In response to serious information security incidents, we see the development of cybersecurity policy becoming more and more urgent. However, a vision of what such policy must include is still lacking. Bits of Freedom believes that we can significantly improve our cybersecurity through smart and focused measures. We have therefore drafted a paper that sets out four principles and eight measures that must be included in cybersecurity policy. With this paper we hope to give guidance to the development of cybersecurity policy in Europe and the Netherlands.
Stuxnet and Diginotar are examples of serious information security incidents that shook up Europe over the last couple of years. As Europe and its Member States become more and more dependent on ICT systems, they become more vulnerable to attacks on such systems. Cybersecurity is therefore rightfully placed high on the political agenda.
But if we focus too much on incidents like these, cybersecurity policy will be the result of emotional reactions: we will go from incident to incident, not taking time to devise structural solutions. Meanwhile, Internet freedom is at risk (e.g. by considering extensive monitoring of Internet traffic) and we will run the risk of undermining the most important infrastructure of the 21st century: the Internet.
In Europe and the Netherlands
Bits of Freedom believes that Europe and its Member States deserve better cybersecurity: we are convinced that smart and focused measures can significantly improve our cybersecurity. To further this aim we have drafted a cybersecurity policy paper that sets out four principles and eight measures that modern cybersecurity policy must include.
In this paper we argue, amongst other things, that cybersecurity starts with basic security measures, as most security issues are caused by simple vulnerabilities. We also argue that cybersecurity must focus on personal security and we advocate investment in knowledge and capacity in the area of ICT instead of new powers. This requires governments to set the right example: lack of control over information management, or heavy dependence on third parties for it, creates a considerable security risk and undermines the credibility of cybersecurity policy. Europe and its Member States therefore need additional knowledge and capacity in the area of ICT, so that they can control their own infrastructures and can better estimate the consequences and risks of envisaged policies.
We submitted an English version of our paper as part of the Public Consultation Improving Network and Information Security (NIS) in Europe.
A Dutch version of the text (with some minor adjustments) was later co-signed and presented by a large coalition of Dutch security experts and stakeholders in the Netherlands. The Dutch Minister of Security & Justice, Ivo Opstelten, described the paper as “constructive” and said that he will look at how the paper can be included in the national cybersecurity strategy. We look forward to seeing these words put into action in the upcoming period.