Tackling complex cyber security challenges: more policy guidance from government needed

Digital progress in the Netherlands

The Netherlands is one of the digital transformation frontrunners in Europe. The basic digital skills of the Dutch population already surpass the EU’s target for 2030 (at least 80% of 16-to 74-year-olds). The country also employs a relatively large number in the IT sector (7.2%), significantly higher than the EU average (4.6%).

Getting the big picture

Our digital society needs robust cyber security policies. All the more so now that AI is developing at a lightning rate and global geopolitics are having a major impact on the digital domain.

The Dutch government is all too aware of these significant challenges. For some time, it has sought to get a better idea of what kind of cyber security R&D and innovation is happening – and not least what is still needed to keep cyber security solutions at the level needed in the future. Once the government then has the big picture, this will make it easier to determine what the next logical step is in terms of making policy.

High stakes

When TNO Vector was asked to conduct a broad survey on what is happening in cyber security and where there are still gaps, it soon became clear that there were very few clues.

‘We really had to start from scratch,’ stresses Marcel de Heide, an economist at TNO Vector who is researching innovation policy. ‘Cyber security involves very specific solutions, bringing together a range of different technologies. And besides the technical and economic aspects, cyber security solutions also affect society at large. So, the societal and legal aspects should always be considered carefully as well. In essence: the stakes are high.’

"Cybersecurity is about more than creating economic opportunities; it also involves mitigating societal risks and ensuring national security." - Gabriela Bodea, Research Scientist at TNO Vector.

National security issue

‘You can look at cyber security in different ways,’ agrees Gabriela Bodea, who researches the impact of technological developments on society for TNO Vector.

‘It’s not just about creating economic opportunities, but mitigating the economic and societal risks as much as possible at the same time. And the way cyber security is implemented also affects our national security.

So, it can bring several issues at once, with both opportunities and risks having to be carefully weighed against each other. The government plays a huge role here. To get the right policy, the first thing that needs to be clarified is how the government views cyber security. Is economy the main focus? Or is cyber security so important to national security that policy should be drafted with public interest in mind?’

More than just objective facts

The report recently published by TNO Vector calls on the Dutch government to make clear decisions urgently. It is worth noting that the underlying research not only collected and analysed data, but also involved interviews with several experts with a great deal of experience in the cyber security sector. Thanks in part to their input, the result was not just a statement of objective facts, but a more comprehensive report that clearly highlighted concerns from the field and also raised critical questions.

New requirements needed

When researching and writing the report, we couldn’t help but consider it in the context of the world we are living in. After all, we live in a time of tense geopolitical relations and when generative AI applications are speeding up the already rapid digital revolution in society. This also affects the requirements we place – or rather should be placing – on cyber security solutions, as that is something not happening enough at the moment.

"Users do not feel the responsibility or inadequately shoulder the responsibility for their cybersecurity. This lack discourages developers from investing in R&D and innovation for cybersecurity solutions." - Marcel de Heide, Economist at TNO Vector.

A clear role for the government

‘There is an increasingly complex playing field emerging. We are in a situation where users of cyber security solutions rarely know exactly what they need,’ De Heide says.

‘The market is very complicated when it comes to solutions. Users are not taking enough responsibility for their own cyber security. This means demand is lower than it should be, and developers aren’t as willing to invest a lot in R&D and innovation, fearing they won’t recoup that investment quickly enough.

That’s where the government comes in: it needs to see what it can do from a policy perspective to highlight the demand for cyber security solutions more clearly and ensure that the supply matches that.’

Reality has now dawned on us

‘It’s important to stress that the government should not start developing and offering cyber security solutions to consumers itself,’ Bodea adds. ‘But it can set conditions and outline frameworks that market players have to meet, while driving cyber security research and innovation.

We should of course have addressed this much earlier as a society. We were all so enamoured with new digital technologies that we embraced them a bit too quickly without thinking about the potential downsides. But the reality has now dawned on us, which is a good starting point to give cyber security the attention it deserves and desperately needs.’

A new way of doing data research

When embarking on research into the cyber security domain, it was already clear that finding relevant data would be a major challenge. An exploratory analysis had concluded that there was not only a lack of relevant statistics, but also no methodological framework available to determine the impact of R&D and innovation in the field.

No mean feat for Anastasia Yagafarova, an economic consultant at TNO. Together with colleagues Marcel de Heide and Gabriela Bodea, she scoured several databases to extract the information needed on the cyber security sector. Gradually, a number of statistics emerged, continually enriched with newly acquired information.

What started as an experiment soon resulted in a reliable and well-supported statistical framework. This successful approach also lends itself very well to other research areas where information needs to be ‘distilled’ from multiple databases. Yagafarova is currently also involved in a research project on artificial intelligence, for example.