The digital threat to national security is permanent. Nearly all vital processes and systems in the Netherlands are partly or entirely digitised, with hardly any fallback options or analogue alternatives available. These factors, combined with the inadequate level of cyber resilience, make the Netherlands vulnerable to digital attacks.
The effects of the significant investments by both government and the business community, the new cybersecurity notification obligation as well as more stringent laws and regulations will need to become visible in the next few years. This picture emerges from the Cyber Security Assessment Netherlands (CSBN) 2019.
Countries constitute a permanent threat
The greatest digital threat to national security emanates from countries such as China, Iran and Russia, in the form of espionage, disruption and sabotage. This has also emerged from the recent annual reports of the intelligence services. China poses the greatest threat of economic espionage by far. The Netherlands is an interesting target for espionage by Russia in light of the MH17 disaster and other factors.
The Netherlands depends on a handful of providers and countries, which makes us vulnerable to their changing intentions. The vast majority of hardware and software is either designed or produced in China and the USA. Furthermore, other countries can apply certain legislation that diverges from our privacy requirements or leads to unauthorised access to the data of Dutch users or businesses. On top of that, there is the undiminished threat of cyber crime. Given that hacking tools are readily available and limited knowledge is needed to launch a cyber attack, this is expected to remain a problem in the years ahead.
Lack of analogue alternatives and fallback options
Our almost total dependence on digitisation has made cyber security essential for the functioning of our society and economy. A single incident in a network can lead to a chain of incidents and eventually to gas, water and power outages. Due to the almost entire disappearance of analogue alternatives and the absence of fallback options, dependence has increased to such an extent that impairment can lead to socially disruptive damage. This need not always be the result of a cyberattack; a simple error alone can have profound consequences.
Cyber resilience still not up to scratch
Cyber resilience is the most important instrument for reducing risks, given that it is too complex to influence threats and dependence. Organisations continue to be the target of successful attacks with simple methods. Incidents could have been prevented and damage could have been mitigated by putting basic measures in place. It will remain a challenge in the years ahead to maintain cyber resilience at such a level that it will enable an effective response to the increasing level of dependence and the changing nature of the threat.