July 3, 2017

Cyber Security Risk Assessment (CSRA) for the Economy

Society is digitising. The five most valuable companies in the world are ICT companies. The Dutch population makes extensive use of the Internet, and the government is also focusing increasingly on the use of digital means. This digitisation also involves an increase in the economic importance of cyber security. Cyber security contributes to economic opportunities, and prevents damage caused by ICT failure or disruptions, whether caused unintentionally (e.g. software problems) or intentionally (e.g. by cyber criminals).

These are the main findings of this report:

•    State-sponsored hackers (hackers working on behalf of a country) are aiming to intervene in political parties and democratic institutions and processes, also in the Netherlands. These interventions put pressure on international economic relationships, thus harming the economic interests of the Netherlands as a small, open economy.
•    In the Netherlands, 11% of the population has indicated that they have been a victim of cybercrime. This is a slight decrease from last year.
•    Cybercriminals derive scale advantages from a digital infrastructure (e.g. for anonymous communication and the anonymous exchange of money). The international nature of cybercrime limits the possibilities of law enforcement agencies to counter these economies of scale. This means the chances of being caught are slim and the profitability of such criminal activity remains high. Timely international collaboration may aid an effective response.  
•    Intelligence agencies use software vulnerabilities (‘zero-days’). Unlawful publication of such information immediately leads to a less safe ICT environment for users, as well as to societal damage. An assessment framework and a response strategy are policy options that may mitigate or prevent such damage. An assessment framework helps to determine whether a zero-day vulnerability could be used for intelligence purposes or should be reported to the software provider involved. In cases of leaked zero-day information, a well-prepared response plan limits societal damage. 
•    Encryption enables the protection of intellectual property, competition-sensitive information and personal data, around the world. Weakened encryption due to built-in ‘back doors’ reduces the level of protection. However, such back doors also make it easier for intelligence agencies to analyse large-scale communication.  
•    Relatively little is known about the magnitude of the damage caused by cybercrime. As a result, ICT users may be insufficiently aware of the risks. Awareness can be increased by more information becoming available, for example, through statistical research or increased corporate transparency.
•    It may sometimes take years before large data leaks and other cyber incidents come to light. This is why reputation mechanisms function less optimally, which increases the importance of encryption, preventive supervision and security standards.
•    Incidents at hospitals and municipalities show that the risks of data leaks particularly relate to local administrative data flows.  
•    A mandatory public infrastructure for the exchange of data in the health care sector can simplify compliance with standards, prevent the dependence on a single private party, and provide citizens with insight into who has access to their data. Whether the benefits outweigh the risks could be investigated. 


Bas Straathof
Anne Marieke Braam
Tatiana Kiseleva