In May of last year, the US Government published its International Strategy for Cyberspace. The publication made some waves in the international community because in this document the US stated that military reprisals to cyber attacks were now officially on the table. More specifically, the US government stated that it ‘encouraged responsible behavior and oppose those who would seek to disrupt networks and systems, dissuading and deterring malicious actors and reserving the right to defend these national security and vital national assets as necessary and appropriate’ [emphasis mine]. This declaration of intent came after an ever-increasing number of (detected) attacks on USG networks and systems. The development of cyber capabilities by governments worldwide is also likely to have influenced the situation.
Whatever the underlying political reasons for publishing such a loaded statement, the publication is clearly intended to deter would-be attackers and, as such, is more or less aligned with one of the RAND Corporation’s Monograph studies during Project Air Force on CyberDeterrence and Cyberwar (freely available PDF). In this lengthy publication by the hand of Martin C. Libicki, the subject of CyberDeterrence is extensively studied and described. He approaches the subject from so many angles that it would make you smile if you didn’t have to read it all to get to the end. One especially important aspect of this discussion is the much-debated problem of attribution. Since retaliation and the threat thereof are a large part of deterrence, knowing who to strike is of paramount concern. Libicki describes various scenarios such as striking back at the wrong target or not striking at all, and how every scenario has its own consequences. Suffice it to say that if you, as an attacker, hide your tracks well enough (don’t forget the cyber intelligence aspect!), you won’t have many problems with retaliatory strikes. If you manage to implicate an innocent third party instead, you may even turn that into a distinct advantage. Considering that retaliation may now include kinetic attacks (bullets to bytes), it can be safely said that they have upped the proverbial ante.
You might be wondering what the point is of declaring retaliatory (potentially kinetic) attacks when every player in this field knows what the score is: No attribution – No problem. So why make a public statement about how you’re going to strike back if everyone knows it’s highly unlikely? Well, Libicki covers that too by describing the effects of not striking back, striking back silently, striking back publicly as well as not striking back publicly. I won’t copy/paste his work here, but reading between the lines I found that even though such a public statement is mostly a bluff, it is somewhat of a deterrent and it wins out over the downsides. Besides, and here is the succinct point of it all, declaring that you may use kinetic military options as a retaliatory measure doesn’t mean you are immediately obliged to actually do so.
In December of last year, the Dutch government was advised by the Advisory Council on International Affairs (AIV) (Dutch) to make a similar statement with regard to cyber attacks. If the Dutch government decides to take up the advice, The Netherlands will be in the same boat as the US when it comes to cyberdeterrence strategy. It doesn’t worry me. I feel that making such a statement to the world has more upsides than downsides and it shows backbone. When I, along with friend and fellow NCDI council member Niels Groeneveld, was asked to provide input to some of the questions the AIV was looking to answer, I found the discussion so interesting that I wrote several articles about it. See the “Questions from .GOV” series. I was happy to see that some of my input had been used, but it also more-or-less automatically disqualifies me from judging this advice. So I ask you: How do you feel?
As part of the Dutch National Cyber Security Strategy that was launched earlier this year, one of the two new entities has officially been stood up. On June 30th of this year, Dutch minister Ivo Opstelten (Ministry of Security and Justice) officially installed the Cyber Security Council. The council will be advising both government and private parties on relevant developments in the area of digital security.
The council will make a priority of IT threats, will look into the necessity for further research & development and will investigate how this knowledge is best shared between collaborating public and private parties. The council will also expressly look to basic values such as the importance of privacy or fundamental rights such as freedom of speech and gathering of information. The foundation of the advice the Council will supply will lie in public-private risk assessments. The first threat analysis in the area of Cyber Security is expected in October this year.
According to this government publication (warning, Dutch) the Cyber Security Council has been assembled based on balancing the public, private and scientific community with a broad spectrum in relevant Cyber Security issues and angles. It will feature a dual chairmanship. The Council currently consists of the following members:
- Eelco Blok, co-chairman of the Council, CEO KPN;
- Erik Akerboom, co-chairman, National Coordinator for Counterterrorism;
- Harry van Dorenmalen, on behalf of the IT suppliers, chairman IT~Office and Chairman IBM Europe;
- René Steenvoorden, on behalf of the major IT end users, chairman CIO Platform and CIO Rabobank;
- Frank Heemskerk, on behalf of the end users and SMEs, chairman of the ECP-EPN Supervisory Board and member of RVB Royal Haskoning;
- Ben Voorhorst, on behalf of the vital infrastructure, operational director Tennet and member of RVB Tennet;
- Professor Corien Prins, Tilburg University;
- Mark Dierikx, DG Energie, Telecom and Competition, Ministry of Economic Affairs, Agriculture and Innovation;
- Mark van Nimwegen, Board of Prosecutors General, cyber crime portfolio holder;
- Professor Michel van Eeten, TU Delft;
- Major General Koen Gijsbers, Chief Director Information Provision and Organisation, Ministry of Defence;
- Professor Bart Jacobs, Radboud University Nijmegen;
- Ruud Bik, KLPD Chief Constable;
- Jan Kees Goet, deputy Head AIVD.
The installation of the Cyber Security Council acts as a prelude to the investment of the National Cyber Security Centre, which is to be made operational on January 1st, 2012. The NCSC is to be the operational centre of knowledge and expertise brought together by a collaboration between the public and private sector. Though it is absolutely a positive development that the Cyber Security Council has been made operational so quickly, it is sad that the Dutch government did not provide a public course for other interested parties to participate. Obviously the first batch of members has been hand-picked and as such it could hardly be called a democratic process. Let us hope that this is changed rapidly so that more parties with experience in Cyber Security and Cyber Warfare can start assisting the Dutch government.
On February 24th of this year, a report was released by the Ministry of Security and Justice of the Dutch government with the alluring title “National Risk Assessment 2010” (PDF Alert – Dutch). This is not a new phenomenon; it’s a yearly recurring report that covers the results of scenarios thought up by the government in order to create or improve their strategies. What’s so special about the 2010 report is that for the first time ever, Cyber Conflict is a scenario being covered by the report.
In the scenario the Netherlands will be hit by a large-scale, coordinated cyber attack organized by an enemy state. These attacks debilitate the functioning of government institutions, parts of the critical infrastructure and commercial ventures. The IT infrastructure of several ministries is paralyzed, the electric grid in the provinces Gelderland and North Holland (think Amsterdam) is shut down, telephone traffic is seriously limited and satellite communications are down (limiting the Defence department’s ability to communicate with units abroad). International commerce and financial institutions are also severely hit.
Around September last year I wrote an article on the Dutch government promising a Cyber Security doctrine that was to determine the strategy the Netherlands was to follow in the areas of Cyber Crime, Cyber Warfare and generally all things related to Cyber Security. Well, this document has finally arrived, and can be found here (PDF alert – Dutch). It’s a decidedly vanilla document with not much meat to it, and the approach our government has taken looks a lot like that of the UK. That is to say: defend and extend on the commercial interests, partake in the various international initiatives pertaining to Cyber and don’t rock the boat too much (cost-wise).
The document outlines the following starting points:
- Connect and Strengthen existing initiatives
- Invest in Public-Private collaborations
- Personal responsibility (referring to end users protecting their own systems)
- Division of Responsibilities of the various Departments
- Active international collaboration
- All actions to be undertaken are proportional
- Self-regulation if possible, legislate if not
The list obviously isn’t anything new or exciting and has the added value of being very low-cost or even free. It’s about what you’d expect from a government that has to take a 30 billion spending cut. One has to wonder about the effectiveness of such an approach, seeing as how most of these points have been in place (and followed) for a while and have yet to yield the desired results. Taking a look at the proposed action plan, we see corresponding initiatives:
Creation of a Cyber Security Council and National Cyber Security Center
The cabinet establishes that caring for Cyber Security is now a burden for a multitude of organizations and departments, and so they wish to unify all these efforts into two centers: The National Cyber Security Council and a National Cyber Security Center. The Security Council is the new organization where the strategy will be established by representatives of all involved parties. The Cyber Security Center will essentially be its executing branch, and act as a place where information, knowledge and expertise are shared amongst the participants. The government urges all public and private parties to join in, and is working on a collaboration model to this end. They also intend to expand and strengthen GOVCERT, and to make GOVCERT a part of the Security Center.
Create Threat- and Risk analyses
By sharing information, knowledge and expertise, the cabinet aims to build threat- and risk analysis so that they can chart weak spots and strengthen the segments that need fixing. The AIVD and MIVD (Dutch Intelligence communities) will insert their knowledge and if necessary, increase their cyber capabilities. This initiative is to yield a yearly National Threat Assessment, which is to inform the Government on current or pending risks.
Increasing resilience of critical infrastructure
The Dutch approach to Cyber Security has so far always hinged on business continuity rather than prevention or actual security. The document refers to an existing initiative from the ‘old days’ called the CPNI (Informatieknooppunt Cybercrime, or Infopoint Cybercrime), and how this initiative is eventually to be folded into the Cyber Security Center. Also, the existing Telecommunications Act will be updated in 2011 to accommodate various new factors. Through the following measures, the government hopes to create more Cyber Security momentum: