The Netherlands’ Cybersecurity Landscape
Thu, 13 Dec 2018 || By Faadillah Fayyadh Aidad


Cybersecurity can be defined as “the protection of computer systems from theft or damage to their hardware, software, or electronic data, as well as from disruption or misdirection of services they provided”.[1] With the ever-increasing demand for computing power in the world, as well as the interconnectedness of such computer network with each other, cybersecurity has become more important than ever. Many private companies fill up the market for private cybersecurity, varying from antivirus to cloud security. State actors, however, would require different kinds of infrastructure compared to an individual, and different states have different capabilities of cybersecurity.

Cyber attacks can have devastating consequences, such as swinging elections[2], creating misinformation; panic; and hysteria to the citizens[3], as well as embezzlement of state secrets.[4]  Of all the countries in the world, the Netherlands, together with 20 other nations are ranked as “the leading countries” on global cybersecurity commitment by the Internal Telecommunications Bureau’s annual report on cybersecurity.[5] The Dutch do this by having a comprehensive and systemic way of assessing threats to their cyberspace, their capabilities of handling such threats, and actions to consider in the event of an attack. This commentary will examine what made Dutch cybersecurity renowned as one of the best in the world, and how Indonesia can learn from them on how to improve its own cybersecurity.

Landscape and Protocol of Dutch Cybersecurity

Cybersecurity is essential for the Netherlands as the country has developed one of the best IT infrastructures in Europe. Economic capabilities are boosted by the subsequent effort of digitalization, which leads the government to concentrate effort to improve it. Thus, the government has a big interest in maintaining a secure digital environment to maintain   the momentum gained from digitalization. According to the Netherland’s National Cyber Security Centre (NCSC), cyber attacks proliferate in recent years due to the effectiveness and ease of conducting such attacks.[6] Attackers have very little chance of being caught, and the problem often lies not on the attacker's capability or tools to commence the attack, but the victim. NCSC have two reasons for it. The first is that producer of digital goods have very little incentive to build a secure product, as doing so will cost more money on production and maintenance.[7] Second is the relegation of cybersecurity as a second priority by the public, private companies, and governments, with the same reason above: funding issues. Besides, an increasingly digitalized nation increases the complexity of maintaining a secure digital environment.[8]

Threats Towards the Dutch Cybersecurity Ecosystem

NCSC believes that nation-states pose the most significant threats to Dutch National Security, more than any other actors.[9] State actors exercise cyber attacks because they want to acquire information, influence the public, and disrupt vital infrastructures of the state. NCSC acknowledges that jihadists have been busy on the cyberspace, but their presence there are mostly for the purpose of propaganda or fundraising; they still prefer doing physical terrorism compared to cyberterrorism.[10] Hacktivists activities also aren't categorized as a national security threat as their activities didn't focus on stealing state secrets. State actors, on the other hand, have an agenda and capabilities that non-state actors don't have. They are capable of utilizing their national resources to do the attack themselves or use a third party to orchestrate the attack. They also tend to use simple techniques, such as phishing and malware, to collect resources for a bigger, more damaging attacks.[11] National cyberattacks can create massive collateral damage, with cases like the WannaCry ransomware in 2017 that affected people from 150 different countries.

NCSC acknowledges the impossibility of mapping the full resilience of organizations in the Netherlands. The cybersphere is too chaotic and full of many different variables, making it impractical to list all possible measures against it.[12] Instead, the NCSC encourages organizations in the Netherlands to implement basic measures of cybersecurity, as most cyber attacks don't utilize any advanced tools, but exploit the vulnerabilities in the system and human error,[13] as organizations tend to ignore cybersecurity measures unless a breach has been detected. This mindset is what NCSC sees as the biggest vulnerability of Dutch organizations in their field of cybersecurity.


Compared to the Netherland’s NCSC, Indonesia is still lagging behind in terms of cybersecurity. Indonesia’s cybersecurity association, the Badan Sandi dan Siber Nasional (BSSN), which had only been established last year, and the only legislation concerning cybersecurity is the Presidential Order to establish the BSSN.[14] Indonesia is wholly unprepared to face a cyberattack, and with the election next year, it is very vulnerable to cyber attacks which seek to undermine its sovereignty. The NCSC signified that even a developed country like the Netherlands is unable to contain threats from the cybersphere. It needs the assistance from the public and private sectors to contribute as well. As cyber attacks tend to use basic tools, basic measures are also capable to stop it. Teaching the public and private sectors basic measures for data security should be an adequate first step to establish a national cybersecurity measure. All in all, cybersecurity is a very new concept for Indonesia, and it needs to start catching up if it wants to maintain its democracy in this age of cyber warfare.

EditorTreviliana Eka Putri

Read another article written by Faadillah Fayyadh Aidad

[3] Ibid.

[4] Ibid.

[5] International Telecommunications Union (2017). Global Cybersecurity Index 2017. P. 15. Available at: []. Accessed 17 October 2018.

[7] Ibid., p.23

[8] Ibid., p.23

[9] Ibid., p. 17

[10] Ibid., p. 17

[11] Ibid., p. 17

[12] Ibid., p. 37

[13] Ibid., p. 37