NCTV: Disruption of society is a danger

There is a permanent digital threat to national security. Nearly all vital processes and systems in the Netherlands are partly or entirely digitised, with hardly any fallback options or analogue alternatives available. Along with the inadequate level of cyber resilience, these factors make the Netherlands vulnerable to digital attacks. The significant investments by both government and business, the new cybersecurity notification obligation as well as more stringent laws and regulations will need to produce visible effects in the next few years. This picture has emerged from the Cybersecurity Assessment Netherlands 2019 (CSBN 2019) published by the National Coordinator for Security and Counterterrorism (NCTV). 

Permanent threat from countries

The greatest digital threat to national security emanates from espionage, disruption and sabotage by countries such as China, Iran and Russia. This danger is also apparent from the recent annual reports of the intelligence services. China poses the greatest threat of economic espionage by far. The Netherlands is an interesting target for espionage by Russia in light of the MH17 disaster and other factors. As the Netherlands depends on a handful of providers and countries, we are vulnerable to their – changing – intentions. The vast majority of hardware and software is either designed or produced in China and the USA. Other countries can also apply certain legislation which departs from our privacy requirements or which results in unauthorised access to the data of Dutch users or businesses. There is the ongoing threat of cyber crime as well. Given that hacking tools are readily available and limited knowledge is needed to launch a cyber attack, it is expected to remain a problem in the years ahead.

Lack of analogue alternatives and fallback options

Our almost total dependence on digitisation means that digital security has become essential for the functioning of our society and economy. A single incident in a network can lead to a chain of incidents and eventually to gas, water and power outages. Due to the nearly complete disappearance of analogue alternatives and the absence of fallback options, dependence has increased to such an extent that impairment can cause socially disruptive damage. This damage need not always be the result of a cyber attack; a simple error alone can have profound consequences. 

Cyber resilience still not up to scratch

Cyber resilience is the most important instrument for reducing risks, given that it is too complex to influence threats and dependence. Organisations continue to be the target of successful attacks with simple methods. Incidents could have been prevented and damage could have been mitigated by putting basic measures in place. It will remain a challenge in the next few years to maintain cyber resilience at such a level that we can respond effectively to the increasing level of dependence and the changing nature of the threat.