third Cyber Security Assessment Netherlands - NCSC

Introduction
Information Technology (IT) has penetrated the heart of
our society to the extent that nowadays we could not
function without it. Now more and more electronic,
software-driven devices are connected to the internet,
making them part of the cyber domain. This digitalisation
and connectivity is so advanced that we often don’t even
realise it is there, but our offices, households, factories
and shops are all part of this development. IT is thus an
important driver of innovation, increased productivity,
and economic growth.
Sometimes IT is fallible and vulnerable, while the information it
stores or exchanges is increasingly valuable. Many parties are keen
to exploit vulnerabilities and gain access to information so that they
can manipulate or publish it. Cyber security is thus an increasingly
important subject.
Given its crucial importance, a National Cyber Security Strategy [1] has
been formulated in 2012, in which one of the actions involves
conducting up-to-date analyses of relevant threats and risks. Indeed
cyber security – preventing and combating cyber attacks – requires
an overview of and insight into the developments and incidents that
do occur. This is needed to determine the course of (new) measures.
This third Cyber Security Assessment Netherlands (CSAN-3) is the
next step in the implementation of this line of action. The following
key questions are derived from the objectives of the assessment:
»»
What Dutch interests are harmed and to what extent by restricting
the availability and reliability of IT, infringement of the confidentiality
of information stored in IT or harm to the integrity
of such information and what developments are happening
here? (interests)
»»
What events and what activities by which actors may harm
IT interests, what tools do they use and what developments
are happening here? (threats)
»»
To what extent can the Netherlands defend itself against
vulnerabilities in IT, could these harm IT interests and what
developments are happening here? (resilience)
CSAN-3 delivers insights in response to these questions, continuing
to build on the previous assessments, which means it cannot be
seen as separate. The reporting period is April 2012 to March 2013,
but also includes relevant developments up to May 2013. The focus
is on Dutch national interests but it also includes developments of
interest elsewhere in the world. CSAN-3 presents the facts, describing
developments in qualitative terms and provides, where available
in trustworthy form, quantitative substantiation. Topics that are
unchanged or scarcely changed since the previous editions are not
described or only in brief. Interpretations are based on the valuable
insights and expertise gained from the government and the vital
sectors concerned.
Reading guide
This edition (CSAN-3) for the first time comprises a core assessment
and detailed sections. The aim of the core assessment is to provide
as clear and complete an insight as possible into changes in Dutch
‘Interests’ that could be harmed, the ‘Threats’ which influence
these and the extent to which society is ‘Resilient’ in the area of
cyber security. The core assessment (see figure below) is built on
the basis of the Interests, Threats and Resilience triangle that is in
line with the classification used in other threat assessments such
as for terrorism. [2]
Threats
Actors
Tools
Interests
Manifestation
Resilience
Vulnerabilities
Measures
Interests (Chapter 1) considers the Dutch interests that may be harmed
through encroachments to the availability and reliability of IT,
infringement of the confidentiality of information stored in IT or
1 National Cyber Security Strategy, a new version of this strategy is in preparation at the time of
writing.
2 Source: National Coordinator for Security and Counterterrorism (NCTV).
13