Digital resilience under pressure
The government has sent its response to the WRR report entitled Voorbereiden op digitale ontwrichting (Preparing for Digital Disruption) to the House of Representatives of the Netherlands. In its response (Dutch only), which also includes an evaluation of the Citrix problems, the government sets out how the public sector is preparing for digital incidents and the measures that are being taken to increase digital resilience. The government reaffirms the main recommendation by the WRR, that preparations for incidents should emphatically be part of national security policy.
Response and resilience
Using this observation as its starting point, the government gives extensive consideration to the recommendations made by the WRR. It also states the areas in which measures have been taken, or where further expansion of, amendments or additions to measures are needed. Among the measures referred to that have been taken is the National Digital Crisis Plan, which the Minister of Justice and Security sent to the House of Representatives in February. The crisis plan serves as the basis for understanding and clarifying the overall picture for those organizations and actors with a role in managing the social consequences and effects of a digital incident.
In its response to the WRR report, the government noted, among other things, that improvements could be made to the exchange of information about threats and measures. To that end, a joint operational platform is being set up for the NCTV (National Coordinator for Security and Counterterrorism), NCSC (National Cyber Security Centre), AIVD (General Intelligence and Security Service), MIVD (Military Intelligence and Security Service), NP (National Police) and the OM (Public Prosecution Service), which will concentrate on analysing cyber-related incidents and threats. It is also to be announced that the various ministries are making inventories of possible blind spots, vis-à-vis the Landelijk Dekkend Stelsel (national coverage system, or LDS). The setting up of sector-based cybersecurity organizations will be encouraged, wherever necessary. With this in mind, the national coverage partnership guidelines will examine the various roles and responsibilities in the LDS with regard to referrals of security recommendations.
Testing and insurance cover
In its response to the WRR recommendations on ‘practising with a digital fire’, the government states that the providers of essential services and central government organizations should be obliged to test their crisis management policies and systems. The government currently sees no reason to take additional measures for insuring against damage resulting from cyber incidents. “The government notes that, with regard to insurance cover, it is becoming increasingly common for damage resulting from cyber incidents to fall under normal company insurance policies and that more and more cyber-related policies are available.”
WRR report on digital disruption
In September 2019, the WRR published its report entitled Voorbereiden op digitale ontwrichting (Preparing for Digital Disruption). In the report, the WRR asserts that the public sector and other major parties are insufficiently prepared for digital disruption. Such preparations are precisely what is needed now that the digital and physical worlds are becoming increasingly interconnected.