23 Mar THE DUTCH STRATEGY ON CYBER: LET’S FILL IN THE NORMS
By Rik van Dijk
This week the new Minister of Foreign Affairs Stef Blok released the Geïntegreerde Buitenland- en Veiligheidsstrategie (GBVS), the international Defense and Foreign Affairs strategy. The strategy, titled “Wereldwijd voor een veiliger Nederland” (Global for a safer Netherlands), projects the Dutch priorities in the areas of defense and foreign affairs for the coming four years.
Resting on three pillars, Defend, Prevent and Fortify, the document contains an expansive part on cybersecurity and the creation of norms in the cyber domain. Are the ambitions set out in the strategy feasible and does it provide us with a way forward in the complex discussion surrounding international norms in the cyber domain?
As one of the most digitized states in the world, the Netherlands has been very active in that policy area over the last few years. In the International Security Strategy (2013), the predecessor of the GBVS, the government emphasizes its active commitment to create international norms and a shared conceptual framework on cybersecurity carried by the international community.
Under the pillar Prevent, the GBVS reiterates the ambition to strengthen the international judicial framework in the cyber domain. This ambition, however, feels very much the same as the one four years earlier. While the Dutch government pursues international treaties that limit the export of software and hardware that can be used for surveillance purposes by governments, other concrete measures to fulfill the ambitious goals remain in the dark.
In the years between the two strategies the international community has seen some of the largest cyber-attacks to date, almost all of which were perpetrated by groups with nation-state backing. Prominent examples are the release of ransomware created by North Korea (2017) or the Russian attacks on Kiev’s power grid (2015, 2016). However, the international community has failed to formulate a clear response to such attacks.
While cyber attacks are increasing in strength and occuring more regularly, the United States, China and Russia have failed to reach consensus on a framework that would bind the use of cyber weapons to stricter international rules. The U.N. Group of Governmental Experts that worked towards this consensus collapsed in 2017.
Is it than fair to chastise the Netherlands for not singlehandedly creating a resilient international framework on cyber norms in the last four years? Most certainly not. The Netherlands has played a leading role in the maturation of cyber as a domain in both defense and foreign affairs. The attention the cyber domain receives, emphasizes an important step forward from the years before when cybersecurity seemed a non-issue for most policy makers and the GVBS is the culmination of that effort.
However, it now seems that in the Netherlands, the pendulum swings to the other side. Chris Painter, Senior Director for U.S. Cyber Policy jokingly said, “cyber is the new black, it fits with everything.” And this is a risky development because the pursuit of norms in the cyber domain without a strategy on what those norms might entail might create a false sense of accomplishment. Adding the word cyber to a concept such as diplomacy does not create a new game plan, just a new word. In the GVBS, cyber still remains something mysterious and slippery while it would benefit immensely from being dragged into clear cut definitions and policy.
The GBVS is a continuation of the Dutch strategy to make its voice heard in the cyber domain and contribute to a safer world. And with the collapse of the U.N. effort, it is important that other states continue to pursue the creation of an international framework of norms. But, I would like to see the Dutch strategy move beyond the vagueness of the wish for international cyber norms to the pursuit of a clear cut strategy to the interpretation of international norms. more importantly, how they should be enforced. For me that would strengthen the practicability of the Prevent pillar regarding cyber.