Several groups in the House of Representatives are questioning the Cabinet's intention to expand the Network and Information Systems Security Act (Wbni). They fear that the privacy of citizens will be at stake. The House therefore wants Justice and Security Minister Yeşilgöz-Zegerius to continue evaluating the law if it is passed.
Several groups expressed their concerns about the new cybersecurity law Monday during a debate (1) on the Wbni.
Digital threats are growing by the day. This is because our country has a high-quality digital infrastructure. Moreover, the corona pandemic has caused the digitization of processes to accelerate.
Digitization brings all kinds of benefits, but it also has a downside. "The dependence on digital processes has also made us vulnerable to outages and to the activities of malicious actors," the National Coordinator for Counterterrorism and Security (NCTV) and the National Cyber Security Center (NCSC) warned in the report Cybersecurity Assessment of the Netherlands 2022 ( 2).
"For society to function undisturbed as a society, resilience against digital threats is crucial," the report's authors said. However, investments to increase our country's digital resilience are lagging behind. Basic measures are also far from being in place everywhere. This puts our country at great risk if hit by a cyber attack.
"Despite efforts to increase resilience, there is skewing with the increasing threat. That skew increases the risk of disruption to our society," according to the NCTV and the NCSC. The Port of Rotterdam Authority (3), the Central Bureau of Food Trade (CBL) (4) and KPN shared their concerns about the possible consequences of cyber attacks with the House of Representatives early this month.
Awareness about the dangers of cyberattacks to our society have penetrated the cabinet. "The government lags behind in digital resilience. Privacy (5) also remains a concern. Incidents often have serious consequences, both financially and for trust in government. Information security is of strategic importance and it requires continued attention," State Secretary for Digitalization Alexandra van Huffelen wrote in a letter to the House of Representatives last summer (6).
The secretary of state came up with the plan to pay more attention to Red Team exercises. These include employees who actively search for vulnerabilities and exploits in applications to penetrate internal company systems. In addition, the cabinet says it is doing everything possible to bring in and retain "young digital talent."
Furthermore, the government is investing in knowledge and expertise in the workplace. Civil servants working for the central government will receive mandatory basic training on digital resilience from 2024 (7). The cabinet also wants to criminalize several forms of espionage (8). However, the Council of State has reservations about the current bill to regulate this (9).
Another important tool of the cabinet to strengthen the digital resilience of our country is the "Temporary Act Investigations AIVD and MIVD to Countries with Offensive Cyber Program" to, or the Temporary Act for short (10).
The law gives the security services more freedoms to use their powers, such as the investigative orderly interception (OOG-I) and hacking powers. Supervision of the services will be limited by the law and shifted to ex-post monitoring. The law is scheduled to expire four years after enactment.
A final measure that the cabinet plans to implement to strengthen our country's digital resilience is to expand the Network and Information Systems Security Act (Wbni). This law stipulates that the NCSC may only share current threat information with companies and organizations operating in the vital infrastructure, such as financial institutions, Internet service providers and utility providers.
To get around this obstacle, the cabinet wants to expand the Wbni. Although parliament has not yet officially approved this, the NCSC is nevertheless already allowed to share relevant threat and incident information with non-vital companies and organizations.
Several members of the House of Representatives expressed concerns about citizens' privacy at Monday's debate. Among other things, they fear that personal data will be shared that may be used for other purposes. Marieke Koekkoek (Volt) fears that this data, among other things, may be used in court even though it was not shared for that purpose.
The SP is also very concerned about possible privacy breaches. "With information that you once received from a warning, very ugly things can also happen," Renske Leijten said Monday during the debate. She asked Minister Yeşilgöz-Zegerius to lay down in the law which data may be shared and when it must be deleted. Finally, the SP member asked that the law be permanently evaluated. She submitted a motion on this (12).
Queeny Rajkowski (VVD) asked the Minister of Justice and Security which organization shares threat information with which parties. She also came up with the proposal to give the Dutch Institute for Vulnerability Disclosure (DIVD) a larger and more formal role in digitally protecting the Netherlands by constantly scanning the Internet for vulnerabilities. The exact wording of her request can be found in this motion.
That the Cabinet is willing to dip into its pockets to improve our country's digital resilience was evident on Budget Day. VPNGids.nl studied the budget documents of the Ministry of Justice and Security, the Interior and Kingdom Relations, and Economic Affairs and Climate. The documents showed that the government will invest millions of euros in cybersecurity in the coming years (14).
The budget of the NCTV rises to 54.9 million euros next year. The NCSC will receive an additional 16 million euros this year. In the coming years that amount will increase to 42 million euros. The Public Prosecutor's Office will receive an additional 12 million euros to "bring the knowledge and capacity to deal with cybercrime (15) up to standard."
The budget for the Personal Data Authority will increase from 37.8 million euros to 41.4 million euros between 2024 and 2027. The yet-to-be-announced algorithm watchdog will be attached to the privacy watchdog. The budget of the AIVD increases to 86.5 million euros in 2027. The budget of the MIVD rises from 17.2 million euros to 35.8 million euros in 2023. In 2024, the budget of the MIVD will reach 71.7 million euros.
The Ministry of EZK will receive an additional 6.6 million euros in 2023 to improve cybersecurity in our country. From 2027 that amount increases to 16.1 million euros. Agency Telecom will receive 41.4 million euros from the state budget next year. In 2027, this amount drops to 39.5 million euros.
1) https://www.tweedekamer.nl/debat_en_vergadering/commissievergaderingen/details?id=2022A06034
2) https://www.vpngids.nl/nieuws/kans-op-ontwrichting-door-hackers-is-groot/
3) https://www.vpngids.nl/nieuws/havenbedrijf-rotterdam-bezorgd-over-potentiele-cyberaanvallen/
4) https://www.vpngids.nl/nieuws/cbl-supermarkten-zien-groter-dreigingsniveau-door-cybercriminelen/
5) https://www.vpngids.nl/privacy/
6) https://www.vpngids.nl/nieuws/cybersecurity-en-privacy-krijgen-prioriteit-bij-nieuw-beleid/
7) https://www.vpngids.nl/nieuws/ambtenaren-krijgen-verplichte-basistraining-digitale-weerbaarheid/
8) https://www.vpngids.nl/nieuws/kabinet-wil-meer-vormen-van-spionage-strafbaar-stellen/
9) https://www.vpngids.nl/nieuws/raad-van-state-kritisch-over-uitbreiding-strafbaarheid-spionage/
10) https://www.vpngids.nl/nieuws/aivd-nederland-stond-vorig-jaar-continu-bloot-aan-cyberaanvallen/
11) https://www.vpngids.nl/nieuws/overheid-gaat-ook-niet-vitale-bedrijven-dreigingsinformatie-verstrekken/
12) https://www.tweedekamer.nl/kamerstukken/moties/detail?id=2022Z17706&did=2022D37577
13) https://tweedekamer.nl/kamerstukken/moties/detail?id=2022Z17705&did=2022D37576
14) https://www.vpngids.nl/nieuws/kabinet-investeert-miljoenen-in-cybersecurity/
15) https://www.vpngids.nl/veilig-internet/cybercrime/
