03.07.2015 Views

third Cyber Security Assessment Netherlands - NCSC


1 Interests

The National Cyber Security Strategy 2011 defines cyber security as follows:

Cyber security means being free of the danger of harm caused by the disruption, failure or inappropriate use of IT. The danger of harm caused by misuse, disruption, or failure can mean a restriction on the availability and reliability of IT, infringement of the confidentiality of the information stored in IT or harm to the integrity of this information.

Thus cyber security is about protecting information and the functioning of IT. When IT does not work properly or confidentiality and integrity of information are at risk, the interests of our society may be damaged. This chapter examines the relation between IT security and interests.

1.1 Importance of IT security to society

The increasing digitalisation of our society is apparent to practically everyone. It means that harm to IT security can have an ever-greater impact on our interests. In the context of cyber security we differentiate between four types of interests that need to be protected:

Individual interests
» Privacy
» Freedom of speech
» Access to services
» Physical safety

Chain interests
» Responsibility for information from citizens or customers
» Management of general provisions and systems such as GBA, iDeal and DigiD
» Dependency between organisations

Organisational interests
» Products and services
» Production resources (incl. money and patents)
» Reputation
» Trust

Social interests
» Availability of vital services
» Upholding of (democratic) rule of law and national security
» Infrastructure of the internet
» Free flow of services
» Digital security

Cyber security needs to consider all of these interests. These interests will have a different weighting for everybody and may be contradictory.

Individual interests<br />

These are interests that individuals deem important and seek to protect. Examples include basic rights such as privacy or the importance of freedom of speech as well as the security of someone’s digital identity and the importance of access to online services. From a European perspective, relatively large numbers of Dutch people use the internet for shopping (76 per cent) and banking (82 to 84 per cent). [3: CBS 2012] Compared with other EU Member States, Dutch people state notably often (28 per cent compared with an average of 13 per cent) that they have been unable to use online services because of cyber attacks. [12: EC 2013-1] [3] Privacy concerns are the main reason why 35 per cent of Dutch people choose not to use an internet service. [49: TNO 2012]

Organisational interests<br />

These are interests that an organisation depends on to achieve its objectives and/or its continued viability. A successful hacker can cost an organisation a considerable amount in recovering from or combating an attack, and hacking can also result in loss of reputation. It is not just attacks; compromising the integrity (accuracy, topicality, and/or completeness) of data can have very negative effects. For a webshop, availability and the website functionality are crucially important and failure can result in a sharp decline in turnover. If a chemical factory’s process control system fails or control is seized, safety could be seriously compromised.

Chain interests<br />

These are interests that transcend businesses. Examples include responsibility for information from citizens or customers and suppliers or the availability of digital services, but they also include the importance of basic provisions such as those for online payments. The chain’s interest is compromised when cyber attacks affect third parties, for example if personal information is leaked or where online services that other organisations depend on are no longer available. The partial failure of iDeal following cyber attacks in April 2013 is one example. [4]

Social interests<br />

These are interests that transcend the interests of the organisation and are important to Dutch society as a whole. Examples include the availability of essential services such as electricity. Cyber attacks against a company or sector may ultimately affect society as a whole. For example the long-term failure of payment transactions or the electricity supply as the result of a cyber attack could affect the economic interests of the Netherlands and lead to social unrest.

3 The period of measurement was March 2012, well before the cyber attacks in April/May 2013.<br />

4 http://tweakers.net/nieuws/88305/storingen-ideal-en-ing-kwamen-door-ddos-aanval.html<br />
