This article was published in Virus Bulletin, issue March 2012
On Thursday 12 January 2012 the Dutch National Cyber Security Centre (NCSC) was officially opened. With the push of a big red button, Minister of Security and Justice Ivo Opstelten proudly started a spectacular laser show in celebration of the event. Now that the lights have faded, let’s take a look at what the Dutch government aims to achieve through the NCSC.
THE NATIONAL CYBER SECURITY STRATEGY
On 22 February 2011 the Dutch government published the National Cyber Security Strategy (‘the strategy’). This document came about as the result of a motion adopted in Parliament  requiring an interdepartmental strategy. The document was created under pressure, but also in openness.
Two semi-public meetings were organized, allowing all parties a chance to view, respond to and feed back on the first draft of the strategy. The public sessions saw civil servants from all relevant ministries gathered with cyber security experts and representatives from law enforcement, regulatory bodies and industry (including industries deemed to be vital to national security). The feedback gathered from these sessions found its way into the final version that was sent to Parliament. (For example, my feedback contributed to a more pronounced emphasis on international cooperation.)
The rationale behind the public meetings becomes clear when we cite the official government publication announcing the strategy:
‘Government and industry will cooperate shoulder to shoulder to increase resilience against ICT disturbances and cyber attacks. A coherent approach is necessary and essential for the growing (international) problem’ . In other words, public-private cooperation is key. Two bodies were announced: the National Cyber Security Council and the NCSC. This cooperative approach is not
unusual for the Netherlands. Permit me a brief history lesson about the ‘polder model’.
It is often said that ‘polderen’ is unique to the Netherlands. Since the Second World War, through a combination of negotiations and cooperation, government, industry and unions have made consensus decisions on the road forward based on what is best for all concerned. It is believed that the consensus decision-making model may originate from the very early history of the northern and western parts of the Netherlands when (local) governments, cities, landlords and farmers worked together to contain rivers, dig canals, build and uphold dikes, create polders and win land over from the bogs and sea .
It is little surprise that the government has fallen back on this model to fight all things cyber – recent history has made it clear that no single actor alone can make a lasting impression on cyber perpetrators.
THE NATIONAL CYBER SECURITY COUNCIL
On 30 June 2011 Minister Opstelten instated the Cyber Security Council . The two chairs and their respective backgrounds are indicative of the approach taken: Eelco Blok is CEO of KPN, the Dutch incumbent telecommunications company, and Erik Akerboom is National Coordinator for Counterterrorism and Security. The Council is responsible for advising government and industry alike (including the NCSC) on all matters concerning developments in cyber security. The Council can set priorities in the approach to ICT threats and assess the need for further research and development as well as determine how information can best be shared with participating public and private parties. Government, industry, end-users and academia are represented in the Council. However, the Council is a separate entity from the National Cyber Security Centre.
THE NATIONAL CYBER SECURITY CENTRE
The NCSC is based on three pillars that are highlighted in its mission statement: ‘The NCSC cooperates in enhancing the defensibility of the Dutch society in the digital domain. Our goal is to realize a safe, open and stable information society by sharing knowledge, offering insight and also offering a proper action perspective’ .
The first goal manifests itself in the fact that the national Computer Emergency Response Centre, Govcert.nl, has been incorporated into the NCSC. The function of Govcert.nl hasn’t changed, but will be added to. Despite the fact that, as Minister Opstelten stated at the opening, all outside government remain responsible for their own cyber security, the Centre will play a more central role than before. As this is a familiar function, I will not elaborate here, except stress that in times of crisis the Centre will act as coordinating body between the different partners involved.
Expertise and advice
The second goal is about the development of knowledge and disseminating it to all partners. Two stages are foreseen at present. First, the government will intensify cooperation between the founding ministries and the relevant agencies, e.g. law enforcement agencies, AIVD (intelligence service), public prosecution and the National Forensic Institute. This will be achieved in part by embedding liaison personnel at the Centre.
Pim Takkenberg, Head of the Dutch National High Tech Crime Team, explains:
‘The liaison personnel will be present at the NCSC for one or more days a week. They will establish a connection between their respective organizations and the NCSC and will be responsible for organizing the relevant or necessary expertise from within their organizations. In this way, not only is trust developed between the cooperating agencies, but also a common language. By reaching out and connecting in “normal” times, it becomes much easier and more natural to do so in times of crisis – which could possibly lessen the impact of incidents.’
Since 2006, regular meetings have been held in the Netherlands between law enforcement and security agencies to discuss cyber crime. This form of cooperation will now be taken to a new level as the liaison personnel will play an important role in times of crisis.
In the second stage, cooperation between the Centre and industry is foreseen. If everything goes according to plan, the Information Sharing and Analysis Centres (ISACs) created around and constituted by members of vital sector groups including telecoms, financial institutions, water and energy providers, etc., will link to the NCSC to make optimal use of information and actively share knowledge.
The ISACs are already a feat of public-private partnership, although they are not unique to the Netherlands. At present they are organized through CPNI.nl . Relevant industry partners from a vital sector gather with government, law enforcement, AIVD and Govcert to share threats, learn from and warn each other of perceived threats, and establish best practices in a safe, non-competitive environment. By treating cyber crime and threats as topics that require a common approach, putting competition aside, solutions and security for all can be established. As the sector provides the chair, industry is the driving force behind the agenda .
In my opinion this is the nucleus of the initiative. If all parties concerned can find, as Takkenberg puts it, ‘a common language’, learn to work together and gain trust, the NCSC becomes the centre of expertise, excellence and esteem to which all concerned will look for guidance and coordination in times of crisis. Succeed here, and the rest will follow suit.
The NCSC has already published two reports. One describes how to recognize cyber crimes and when and how to report them . The other is a report on ICT security guidelines for web applications . The NCSC is already on the road to establishing itself as a centre of knowledge and advice.
Monitoring and reporting
Monitoring the threat level and reporting on it is the third pillar of the NCSC. The Centre aims for a broad participation, public and private, so it can collect data from divergent sources. This information is gathered at a more structural level, is more comprehensive and creates a better overview than ever before. Data can be studied, analysed, discussed, and reported to all the partners involved. The NCSC draws the analogy of laying out a puzzle: find and lay out all of the pieces in the correct order to get the complete picture. This way it ‘will make an important contribution to increasing national resilience by means of the integral approach and the unique shape of the cooperation’ . The first national trend report on cyber crime and digital security in the Netherlands was prepared by Govcert and published on 12 November 2011 . All relevant law enforcement and national security agencies contributed to the report for the first time.
As cyber crime does not stop at the border of nation states, the NCSC will also need to look to partners in other countries. At present the focus is on organizing itself, but in the future the Centre will reach out to other countries. In what form and with whom remains to be determined. The EU, individual member states and several other countries are all contemplating how to go forward, but all seem to agree that a public-private form of cooperation is paramount. The Netherlands has established a blue print on how to proceed. It could be worthwhile for other countries to study this model as a reference point for a way forward in the ongoing battle against cyber threats.
At present, the NCSC is a work in process. In 2011 a lot of effort was put into creating the Centre and getting very different organizations (and thus cultures) behind it. The coming months will undoubtedly pass with everyone finding their way, embedding liaison personnel, establishing optimal lines of contact and reaching out to industry through the ISACs. However, once all this has settled in place we will have a centre that shows the promise of being able to assess the level of cyber threats very quickly, and through its very foundation built on cooperation, will be able to coordinate in times of crisis at national level, between all relevant parties. Next to that, a framework has been created to learn as well as teach lessons. As such, the NCSC holds a promise that goes far beyond the Dutch borders. It may not be unique in its intentions, but as an established centralized centre it may well be so.
 Motie Knops, Tweede Kamer, vergaderjaar 2009-2010, 32 123 X, nr. 66.
 http://www.rijksoverheid.nl/documenten-enpublicaties/persberichten/2011/02/22/nationalecyber-security-strategie-gepresenteerd.html. (Translation, WdN).
Wout de Natris
De Natris Consult, The Netherlands
© 2012 Virus Bulletin/Wout de Natris