In all debates on cyber security the Dutch government is adamant: in the private sector cyber security is the responsibility of the private sector. The same goes for lower government organisations.
In this the government is correct. It is impossible for government to claim responsibility towards the security of a private company and, indirectly, for its customers or users. This may be slightly different for lower government organisations who may lack necessary knowledge and expertise, but for this discussion let me put them on the same plane. So is there a balance to be found in this discussion? Well, that’s a tough one, but let’s take a look at what we have and what we lack.
Who cleans up the mess?
So, now we’re familiar with the government’s position, but on the other side it seems like it’s the same government that often has to clean op the mess after an incident, like with the Diginotar crisis and suffers from citizens feeling less safe in the modern and for most incomprehensible digital world. In a crisis like the KPN hack, it’s the government that coordinated actions. So I conclude that government sees a role for itself in cyber security.
And there is something else also. A parliamentarian said this week – I quote from memory here-: “When half of the country is flooded because of a hack in the water management systems, the blame will not go to the local authority and their lapse in security, but to the Minister responsible for cyber security”; who nodded solemnly, but quietly in response.
So I conclude here that government already has a role and will often be seen as responsible, correctly or not.
Did cyber security land?
Obviously I can’t look into board rooms, but I dare state that cyber security has not landed sufficiently and if it has, than it did not, always, lead up to successful measures. Not even at companies of which we automatically assumed to have the highest levels of cyber security in place. So let´s concluded that either security was underestimated or, less positively, neglected. At least I hope that this is the case. The alternative is a little more frightening, because that implies the situation is totally hopeless and no one dares admitting it.
Has cyber security landed since?
Doing nothing is no longer an option, for no one. Or it shouldn’t be, but I’m still not convinced that the choice between a higher profit, dividend or end of year bonus and a slightly less profit but higher cyber security falls the right way. The same goes for developing cyber skills in an environment of stringent budget cuts, setting government organisations back to bare minimums.
So how does the security of customers and users, plus the inner security of the company or government organisation itself, compare in your organisation?
So where is the balance found?
My best offer at present is that the government takes on a directive stance within a self regulatory environment. E.g. by setting minimum standards for cyber security. With the National Cyber Security Centre and the National Cyber Security Council the Dutch government has created two bodies that can lead this discussion. Within the Centre the study for minimum standards takes place, while the Council discusses the outcome and hands in an advice to the government, that sets the binding standards. By evaluating this process continuously, standards are changed with the sign of the times.
This latter process takes care of arguments stating that a bear minimum is never enough. True, but no minimum is almost certainly worse and the continuous process creates its own dynamism and keeps organisations on its toes. Through this transparent process, with representatives of all parties on board, consensus on the standard is achieved time and again.
Self regulation enforced
Public and private entities alike get the chance to self implement the set standards. As long as no one falls under the minimum nothing happens. However, incidents are to be reported, investigated and studied. Only if an organisation was proven lacking as to the standards, enforcement comes into view.
Reporting incidents becomes part of the standard. This must come to be seen as a necessary step towards trust and improvement. Warning all concerned, taking necessary measures and assisting customers will be appreciated as showing leadership. Customers will have more trust in you if you do so, while all others can directly learn and start prevention. Everyone stands to win.
A super cyber enforcement agency
The government could think about creating a super enforcement agency for all things cyber and not and I repeat NOT, create snippets of enforcement here and there spread over too many regulators with different enforcement tools, skills, resources and powers, which on top of that have to cooperate, share data, coordinate. Of which some may even be unwilling to enforce as proven in the recent past (and I’m not even going to start and point at the situation in many EU countries here). The strength of this regulator must be made apparent and becomes the sole party to discuss the enforcement of cyber incidents and perpetrations with, nationally and internationally.
It looks like there is one administrative agency that has proven it´s proficiency and effectiveness time and again over the past 8 years. This is a standard to work from in this new environment that has to be created in order to achieve effectiveness. Of course I point to OPTA. (Of course there is a criminal side to this discussion. Could this be merged somehow also?)
The combination of this agency with the efforts of and skills at the NCSC would set a new standard in the fight against all things cyber for the world to see. It would be a smart move from several angles. Just take a minute to think about it.
Invest in cyber security
Cyber crime seems to cost between €10 to €30 billion a year for The Netherlands alone. If we’d invest ca. €500 million in cyber security, I’d imagine we as a nation could come a long way securing ourselves.
It looks like that there can be a balance between government responsibility and that of the private sector. In the Netherlands the stage has been set to be able to make effective use of the new coordinating bodies. It now takes a government willing to lead and an enforcement agency in the back ground as a sort of sheep dog, herding the flock onwards. There are carrots enough, it only lacks a few sticks.
Wout de Natris, De Natris Consult
Leiderdorp, 14 April 2012