
National Cyber Security Strategy of the Netherlands

2014-02-06, 16 pages, PDF, 685 KB, 22 views

The National Cyber Security Strategy (NCSS)
Strength through cooperation

1 Introduction

The Netherlands supports safe and reliable ICT[1] and the protection of an open, free internet. Society’s growing dependence on ICT makes it increasingly vulnerable to the misuse and disruption of ICT systems. For this reason, the Government has launched a National Cyber Security Strategy, with input from a wide range of public and private parties, knowledge institutions, and civil society organisations. The Strategy constitutes the Government’s response to Parliamentary motions tabled by Raymond Knops and Marcial Hernandez.[2] It also embodies the integrated approach to cybercrime announced in the 2010 coalition agreement.

Structure of the Strategy

This Strategy is divided into two parts. The first part (Chapters 2 to 4) presents an analysis of the problem, describes policy principles for cyber security, and sets out objectives. The second part (Chapter 5) sets out a number of lines of action, each containing priority activities for improving cyber security – activities that will be implemented by the Government, and in collaboration with other parties.

2 Developments that call for action

ICT is essential for our society and economy. Safe and reliable ICT is essential for our prosperity and well-being, and serves as a catalyst for further sustainable economic growth. In Europe, 50% of productivity growth is due to the use of ICT.[3] The Netherlands aims to lead the world in the use of ICT while guaranteeing the safety of ‘digital society’. The Netherlands wants to become the Digital Gateway to Europe.

Society is vulnerable

ICT offers opportunities, but also increases vulnerabilities in a society where critical goods and services are increasingly interrelated. A deliberate or accidental breakdown caused by technical/human error or natural causes could lead to social disruption.
The complexity of ICT systems and our growing dependence on them are leading to new vulnerabilities that could facilitate misuse and disruption. Examples include the rapid developments in mobile data transmission and cloud computing, which give way to new vulnerabilities and opportunities for misuse. The growing use of internet services involving the entry of personal details and the rise in the popularity of social media are also creating new forms of misuse, such as identity theft.

[1] ‘ICT’ is an umbrella term referring to digital information, information infrastructures, computers, systems, applications, plus the interaction between information technology and the physical world that is the subject of communications and information exchange.
[2] Motion tabled by Raymond Knops, House of Representatives, 2009-2010, 32 123 X, no. 66; motion tabled by Marcial Hernandez, House of Representatives, 2010-2011, 32 500 X, no. 76.
[3] European Commissioner Neelie Kroes at the opening of the 2010 World Congress on Information Technology in Amsterdam.

Recent examples

Three recent incidents illustrate these vulnerabilities and forms of misuse:

In the second half of 2010, cyber security experts identified Stuxnet, an advanced malware program that disrupts the automation of industrial processes. Analysis showed that Stuxnet must have been expensive to develop. It is suspected that the Stuxnet attack was financed by a state and aimed at the critical infrastructure of another state, leading to global side-effects on other critical organisations.

In an internationally coordinated operation in late 2010, the National Police Services Agency (KLPD) worked with partners in the Netherlands and abroad to dismantle a large botnet: a collection of computers misused remotely, often for criminal purposes and usually without the knowledge of their owners.
The botnet, known as BredoLab, was masterminded from Armenia, its operations were concentrated in the Netherlands, and it was present in several other countries. Worldwide, millions of computers were taken over by BredoLab, which distributed spam and denial-of-service attacks.

The measures taken by a number of companies against Wikileaks prompted its supporters to carry out worldwide denial-of-service attacks against Paypal, Mastercard, public prosecutors, and the police. The hackers temporarily disabled these organisations’ websites, demonstrating the plainness of ‘hacktivism’.

Cyber security is freedom from danger or damage due to the disruption, breakdown, or misuse of ICT. The danger or damage resulting from disruption, breakdown, or misuse may consist of limitations to the availability or reliability of ICT, breaches of the confidentiality of information stored on ICT media, or damage to the integrity of that information.

Existing parties in digital society need to cooperate nationally and internationally

When cyber attacks occur, it is often difficult to identify the perpetrator, who may be a loner, an organisation, a state, or a combination of all three. The nature of the cyber threat[4] is also often unclear. But many cyber attacks involve the same techniques and methods[5] – illustrating the importance of further cooperation among parties concerned with cyber security, including public bodies working on particular types of threat, businesses that maintain the network and information infrastructure, and knowledge institutions concerned with cyber security and the public.

Digital society is global. Cyber attacks and disruptions instantaneously transcend national borders, cultures, and legal systems. It is often unclear which jurisdiction applies to data transmission, and it is often uncertain whether the law can always be effectively applied. The Government wants to make it easier to combat the misuse of ICT, wherever it occurs.

[4] cybercrime, cyber terrorism, cyber activism, cyber espionage, and cyber conflict
[5] such as malware, botnets, spam, phishing, and targeted attacks

3 Basic principles

Investing in cyber security means investing in our future, our economic growth, and our innovativeness – not only because safe ICT and the safe use of ICT are possible in the Netherlands, but also because the Netherlands is a major centre of knowledge and development in cyber security. We need to prioritise cooperation throughout the entire security system between civilian and military parties, public and private parties, and national and international parties. Only then can we ensure the resilience of our ICT infrastructure in critical sectors, a rapid and effective response to cyber attacks, and appropriate legal protection in digital domains. The following principles underlie our Strategy:

Interlinking and strengthening initiatives

A great deal is happening in the area of cyber security. But consistency is lacking in several areas. This observation is borne out by the findings of the 2010 National Report on Trends in Cybercrime and Digital Security and the National Security Think Tank’s report on ICT Vulnerability and National Security. As a result, duplications will be removed and initiatives pooled. Wherever possible, the Government will build on existing initiatives and, wherever necessary, develop new ones.

Public-private partnerships

ICT infrastructure, goods, and services are largely provided by the private sector. Continuity and security of supply are essential for the sector’s survival and for society as a whole, because the disruption of supply can also lead to social disruption. Mutual trust between the public and private sectors is essential if we are to work together and share information as equal partners.
Every party concerned must gain value from participation in joint initiatives – an outcome that will be facilitated by an effective cooperation model with clearly defined tasks, responsibilities, powers, and guarantees.

Individual responsibility

All users (individuals, businesses, institutions, and public bodies) should take appropriate measures to secure their own ICT systems and networks and to avoid security risks to others. They should take care when storing and sharing sensitive information and respect the information and systems of other users.

Division of responsibilities between ministries

The Minister of Security and Justice is, in accordance with the National Security Strategy, responsible for coherence and cooperation on cyber security. At the same time, each party in the cyber security system has its own tasks and responsibilities.

Active international cooperation

The cross-border nature of threats makes it essential to promote international cooperation. We must aim for an international level playing field. Many measures can be effective only if they are taken or coordinated internationally. The Netherlands supports and actively contributes to efforts such as the EU’s Digital Agenda for Europe and Internal Security Strategy, NATO’s development of cyber defence policy as part of its new strategic vision, the Internet Governance Forum, and other partnerships. The Netherlands advocates the widespread ratification and implementation of the Council of Europe’s Convention on Cybercrime.

Measures must be proportionate

There is no such thing as 100% security. When undertaking cyber security activities, the Netherlands makes choices based on risk assessment. In doing so, it aims to protect our society’s core values, such as privacy, respect for others, and fundamental rights such as freedom of expression and information gathering. We still need a balance between our desire for public and national security and for protection of our fundamental rights.
Measures must be proportionate. To this end, we will apply, and where necessary strengthen, safeguards and testing mechanisms, including the existing supervisory instruments.

Self-regulation if possible, legislation if necessary

The public and private sectors will achieve the ICT security they seek primarily through self-regulation. If self-regulation does not work, the Government will examine the scope for legislation. But legislation would have to meet three conditions: it should not unduly distort competition and, as far as possible, should ensure a level playing field; the administrative burden should not be disproportionately increased; and the costs should be in reasonable proportion to the benefits. We live in a fast-moving world, and legislation can soon become obsolete. The Government will consider whether legislation needs to be tailored to developments in ICT.

4 The Strategy’s goal

Security and trust in an open and free digital society

The Strategy’s goal is to strengthen the security of digital society in order to give individuals, businesses, and public bodies more confidence in the use of ICT. To this end, the responsible public bodies will work more effectively with other parties to ensure the safety and reliability of an open and free digital society. This will stimulate the economy and increase prosperity and well-being. It will ensure legal protection in the digital domain, prevent social disruption, and lead to appropriate action if things go wrong.

5 The working plan: work in progress

To achieve the objectives of the National Cyber Security Strategy, the following lines of action have been drawn up.
The Netherlands will:
• ensure an integrated approach by public and private parties;
• ensure appropriate and up-to-date threat and risk assessments;
• strengthen resilience against ICT disruptions and cyber attacks;
• strengthen our capacity to respond to ICT disruptions and cyber attacks;
• intensify the investigation of cybercrime and prosecution of its perpetrators;
• promote research and education in cyber security.

To implement each line of action, priority activities have been devised.

Work in progress

The Netherlands is doing a great deal to ensure cyber security. Below, we describe a number of priority activities, some new and some yet to be developed in full. They vary in the detail to which they have been worked out. Some are still at the blueprint stage, so that it is not yet possible to describe them in full. They are clearly still work in progress. They will be described in detail after the Strategy’s publication.

5.1 Setting up the Cyber Security Council and the National Cyber Security Centre

Responsibility for digital security in the Netherlands lies with many parties. There is still insufficient cohesion between policy initiatives, public information, and operational cooperation. The Government therefore considers it essential to foster a collaborative approach between the public sector, the private sector, and knowledge institutions. The goal is to strengthen the network and ensure coordination from strategic to operational level.

• The Government considers a new network-centred form of collaboration essential to achieve an integrated and coherent approach to cyber security. It aims to set up a Cyber Security Council, where strategic-level representatives from all relevant parties will sit and iron out the content and implementation of this Strategy. In the next few months, in consultation with all the relevant parties, the Government will decide how the Council is to be formed. The Council will be facilitated by the responsible public bodies.
• The Government wants public and private parties, acting within their statutory scope, to collect information, knowledge and expertise in a National Cyber Security Centre, which will help improve understanding of developments, threats, and trends and help parties deal with incidents and make decisions in crises. The Government is inviting public and private parties to join the Centre. To this end, it is devising a partnership model.
• The Government will also expand GOVCERT.NL,[6] strengthen it, and incorporate it into the Centre.

The Government wants the Council to start work on 1 July 2011 and the Centre to come into operation on 1 January 2012.

5.2 Setting up threat and risk analyses

Strengthening security begins with understanding vulnerabilities and threats. By gathering and analysing knowledge and information from national and international public and private parties,[7] we will gain a better understanding of current and potential new threats and vulnerabilities. The National Cyber Security Centre will adopt the working methods set out in this Strategy, cataloguing risks and identifying capacities that need to be strengthened in order to prevent threats and respond to disruptions. The knowledge thus gained will make it possible to take targeted measures throughout the cyber security system, from prevention to response and from investigation to prosecution. One of the tasks of the National Cyber Security Centre is to create a single comprehensive picture of the current ICT threats, including a report on trends in cybercrime and digital security (the first edition of which was published in 2010).

[6] GOVCERT.NL aims to strengthen information security within the Dutch public sector by monitoring sources on the internet, by issuing threat warnings and advisory opinions on ICT vulnerabilities, and by helping public authorities deal with ICT-related incidents.
[7] Including GOVCERT.NL, the AIVD (General Intelligence and Security Service) and the MIVD (Military Intelligence and Security Service), the police, special investigative services (such as the FIOD and SIOD), regulators (such as OPTA and the Netherlands Consumer Authority), government inspectorates (such as the Health Care Inspectorate), private parties (such as ISPs and security vendors), and national and international knowledge and research institutions.

The AIVD and MIVD[8] will contribute to this picture. Where necessary, they will strengthen their cyber capacity. The Government is informed of threats to national security by the annual National Risk Assessment.[9] Cyber security will receive extra attention in this Assessment.

5.3 Increasing the resilience of critical infrastructure

We must prevent social disruption due to ICT breakdowns or cyber attacks. Various parties, from individuals to suppliers, have a responsibility in this regard. The user must be confident that an ICT good or service can be used safely. Suppliers must therefore offer safe ICT goods and services. Users must also take necessary security measures.

• In 2011, the Telecommunications Act is being amended. This will provide a legislative basis for a number of existing agreements with the largest telecommunications companies about the continuity of their critical telecommunications infrastructure. Areas covered include the reporting of disruption or breakdown of services, minimum requirements for the continuity of services, and compliance with international standards. Wherever possible, the Netherlands will work for a joint European approach in these areas.
• The Cybercrime Information Hub will continue its operations as part of the Centre for the Protection of National Infrastructure (CPNI).[10] This year, the Government will examine how the CPNI and the National Cyber Security Centre can work together.
• The responsible public bodies will work with these organisations to encourage compliance with the current minimum ICT security standards based on good practices. The Government will work with critical sectors to learn more about potential measures to prevent the disruption of their critical ICT facilities. On this basis, the responsible public bodies will urge critical sectors to take the same measures. One example is the Emergency Communications Facility (NCV), which from 1 May 2011 will replace the current emergency network. Critical organisations will be able to join the NCV.
• The Government has developed a package of measures specifically geared to preventing digital espionage. It has published a manual entitled ‘Analysis of Vulnerability to Espionage’ to help businesses increase their resilience to espionage.

[8] The AIVD and MIVD occupy a unique position with regard to information on cyber threats (such as digital espionage, cyber terrorism and cyber extremism) by conducting research in the interests of national security.
[9] The National Risk Assessment analyses various types of threat to national security using a uniform method for constructing middle-term scenarios with scores for probability and potential impact. It then makes proposals for strengthening capacity in order to lessen the impact of threats.
[10] The CPNI is a platform where critical sectors and public bodies can share information in a trusted environment on incidents, threats, vulnerabilities, and good practices in the areas of cybercrime and cyber security. The goal is to increase these parties’ resilience to disruptions.

• Public bodies must improve their own resilience. For this reason, the Government aims to ensure that, by the end of 2011, 80% of the critical organisations in the critical sectors public administration and public order and safety have continuity plans in place. These will include scenarios of widespread disruption to ICT and the electricity supply.
• In mid-2011, the Government will draw up an information security framework for the civil service and a new regulation governing the protecting of classified information.[11] It will also institute a public-sector-wide audit cycle for information security.
• During the course of 2011, the Government will decide whether an electronic identity card that would be acceptable to the public will be incorporated into travel documents. Individuals will then be able to identify themselves reliably on the internet, entering an electronic signature that guarantees their privacy.
• Public authorities will fulfil the European obligation to report the leaking of data in the telecommunications sector. And pursuant to the coalition agreement, the Government is developing a proposa