The administration's new national cybersecurity strategy is facing criticism. Experts see that it contains many good things, but also that a lot of things are missing. Experts also question the practical implementation.
This is according to a BNR Digital tour of various experts (1).
On Monday, the cabinet presented a new Dutch cybersecurity strategy with accompanying action plan. The government's goal is to create a digitally secure society and regulate security and quality requirements in the field of cybersecurity.
To realize these ambitions, the cabinet has formulated a variety of measures. For example, between now and 2026, the National Cyber Security Center (NCSC), the Digital Trust Center (DTC) and the Cyber Security Incident Response Team for digital service providers (CSIRT-DSP) will merge into a single national cyber security center. In this way, the government aims to combat fragmentation in the cybersecurity landscape and combine knowledge and expertise in the field of cybersecurity.
There will also be a "cyber weather report" to give citizens and businesses timely warnings of current threats. In addition, the National Coverage System will be strengthened and expanded, "robust legal requirements for security and compliance monitoring" will be established, and from 2023, Dutch citizens will be able to pay for multiple forms of cybercrime report online.
"The digital threat is rising sharply with criminals and hostile states threatening our interests. Therefore, action is needed now to increase our digital resilience, strengthen the system and address the threat," Justice and Security Minister Dilan Yeşilgöz-Zegerius said of the importance of the new cybersecurity strategy.
Security specialists are pleased that the administration is serious about cybersecurity. At the same time, they are critical of the cybersecurity strategy. "There are many good things in it, but also a lot of drivel. In addition, many things are missing," Bart Groothuis, MEP on behalf of the VVD, told BNR Digitaal. "There now comes a phase: how are we going to stop an attack that is coming tomorrow? I still miss that."
Groothuis also said he lacks an "active strategy" for strengthening cybersecurity. "Agreements could also be made with Internet providers. If you know that there are domains where malware is served, why don't we put them on a red screen? They do that in Belgium and they are leading in this and we are lagging behind."
The MEP advocates a DNS server that manages which sites are and are not safe. "All the knowledge we have about malware, IP addresses and domains you put on there. Then if you click on certain domains as a civil servant that are dangerous, they won't be opened." Groothuis thinks something like this can also be realized for companies and organizations working in critical infrastructure. "That way you protect your whole economic thinking," he thinks.
Finally, the MEP says more cooperation from Europe with other parts of the world is necessary. In his view, Australia, New Zealand, the United Kingdom and the United States already cooperate closely on policing, policy and geopolitics. "We should have an equivalent of that in Europe," Groothuis said.
Eward Driehuis, owner of 3Eyes Security, cybersecurity consultant and president of CSIRT.global, is also critical of the administration's plans. He emphasizes that the government has committed to raising awareness of the dangers of hackers and cyber attacks. "I am curious as to how these will be helped to be less risky cyber citizens," he said.
Driehuis also sees positives to the administration's cybersecurity strategy. "People are talking about [cybersecurity] more maturely than ever. For example, there is no longer a distinction seen in the criminal aspects of cyber. It's a very strategic piece, but how you're going to implement it practically becomes the question."
On Budget Day, the government announced that in the coming years it will tens of millions of euros in strengthening cybersecurity and digital resilience of our country.
https://www.bnr.nl/nieuws/technologie/10491060/kritiek-op-nationaal-plan-cybersecurity-veel-mist-en-veel-gezwam
