With the new Dutch International Cybersecurity Strategy for 2023-2028, the government of the Netherlands demonstrates responsibility and agency in the face of continuous cyber threats posed by states and criminals. It aspires to keep democratic and human rights and norms top of mind and seeks to preserve a globally open, free and secure internet. The strategy makes clear the government’s willingness and ability to strike domestically, and in so doing, enhances the synergy between national and international aspirations to stay ahead of cyber threats both current and future.
The Dutch International Cybersecurity Strategy 2023-2028, published in September, details how the Dutch government plans to react to and anticipate international developments in the cyber domain, to strengthen existing coalitions and to expand and explore new partnerships with ‘emerging’ countries, with a focus on the Western Balkans, Southern African states, Asia and Oceania. The strategy has three core aims: the countering of cyber threats from criminals and states; the strengthening of democratic and human rights principles online; and the preservation of a globally open, free and secure internet.
Countering state cyber threats
The Dutch diplomatic commitment to combating cybercrime focuses primarily on eliminating safe havens for cyber criminal groups, in accordance with the UN normative framework and the Budapest Convention. Within the UN, the Netherlands is also participating in the negotiations for a UN convention on cybercrime. At the EU level, the Netherlands aims to ensure that this convention does not restrict online human rights. The new Dutch strategy also describes how the government assists other countries in the fight against cybercrime. The example provided is of helping other countries draft or harmonise their legislation in line with the Budapest Convention; which countries might be involved is not specified in the strategy. Both inside and outside the EU, the Dutch government combats cybercrime by providing legal assistance in criminal matters, and by assisting in prevention, response, investigation, prosecution and disruption. Its intentions for these activities were briefly outlined in the previous strategy.
The Netherlands commits to bolstering international information exchange related to cybercrime threats and to creating awareness and shared understanding, particularly when it comes to ransomware. It is also an active member of the International Counter Ransomware Initiative, an American initiative through which members exchange their experiences with resilience, disruption of ransomware groups, public-private partnerships and diplomatic deployment.
Minority rights and representation
The second pillar of the Dutch approach to EU cyber governance is the strengthening of democratic and human rights online, which it seeks to achieve through a more human rights-focused framing of cyber threats and responses, more coherent responses to disinformation and hate speech, and an increased emphasis on business ethics, particularly in and around the growth of AI. Perhaps the strength of the Dutch government in being able to effectively respond to these issues internationally is limited – particularly with regard to issues such as disinformation and hate speech coming from non-EU countries such as Russia – but the promotion of human rights-led approaches, as well as media literacy, could offer an effective long-term option for tackling issues that do not demand harder, proscriptive approaches.
Access to online media and services is considered an essential part of media freedom and freedom of expression. The Dutch government argues that international law and human rights law apply both online and offline, as was recognised by the UN in 2021 and the UN Human Rights Council in 2012. In the coming years, the government therefore wants to commit to the expansion of the Freedom Online Coalition (FOC). The FOC is dedicated to the application of human rights online, on themes which so far lack international consensus. This diplomatic coalition was established by the Dutch government in 2011, and currently has 37 member countries. It aspires to increase membership by ten countries over the coming five years, with a specific focus on the emerging countries mentioned above.
The Dutch government is concerned about the unlawful use of technologies for digital surveillance by states. The new strategy elaborates on how, in addition to legislation and regulations, the Dutch government carefully considers human rights and the rule of law in determining frameworks for the use of technologies. For instance, every supplier in the Netherlands is screened by the General Intelligence and Secret Service (AIVD) and proscribed from offering its products to ‘dubious’ regimes.
Disinformation and hate speech
With regard to disinformation and hate speech, the Netherlands aims to strike a balance between combatting state disinformation and propaganda on the one hand and protecting a free and pluralistic online media landscape on the other. Its approach therefore consists of protecting and stimulating free media, regulating tech platforms and deploying targeted diplomatic responses to disinformation from state actors. These elements are designed to ensure the freedom of expression of individuals. The Netherlands furthermore aims to work together with Canada in developing ‘rules of the road’ to combat disinformation. The extent to which the Dutch government can exert power on such matters remains debatable. After Russia’s invasion of Ukraine, the EU imposed a ban on Russian state media. Instead of bans, the Dutch government favours monitoring of information on the internet by Dutch security services, as well as educating children on media literacy and on how to search for and assess information.
The Dutch government believes that companies share responsibility in ensuring human rights principles are adhered to, deploying directives such as the OECD Guidelines for Multinational Enterprises and the UN Guiding Principles on Business and Human Rights, which are incorporated into EU partnerships with third countries. It also plans to organise a conference for the regulators of Member States on how to apply human rights in content moderation, and will promote the principles of the Digital Services Act and AI Act internationally, to enhance the Brussels effect.
The preservation of a globally open, free and secure internet
Where the previous international cybersecurity strategy advocated for capacity building within the cyber domain and for closing the international digital gap (Ministerie van Buitenlandse Zaken, 2017), the current strategy offers more tangible intentions, ideas and examples. It describes intentions to broaden, stimulate and strengthen cooperation with the Western Balkans, Asia, Oceania and countries in Southern Africa, and underlines the number of emerging countries that have signed the Declaration for the Future of the Internet. Through regional cyber dialogues, cyber resilience courses and cooperation with the UN, the Dutch government intends to facilitate the exchange of experiences. It plans to have dialogues on how to jointly strengthen technical management principles of the internet as well as the application of international law online. It furthermore aims to assist the aforementioned countries in establishing or further improving their Cyber Security Incident Response Teams (CSIRTs). The Dutch National Cyber Security Centre (NCSC) has initiated a capacity building project which is developing and executing trainings. The NCSC serves as the connecting link for both domestic and international partners, and the first national point of contact for EU Member States during cyber incidents.
Through collaborations with partners such as the Global Forum on Cyber Expertise (GFCE), established by the Netherlands in 2015, the needs and wants of emerging countries will be mapped and linked to the appropriate executors. On a European level, the government is seeking connection with the European Commission’s Global Gateway Strategy, which aims to strengthen connectivity between the EU and the rest of the world through large-scale investments, e.g. in digitalisation. The government also intends to combine Digital Economy Packages investments in digital infrastructure with country-specific assistance in developing regulatory frameworks based on cybersecurity and privacy. It also seeks to connect with the UN Tech Envoy agenda, which is focused on digital inclusivity and sustainable access to new technologies.
Additionally, the government will apply a demand-driven approach and, where it considers it necessary, deploy national expertise in harmonising legislation with the Budapest Convention, formulate policy to protect critical infrastructure, or assist with the translation of international law into the online rule of law.
The network of cyber-diplomats that was planned in the previous strategy has now been realised, with cyber-diplomats at 34 embassies and Permanent Representations. They play a crucial role in connecting with and maintaining new and existing partners and initiatives.
Overall, the previous strategy was shorter and implicit, and had more abstract goals, with an emphasis on the stance and views of the Dutch government in the cybersecurity realm, while the new strategy provides a more elaborate and concrete explanation of its international objectives. There is even a five-page appendix which extensively lists all the objectives, activities and the actors involved in them, thus providing a clear overview of what the Netherlands plans to do. It is a slight miss that the strategy does not elucidate the objectives that were not achieved, but instead only focuses on what has been achieved. Yet, it does offer us an overall idea of what has been accomplished so far. Notably, a few matters that were mentioned in the previous strategy did not reappear in the new one. The strategy, for instance, does not touch upon the further development of the so-called 3D approach – defence, diplomacy and development – nor does it touch upon the previously mentioned advocacy for a broader ratification of and an approach protocol for the Budapest Convention. It also does not reflect on its role and the overall achievements of the Global Commission on the Stability of Cyberspace (GCSC), which terminated in 2021.
In conclusion, the Dutch government demonstrates responsibility and agency in the face of continuous cyber threats posed by states and criminals. In doing so, it aspires to keep in mind democratic and human rights and norms, and seeks to preserve a globally open, free and secure internet. How effective the planned and ongoing measures will be is yet to be determined, and relies on the effectiveness of the EU and the UN. Nonetheless, the strategy does demonstrate the government’s willingness and ability to act domestically, and, in so doing, increases the combined power of national and international approaches to stay ahead of cyber threats – current and future. It would, however, be premature to say anything about the application of the strategy, as external factors – such as geopolitical developments and uncertainties – will play a significant role in its implementation.
About the Author
Parto Mirzaei is a PhD candidate in Cybersecurity Governance at Leiden University. Her work primarily focuses on the institutional architecture and fragmentation of the Dutch cybersecurity governance landscape.