Cyber WarfareMarch 21, 2012 - nr.77
Conclusions and recommendations
The problem of definition
- Cyber security can be threatened by cyber warfare, cyber espionage, cyber terrorism, cyber activism and cyber crime. These phenomena need to be defined to prevent them being confused with each other conceptually. This does not mean the threats are not interrelated. The techniques used are often similar; only the intended objective is different. Identifying the objective is particularly important when deciding upon the correct national response to a particular threat, if only to reduce the risk of overreaction.
- The AIV/CAVV therefore recommends that the government adopt clear and uniform definitions.
Internationally, too, governments and organisations need to agree on uniform interpretations if they are to make international agreements to address cyber threats.
The cyber threat
- The government observes that reliance on digital networks presents new security risks. In addition to cyber crime, which is largely outside the scope of this report, cyber espionage seems to be on the increase. However, more systematic and quantitative study is required of the extent of the various forms of cyber threat. Since the problem is transnational and available capabilities can accordingly best be pooled, the AIV/CAVV recommends that the government initiate such an independent study at EU and NATO level.
After land, air, sea and space, cyberspace is regarded as the fifth domain of military operations. What are the political and military objectives for which operational cyber capabilities should be developed, and how can they be deployed? What is the nature and role of operational cyber capabilities in military operations?
- Cyberspace is expected to be an important arena in every future conflict. However, a ‘cyber war’, fought with devastating consequences solely in cyberspace, is unlikely. The more clearly defined term ‘cyber warfare’ is therefore used in this report. Cyber warfare can be regarded as part of a military operation that includes other (non-cyber) dimensions.
- Operational cyber capabilities – part of the military capability – can be a means to achieve a political end. Their use requires a clear political framework. The existing national security strategy has a national focus. The AIV/CAVV recommends that operational cyber capabilities and developments in this area be included in an integrated strategy for domestic and foreign security policy.
- In addition to developing operational cyber capabilities, it is also important to invest in coherent ‘cyber diplomacy’ so that a broad pallet of well thought-out measures can be considered in response to concrete threats. These may range from exerting political pressure and imposing economic sanctions to pressing for criminal law measures and – in the final instance – the use of authorised force.
- The deployment of cyber capabilities must be conducive to the armed forces’ main objectives, for instance protecting national defence systems, gathering intelligence and disrupting, damaging or destroying an opponent’s computers and networks.
- Although cyber weapons are initially relatively inexpensive, planning a technologically complex attack requires specialised knowledge. Cyber weapons have a limited shelf life, their deployment often has indirect consequences and the aggressor is difficult to trace. But it is certainly possible to identify the aggressor with the aid of non-technological means.
- In the light of technological advances, the AIV/CAVV recommends that a review be conducted of whether the current distinction between wired and wireless data should be retained in the Intelligence and Security Services Act (WIV).
- The WIV rightly prohibits an intelligence service from using a local exploit in a military network attack aimed at changing or damaging a system. Any such attack must be conducted under the responsibility of the Chief of Staff of the Armed Forces with prior political authorisation. Further to this segregation of duties, clear procedural agreements must also be made within the armed forces in respect of cyberspace.
- It may be decided to use cyber attacks in military operations. In essence, this is the use of a military means – cyber capability – to achieve a political end. The operational deployment of cyber capabilities in conformity with applicable legal frameworks is limited by the technical characteristics of cyber weapons and the knowledge available within the armed forces. The AIV/CAVV therefore recommends that, for the time being, scarce defence resources be used to develop offensive capabilities on only a limited scale and that priority be given to improving the protection of defence networks and gaining an adequate intelligence capability in respect of the digital domain.
- Partly in view of the scarcity of technical knowledge and capability, the AIV would advocate an even more integrated approach at the National Cyber Security Centre. The Centre, operational as of January 2012, could develop in due course into a kind of national Computer Emergency Response Team (CERT) responsible for aggregated monitoring of vital networks, making more use of the capabilities already present at GOVCERT.NL, the Military Intelligence and Security Service (MIVD), the General Intelligence and Security Service (AIVD) and the Dutch Police Services Agency (KLPD), and complemented at times by commercial organisations and academic institutions. Where intelligence is concerned, there is also scope for more cooperation between the AIVD and the MIVD. The AIV/CAVV recommends combining the available capital- and knowledge-intensive signals intelligence (SIGINT) and cyber capabilities into a joint unit.
Under what circumstances can a cyber threat be regarded as the threat or use of force within the meaning of article 2, paragraph 4 of the UN Charter? Under what circumstances can a cyber attack be regarded as an armed attack against which force may be used for self-defence on the basis of article 51 of the UN Charter?
- Article 2, paragraph 4 of the United Nations Charter prohibits the threat or use of force in international relations. The prohibition includes armed force that has a real or potential physical effect on the target state. It also covers other forms of force that have led or could have led to death, injury or damage to goods or infrastructure.
- Under international law, the use of force in self-defence pursuant to article 51 of the UN Charter is an exceptional measure that is justified in armed cyber attacks only when the threshold of cyber crime or espionage is breached. For a cyber attack to justify the right of self-defence, its consequences must be comparable with those of a conventional armed attack. If a cyber attack leads to a considerable number of fatalities or large-scale destruction of or damage to vital infrastructure, military platforms and installations or civil property, it must be equated with an ‘armed attack’.
- An organised cyber attack on essential state functions must be regarded as an ‘armed attack’ within the meaning of article 51 of the UN Charter if it causes (or has the potential to cause) serious disruption to the functioning of the state or serious or prolonged consequences for the stability of the state, even if there is no physical damage or injury. In such cases, there must be a disruption of the state and/or society, or a sustained attempt thereto, and not merely an impediment to or delay in the normal performance of tasks.
- When exercising the right of self-defence in response to a cyber attack, the use of force must comply with the requirements of necessity and proportionality. The measures must be directed at ending the attack and preventing its repetition in the near future and there must be no viable alternatives.
- The principle of proportionality does not require a response to be of the same nature as the attack itself. A cyber attack that meets the criteria of an armed attack can justify a response with conventional arms.
- Taking measures against cyber aggression is lawful only if there is a sufficient degree of certainty regarding the origin and source of the attack.
When do the humanitarian laws of war apply to acts performed in the digital domain? Are they the same as those applying to the kinetic use of force? If so, how should we interpret the law-of-war principles of distinction and proportionality and the obligation to take precautionary measures?
- The humanitarian law of war applies only to armed conflict, international or otherwise. Cyber operations that do not breach the threshold of an armed conflict do not fall within the scope of the humanitarian law of war.
- Cyber attacks that are more than sporadic, isolated armed incidents and that (could) result in loss of life, injury, destruction or prolonged damage to physical objects may be qualified as armed conflict within the meaning of the humanitarian law of war. This is primarily the case where cyber attacks are conducted in conjunction with a kinetic attack. But it is also the case where a cyber attack – without the deployment of kinetic capabilities – causes destruction or prolonged and serious damage to computer systems that manage critical military or civil infrastructure, or seriously compromises the state’s ability to perform essential public functions and hence causes serious and longlasting damage to the economic or financial stability of the state and its population.
- In every armed conflict, international or otherwise, the rules on the conduct of hostilities apply to the deployment of all types, capabilities and methods of warfare, including those of a digital nature. These rules include the principles of distinction, proportionality and the taking of precautionary measures. Moreover, feigning a protected or neutral status with a view to conducting an attack, and misusing such a status (including an IP identity) as a shield against an attack are also prohibited.
In the digital domain, how should we interpret the international law concepts of sovereignty and neutrality?
- The right of neutrality applies in respect of the deployment of cyber weapons and capabilities. Where possible, it prevents belligerent parties from using computers or computer systems located in neutral territory and from attacking computer networks or information systems in neutral territory. A neutral state may prevent a belligerent party from using computers and information systems located in its territory or jurisdiction. The mere transmission of data through part of the internet located in neutral territory, however, does not constitute a violation or loss of neutrality.
To what extent can international standards of conduct for the use of the digital domain contribute effectively to increasing cyber security? Can we learn from experiences with existing codes of conduct, for example in the area of non-proliferation?
- Standards of conduct can apply to the protection of networks, cooperation in criminal matters, the application of international law and the exchange of information. The scope of existing agreements laid down in the Council of Europe Convention on Cybercrime needs to be extended. Significantly, the Convention states that countries must prosecute or extradite groups or individuals accused of committing cyber crime in third countries while in the territory of the state in question. This makes it easier to combat such illegal activities as large-scale illegal trade in malware and identity data. As concluded above, current international law applies to the digital domain as regards the use of force, the law of war and the principles of sovereignty and neutrality. It is therefore not necessary to agree a special ‘cyber treaty’. The AIV/CAVV thinks, however, that the application of international law would be significantly strengthened if states were to elaborate on these principles in an international code of conduct or declaration.
- In general, the private sector could assume more responsibility for protecting the critical infrastructure it operates. This could be achieved through better regulation of enterprises’ responsibilities and liabilities in this area. Assurances must also be given on the provision of a minimum level of service if part of the critical infrastructure fails.
- The AIV/CAVV would note that although the Dutch government is rightly an active proponent of freedom of expression on the internet, the Netherlands has not yet been as active in global talks to agree standards on conflict management in the digital domain. The AIV/CAVV recommends that the Netherlands participate in initiatives to agree standards in this area, such as a Group of Governmental Experts to be re-established by the UN Secretary-General.
- There is neither the opportunity nor the need to reach agreement on a global nonproliferation regime. There are significant differences between weapons of mass destruction and cyber ‘weapons’. Nor is there sufficient reason to impose and enforce export restrictions on certain digital technologies and software in order to protect national military and civil cyber infrastructure.
How can NATO and the EU apply the principles of common defence and deterrence and the solidarity clause to cyber threats? How can NATO and the EU improve information exchange for the purpose of analysing threats?
- NATO will likely be able to develop only modest offensive cyber capabilities to protect its systems and networks, i.e. for active defence. The conventional and nuclear capabilities of individual NATO members already act as deterrents, but their respective offensive cyber capabilities could be used in future NATO operations.
- The European Commission’s Directorates-General – in particular Home Affairs (HOME), Information Society and Media (INFSO), Justice (JUST) and Internal Market and Services (MARKT) – and the European External Action Service (EEAS) need to implement a joint strategy that will increase the coherence of their cyber security activities.
- Articles 4 and 5 of the NATO Treaty may be applied to attacks in cyberspace. Article 5 is worded so generally that it can cover all forms of armed force. Article 4 is not as extensive in scope and may be applied to cyber attacks that endanger national security but do not breach the threshold of an armed attack. In the event of a cyber attack, article 4 is the more likely of the two to be invoked.
- The EU’s mutual assistance clause (article 42, paragraph 7 of the TEU) will probably be invoked chiefly to express political support. The EU can however play a leading role in promoting cyber security in the private sector in the member states.
- The EU and NATO’s exchange of information on cyber security runs into the same familiar institutional obstacles as their cooperation in other areas. An additional problem is that any exchange in the near future will be chiefly one way given the EU’s limited policymaking and capabilities in the fields of common foreign and security policy and cyberspace. For the time being, the EU and NATO will have to exchange as much intelligence as possible through informal channels, with due regard for privacy rules.
Mr F. Korthals Altes and Professor M.T. Kamminga
Chairs of the Advisory Council on International Affairs and the
Advisory Committee on Issues of Public International Law
2500 EB The Haque
Date 30 August 2011
Re Request for advice on digital security
Dear Mr Korthals Altes and Professor Kamminga,
Our dependence on digital networks has given rise to new security risks, as is recognised in NATO’s new Strategic Concept and the Netherlands’ Cyber Security Assessment.
In February 2011, the Government presented the National Cyber Security Strategy. In accordance with the policy letter ‘Defence after the credit crisis’ of 8 April 2011, we have been investing additional resources in digital resilience at the Ministry of Defence and the development of operational cyber capabilities.
Against this background, we, the Minister of Foreign Affairs and the Minister of Security and Justice, wish to ask the Advisory Council and the Advisory Committee to answer two general questions: What do developments in the digital domain mean for Dutch foreign policy as well as security and defence policy? And how can international cooperation contribute to effective protection against cyber threats?
We would also ask you to address the following specific questions:
- After land, air, sea and space, the digital domain is regarded as the fifth domain of military operations. What are the political and military objectives for which operational cyber capabilities should be developed? And how can they be deployed? What is the nature and role of operational cyber capabilities in military operations?
- To what extent and in what ways is the existing international law framework relevant to acts performed in the digital domain, especially cyber violence?
• Under what circumstances can a cyber threat be regarded as the threat or use of force within the meaning of article 2, paragraph 4, of the UN Charter? Under what circumstances can a cyber attack be regarded as an armed attack against which force may be used for self-defence on the basis of article 51 of the UN Charter?
• When do the humanitarian laws of war apply to acts performed in the digital domain? Are they the same as those applying to the kinetic use of force? If so, how should we interpret distinction and proportionality (two important principles of humanitarian law governing warfare) and the obligation to take precautions?
• In the digital domain, how should we interpret the international law concepts of sovereignty and neutrality?
- International cooperation is indispensable to cyber security.
• To what extent can international standards of conduct for the use of the digital domain contribute effectively to increasing cyber security? Can we learn from experiences with existing codes of conduct, for example in the area of non-proliferation?
• How can NATO and the EU apply the principles of common defence and deterrence and the solidarity clause to cyber threats? How can NATO and the EU improve information exchange for the purpose of analysing threats?
Given the speed of change in cyber security, we would appreciate receiving a concise advisory report as soon as possible.
Minister of Foreign Affairs
Minister of Defence
Government response to the AIV/CAVV report on cyber warfare
On 17 January 2012 a joint committee of members of the Advisory Council on International Affairs (AIV) and the Advisory Committee on Issues of Public International Law (CAVV) presented an advisory report on cyber warfare. The government is grateful to the AIV/CAVV for its in-depth study of this issue. It is a valuable contribution to the debate on cyber security and will aid the government in clarifying and consolidating policy in this field. The report supplements the National Cyber Security Strategy which focuses on protecting national security and tackling cybercrime (Parliamentary papers 26643, no. 174). It also supplements the Cyber Security Legal Framework sent to the House of Representatives on 23 December (Parliamentary papers 26643, no. 220).
The main points of the government’s response are as follows.
- The cyber threat we face demands a comprehensive strategy. The advisory report is concerned with supplementing the national approach. To do this, the existing crisis management system will have to be reviewed.
- Cyberspace is a new theatre of operations for the armed forces. The Ministry of Defence is investing in measures to greatly strengthen existing capabilities and develop new (including offensive) capabilities.
- The right of self-defence also applies to cyber attacks.
- The government sees no need for a new global ‘cyber treaty’, although it will work to promote a practical framework for the application of international law in cyberspace.
- Though NATO cyber policy is defensive, discussion of the use of offensive capabilities will become necessary at some point. Article 5 of the NATO Treaty also applies to cyber attacks.
- A comprehensive EU approach is required.
2. The cyber threat
The government sees the growing threat in cyberspace to national interests and the increase in technologically advanced cyber attacks as cause for concern. Espionage, sabotage, crime and cyber terrorism constitute a direct threat to national security. This was one of the conclusions of the first National Cyber Security Assessment (CSBN) completed in December 2011 (Parliamentary papers 26 643, no. 220). Without wishing to play down the seriousness of the threat, the government endorses the AIV/CAVV’s conclusion that further study is needed. The CSBN, coordinated by the National Cyber Security Centre (NCSC), is a valuable instrument for this purpose. It will be further refined in the next few years, with specific emphasis on improving the quality and quantity of the data it contains.
A secure and properly functioning digital network is essential to the Netherlands, with its open and internationally oriented economy and strong service sector. The comprehensive approach set out in the National Cyber Security Strategy will continue to be the basic principle underlying government policy. This was the basis for the establishment of the NCSC, which is a public-private partnership. A joint, public-private and civil-military approach is required because the nature, extent and level of complexity of an attack will not always be clear. Nor will the ultimate aim (criminal, ideological, military or political) of the attacker. This makes it difficult to determine the legal basis of the response and the resources required. In organising a joint approach it is important for roles, tasks and responsibilities to be clearly defined. On the initiative of the National Coordinator for Counterterrorism and Security (NCTV), the existing crisis management system will be reviewed to see whether it is capable of dealing swiftly and effectively with large-scale digital disruption. As the AIV/CAVV rightly points out, it is also important to invest in coherent ‘cyber diplomacy’.
3. The armed forces – theatre of operations
The large-scale use of ICT by the armed forces enables them to perform their tasks more effectively and efficiently, but also increases their vulnerability. Operating in cyberspace is therefore an issue of fundamental importance to them. Without a smoothly functioning ICT infrastructure the armed forces simply cannot carry out their duties. Virtually all weapons and sensor systems have ICT components, while both command and control and logistical support are dependent on digital systems. Disruption of the armed forces’ ICT infrastructure will thus jeopardise their effectiveness and ability to continue functioning. The priority is therefore to safeguard the reliability of military networks, weapons systems, intelligence and command and control systems, and to prevent the theft of information.
At the same time, cyberspace provides a new theatre of operations for the armed forces which, as the AIV/CAVV rightly notes, ‘is expected to be an important arena in every future conflict’. Since the networks of potential opponents are, like our own, vulnerable, cyberspace can also be used to enhance our intelligence capability and to carry out military operations. The rise of cyberspace as a theatre of operations strengthens the current trend whereby traditional warfare is giving way to a more hybrid and multifaceted model of conflict in which the use of ICT plays an ever-growing role. This picture is further complicated by the fact that it is difficult to establish where cyber attacks originate and who is behind them. In addition, the AIV/CAVV rightly concludes that a ‘cyber war’, fought solely in cyberspace, is currently an unlikely prospect. What is probable, however, is that operational cyber capabilities will be deployed frequently in the near future, either independently or in support of regular military operations. To this end, offensive operational cyber capabilities will have to become part of the total military capability of the Dutch armed forces. The armed forces must have sufficient capability to be able to respond adequately and effectively in all circumstances and against every opponent.
An excellent intelligence capability is a basic requirement for the defence apparatus to be able to function and operate in cyberspace. With regard to addressing the issue of attribution, the AIV/CAVV concludes, correctly, that the intelligence and security services have an important role to play. The intelligence gathering and counter-intelligence work of the Military Intelligence and Security Service (MIVD) do not constitute offensive activities. The intelligence in question is gathered, within the constraints of the Intelligence and Security Services Act 2002 (WIV 2002), from closed sources.
The AIV/CAVV believes that in light of technological advances a review should be conducted of whether the current distinction between wired and wireless data should be retained. This is supported by the conclusions of the Intelligence and Security Services Review Committee (CTIVD) in its recent supervisory report (no. 28) on the use of signals intelligence (SIGINT). The government is of the opinion that this distinction cannot be maintained. It is therefore preparing an amendment to the WIV 2002 which will have to make a careful assessment of privacy issues and take account of the effects on providers of electronic communications networks. The House of Representatives will be informed on progress with the amendment in the course of 2012.
Strengthening the cyber capabilities of the armed forces
Following the meeting to discuss matériel on 7 November 2011, the Minister of Defence undertook in answer to a question from MP Marcial Hernandez to address the cyber activities of the armed forces in this response. That undertaking is fulfilled here. The degree to which the activities described can in fact be performed depends on the financial resources available. For policy development purposes, a defence strategy for cyber operations is being drawn up in close consultation with national and international partners. The strategy will be finalised and presented to the House before the summer.
A cyber programme manager has been appointed and Cyber Task Force set up under the authority of the Chief of Staff of the Armed Forces (CDS). The programme manager is responsible for coordinating all cyber-related activities within the defence apparatus. In the short term, the priority is to strengthen defensive and intelligence capabilities. In the medium term, the focus is on establishing a Defence Cyber Expertise Centre (DCEC) by the end of 2013 and a Defence Cyber Command Centre (DCC) by the end of 2014. The DCC will coordinate cyber operations within the defence apparatus and will be responsible for the interface between the various cyber capabilities of the different parts of the armed forces. The Royal Netherlands Army Staff (CLAS) will play a major executive role in the operational arena.
As the AIV/CAVV also notes, recruiting and retaining sufficient numbers of properly qualified staff will present a major challenge. In view of the need for qualified specialists in other sectors, here too the Ministry of Defence will have to work closely with other public and private parties so as to make the most effective joint use of scarce human resources. Consultations are already taking place between ministries and with companies and universities. The potential for creating a pool of ‘cyber reservists’ is also being explored.
Defensive measures focus on enhancing protection of networks and of weapons and control systems. The Ministry’s Computer Emergency Response Team (DefCERT) is partly responsible for the security of these networks and systems and must be fully operational by mid-2013 to protect the most sensitive defence networks around the clock. Capacity will be expanded further in the period leading up to 2016 to include other networks and weapons and control systems. DefCERT is due to conclude a voluntary agreement with the NCSC establishing a framework for intensive cooperation (information exchange and support) in the event of a disaster.
At the same time, the Cyber Task Force will be developing an offensive capability and drafting a cyber doctrine for the armed forces. The AIV/CAVV notes that the same technology is often used for offensive operations as for intelligence purposes. Achieving an offensive capability therefore requires the efficient deployment of all the scarce cyber capacity (including intelligence capacity) within the defence apparatus. In developing this offensive capability, the AIV/CAVV’s recommendation on separating the duties of the CDS and the director of the MIVD will be taken into account.
In the period from 2012 to 2015 the MIVD will increase cyber intelligence capacity. The first step was taken with the addition of nine FTEs as of 1 January 2012. What is more, the MIVD and the General Intelligence and Security Service (AIVD) are stepping up cooperation in the field of cyber and signals intelligence, which should culminate in the establishment of a joint unit for gathering SIGINT and cyber intelligence.
Within the defence apparatus, developing and securing knowledge regarding the cyber threat is the primarily the responsibility of the DCEC. The first priority is to increase awareness of the threat among personnel. An interactive environment consisting of e-learning modules, a simulation and a knowledge base will soon be available for training purposes.
Investment will also be made in research. In 2012 a senior lecturer in Cyber Studies will be appointed and a research group set up at the Netherlands Defence Academy (NLDA), while on 1 January 2014 a chair in cyber defence studies will be established. A wide-ranging cyber research programme was launched at the Netherlands Organisation for Applied Scientific Research (TNO) in January 2012. The defence research programme is part of a national cyber security research agenda that aims to make the most effective use of the available research budgets.
4. The international legal framework
Use of force and the right of self-defence and jus ad bellum
The findings of the AIV/CAVV with regard to the use of force and the right of self-defence are largely in line with the government’s position. Particularly relevant is its conclusion that cyber attacks are subject to the same rules as the use of force in the physical domain. In the advisory report the existing rules of international law on the use of force are strictly applied to cyber attacks, fully echoing the government’s views. The AIV/CAVV concludes that both state and non-state actors can carry out an armed attack within the meaning of the UN Charter against which the use of force for the purposes of self-defence is permissible. The government endorses this conclusion and emphasises that it constitutes a significant legal development.
The government also endorses the AIV/CAVV’s conclusion that attribution presents a substantial challenge where cyber attacks are concerned. It concurs with the AIV/CAVV’s view that force may be used in self-defence only if the origin of the attack and the identity of those responsible are sufficiently certain. It also concurs with the view that the use of force in response to an armed cyber attack must comply with the international law requirements of necessity and proportionality.
International humanitarian law (jus in bello)
The government shares the AIV/CAVV’s conclusion that applying the rules of international humanitarian law (jus in bello) to hostilities in cyberspace is ‘technically feasible and legally necessary’. However, it also agrees with the AIV/CAVV’s view that armed attacks in cyberspace only fall under the laws of war if they are carried out in the context of an armed conflict by the parties to that conflict. This constitutes an important distinction with regard to other cyber attacks. The advisory report examines the issue of armed conflict initiated by a cyber attack and gives some useful examples of the practical application of the basic principles of the laws of war to cyber warfare.
The government regards the AIV/CAVV’s elaboration of the concept of neutrality in relation to the deployment of cyber weapons as a useful starting point for further thinking on this subject. In an armed conflict involving other parties, the Netherlands can protect its neutrality by impeding the use by such parties of infrastructure and systems (e.g. botnets) on Dutch territory. Constant vigilance, as well as sound intelligence and a permanent scanning capability, are required here.
Like the AIV/CAVV the government sees at present no need for a new, global cyber treaty. It believes that existing rules of European and international law suffice with regard to cyber attacks. It does however support the recommendation in the report to give more political weight and practical effect to the application of international law in the digital domain through the introduction of a code of conduct.
5. International cooperation
The interlinked and interdependent nature of ICT systems worldwide makes international civil-military and public-private partnerships indispensable. Close, bilateral consultations to this end are being held with the United States, the United Kingdom, Germany, Australia and the other Benelux countries. The potential for closer cooperation with Canada, France and the Scandinavian countries is being explored.
As the AIV/CAVV observed, the Netherlands plays an active role in discussions on standards of conduct in cyberspace, mainly in order to preserve a free and open internet and offer a counterweight to countries wishing to restrict the free use of internet and media in the name of security and combating cyber crime. At the same time, the government acknowledges the importance of avoiding potential conflicts between countries resulting from cyber incidents. The Netherlands will pursue these aims in the appropriate forums. It also believes it is essential for businesses to shoulder their responsibilities when it comes to the export of technologies that could be used by governments for repressive purposes. In the interests of protecting human rights, the Netherlands considers it important for businesses not only to engage in self-regulation but also to have a framework in which to take decisions on the export of their products. It is therefore pressing for an expansion of the EU Dual-Use Regulation. This would make it possible to impose an ad-hoc licensing obligation for individual cases if there are indications that items will be used, partly or solely, for the commission of human rights violations.
NATO’s new Strategic Concept was followed up by a cyber defence policy, adopted in June 2011. As the AIV/CAVV notes, where cyber threats are concerned NATO is focusing primarily on strengthening its defensive capability. Partly owing to pressure from the Netherlands, the policy now addresses the need for more intensive information exchange, the development of a joint threat assessment and the importance of EU-NATO cooperation. The government also believes that in the longer term, NATO will have to develop a doctrine on the deployment of an offensive cyber capability. The decision on any collective response to a cyber attack would be taken according to the existing procedures. In the digital domain, as elsewhere, it is not always easy to establish when article 5 would come into operation. That is always a question that must be tackled at political level.
The government shares the AIV/CAVV’s view that the EU would benefit from a comprehensive, coordinated approach to cyber security. Last year the European Commission launched its internal security strategy, which identifies raising levels of security for citizens and businesses in cyberspace as one of five priorities. The House of Representatives was informed of this on 19 January 2011 (Parliamentary papers 32317 no. 32). At the beginning of this year, European Commissioner Neelie Kroes announced plans for a European internet security strategy. The Netherlands supports these developments and will put its expertise, for example in the areas of threat assessment and public-private partnerships, at the Commission’s disposal. In addition, the Netherlands is urging the Commission to give external, geopolitical considerations a clearly defined place in the EU approach to cyber security.