Posted in:

EuroFocus: The Netherlands

The Low Countries are on high alert as the Dutch seek to make the Netherlands Europe’s cyber-securest country for business. By James Hayes.

The Netherlands, like other nations in Europe, is confronted by two estimable cyber security challenges. One of these is well known: how to protect its citizens, society and economy from harm posed by cyber criminals, state-sponsored agents, and other malevolent online threats. The second challenge is to make its financial environments secure for the safe conduct of the trade and investment its economy needs.

As Europe’s economies rely increasingly on investment from around the world to fund economic growth and sustainability, concern grows that venture capitalists from outside the continent will be deterred from economies beset by cyber threats. Or, to put it another way, they are more likely to invest in economies known to be digitally protected places for business venture.

Furthermore, the Netherlands itself is a vibrant digital consumer market. By 2017 the Netherlands had an internet penetration rate of 98% (against a European average of 87%), according to Statistics Netherlands-CBS. Additionally, the Netherlands is a frontrunner in online banking with more than 80% uptake, and its citizens and businesses represent Europe’s fourth largest ecommerce market. Despite its comparatively modest size and population, as the country becomes more connected and its economic future becomes more digitally-dependent, it must also address cyber security and become a ‘safe place to do business’.

The Netherlands government has historically made this issue central to its national cyber doctrine: a cyber-secure digital environment helps national and international economic growth, and attracts money from overseas. “If we are to continue to be able to exploit the opportunities of digitalisation in the long-term, we must be able to securely navigate the digital world,” said the Netherlands’ Minister of Justice and Security in the introduction to his country’s National Cyber Security Agenda. “Cyber security is now the foundation for all successful entrepreneurship and administration and for confidence in the digital domain: this shared interest means that we are mutually dependent and share responsibility for national security.”

The Dutch embarked on this programme emboldened, arguably, by their digital maturity: the country embrace the internet revolution of the 1990s much faster – and more enthusiastically – than any other EU state, both in terms of state endorsement and social adoption. Much of its national cyber security policy is framed in the context of economic defence.

A 2017 assessment by the Potomac Institute for Policy Studies – entitled Netherlands Cyber Readiness – declared that the country has become one of the world’s ‘most technologically advanced and highly connected countries’, one that it ranks among the top 10 most connected countries globally. The Dutch National Cyber Security Centre (NCSC)’s Cyber Security Assessment Netherlands 2018 study quotes the Dutch Government’s ‘Economic and Social Need for More Cyber Security’ report as noting that the Netherlands has developed into one of the most IT intensive economies in Europe: this it owes to its well-developed digital infrastructure. However, this lead has also meant that the county has suffered greater exposure to digital threats and digital risks earlier and more extensively than other European nation states.

Of course, none of the developed world’s economies are now immune to the cyber threat scourge; and even though much cyber attack activity emanates from internal economic competitors, as a centre for global financial activity, it’s not surprising if the Netherlands’ financiers, industrialists, and its homeland security agencies, have profound concerns about the impact it has on their national economic health.

NATIONAL ROLE IN EUROPEAN CYBER DEFENCE

Digital maturity also brings extra levels of state responsibility. Countries are highly dependent upon each other precisely because the digital domain has a cross-border nature. The Amsterdam Internet Exchange (AMS-IX) is the world’s third-largest Internet exchange point by size (maximum throughput 6,663Gbps): thousands of businesses rely on it. Attacks on Dutch digital infrastructure by malevolent Dutch or foreign threat actors would result in huge problems in other countries around the world. Those countries could hold the Netherlands accountable at a national state level.

The governance of this mighty status has become more crucial since 2016, the Potomac Institute for Policy Studies Netherlands Cyber Readiness report suggests. This is because the Netherlands could ‘bridge’ the UK and Europe during the former’s transitional relationship with Europe due to Brexit: ‘The Netherlands has also the opportunity to position itself as a more politically stable country for conducting business during a time of increased populist movements throughout Europe’, the report avers.

Yet despite this aspiration, the Netherlands faces high levels of cyber crime, industrial espionage, disruption of critical services, and other malicious cyber activities. So, the Dutch take their stately cyber security responsibilities very seriously. The Netherlands is also host to a multitude of important pan-European cyber security bodies and law enforcement agencies.

They include the already-mentioned NCSC (the Netherlands central information hub and centre of expertise for cyber security), the Hague Security Delta (HSD), Europol and its EU European Cybercrime Centre (EC3), the European Network for Cyber Security (ENCS), the NATO Communications & Information Agency, Netherlands Defence Intelligence and Security Service (DISS), and the Cyber Security Academy (CSA). Just about all of these are located in or near The Hague.

It’s probable that having them at work within its borders has, on occasion, drawn Dutch cyber threat counteraction into the public arena. The most high-profile recent example of this is April 2018’s disruption by DISS of a cyber operation being carried out in The Hague by a Russian military intelligence team. Their target was the Organisation for the Prohibition of Chemical Weapons (OPCW). This body’s mission is to implement the provisions of the Chemical Weapons Convention.

The Russian operatives had set up in a car close to the OPCW headquarters as they prepared to hack into its IT infrastructure via its Wi-Fi network, reportedly. Before they could strike, they were apprehended by DISS officers. The Russians, who reportedly travelled on diplomatic passports, were subsequently deported back to their homeland.

“Our exposure of this Russian cyber operation is intended as an unambiguous message that the Russian Federation must refrain from such actions,” commented Dutch Defence Minister Ank Bijleveld. “The Netherlands is responsible for protecting international organisations within its borders, and that is what we have done.”

The growth in cyber security systems in The Netherlands, can (at least partly) be attributed to the gamut of national laws and regulations that contain security obligations and requirements, notably the Wet Bescherming Persoonsgegevens, and the EU GDPR (General Data Protection Regulation).

National policy guidelines also feature in the National Cybersecurity Strategy as well as a Defence Cyber Strategy, which are both implemented by the NCSC. Additionally, the Dutch Parliament has approved the installation of a Digital Trust Centre (DTC) that will serve to improve cyber security of ‘non-vital’ sectors – e.g., cyber-vulnerable SMEs.

ECONOMIC IMPACT TO BUSINESSES

Despite – or possibly because of – its redoubtable cyber defensive stance in both policy and practice, the Netherlands is subject to a high volume of cyber attacks. And, in terms of financial losses, it hurts. As long ago as 2014, McAfee reported that cyber crime cost the Netherlands at least €8.8bn per year. Deloitte’s 2017 study Cyber Value at Risk in the Netherlands estimated that the Dutch economy loses an expected €10bn in value per year, or approximately 1.5% of its GDP, to cyber criminals.

The size of this impact is, in part, reflective of the extent to which the Netherlands’ economy has become digitalised in recent years. This is about the same estimated amount suffered by the UK, which has a much higher value GDP. Many of the Netherlands’ organisations are challenged by maintaining effective cyber defences against onslaught after onslaught, at a time when they are also having to wrestle with digital transformation. For most large Dutch organisations, the uncertainty and impact created by cyber risk are significant, but – reports suggest – do not nullify the benefits of their transitioning business operations to wholly digital enabling technologies.

How sensitive this balance is is reflected by Deloitte’s view that, of the expected loss, approximately 75% – or €7.5bn – is loss of opportunity, and in turn, about 65% of that is long-term impact that materialises more than a year later. Of the total expected impact of €10bn per year, Deloitte attributes €9bn to large organisations, and the remaining €1bn is borne by SMEs (while accounting for 30% of total GNP income).

And then there is the fallout of GDPR enaction. When the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, DDPA) released its GDPR fining policy, it was the first EU information commission to do so. While the DDPA has yet to explicitly state how it will categorise GDPR violations, it has made public a list of what it calls ‘relevant factors’ to determine a severity of a violation.

Factors include the duration of the infringement, the number of data subjects (people) affected, how quick the company reacts, and what type of personal data is involved. The DDPA did not issued its first GDPR penalty until July 2019. A fine of €460,000 was imposed on the Dutch Haga Hospital for having an insufficient internal security of patient records.

CRITICAL NATIONAL INFRASTRUCTURE EXPOSURE

The Netherlands’ name originates in the native-language reference to its low elevation and flat topography, with only about 50% of its land exceeding around 1m above sea level, and nearly 17% of Dutch territory actually falling below sea level. The country depends on its extensive system of canals, locks, and flood defences to manage its geographical challenges.

As such, the Netherlands’ water control infrastructure constitutes a major part of its crucial national infrastructure – and is thus a primarily target for cyber attackers who could exploit vulnerabilities for the purposes of extortion, or just to malicious ends. High-profile concern was raised in a report published earlier this year (2019), the Dutch Court of Audit declared that the Netherlands waterworks systems is not sufficiently protected against cyber attacks.

The report was acutely wide-ranging in its criticism of the slow progress the Rijkswaterstaat – the Dutch Directorate-General for Public Works & Water Management – is making toward making its infrastructure more cyber secure. Several of the waterworks managed by Rijkswaterstaat have been designated as ’vital’ (i.e., critical), which means that an attack on any of these can have major consequences for the Netherlands, and could prove much more of a risk than unforeseen natural disaster or technological malfunction.

The waterworks function on automated systems that mostly date from the 1980s and 1990s; this maturity leaves them largely unsecured against contemporary cyber threats. Furthermore, these legacy systems have, over time, been connected to centralised IT networks, to make them remotely controllable. Security on these systems was similarly not designed to be secure against malicious digital interference. The Court of Audit also found that not all these vital waterworks are connected to Rijkswaterstaat’s Security Operations Centre (SOC): ‘As a result, there is a risk that Rijkswaterstaat will not detect a cyber attack or detect it too late’, warned the report.

In its conclusion, the Court of Audit has advised the Dutch government Infrastructure and Water Management to investigate the current threat level against the waterworks and report back on whether additional people and resources are needed to close the risk gap.