“No country is cyber-ready”
“No country is cyber-ready”

An assessment of The Netherlands' preparations for cyber-crime and cyber-warfare has found the country is prepared on several fronts but there is still room for improvement.

The report, The Netherlands Cyber Readiness at a Glance by Melissa Hathaway and Francesca Spidalieri, assessed the country against seventy unique indicators grouped into seven categories. Published by the Potomac Institute for Policy Studies in the US, the report is the eighth in a series that have also analysed the US, France, Japan, Germany, UK, India and Italy. There is also a foundational report, The Cyber Readiness Index 2.0: A Plan for Cyber Readiness.

The report was funded by the Netherlands' National Coordinator for Security and Counterterrorism.

Patricia Zorko, the deputy national coordinator for security and counterterrorism and director of the Cyber Security Department, said, “The CRI analysis states clearly that the Netherlands are on their way in becoming cyber-ready and underlines how important it is to continue our efforts to strengthen and mainstream cyber-security in the Netherlands.”

The Netherlands' strong point was defence and crisis response and its weakest point was its structures around information sharing, and the report did not score The Netherlands very well for its national strategy, giving it three out of possible five points on this critical issue, the lowest score so far for European countries.

The Netherlands created its first national cyber-security strategy in 2011 which set out five principles and called for the creation of a National Cyber Security Centre which was formed the following year. A second strategy was published in 2013 which has been criticised for failing to create any new funds for cyber-security and not centralising the decision-making processes around national cyber-defence.

According to the report, “In addition to persistent challenges with funding and devising an effective execution plan, it also remains to be seen whether the new government will be able to put forward a more balanced approach that aligns the country's national economic visions with its national security priorities in an increasingly interconnected and conflict-prone geopolitical system.”

On defence and crisis response, the report said that the Dutch government declared cyber to be the fifth domain of warfare – in addition to air, sea, land and space – and the ministry of defence has continued to invest in cyber-defences despite large cuts in traditional military spending.

However, it concluded: “The country clearly recognises that security is a prerequisite not only for a functioning society but for also the future of its economy. Yet, its vision and ambitious plans are not financed with sufficient money, materiel, or manpower. This means that the Dutch must capitalise on their pragmatic outlook and find creative means by which to attract, develop, and retain personnel; partner and leverage the EU, NATO, and other alliances to gain capability; and convince the new government to invest in their ambitious agenda with dedicated funds.”

Despite creating its National Cyber Security Centre to facilitate information sharing, the report concluded that the “necessary incentives” for information sharing were lacking, and it urged the government to use Schiphol Airport and the Port of Rotterdam as case studies for public-private information sharing.

 Melissa Hathaway at the launch of the report
Hathaway, principal investigator on the CRI series, summarised the Netherlands' cyber-security posture: “The Netherlands, like many other developed countries, has started to develop multiple plans, policies and strategies to combat cyber-threats, protect the value of their digital investments, preserve their national and economic security and reach the ambitious goals set forth in their strategies.

“The publication of its two comprehensive national cyber-security strategies, the development of its strong national cyber-security architecture with military and intelligence services contributing to a whole-of-nation cyber-defense, and its proactive efforts to shape cyber-policy discussions in multiple international fora demonstrate that the Netherlands is committed to advancing its cyber-readiness.

“Nonetheless, as cyber-threats to the Netherlands continue to grow in scope, volume and sophistication, it will be essential to accelerate existing civil-military cooperation, increase dedicated funding, clarify the division of responsibilities among actors and measure the true costs of cyber-insecurity to the country.”

Hathaway has commented in the past – and it's quoted on the Potomac Institute website – that “no country is cyber-ready”.

Cyber-readiness index scores by country assessed so far

Country (scores out of possible 5)

National strategy

Incident response

E-crime & law enforcement

Information sharing

Cyber R&D

Diplomacy & trade

Defence & crisis response

US

2.5

4.0

3.8

3.9

4.5

4.6

4.8

France

3.5

3.8

4.0

3.1

3.1

4.0

4.8

Japan

3.3

3.3

3.7

3.7

3.0

3.8

2.2

Germany

3.5

4.0

4.0

3.6

3.0

3.0

4.0

UK

4.0

4.1

4.7

3.8

4.0

4.4

4.0

India

2.2

2.5

2.8

2.2

2.6

3.5

1.6

Italy

3.3

3.4

4.0

3.1

2.5

2.6

2.2

The Netherlands

3.0

3.3

3.8

2.8

3.4

3.4

4.0

The report has been welcomed by the Dutch government and cyber-security experts in Europe.

Koen Gijsbers, general manager at the NATO Communications and Information Agency, told SC Media UK via email that it's very relevant to put metrics against cyber-security performance at a national level, “not just for knowing where they stand themselves, but also for collective defence of the Alliance”.

“In this case, the assessment shows that my nation [The Netherlands] is having a lot of energy to improve and they have done a lot with limited resources. However, to further improve they need to address the resources issue. You cannot get cyber-security for free. I do not think the number mentioned by the CEO of Post NL, Herna Verhagen, is far off: at least ten percent of total IT cost should go to information assurance and cyber. I think the recent ransomware attacks [WannaCrypt0r] should be seen as a wake-up call.”

Ambassador Sorin Ducaru, assistant secretary general for the Emerging Security Challenges Division at NATO, told SC via email that countries across Europe are “stepping up their efforts” to combat cyber-threats. “Tools like the CRI can be especially constructive in helping a country to understand where they are when it comes to their national cyber-defences. Such a snapshot of a country's activities can enable frank discussion, including among senior leaders, on the state of a country's cyber-readiness. This in turn helps countries to prioritise investment and drive national capability development against the backdrop of connectivity and growth underpinned by safe and secure infrastructure. Thinking of national cyber-defence in this comprehensive manner – from both security and economic perspectives – is a particularly important contribution of the CRI approach.”

In a telephone interview with SC, Heli Tiirmaa-Klaar, head of cyber-policy coordination at the European External Action Service, praised the work The Netherlands has done to build its cyber-readiness.

According to its online profile, the European External Action Service supports the EU high representative, who is also a vice-president of the Commission and the president of the Foreign Affairs Council, in fulfilling his/her mandate to conduct the Common Foreign and Security Policy of the Union

Tiirmaa-Klaar was the lead author on the EU cyber-strategy. She believes that The Netherlands has been “leading” in many areas of European cyber-security. “They have good technical capabilities, they have a good awareness, they have made good proposals for international efforts, so The Netherlands is very visible in cyber when it comes to our work,” she said.

The Netherlands has developed a very good public-private communications partnership which is a model for other countries to adopt, she said. “In Europe, we have very differing preparedness levels of the countries. Our work here is to make sure that all the European countries have more or less the same level of playing field, in that case they will be more able to cooperate with each other.”

An index against which countries can benchmark themselves would enable them to self-assess their preparedness and prompt discussions both internally and internationally about cyber-security.

The European Union has many programmes to help less well-prepared countries improve their cyber-readiness, she said, including grants and training.

“And, of course, there are best practice collections available from the European Union Agency for Network and Information Security [ENISA], and there are some cooperation frameworks between all the 28 member states where they can learn from each other and they can discuss the best practices between each other,” she said.

All of the the CRI reports are available free of charge from the Potomac Institute website. The reports have also been translated into various languages including Russian.