Dutch cybersecurity strategy lacks cybersecurity sector input

The Dutch Cybersecurity Strategy (NLCS) was presented to Parliament on 10 October 2022 (Parliamentary Paper 26 643, no 925). At the time, the government promised to come up with a model for steering NLCS implementation by early 2023. The government has kept that promise; on 15 May, Parliament was informed about this steering model. It involves setting up all kinds of bodies and committees. Worryingly, although 'science' and 'private cooperation' are mentioned, they are not an active part of the steering process. It is an administrative circus with many layers, while contributions from science and cybersecurity companies are indispensable for the success of the strategy.

The outline of the model is as follows. Guidance on implementation is vested in the Defence, International and Economic Security Council (RDINEV). RDINEV is a sub-council of the Council of Ministers. The prime minister and the ministers of the various ministries, such as Defence, Foreign Affairs, Justice and Security, Finance, Economic Affairs and Climate, etc., sit on RDINEV. As far as this dossier is concerned, RDINEV's meetings are in turn prepared by the official Defence, International, National and Economic Security Committee (CDINEV). This committee is chaired by General Affairs or Foreign Affairs.

Effective cooperation? 

Since the Minister of Justice and Security is coordinating minister for cybersecurity matters, she indicates that she is responsible for "optimal functioning of the cybersecurity system and I [Minister of Justice and Security] direct the implementation of the strategy by facilitating, supporting and stimulating it." In addition to the official circus described above, she has also set up official steering under the chairmanship of NCTV. This should be the steering committee that has insight into the progress of the strategy's implementation and - and here it comes - that is committed to effective cooperation between public, scientific and private parties. Cooperation, but no steering. And all this while science and private organisations have repeatedly - and we are talking dozens of times! - been mentioned as parties needed for the success of numerous action points underlying the strategy.

Screaming in the desert 

Those who are not part of the steering process will not feel ownership and commitment. Ownership can only be obtained when you feel responsible for something, it has value and you have control over it. Active involvement can only be achieved when you value something and feel in control (of the process). This is not the case now, given the absence of private and scientific institutions from the steering committee. Companies and scientific institutions are allowed to contribute insights, within a test yet to be defined, which can(!) give rise to adjustments. Whether these are listened to is determined by the steering committee, which, once again, does not include private and scientific parties themselves. So they risk calling out in the desert, especially if that desert is an area into which government does not like to venture.

Not even in the Cyber Security Council 

Then there is the Cyber Security Council (CSR), from which advice is also sought on strategic developments that may be considered for possible adjustment - not 'steering'. The CSR consists of representatives from public, private and scientific organisations. However, there is currently no representative of the cybersecurity sector on the council. So the sector that collectively monitors the bulk of the Netherlands, tackles security incidents and performs ethical hacks is currently not represented in the CSR!

Monitoring and responsibility 

The cybersecurity sector is currently contributing to a safe(r) society in many ways by sharing knowledge, expertise and intelligence with public organisations.  

The least the Minister should do to make the NLCS succeed with regard to the action points focusing on public-private partnerships is to give the cybersecurity sector a sense of control by making it part of the steering process. Therefore, put the CSR (representative) on the steering committee and ensure that the CSR is expanded to include representation from the cybersecurity sector.

Then, and only then, is there hope that cybersecurity companies will gain a sense of control and thus want to take responsibility for adding value - even more than they already do - not only to their own organisation and the government, but above all to a secure society.