From Embers to Fires: From Cybersecurity to Cyber-Resilience

Academic year: 2021
Master thesis – Stef Breuer – 2095203 – March 3rd, 2019

Supervisor: Els de Busser – Second reader: Sergei Boeke


Foreword

Dear reader,

In front of you, you find the final version of my master thesis for Crisis and Security Management. For starters, I would like to pay tribute to my thesis supervisor for her advice and time, to my second reader for his help, and to my friends and family for their unconditional support. Thank you all very much.

This second paragraph, however, is devoted to the title of this thesis: ‘From Embers To Fires, From Cybersecurity To Cyber-Resilience.’ This title contains a metaphor, wherein cyber incidents can be thought of as the ‘embers’ which, over the years, have manifested into complex and less controllable problems, here illustrated as ‘fires.’ In regard to the latter, embers signify the possibility for an actor to control the situation and act adequately, whereas the former, or fires, illustrates the loss of control and thus, consequently, requires flexibility and adaptability to this new situation. This metaphor suggests that cybersecurity measures are an adequate response in case of ‘embers,’ however, they lack the potential to extinguish ‘fires.’ Therefore cybersecurity measures are deemed insufficient to deal with more complex security issues. Cyber-resilience, on the other hand, is designed on the basis of flexibility and adaptability to deal with complex security issues, and thus has the ability to extinguish ‘fires.’

Either way, when acted upon too late, the result would be scorched earth. Scorched earth has the significant ability to, in time, sustain new life. If we consider these contemporary modern times as scorched earth, however, then it enables us to use this fertile ground to re-consider our security strategies, in the hope that this ‘fire’ will not happen again. In that sense I hope that this thesis depicts the scorched earth phase that we are in now, and provides a possible answer to how to deal with this fertile ground in order to be more secure in the future. Hence this thesis aims to propose food for thought in this regard.

I hope you enjoy reading this thesis. Sincerely,


Table of contents

Reading Guide ... 5

Chapter 1 ... 7

Introduction ... 7

1.1 The cyber domain in ambiguity ... 7

1.2 Issues that become cyber threats ... 7

1.3 From cyber threats to actual cyber-attacks ... 8

1.5 Research question and sub-questions ... 9

1.6 Academic relevance ... 10

1.7 Societal relevance ... 11

Chapter 2 ... 12

Body of knowledge ... 12

2.1 Security, cybersecurity, and converged interests ... 12

2.2 From interests to exploitation ... 12

2.3 National security and critical infrastructure ... 13

2.4 Resilience in perspective ... 15

Chapter 3 ... 17

Theoretical Framework ... 17

3.1 Motivational grounds ... 17

3.1.1 Starting remarks ... 20

3.1.2 Fitting the theory ... 20

3.1.3 Difference between cybersecurity and cyber-resilience ... 20

3.2 The seven steps for institutional survival ... 21

3.3 Testing the theory ... 23

Methodology ... 25

4.1 Justification of research design ... 25

4.2 Logic of case selection ... 26

4.3 Measurement of key variables ... 26

4.3.1 Variables and indicators ... 27

4.4.1 Data characteristics ... 28

4.4.3 Timeframe ... 29

4.5.1 Content analysis ... 29

4.5.2 Unit of analysis ... 30

4.5.3 Codebook ... 30

Chapter 5 ... 32

Limitations ... 32

5.1 Internal validity ... 32

5.2 External validity ... 33

Chapter 6 ... 34

Threat representation: A government’s perspective ... 34

6.2 Increased state actor interest in critical infrastructures ... 35

6.3 Threat development for critical infrastructures ... 36

6.4 Taxonomy of exploitable vulnerabilities ... 37

6.4.1 Systems ... 37

6.4.2 Information ... 39

6.4.3 Networks ... 42

6.5 Sub-conclusion ... 45

Chapter 7 ... 47

Actor involvement: How cyber-incidents tend to unify ... 47

7.1 Introduction ... 47

7.2 Common ground principles: Detection, Prevention, Response ... 48

7.3 Attribution issue ... 49

7.3.1 False flag operation ... 50

7.4 Emerged collaborations ... 50

7.4.1 National Cybersecurity Centre ... 50

7.4.2 GOVCERT.NL ... 51

7.4.3 National Detection Network ... 51

7.4.4 General intelligence- and security service (AIVD)... 51

7.4.5 Military intelligence- and security service (MIVD) ... 51

7.4.6 DefCERT ... 52


7.4.8 Cyber Analysis Team-5 (CAT-5) ... 52

7.4.9 Information Sharing and Analysis Centres (ISAC) ... 52

7.4.10 Private actors ... 53

7.4.11 Cybersecurity Council Netherlands ... 53

7.4.12 National Cybersecurity Agenda ... 53

7.4.13 Dutch Cybersecurity Alliance ... 53

7.5 Sub-conclusion ... 53

Chapter 8 ... 55

Pinpointing the differences in perspective ... 55

8.1 Introduction ... 55

8.2 Cybersecurity as cornerstone for strategy ... 55

8.2.1 The government’s perspective on cybersecurity ... 56

8.2.2 Conklin and Shoemaker’s perspective on cybersecurity ... 56

8.2.3 Differences in perspective ... 57

8.3 Cyber-resilience assessed ... 59

8.3.1 The government’s perspective on cyber-resilience ... 59

8.3.2 Conklin and Shoemaker’s perspective on cyber-resilience ... 60

8.3.3 Differences in perspective ... 61

8.4 Sub-conclusion ... 64

Chapter 9 ... 65

Forging different perspectives into one ... 65

9.1 Introduction ... 65

9.2 Lessons learned ... 66

9.3 Foundation for a new conceptual model ... 71

9.4 Proposing a new conceptual model ... 72

Chapter 10 ... 79

Conclusion ... 79

10.1 General conclusion ... 79

10.2 Practical recommendations ... 83

Chapter 11 ... 84

Discussion ... 84

11.2 Findings in relation to current research ... 84

11.3 Limitations ... 85


Reading Guide

In the first chapter of this thesis, the introduction, the ambiguity and controversy shrouding the concept ‘cyber’ are clarified. Furthermore, this chapter presents the research question, sub-questions, academic relevance and societal relevance that guide the subsequent chapters of this research. The second chapter presents the body of knowledge, which contains a literature study wherein the relationship between cyber and security is depicted, especially in regard to critical infrastructures in the Netherlands. Chapter three describes the theory that has been tested in this thesis, specifically the theory of Conklin and Shoemaker (2017) on cyber-resilience, titled Seven Steps for Institutional Survival. In chapter four, the methodology is discussed. Thereafter, in chapter five, the limitations of the research design are identified.

The chapters up to and including chapter five describe the research design, whereas the subsequent chapters embody the results of the research, starting with chapter six. This chapter addresses the government’s threat perception in regard to critical infrastructures. Furthermore, in chapter seven, actors in the cyber-resilience landscape are identified, as are the motivational grounds on which these actors collaborate. Chapter eight pinpoints the differences between the academic perspective on cyber-resilience and the government’s perspective. Subsequently, in chapter nine, a new conceptual model is proposed for the government. This model fuses the notions of cybersecurity and cyber-resilience from the government’s perspective into the theoretical framework of Conklin and Shoemaker. The following chapter, chapter ten, provides the general conclusion and recommendations and, lastly, chapter eleven embodies the discussion.


Chapter 1

Introduction

In the world as it is today, the word ‘cyber’ has become an inescapable part of human existence. Its branches are widely dispersed among societies and state actors, continuously driving technological developments and discourses. This chapter delineates only a fragment of its ambiguity. The aim is to depict not only its significance, but also its effect on security discourses. Hence this chapter describes some of the vital aspects of ‘cyber’ alongside the discourses that have emerged and three famous events. Thereafter the goal and contributions of this thesis, which form its backbone, are presented.

1.1 The cyber domain in ambiguity

As far as human ingenuity goes, the cyber domain is perhaps the most ambiguous and controversial of them all. On one hand, this entirely man-made ‘digital’ realm enables humanity to drive all sorts of technological innovations, built on the backbone of vast connectivity between systems, devices, and services (Chao Hu et al., 2015). This connection of networks (AMS-IX, n.d.) has allowed societies to (re-)shape overall experiences and demands for comfort (Picot and Wernick, 2007, p. 660), inevitably affecting economic and political forces and conditions (Myriam Dunn Cavelty, 2014). In that sense, the cyber domain has evolved into a technological ecosystem (Myriam Dunn Cavelty, 2013) wherein whole sectors, such as health care, automotive, and agriculture, are continuously subject to change (Chao Hu et al., 2015; Picot and Wernick, 2007, p. 660-661). Yet, on the other hand, the cyber domain is characterised by controversy, as it tends to be shrouded in anarchy: a realm where no actor can dictate its laws to the others (Myriam Dunn Cavelty, 2013). This signifies its ambiguous and controversial character.

1.2 Issues that become cyber threats

That ambiguity is almost inherent to the cyber domain becomes partially evident by delineating some of the issues that adhere to its security, especially to cybersecurity. In that regard, computer viruses, cybercrime, and hybrid warfare are just some of the issues that have enjoyed increased attention in policy discourses over the years (Myriam Dunn Cavelty, 2013). These issues have, each in their own significant way, manifested into cyber threats. That is, threats that pose a substantial threat to modern ways of life because they appear to be inexhaustibly conceived in the cyber domain (Myriam Dunn Cavelty, 2014). Furthermore, these issues have turned into threats in the sense that their potential has manifested to such an extent that cyber threats are able to disrupt critical infrastructures, harm economic interests, and endanger public values (Myriam Dunn Cavelty, 2014). Therefore cyber threats tend to be interconnected with topics such as strategic importance, (state) power, control, order, and sovereignty (Myriam Dunn Cavelty, 2013). In that regard it is argued that cyber threats are considered the most substantial threats to national security (AIVD, 2018; Myriam Dunn Cavelty, 2014), and the Netherlands is no exception (AIVD, 2018).

1.3 From cyber threats to actual cyber-attacks

The strategic importance of the cyber domain tends to become evident in the manifestation of cyber threats as actual cyber-attacks. The three most notorious cyber-attacks hitherto are illustrated in this section. They encompass: Estonia (2007), Stuxnet (2010), and NotPetya (2017) (Greenberg, 2018; Kaplan, 2016, p. 162; 163; Zetter, 2014, p. 5; 380-383). Respectively, Estonia has been the victim of a state actor initiated cyber-attack that affected the whole country. The attack was conducted as a result of a dispute regarding the removal of a Cold War Soviet memorial statue (Bright, 2007; Kaplan, 2016, p. 162; 163; Schmidt, 2013). This cyber-attack was directed at Estonia’s digital infrastructure and resulted in the paralysation of public and financial services, consequently making them unavailable to the public for three weeks (Ashmore, 2009; Kaplan, 2016, p. 162; 163; Schmidt, 2013). Furthermore, Stuxnet, which is maybe the most notorious cyber-attack of them all, entails the collaborative (successful) effort of the United States and Israel in constructing the world’s first known cyber weapon. It owes its reputation to its sabotaging intent by design, which was specifically aimed at disrupting Iran’s nuclear production (Zetter, 2014, p. 5; 380-383). As for the most recent cyber-attack, NotPetya (2017), this cyber-attack on a Ukrainian accounting firm consequently affected organisations on a global scale. These organisations were, in one way or another, connected to that Ukrainian accounting firm, which therefore allowed for the disruption of their services (Greenberg, 2018). Nevertheless, as far as these examples go, they tend to show that state actors are not reluctant to use cyber-attacks as a means to serve a variety of goals and interests.


1.4 A shift in perspective

The preceding section depicted state actor capabilities as the prelude for conducting cyber-attacks. In that regard, some academics have come to the opinion that a determined actor will eventually get into a targeted system or network, regardless of the cybersecurity measures that are in place (Conklin and Shoemaker, 2017). When it comes to dealing with these kinds of threats, academics in the security field have shown an increasing interest in a rather new point of view (Conklin and Shoemaker, 2017; Myriam Dunn Cavelty, Kaufmann and Søby Kristensen, 2015; Peter, 2017). This point of view regards a combination of the concepts ‘cyber’ and ‘resilience,’ or ‘cyber-resilience.’ Resilience, in its most basic form, refers to the ability to (rapidly) recover from a disruptive event in order to return to the initial state or to a new, adjusted state. It therefore poses an approach for addressing unexpected events or continuously changing environments (Myriam Dunn Cavelty, Kaufmann and Søby Kristensen, 2015).

1.5 Research question and sub-questions

The threats that are conceived in the cyber domain are considered, by the Dutch domestic intelligence service at least, as the most substantial threat to national security (AIVD, 2018). This poses interesting questions, especially in regard to the protection of critical infrastructures and the government’s point of view on their cyber-resilience. Therefore the main question of this thesis is:

What is the perspective of the Dutch government on cyber-resilience for critical infrastructures?

Several important remarks are deemed necessary to address in advance in order to understand the adhering sub-questions. First of all, in this thesis the term government will solely refer to the Dutch administrative branch of the government that is ruled by the prime minister and the ministers. Therefore the Dutch government, in this sense, comprises the administration that is charged with the executive management of the country. The ministers are empowered, within the confinements of their specific jurisdiction, to take decisions individually or to agree upon the implementation of specific measures collectively (Deschouwer and Hooghe, 2005, p. 184-185). In that respect the administrative branch best suits the purpose of this thesis. With the latter taken into account, the sub-questions of this thesis are as follows:

2. How has the spectrum of involved state and non-state actors in the cyber-resilience landscape evolved over the years?

3. What differences in perspective can be identified between academia and the government in regard to cyber-resilience?

4. What lessons can be derived from the differences between the academic perspective on cyber-resilience and the government’s perspective?

It is imperative to understand, however, that the notion over the years – in any case – refers to the time period ranging from 2011 (the emergence of the Dutch cybersecurity strategy) to 2018, unless it is specifically noted otherwise. Additionally, threat representation should be interpreted as the accumulation of (a) the threat perception of the government, (b) the type of threat, and (c) the potential target. The last remark regards the sources that are referred to in this thesis. In this thesis, annual reports from multiple independent sources, i.e. semi-government organisations¹, have been consulted in order to substantiate arguments by depicting different perspectives. These semi-government organisations comprise the AIVD and the MIVD. Moreover, in some instances this thesis refers to the CSR (Cyber Security Raad Nederland), which is an independent public-private-academic collaboration. Similar to the references to the AIVD and the MIVD, reference to this source is also made with the aim of substantiating arguments in this thesis and therefore should not be regarded as the government’s perspective. Lastly, and most importantly, due to its coordinating role the NCTV is regarded as the only clear and direct representation of the government’s perspective. Therefore any reference to the NCTV should be interpreted as the government’s perspective.

1.6 Academic relevance

In regard to the cyber domain, the government tends to emphasise cybersecurity, whereas some of the current academic literature emphasises cyber-resilience. Although cyber-resilience is not an entirely uncommon area for the government (NCTV, 2011), it can be argued that lessons can continuously be derived from different perspectives, which, in this specific case, applies to the academic perspective. In that sense this thesis aims to fill the gap in knowledge by assessing what exactly the perspective of the Dutch government is on cyber-resilience for critical infrastructures and how this perception differs from the academic (theoretical) perspective. Hence this thesis contributes to the overall body of knowledge by testing the theory of Conklin and Shoemaker and proposes, as a result, food for thought for the government.

¹ In this thesis, semi-government organisations refers to the AIVD and the MIVD. This is due to the notion that these organisations are not directly part of the government. Nevertheless they are part of distinct ministries and therefore are regarded as semi-government organisations instead of the government itself.

1.7 Societal relevance

In the modern world, the cyber domain has become intertwined with everyday life in such a fashion that people and organisations have become largely dependent on it. This dependency especially applies to critical infrastructures (CI). This thesis aims to provide new insights for the government by introducing cyber-resilience as a valid concept for reducing potential dangers and risks to CI and thus to society.

Moreover, by assessing the government’s perspective on cyber-resilience a new societal debate might emerge wherein the approaches of cybersecurity and cyber-resilience are disputed, especially in light of the continuously changing landscape of cyberspace, where new threats tend to emerge on a continuous basis.

Thesis content

This thesis is organised as follows: The second chapter describes the body of knowledge. Herein notions of academic literature regarding security, cybersecurity, and cyber-resilience are delineated. Chapter three embodies the theoretical framework, specifically explicating the theory of Conklin and Shoemaker (2017): Seven steps for institutional survival (Conklin and Shoemaker, 2017). Chapter four encompasses the methodology. Chapter five entails the limitations of this thesis. Chapter six describes the threat representation of the government. Chapter seven identifies the actors and common interests in the cyber-resilience landscape. Chapter eight depicts the differences between the government’s and the academic perspective on cyber-resilience. Chapter nine comprises the ‘lessons learned’ section. Chapter ten embodies the overall conclusion of this thesis and, lastly, chapter eleven marks the end of this thesis by providing a discussion.


Chapter 2

Body of knowledge

Threats, incidents, security, and interests are all elements that influence one another, yet in this thesis they have one thing in common: they form the dynamics of the cyber domain. It is therefore important to first address the context in which these elements reside before continuing in detail into cyber-resilience. Hence this chapter delineates the changing notion of (national) security, critical infrastructures, and forms of cyber incidents, and describes some perspectives on (cyber-)resilience.

2.1 Security, cybersecurity, and converged interests

Security, nowadays, does not solely consist of reliability. This is due to the cyber component, which tends to coincide with notions such as detection, prevention, recovery, deterrence, and resilience. As a result, security not only tends to affect a vast array of distinct interests (Cardénas et al., 2009) but has, inevitably, also converged multiple interests over time. Some of these interests can be identified as national, military, commercial, and cultural interests (Hansen and Nissenbaum, 2009).

This convergence of interests, however, is characterised by complexity, especially when taking cybersecurity into account. Cybersecurity is the result of technological innovations and changing geopolitical conditions (Hansen and Nissenbaum, 2009) that, consequently, made it imperative to protect systems, networks, and information against damage and unauthorised access (Myriam Dunn Cavelty, 2013; Myriam Dunn Cavelty, 2014).

2.2 From interests to exploitation

The emergence and development of IT tend to influence the dynamic between reliability and security to such an extent that it has become subject to new vulnerabilities (Cardénas et al., 2009). For instance, unauthorised access can result in the exploitation of vulnerabilities in systems or networks, consequently resulting in the compromise of hardware and software. If the intruder has malicious intent, however, delay, disruption or destruction of processes, exfiltration of information, or the laying of a foundation for future cyber operations are potential consequences that have to be taken into account, depending on the goals, or interests, of the intruder. The interests for exploiting a system or network can range from (counter)intelligence, to competitive benefits, to influencing conflict situations (Buchanan, 2016, p. 77; Myriam Dunn Cavelty, 2014). Moreover, an intruder might also tamper with information that is stored in systems. This information is vulnerable to corruption, exploitation, destruction, theft, and modification, again depending on the interests of the intruder (Myriam Dunn Cavelty, 2014).

For a state actor it can be of strategic importance to exploit another state’s systems or networks. This is especially interesting in light of the notion that the targeted state seldom discovers the true intent of the exploitation, if the exploitation is noticed in the first place (Buchanan, 2016, p. 76). Aggravating the latter is an issue that is known as the attribution issue: the difficulty of determining who exactly was in the system, as state actors tend to hide behind plausible deniability. That is, a state actor might deny any involvement in an exploitation due to the lack of concrete evidence (Myriam Dunn Cavelty, 2013). Even if an actor detects unauthorised access of any kind, however, that access can still significantly harm the reliability of IT. Hence stressing the necessity for adequate security measures.

2.3 National security and critical infrastructure

It is not only due to the interests that are endangered that the cyber domain is regarded as threatening. The terminology that is used to define threats conveys a similar interpretation. In that regard it is argued that the man-made cyber domain has been made dangerous from the start, for instance due to the use of medical metaphors that tend to coincide with terms such as virus, infected computers, and the need for caution and protection (Hansen and Nissenbaum, 2009).

In that sense, the threats that adhere to the cyber domain have become more than ‘mere’ technical issues. Their influence on politics and economics – and vice versa – tends to signify the ambiguous and controversial character of the cyber domain and the substantial threat it poses to national security (Myriam Dunn Cavelty, 2014; Hansen and Nissenbaum, 2009). Moreover, the possibilities that emerged with the cyber domain also affect the reliability of security, which has become subject to unpredictability (Myriam Dunn Cavelty, 2013). The cyber domain, therefore, is regarded as a domain of conflict, one which appears to be more in favour of the attacker than of the defender. Hence it poses a continuous threat to national security and correlated interests (Hansen and Nissenbaum, 2009).

Nevertheless, the government became increasingly aware of the need for intensifying the national security strategy. This especially became apparent in the mid-90’s, when the effects on society of the destructive potential of an attack on, or failure of, critical infrastructure were considered (Myriam Dunn Cavelty, 2014). From the government’s perspective, a devastating effect on national security tends to occur when critical infrastructure is disrupted which, consequently, destabilises society (Department of Defence, 2015; NCTV, 2010). This would be in conflict with the state’s obligation towards society, that is, protecting its citizens from external threats (Department of Defence, 2015; NCTV, 2010; Van Zuijlen in Muller, 2004, p. 12-14; 23). Despite this obligation the government has chosen to privatise 80 per cent of its critical infrastructures in the time period 2004 to 2005 (Bulten et al., 2017), inevitably constituting a new substantial risk to national security, especially in regard to the potential impediment to integrating adequate security measures and standards against future (cyber) threats. In order to anticipate this risk, the government has obliged the providers of critical infrastructures to take care of their own responsibility, that is, to take responsibility for the continuity and resilience of their own processes and services (NCTV, 2016a).

Subsequently, in the years ranging from 2010 to 2016, another development took place in the Netherlands, which entails the division of critical infrastructures into twelve distinct sectors: (1) Energy; (2) Telecommunication/ ICT; (3) Drinking water; (4) Food; (5) Health care; (6) Finance; (7) Water management; (8) Public safety; (9) Law and order; (10) Public management; (11) Transport; and (12) Chemical and nuclear industry (NCTV, 2010). Around 2016, however, it became evident that there are insufficient resources to protect every sector to the same extent. This limited amount of resources therefore had to be allocated to the sectors that are the most vulnerable. As a result, the government made an even more profound distinction between sectors by sub-dividing them into critical processes. This resulted in the distinction between category A and category B processes, wherein category A processes are perceived to have a bigger disruptive potential on society, in case of system failure or breakdown, than category B processes (NCTV, 2016a).

As a result the government distinguished the remaining eleven sectors as follows: (1) Energy (A); (2) Drinking water (A); (3) Water (A); (4) Nuclear (A); (5) ICT/ Telecom (B); (6) Transport (B); (7) Chemical (B); (8) Finance (B); (9) Emergency response communication (B); (10) Digital governmental processes (B); and (11) Defence (B). Although these categories are assigned to each sector, it does not imply that the B processes are free of danger. A disruption or sabotage in any of these sectors or processes can still have a cascading effect on society with detrimental economic, physical or societal consequences (NCTV, 2018b).

The latter mentioned critical processes that adhere to each category encompass: (1) Energy: domestic transport and distribution; (2) Drinking water: drinking water utilities; (3) Water: managing water quantity; (4) Nuclear: storage, production, and processing of nuclear material; (5) ICT/ Telecom: internet and data services; (6) Transport: managing flight control; (7) Chemical: large scale production, processes of (petro-)chemical substances; (8) Finance: payment transactions; (9) Emergency response communication: emergency service communication; (10) Digital governmental processes: basic registration of people and organisations; (11) Defence: deployment of the military (NCTV, 2018b).

2.4 Resilience in perspective

It can be argued that, in light of the efficient and effective deployment of resources for security, resilience is required. Resilience, as a concept, is described by Myriam Dunn Cavelty, Kaufmann, and Søby Kristensen (2015) as: “A set of mechanisms that is applicable not only to technical systems, but also to individuals, as well as to society and has the aim to maintain survival, stability, and safety” (Myriam Dunn Cavelty, Kaufmann and Søby Kristensen, 2015, p. 4). These mechanisms comprise a set of response measures designed for a quick recovery in order to return to the initial state or to adjust to a new situation (Myriam Dunn Cavelty, Kaufmann and Søby Kristensen, 2015).

Herrington and Aldrich (2013) argue, however, that when resilience is put in the context of cyber it becomes subject to greater complexity, especially from the point of view where cyber threats are shrouded by unknown factors that, therefore, can best be anticipated with resilience rather than with security. Hence stressing the importance of resilience in the cyber domain (Herrington and Aldrich, 2013).

Aggravating the argument of Herrington and Aldrich on cyber-resilience is the government’s loss of ownership of CIs. This occurrence has made CIs subject to market influence and stresses the need for public-private partnerships. In that regard, the government has made itself vulnerable to the ‘willingness’ of private actors to help the government, for instance with identifying critical objects and processes and sharing information (Myriam Dunn Cavelty, 2014).


Chapter 3

Theoretical Framework

In order to assess the government’s perspective on cyber-resilience for critical infrastructures, this thesis distinguishes two perspectives on cyber-resilience. These entail the government’s perspective and Conklin and Shoemaker’s perspective. To that end this thesis tests Conklin and Shoemaker’s (2017) theory on Cyber-Resilience: Seven Steps for Institutional Survival (Conklin and Shoemaker, 2017). The main aim of this theory is to provide a security architecture that is designed to protect an organisation’s most critical assets during a cyber incident and therefore, consequently, act as a future deterrent (Conklin and Shoemaker, 2017). This chapter is organised as follows. First the motivation for choosing this theory is elaborated. Thereafter the theory itself is explicated and, lastly, it is described how the theory of Conklin and Shoemaker has been tested.

3.1 Motivational grounds

Motivation for choosing the theory of Conklin and Shoemaker over other theories resides in a couple of notions. The first notion comprises the fact that this theory is specifically designed for cyber-resilience. A clear distinction is made within the theory between cybersecurity and cyber-resilience; it therefore emphasises the differences between the two concepts. Moreover, the theory of Conklin and Shoemaker describes and defines seven distinct steps that are deemed necessary in order to become a cyber-resilient organisation. In that sense this theory explicates and dissects cyber-resilience into measurable and executable steps, yet also allows it to be applied to a variety of organisations. Measurable, in this regard, means that the steps can be measured against strategies and annual reports in a binary way at first, and more in-depth second. For instance, if a step is present in an annual report, the answer would be yes (binary), whereas the substantiation of the content provides an open answer to the how or why (not) (in-depth). This enables a valid assessment of the perception of the Dutch government regarding cyber-resilience for critical infrastructures in a coherent manner. Additionally it discards the need for compiling multiple theories or multiple definitions into one. In sum, the theory of Conklin and Shoemaker allows for the testing of the theory on annual reports in a coherent fashion and, therefore, enables the measurement and evaluation of the criteria, also in a coherent fashion.

It is imperative to emphasise, however, that the theory of Conklin and Shoemaker is directed at organisational cyber-resilience and thus does not address cyber-resilience in general. In this thesis, nevertheless, Conklin and Shoemaker's theory is tested on CI's in general. That is, the steps for cyber-resilience defined by Conklin and Shoemaker are quite specific, yet enjoy a certain level of abstraction: the seven steps themselves are specifically defined, whereas their content is left open. Hence a distinct actor or organisation can fill in the content of each step according to its own interests.

By applying the organisational perspective of Conklin and Shoemaker’s theory, however, this thesis produces learning experiences – that might be translated into substantial measures – out of its analysis that, subsequently, can be applied by each distinct ministry that is responsible for its own CI (NCTV, 2016a). Therefore Conklin and Shoemaker’s theory bears the potential to provide concrete learning experiences in contrast to other theories; that tend to be more abstract, or are solely applicable to a specific type of organisation.

In that regard, the current academic literature regarding cyber-resilience is minimal. Theories that can be found are either too abstract or too specific; the latter are not generalisable to CI at all, and the former do not apply to all CI. Herrington and Aldrich's (2013) theory, The Future of Cyber-Resilience in an Age of Global Complexity, is an example of an approach to cyber-resilience that can be interpreted as too abstract. In their theory they identify some of the complexities that shroud the concept of 'cyber.' In that regard they emphasise psychological factors, such as human anxieties about risks and threats of the unknown, which tend to coincide with cyber incidents. Nevertheless, their theory applies more to national security than to resilience. This implies not only that, in order to assess cyber-resilience with this theory, more schools of thought should be consulted, meaning more variables, but also that it maintains a level of abstraction (due to notions such as 'anxieties') that does not allow for the coherent or valid measurement of cyber-resilience as meant in this thesis (Herrington and Aldrich, 2013). Therefore it would miss the goal of this thesis.

On the other hand, however, theories can also be too specific. Zhu's (2018) theory regarding multi-layer cyber physical security resilience for smart grid is an example thereof. Although this theory enables the measurement of cyber-resilience for a specific CI, i.e. power grids, it does not cover the whole spectrum of CI's, so that its findings cannot be generalised to all CI's (Zhu, 2018). Theories that are too specific therefore tend to be inadequate in regard to the scope of this thesis.

Other theories, like that of DiMase, Collier, Heffner and Linkov (2015), who propose a system engineering framework for cyber physical security and resilience, also tend to be too specific. These authors distinguish cybersecurity from cyber-resilience only in the slightest way, so the framework lacks a clear definition of, or answer to, how to achieve cyber-resilience (DiMase, Collier, Heffner and Linkov, 2015). Theories that are too specific thus do not allow for a clear identification of measurable indicators for cyber-resilience.

The author who comes nearest to measurable cyber-resilience is Myriam Dunn Cavelty, especially in her theory Resilience and (in)security: Practices, subjects, temporalities. Yet this theory mainly concerns a general perspective on resilience and therefore refers to other theories in order to apply the cyber component to resilience (Myriam Dunn Cavelty, Kaufmann and Søby Kristensen, 2015). She specifically refers to Herrington and Aldrich's (2013) theory, The Future of Cyber-Resilience in an Age of Global Complexity (Herrington and Aldrich, 2013), for the cyber component.

In her own theory, however, the general perspective on resilience stresses that measures should be installed that are aimed at a quick recovery, either by returning to the initial state or by adjusting to a new situation, as the result of well-designed anticipation of a situation or event (Myriam Dunn Cavelty, Kaufmann and Søby Kristensen, 2015). This theory does provide a measurable definition of resilience, yet it lacks a substantial cyber component, which makes the definition too broad and, as a result, vulnerable to interpretation. Either way, this is why the theory does not fit the purpose of this thesis.

In conclusion, theories other than Conklin and Shoemaker's tend to be too abstract, too specific, or to lack the necessary cyber component to allow for valid measurement. The theory of Conklin and Shoemaker, by contrast, provides a clear and measurable definition of cyber-resilience that can be assessed in a coherent fashion and tested on different forms of organisation. It therefore suits the goal of this thesis best.

In a way, the government might benefit from the theory of Conklin and Shoemaker as new food for thought when it comes to the security of CI's. Their theory elevates the current approach from cybersecurity to cyber-resilience, which allows for a re-design of security architectures. Hence it not only allows for improvements to national security, but also contributes to the government's ambition of becoming the leading knowledge power of Europe in regard to cybersecurity (CSR, 2018).

3.1.1 Starting remarks

Two remarks should be noted before Conklin and Shoemaker's theory is elaborated further. These concern the fitting of the theory to the purposes of this thesis, and the theoretical difference between cybersecurity and cyber-resilience. Both are elaborated subsequently.

3.1.2 Fitting the theory

At the start of this chapter it was mentioned that the theory of Conklin and Shoemaker is primarily aimed at organisations, whereas this thesis is aimed at the government's perspective on cyber-resilience for critical infrastructures. A slight difference, one might argue; in the course of this chapter it will become apparent how the seven steps can be tested against the government's cyber-related measures and perspectives as proposed in its annual reports.

3.1.3 Difference between cybersecurity and cyber-resilience

Conklin and Shoemaker tend to stress the difference between cybersecurity and cyber-resilience, as they tend to get intertwined sometimes.

In that sense Conklin and Shoemaker (2017) argue that cybersecurity refers to the profound security design wherein (counter)measures are taken in order to protect ICT systems and networks against unauthorised access and the adequate response that coincides with it. It therefore aims to protect ICT systems and networks against exploitation from both internal and external threats by taking defensive measures (Conklin and Shoemaker, 2017).

Cyber-resilience, on the other hand, refers to the installation of a security architecture that is aimed at protecting an organisation's most critical assets during a successful security breach, thereby enabling the organisation to continue its operations, processes or services. These so-called 'assets' can be anything that is considered important, such as technologies, people, processes, and facilities. The security architecture itself comprises processes and controls that are translated into seven steps, elaborated below, which enable an organisation to adapt to changing conditions and to recover rapidly from a cyber incident (Conklin and Shoemaker, 2017).

3.2 The seven steps for institutional survival

As Conklin and Shoemaker argue in their theory, cyber-resilience is a single mission of an organisation encompassing overarching principles that embody a (a) profound coordination, (b) continuity management, and (c) incident response. These theoretical principles allow for the functioning of an organisation during a successful security breach. Conklin and Shoemaker translated these three principles into a security architecture that comprises of the following seven steps: Classify, Risk, Rank, Design/Deploy, Test, Recover, and Evolve (Conklin and Shoemaker, 2017).

1. Classify

The classification step is directed at establishing a coherent baseline for the things that require protection, i.e. assets. This step identifies all potential targets, which form the input for the subsequent steps (Conklin and Shoemaker, 2017). Some classification examples are: Hardware, Software, Devices, and Data (NIST, 2014)*.

2. Risk

This step encompasses a systematic risk assessment wherein all known threat scenarios are identified. The result is an understanding of all conceivable hazards that can threaten an asset or its environment. A detailed description of threats and hazards, which the theory refers to as attack surfaces, emerges and acts as a guide for supporting decision making and establishing situational awareness. In some cases the attack surfaces might overlap. The identified attack surfaces include: Natural disasters, Cyber incidents, Acts of terrorism, Sabotage, and Criminal activity (Conklin and Shoemaker, 2017).

* NIST (National Institute of Standards and Technology): NIST is an institution of the U.S. Department of Commerce. The reference to this source is due to NISTs’ ownership of some of the classifications that are referred to in this thesis (NIST, 2017).


3. Rank

The ranking step entails the selection and evaluation of organisational resources in order to identify the critical assets. These assets are selected against criteria such as organisational purpose, values, mission, and vision. As a result, the organisation's resources are primarily directed at protecting critical assets according to a ranking scheme, and the remaining resources are allocated to the protection of the remaining assets. Additionally, the ranking process entails assigning relevant stakeholders to each critical asset and identifying the necessary protection requirements. A ranking process can entail, for instance, electronic and behavioural controls via access links and assigning levels of confidentiality to individuals (Conklin and Shoemaker, 2017).

4. Design/ Deploy

The design/deploy step is a strategic governance process wherein specific security controls are designed and deployed in order to protect the stated mission, vision, and goals that, in turn, safeguard the critical assets. It therefore establishes specific objectives for the security controls. In order to ensure their effectiveness, the controls are analysed and assessed (Conklin and Shoemaker, 2017). The security controls comprise the following control families: (1) Risk Assessment; (2) Certification, Accreditation and Security Assessments; (3) System Services and Acquisition; (4) Security Planning; (5) Configuration Management; (6) System and Communications Protection; (7) Personnel Security; (8) Awareness and Training; (9) Physical and Environmental Protection; (10) Media Protection; (11) Contingency Planning; (12) System and Information Integrity; (13) Incident Response; (14) Identification and Authentication; (15) Access Control; and (16) Accountability and Audit (NIST, 2016a).

5. Test

The test step concerns planning and oversight with the aim of assuring resilience. It tests the security controls against their assigned goals (Conklin and Shoemaker, 2017). This encompasses assessing the security protocols and procedures in order to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements (NIST, 2016b).


6. Recover

The recover step entails a continuity plan wherein actions and responsibilities are described in the event of a security breach. Its aim is to continue the critical process or service. An important part of the recovery plan is the mitigation process: the mitigation of the impact of a disruptive event, which is imperative to continue a process or service. The step therefore establishes a well-defined plan for every critical asset and a lessons-learned section for establishing future strategies. At the operational level the step comprises plans for identifying, analysing, responding to, escalating, and learning from all adverse incidents, as well as well-defined processes for assigning roles and responsibilities and for managing and tracking resolutions (Conklin and Shoemaker, 2017).

7. Evolve

The evolve step regards the adjustment of the initial cyber-resilience architecture based on lessons learned. These lessons learned comprise of the identification of measurable resilience improvements and the subsequent analyses of its effectiveness. This results in the identification and deployment of processes and technology responses. Lessons learned typically involve objectively evaluating the performance of deployed process against plans, objectives, standards, and procedures, as well as the outcomes of organisational innovation and deployment process (Conklin and Shoemaker, 2017).
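To make the chaining of the seven steps concrete, the following Python example (added here; it is not code from Conklin and Shoemaker or from this thesis) models a constructed asset inventory and checks, for each asset ranked as critical, which of the later steps has not yet been completed. The asset names, the mission-impact scale, the threshold for 'critical', and the choice of six control families that a critical asset must at least carry are assumptions of the example; the 16 family names are those listed under step 4.

```python
"""Added example: a constructed asset inventory run through the seven steps
(Classify, Risk, Rank, Design/Deploy, Test, Recover, Evolve) as a gap check.
Not code from Conklin and Shoemaker or from the thesis."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# The 16 control families named under step 4 (NIST, 2016a), numbered as in the text.
CONTROL_FAMILIES = {
    1: "Risk Assessment",
    2: "Certification, Accreditation and Security Assessments",
    3: "System Services and Acquisition",
    4: "Security Planning",
    5: "Configuration Management",
    6: "System and Communications Protection",
    7: "Personnel Security",
    8: "Awareness and Training",
    9: "Physical and Environmental Protection",
    10: "Media Protection",
    11: "Contingency Planning",
    12: "System and Information Integrity",
    13: "Incident Response",
    14: "Identification and Authentication",
    15: "Access Control",
    16: "Accountability and Audit",
}

# Assumption of this example: the families a critical asset must carry at minimum.
REQUIRED_FOR_CRITICAL = {1, 11, 13, 14, 15, 16}


@dataclass
class Asset:
    name: str
    category: str                      # step 1 Classify: Hardware, Software, Devices, Data
    mission_impact: int                # step 3 Rank input: 1 (low) to 5 (loss halts a critical process)
    threats: Set[str] = field(default_factory=set)   # step 2 Risk: identified attack surfaces
    owner: Optional[str] = None                      # step 3 Rank: accountable stakeholder
    controls: Set[int] = field(default_factory=set)  # step 4 Design/Deploy: family numbers deployed
    tested: Set[int] = field(default_factory=set)    # step 5 Test: families with a passed test
    recovery_plan: bool = False                      # step 6 Recover: continuity plan exists
    lessons_learned: List[str] = field(default_factory=list)  # step 7 Evolve


def rank(assets, critical_threshold=4):
    """Step 3: order by mission impact, then by number of known threats, and split
    the inventory into critical and remaining assets."""
    ordered = sorted(assets, key=lambda a: (a.mission_impact, len(a.threats)), reverse=True)
    critical = [a for a in ordered if a.mission_impact >= critical_threshold]
    remaining = [a for a in ordered if a.mission_impact < critical_threshold]
    return critical, remaining


def gaps(asset):
    """Steps 2 to 6 applied to one critical asset: what is still missing."""
    out = []
    if not asset.threats:
        out.append("no threat scenario identified")
    if asset.owner is None:
        out.append("no stakeholder assigned")
    missing = REQUIRED_FOR_CRITICAL - asset.controls
    if missing:
        out.append("missing controls: " + ", ".join(CONTROL_FAMILIES[i] for i in sorted(missing)))
    untested = asset.controls - asset.tested
    if untested:
        out.append("untested controls: " + ", ".join(CONTROL_FAMILIES[i] for i in sorted(untested)))
    if not asset.recovery_plan:
        out.append("no recovery plan")
    return out


def resilience_report(assets):
    """Gap list per critical asset; an empty list means the asset is covered."""
    critical, _ = rank(assets)
    return {a.name: gaps(a) for a in critical}


# Constructed sample inventory, not real data.
SAMPLE = [
    Asset("SCADA historian", "Data", 5, {"Cyber incidents", "Sabotage"}, "OT team",
          controls={1, 5, 11, 13, 14, 15, 16}, tested={1, 5, 11, 13, 14, 15, 16},
          recovery_plan=True),
    Asset("Substation RTU", "Devices", 5, {"Cyber incidents", "Natural disasters"}, "Grid ops",
          controls={1, 13, 15}, tested={1}),
    Asset("HR portal", "Software", 2, {"Criminal activity"}, "IT",
          controls={14, 15}, tested={14, 15}),
]

if __name__ == "__main__":
    for name, found in resilience_report(SAMPLE).items():
        print(name, "->", found or ["covered"])
```

Running the script prints, per critical asset, the missing stakeholder, controls, tests or recovery plan, or 'covered'. The low-impact HR portal is ranked out of the critical set and does not appear in the report, which is the resource allocation the ranking step describes; the substation RTU surfaces three gaps because deployed controls that were never tested are counted separately from controls that were never deployed.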

3.3 Testing the theory

The recurrence of these steps and their indicators has been tested against government measures and policies, as described in the annual reports of the government institution NCTV, the semi-government institutions AIVD and MIVD, and the independent collaboration Cyber Security Raad Nederland. This enabled the assessment of whether or not the steps of Conklin and Shoemaker recurred in these documents. The result (i.e. the presence or absence of the seven steps in the documents) allowed for a distinction between perspectives substantiated from different angles: this singular academic perspective and the government's perspective on cyber-resilience. In addition, it allowed learning experiences to be derived from the theory in the interest of the Dutch government (Deschouwer and Hooghe, 2005, p. 184-185).

This thesis has tested the elements of each step by translating them into indicators and assessing whether or not, and to what extent, the Dutch government has applied these distinct steps. This made it possible to construe the perception of the Dutch government on cyber-resilience for critical infrastructures in comparison to the academic perspective, and to distinguish which parts of cyber-resilience can be attributed to the Dutch government and which to academia.

It is important to emphasise, however, that the theory of Conklin and Shoemaker is initially directed at organisations. It was nevertheless compatible with this thesis in the following sense. Cyber-resilience is regarded as the dependent variable, whereas the seven distinct steps represent the independent variables, which means that cyber-resilience is subject to the influence of the seven steps, or their indicators, as proposed by Conklin and Shoemaker. This allows for a differentiation in perspective regarding cyber-resilience for critical infrastructures, and thus for a distinction between the government's perspective and the academic perspective.


Chapter 4

Methodology

This chapter elaborates on the research design. Hence this chapter starts with the justification of the research design, followed by the logic of the case selection. Additionally, the key variables of this thesis have been identified and explicated. Subsequently the method of data collection and data characteristics are discussed, as well as the method of data analysis and the codebook.

4.1 Justification of research design

In order to answer the research question, What is the perspective of the Dutch government on cyber-resilience for critical infrastructures?, this thesis has employed a deductive approach. That is, it started out with a theoretical proposition, Cyber-Resilience: Seven Steps for Institutional Survival of Conklin and Shoemaker (Conklin and Shoemaker, 2017), and tested that proposition against qualitative information by analysing the paragraphs of the annual reports of the NCTV, AIVD, MIVD, and the Cyber Security Raad Nederland (Neuman, 2014, p. 69).

Considering that the benchmark of a deductive approach is a theoretical concept, rather than observations in the empirical world as with an inductive approach (Neuman, 2014, p. 70), the deductive approach fitted the goal of this thesis better. More importantly, a deductive approach allowed for testing whether or not the indicators are present in the government's annual reports (Neuman, 2014, p. 14).

As mentioned briefly above, this thesis employed a qualitative approach. It therefore aimed to construct social reality by assessing past measures and policies. Moreover, specific words and sentences can express differences in perspective, or emphasise them more conveniently, than a count of words and symbols could. It is therefore argued that a qualitative approach better suited the interests of this thesis (Neuman, 2014, p. 17).

Lastly, this thesis comprised explanatory research in which the theory of Conklin and Shoemaker (2017) has been tested against qualitative information. Consequently this thesis enriched the theory's explanations and provided fertile ground for new considerations for the government.

4.2 Logic of case selection

This thesis took into account that the Netherlands and its (cyber)security policies are subject to European regulation. However, due to the limited time available to conduct this thesis, solely the Dutch strategies and measures that concern cyber-resilience for critical infrastructure have been assessed, and European regulation has been left out of scope.

4.3 Measurement of key variables

The key concept of this thesis regarded cyber-resilience. Concisely expressed cyber-resilience entails: a single mission for an organisation with overarching principles that touch upon (a) profound coordination, (b) continuity management, and (c) incident response. Insofar these principles allow for the continuity of an organisation’s most critical processes during a successful security breach (Conklin and Shoemaker, 2017).

The variables that belong to cyber-resilience are derived from the theory of Conklin and Shoemaker (2017) and therefore concern the seven steps of cyber-resilience (Conklin and Shoemaker, 2017). By interpreting these distinct steps as variables, they could be tested on qualitative information, which in this thesis consists of Dutch annual reports. All variables and indicators have been assessed as a bundle in each of the sub-questions of this thesis. This enabled the assessment of each variable at a distinct moment in time (2011-2018) and thus of whether or not theory and practice corresponded. One remark applies to the variables in general. They have been tested against qualitative information with the aim to explain, rather than to extend or complement, the theory of Conklin and Shoemaker. The analysis therefore only assessed whether or not, and to what extent, the variables accord with the qualitative information. In no way does this thesis aim to provide a new theory.

Before the indicators are elaborated, one further remark is important. In formulating the indicators a certain level of abstraction has been maintained, considering that within the timeframe of this thesis (2011-2018) new factors, i.e. new technologies and actors, have emerged which could have excluded indicators from the analysis had they been formulated too concretely. In order to include, rather than exclude, such factors, a certain level of abstraction in the indicators was required to establish validity and to enable coherent measurement.

4.3.1 Variables and indicators

The variables regard:

1. Classify: The identification and categorisation of potential targets (Conklin and Shoemaker, 2017).

Its indicators are: Hardware, Software, Devices, Data (NIST, 2014).

2. Risk: The identification of all known attack surfaces.

The indicators are: Natural disasters, Cyber incidents, Acts of terrorism, Sabotage, and Criminal activity (Conklin and Shoemaker, 2017).

3. Rank: A rigorous set of protection requirements, in order to resist any known or conceivable method of attack. Relevant stakeholders are assigned to supervise and maintain each asset.

The indicators are: Stakeholders, Processes, Missions, Visions, Goals (Conklin and Shoemaker, 2017).

4. Design/Deploy: An infrastructure of substantive controls to effectively satisfy its stated mission, goals, and objectives. This step identifies the explicit control objectives for each critical asset (Conklin and Shoemaker, 2017).

The indicators are: (1) Risk Assessment; (2) Certification, Accreditation and Security Assessments; (3) System Services and Acquisition; (4) Security Planning; (5) Configuration Management; (6) System and Communications Protection; (7) Personnel Security; (8) Awareness and Training; (9) Physical and Environmental Protection; (10) Media Protection; (11) Contingency Planning; (12) System and Information Integrity; (13) Incident Response; (14) Identification and Authentication; (15) Access Control; and (16) Accountability and Audit (NIST, 2016a).

5. Test: A planning and oversight function, characterised by the assessment of critical control performance against stated mission goals (Conklin and Shoemaker, 2017). The indicators are: Security protocols, Procedures (NIST, 2016b).

6. Recover: The goal of recovery planning is to ease the impact of disruptive events by using well-established plans in order to ensure predictable and consistent continuity of the critical services.

The indicators are: Improvement strategies, Operational plans, Process for role assigning, Process for responsibility assigning, Process for managing and tracking resolutions (Conklin and Shoemaker, 2017).

7. Evolve: In this step measurable improvements that could increase the resilience of critical assets are identified, analysed and systematically deployed.

Its indicators are: Measurable improvements that increase resilience, Effects of current process, Technological improvements, Lessons learned, Organisational innovation, Deployment processes (Conklin and Shoemaker, 2017).

4.4 Method of data collection

The method of data collection section elaborates on the data universe, the explicit samples that have been used, and the codebook.

4.4.1 Data characteristics

Data universe

The data universe regards: media reports, journals of scholars, government policy papers, security service reports, podcasts, and books.

Sample

The sources that have been addressed during the research comprised of publicly available government official annual reports from the following institutions: Nationaal Coördinator Terrorismebestrijding en Veiligheid, Militaire Inlichtingen en Veiligheidsdienst, Algemene Inlichtingen- en Veiligheidsdienst and the Cyber Security Raad Nederland.

In sum, 30 documents have been assessed. Respectively the subdivision of the documents is as follows:

Government institution NCTV: 9 documents, comprising 8 cybersecurity strategies and 1 cybersecurity agenda (2018).

Semi-government institution AIVD: 7 documents, comprising 7 annual reports.

Independent collaboration Cyber Security Raad Nederland: 7 documents, comprising 4 magazines, 2 annual reports and 1 cybersecurity strategy.

4.4.3 Timeframe

The documents that have been consulted range from 2011 to 2018. The Dutch government, in particular the NCTV, started presenting annual reports on cybersecurity strategy in 2011, in the wake of Stuxnet and the significant threat of cyber weapons to critical infrastructure (Zetter, 2014, p. 5; 380-383).

4.5 Method of data analysis

This section elaborates, besides the method of analysis, on the means with which the analysis has been conducted. These means comprise of the content analysis and codebook.

4.5.1 Content analysis

The method of analysis applied in this thesis is content analysis, which is, according to Neuman (2014): "A technique for examining the content or information and symbols contained in written documents or other communication media" (Neuman, 2014, p. 49).

It is important to stress, however, that sub-questions one and two are descriptive in nature. Nevertheless they were important to address because they depict the circumstances and conditions in which cyber-resilience has unfolded in the given time period. Furthermore, sub-questions one and two provide the context that supports sub-questions three and four, by describing the shared interests and common problems faced by the actors involved in the cybersecurity and cyber-resilience landscape.

In other words, sub-questions one and two provided the necessary backbone for answering sub-questions three and four, with the aim of eventually answering the main research question. By describing the development of the context over the period 2011 to 2018 it could become clear which elements of the theory recur in government measures and policies and which do not. This enabled a clear distinction between the government's perspective on cyber-resilience for critical infrastructure and the academic perspective (i.e. Conklin and Shoemaker, 2017).

4.5.2 Unit of analysis

Due to the qualitative character of this thesis and the limited time available to conduct the research, the unit of analysis is the paragraph. Paragraphs have been copied into the code sheet; only those paragraphs actually quoted in this thesis have been translated.

By assigning each paragraph to one or more categories, the cumulation of paragraphs allowed for the assessment of similarities with other paragraphs within the same category. The aim was to filter, and subsequently analyse, the paragraphs on their assigned codes. Some paragraphs received multiple codes where the categories overlapped. More importantly, because the qualitative information stems from Dutch sources, the original paragraphs have been copied into the code sheets unaltered, meaning that most paragraphs have not been translated into English; it is argued that translation results in a loss of objectivity.

The categories and indicators were derived from the variables, as described in paragraph 4.3. The coding rules that adhere to the distinct categories were defined in the codebook itself.

4.5.3 Codebook

For this thesis a codebook has been devised, which enables future research according to the same principles as this thesis. During the analyses the codebook has been adjusted so that the paragraphs fit adequately into the categories. This method enabled the continuous assessment of cyber threats and security measures over time; adjustments and extensions to the codebook were deemed necessary in order to encompass all cyber threats and security measures. The codes, categories, and indicators comprise:

Code 100 – Classify: Hardware, Software, Devices, Data.

Code 200 – Risk: Natural disasters, Cyber incidents, Acts of terrorism, Sabotage, Destructive

Code 300 – Rank: Stakeholders, Processes, Missions, Visions, Goals.

Code 400 – Design/Deploy: (1) Risk Assessment; (2) Certification, Accreditation and Security Assessments; (3) System Services and Acquisition; (4) Security Planning; (5) Configuration Management; (6) System and Communications Protection; (7) Personnel Security; (8) Awareness and Training; (9) Physical and Environmental Protection; (10) Media Protection; (11) Contingency Planning; (12) System and Information Integrity; (13) Incident Response; (14) Identification and Authentication; (15) Access Control; and (16) Accountability and Audit.

Code 500 – Test: Security Protocols, Procedures.

Code 600 – Recover: Improvement strategies, Operational plans, Processes for role assigning, Processes for responsibility assigning, Process for managing and tracking solutions.

Code 700 – Evolve: Measurable improvements that increase resilience, Effects of current processes, Technological improvements, Lessons learned, Organisational innovation, Deployment processes.
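As an added example (not part of the thesis or its code sheets), the codebook above can be operationalised as a small Python coder that assigns paragraphs to codes 100 to 700 and yields the binary presence matrix described in section 3.1, i.e. which steps recur in a document and which never do. The keyword lists are this example's own rough operationalisation of the indicators (matched as word-initial stems, so 'stakeholder' also hits 'stakeholders'), the two sample documents and their English paragraphs are constructed, and a paragraph may receive more than one code, mirroring the overlap noted in section 4.5.2.

```python
"""Added example: the codebook of section 4.5.3 as a keyword-based paragraph coder
producing the binary presence matrix of section 3.1. Not part of the thesis."""
import re
from collections import defaultdict

# Codes and categories from the codebook; the keyword lists are this example's own
# rough operationalisation of the indicators (matched as word-initial stems).
CODEBOOK = {
    100: ("Classify", ["hardware", "software", "device", "data"]),
    200: ("Risk", ["natural disaster", "cyber incident", "terrorism", "sabotage", "criminal"]),
    300: ("Rank", ["stakeholder", "process", "mission", "vision", "goal"]),
    400: ("Design/Deploy", ["risk assessment", "configuration management", "access control",
                            "incident response", "awareness", "authentication", "audit",
                            "contingency"]),
    500: ("Test", ["security protocol", "procedure", "exercise", "test"]),
    600: ("Recover", ["recovery", "continuity", "operational plan", "responsib", "resolution"]),
    700: ("Evolve", ["lessons learned", "improvement", "innovation", "deployment"]),
}

# Compile once: a word boundary before each stem, no boundary after (prefix match).
_PATTERNS = {code: [re.compile(r"\b" + re.escape(w)) for w in words]
             for code, (_, words) in CODEBOOK.items()}


def code_paragraph(text):
    """First pass of the method: the set of codes whose indicators occur in a
    paragraph. A paragraph may receive several codes where categories overlap."""
    low = text.lower()
    return {code for code, pats in _PATTERNS.items() if any(p.search(low) for p in pats)}


def presence_matrix(documents):
    """{doc_id: [paragraph, ...]} -> {doc_id: {code: number of paragraphs carrying it}}."""
    matrix = {}
    for doc_id, paragraphs in documents.items():
        counts = defaultdict(int)
        for paragraph in paragraphs:
            for code in code_paragraph(paragraph):
                counts[code] += 1
        matrix[doc_id] = {code: counts[code] for code in CODEBOOK}
    return matrix


def binary_presence(matrix):
    """The yes/no view: is each step present in the document at all?"""
    return {doc: {code: n > 0 for code, n in row.items()} for doc, row in matrix.items()}


def missing_steps(matrix):
    """Steps that never recur in a document, i.e. the gap between theory and practice."""
    return {doc: [CODEBOOK[code][0] for code, n in row.items() if n == 0]
            for doc, row in matrix.items()}


# Constructed sample documents in English (the thesis coded the Dutch originals).
SAMPLE_DOCS = {
    "strategy-2011": [
        "Vital infrastructure depends on hardware, software and data that must be protected.",
        "Threats range from cyber incidents and sabotage to criminal activity.",
        "Stakeholders in each vital sector carry responsibility for their own processes.",
    ],
    "strategy-2018": [
        "Incident response and access control are mandatory for vital providers.",
        "Providers must run exercises to test their security procedures yearly.",
        "Continuity and recovery plans assign responsibilities for restoring services.",
        "Lessons learned from exercises feed structural improvements.",
    ],
}

if __name__ == "__main__":
    matrix = presence_matrix(SAMPLE_DOCS)
    for doc, row in matrix.items():
        print(doc, row, "missing:", missing_steps(matrix)[doc])
```

The count matrix is the binary check with the in-depth step still to do: a code with a count above zero tells the analyst which paragraphs to read for the how or why, while a count of zero for a whole document is the absence that separates the government's perspective from the theory. Keyword matching of this kind is only a first filter; the coder of the thesis still reads each paragraph before a code is final.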


Chapter 5

Limitations

The limitations of this thesis have been distinguished into internal validity and external validity limitations.

5.1 Internal validity

An internal validity issue concerns the theory that has been tested, that is, Cyber-Resilience: Seven Steps for Institutional Survival of Conklin and Shoemaker (2017) (Conklin and Shoemaker, 2017). This theory is mainly directed at individual organisations: it is designed as a framework for organisations to increase their cyber-resilience by applying the seven steps. By assessing this theory against governmental cyber-resilience approaches, it is possible that some indicators do not apply, which could result in false conclusions. Moreover, this thesis has generalised critical infrastructures, whilst critical infrastructures can be sub-divided into A and B categories and A and B processes. Consequently, when a single critical infrastructure is taken into account, this thesis might produce false conclusions.

In all editions of the Cybersecuritybeeld Nederland it is evident that different actors and publications use different cyber taxonomies and registration methods for cyber incidents and threats. Moreover, the concept 'cyber incident' varies per edition. Both affect the internal validity.

Lastly, because the focus of this thesis is on critical infrastructures, the parts and roles attributed to the end-user are not taken into account extensively, although the end-user is an important aspect of cybersecurity. This too can have detrimental consequences for the internal validity of this thesis.


5.2 External validity

An external validity issue that tends to coincide with this thesis regards the choice for the theory. By solely applying the theory of Conklin and Shoemaker this thesis adheres to a singular academic vision on cyber-resilience, whilst other cyber-resilience theories might produce other conclusions. Hence the findings of this thesis might not be generalisable.

Another external validity issue that limits the generalisation of this thesis concerns the dynamic of time. Every day new technological developments emerge, and with them new vulnerabilities. Within a short period new cybersecurity issues might emerge that require new cyber-resilience approaches from the government and other stakeholders. This thesis can therefore not be generalised to every future time period.


Chapter 6

Threat representation: A government’s perspective

The NCTV – as government institution – published its first national cybersecurity strategy a year after the discovery of Stuxnet (2010) (NCTV, 2011). Since then it has published national cybersecurity strategies in all subsequent years (NCTV, 2018a). These cybersecurity strategies describe what in this thesis is referred to as the government's threat representation, which can be sub-divided into the government's threat perception, the type of threat, and the (potential) target. In order to guide this concept throughout this chapter, the following question has been conceived: How has the government's threat representation manifested over the years?

This question will be elaborated by means of an introduction to Dutch national security, infrastructures, threat development, and vulnerabilities, with special emphasis on vulnerabilities of systems, information, and networks.

6.1 Introduction

In order to get a better understanding of the government's threat representation, it is important to first address the kernel of its security perspective. This kernel can be distinguished into five security interests that, cumulatively, constitute the general national security interest of the government (NCTV, 2018a). These security interests encompass:

1. Territorial security – "The undisturbed functioning of the Netherlands as independent state in a broad sense, and territorial integrity in a narrow sense. This entails the physical area and the coinciding infrastructure, as well as the image and reputation of the Netherlands" (NCTV, 2018a, p. 22).

2. Physical security – "The undisturbed functioning of people within the Netherlands and its environment. This affects healthcare and the wellbeing of people. Criteria are deaths and heavily wounded, and lack of primary needs such as food, energy, drinkable water and adequate housing" (NCTV, 2018a, p. 22).
