On february 24th of this year, a report was released by the Ministry of Security and Justice of the Dutch government with the alluring title “National Risk Assessment 2010” (PDF Alert – Dutch). This is not a new phenomenon, its a yearly recurring report that covers the results of scenarios thought up by the government in order to create or improve their strategies. Whats so special about the 2010 report is that for the first time ever, Cyber Conflict is a scenario being covered by the report.
In the scenario the Netherlands will be hit by a large-scale, coordinated cyber attack organized by an enemy state. These attacks debilitate the functioning of government institutions, parts of the critical infrastructure and commercial ventures. The IT infrastructure of several ministries are paralyzed, the electric grid in the provinces Gelderland and North Holland (think Amsterdam) shut down, telephone traffic is seriously limited and satellite communications are down (limiting the Defence departments´ ability to communicate with units abroad). International commerce and financial institutions are also severely hit.
What may surprise the average person, but what seems to be typical in cyber conflicts, is the amount of time it takes for the government to realise that it is being deliberately targeted by an enemy nation through cyber attacks. For a long time the events seem uncorrelated and this leaves the government (and, I would think, the commercial institutions mentioned) fighting the symptoms rather than the cause. The damaged parties limit their response to recovering the damaged systems and to increase security of their networks. The government lacks capacity to deal with the threat and clear and decisive handling of the situation is nowhere in sight. The government loses control over (parts of) its infrastructure because of the attacks and it is acknowledged as a violation of sovereign territory. Though not completely shut down, emergency services such as police, ambulance and fire departments are severely limited. Functioning of large parts of the government is dealt a dramatic blow by the shutdown of its IT networks, including the Second Chamber (Tweede Kamer). The damage to IT services is visible nation-wide and its citizens experience severe problems in direct relation to it. Several vital sectors are hit and recovery seems far away, leading to much uncertainty with the populace. The people are rapidly losing faith in the government to deal with the situation.
Though there are no solid leads that the Netherlands will face such an attack, experts agree that the scenario is technically possible and imaginable. Also, in spite of the extensive security measures put in place, the vulnerability is a big one. The Netherlands is a very ´connected´ nation and though we are but a small nation, the impact of a large scale cyber conflict would be great. In the report, the government acknowledges that several examples can be named where this has happened, such as Estonia (2007) and Georgia (2008). They also mention that 14 factories running Siemens software have been hit by the Stuxnet worm. As technology continues to develop, the Netherlands will become more connected, which makes this scenario more likely. As an appendix the lilelyhood and impact have been assessed of all scenarios. Cyber Conflict has been rated as Probable, with an impact score that ranges from zero to severe. Whats notable is that the damage will be mostly social-psychological in nature.
Points for Improvement
From the analysis it becomes clear that the following points should at least be developed or improved upon:
Centralized command for cyber security needs to be created
Interests of National Security should be integrated with international policy
Gathering, analysis and sharing of information needs to be improved
National and flexible insertion of cyber security expertise needs to be developed
A National policy with regards to defensive capacities needs to be developed
The report continues to elaborate on what initiatives have already been taken to assist in improving the Dutch defensive posture, but most of this has already been covered in an earlier article I wrote about the Dutch Cyber Security Strategy that was released a while ago. It is nevertheless good to see that the Dutch government takes the possibility of Cyber Warfare seriously and initiatives are being taken to minimize the damage and secure its citizens. The odds of successfully fending off a large scale cyber conflict are against them, but I don´t believe that there is any other ´connected´ nation who is faring any better. Luckily many of the earlier initiatives with regards to Critical Infrastructure have been about recovering services, and this may very well be our saving grace if we ever do get hit.