This page presents the main findings and recommendations of the evaluation of the international cybersecurity policy of the Dutch Ministry of Foreign Affairs (MFA).
Contact: Wendy van der Neut
Introduction
The international cybersecurity policy of the MFA is aimed at preventing and mitigating cyber threats and attacks by states and state-affiliated actors directed against targets in other states. During the evaluation period (2015–2021), cyber threats increased worldwide. Digital attacks for which states or other actors are responsible are now a daily occurrence in the Netherlands and abroad. Although these attacks do not always attract publicity, their consequences are increasingly noticeable for governments, companies and citizens. In addition, a dichotomy has emerged internationally between predominantly Western countries (including the Netherlands) that strive for a globally open, free and secure internet, and certain other countries, including Russia and China, that wish to curtail citizens' free access to the internet.
As a consequence, the international cybersecurity policy of the MFA has become more urgent. However, as a relatively young policy area, it has never been evaluated up to now. This first evaluation shows that since 2015, good work has been done and things have been achieved, but there are also challenges and areas for improvement.
Aim of the research
The aim of the evaluation is to investigate what did and did not go well in the design and implementation of the MFA’s international cybersecurity policy, in order to provide recommendations for the future.
Results and recommendations
The main findings and recommendations of the evaluation of the international cybersecurity policy of the Dutch Ministry of Foreign Affairs (MFA).
Although the evaluation focused on MFA’s international cybersecurity policy, during the study it became clear that some of the key challenges – and solutions – are government-wide.
Several ministries are involved in aspects of the international cybersecurity policy. During the evaluation period (2015–2021), a number of interdepartmental policy documents related to international cybersecurity policy were drafted and interdepartmental cooperation improved. Nevertheless, the evaluation revealed there are still issues with departmental alignment and cooperation in relation to international (as well as national) cybersecurity policy. For example, ministries still too often work independently of each other, are not always sufficiently aware of each other's work, do not always make sufficient use of the expertise of other departments and do not always cooperate sufficiently with each other. As a result, threats and opportunities are missed, work is inefficient, and policy is not always consistent. One of the main causes of the cooperation problems is the departmental compartmentalisation of cybersecurity policy in the Netherlands, which is reflected in the facts that departments each set their own priorities, there is no national supra-departmental cybersecurity strategy and there is no centralised control of cybersecurity policy that could formulate such a strategy and set priorities.
Recommendations for the Dutch cabinet:
1. Investigate the best form for supra-departmental oversight of cybersecurity issues, and create this.
Supra-departmental oversight is needed to establish mandates and tasks relating to new issues and policy themes, to weigh up the various interests of the departments involved, to promote coordination between these departments and to draw up, monitor and if necessary adjust a supra-departmental cybersecurity strategy.
There are several options for achieving this, each accompanied by its own drawbacks. It needs to be investigated which option is most suitable to achieve the policy objectives and provide a solution for the problems identified.
2. Create a supra-departmental cybersecurity strategy.
The supra-departmental strategy presents a cabinet vision of the path the Netherlands wishes to follow in relation to cybersecurity-related issues. It should not be a summary of what the departments already do or intend to do, like the current Netherlands Cybersecurity Agenda (NCSA). Instead, it should establish links between the various policy themes by setting priorities, resolving any conflicting interests, introducing concrete objectives and exploring how these objectives can be achieved.
Within the MFA, the Taskforce Cyber (TFC) was set up in 2015 for the international cybersecurity policy. The evaluation showed that the TFC is doing much good work. The Netherlands has a strong international profile and within international forums has helped shape important instruments such as the EU cyber diplomacy toolbox and cyber sanctions regime. The creation of a network of cyber diplomats at a number of Dutch embassies was also a strong move.
However, there are also a number of issues that can be improved. One is that within MFA there is no unambiguous and up-to-date international cybersecurity strategy, nor are there frameworks delimiting which themes fall within the TFC’s remit. This makes it more difficult to prioritise properly, causes some strategic issues to remain unaddressed and adds to the already high workload.
Recommendations for the Ministry of Foreign Affairs:
3. As part of or following from a new supra-departmental cybersecurity strategy, also create a new strategy for MFA's international cybersecurity policy. Ensure that:
- a. Clear definitions and frameworks are included so that it is clear what does or does not fall under the responsibility of the TFC; and it is set out what the short-, medium- and long-term objectives are, how they link up and how they are expected to be achieved.
- b. A response is given to strategic issues that arise as a result of increasing cyber threats, global disagreements, emerging technologies and new policy themes. Examples of issues to address are how the Netherlands and like-minded countries can best involve the so-called ‘swing states’, how capacity building can best be deployed and the tenability of the Dutch rejection of an international cyber treaty.
- c. In light of the rapid developments in the cyber domain, time and capacity are factored in to ensure regular strategic reflection and scenario thinking about various possible future developments and threats.
- d. When drawing up the strategy, there is collaboration with other ministries and stakeholders from the business community and knowledge institutions.
4. Investigate how the work of the TFC can be prioritised more sharply in order to reduce the workload.
Use the new strategy to make explicit which activities and dossiers justify which efforts of the TFC and – in consultation with other departments and directorates within MFA – which dossiers and activities it might be better to drop or reallocate.
Another area for improvement is that the available capacity within the TFC (as in other parts of government dealing with cybersecurity policy) is limited considering the increase in cyber incidents and global challenges and the time required to coordinate departments. Prioritising better will not by itself be sufficient to overcome this problem. In addition, there is limited cyber expertise within MFA, and a lack in secure means of communication for the sharing of confidential information.
Recommendation for the Ministry of Foreign Affairs:
5. Ensure that MFA has sufficient capacity to carry out important tasks within the international cybersecurity policy. Three issues should be considered in relation to this:
- a. Expand the TFC workforce.
- b. Consider ways in which knowledge and expertise on cybersecurity-related topics can be acquired and maintained.
- c. Invest in secure and effective means of communication.