Dutch cyber security strategy

Joost Bunk and Max Smeets

Introduction

The Netherlands is one of the most connected countries in the world. This is largely due to three international hubs: the Port of Rotterdam, Schiphol Airport, and the Amsterdam Internet Exchange (AMS-IX). Spanning across all five continents, interconnecting more than 800 communication networks by offering professional peering services to Internet Service Providers (ISPs),1 AMS-IX is one of the largest the internet exchanges in the world. The Netherlands is also a highly digitalized country. It has a large information communications technology sector, with innovative markets for services such as e-health and e-commerce. It has one of the strongest broadband connections in the world and a high internet penetration rate: about 95 percent of households have internet (The World Bank, 2019). The Dutch digital economy accounts for almost one quarter of the total Dutch economy (Organisation for Economic Co-operation and Development [OECD], 2015; The Hague Centre for Strategic Studies, 2016). This means the stakes are high when it comes to cyber security'." To capitalize on the social and economic opportunities offered by digitalization, over the past decade the Netherlands has started to recognize the importance of prioritizing cyber security though a series of policy initiatives and organizational reforms. The purpose of this chapter is to briefly review the Dutch government’s efforts in establishing and implementing an active and coherent cyber policy'.

Since 2010, the Netherlands has led a wide range of initiatives promoting cyber security and stability'. The government currently engages with a variety of stakeholders - including the private sector, civil society, state actors, and intergovernmental organizations — across multiple fora and organizations. Rather than being a passive participant, the Netherlands has been a catalyst, driving change in the field of cyber security' both domestically' and internationally. Yet, the challenge which lies ahead for the Dutch government is to make sure their cyber efforts as a whole will become greater than the sum of its parts. It will require increased coordination and collaboration across initiatives to turn the current patchwork into a synergistic endeavor. Our argument is presented in four parts. The first part provides an overview of the national cyber security strategies published since 2011. It also addresses which key' tenns have been defined by the Dutch government. The second part discusses the Dutch government’s views on sovereignty, international law and international cooperation. Part three analyzes the role of the private sector in the Netherlands. The final part concludes.

Statement of national cyber security strategy General overview

The Dutch government has published several white papers and national strategies on cyber security. An overview of the most important government publications is provided in Table 11.1. Issued by different government institutions with distinct organizational structure and mission, the publications listed in the table should not be seen as one continuous body of work by the Dutch government. Although some publications refer to and build on each other, there are inherent differences in where the focus of the publications lies.4

The first national cyber security strategy was published by the Dutch Ministry of Security and Justice in 2011. The document talks about the importance of secure and reliable ICT considering Dutch ambitions to become the “Digital Gateway to Europe” (Ministry of Security and Justice, 2011: 3). It addresses a range of issues that require consideration: improved coordination across initiatives, public—private cooperation, international cooperation in the EU and NATO context, the need for a balanced approach with respect to regulation, stimulating research and education, intensification of cybercrime forensics, enhancing the response capacity against cyberattacks, and building in resiliency of critical infrastructure. Yet, as the last sentence of the report indicates “[t]he activities listed above will be implemented within the existing budgets” (Ministry of Security and Justice, 2011: 15). In other words, there was a sense that much needed to be done within the government, but it lacked political consensus and urgency to spend significant resources on it. In more recent years, however, the Dutch budget for cyber security efforts has been steadily increasing. In the budget proposal for 2019, the Dutch

Table 11.1 Overview of Key Official Government Publications on Cyber Security

Title

Year

Published by

The National Cyber Security Strategy (NCCS)

2011

Ministry' of Security and Justice

Defensie Cyber Strategic (Defense Cyber Strategy) 2012 (DCS 2012)

2012

Ministry of Defense

National Cyber Security Strategy 2 (NCCS 2)

2013

The National Coordinator for Security and Counterterrorism

Letter to Parliament Defensie Cyber Strategie 2015 (LPDCS)

2015

Ministry of Defense

The Cabinet’s stance on Encryption (C-E)

2016

Minister of Security and Justice, & Minister of Economic Affairs

The Cabinet’s response to AIV/WRR Reports (C-AIV/WRR)

2016

The Cabinet

The Digital Agenda 2016—2017 (DA)

2016

Ministry of Economic Affairs

International Cyber Strategy (ICS)

2017

Ministry' of Foreign Affairs

National Cyber Security Agenda (NCSA)

2018

National Coordinator for Security and Counterterrorism

Defensie Cyber Strategie 2018 (DCS 2018)

2018

Ministry of Defense

government states it will invest 95 million euros in cyber security annually (Government of the Netherlands, 2019b: 16). The investment is dedicated to largely the same set of issues listed in the 2011 strategy.-’ Overall, whilst the priorities for cyber security have hardly changed, it can be

argued that slowly but surely resources are becoming available to actually implement these

6

measures.

The Ministry of Defense published its first national cyber defense strategy in 2012. The Dutch Ministry of Defense recognizes cyberspace as the fifth domain for military operations, along with air, sea, land, and space (2012: 4). The strategy does not only focus on strengthening cyber defense but also on improving the Dutch intelligence position in cyberspace and developing the military capability to conduct cyber operations. More specifically, the Defense Cyber Strategy has six broad focal points: 1) a comprehensive approach, 2) defense, 3) offense, 4) intelligence, 5) adaptive and innovative, and 6) cooperation. The same six focal points are adopted in the updated defense strategy published in 201S, with the underlying strategic principles of deterrence and resilience remaining largely unchanged. This means that whereas the US DoD and Cyber Command transition to a new strategic approach in 2018 - moving away from deterrence towards a strategy of persistent engagement and defend forward — the Dutch largely maintained the same posture over the years.7

One notable inclusion in the 2018 defense strategy, however, concerns the discussion on the need for public attribution as part of the deterrence strategy. According to the strategy:

[tjhe increasing cyber threat requires a strong international response based on international agreements. That is still insufficient. The government wants to more frequently approach cyber attack perpetrators (publicly) about their behavior. [...] An active political attribution policy contributes to the deterrent ability and making the Netherlands less attractive as a target of cyber attacks. A state actor who (publicly) is held accountable for his actions will make a different assessment than an attacker who can operate in complete anonymity. The Netherlands thus contributes to combating impunity in the digital domain.

(Ministry of Defence, 2018: 7)f

The discussion in the latest strategy of the Ministry of Defense follows two prominent public attribution cases by the Dutch government. In late 2018, it was announced that Dutch intelligence efforts in cooperation with UK counterparts helped to disrupt a cyber operation being carried out by a Russian military intelligence (GRU) team targeting the Organization for the Prohibition of Chemical Weapons (OPCW) in The Hague (Government of the Netherlands, 2018c). Equally, the revelation of Dutch reporters from Nieuwsutir and de Volkskrant that the Dutch Joint Sigint Cyber Unit (JSCU) gained access to computer systems of the Russian hacker group “Cozy Bear” in January 2018 reached international headlines - although there is no direct evidence which suggests this was a state-led effort to publicly disclose this information (Modderkolk, 2018; Smeets, 2018b). Both attacks were widely covered in the international media, praising Dutch cyber capabilities.

Finally, Table 11.2 provides an overview of the cyber threat perception across all main government publications. As the table suggests, since 2011 almost every publication observes a growing cyber threat. However, the strategic documents avoid calling out specific threat actors — even when discussing the different categories of cyber threats. When it does discuss specific actors, it is usually in the context of attacks on other countries.10 This is a significant

Table 11.2 Overview of the Perception of the Cyber Threat across Government Publications

Cyber threat

Key Threat Actors

Cyberterrorism

NCOS

Moderately higher

No

Yes, briefly

DCS 2012

Considerably higher

No

No

NCOS 2

Considerably higher

Yes, briefly.

No

LPDCS

Moderately higher

Yes, briefly

No

C-E

No mention

No

No

C-AIV/WRR

No mention

No

No

DA

Higher

No

No

ICS

Considerably higher

Yes (Russia)

No

NCSA

Considerably higher

Yes, moderately

No

DCS 2018

Higher

Yes, briefly

No

difference compared to other countries. For example, the South Korean national strategy talks about the need to develop offensive cyber capabilities to counter North Korea, and the latest US DoD cyber strategy talks about the need to defend forward in cyberspace prioritizing four actors: China, Russia, Iran, and North Korea (US Department of Defence, 2018).

The Dutch talk about the threat environment in more detail in a separate annual publication series entitled the “Cyber Security Assessment Netherlands” by the National Cyber Security Centre. The publications however rarely mention against which specific actors the Dutch government should primarily seek to disrupt and deter.

Definitions

First, the NCSS 2011 defines cyber security as “freedom from danger or damage due to the disruption, breakdown, or misuse of ICT” (National Cyber Security Centre |NCSC], 2011: 4). ICT is subsequently considered to be a “an umbrella term referring to digital information, information infrastructures, computers, systems, applications, plus the interaction between information technology and the physical world that is the subject of communications and information exchange” (NCSC, 2011: 3). The paper goes on to discuss the consequences that the lack of cyber security could have, stating that “the danger or damage resulting from disruption, breakdown, or misuse may consist of limitations to the availability or reliability of ICT, breaches of the confidentiality of information stored on ICT media, or damage to the integrity of that information” (NCSC, 2011: 30). The latest National Cyber Security Agenda, published in 2018, provides an equally broad definition: “Cybersecurity is the entirety of measures to prevent damage caused by disruption, failure or misuse of ICT and to recover should damage occur” (Ministry of Justice and Security, 2018: 9; National Coordinator for Security and Counterterrorism, 2018a).

Second, cyberterrorism does not receive widespread attention in the strategy documents of the Dutch government. The national cyber security assessments, published annually, indicate that terrorists could have intentions to commit “terrorist attacks using digital tools” (National Coordinator for Security and Counterterrorism [NCSC], 2018a: 17). Yet, terrorism is not considered one of the most worrisome cyber threats. It argues that terrorists prioritize physical attacks over cyberattacks as it would be easier to wreak havoc. Instead, terrorists primarily use the digital domain for fundraising and propaganda.

Third, a white paper entitled “Resilient Critical Infrastructure — A Factsheet,” published by The National Coordinator for Security and Counterterrorism (2018b), provides a detailed overview of what the Dutch government considers to be “critical infrastructure.” Published in December of 2017, it describes a large number of processes that, in case of breakdown or disruption, could lead to serious societal disruption. The paper identifies the responsible parties and puts each process into category “A” or “B”, depending on its importance to Dutch society and level of threat, i.e., “level of criticality'” (NCSC, 2017: 1). The following processes are considered to be category A: 1) national transport and distribution of electricity, 2) oil supply, drinking water supply, 3) flood defenses and water management, and 4) storage, production and processing of nuclear materials. Over a dozen other processes are grouped into category' B.

The Netherlands is an outlier in terms of how it defines critical infrastructure. Focusing on the processes themselves, like the distribution of electricity, rather than on broader sectors, like the electricity grid, its perspective on critical infrastructure is deliberately narrow. According to the Dutch government, this narrow understanding allows for more efficient allocation of sparse resources. The US government, in its 2001 Critical Infrastructures Protection, defined critical infrastructure more broadly as “systems and assets, whether physical or virtual” rather than processes (Cybersecurity & Infrastructure Security Agency [CISA|, n.d.; Legal Information Institute, 2001). The British Centre for the Protection of National Infrastructure has a very' broad definition, including not only' systems, assets and processes, but also networks, facilities and even “essential workers that operate and facilitate them” (2019). Germany’s Federal Office for Information Security (Bundesamt fur Sicherheit in der Informationstechnik) defines critical infrastructure as consisting of physical structures and facilities; considerably' different from the Dutch focus on less rigid and more specific aspects of the infrastructure, captured in the word “processes.” However, the recent Directive on security of network and information systems (NIS Directive) has led to a convergence in EU-members’ approach to critical infrastructure (European Commission, 2018).

International law and norms building International law

The Dutch relation with international law and their position on the applicability is firmly rooted in Dutch history'. This should be no surprise in the country of Hugo Grotius, a country with a strong tradition in international law, and in The Hague - city of peace and justice (Government of the Netherlands, 2018a). While the Dutch can pride themselves with centuries of engagement with international law, their official position on international law and cy'berspace is fairly young. In 2012 the Dutch government explicitly acknowledged in the Adviesraad Internationale Vraagstukken, Commissie van Advies Inzake Volkenrechtelijke Vraagstukken (C-AIV/WRR: 4) the applicability of jus ad helium in cyberspace: “the Government considers it important that the Committee stated that regarding digital attacks not a different regime applies then to violence in the physical domain.” In the same letter the government acknowledges the applicability' of jus in hello in cyberspace. In relation to jus in hello the government states that that digital acts of violence only fall under the law of armed conflict when they are committed in the context of an armed conflict, by the parties to that conflict. The government states that this is an important delimitation with respect to other actions of digital violence (C-AIV/ WRR, 2011: 7).

In the NCSS 2 the Netherlands recalled its position in the wider debate of international law and formulated a goal with regard to cyber diplomacy: “Therefore, with its position in the area of international law, the Netherlands wants to contribute to the discussions about the application of legal rules in the digital domain” (NCSC, 2013: 21). In the 2013 Dutch response to Resolution 67/27, establishing the UN GGE of 2013, it is stated that the Netherlands supports the European Union’s aims to ensure a secure Internet while promoting openness and freedom on the Internet, to encourage the development of confidence-building measures and norms of behavior and to apply existing international law in cyberspace (Secretary-General of the UN, 2013: 15). Furthermore, the Dutch

government’s belief is that the development of norms for state conduct does not require a reinvention of international law, but rather needs to ensure consistency in the application of existing international legal frameworks.

In 2015, during the hosting of the Global Conference on Cyberspace, through the Minister of Foreign Affairs, the government explicitly indicates that International Law as a whole — that is, all the conventional set of rules, agreements and treaties that are binding between countries — apply to cyberspace: “The rules and norms that apply offline, including the tenets of international law, most certainly apply online” (Government of the Netherlands, 2015: para. 20). In the Dutch response to Resolution 69/28, establishing the UN GGE of 2015, international human rights are emphasized, stating it is essential that fundamental rights are safeguarded. The Dutch response states that the same rights that people have offline must also be protected online. The submission furthermore commits the Netherlands to respect the following principles: the rule of law, legitimate purpose, non-arbitrariness, effective oversight, and transparency (Secretary-General of the UN, 2015: 8).

Equally, the Dutch response states in regard to the whole body of international law that the existing international frameworks of rules and restrictions equally apply to cyber operations. The submissions refer back to the “landmark achievement” of GGE 2013 and encourages further work to enhance States’ understanding of how these existing rules apply. In particular the submissions points-out the examination of the international legal framework that applies to cyber operations that do not rise to the threshold of an armed attack. This includes the question of how the principle of state sovereignty applies and includes the question of the application of the principle of due diligence (UN, 2015: 89). From 2015 onward, the Dutch position is that existing international law, including international human rights law, is applicable in cyberspace. This position is reflected in various strategies such as the ICS and NCSA. Unlike other States the Netherlands has to this date not yet published publicly a specific position on sub questions on the application of international law in cyberspace. A letter to parliament detailing a more specific Dutch position is expected before the summer of 2019 (Government of the Netherlands, 2019a).

International governance

The international outlook of Dutch cyber security has been widely acknowledged (Luiijf, 2011: 14). Being one of the few states with an International Cyber Strategy suggests the Netherlands aims to play a substantial role in regional and international governance. As cyber security discussions cover a large number of overlapping topics, it is challenging to provide a comprehensive overview of Dutch engagement in the field of international governance.

The ICS details an overview of Dutch engagement regional and international governance. The ICS states that the government forms broad coalitions and partnerships to protect Dutch national and Internet interests. The Dutch do so at the UN-level by nominating an expert to the 2016—2017 GGE and national submissions in 2015 and 2017."

The “Cyber Diplomacy Toolbox” was introduced during the Netherlands 2016 Presidency of the European Council. This initiative provides an inventory of possible diplomatic instruments that the EU institutions and Member States could use in response to adversarial cyberattacks (European Council, 2017). Following the public attribution of the cyberattack against the OPCW, the Dutch were part of a coalition of EU Member States pushing for the implementation of a “cybersanctions regime” as part of diplomacy toolbox (Drozdiak & Chrysoloras, 2018). The DCS 2018 states that NATO is the cornerstone of Dutch security policy. The Netherlands has, together with other allies, advocated recognition of cyberspace as a military domain (Ministry of Defence, 2018: 8). In further operationalizing this recognition, the Netherlands has offered cyber capacities to contribute to missions and operations of the alliance (Government of the Netherlands, 2018b: 3). According to the ICS, the Dutch government also closely cooperates with the Organisation for Economic Co-operation and the Development (OECD) and the Organization for Security and Co-operation in Europe (OSCE).

Norms development

The Dutch position on (the development of) norms has always been closely connected to its understanding of the application of international law. The Dutch response to Resolution 67/27, establishing the UN GGE of 2013, already indicated that the development of norms for State conduct does not require a reinvention of international law, but rather needs to ensure consistency in the application of existing international legal frameworks. The relation and potential tension between international law and the development of new norms, has been a topic of debate. The Dutch position is, however, that where there are gaps left by international law or questions unique to cyber security, additional non-binding, voluntary norms of responsible state behavior can be considered (Van Marissing, 2017: 30).

The Netherlands recognizes that the nature and dependence of the digital domain require restraint regarding activities that can touch the “public core” (Government of the Netherlands, 2017: 13). One particular norm the Netherlands has therefore sought to promote concerns the protection of the public core of the Internet. It was first publicly addressed by the Dutch Netherlands Scientific Council for Government Policy (Broeders, 2015). In the Dutch response to Resolution 69/28, establishing the UN GGE of 2015, further work is identified: to establish special normative protection for certain systems and networks, including critical infrastructure providing essential civilian services, civilian incident response structures, and certain critical components of the global Internet (UN, 2015: 8).

In the ICS the Netherlands acknowledged that it is working on developing norms and standards and has submitted an initiative proposal on the public core to the UN GGE of 2016—2017 (Government of the Netherlands, 2017: 11). However, the UN GGE 2016-2017 has not resulted in a consensus report. In addition, the Netherlands has launched the Global Commission on the Stability of Cyberspace, which will facilitate new voluntary norms of behavior in the cyber domain (Government of the Netherlands, 2017: 14). In 2017 the GCSC launched a “Call to Protect the Public Core of the Internet” and Norm Package Singapore featuring six new global norms for both state and non-state actors “to help promote the peaceful use of cyberspace” (Global Commission on the Stability of Cyberspace, 2018: para. 1). Through the Freedom Online Coalition (FOC), the Netherlands has also sought to add to the normative debate in the realm on human rights. A key priority of the FOC is “the shaping of global norms through joint action” (Global Commission on the Stability of Cyberspace, 2018: para. 1). Until early 2019, the FOC has published fifteen joint statements on a variety of freedom online related topics.

Role of the private sector

The Netherlands has a long tradition of public-private partnership. The almost mythical tale is that, with water as their shared enemy, the farmers and noblemen from the Middle Ages had to come together to decide on dikes and other measures against the water. The Treaty of Wassenaar from 1982 is seen as the modern starting point of this so-called “polder model”: a consensus model in which employers, unions, and the government negotiate wages and labor conditions. The Treaty’s agreement to hold down wages for the benefit of the Dutch economy’s competitiveness was considered successful and is sometimes referred to as “the Dutch miracle.” To this day, “polderen” (in its literal meaning “to create a polder”, but often used as “to come to a solution through compromise”) remains at the heart of Dutch culture and society. The question arises to what extent we see “cyber- polderen” in Dutch society.

According to Sergei Boeke, research fellow at the Institute of Security’ and Global Affairs, the institutional cyber security landscape resembles a participant-government connecting a variety of patterns on the basis of trust and equality (2017: 452). The scholar notes that cyber responsibilities and capabilities are decentralized in the country. In that sense, one can argue that there is a form of “cyber-poldering” in the Netherlands.

A textbook example of private-public partnership in the Netherlands is the Cyber Security Raad (Cyber Security Council) or CSR, a vehicle for public-private partnerships in the Netherlands for issues related to cyber security. The CSR is an independent advisory body that advises both public and private parties in the Netherlands on the issue of cyber security. The members of the CSR are leaders in business, government, and science. As such, a number of members in the board come from major Dutch companies. They are however, not supposed represent the specific companies’ interests; rather, they act in the name of the entire sector their company is part of, and the organization that acts in that sector’s interests.12 The National Cyber Security Centre (NCSC), perhaps the country’s main government institution for cyber security, considers public private partnerships particularly important for critical infrastructure protection. For the NCSC, this means that knowledge sharing and confidence building between the government and energy companies, telecommunication companies, and financial companies, among others, are considered especially important.

Conclusion

The purpose of this chapter was to provide a brief overview of Dutch cyber policy. As has become evident, over the past decade the Netherlands has led a number of new initiatives to promote cyber security. We can expect that for the coming years, the Netherlands will continue to invest in this field.

Our overview showed that the responsibilities of securing the Netherlands against cyber threats are spread across a range of government institutions, each establishing their own policy and initiatives on the basis of their own perspectives. The key challenge is to make sure that these policies and initiatives are synergistic rather than conflictual. This form of synergy can only come about if the Dutch government has a clear nation-wide vision of what it seeks to achieve, and continues to put the right levers in place to ensure coordination and collaboration.

Furthermore, the promotion of cyber stability has never been an endeavor a single government can take on. Early on, the Dutch government realized that cooperation with international partners — within the UN, EU, and NATO framework — is essential. This form of collaboration, especially amongst like-minded states, will only grow in importance in the years ahead. The future stability of cyberspace will rely on an ever-growing number of states, semi-state, and non-state actors working together.

Notes

  • 1 For further information see, https://www.ams-ix.net/ams
  • 2 Like the Dutch white papers and other official documents, this chapter uses the terms “digital security” and “cyber security” interchangeably.
  • 3 The annual national cyber security assessments (CSAN), published since 2012, are not included in this table.
  • 4 The CSAN, however, does provide an overview of this kind.
  • 5 There is one exception: the government also seeks to invest money in their National Cyber Security Centre (not yet mentioned and established in 2011).
  • 6 Also, the National Cyber Security Strategy 2 (NCCS 2) builds on, rather than deviates from, the NCCS 1.
  • 7 It is said that the Dutch cyber command - and affiliated organizations - continue to struggle to operate effectively. For an overview see, Smeets, M. (2018a) and van Lonkhuyzen and Versteegh, 2018.
  • 9 It remains unclear if the Dutch government has a framework for when and how to publicly attribute cyberattacks.
  • 10 The annual reports of the Dutch intelligence services does pay specific attention to Russian threat.
  • 11 The ICS further details that multilateral governance, such as before mentioned, should be complemented, where appropriate, through engagement with the technical community, nongovernmental sector and academia through multi-stakeholder and public-private platforms such as the Internet Governance Forum (IGF) and the Internet Corporation for Assigned Names and Numbers (ICANN).
  • 12 For example, Mr. Hans de Jong, President of a major Dutch technology company Philips, is co- chairman ot the CSR. His task as a member is to represent the biggest Dutch employer organization, the VNO-NCW. Likewise, Mr. Farwerck is COO at the Netherlands’ largest provider, KPN, but represents the organization of Dutch ICT companies, Netherlands ICT.

Suggested reading

Broeders, D. (2014, May 1). “Investigating the Place and Role of the Armed Forces in Dutch Cyber Security Governance,” Ministerie van Defensie, The Hague, Netherlands, www.researchgate.net/pro file/Dennis_Broeders/publication/280522039_Investigating_the_Place_and_Role_of_the_Armed_ Forces_in_Dutch_Cyber_Security_Governance/links/55b74c8008aed621de045985/Investigating- the-Place-and-Role-of-the-Anned-Forces-in-Dutch-Cyber-Security-Govemance.pdf

Cyber Wiser, (n.d.). “Netherlands (NL).’’ www.cyberwiser.eu/netherlands-nl

Hathaway, M. & Spidalieri, F. (2017, May). “The Netherlands Cyber Readiness at a Glance,” Potomic Institute for Policy Studies, Arlington, United States. www.potomacinstitute.org/iniages/CRI/Final CRI20NetherlandsWeb.pdf

Huele, D. (2016, November). “SBIR Cyber Security Tender III.” www.rvo.nl/sites/default/files/2016/ 11 /Presentatie_SBIR_cyber_security_tender_III.pdf

Pieters, P. (2017, February 13). “Dutch Govt. Launches International Cyber Security Strategy,” NL Times, http://nltimes.nl/2017/02/13/dutch-govt-launches-intemational-cyber-security-strategy Van den Blink, E. A. (2018). “Public-Private Partnerships in Dutch Cyber Security Governance: An Analysis of Its Effectiveness” (Master’s thesis), Universiteit Leiden, Netherlands, https://openaccess. leidenuniv.nl/bitstream/handle/1887/84042/Blink_van_den_CSM_2018.pdf?sequence= 1

References

Adviesraad Internationale Vraagstukken, Commissie van Advies Inzake Volkenrechtelijke Vraagstukken. (2011). Digitate Oorlogsvoering (C-AIV/WRR). https://aiv-advies.nl/download/9fc55422-c96d- 4563-9279-f434803c0afd.pdf *

Boeke, S. (2017). “National Cyber Crisis Management: Different European Approaches,” Governance, 31 (3): 449-464.

Broeders, D. (2015). “The Public Core of the Internet. An International Agenda for Internet Governance,” (WRR Report No. 94), The Netherlands Scientific Council for Government Policy, The Hague, Netherlands, https://english.wrr.nl/publications/reports/2015/10/01/the-public-core- of-the-intemet

CISA. (n.d.). “Critical Infrastructure Sectors.” www.cisa.gov/critical-inffastructure-sectors

Drozdiak, N. & Chrysoloras, N. (2018, October 11). “U.K., Netherlands Lead EU Push for New Cyber Sanctions,” Bloomberg, www.bloomberg.com/news/articles/2018-10-11 /u-k-netherlands-lead-eu- push-for-new-cyber-sanctions-document

European Commission. (2018). “The Directive on Security of Network and Information Systems (NIS Directive).” https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis- directive

European Council. (2017). “Cyber Attacks: EU Ready to Respond with a Range Of Measures, Including Sanctions.” www.consilium.europa.eu/en/press/press-releases/2017/06/19/cyber-diplo macy-toolbox/

Global Commission on the Stability of Cyberspace. (2018). “Global Commission Introduces Six Critical Norms Towards Cyber Stability.” https://cyberstability.org/news/global-commission-introduces- six-critical-norms-towards-cyber-stability/

Government of the Netherlands. (2015, April 16). “Opening Speech GCCS Bert Koenders.” www.gov ernment.nl/documents/speeches/2015/04/16/opening-speech-gccs-bert-koenders

Government of the Netherlands. (2017). “International Cyber Strategy.” www.government.nl/binaries/ government/documents/parliamentary-documents/2017/02/12/international-cyber-strategy/Inter national+Cyber+Strategy.pdf

Government of the Netherlands. (2018a, June 20). “Speech by Minister Blok on First Anniversary Tallinn Manual 2.0.” www.government.nl/documents/speeches/2018/06/20/speech-by-minister- blok-on-first-anniversary-tallinn-manual-2.0

Government of the Netherlands. (2018b). “Report of the NATO Summit 11—12 July.” www.tweedeka mer.nl/kamerstukken/brieven_regering/detail?id=2018Z14237&did=2018D40000

Government of the Netherlands. (2018c, October 4). “Netherlands Defence Intelligence and Security Service Disrupts Russian Cyber Operation Targeting OPCW.” www.government.nl/latest/news/ 2018/10/04/netherlands-defence-intelligence-and-security-service-disrupts-russian-cyber-operation- targeting-opcw

Government of the Netherlands. (2019a, January 30). “Espionage by Russia.” https://zoek.officielebe kendmakingen.nl/h-tk-20182019-39-33.html

Government of the Netherlands. (2019b, September 18). “VI Justitie en Veiligheid Rijksbegroting 2019.” www.rijksoverheid.nl/documenten/begrotingen/2018/09/18/vi-justitie-en-veiligheid-rijks begroting-2019

Legal Information Institute. (2001). “Critical Infrastructures Protection Act of 2001 (42 U.S. Code §5195c).” www.law.comell.edu/uscode/text/42/5195c

Luiijf, E. (2011). “Drie nationale cyber security strategieen vergeleken,” Magazine voor Nationale veiligheid en crisisbeheersing, 14—15.

Ministry of Defense. (2012). 'The Defense Cyber Strategy. www.itu.int/en/ITU-D/Cybersecurity/Docu ments/National_Strategies_Repository/Netherlands_2012_NDL-Cyber_StrategyEng.pdf

Ministry of Defense. (2018). The Defense Cyber Strategy, www.defensie.nl/binaries/defensie/documen ten/publicaties/2018/11/12/defensie-cyber-strategie-2018/web_Brochure+Defensie+Cyber+Strate gie.pdf

Ministry ot Justice and Security. (2011). The National Cyber Security Strategy, www.enisa.europa.eu/ topics/national-cyber-security-strategies/ncss-map/Netherlands_Cyber_Security_strategy.pdf/ Ministry of Justice and Security. (2018). Nederlandse Cyber Security Agenda: Nederland digitaal veilig. www. rijksoverheid.nl/binaries/rijksoverheid/documenten/rapporten/2018/04/21/nederlandse-cybersecur ity-agenda-nederland-digi taal-veiligZCSAgenda_def_web.pdf Modderkolk, H. (2018, January 25). “Dutch Agencies Provide Crucial Intel about Russia’s Interference in US-Elections,” de Volkskrant. www.volkskrant.nl/media/dutch-agencies-provide-crucial-intel- about-russia-s-interference-in-us-elections~a4561913/

National Coordinator for Security and Counterterrorism. (2013). “Cyber Security Assessment Netherlands CSAN 20IS.” https://english.nctv.nl/binaries/CSBN2018_EN_web_tcm32-346655.pdf National Coordinator for Security and Counterterrorism. (2018a). “Cyber Security Assessment Netherlands CSAN 2018.” https://english.nctv.nl/binaries/CSBN2018_EN_web_tcm32-346655.pdf National Coordinator for Security and Counterterrorism. (2018b). Resilient Critical Infrastructure, https:// english.nctv.nl/binaries/Factsheet%20Critical%20Infrastructure%20ENG%202018_tcm32-240750. pdf

National Cyber Security Centre. (2011). The National Cyber Security Strategy (NCSS): Strength through Cooperation, https://english.nctv.nl/binaries/cyber-security-strategy-uk_tcm32-83648.pdf Organisation for Economic Co-operation and Development. (2015). “OECD Digital Economy Outlook 2015.” www.oecd.org/internet/oecd-digital-economy-outlook-2015-9789264232440-en.htm Secretary-General of the UN. (2013). “Addendum to the 2013 Report of the Secretary-General on Developments in the field ot information and telecommunications in the context of international security,” А/68/156/Add. 1.

Secretary-General of the UN. (2015). “The 2015 Report ot the Secretary-General on Developments in the Field of Information and Telecommunications in the Context of International Security,” A/70/172. Smeets, M. (2018a). “Cyber: People, People, People: Vragen Over het DCC en Het Inzetten van Cyberactiviteiten,” Atlantisch Perspectief 6: 30—34. www.atlcom.nl/upload/AP_6_2018_Smeets.pdf Smeets, M. (2018b, February 8). “The Netherlands Just Revealed Its Cybercapacity: So What Does It Mean?” The Washington Post, www.washingtonpost.com/news/monkey-cage/wp/2018/02/08/the- netherlands-just-revealed-its-cybercapacity-so-what-does-that-mean/?utm_term=.c50daecc2el8 The British Centre for the Protection of National Infrastructure. (2019). “What We Do.” www.cpni. gov.uk

The Hague Center for Strategic Studies. (2016, December). “Dutch Investments in ICT and Cybersecurity.” https://hcss.nl/report/dutch-investments-ict-and-cybersecurity The World Bank. (2019). Indicators, https://data.worldbank.org/indicator

US Department ot Defense. (2018). Summary Department if Defense Cyber Strategy 2018. https://media, defense.

gov/2018/Sep/18/2002041658/-l/-l/l/CYBER_STRATEGY_SUMMARY_FINAL.PDF van Lonkhuyzen, L. & Versteegh, K. (2018, December 18). “Het cyberleger kan en mag nog weinig,” De NRC. www.nrc.nl/nieuws/2018/12/18/het-cyberleger-is-er-wel-maar-mag-weinig-a3099254 Van Marissing, R. (2017). “The Role of Cyber Diplomacy in Dutch Security Policy,” Atlantisch Perspectief, 3: 29—32.

 
Source
< Prev   CONTENTS   Source   Next >