How to counter worsening cyber-security threats: The international strategy of the Dutch government

The piece below originally appeared in the Netherlands Atlantic Association’s magazine Atlantisch Perspectief.

Over the past decades, our reliance on the internet and everything that passes over it has grown exponentially to a point where living without it is hardly imaginable. Even those people who are not active online are indirectly dependent on many goods and services that could no longer be rendered without the government or private sector relying on Information and Communications Technology (ICT). We experience this as progress and have recognized the enormous opportunities and increase in quality of life that have come with it. The discourse that evolved with the emergence of the internet held a promise of increased business opportunities, transparency, and fundamental freedoms (of speech, assembly, etc.) that could now be exercised in an unfettered way like never before.

Waves of democratization, like the Arab Spring, were spurred or amplified by social media. However, with those opportunities and increased interconnectedness came threats and vulnerabilities. And online interdependence has increasingly exposed us to malicious actors with bad intentions. This has sparked an intense international debate and necessitated efforts to fight these evils. Every single part of our government deals with the threats and opportunities that come with the use of ICT, ranging from the Dutch Defense Ministry adding cyber capabilities to its inventory, to the Dutch Ministry of Home Affairs making sure our elections are conducted securely and without foreign interference, to the Dutch Justice Ministry protecting our critical infrastructure and fighting cybercrime. It is now integral to everything the government undertakes, and responses to all these challenges and opportunities must be aligned in a whole-of-government approach, which requires regular updates.

For the Dutch government, cyber diplomacy is a necessity, not a luxury. For an open service-oriented economy, a safe and secure internet is key. Many of the transatlantic internet cables land in the Netherlands, making Amsterdam one of the largest hubs for internet traffic in the world. But most importantly, the Netherlands is one of the few countries in the world that has promotion of the international rules-based order enshrined in our constitution (article ninety). Extending this mission into cyberspace is therefore regarded as a core task of the Ministry of Foreign Affairs (MFA).

The MFA is involved in many of these efforts, particularly where the work of other departments has an international dimension. But it also has defined its own mission, which is derived from the overall foreign and security policy. Obviously, the work of the development-cooperation side and the international-trade side of the house also has a digital dimension, but for the sake of this article, I will focus on cyber diplomacy in the security context of our work. We have a three-pronged approach to promoting a safe, free, and open internet globally.

Subscribe for content and events on European security

Sign up for updates from the Atlantic Council’s Transatlantic Security Initiative, covering the debate on the greatest security challenges facing the North Atlantic Alliance and its key partners.

  • This field is for validation purposes and should be left unchanged.

1. Develop and consolidate the rules of the road in cyberspace

Although to some the internet may seem a lawless place where state actors and their proxies, criminals, and terrorists can perform harmful acts and go unpunished, that is not the case. Our laws, and in particular international law, apply in full in cyberspace. In the opinion of the Netherlands and a growing group of like-minded countries, the notions contained in the United Nations (UN) Charter and Human Rights Conventions are applicable equally online and offline. Your privacy, rights of assembly, and free speech, all are protected by the same laws and treaties. However, discussion amongst experts is still ongoing as to how some international rules exactly apply. For example: what constitutes an armed attack in cyberspace, and when is self-defense warranted? Over the past decades, such discussions have taken place under the aegis of the UN. The most recent set of eleven norms for state behavior was agreed in 2015. Of course, this is a domain that is still very much under development, both in terms of technology and in terms of policy. So, it is only natural that the discussion continues.

Norms of state behavior are currently being further elaborated along two separate UN tracks. And with the development of new technologies, we need to keep developing and strengthening those rules of the road in cyberspace to make sure that use of ICTs and other technologies is safe and secure, and that the fundamental rights of each individual are respected. Also, a number of Confidence Building Measures like transparency and responsible behavior in case of cross-border cyberattacks have been developed within the OSCE. The construct of rules, norms, and principles for state behavior is being elaborated and strengthened all the time. Nevertheless, we see an increase in irresponsible and malicious behavior by many, ranging from theft of intellectual property to benefit national industries, to crippling attacks on critical infrastructure, to interfering in electoral processes. The Global Commission on the Stability of Cyber Space (GCSC), an independent non-governmental organization that the Netherlands MFA initiated, issued an authoritative report on these matters in November 2019.

It stated unequivocally that the public core of the internet as well as critical infrastructure should be off-limits to any tampering and that the latest developments concerning electoral infrastructure and medical infrastructure in the face of the COVID-19 crisis gave particular reason for concern and grounds for their protection. The suggestions from the GCSC have been referenced by many nations during the negotiations at the UN in New York. The GCSC had an important attribute which is vital to the entire debate on shaping the rules of the road in cyberspace: a multi-stakeholder composition. Government representatives, scientists, practitioners, politicians, civil society, tech companies, think-tankers, even hackers: Every single part of our society should be involved in shaping this space for the future. The internet is not like a public road that is owned by the government, which can decide on its own what the maximum speed should be. The internet is owned by us all, and it is still growing as we speak. Every owner should feel responsibility, and every owner should take part in shaping its future. This should remain the organizing principle of future exchanges on our digital future, and I was delighted to see that UN Secretary-General António Guterres has embraced this principle in his recent Roadmap for Digital Cooperation.

2. Hold those who break the rules accountable

Although we all seem to broadly agree on the norms and rules of the road in cyberspace, and on what is and is not acceptable, malicious behavior is on the rise. A recent example is the abuse of the COVID-19 crisis for cyber operations. There is thus a clear need to get better at catching those who break the rules. And this is not easy; actions on the internet are easily disguised, and it is increasingly difficult to ascertain who may be behind an action. So it is of critical importance that we work together with EU partners and like-minded nations across the world, first of all, on the forensic details of cyberattacks. We share information between allies and partners, just as with information on common crime. And then we coordinate on calling out malign practices. Whereas the decision to attribute a cyber operation to another state will always be a sovereign decision by any government, the way to communicate such a move, and the option to impose consequences, will gain meaning and impact when coordinated between nations.

Many individual nations have an attribution framework for these purposes, but on Dutch initiative, the European Union (EU) has also developed a cyber-diplomacy toolbox. The most recent addition to that is an EU cyber-sanctions regime, which allows the EU at twenty-seven to impose sanctions on individuals and entities that are found guilty of malicious cyber operations. In order to be able to agree on such a sanction by unanimity within the EU, we need to able to convince each member state of the facts. For this purpose we draw up evidence packs, which have to be unclassified, because the person or entity targeted by a sanction should have recourse to the European Court of Justice. To facilitate the assembly of such evidence packs, we need to build alliances between the public and private sectors, with the involvement of other stakeholders. We have increasingly realized that many different players hold one or more pieces of the incredibly complex puzzle that is called cyber: police, national cyber-security centers, security services, Computer Emergency Readiness Teams (CERTs), but also private security firms, social media platforms, universities, Interpol/Europol, and so on. We have to get much better at forging alliances between these players to be able to see the full extent of what goes on on the dark side of the internet. And this could help us with getting better at exposing different kinds of interference, including disinformation campaigns.

The Dutch are engaged in diverse diplomatic efforts to promote adherence to international rules and norms. For example, the Netherlands Ministry of Foreign Affairs has initiated the Freedom Online Coalition (FOC). The FOC is a partnership of now thirty-two governments, working to advance and secure internet freedom. Coalition members work closely together to coordinate their diplomatic efforts and engage with civil society and the private sector to support Internet freedom—free expression, association, assembly, and privacy online—worldwide. Similarly, the Dutch MFA supports non-governmental organizations in this field like the Digital Defenders Partnership and Access Now. We seek to serve, guide, and influence decision-makers across sectors through human-rights-focused thought leadership and innovative, evidence-based policy analysis, as well as through events like RightsCon, an annual meeting and a movement that connects and empowers civil society and mobilizes a global community to collaborate on the most pressing issues at the intersection of human rights and technology.

Minister Stef Blok visited the cybersecurity company Fox-IT in Delft. His visit focused on cyber diplomacy and the international nature of cyber attacks. Photo via Fox-IT, Sicco van Grieken.

3. Enable all nations to protect themselves

Defense against cyber operations starts with resilience. Resilience means not only being able to withstand an attack, but also being able to continue functioning through an attack. This is vital as today the functioning of our society is increasingly dependent on a functioning internet. Full protection of a country’s critical infrastructure is therefore key. Definitions of critical infrastructure vary from country to country and keep changing and growing all the time. Banks, electrical grids, telecoms, etc. are regarded as critical in every country. But for the Netherlands for instance, where about 35 percent of its territory lies below sea level, the waterworks that keep the sea out are computer operated and are without a doubt critical infrastructure. However, until recently, our medical infrastructure was not regarded as critical in the same way other sectors were. With the COVID-19-related attacks and the realization that hospitals were critical to the continuity of our society, that definition is now under review.

It is very important that countries that are less well-equipped get assistance to achieve the same level of protection. This should not be seen as charity; it is in everyone’s interest. Some major cyber incidents of the past few years have shown that most damage done is actually collateral damage well beyond the initial target, or intentionally random and global in its effect. Think of the Wannacry cyberattack that affected up to 300,000 computers in 150 countries, or NonPetya, the most devastating cyberattack in history that crippled ports, paralyzed entire corporations, and froze government agencies around the world. In that sense we could compare the internet to the earth’s atmosphere; damaging effects from a cyberattack do not stop at our borders, just as climate change knows no boundaries. This capacity building is first of all a matter of building technical resilience, for example by setting up Cyber Emergency Response Teams.

But it could also entail assistance with drafting legislation that ensures internet safety and security, and at the same time respect for human rights. The overall aim should be to make sure that everyone can reap the benefits of new technologies and enjoy a free, safe, and secure internet. And just as important: empower all states to take part in the global debate about our common digital future as equal partners, including the private sector and civil society in these countries. To support this effort, the Netherlands Ministry of Foreign Affairs initiated the Global Forum for Cyber Expertise (GFCE) in 2015. The GFCE is a multi-stakeholder community of more than 115 members and partners from all regions of the world, aimed at strengthening cyber capacity and expertise globally. As a global platform comprising governments, international organizations, non-governmental organizations, civil society, private companies, the technical community, and academia, the GFCE builds global cyber capacity. This Dutch government initiative has now matured into the world’s strongest independent Capacity Building platform.

4. Conclusion

The Dutch government has climbed a steep learning curve over the past years and is still learning every day. Cyber-security reports show that threats are getting worse, not decreasing. International cooperation is vital to consolidate the rules of the road in cyberspace, further their implementation by increasing the chance of exposing and stopping those who break the rules, and assist other countries in upgrading their resilience. With new technological developments like the Internet of Things, the attack surface will increase, and with it, the responsibilities of all involved to protect us from malicious actors. The Dutch Ministry of Foreign Affairs aims to continue to play a leading role in cyber diplomacy both from The Hague and through our dedicated cyber diplomats in selected embassies across the world.

Timo S. Koster was, until September 1, 2020, Ambassador-at-Large for Security Policy and Cyber at the Dutch Ministry of Foreign Affairs. From 2012 to 2018, he was Director for Defense Policy and Capabilities at NATO Headquarters in Brussels.

Further reading:

The Transatlantic Security Initiative, in the Scowcroft Center for Strategy and Security, shapes and influences the debate on the greatest security challenges facing the North Atlantic Alliance and its key partners.

Image: Dutch Prime Minister Mark Rutte talks during press conference at the end of the weekly Council of Ministers in The Hague, the Netherlands, on May 20, 2020. Photo by Robin Utrecht/ABACAPRESS.COM