Preparations for digital disruption should become stated goal of security policy

Most governments, international bodies and other major players have insufficient resources to respond adequately to incidents that will lead to digital disruption, inside or outside the digital domain. The cyber-security measures that have so far been taken are almost exclusively aimed at preventing incidents. This is the outcome of an analysis by the Netherlands Scientific Council for Government Policy (WRR), summarized in a report entitled Preparing for digital disruption. The WRR recommends that preparations for digital disruption be made a stated goal of security policy, and of policies that aim to safeguard the continuity of critical infrastructure.

©WRR

In recent years, all manner of disruptions have occurred in the digital realm. Most have been remedied swiftly, and their impact was limited mainly to inconvenience. However, the consequences of some of these incidents have been much more serious, the most concerning aspect being their effect on critical processes in society. This means that they jeopardize essential services such as healthcare, payment traffic, government services and the electricity supply. Moreover, the potential economic and social costs of such incidents are clearly rising. They can run into the hundreds of millions of euros for individual organizations and companies. Even worse, the potential for material damage and victims is growing, as society becomes ever more dependent on digital technologies – the growing reliance on digital means during the Covid-19 pandemic being a case in point.

However, it is striking that almost all cyber-security measures taken by governments and other major players, such as the EU, are aimed primarily at preventing incidents. In reality, there is no such thing as total digital security, but this uncomfortable message has systematically faded into the background. Whether inside or outside the digital domain, incidents can and will occur and may lead to disruption. Today, a raft of provisions, crisis contingency plans and legal regulations are in place to deal with the possibility of incidents in the ‘real world’. But when it comes to the area of cyber security, preparations for disruption have received much more limited attention. The analysis in Digital disruption shows that in most cases there are insufficient resources to respond adequately, certainly in view of the fact that such disruption may have adverse consequences in the physical and social realms as well, even including public confidence in constitutional democracy itself.

Better preparations for the risk of digital disruption would enable countries to act more effectively in the event of disruption, and to recover more quickly following a serious incident. The authors of this book not only offer a thorough analysis of the new risks and uncertainties that come with the digitization of our core societal processes, but also present some ideas on how to counter them. They range from a taxonomy of cyber incidents to new competencies for cyber agencies and a cyber pool to compensate for uninsurable losses. This book is of relevance for scholars, practitioners and government officials worldwide, and is particularly pertinent to European legislative processes such as the revision of the NIS Directive, aimed at protecting critical infrastructures. It is the English version of a report formerly presented to the Dutch government and is published in the Springer book series Research for Policy.