 2016,” September 15, 2016. Informatics Conference, (2016): 26. 87. Confederation of Netherlands 78. LookingGlass, Threat Intelligence Industry and Employers (known Data, April 2017, https://www. as VNO-NCW), https://www.vno- lookingglasscyber.com. ncw.nl/over-vno-ncw/english.

79. “Cyber Security Assessment 88. Government of the Netherlands, Netherlands 2016,” 62. “Encouraging Innovation,” https:// www.government.nl/topics/en- 80. National Cyber Security Center, terprise-and-innovation/contents/ “Cooperation,” https://www. encouraging-innovation. ncsc.nl/english/Cooperation/public-private-partnership.html. 89. Ministry of Economic Affairs, “Progress through Renewal: 2016 81. The Platform for the Information Society Enterprise Policy Report,” 71. or ECP (Platform voor de Informatie- Samenleving) is an independent and 90. Ibid, 6. neutral platform where government, business, and civil society work together 91. Deloitte, “2014 Global Survey of R&D and share knowledge on the impact Tax Incentives,” (2014): 32, https:// on and responsible application of new www2.deloitte.com/content/dam/ technologies in the Dutch society. Deloitte/global/Documents/Tax/dttl- tax-global-rd-survey-aug-2014.pdf.

46 92. Government of the Netherlands, Opstelten Sign Letter of Intent on “Encouraging Innovation.” Cybersecurity Cooperation,” Feb- ruary 22, 2012, https://www.dhs. 93. Herbert Bos, Sandro Etalle, Frank Franse, gov/news/2012/02/22/secretary-na- and Erik Poll, “National Cyber Security politano-and-dutch-minister-securi- Research Agenda II,” Government of ty-and-justice-ivo-opstelten-sign. the Netherlands and NWO, (2013): 3 and 16-18, https://www.dcypher. 102. NWO, “Programme: Cyber Security,” nl/files/mediabank/NCSRA-II.pdf. http://www.nwo.nl/en/research-and-results/programmes/cyber+security, 94. Dutch Government, “National and Deloitte, “2014 Global Survey Cyber Security Strategy 2,” 10. of R&D Tax Incentives,” (2014): 32.

95. Dcypher, “About Us,” https://www. 103. QuTech, “About Us,” https:// dcypher.nl/en/content/about-us. qutech.nl/about-us/.

96. HSD Foundation, “About HSD,” https:// 104. The Dutch national research institute www.thehaguesecuritydelta.com/about. for mathematics and computer science, Centrum Wiskunde & Informatica 97. HSD Foundation, “Opening TNO Cyber (CWI), is an institute of the NWO. Threat Lab at HSD Campus,” December 21, 2016, https://www.thehaguesecuri- 105. QuSoft, “About,” http:// tydelta.com/news/newsitem/788-open- www.qusoft.org/about/. ing-tno-cyber-threat-lab-at-hsd-campus. 106. European Commission, “European 98. HSD Foundation, “Funding for Commission will Launch €1 Billion Research to Design National Cyber Quantum Technology Flagship,” Testbed,” April 4, 2016, https:// May 17, 2016, https://ec.europa.eu/ www.thehaguesecuritydelta.com/ digital-single-market/en/news/euro- news/newsitem/614-funding-for-re- pean-commission-will-launch-eu1-bil- search-to-design-national-cyber-testbed. lion-quantum-technologies-flagship .

99. SBIR, “SBIR Cyber Security,” Septem- 107. NWO, “Background,” http://www.nwo. ber 25, 2014, https://www.dcypher. nl/en/research-and-results/programmes/ nl/files/downloads/Digital_Intelli- cyber+security/background. gence_Group_projectCyberscan.pdf. 108. NWO, “Government and NWO Invest 100. Dennis Huele, “SBIR Cyber Security More Than 6 Million Euros in Cyber Tender III,” http://www.rvo.nl/sites/ Security Research,” November 14, 2013, default/files/2016/11/Presentatie_ http://www.nwo.nl/en/news-and-events/ SBIR_cyber_security_tender_III.pdf. news/2013/ew%5B2%5D/government- and-nwo-invest-more-than-6-million- 101. US Department of Homeland Security, euros-in-cyber-security-research.html. “Secretary Napolitano and Dutch Minister of Security and Justice Ivo

47 109. Netherlands Enterprise Agency, thehaguesecuritydelta.com/news/ “Horizon 2020,” http://english.rvo.nl/ newsitem/749-cyber-threats-calls-for-ad- subsidies-programmes/horizon-2020. ditional-measures.

110. Dutch Ministry of Security and Justice, 118. “Dutch Investments in ICT “National Cyber Security Strategy 1: and Cybersecurity,” 19. Success Through Cooperation,” 8. 119. Government of the Netherlands, 111. Based on estimations from “Speech by Minister Koenders at Nederland ICT. International Security Conference in Munich,” February 12, 2016, https:// 112. University of Amsterdam, “Computer www.government.nl/documents/speech- Science: Education,” http://www. es/2016/02/12/speech-minister-ko- uva.nl/en/disciplines/computer-sci- enders-at-munchner-sicherheitskonferenz. ence/education; and Universiteit Leiden “Cyber Security,” http:// 120. Ibid. en.mastersinleiden.nl/programmes/ cyber-security/en/introduction. 121. Government of the Netherlands, “International Security Strategy,” (June 113. Cyber Security Academy, 2013): 14, https://www.government.nl/ “About the CSA,” https://www. documents/policy-notes/2013/06/21/ csacademy.nl/en/about-csa. international-security-strategy.

114. Francesca Spidalieri, “One Leader 122. Dutch Government, “National at a Time: The Failure to Educate Cyber Security Strategy 2,” 17. Future Leaders for an Age of Per- sistent Cyber Threat,” Pell Center, 123. Ibid. March 2013, http://pellcenter.org/ wp-content/uploads/2015/05/ 124. Janene Pieters, “Dutch Govt. Launches One-Leader-at-a-Time.pdf. International Cyber Security Strategy,” NL Times, February 13, 2017, http://nl- 115. “Cyber Security Assessment times.nl/2017/02/13/dutch-govt-launch- Netherlands 2016,” 43. es-international-cyber-security-strategy.

116. Rene Millman, “Dutch Watchdog 125. Ministry of Foreign Affairs, “Fact- Sues Samsung Over Lack of Security sheet Task Force Cyber,” 2017. Updates,” SC Magazine, January 22, 2016, https://www.scmagazineuk. 126. Government of the Netherlands, “Inter- com/dutch-watchdog-sues-samsung- national Security Strategy” (2013): 9. over-lack-of-android-security-updates/ 127. OSCE, “Permanent Council Deci- article/531383/. sion No. 1106,” December 3, 2013, 117. “Cyber Threats Call for Additional http://www.osce.org/pc/109168, Measures,” The Hague Security Del- and OSCE, “Permanent Council De- ta, October 6, 2016, https://www. cision No. 1202,” March 10, 2016, http:// www.osce.org/pc/227281.

48 128. The Global Forum on Cyber 139. General Intelligence and Security Expertise, “Overview,” https:// Service, “Joint Sigint Cyber Unit,” www.thegfce.com/about. https://english.aivd.nl/about-aivd/ contents/the-aivd-who-we-are. 129. The Hague Centre for Strategic Studies, “The Global Commission on 140. Janene Pieters, “Proposed Law Allows the Stability of Cyberspace,” Feb- Massive Data Mining by Intelligence ruary 17, 2017, http://hcss.nl/news/ Agencies,” NL Times, April 15, global-commission-stability-cyberspace. 2016, http://nltimes.nl/2016/04/15/ proposed-law-allows-massive-da- 130. Dutch Government, “National ta-mining-intelligence-agencies. Cyber Security Strategy 2,” 25. 141. Netherlands Defence Intelligence 131. Freedom Online Coalition, “About and Security Service, “DISS Annual Us,” https://www.freedomon- Report,” (June 2013): 12. linecoalition.com/about/. 142. Royal Netherlands Army, “Minister of 132. Ministry of Foreign Affairs, “Fact- Defence launches Defence Cyber Com- sheet Task Force Cyber,” 2017. mand,” September 25, 2014, https:// www.defensie.nl/english/organisation/ 133. Melissa Hathaway’s interview with army/news/2014/09/25/minister-of-de- Dutch government officials, Wash- fence-launches-defence-cyber-command. ington D.C., March 28, 2017. 143. NATO’s Information Assurance and 134. Ministry of Foreign Affairs, “International Cyber Defense Symposium, Mons, Cyber Strategy: Toward an integrated Belgium, September 17, 2014. international cyber policy,” Section 3.4. 144. International Strategy Section 3.2 135. Ministry of Foreign Affairs, “International Cyber Strategy: Toward an integrated 145. NATO CCDCOE, Statements by Briga- international cyber policy,” Section 3.2. dier General Hans Folmer at the 2016 International Conference on Cyber 136. Minister of Defense Hans Hillen’s letter Conflict, https://ccdcoe.org/cycon/ accompanying the 2012 “Defence content/international-cyber-confer- Cyber Strategy,” June 27, 2012. ence-opens-tomorrow-tallinn.html.

137. Ministry of Defense, “Defence Cyber 146. Ibid. Strategy,” (June 2012): 6 https:// ccdcoe.org/sites/default/files/strat- 147. Ibid. egy/NDL-Cyber_StrategyEng.pdf. 148. “Rijksbegroting,” chapter X, 111, 138. Ministry of Defense, “Defence Cyber http://www.rijksbegroting.nl. Strategy,” (February 2015), https://www. defensie.nl/english/topics/cyber-security/ contents/defence-cyber-strategy.

49 ABOUT THE AUTHORS

Melissa Hathaway is a leading expert in cyberspace policy and cyber security. She served in two US presidential administrations, spearheading the Cyberspace Policy Review for President Barack Obama and leading the Comprehensive National Cybersecurity Initiative (CNCI) for President George W. Bush. Today, she is a Senior Fellow and a member of the Board of Regents at Potomac Institute for Policy Studies. She is also a Senior Advisor at Harvard Kennedy School’s Belfer Cen- ter for Science and International Affairs, a Distinguished Fellow at the Centre for International Governance Innovation in Canada, a non-resident Research Fellow at the Kosciuszko Institute in Poland, and she is President of Hathaway Global Strategies LLC, her own consultancy.

Melissa developed a unique methodology for evaluating and measuring national levels of preparedness for certain cyber security risks, known as the Cyber Readiness Index (CRI). The CRI methodology is available in Arabic, Chinese, English, French, Russian, and Spanish, and is being applied to 125 countries. The CRI country profiles of France, Germany, India, Italy, Japan, the Netherlands, the United Kingdom, and the United States can be found at the following link: http://www.potomacinstitute.org/academic-centers/cyber-readiness-index.

Having served on the board of directors for two public companies and three non-profit organizations, and as a strategic advisor to a number of public and private companies, Melissa brings a unique combination of policy and technical expertise, as well as board room experience to help others better understand the intersection of government policy, developing technological and industry trends, and economic drivers that impact acquisition and business development strategy in this field. She publishes regularly on cyber security matters affecting companies and countries. Most of her articles can be found at the following website: http://belfercenter.ksg.harvard.edu/experts/2132/melissa_hathaway.html.

Francesca Spidalieri Francesca Spidalieri is the co-principal investigator on the Cyber Readiness Index Project at the Potomac Institute for Policy Studies. She also serves as the Senior Fellow for Cyber Leadership at the Pell Center, at Salve Regina University, as a Distinguished Fellow at the Ponemon Institute, and as 2017 Transatlantic Digital Debates Fellow at New America and at the Global Public Policy Institute. Her academic research and publications focus on cyber leadership development, cyber risk management, cyber education, and cyber security workforce development. She also published a report, entitled State of the States on Cybersecurity, that applies the Cyber Readiness Index 1.0 at the US state level.

All her additional studies can be found at the following link: http://pellcenter.org/cyber-leadership/.

50 For more information or to provide data to the CRI 2.0 methodology, please contact: [email protected]

The CRI 2.0 methodology is available in Arabic, Chinese, English, French, Russian, and Spanish, and is currently being applied to 125 countries.

The CRI country profiles of France, Germany, India, Italy, Japan, the Netherlands, the United Kingdom, and the United States can be found at the following link: http://www.potomacinstitute.org/academic-centers/cyber-readiness-index. POTOMAC INSTITUTE FOR POLICY STUDIES 901 N . Stuart St . Suite 1200, Arlington, VA 22203 www.potomacinstitute.org