Dutch Cyber Security Council Invested

As part of the Dutch National Cyber Security Strategy that was launched earlier this year, one of the two new entities has officially been stood up. On June 30th of this year, Dutch minister Ivo Opstelten (Ministry of Security and Justice) officially installed the Cyber Security Council. The council will be advising both government and private parties on relevant developments in the area of digital security.

The council will make a priority of IT threats, will look into the necessity for further research & development and will investigate how this knowledge is best shared between collaborating public and private parties. The council will also expressly look to basic values such as the importance of privacy or fundamental rights such as freedom of speech and gathering of information. The foundation of the advice the Council will supply will lie in public-private risk assessments. The first threat analysis in the area of Cyber Security will be expected in October this year.

According to this government publication (warning, Dutch) the Cyber Security Council has been assembled based on balancing the public, private and scientific community with a broad spectrum in relevant Cyber Security issues and angles. It will feature a dual chairmanship. The Council currently exists of the following members:

  • Eelco Blok, co-chairman of the Council, CEO KPN;
  • Erik Akerboom, co-chairman. National Coordinator for Counterterrorism
  • Harry van Dorenmalen, on behalf of the IT suppliers, chairman IT~Office and Chairman IBM Europe
  • René Steenvoorden, on behalf of the major IT end users, chairman CIO Platform and CIO Rabobank
  • Frank Heemskerk, on behalf of the end users and SMEs, chairman of the ECP-EPN Supervisory Board and member of RVB Royal Haskoning;
  • Ben Voorhorst, on behalf of the vital infrastructure, operational director Tennet and member of RVB Tennet;
  • Professor Corien Prins, Tilburg University;
  • Mark Dierikx, DG Energie, Telecom and Competition, Ministry of Economic Affairs, Agriculture and Innovation;
  • Mark van Nimwegen, Board of Prosecutors General, cyber crime portfolio holder;
  • Professor Michel van Eeten, TU Delft;
  • Major General Koen Gijsbers, Chief Director Information Provision and Organisation, Ministry of Defence;
  • Professor Bart Jacobs, Radboud University Nijmegen;
  • Ruud Bik, KLPD Chief Constable;
  • Jan Kees Goet, deputy Head AIVD;

The installation of the Cyber Security Council acts as a prelude to the investment of the National Cyber Security Centre, which is to be made operational on January 1st, 2012. The NCSC is to be the operational centre of knowledge and expertise brought together by a collaboration between the public and private sector. Though it is absolutely a positive development that the Cyber Security Council has been made operational so quick, it is sad that the Dutch government did not provide a public course for other interested parties to participate. Obviously the first batch of members have been hand-picked and as such it could hardly be called a democratic process. Let us hope that this is changed rapidly so that more parties with experience in Cyber Security and Cyber Warfare can start assisting the Dutch government.

 

Dutch National Cyber Security Strategy – Blessing or Curse?

Around September last year I wrote an article on the Dutch government promising a Cyber Security doctrine that was to determine the strategy the Netherlands was to follow in the areas of Cyber Crime, Cyber Warfare and generally all things related to Cyber Security. Well this document has finally arrived, and can be found here (PDF alert – Dutch). Its a decidedly vanilla document with not much meat to it, and the approach our government has taken looks a lot like that of the UK. That is to say: defend and extend on the commercial interests, partake in the various international initiatives pertaining to Cyber and don´t rock the boat too much (cost-wise).

The document outlines the following starting points:

  • Connect and Strengthen existing initiatives
  • Invest in Public-Private collaborations
  • Personal responsibility (referring to endusers protecting their own systems)
  • Division of Responsibilities of the various Departments
  • Active international collaboration
  • All actions to be undertaken are proportional
  • Selfregulation if possible, legislate if not

The list obviously isn´t anything new or exciting and has the added value of being very low-cost or even free. Its about what you´d expect from a government that has to take a 30 billion spending cut. One has to wonder about the effectiveness of such an approach, seeing as how most of these points have been in place (and followed) for a while and have yet to yield the desired results. Taking a look at the proposed action plan, we see corresponding initiatives:

Creation of a Cyber Security Council and National Cyber Security Center
The cabinet establishes that caring for Cyber Security is now a burden for a multitude of organizations and departments, and so they wish to unify all these efforts into two centers: The National Cyber Security Council and a National Cyber Security Center. The Security Council is the new organization where the strategy will be established by representatives of all involved parties. The Cyber Security Center will essentially be its  executing branch, and act as a place where information, knowledge and expertise is shared amongst the participants. The government urges all public and private parties to join in, and is working on a collaborationmodel to this end. They also intend to expand and strengthen GOVCERT, and to make GOVCERT a part of the Security Center.

Create Threat- and Risk analyses
By sharing information, knowledge and expertise, the cabinet aims to build threat- and risk analysis so that they can chart weak spots and strengthen the segments that need fixing. The  AIVD and MIVD (Dutch Intelligence communities) will insert their knowledge and if necessary, increase their cyber capabilities. This initiative is to yield a yearly National Threat Assessment, which is to inform the Government on current or pending risks.

Increasing resilience of critical infrastructure
The Dutch approach to Cyber Security has so far always hinged on business continuity rather than prevention or actual security. The document refers to an existing initiative from the ´old days´ called the CPNI (Informatieknooppunt Cybercrime, or Infopoint Cybercrime), and how this initiative is eventually to be folded into the Cyber Security Center. Also, the existing Telecommunications Act will be actualized in 2011 to accomodate for various new factors. Through the following measures, the government hopes to create more Cyber Security momentum:

(more…)