On 10 October, the Dutch government published the Dutch Cybersecurity Strategy (NLCS) 2022-2028, which builds on the Dutch Cybersecurity Agenda published in 2018. This strategy not only describes the ambitions for a digitally secure society, but also sets out the NLCS Action Plan 2022-2028. Many of the actions laid down in the plan can only be taken up together with stakeholders from both the public and private sector. However, this cooperation will not happen by itself. There are two main challenges.
The NLCS has four pillars: digital resilience of the government, companies and civil society organisations; secure and innovative digital products and services; countering digital threats from states and criminals; and, the cybersecurity labour market, education and the digital resilience of citizens. The strategy is wide-ranging, with more than 130 actions that must be carried out together with public, private and scientific organisations. To this end, an integral public-private management model will be established at the beginning of next year.
The bottom line is that 'cooperation' is essential to the strategy. It is stated that this cooperation can be voluntary, but not without obligation. Of course, cooperation is not mandatory in the current system. And ’voluntary’ can only be realised if partners (public and private) feel joint ownership.
Currently, public-private partnerships within the cyber landscape are mainly characterised by good intentions, but often lack reciprocity in cooperation. Private organisations share information, knowledge and expertise for the benefit of the national interest, certainly, but what do these organisations gain from it? In other words, what is the reciprocity of this cooperation? In our experience, this is often limited or non-existent.
The first challenge lies in achieving joint ownership. However, this can only be achieved if the government becomes more aware of the drivers and interests of the private sector and is prepared to respond to them. Those interests (for the short or long term) must be clear. Because an investment - as that is what cooperation is all about - is only made if one not only has the confidence that it serves the public interest, but also that it benefits one's own organisation in the long term. Think of financing cooperation processes or long-term forms of cooperation in which security of service plays a role. What, exactly, will be different from party to party, but must be determined for cooperation.
The second challenge is that there are more than 130 actions in the action plan in which private parties must also be involved for success. The concern is that these actions lay claim to the same parties, both public and private. Given the time and capacity required, it is not feasible, for any organisation, to be in countless partnerships at once. Prioritisation of these actions is therefore of the utmost importance.
An example in which both challenges come together is the sharing of security information - a crucial topic which has been the primary subject of conversation for years. We see that such information still does not end up in the right places. A number of activities have been included in the action plan to solve this problem. These actions should be the priority as far as we are concerned.
The first step must be for the intended cooperation parties to meet as soon as possible. Book a meeting room or book a number of workplaces at a startup location. Only through physical presence and consultation comes mutual understanding and trust. Only then do people understand each other's point of view. Because our experience is that only by getting to know each other, making mistakes together and repackaging together, is real cooperation and therefore also the necessary reciprocity achieved.
Fox-IT is ready and prepared to play its part, as we are always aiming to make society digitally safer and more secure.
Willemijn Rodenburg, Relationship Manager Government at Fox-IT