In contrast to the Russian Federation's focus on control through sovereignty, the Dutch cyber-security development has been shaped by its beliefs in the importance of cooperation, self-regulation, and individual responsibility in a multi-stakeholder model (MODNL, 2012; MOJNL, 2011; NCTV, 2013). These beliefs significantly influence the approach of the Netherlands to cyber-security and will be used to answer the sub-question: “How is the development of international cyber norms framed within the Netherlands' approach to cyber-security?”
International Law and Human Rights
The Netherlands' approach to cyber-security is framed as one with a strong connection to, and belief in, the effectiveness and functioning of international law. With its limited international power and open economy, the realisation of the Netherlands' interests is dependent on an effective and stable international legal order, one which ensures the stability, prosperity, and security of the Netherlands (MFAISSNL, 2013; NCTV, 2018). It is particularly important for the Netherlands' economic security that other states can be held accountable based on mutual agreements, transparency, and the objective to settle any dispute peacefully. Adherence to international law thus protects the Netherlands from the arbitrary actions of other states (MFAISSNL, 2013).
This belief in international law is transferred to the development of cyber norms, where the Netherlands advocates for the creation of international agreements and an internet governance model. Through the multi-stakeholder approach, this model has to take into account the interests of the various public and private actors in cyberspace (MFAISSNL, 2013; NCTV, 2018). To that end, the Netherlands wants a more detailed debate on the application of international law in cyberspace and specifically to cyber operations (MFAICSNL, 2017). It believes, with respect to the UNGGE, that international law does not need to be reinvented. It is consistency in application that needs to be ensured (MFAGVBNL, 2018; A/68/156/Add.1, 2013). The approach of the Netherlands on the applicability of international law aligns with that of the UNGGE, which similarly does not see a necessity to reinvent current laws (A/70/174, 2015).
However, the self-regulation, self-responsibility, and multi-stakeholder approach of the Netherlands does not fit within the UNGGE approach. The multi-stakeholder model ascribes responsibility to the relevant stakeholders, whereas the UNGGE primarily sees states as the responsible actor. The 2013 report briefly advises states in the norms to encourage the participation of the private sector and civil society in improving security in cyberspace (A/68/98, 2013). However, their role is no longer discussed in the 2015 report. The state remains the only relevant actor and is responsible not only for its own actions but also for those of non-state actors who use its territory (A/70/174, 2015). As such, the multi-stakeholder model distorts the process of securitization, as resolving the security issue is no longer the sole responsibility of the state. It goes against the logic of security, as extraordinary measures cannot be taken by design by non-state actors (Buzan et al., 1998).
A problem of the multi-stakeholder model is that it creates many different actors, each of whom has a different perspective on what they perceive as existentially threatening. Yet, Finnemore and Hollis (2016) argue that their inclusion can have benefits. The process of inclusion can generate a behavioural change in attitudes and makes the spread and acceptance of norms easier. Through participation, a sense of ownership of the norms is created, which in turn facilitates compliance through institutionalization (Finnemore & Hollis, 2016). For the Netherlands, international forums such as the UN and NATO, as part of the multi-stakeholder approach, serve as a means to achieve greater security in cyberspace, whilst also raising awareness on the protection of human rights and fundamental freedoms (MFAICSNL, 2017; NCTVNCANL, 2018).
To maintain and advocate fundamental rights and freedoms internationally, the government pursues a policy on human rights that includes an international cyber component. Respect for human rights is the basis for an open, free and secure society. The protection of personal data and privacy, freedom of expression, the right to seek information, freedom of association and assembly, and the prohibition on discrimination are under increasing pressure from some governments, which use national security as a pretext for disproportional intrusions (MFAICSNL, 2017, p. 14).
It is essential for the Netherlands that human rights and fundamental freedoms are safeguarded both offline and online. The Netherlands believes these efforts are vital as a means to offset a negative trend where a growing number of states are putting pressure on internet freedom (MFAICSNL, 2017). To ensure the protection of these rights and freedoms, the Netherlands seeks to have international law on human rights include a cyber component, and the protection of personal data (MFAICSNL, 2017).
In terms of protection, the Netherlands does not believe in the threat or use of force and respects the principles of sovereignty and prohibition of force in the UN Charter. However, in recognizing Article 51, the Netherlands recognises the right to individual and collective self-defence (MODNL, 2013). An exception to the prohibition on the use of force for the Netherlands is in cases of humanitarian intervention. The Netherlands believes that a military intervention is permissible as a last resort under strict conditions and in exceptional cases which can be justified on political or moral grounds (MODNL, 2013). These limitations are also applied to the use of cyber operations (MFAICSNL, 2017). This inclusion may be premature considering that there is still an ongoing debate on the application of human rights in cyberspace (Schmitt & Vihul, 2014). The issue, according to Schmitt and Vihul, concerns defining what can and cannot be seen as a part of a personal object in cyberspace. This definition will have an effect on how cyber-attacks can be qualified as violating human rights and fundamental freedoms and, as a result, will be immensely important to the UNGGE discussion (Schmitt & Vihul, 2014).
In the current reports, the UNGGE norms do not directly or explicitly seek to guarantee this level of personal protection. The norms speak of respecting Human Rights Council Resolutions 20/8 and 26/13 and the UN General Assembly resolutions 68/167 and 69/166 (A/HRC/RES/20/8, 2012; A/HRC/RES/26/13, 2014; A/RES/68/167, 2014; A/RES/69/166, 2014). The norms do not explicitly state the direct link between the respect for human rights and the protection of personal data. However, resolution 69/166 does argue that the “unlawful or arbitrary surveillance and/or interception of communications, as well as unlawful or arbitrary collection of personal data…violate the rights to privacy and to freedom of expression” (A/RES/69/166, 2014, p. 2). To that extent, the UNGGE agrees in principle with the Netherlands on the importance of data protection, although this is not made explicit, explained, or directly mentioned in the UNGGE reports.
There have been regional efforts made by the EU via the General Data Protection Regulation (GDPR) to address the issue of processing and protecting personal data. The regulation suggests that an individual’s data is something to be protected and that those who collect and manage it must prevent its misuse or exploitation (2016/679, 2016).
This EU effort means it has securitized and defined personal data as a referent object. This will not necessarily bring any changes for the Netherlands and its approach to the UNGGE considering it already seeks to advocate for such measures. However, now that the GDPR has gone into effect, its existence may be influential for the continuation of any potential future UNGGE. It may have major consequences in relation to the application of international law and human rights, the principles of sovereignty, non-intervention, and territorial integrity, and in the framing and protection of the infrastructure of the Netherlands.
Infrastructure
The Netherlands uses many different definitions to describe its infrastructure. It speaks of cyber infrastructure, digital infrastructure, information infrastructure, critical information infrastructure, IT infrastructure, ICT infrastructure, strategic infrastructure, essential infrastructure, vital infrastructure, critical infrastructure, civil infrastructure, global infrastructure, and on occasion simply refers to infrastructure (MODNL, 2012; MFAISSNL, 2013; MFAICSNL, 2017; MSJNL, 2011; NCTV, 2013). The most frequently mentioned are critical infrastructure and information infrastructure, although none of these definitions are explained within the security strategies. This lack of explanation and cohesion is troubling when compared to the UNGGE, which only discusses critical infrastructure and critical information infrastructure (A/68/98, 2013; A/70/174, 2015).
An effort was made in 2015 and 2016 to create a classification and criteria for the critical infrastructure in the Netherlands (MSJNL, 2015, 2016). The classification covers both public and private infrastructure and is divided into two categories depending on the economic, physical, and societal consequences that damage or disruption to those infrastructures would cause (MJSNL, 2015). Category A includes energy, drinking water, and nuclear infrastructure or industry (MJSNL, 2015). Category B includes transport, chemical, financial, public administration and, since 2016, telecom and ICT infrastructure (MSJNL, 2015, 2016). In cases of damage or disruption, category A infrastructure has a higher priority than category B infrastructure (MJSNL, 2015). In relation to the UNGGE, this would suggest that critical information infrastructure with respect to telecom and ICT is less important to the Netherlands than its critical infrastructure. Thus, in terms of securitization, it would suggest that the Netherlands believes its critical infrastructure is the more important referent object.
Cyber security concerns ICT security and the security of information stored in ICT systems. Disruptions to ICT-based services and processes may have major social consequences, and a disruption to vital services and processes may even lead to social unrest. Protecting personal information, state secrets and other sensitive information is vital for ensuring the trust parties have in the digital domain (NCTV, 2013, p. 18).
Nonetheless, with respect to the UNGGE, the Netherlands does mainly focus on its critical information infrastructure and the economic and social consequences that damage or disruption might cause. Determining the economic cost and effect is more difficult and estimates vary widely. Even so, Deloitte (2017) estimates that the Dutch economy loses approximately 10 billion euros or 1.5% of its GDP value per year. However, they also argue that the risks are significantly outweighed by the benefits derived from cyberspace (Deloitte, 2017). Together, this economic and social perspective has certain implications for the way the Netherlands approaches prevention, deterrence, and attribution, which for the most part is defensively orientated.
Prevention, Deterrence, and Attribution
The Netherlands does not believe that a total and all-encompassing cyber defence is possible, practical, or affordable (MODNL, 2012). Persistent and technologically advanced opponents would still be capable of damaging its infrastructure and causing the feared economic and social damage or disruption. The objective is therefore to build as much flexibility as possible into the protection of its infrastructure and into the ability to actively respond to a cyber-attack (MODNL, 2012). The purpose of this defensive flexibility is to protect data, the exchange of data, and the infrastructures to a degree that they remain available, accessible, and functional in the aftermath of a cyber-attack (MODNL, 2012).
To that end, the Netherlands believes that prevention is better and cheaper than a cure. It believes that effective prevention is only possible if the interests and goals of the relevant actors in cyberspace are aligned, which in turn allows for a more effective and accurate threat assessment (MFAISS, 2013). The threat from cyberspace is framed as cyber criminality from non-state actors, and digital espionage and disruptive attacks from state actors (Kingdom of the Netherlands, 2015). The Netherlands also believes that certain state actors are using cyber-operations for political objectives, which include spreading disinformation to influence public opinion. This foreign influence could potentially lead to economic damage, the erosion of democratic legitimacy, and a cyber arms race (MFAGBVNL, 2018).
These preventative actions are also supposed to function as deterrence measures. One of these measures is the ban or the introduction of a mandatory export license on specific hardware, software, and technology. These goods are supposed to be part of a list of controlled goods and be incorporated into the relevant EU Dual-Use Regulation and the Wassenaar Agreement (MFAICSNL, 2017). The dual-use regulation includes “software and technology, which can be used for both civil and military purposes, and shall include all goods which can be used for both non-explosive uses and assisting in any way the manufacture of nuclear weapons or other nuclear explosive devices” (428/2009, 2009, p. 3). There is currently an ongoing debate and proposal to include cyber-surveillance technology in this definition.
The Netherlands is to a certain extent in favor of expanding existing controls. Yet, on the other hand, it is also critical of the EU's proposal to amend the dual-use regulation list (MFAICSNL, 2017). The fear is that these measures could disrupt the level playing field on a global level and disadvantage the EU's industry, seeing as the control list only applies to the EU (MFAICSNL, 2017). Both regulations, however, fit within the objectives of the UNGGE norms, which ask states to prevent the “proliferation of malicious ICT tools and techniques and the use of harmful hidden functions” (A/70/174, 2015, p. 8). However, a ban or limitations on these technologies could have implications for the “legal” use of these systems by law enforcement and intelligence services (Bromley, 2017).
Defensive operations in the information domain are designed to counter external influence and internal misuse or corruption of vital friendly information systems. Offensive operations in the information domain focus on the acquisition of information and intelligence, and the deliberate release of information in order to influence a situation in support of the national interest. Activities in this domain are conducted in intelligence, information or cyber operations or a combination of these (MODNL, 2013, p. 86).
The “legal” use involves the creation of offensive and defensive cyber capabilities (MODNL, 2013). The use of these capabilities is framed as a combination of preventative, deterrence, and retaliatory measures (MODNL, 2013; MFAGBVNL, 2018). The purpose of these capabilities is to detect, neutralise, deter, and if necessary retaliate proportionally to cyber-attacks (MFAGBVNL, 2018). Offensive assets may be deployed for the sake of information and intelligence gathering efforts. This could be done by infiltrating the relevant information systems and networks of potential attackers. The gathered information and intelligence will be used as an early warning sign and to assist counterintelligence activities (MODNL, 2012; MFAICSNL, 2017). The purpose of defensive capabilities is to protect “friendly” data and the supply of information (MODNL, 2013). Dutch intelligence services have already used these information capabilities. They were able to penetrate the computer network of the Russian hacker group Cozy Bear, monitor their activity, and witness them launch several attacks against the US Democratic Party during the 2016 US Elections (Modderkolk, 2018). As these efforts were directed at non-state actors, they are arguably acceptable according to the UNGGE norms, although discussing their role falls outside of its purpose.
The Netherlands seeks to widen the scope of international legislation to encourage more cross-border investigations and presses for the further ratification and spread of the Budapest Convention on Cybercrime, in part to resolve issues of attribution. If the origin, perpetrator, or objective of an attack cannot be identified, it limits the possible responses the Netherlands can undertake (MFANL, 2017). The Netherlands already cooperates with private actors and “friendly” states in several investigations to alleviate the attribution issues and prosecute potential suspects (MFANL, 2017). So far, the Netherlands has participated in several cross-border investigation operations. It cooperated in 2018 with the United Kingdom and Europol to shut down the DDoS-for-hire website WebStressers (Landelijke Politie, 2018). It also cooperated with the United States, Germany, and Europol to shut down the dark web marketplace Hansa (Greenberg, 2018).
However, these intelligence efforts of the Netherlands are ultimately contradictory in nature, considering the UNGGE and securitization theory. On the one hand, the international investigative efforts of the Netherlands comply with the requests of the UNGGE to cooperate and exchange information for the sake of addressing threats and prosecuting terrorist and criminal use of ICTs (A/68/98, 2013; A/70/174, 2015). Yet, these same efforts go directly against the UNGGE cyber norms to prevent the use of harmful hidden functions (A/70/174, 2015). The Netherlands cannot both want the non-proliferation of cyber weapons and harmful hidden functions and at the same time justify using them itself. It creates a conflict in securitization, as it both does and does not allow for the use of extraordinary measures. The UNGGE has not clarified the “legal” usage of these measures and will be required to do so, especially considering the opinions of other states like the Russian Federation, which is firmly against the use of these measures, as shall be discussed in the next chapter.