
Reducing the Risk of Cyberconflict: a case study of the commitment of the Netherlands to develop and implement confidence-building measures for the cyber domain


Academic year: 2021


Reducing the Risk of Cyberconflict

A case study of the commitment of the Netherlands to develop and implement confidence-building measures for the cyber domain

MSc Crisis and Security Management

Marlou Snelders

Student Number: 2149885

Faculty of Governance and Global Affairs Leiden University

23-06-2020

Supervisor: James Shires


Table of Contents

Abbreviations

Preface

Executive Summary

Keywords

1. Introduction

2. Theoretical framework

2.1 The Unique Character of Cyberspace and Cyberconflict

2.2 Disarmament, Arms Control and Confidence Building Measures

2.3 Confidence Building Measures

2.4 Cyber Confidence Building Initiatives

2.4.1 Norms of responsible state behavior in cyberspace

2.4.2 United Nations Group of Governmental Experts

2.4.3 Organization for Security and Co-operation in Europe

2.5 Confidence Building Measures as a Tool for Cyber Diplomacy

2.5.1 Soft Power

2.5.2 Small states and Cyber diplomacy

3. Methodology

3.1 Research Design

3.2 Research Framework

3.3 Case Selection

3.4 Collection of empirical data

3.5 Data analysis

4. Notable Events and Publications

4.1 Timeline

4.2 Shaping Cyber Security Governance (2010-2014)

4.3 The emerge of Cyber Diplomacy (2015-2019)

5. The Driving Forces

5.1. Multilateralism and Soft Power

5.1.1 Multilateralism as a cornerstone

5.1.2 Alliances

5.2 Values, Culture and Policies

5.2.1 Promoting the International Legal Order

5.2.2 Building Bridges

5.2.3 Integrated Approach

5.2.4 Multi-stakeholder Approach

5.3 Dependency on ICT

5.2.1 Knowledge-based economy

5.2.2 The Digital Gateway to Europe

5.4 Impact of large-scale Cyber Incidents

6. Engaging in the development and implementation of Cyber CBMs

6.1 Initiatives at the Global level: the UN

6.1.1 The UN Framework

6.1.2 The UN Group of Governmental Experts

6.1.3 The UN Open-ended Working Group

6.1.4 Complementary efforts in the UN

6.2 Initiatives at the regional level: the OSCE

6.3 Comparing the global and regional level

Conclusion

References

Academic literature, blogs and newspapers

Policy Documents

Government of the Netherlands

Organisation for Security and Co-Operation in Europe (OSCE)

United Nations (UN)

North Atlantic Treaty Organisation (NATO)

European Union (EU)

Appendix 1. – Overview CBMs in UN and OSCE

Appendix 2. – Interviews

2.a Guideline Interview Questions

2.b Informants

2.c Transcripts


Abbreviations

AIVD General Intelligence and Security Service (NL)

ASEAN Association of Southeast Asian Nations

CBM Confidence Building Measure

CERT Computer Emergency Response Team

CSBN Cyber Security Assessment Netherlands

CSIRT Computer Security Incident Response Team

CSR Cyber Security Council (NL)

CVD Coordinated Vulnerabilities Disclosure

EU European Union

EU CSDP EU Common Security and Defence Policy

GGE Group of Governmental Experts

GCSC Global Commission on the Stability of Cyberspace

GCCS Global Conference on Cyberspace

GFCE Global Forum on Cyber Expertise

ICANN Internet Corporation of Assigned Names and Numbers

ICT Information and communication technology

ITU International Telecommunication Union

MinDef Ministry of Defence (NL)

MinEC Ministry of Economic Affairs and Climate Policy (NL)

MinFA Ministry of Foreign Affairs (NL)

MinGA Ministry of General Affairs (NL)

MinIKR Ministry of Interior and Kingdom Relations (NL)

MinJS Ministry of Justice and Security (NL)

NATO North Atlantic Treaty Organization

NATO CCD COE NATO Cooperative Cyber Defence Centre of Excellence

NCSC National Cyber Security Center (NL)

NCTV National Coordinator for Counterterrorism and Security

OEWG Open-Ended Working Group

OPCW Organisation for the Prohibition of Chemical Weapons

OSCE Organisation for Security and Co-operation in Europe

UN United Nations

UN SG UN Secretary General

UNIDIR United Nations Institute for Disarmament Research

UNODA United Nations Office for Disarmament Affairs


Preface

‘It’s not so much the cost of doing it, it’s the cost of not doing it.’ - Chuck Parker, NATO

This thesis concludes the Master’s Programme Crisis and Security Management at the Faculty of Governance and Global Affairs of Leiden University. Starting this thesis, I could never have thought that a pandemic such as COVID-19 would expose the risks of digitalization so obviously. The dependence of modern-day society on ICT has never been this commonplace. During the process, after some productive days, a Microsoft update made all of my files disappear and challenged my technical skills to restore them. Long live the cloud and all open-source information on ‘how to get back my files’. After a long day of typing and reading about cyber intrusions, I even believed someone was inside my computer when every attempt to scroll in the browser and Word instantly resulted in the laptop deleting words and closing all tabs. Luckily, it turned out to be the backspace button of my keyboard being stuck (at least let’s assume so).

The knowledge and insights gathered throughout the process have made me eager to start my professional career and contribute to the solutions to today’s challenges.

First of all, I want to express my gratefulness to James Shires. Thank you for your dedication and valuable feedback throughout the thesis process. As my supervisor, you gave me the confidence to finish the project and inspired me to stay critical at all stages. It was a long process starting from state-level response to cyber operations to the in-depth analysis of the confidence-building measures.

Secondly, I would like to extend my gratitude to the Taskforce Cyber at the Security Department at the Ministry of Foreign Affairs. Thank you for all of the insights, ideas and advice during and after my internship. Without it, I would never have been able to come up with this result.

I want to sincerely thank all of the interviewees for taking the extended time to share your interesting and useful contributions and insights. It allowed me to put the pieces of the puzzle together and gave me information that I would never have obtained with just document analysis.

And last but not least, my girlfriend, and all my family and friends for your valuable comments, patience and necessary distractions.

Marlou Snelders June 21, 2020


Executive Summary

As part of the broader diplomatic framework to counter the risk of escalation by the use of ICT, confidence-building measures (CBMs) are being employed on global and regional levels. Traditionally, CBMs have been used to emphasize trust, reduce the risks of misunderstanding and prevent escalation. This study analyses the motivations and manners in which small states engage in the development and implementation of CBMs in the cyber domain. A case study of the Netherlands provides an in-depth analysis of the motivations and mechanisms behind cyber CBMs in the context of the United Nations and the Organisation for Security and Co-operation in Europe.

The study shows that the Netherlands is highly dependent on ICT and has suffered multiple cyber incidents. The country is, therefore, motivated to put in extra effort to stabilize the risks in the cyber domain. Engagement in cyber diplomacy also fits the socio-political culture of the country. Being a natural bridge-builder, the Netherlands acts as a mediator within the multilateral platforms while promoting its national values in the cyber domain. To maintain this position, the Netherlands has to put significant effort into cyber diplomacy.

As a small state, multilateralism and strengthening the international legal order are the cornerstones for international policy. CBMs offer practical tools to act upon this and can be seen as small steps towards an international legal framework. For small states, CBMs ensure a level of communication outside alliances in times of crisis and create a level of predictability. A normative framework without constructive CBMs in place would turn into a paper tiger. Strategic engagement in cyber CBMs also allows for the promotion of national values and flagships, meanwhile strengthening the position within the geopolitical playing field.

Furthermore, engagement in cyber CBMs by small states is a long-term effort. Until now, big powers have not yet been on the frontline to develop and implement CBMs. Consequently, CBMs have the possibility to mature before the big powers realize the need for them or escalation becomes a reality. This allows small countries, like the Netherlands, to set an example and create a preferable environment for the long term, be it in small steps.

Without being the ultimate solution for the challenges in the cyber domain, this study shows that besides the traditional aim of reducing and eliminating causes of mistrust and misunderstanding, CBMs can be used by small states as a unique tactical instrument to promote national interest. Regional organizations in particular, such as the OSCE, are a useful platform to convert CBMs to feasible instruments for tangible results. However, the ambiguity and fragmentation of cybersecurity governance and policy are complicating factors in this approach.

Keywords


1. Introduction

In the last decade, cybersecurity has become a prominent matter on the political agenda and is considered one of the most significant national security issues of this time (Roberts 2018, Kello 2017, NCSC 2019). Ever since the cyberattacks on Estonia and Georgia in 2007 and 2008, there have been numerous cyber incidents. GhostNet (2009), Stuxnet (2010), the US presidential campaign hacks (2016), WannaCry (2017), and the Russian hack at the OPCW are some of the best-known alleged state-sponsored cyber operations of the recent past (Sanger 2018). States never officially acknowledge their involvement in most of the operations, though it is evident that they possess offensive cyber capabilities. The Dutch Intelligence Agency noted in 2018 that China, Iran, and Russia have such a program (AIVD 2018, p. 8). Moreover, a year later, Australia, Germany, Poland, Sweden, the United Kingdom (UK), the United States (US), Denmark, and the Netherlands all publicly stated that they have access to offensive cyber weapons as well (Faesen et al. Clingendael & HCSS, 2019).

In July 2016, NATO declared ‘cyberspace’ an additional operational domain next to land, sea, air, and space during the Warsaw Summit. Subsequently, cyber operations can qualify as a use of force under Article 5 of the NATO Charter (NATO, 2019). The bar to qualify under the scope of Article 5 is set high, causing much discussion on how to deal with the so-called below-the-threshold operations. In traditional hostile acts, international law accommodates this vacuum by giving states the right to respond through the use of countermeasures or sanctions not involving the use of force (Corn and Jensen, 2017, p. 128). The international community agreed that existing international law (in particular the UN Charter¹) applies to cyberspace, and the Tallinn Manual offers additional guidelines on the applicability of international law to cyberconflict and cyber operations².

Nevertheless, the unique character of cyberspace makes it considerably difficult to apply. As cyberspace is a cross-border domain, cyberattacks are not restricted by physical or geographical borders (Corn & Jensen, 2018). Efrony and Shany point out that this boundlessness and anonymity are the two key characteristics that distinguish a cyberattack from other kinds of attacks (2018). The non-physical character and the use of proxies are just a few of the issues that often make cyber operations more complicated and time-consuming to detect and evaluate. Attribution is, therefore, far more complicated than in traditional conflict situations. As states are drawing up their inventory on how to use and respond to cyber operations, there is a reasonable likelihood of escalation (Sanger 2018; Corn and Jensen 2017; Schmitt 2014).

¹ UN document A/68/98, Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, 24 June 2013, p 2.

² In 2017, international academia and legal experts led by Michael Schmitt developed the Tallinn Manual 2.0, a handbook that offers guidelines on the international law applicable to cyber operations. The Tallinn Manual 2.0 is the successor to the first Tallinn Manual published in 2013, on request of the NATO Cooperative Cyber Defence Centre of Excellence. The Tallinn Manual 2.0 was released to expand the applicability from ‘cyberconflict’ to ‘cyber operations’.

These developments substantiate the need for reducing the risk of escalation of cyberconflict and obtaining clarity about the ‘rules of the road’ for state behavior in cyberspace. To cope with these urgencies and to strengthen international cooperation to counter these threats, the international community has taken several steps and initiatives. Alongside the development of a normative framework and capacity-building initiatives, the UN Group of Governmental Experts (GGE) and regional institutions such as the Organisation for Security and Co-operation in Europe (OSCE) have adopted sets of confidence-building measures (CBMs) (Pawlak 2016).

CBMs are instruments to emphasize trust, reduce the risks of misunderstanding and prevent escalation. They emerged during the Cold War and focused on military communication and information exchange, transparency and verification, and military restraint. More recently, non-military CBMs with a political, economic, environmental, societal or cultural character have also been deployed (Pawlak, 2015). In global and regional institutions these CBMs are used in an intertwined manner. In comparison to large, powerful nations, small states often lack the military and economic resources to enforce their national interest within international fora. According to Joseph Nye, small states therefore use soft power tools for agenda-setting. This study argues that CBMs are soft power tools to reduce the risk of cyberconflict. Up till now, the engagement of small states in confidence-building measures is understudied.

Most of the preliminary academic literature focuses on the application of international law. It analyzes, e.g., sovereignty or the twofold problem of attribution, regarding either the technical issues of tracing the origin of cyber operations or the assignment of state responsibility to individual actors or organizations (Clark & Landau 2010, Payne & Finlay 2017, Rid et al. 2015). As cyberconflict goes beyond the traditional national borders and has a large geopolitical element, it is necessary to incorporate diplomacy as a tool for keeping cyberspace stable (Riordan, 2019). Many states have national cyber and defense strategies. However, there is still little research on diplomatic instruments that can be applied to control the impetuousness and risks of conflict in cyberspace.

The literature on cyber diplomacy mainly focusses on the broad norms debate (e.g. Boeke & Broeders 2018; Homburger 2019; Klimburg & Almeinda 2019). Concerns are increasingly expressed about the sustainability and stagnation of this debate due to the failed negotiations in the previous consultations of the UN GGE (Hendriksen 2019). Some authors even argue that agreement on new norms is unlikely, stating now is the time to move forward to a more practical approach (Grigsby 2017). In this respect, CBMs can play a serious role. CBMs can create more stability and transparency in order to control this grey area between war and peace. Up until now, the concept of CBMs has long been overshadowed and solely discussed as part of the norms discussion. Little research is available on CBMs as a specific diplomatic tool to reduce cyberconflict (Borghard & Lonergan 2018, p.18).

This study argues for discussing confidence-building measures as a separate instrument, without questioning the remarkable impact of the norms debate and its possible impact in the future. An in-depth view on the motives of small states behind the development and implementation of CBMs is necessary, as CBMs belong no less to the pillars of the international framework. The understanding of CBMs for cyberspace contributes to the broader framework of the cyber diplomacy toolbox. This could potentially assist policy-makers in their work and strategic considerations in the future. This leads to the following research question:

Why and how do small states engage in cyber confidence-building measures at regional and global levels?

To answer the research question, this qualitative study performs a case study of the involvement of the Netherlands in confidence-building measures on the global and regional levels, respectively in the UN and the OSCE. The Netherlands has been successfully advocating the development and implementation of CBMs in the field of ICT in both organizations. This study aims to reveal the mechanisms and motives behind choosing these CBMs as a diplomatic policy instrument. The analysis is partly based on the soft power theory of Joseph Nye and the findings of Adamson and Homburger on small states as cyber norms entrepreneurs (Nye 2004; Adamson and Homburger 2019).

First, the chapter on the theoretical framework outlines the uniqueness of cyberspace and cyberconflict and describes the phenomenon of confidence-building measures in academic literature and the field of crisis and security management. The last part of this chapter analyses the theory and literature about the use of CBMs and other soft power diplomacy tools to prevent the escalation of cyberconflict. Chapter 3 explains the causal mechanism, case selection, collection of empirical sources and the operationalization and methods used to conduct the research. Chapter 4 outlines relevant events and publications as a start of the case study. Chapter 5 then elaborates on the main drivers of the causal mechanism, namely multilateralism (including values, culture and foreign policy), dependency on ICT and the occurrence of a large-scale cyber incident. Chapter 6 specifically addresses the engagement of the Netherlands in cyber CBMs within the UN and OSCE. Finally, the conclusion presents the main findings of this study, including the discussion and limitations.


2. Theoretical framework

2.1 The Unique Character of Cyberspace and Cyberconflict

The increasing dependency of society on the Internet makes states more vulnerable to cyber-attacks (WEF 2017). Cyberconflict has become a daily occurrence and today's most significant security issue (Edwards et al. 2017, Sanger 2018). Peoples and Vaughan-Williams already noted in 2014 that cybersecurity for both military and non-military purposes should be a security issue in critical security studies. In order to understand this security issue, it is necessary to explain the concepts of cyber and cyberconflict, and the difficulties the unique character of cyberspace raises. It should be mentioned that this study addresses cyber diplomacy. Cyber diplomacy deals with the international challenges and difficulties posed by the use of ICTs (Hocking & Melissen 2015). It should not be mistaken for e-diplomacy, which refers to the use of digital features for the benefit of diplomacy. The study does not, as far as a clear distinction is possible, address international approaches towards cybercrime.

No uniform definition of cyberspace or the digital domain exists. The UN agency for telecommunications (ITU) defines it as ‘systems and services connected either directly or indirectly to the Internet & telecommunications and computer networks’ (2013). States, however, often use a more comprehensive definition, including other information systems than solely the Internet, referring to ‘digital, wireless, and computer-related activities in the broadest sense’ (Nye 2017 b.). Following NATO, the Dutch Military refers to cyberspace as the fifth operational domain of the military, next to sea, land, air and space (2014). The notions of cyberconflict, cyber warfare, information warfare and cyberwar are used interchangeably, and the lack of common definitions creates a barrier in the international debate. It leads to misunderstanding and makes it difficult to come to agreements. This study uses the notion of cyberconflict primarily. With cyberconflict, the study refers to conflict carried out within the broad definition of cyberspace.

The uniqueness of cyberspace entails a number of difficulties. First, cyberspace is a cross-border domain. Operations are therefore not restricted by physical or geographical borders (Corn & Jensen, 2018). They can be carried out from one place and affect the other side of the world without any physical presence except computers, networks et cetera. Often, an operation is redirected via a third country, creating the illusion that the operation was carried out from another place. Another difficulty is that states can use a proxy to carry out malicious acts. A proxy can be a semi-state or non-state actor but also a representing group of actors. Consequently, states cannot be held legally responsible for their actions, making attribution to states in these situations complicated (Schmitt and Vihul, 2014 & Mumford 2013). Furthermore, a large part of the critical infrastructure was not intended to be connected to the Internet and was not secured by design. Nevertheless, ICT systems are integrated into almost all of our critical infrastructure. This makes it relatively easy to find ways to access these systems and carry out malicious intents, increasing the vulnerabilities of a society.

Cyber capabilities can be deployed in various ways. In some articles, cyber capabilities have been compared to other technical innovations of the past, e.g., the use of nuclear weapons and the period of the Cold War (Kesan & Hayes). Others call this comparison into question, as there are many differences. For example, nuclear weapons are solely used for fighting, and as a weapon an sich. Cyber capabilities, on the other hand, can be used in support of and integrated into kinetic warfare and also for subversion and coercion, e.g. the use of (mis)information. Nye points out that the cyber power playing field includes far more players than the situation of the Cold War due to low costs and easy access (Nye 2017 a.). This section showed the complicating factors of cyberconflict. Cyberconflict is a relatively new field, yet to be expanded for today’s geopolitical order and international relations. To cope with these challenges, the international community reached out to the traditional disarmament toolkit. The next section, therefore, reflects on disarmament, arms control and confidence-building measures.

2.2 Disarmament, Arms Control and Confidence Building Measures

Disarmament, arms control and confidence-building measures (CBMs) in the past have proven to be effective means to reduce the chances and impact of escalation. Before continuing to their role within cyberspace, it is relevant to clarify the terminology and address the differences. Disarmament generally represents the overall process of reducing the use, quantity and capabilities of military weapons or forces. Arms control and CBMs can be seen as part of the disarmament toolkit. Arms control refers to measures taken to control or reduce weapon systems or armed forces. Like CBMs, they are installed to increase stability and reduce the risks of an arms race. Unlike CBMs, these measures typically include monitoring and verification provisions. Arms control measures can put specific limitations or reductions on weapons systems or armed forces (UNODA). CBMs can function as a precedent for arms control agreements or complement them by providing additional frameworks.

CBMs initially aimed to prevent the deployment of nuclear weapons and later extended to areas such as outer space and weaponry. Applying the same to cyberspace and cyberconflict, however, seems more difficult (Ziolkowski 2013, p. 540). Although traditional arms control regimes have shown to be useful means to establish stability in the past, there are several reasons to believe that these traditional arms control agreements are not likely to be effective in cyberspace. First of all, this is problematic due to strategic factors, as governments do not want to have strategic disadvantages. Policymakers, mostly the big powers, are therefore hesitant to implement limits on cyber capabilities in an ever-developing time where future technological developments are uncertain and adversary capabilities and inventories are difficult to determine (Borghard and Lonergan 2018, p. 15). However, this is seen throughout the entire field of disarmament, for example, looking at nuclear non-proliferation.

Secondly, states are now in a position to build a much bigger arsenal unnoticed. Whereas traditional weaponry mostly exists in the physical domain and can be spotted from the air, cyberweapons can be hidden in any computer anywhere. For example, the enrichment and testing of biochemical and nuclear weaponry can be monitored by seismic and infrasound systems. The verification and monitoring of cyber weapons are far more complicated, perhaps sometimes impossible. Nevertheless, evidence suggests that intelligence services are sometimes informed of cyber operations. For example, the AIVD hack inside the GRU cyber command, during the DNC intrusions, shows that it is possible to infiltrate the adversary’s computer systems and notice ongoing operations (Sanger 2017). However, constant monitoring and verification are complicated, and above all, unwanted because they require a mutual level of transparency. Therefore, most cyber operations stay unnoticed³.

Confidence-building measures are seen as an intermediate step towards an arms-control regime as they are often less restrictive in nature (Interview 2; OSCE 2013). Borghard and Lonergan do believe that as CBMs differ from arms control, they can contribute to crises and escalation in the cyber domain (2018). The next section explains the background and concept of confidence-building measures.

2.3 Confidence Building Measures

Confidence-building measures (CBMs) or confidence and security-building measures (CSBMs) are instruments in international relations that aim to emphasize trust, decrease misunderstanding, and prevent escalation such as the outbreak of war or any other form of armed conflict between States (Ziolkowski 2013, p. 533, Britannica). CBMs are employed to contribute to the creation of favorable conditions for preventive crisis management between states (UNODA 2019). CBMs contribute to stability and détente by helping convey the intent behind a state’s unilateral security policies and actions that would otherwise be cloaked in uncertainty (Holst 1977, 1983). They thus provide valuable insights into the geopolitical playing field. However, CBMs have also been criticized from both a military and diplomatic perspective because of the lack of reciprocal effectiveness in, e.g., the peak of the Cold War (Borghard and Lonergan 2018).

Traditionally, CBMs were deployed to control and mitigate the risks posed by technical innovations and geopolitical dynamics. The Helsinki Final Act of the Conference on Security and Co-operation in Europe first introduced CBMs during the Cold War in Finland in 1975. It was signed by 35 states, covering a wide range of topics varying from sovereignty and refraining from the threat and use of force to economics and respect for human rights and fundamental freedoms (OSCE 1975). The 1986 Stockholm document on Confidence and Security-Building Measures and Disarmament in Europe succeeded this foundation (OSCE 1986). This document is considered the first agreement with militarily and politically binding CBMs (OSCE 2010). In 1990, the Vienna document followed, containing complementary CBMs and specifications for implementation. The CBMs of the Vienna document are focused explicitly on military communication and information exchange, transparency and verification, and military restraint, and are often referred to as ‘military’ CBMs. In the last years, the OSCE has shifted focus to non-military CBMs. Non-military CBMs aim to increase transparency, trust and confidence through actions and measures without a military component, e.g. with a political, economic, environmental, societal or cultural component (Pawlak, 2015).

³ It should be noted that the preparation seems to have been unnoticed. Nevertheless, classified information could reveal that

CBMs can in principle be both legally and politically binding. If even feasible, creating legally binding measures for arms control would take years of negotiations, especially for the case of cyberconflict, where dissent exists on the definitions alone. Therefore, all measures currently taken by the OSCE, including the CBMs to reduce cyberconflict, are politically binding. Also, the CBMs proposed by the UN reports are all voluntary in nature. The impact of politically binding CBMs should, nevertheless, not be underestimated. They provide serious direction and commitment (Den Dekker 2001). Political will, however, is crucial to the success of CBMs; without genuine political intent, results will be disappointing. ‘Pseudo-CBMs’ are likely to backfire (OSCE Guide). CBMs are mainly based on mutual trust, which is at the same time their largest pitfall. States do not want to give up their own strategic and military advantages if they are not sure others will do the same. Therefore, military and intelligence services often seem less trusting than, e.g., diplomats. Security services are reluctant to make their own actions more difficult or even not allowed anymore. This can create a bureaucratic obstacle for implementation.

An example of insufficient trust can be found in some of the bilateral CBMs in the cyber domain. The first bilateral confidence-building measures in the cyber domain were agreed upon by the Russian Federation and the United States in 2013 (White House). These CBMs were mainly aimed at information exchange and crisis communication. They establish three connections: a link between the nuclear risk reduction centers, a channel between national CERTs, and a hotline between the White House and the Kremlin in case of a cyber incident. Also, the US and China signed a bilateral digital non-aggression pact in 2015 to refrain from digital economic espionage. The past has shown that these bilateral agreements have had a limited impact (Korzak 2015). The involvement of multiple states offers the opportunity to address accountability and is not directly doomed to the ‘when they do it, we do it too’ mentality. Multilateral agreements on CBMs could therefore be more desirable for enduring contributions to peace and security. The next sections discuss the current initiatives and developments on cyber CBMs and the cyber diplomacy framework in the context of the UN and OSCE.


2.4 Cyber Confidence Building Initiatives

2.4.1 Norms of responsible state behavior in cyberspace

The discussion about confidence-building measures in cyberspace is closely linked to the debate about norms of responsible state behavior. It is therefore not strange that, often in literature, the concepts of CBMs and norms of responsible behavior are used interdependently or even intertwined (e.g. in Baseley-Walker 2011 and Finnemore & Hollis 2016). We should not, though, make the mistake of lumping these concepts together. Norms have the intention to establish expectations about responsible state behavior in cyberspace within the international community, while CBMs serve as more operational tools to manage these expectations (Ziolkowski 2013). Norms are often defined broadly, with the consequence that without CBMs, the chances of misinterpretation are likely to be higher. Pawlak even argues that without CBMs in place, ‘legally binding norms enshrined in international treaties only provide an illusion of stability and normalcy’ (2014). Grigsby even states that norms have been given disproportionate attention and have overshadowed interest in CBMs. He urges a shift of focus to CBMs as a more practical tool for maintaining stability in cyberspace as the norms discussion is moving to the background (2018).

2.4.2 United Nations Group of Governmental Experts

The United Nations Group of Governmental Experts on Advancing Responsible State Behavior in Cyberspace in the Context of International Security (UN GGE), formerly on Developments in the Field of Information and Telecommunications in the Context of International Security, was established by the Secretary-General (SG) under the UN First Committee on Disarmament and International Security in 2005 to discuss responsible behavior in cyberspace. The 2010 report first mentions CBMs, recommending their development to reduce ‘the risk of misperception stemming from ICT disruptions’ (UN GA 2010b.). In the 2013 report, the GGE recommends six CBMs to ‘increase transparency, predictability and cooperation’ and encourages states to build upon progress in regional groups such as the OSCE (UN GA 2013a.). Meanwhile, the OSCE agreed in 2013 to an initial set of eleven CBMs to ‘reduce the risks of conflict stemming from the use of ICTs’ (OSCE 2013b.). The CBM recommendations that followed in the GGE report of 2015 build upon the consensus that was reached in the OSCE. These CBMs ‘to enhance trust, cooperation, and reduce the risk of conflict’, proposed by the 2015 GGE report, however, primarily shape the role CBMs can play in contributing to stability in cyberspace and reducing the chances of cyberconflict, leaving the more practical assessment to regional institutions (UN GA 2015a.). The agreement of the US, China and Russia over these CBMs and new norms is seen as a big breakthrough. However, the 2016-2017 UN GGE failed to produce a consensus report. In 2019, a new UN GGE was installed (UN GA 2019b.). Parallel to the UN GGE, an Open-ended Working Group (OEWG) was installed on Russian initiative to include the rest of the UN and non-state stakeholders in the cybersecurity discussion (UN GA 2019c.).

Ideally, CBMs would be adopted by the entire international community in an international organization such as the UN. However, regional approaches to comparable security issues have proven to be more successful, due to the nature of internal political relations between member states. Consequently, in the Agenda for Disarmament, Securing our Common Future, the UN Secretary-General (SG) particularly points out that the UN and regional organizations should ‘work together to strengthen existing platforms for regional dialogue on security and arms control’ (2018).

2.4.3 Organization for Security and Co-operation in Europe

This part focusses on the initiatives of the OSCE, being the world's largest regional platform. Although the organization is named ‘Organization for Security and Co-operation in Europe’, the 57 member states originate from not only Europe but also Central Asia and North America. Earlier on, the difference between military and non-military CBMs was discussed briefly. Over the last year, the OSCE has been primarily focused on the latter. Non-military CBMs were used as the additional bridge to sustainable peace in conflicts and crises such as in the Western Balkans. The OSCE considers local ownership in these processes essential to the success of the CBMs (OSCE 2013a). The OSCE guide on non-military CBMs makes a distinction between political, economic, environmental, societal and cultural CBMs. For cyberspace, this study argues that economic CBMs could stand out in particular. Economic CBMs can increase cross-border trade and provide a basis for dialogue on cooperation on mutual obstacles, often resulting in joining forces beyond trade issues (OSCE 2013a, p.9). Military CBMs aim to reduce military tension and the chances of a sudden attack. The establishment of a hotline for pertinent communication is traditionally seen as a military CBM.4 Initially, confidence-building measures such as those presented in the Vienna Document are primarily a transparency tool, offering a state of predictability, and are not intended to serve as a crisis management mechanism once military conflict has begun. However, for cyberspace, communication lines and other CBMs could also be beneficial during conflict.

Cybersecurity issues were made a priority on the OSCE agenda during the summits of Heads of State in Astana (2008) and Oslo (2010). In 2012, the Permanent Council decided to establish an open-ended, informal OSCE working group for the development of confidence-building measures to ‘reduce the risks of misperception, escalation, and conflict that may stem from the use of ICTs’. Consequently, the first set of eleven voluntary CBMs was adopted in December 2013 and, in 2016, five more CBMs were adopted through Decision No. 1202. The measures are a mix of transparency and cooperative measures. The latter are mostly reflected in the additional set of CBMs, e.g. the voluntary exchange of information, best practices and vulnerabilities, and engagement in national expert meetings and meetings on a regional and sub-regional level. The initial set of CBMs is distinguishable from the second set as it represents a low level of consensus among member states, in substantive commitments, regarding the conceptual and legislative frameworks surrounding cyberconflict. The CBMs added by Decision No. 1202, however, show more political commitment, ensuring consultation channels and cyber focal points, the protection of critical infrastructure and the encouragement to work with non-governmental stakeholders. Chapter 6 elaborates on the initiatives taken in the context of the UN and OSCE.


2.5 Confidence Building Measures as a Tool for Cyber Diplomacy

2.5.1 Soft Power

Soft power, first mentioned by Joseph Nye in 1992, refers to ‘getting the other to do what you want’ through persuasion and making values and ideas attractive to others, rather than by hard power, inter alia coercion (military) or payment (economic) (Nye 2004). However, the use of soft power alone is not entirely sufficient, as a country needs to have some level of hard power in order to combine these tools successfully as smart power. The soft power of a state depends predominantly on its culture, political values and foreign policies. Culture can take on many different shapes, ranging from universal values to shared interests, which can be attractive to others. Political values are manifested in e.g. the state of democracy and human rights within a country, but also in how a state acts upon these values within international organizations and foreign policy. A state’s attitude to the latter can profoundly affect the opinion of others, e.g. if a state behaves deceitfully and arrogantly, the willingness of another state to cooperate is likely to be lower. At the same time, this example shows that regardless of whether a state is willing to cooperate, states could still force cooperation upon it with hard power. Nevertheless, this would be less fruitful for cooperation in the long term.

As soft power reaches not only states but also individuals, the credibility of a state is vitally important. Access to information is also of great value in modern-day soft power. The uniqueness of cyberspace and cyberconflict makes the field accessible to many actors and narrows the gap between non-state and state actors. Cooperation with non-governmental actors has therefore become more relevant, as the field of cyberconflict, especially the technical sector, possesses a great deal of knowledge. The strength of soft power is largely located in its long-term effects, creating influence and shaping policy over time (Nye 2017).

Figure 1. (Source: Nye, 2005)

The critiques of Nye’s soft power theory are mainly aimed at his views on the efficacy of US soft power in the last decade and at the authenticity of the theory, due to the revisions Nye made to his own definitions in his later career. The adjusted theory as described above nonetheless remains an appropriate theory to gain more insight into the mechanisms and motivations behind the development of CBMs.


2.5.2 Small states and Cyber diplomacy

Small state diplomacy is primarily presented as soft power diplomacy, as small states often do not have the military and economic resources to coerce other states to take the same stance. These limits also ask for efficient use of resources. Rather than being an all-round player, small states can aim for a frontrunner position on specific topics. Adamson and Homburger show that smaller countries use cyber norm entrepreneurship as a soft power tool to establish security, clarity, stability and certainty (2019). In their article, they argue that smaller states, especially highly developed ICT states, could be subjective norm entrepreneurs in the field of cyber. The motivation for the development of norms on state behavior in cyberspace by e.g. the Netherlands is ‘connected to their own security concerns.’ As small to medium-sized states benefit highly from a stable international environment based on international law, multilateralism is essential.


3. Methodology

3.1 Research Design

The study has a specific interest in the engagement of small states. It aims to explain their motivations and mechanisms behind the use of cyber CBMs as peacekeeping instruments. A plurality of causal pathways causes the engagement. This study aims to find out the causal mechanisms binding these pathways and wants to figure out the necessary and sufficient conditions for this outcome. Motivations and mechanisms that go beyond the quantification of numbers and data need to be studied using qualitative research. This study uses a qualitative single case study design to examine the engagement of the Netherlands within the UN and OSCE. A single case study design is appropriate as this design offers a high conceptual validity, meaning that it enables us to explain what happened (George & Bennett 2005).

The study focusses on the explanation of the causal mechanisms and motivations behind the use of CBMs as a policy instrument rather than explaining causal effects. To understand these processes, it is necessary to have a proper understanding of the context. The in-depth approach in a single case study design offers hereby room for detail, possibly leading to new insights during the analysis of such unexplored terrain (Yin, 2018). Furthermore, the flexibility of a case study design is suitable as it enables switching between existing theory and new findings. An in-depth analysis of high quality and multiple sources of empirical evidence is made by using open-coding and process-tracing (Blatter and Haverland, 2014).

3.2 Research Framework

Confidence-building measures are an overshadowed policy tool in cyber diplomacy, and existing literature mainly focusses on the development of normative frameworks. Meanwhile, the theory does show distinctions between norms and CBMs. The practical characteristic of CBMs can expose more exhaustive incentives than norm development. In literature, no comprehensive causal mechanism exists on the motivations and mechanisms of small states behind the engagement in CBMs for cyberspace. The study aims to uncover new mechanisms and motivations that go beyond the existing theory (George and Bennett 2005, p.85). Therefore, a potential causal mechanism is created upon the theory on confidence-building measures, the soft power theory of Joseph Nye (2004, 2017), and complemented by the views of Adamson and Homburger on small states as cyber norm entrepreneurs (2019). Considering the practical nature of CBMs, it is likely that motives behind CBMs expose more exhaustive incentives than norm development. The study contributes to research on the broader framework of cyber diplomacy.

Figure 2 presents a causal mechanism for the engagement of small states in cyber CBMs. The study hypothesizes that multiple conditions (T+(X1+X2+X3)+V) are necessary for active engagement in cyber CBMs. First, the malicious use of ICT by states poses a risk of cyberconflict (T) and creates the ground for further incentives to act upon it. The reputation that CBMs built in the past as instruments to decrease misunderstanding, emphasize trust and prevent escalation (V) also influences the motivation for active engagement in cyber CBMs. This study argues that the reputation of CBMs (V) alone is not sufficient for small states to lead to the outcome (Y): active engagement in cyber CBMs. The added interaction of X, created by X1+X2+X3, eventually leads to the policy choice for active engagement in cyber CBMs. X is a necessary condition for small states to engage in cyber CBMs actively. X by itself is not sufficient, as the incentive of T is necessary to engage in cyber CBMs in the first place.

Figure 2. Causal Mechanism for the Engagement in Cyber CBMs by Small States

The condition X1 shows that when small states want to promote their values or want to influence other states, they need soft power tools and make use of multilateralism. This is essential, as they lack the resources to enforce their intentions upon other states by economic and military means (as explained by Nye’s soft power theory). If a state does not make use of X1, it would not have the right resources to engage in cyber CBMs actively. This study argues that CBMs can be used as a tool for soft power diplomacy as they can contribute (in the long term) to a desirable stable international environment in which the risks of cyberconflict are low. Additionally, the efforts and contribution of a state to their success can contribute to the overall status of a country in international relations. Notably, soft power can help in negotiations for the development and implementation of the CBMs themselves by creating trust in the state as a reliable negotiating partner and a role model for cybersecurity issues.

X2 shows that having a knowledge-based economy and most critical infrastructure connected to ICT leads to the dependency of economic and social welfare on ICT. Consequently, a state needs to maintain a stable and secure ICT environment. This outcome contributes to the incentive of actively engaging in CBMs. Therefore, this study expects that X2 is part of the necessary condition of X to counter T by means of X. Furthermore, the study expects that a large-scale cyber-attack creates a level of awareness within governments (X3) to see the urge to act upon cybersecurity by, for example, the engagement in cyber CBMs. Together with X1 and X2, X3 creates the incentive to be an international frontrunner on cyber diplomacy and engage in CBMs actively. The study, therefore, expects that X is a necessary condition. The study assumes that V is a necessary condition: without the successful use of CBMs in the past, CBMs would not have built a reputation of being a useful policy instrument to counter risks. The case study aims to examine the mechanism and reveal how and to what extent X1, X2 and X3 are related to each other. The next section discusses the case selection in more detail.

3.3 Case Selection

When a process-tracing study proposes a new mechanism, a positive case scenario is chosen. Therefore, the study performs a within-case study of the Dutch engagement in the development and implementation of cyber CBMs within the global and regional context. This engagement concerns the United Nations (UN), specifically the Group of Governmental Experts on advancing responsible state behavior in cyberspace (UN GGE), and the Organisation for Security and Co-Operation in Europe (OSCE). The Netherlands is a representative of small countries that are developed in ICT. Another argument for this case study is the availability of sources. This study aims to have high-quality sources in order to acquire a full understanding of the policy intentions, motives and mechanisms behind the advocacy for CBMs in cyberspace. This goal is most feasible in the case of the Netherlands.

For the scope of the study, the case study focusses on the timeframe between 2010 and 2019. The beginning of this frame stems from the 2010 GGE report, which first mentions a recommendation for the development of CBMs. In the following 2013 and 2015 reports, the GGE recommended several voluntary CBMs. In 2012, the Permanent Council of the OSCE decided to establish an informal working group for the development of CBMs to ‘reduce the risks of misperception, escalation, and conflict that may stem from the use of ICTs’. The adoption of eleven CBMs in 2013 and five additional CBMs in 2016 followed. Furthermore, the start of the period corresponds with the first serious appearance of cybersecurity on the Dutch policy agenda (GOVCERT.NL 2010). Between 2010 and 2019, the Netherlands actively participated in and advocated the use of cyber CBMs in both the UN and OSCE processes.

The OSCE and UN are both examples of institutions in which the Netherlands participated and successfully reached consensus on sets of CBMs. The CBMs in both institutions rely on computer emergency response teams (CERT) for the dissemination of both threat and security information (Borghard and Lonergan, p.21). The processes differ from each other in the level on which the negotiations take place. Within the UN, a global institution, the negotiations take place in an expert-level group, and in the OSCE, a regional organization, in an informal open-ended working group. Although the OSCE is a regionally oriented organization, it should be noted that the 57 member states originate from not only Europe but also Central Asia and North America. Both institutions are considered multilateral institutions. However, given the differences in negotiation and the fact that the UN and OSCE are different platforms for global and regional cooperation, this study might reveal divergent motivations and mechanisms that have not yet been studied or have been overlooked in earlier literature. The outcome of this research can lead to an improved theory applicable to the field of confidence-building measures within the cyber domain.

3.4 Collection of empirical data

More than in other research designs, the quality of the analysis highly depends on the quality and trustworthiness of the empirical sources (Blatter and Haverland 2012, p. 105). When using a triangulation of methods, investigations can be more profound and relations can be studied more in-depth without losing their context (Swanborn 2010). Therefore, multiple sources are used. The study conducted a desk study of academic literature, conferences, newspaper articles (in Lexis Nexis), the official websites of governments (government.nl/zoek.officielebekendmakingen.nl) and global/regional organizations with publicly available reports and press releases. The academic literature is used predominantly to gain background knowledge and factual content, while the analysis of official documents and conferences serves as input for the analysis of the case study itself.

For the analysis of the regional initiatives, the study analyzed the three main cyber-related Permanent Council Decisions: No. 1039, No. 1106 and No. 1202 (OSCE 2012; 2013b.; 2016). For background and additional information on regional CBMs, the study consulted the OSCE Guide on Non-military Confidence-Building Measures (OSCE 2013), the Helsinki Final Act (OSCE 1975) and the Vienna Document (OSCE 2011). As relatively few minutes or reports on the OSCE Informal Working Group exist, one of the permanent representatives was interviewed in addition to the involved visiting Dutch diplomats. Evidence for the initiatives at the global UN level was collected by analyzing the UN GGE resolutions and reports, the Agenda for Disarmament and its implementation plan, the annual reports of the Secretary-General, the national views submitted, the OEWG resolution, the letters of the chair and comments by the Member States. As the GGE meetings are closed expert meetings, the study interviewed one of the experts to gain a better understanding of the Dutch conduct herein.

For the overall engagement of the Netherlands in CBMs, related evidence was collected from official government documents. In the search on government websites and archives, the following keywords were used to find relevant data: cyber, confidence-building measures, digital domain and ICT. The final selected documents consist of 61 publications of the Ministry of Foreign Affairs, Ministry of the Interior and Kingdom Relations (including AIVD), Ministry of Economic Affairs and Climate Policy, Ministry of Justice and Security (including the NCTV and NCSC) and the Ministry of Defence (including the MIVD). In addition, 30 speeches delivered by the Ministries mentioned above at various international platforms, for example the Münchner Sicherheitskonferenz and Parliamentary Assemblies of NATO, were analyzed. As the Netherlands also acts as part of the European Union and NATO, eleven EU documents and the communiqués of five NATO summits are taken into account. The exhaustive list of analyzed policy documents can be found in the Policy Documents list (References page 53).

Furthermore, several individual semi-structured interviews were held to fill in potential gaps in the desk study, to provide an in-depth understanding of the dynamics in the case study and to create the ability to discuss content that is not publicly available (Gall et al., 1996). The interviews were held in a semi-structured design in order to maintain control over the interview, asking specific questions and, at the same time, allowing input and ideas toward the implementation of confidence-building measures (Longhurst, 2003, p.105). The selected interviewees have different backgrounds and represent different views, knowledge and opinions on the proposed case studies. They vary from a diplomatic, academic, military and national security perspective to maximize the general representativity of the interview data. In order to understand the bigger picture and collect differing and new perceptions, multiple meetings, conferences and consultations were attended. The author attended multiple bilateral meetings and conferences such as the One Conference, the UK-NL North Sea Neighbors Conference and an International Law in Cyberspace consultation. These are pre-eminently places to gather cybersecurity expertise and bring together the bounded community working on this topic (Shires 2018, p. 38). Finally, the author followed the online Cyber Diplomacy course of UNODA and the OSCE UNODA Scholarship on Peace and Security to gain a better understanding of confidence-building measures and the position of cybersecurity within disarmament affairs.

3.5 Data analysis

The study transcribes the collected data and codes it into conceptual categories and themes. This is done by open coding in which the researcher reads the transcripts thoroughly in order to find categories and identify recurring codes (Corbin and Strauss 2014, p.87). The coding framework derived from the open coding is used for semi-open coding, in which the researcher rereads the transcripts and labels the codes. This is done with the help of the software program ATLAS.ti and Microsoft Excel. To not lose track of the process as a whole, process-tracing is used for further analysis.

Process-tracing assesses the strengths and weaknesses of every piece of empirical material by conducting four tests to determine the content, accuracy and probability. If evidence passes a test, it provides the researcher with a level of certainty or uniqueness to confirm or disconfirm the hypothesized mechanism. Cumulation of evidence can make the confirmation more trustworthy (Beach & Pedersen 2013, p.125). To reduce biases, process-tracing also looks for evidence for rival hypotheses. In order to understand and test the mechanism proposed in Figure 2, each part of the mechanism should be examined separately (Beach & Pedersen 2019). Table 1 shows each part of the configuration and the expected observations that might operate as evidence.


Table 1. Operationalization Causal Mechanism Small State Engagement in Cyber CBMs

Each row lists the configuration part, the expected observations and the type of evidence.

X1A: Promotion of Values, Culture and Policies
Expected observations: Expect to see specific socio-political values.
Type of evidence: Measured using account evidence from interviews with diplomats, policy workers and experts, and also retrieved from government records such as national strategies and speeches.

X1B: Lack of Military and Economic resources
Expected observations: Expect to see the state is classified as a small or medium size in data regarding territory, population, economic and military resources; high import/export numbers. Significant reference to the importance hereof in official government documents and expert warnings.
Type of evidence: Measured using pattern evidence retrieved from statistical data from well-known international research organizations; account evidence is used from interviews with diplomats, policy workers and experts, and also retrieved from documents produced by the ministries such as national (cyber) security and defense strategies, speeches and annual threat trend reports.

X1C: Use of Soft Power/Multilateralism
Expected observations: Expect to see membership of multiple organisations and alliances including the UN, OSCE, EU and NATO, and frequent referencing to the membership and its efforts by engagement in (cyber) diplomacy activities such as e.g. presence in expert and working groups.
Type of evidence: Measured using trace and account evidence from official membership records and minutes of multilateral organisations and government strategies and speeches; trace evidence from reports and strategies of the Ministry of Foreign Affairs; reports from advisory committees and account evidence with diplomats and UN and OSCE records/minutes.

X2A: State is highly developed in ICT and has a knowledge-based economy
Expected observations: Expect to see the economy of a state mostly relying on information and communication services rather than agriculture and raw industry.
Type of evidence: Measured using pattern evidence from statistical data on development and level of maturity e.g. ITU Account.

X2B: State is dependent on ICT
Expected observations: Expect to see the disappearance of analog fallback options for services that are vital to society; economy relying on ICT.
Type of evidence: Measured using pattern evidence from statistical data; trace and account evidence from annual threat reports and expert interviews.

X2C: The need for a stable and secure ICT environment
Expected observations: Expect to see expressed concerns and needs to act upon cybersecurity.
Type of evidence: Measured using trace and account evidence from annual threat reports and expert interviews.

X3A: The state suffered large scale cyber attack
Expected observations: Expect to see a breach or intrusion taken place that either manipulates, damages or compromises vital processes to the functioning of a state.
Type of evidence: Measured using sequence evidence from official government statements and newspapers.

X3B: Vulnerabilities are exposed
Expected observations: Expect to see expressed concern about these vulnerabilities.
Type of evidence: Measured using trace and account evidence from annual threat reports, expert warnings and external reports.

X3C: Awareness and concerns
Expected observations: Expect to see increased engagement in cybersecurity and cyberdiplomacy; explicit statements on actions to be taken.
Type of evidence: Measured using trace and account evidence from governmental records such as national (cyber) security and defence strategies, speeches and interviews with diplomats and experts.


4. Notable Events and Publications

4.1 Timeline

This chapter extensively describes the notable events and publications that influenced the motives and cyber policy choices of the Netherlands between 2010 and 2019. First, a timeline presents an overview of relevant events and publications. The events and publications mentioned in the timeline are selected based on the frequency of appearance in policy documents, speeches and interviews. Secondly, the analysis explains the developments in chronological order as they are interrelated and follow each other. At the beginning of the section, the events and publications mainly concern general cybersecurity policies, whereas later on, the developments naturally narrow towards an international cyber policy approach. This transition corresponds with the focus of the policy documents, which eventually became self-contained policy documents on international cyber policy. At the beginning of the analyzed period, defense and security agencies were the ones addressing cybersecurity issues. The Ministry of Foreign Affairs primarily focused on urging the protection of internet freedom and freedom of expression. From approximately 2015, cyber became the topic of specialized working groups within different ministries.5

The timeline in Figure 3 gives an overview of the significant events and publications that influenced the engagement of the Netherlands. The timeline was updated and adjusted during evidence collection and analysis. Level 1 presents events, both international and national, that presumably influenced the cybersecurity governance trends in the Netherlands. Level 2 represents the developments within the EU and NATO. These are taken into account, as the Netherlands generally acts through its membership of the European Union and the NATO alliance, and these policies interact significantly. Below, level 3 presents official Netherlands government publications concerning cybersecurity governance and cyber diplomacy. Level 4 presents developments within the context of the UN and OSCE. These events are presented in chapter 6. The timeline in its original size can be found in Appendix 3.

Figure 3. Timeline relevant events and publications between 2010-2019

5 Including the Taskforce Cyber in the security department of the Ministry of Foreign Affairs, which is currently responsible


4.2 Shaping Cyber Security Governance (2010-2014)

Many speeches and threat assessments in the year 2010 remark on the changes the world was confronted with at the time. The global financial crisis in 2007 and 2008 and the European debt crisis that was ongoing at that moment caused economic changes. Governments worldwide were forced to make substantial cutbacks. Moreover, the Dutch government made significant budget cuts on national defense costs. Documents also address a decrease in public trust in the government. The developments revealed the interdependency of states and the level of globalization in the world, and a growing sentiment among the public to focus on local and national issues first. Gaining back the support of the people for security operations became an objective for the government (Speech MinDef 2010). The rise of new powers, especially China, and new threats on the horizon announced extensive geopolitical changes.

The National Trend Report Cybercrime and Digital Security is one of the first government reports to establish a national framework for the approach towards cybercrime and digital safety (GOVCERT.NL 2010). The report is a joint initiative by GOVCERT.NL (the former Dutch national computer emergency response team), the intelligence services, law enforcement, the NCTV, and the national telecommunication authority. At the beginning of 2011, the government adopted the first National Cyber Security Strategy (NCSS). The main intention of the strategy was to have a more coherent approach to cybersecurity activities. It focusses on the formulation of a multi-stakeholder model and generating competent ICT professionals (MinJS 2011). As part of the strategy, the Cyber Security Council (CSR) was established as an advisory body. The CSR is mandated to make recommendations on cybersecurity incidents and monitor the implementation of the NCSS (MinIKR 2011, MinFA 2013a). The CSR consists of independent representatives from the public and private sectors and academia. The CSR covers the broad scope of digital security, including fundamental rights.

In September 2011, the government revealed that the company DigiNotar was compromised. DigiNotar issued SSL certificates for the government, also known as PKI-Overheid certificates. These certificates are comparable to a verified stamp on a letter: a digital stamp ensuring that digital communication is authentic. Due to the security breach, the authenticity of the certificates could no longer be trusted. With false certificates in circulation, internet traffic with DigiNotar certificates could no longer be relied upon. Considerably more than 500 false certificates were spread in the summer before the announcement (de Vries, 2011). Consequently, the government was compelled to revoke trust in all certificates, and DigiNotar went bankrupt a year later (NU 2011).

The letter to parliament on the digital burglary DigiNotar (2012) confirms the severity of this event. The breach had large consequences, as the certificates of the Dutch government and other companies were integrated into a comprehensive system, with much business and communication depending on the certificates. One of the main critiques of this event was the suspected lack of oversight by the government, which followed from a concerning letter to parliament that went public months after the company was compromised. Consequently, the compromise of DigiNotar is considered a great wake-up call for the Netherlands to strengthen its cybersecurity efforts. Although the government already decided at the beginning of 2011 to work towards one ICT security organization, it increased efforts to establish a national authority after this event. If the Netherlands had not experienced the DigiNotar attack, fewer officials would have been aware of the urgency of the situation. Therefore, the policy letter provides evidence that corresponds with X3 of the proposed mechanism in the research framework, which suggests that ‘a large-scale incident exposing vulnerabilities and consequently creating awareness and concern to act upon’ is a necessary condition. However, it should be noted that the awareness was not equally spread throughout the government but mainly stayed within the intelligence agencies and security department.

In answer to the need for a centralized oversight institution, the Ministry of Security and Justice opened the National Cyber Security Centre under its authority on 12 January 2012, to become ‘the center of expertise for cybersecurity and the management of cybersecurity incidents’. GOVCERT.NL, which dealt with the DigiNotar case, was incorporated in the new NCSC. The mandate of the NCSC is to improve ‘the understanding of developments, threats, and trends’ (MinJS, 2013a). The center is the primary contact point for cyber incident handling and crisis management. The tasks of the NCSS cross not only national borders but also traditional divisions between governmental services. Hence, the NCSC declared to focus on close cooperation between different ministries (Speech MinJS, 2013). In addition, the NCSC aimed to cooperate closely with the private sector, especially with partners from vital sectors such as energy, transport, telecoms and ICT (Speech MinJS, 2012).

In multiple reports and speeches from 2010 and 2011, the government urges the need to reform multilateral institutions and adjust international cooperation to the 21st-century challenges (MinFA 2011, p. 2; MinDef 2010). The International Security Strategy 2013 (ISS 2013) confirms the concerns over the changing geopolitical security landscapes and the emergence of new threats. It states that ‘internal and external security can no longer be easily distinguished from each other’ (MinFA 2013a, p. 2). In line with earlier speeches, the government expresses its worry about the multilateral system not adapting to the changing security environment. Meanwhile, this system is essential to the health of the Netherlands (MinFA 2013a, p. 8). This confirms the presence of X1A and X1B, precisely the intention to promote the awareness of 21st-century challenges and creating a strategic framework to counter international security threats and on how to promote the national views within the international security community.

To address the implications and needs of the changing international security climate, the ISS 2013 stressed an integrated approach and the inclusion of the private sector. The ISS distinguishes three main pillars of interest: defence of own and our allies’ territory, an effective international legal order, and economic security. It stresses the importance of NATO as its alliance partner but also points out that the defence gap between Europe and the US is growing, while China and Russia seem to keep up (MinFA 2013a, p.5). In terms of the development of standards and regulation for cybersecurity, the ISS claims
