The Dutch Cyber Security Council (CSR) is a national, independent advisory body for the government composed of high-ranking representatives from public and private sector organisations and the scientific community. The CSR promotes cyber resilience in the Netherlands. It asked the Rathenau Institute to investigate how new technologies can contribute to enhancing cyber resilience in the Netherlands. The aim of the study is to provide building blocks for an advisory report by the CSR for the national government.
The report covers:
- the anticipated technological developments in the Netherlands in the medium term (a period of 2-8 years);
- the implications of those developments for existing cyber vulnerabilities;
- the opportunities that these new technological possibilities create for increasing cyber resilience;
- the conditions that have to be met in order to take full advantage of those opportunities; and
- the lessons that can be drawn from experiences in other countries.
The report devotes special attention to public organisations and suppliers of vital services.
The study focuses on new technological developments. However, the significance of technology depends on the practical use that society makes of its potential. This means that technological developments are shaped in part by various non-technical aspects, such as the cyber skills of users, organisational processes and legislation and regulation. This study into how the opportunities created by new technological developments can be grasped therefore concludes with a review of these wider conditions.
Relevant technological developments
This study concentrates on technological developments that are expected to have practical relevance for cyber resilience in the Netherlands in the coming years. It is not concerned solely with technological developments that are ‘new’ in an academic sense.
Two examples will illustrate this. The quantum computer will not be sufficiently advanced for use in practice in the immediate future. However, its prospective arrival is relevant for this study because measures will have to be taken in the coming years to protect existing IT systems against the risk of an attack with a quantum computer. On the other hand, the Internet of Things (IoT) is not a new technological development, but the explosive growth in its use in the coming years will force us to rethink how the Netherlands should address the vulnerabilities it creates. The further development of IoT is therefore relevant for this study.
Digitisation is making society vulnerable
This study also discusses the vulnerabilities associated with the digitisation of society. Measures designed to enhance cyber resilience cannot be considered in isolation from those vulnerabilities and the associated cyber threats.
With the further digitisation of society, the online and offline worlds are becoming increasingly entangled. Consequently, more and more data are processed digitally, more devices contain digital technology and more services are supplied digitally. The further roll-out of IoT will accelerate that trend. This is a problem due to widespread shortcomings in cyber resilience. Because of those flaws, IT systems and applications are frequently vulnerable to malfunctions, system failures and attacks.
Growing dependence on external parties
Another important trend with implications for cyber resilience is the growing dependence of end users on foreign technology companies for the proper functioning of digital products and services. For example, a growing number of digital services are supplied by providers of cloud technology. This creates new risks: loss of functionality due to system failure and loss of control of data and data processing.
Large foreign companies are also in the vanguard when it comes to the further development and implementation of new technologies such as machine learning, quantum computing and satellite and 5G networks. The Netherlands and the EU are therefore at risk of becoming even more heavily dependent on international parties.
Enhancing cyber resilience with new technology
New technologies like machine learning, post-quantum cryptography, LiFi, quantum communication, 5G networks and distributed systems offer possibilities for increasing cyber resilience. For example, machine learning will probably make it possible to automatically identify and repair vulnerabilities in software. And the aim of post-quantum cryptography is to enable data encryption that is resistant to attacks using the power of a quantum computer. These technologies are still being developed and are currently only used to a limited extent.
In fact, the use of automatic vulnerability detection and repair or post-quantum cryptography is not merely an opportunity, but also a necessity. To safeguard data security, for example, there will have to be a mass migration to post-quantum cryptography before quantum computers are capable of cracking existing forms of encryption.
New technologies create new vulnerabilities
New technological advances also create new vulnerabilities. Machine learning makes it easier to carry out cyber attacks, for example, because existing vulnerabilities can be automatically discovered and exploited on a large scale. New technologies can also be a source of new vulnerabilities. Machine learning could be used to manipulate visual material (deep fakes), for example. Furthermore, new technologies themselves contain vulnerabilities. For example, machine learning is susceptible to data pollution; malicious parties could abuse this vulnerability by intentionally feeding a machine learning system with inaccurate data.
Increasing cyber resilience with existing technology
There is only limited point in using new technologies if existing technologies that are capable of enhancing cyber resilience are not used more widely. For example, there is still considerable room for improvement in terms of taking basic security measures (strong passwords, 2-factor authentication), the use of encryption and of Privacy Enhancing Technologies (PETs), and the adoption of open data standards, open source software and safer communication protocols.
Conditions for exploiting technological opportunities
There are a number of conditions that have to be met in order to take advantage of the opportunities that new and existing technologies offer in terms of enhancing cyber resilience. First and foremost, measures to increase cyber resilience must be based on an adequate risk analysis, at board level, of an organisation’s critical data and processes: which ‘crown jewels’ demand maximum security and what risks are acceptable?
As a major client of digital products and services, the national government could also be an important role model, for example by making extensive use of PETs. The government could also encourage suppliers to improve the security of the digital products and services they bring on to the market through legislation, certification and standardisation. The Dutch government – or the EU – should be conspicuously involved in the drafting of international standards, which are very important for multinational measures in the domain of cyber resilience.
Strengthening digital autonomy
There are various options for countering the risks associated with the growing dependence on foreign technology companies.
- The standard use of tools such as strong encryption, open data standards and distributed systems could avert risks such as unauthorised access to data, vendor lock-in and Single Points of Failure.
- A second option is to incorporate stricter requirements in the purchasing conditions in contracts with suppliers of digital products and services. For example, providers of cloud services could be required to encrypt all stored data in order to prevent unauthorised access. The national government and providers of vital services could – and indeed must – play a leading role in this respect.
- A third option for escaping over-dependence on foreign parties is for the Netherlands and Europe to create a larger IT industry of their own.
Improving the innovation climate
That third option requires a more effective knowledge and innovation policy, with a sharper focus in the government’s Netherlands Cyber Security Research Agenda (NCSRA). A more favourable innovation climate is also needed. The government could, for example, make tender procedures more attractive for innovative start-ups. The government and the suppliers of vital services could also play a stronger role as launching customer. The Netherlands’ prominent position in terms of knowledge in the field of post-quantum cryptography also creates opportunities for the launch of national IT companies, which could then develop products and services to support the migration to quantum-resistant cryptography.
Another reason for developing a national IT industry on at least a minimum scale is the need to guarantee maximum security for ‘crown jewels’ such as state and commercial secrets, for example by using strong forms of post-quantum cryptography. The government and suppliers of vital services must be able to buy the necessary products and services from trusted market actors that endorse important values such as privacy and autonomy.
Exploiting opportunities for post-quantum cryptography and machine learning
The government could promote the use of new technologies such as machine learning and post-quantum cryptography in various ways. That will require continued investment in knowledge creation in those domains. The government should also facilitate collaboration between research institutes and organisations devoted to finding innovative solutions for issues relating to cyber resilience. Organisations that do not have their own research capacity and that rely on the products and services supplied by market parties should be able to request assistance in evaluating whether an offer from a commercial supplier is suitable.
Expertise required for successful use of new technology
Exploiting the opportunities for increasing cyber resilience created by new and existing technologies calls for specific capacity and expertise. Due to the chronic shortage of experts in this field, greater investment is needed in programmes for teaching IT skills.