“Intensification of civil-military cooperation”. Some comments on the recent Dutch National Cyber Security Strategy on incident response  18.3.11

In February, the Dutch Ministry of Security and Justice released its “National Cyber Security Strategy (NCSS) – Success through cooperation.” (govcert.nl) Section 5.4, “Response capacity for withstanding ICT disruptions and cyber attacks”, is particularly interesting and highlights the ongoing transformation of the organisational landscape. While the strategy’s briefness makes a refreshing change for lazy readers like us, is also raises a couple of questions.

• In the summer of 2011 the cabinet will publish the National ICT Crisis Plan. This plan will include a exercise plan, which aligns both national and international exercises.
• The ICT Response Board (IRB), a public-private joint venture which gives the crisis decision making organisations advice on measures to combat or counteract large-scale ICT disruptions, will come into operation in 2011 and will be placed as a function in the National Cyber Security Centre.

Similar to Europe’s EP3R strategy (European Public Private Partnership for Resilience), Dutch governments bets on public-private cooperation. Obviously, states can’t claim sole responsibility for internet security neither on the governance, let alone on the operational level. Major, to say the least, chunks of the internet (as an infrastructure) consist of private networks (ISPs) and “owned” components. Nevertheless, internet security governance departs from traditions of internet governance inasmuch as it doesn’t even try to pretend to have the shiny facade of a liberal, open, democratic and a what-else kind of multistake-holderism. In internet security governance, governments and their international agencies haven taken the driver’s seat – at least when it comes institutionalisation and organisation of internet security.

Anyhow. Coming back to the Dutch strategy, I’m looking forward to reading the fine print of the ICT Response Board, e.g. funding, oversight, judicial form, members, non-members. But, I’m sure, we’ve yet to see the inclusion of the highly acclaimed civil society into internet security governance matters.

• Internationally focus will be on reinforcing the cooperation in the operational response between the CERT organisations in Europe and besides that the goal is to reinforce the International Watch and Warning Network (IWWN) which currently functions as informal globally operating consultation in the event of ICT incidents.

I’ve seen that International Watch and Warning Network (IWWN) mentioned numerous times, though I have yet to find a thorough description of it. New Zealand’s Centre for Critical Infrastructure Protection has the following: “The IWWN was established in 2004 to foster international collaboration on addressing cyber threats, attacks, and vulnerabilities. The IWWN provides a mechanism for participating countries to share information to build global cyber situational awareness and incident response capabilities.” Members: AZ, CA, FI, FR, DE, HU, IT, JP, NL, NZ, NO, SW, CH, UK, US. According to the Dutch strategy paper, it “functions as informal globally operating consultation in the event of ICT incidents”.

• The social impact of a large-scale terrorist attack on or via the Internet can be substantial. The Terrorism Combating Alerting System (ATb) will therefore be expanded with a cyber component and drills will be carried out.

How will this “Terrorism Combating Alerting System” be linked with privately owned networks?

• The Ministry of Defence is developing knowledge and capacities to be able to operate effectively in the digital domain. The maximum goal is to achieve options for the exchange of knowledge and expertise with civil and international partners. In addition, studies will be carried out on how the Ministry of Defence can make knowledge and capacities available for its third (primary) task within the ICMS (intensification of civil-military cooperation) agreements.

“Exchange of knowledge”, “intensification of civil-military cooperation”. I’m wondering what the stance of the Dutch and other Western governments on the Estonian idea of a “cyber army”, i.e. the potential subjugation of the internet security community under military command lines, is.

• A cyber education and training centre (OTC) will be founded.
• In order to further enhance the resilience of the own networks and systems, the tasks of the Defence Computer Emergency Response Team (DefCERT) will be further expanded in the coming years. In addition, investments will be made in increasing the security awareness among the personnel and there will be accreditation of systems and processes.

Strings of vagueness attached: The role of military CERT appears to be restricted to defending military networks. Given the common technical foundation of both cyber-annoyances and incidents touching “national security”, how could that work?