NCSC: public-private cooperation is key

2012-03-01

Wout de Natris

De Natris Consult, The Netherlands
Editor: Helen Martin

Abstract

The Dutch National Cyber Security Centre (NCSC) was officially opened in January. Wout de Natris looks at how the Dutch government aims to achieve a safe, open and stable information society, with a focus on public-private cooperation.


On Thursday 12 January 2012 the Dutch National Cyber Security Centre (NCSC) was officially opened. With the push of a big red button, Minister of Security and Justice Ivo Opstelten proudly started a spectacular laser show in celebration of the event. Now that the lights have faded, let’s take a look at what the Dutch government aims to achieve through the NCSC.

The National Cyber Security Strategy

On 22 February 2011 the Dutch government published the National Cyber Security Strategy (‘the strategy’). This document came about as the result of a motion adopted in Parliament [1] requiring an interdepartmental strategy. The document was created under pressure, but also in openness. Two semi-public meetings were organized, allowing all parties a chance to view, respond to and feed back on the first draft of the strategy. The public sessions saw civil servants from all relevant ministries gathered with cybersecurity experts and representatives from law enforcement, regulatory bodies and industry (including industries deemed to be vital to national security). The feedback gathered from these sessions found its way into the final version that was sent to Parliament. (For example, my feedback contributed to a more pronounced emphasis on international cooperation.)

The rationale behind the public meetings becomes clear when we cite the official government publication announcing the strategy:

‘Government and industry will cooperate shoulder to shoulder to increase resilience against ICT disturbances and cyber attacks. A coherent approach is necessary and essential for the growing (international) problem’ [2].

In other words, public-private cooperation is key. Two bodies were announced: the National Cyber Security Council and the NCSC. This cooperative approach is not unusual for the Netherlands. Permit me a brief history lesson about the ‘polder model’.

Polder model

It is often said that ‘polderen’ is unique to the Netherlands. Since the Second World War, through a combination of negotiations and cooperation, government, industry and unions have made consensus decisions on the road forward based on what is best for all concerned. It is believed that the consensus decision-making model may originate from the very early history of the northern and western parts of the Netherlands when (local) governments, cities, landlords and farmers worked together to contain rivers, dig canals, build and uphold dikes, create polders and win land over from the bogs and sea [3].

It is little surprise that the government has fallen back on this model to fight all things cyber – recent history has made it clear that no single actor alone can make a lasting impression on cyber perpetrators.

The National Cyber Security Council

On 30 June 2011 Minister Opstelten instated the Cyber Security Council [4]. The two chairs and their respective backgrounds are indicative of the approach taken: Eelco Blok is CEO of KPN, the Dutch incumbent telecommunications company, and Erik Akerboom is National Coordinator for Counterterrorism and Security. The Council is responsible for advising government and industry alike (including the NCSC) on all matters concerning developments in cybersecurity. The Council can set priorities in the approach to ICT threats and assess the need for further research and development as well as determine how information can best be shared with participating public and private parties. Government, industry, end-users and academia are represented in the Council. However, the Council is a separate entity from the National Cyber Security Centre.

The National Cyber Security Centre

The NCSC is based on three pillars that are highlighted in its mission statement: ‘The NCSC cooperates in enhancing the defensibility of the Dutch society in the digital domain. Our goal is to realize a safe, open and stable information society by sharing knowledge, offering insight and also offering a proper action perspective’ [5].

Incident response

The first goal manifests itself in the fact that the national Computer Emergency Response Centre, Govcert.nl, has been incorporated into the NCSC. The function of Govcert.nl hasn’t changed, but will be added to. Despite the fact that, as Minister Opstelten stated at the opening, all parties outside government remain responsible for their own cybersecurity, the Centre will play a more central role than before. As this is a familiar function, I will not elaborate here, except to stress that in times of crisis the Centre will act as coordinating body between the different partners involved.

Expertise and advice

The second goal is about the development of knowledge and disseminating it to all partners. Two stages are foreseen at present. First, the government will intensify cooperation between the founding ministries and the relevant agencies, e.g. law enforcement agencies, AIVD (intelligence service), public prosecution and the National Forensic Institute. This will be achieved in part by embedding liaison personnel at the Centre.

Pim Takkenberg, Head of the Dutch National High Tech Crime Team, explains: ‘The liaison personnel will be present at the NCSC for one or more days a week. They will establish a connection between their respective organizations and the NCSC and will be responsible for organizing the relevant or necessary expertise from within their organizations. In this way, not only is trust developed between the cooperating agencies, but also a common language. By reaching out and connecting in “normal” times, it becomes much easier and more natural to do so in times of crisis – which could possibly lessen the impact of incidents.’

Since 2006, regular meetings have been held in the Netherlands between law enforcement and security agencies to discuss cybercrime. This form of cooperation will now be taken to a new level as the liaison personnel will play an important role in times of crisis.

In the second stage, cooperation between the Centre and industry is foreseen. If everything goes according to plan, the Information Sharing and Analysis Centres (ISACs) created around and constituted by members of vital sector groups including telecoms, financial institutions, water and energy providers, etc., will link to the NCSC to make optimal use of information and actively share knowledge. The ISACs are already a feat of public-private partnership, although they are not unique to the Netherlands. At present they are organized through CPNI.nl [6]. Relevant industry partners from a vital sector gather with government, law enforcement, AIVD and Govcert to share threats, learn from and warn each other of perceived threats, and establish best practices in a safe, non-competitive environment. By treating cybercrime and threats as topics that require a common approach, putting competition aside, solutions and security for all can be established. As the sector provides the chair, industry is the driving force behind the agenda [7].

In my opinion this is the nucleus of the initiative. If all parties concerned can find, as Takkenberg puts it, ‘a common language’, learn to work together and gain trust, the NCSC becomes the centre of expertise, excellence and esteem to which all concerned will look for guidance and coordination in times of crisis. Succeed here, and the rest will follow suit.

The NCSC has already published two reports. One describes how to recognize cybercrimes and when and how to report them [8]. The other is a report on ICT security guidelines for web applications [9]. The NCSC is already on the road to establishing itself as a centre of knowledge and advice.

Monitoring and reporting

Monitoring the threat level and reporting on it is the third pillar of the NCSC. The Centre aims for a broad participation, public and private, so it can collect data from divergent sources. This information is gathered at a more structural level, is more comprehensive and creates a better overview than ever before. Data can be studied, analysed, discussed, and reported to all the partners involved. The NCSC draws the analogy of laying out a puzzle: find and lay out all of the pieces in the correct order to get the complete picture. This way it ‘will make an important contribution to increasing national resilience by means of the integral approach and the unique shape of the cooperation’ [10]. The first national trend report on cybercrime and digital security in the Netherlands was prepared by Govcert and published on 12 November 2011 [11]. All relevant law enforcement and national security agencies contributed to the report for the first time.

International cooperation

As cybercrime does not stop at the border of nation states, the NCSC will also need to look to partners in other countries. At present the focus is on organizing itself, but in the future the Centre will reach out to other countries. In what form and with whom remains to be determined.

The EU, individual member states and several other countries are all contemplating how to go forward, but all seem to agree that a public-private form of cooperation is paramount. The Netherlands has established a blueprint on how to proceed. It could be worthwhile for other countries to study this model as a reference point for a way forward in the ongoing battle against cyber threats.

Conclusion

At present, the NCSC is a work in progress. In 2011 a lot of effort was put into creating the Centre and getting very different organizations (and thus cultures) behind it. The coming months will undoubtedly pass with everyone finding their way, embedding liaison personnel, establishing optimal lines of contact and reaching out to industry through the ISACs. However, once all this has settled into place we will have a centre that shows the promise of being able to assess the level of cyber threats very quickly, and through its very foundation built on cooperation, will be able to coordinate in times of crisis at a national level, between all relevant parties. In addition, a framework has been created to learn as well as teach lessons. As such, the NCSC holds a promise that goes far beyond the Dutch borders. It may not be unique in its intentions, but as an established, centralized centre it may well be so.
