Belgium Reboots Cyber-Strategy: Cybersecurity plan 2.0 (2021-2025)
By Eva Houtave. Originally published on 17 June 2021 on the CiTiP blog of the University of Leuven.
Since 2012, Belgium has had a cybersecurity plan. Recently, the Belgian National Security Council released, together with the Center for Cybersecurity Belgium (CCB), an updated version, aiming to make Belgium one of the most secure countries in Europe in terms of cybersecurity by 2025. This post will discuss the updated plan and compare it with the first version.
In May 2021, an updated cybersecurity strategy for the period 2021 – 2025 was presented by the Center for Cybersecurity Belgium (CCB). After all, the first version of the cybersecurity strategy dates from 2012 and focused mainly on recognizing cyber threats. With this new plan, Belgium wants to be better prepared against cyberattacks. Not only will safety guidelines and standards for citizens be established on this basis, but a legal framework will also be prepared. As more advanced cyber threats with a higher degree of impact emerge, an updated version was inevitable. The recent attacks on Belnet (Belgian internet provider) and the recently discovered hacking of FPS Homeland Affairs (whereby cybercriminals had access to any local data for over two years) demonstrated this again. In addition, the new strategy is part of the transposition of several international commitments. For example, in July 2016, the EU NIS Directive (Network and Information Security) was adopted, which was transposed in Belgium in April 2019. Based on this, a concrete strategy for the security of network and information systems had to be elaborated. Furthermore, since June 2019, the EU Cybersecurity Act has been in force in Belgium. The new strategy accordingly adopts the “cybersecurity certificates” proposed by this European regulation as a measure to increase trust in and security of products and services. The NATO Cyber Defense Pledge (2016), which endorses cyber as a fourth operational domain of defense (alongside the conventional domains, being air, land and sea), was also taken into account.
Important updates
A first important update is the inclusion of a definition of cybersecurity, which is described as ‘the result of a set of security measures that minimize the risk of disruption of, or unauthorized access to, information and communication (ICT) systems’. Cybersecurity is delineated as a separate domain from privacy and data protection. It is also made explicit that measures against the usage of ICT to recruit terrorists or measures used to fight online disinformation campaigns do not constitute measures of cybersecurity. Nevertheless, it is indicated that the various domains are related.
In contrast to the first version of the strategy, the different stakeholders (the general public, companies, the government and organizations of vital importance (OVI)) are discussed in detail. It is emphasized that all stakeholders play a role. For the general public, the importance of securing both devices (smartphones, laptops, tablets) and the applications on these devices (such as banking applications) is highlighted. Companies should also implement security solutions such as firewalls in their IT systems. In relation to the government, it is stated that the CCB’s guidelines are accessible to all government departments. Finally, the OVIs, a new notion since the first strategy, are defined as “the sectors of energy, mobility, telecom, the financial sector, potable water, public health, digital service providers and government”. These organizations are very important as cyberattacks on them could potentially have a nationwide impact. However, the strategy does not explain what the role of the OVIs is.
This is followed by a more in-depth look at concrete cyber threats to the Belgian state and population. Here, it is striking that the same threats as in 2012 are put forward, specifically cybercrime, foreign military and intelligence services (espionage/war in cyberspace), terrorist groups and ‘hacktivists’. In each case, the most recent issues are discussed, such as the use of encrypted communication channels by criminals (see blogpost SKY ECC). However, how exactly these communication channels will be tackled is not discussed. Attention is also paid to the so-called ‘technological risks’, being the risks arising when specifications of a new technology are not taken into account while securing it. The increasing dependence on ‘Third Party Providers’ at every step of the development, production, maintenance and processing process plays an important role in this. Therefore, the plan advocates ‘Secure Development’: attention to security within each step of the development process of new software and technologies. ‘Technology-specific developments’ carry risks as well. In this context, reference is made to “cloud computing”, whereby hacking can lead to the sharing of an incredible amount of information. In addition to focusing on the regulation of the personal aspects of security and privacy, the product-related aspects of these themes should, therefore, also be better regulated. It is advocated that this should be approached via a European/international framework.
Six strategic objectives
Next, the strategy discusses six strategic objectives for the upcoming years. First of all, the aim is to strengthen and increase trust in the digital environment. This should be achieved by focusing on the introduction of a secure network infrastructure. In addition, it proposes to establish a ‘Cyber Green House’. This would allow innovative cyber solutions and business models to be tested in a risk-free environment. Further investments will also be made in Research & Development (R&D). Belgium will also establish a framework that will allow companies to evaluate and certify the security of ICT products, services, and processes. For this purpose and in line with the Cybersecurity Act, a ‘National Cybersecurity Certification Authority’ (NCCA) will be established. This body, in consultation with market surveillance authorities, other sectoral authorities and the National Crisis Centre (NCCN), will coordinate the cybersecurity certification. It is also intended to strengthen the cyber skills of intelligence and security agencies.
As a second objective, the protection of users and administrators of computers and networks is stated. This will be achieved by raising awareness among citizens. Companies and organizations are also urged to publish a “Coordinated Vulnerability Disclosure Policy”. Finally, the sharing of cybersecurity guidelines and best practices through existing (and new) platforms will be promoted.
The third objective aims to protect OVIs from any possible cyber threat. It is emphasized that OVIs are currently informed of threats, vulnerabilities or incidents through an ‘Early Warning System’ (EWS) of the CCB. A consultation platform (Cyber Security Sectoral Authorities Platform) has also been established to optimize information exchanges between the OVIs. In addition, appropriate protection will be given to Belgian OVIs supporting international institutions based in Belgium. It is also emphasized that conducting regular exercises is important for building resilience against incidents. The participation of the Belgian security services, other government departments and the OVIs in both international and national exercises is therefore highly desirable.
The fourth objective entails the response to cyber threats. A first working point is to better map international threats. A greater effort will also be made to disrupt criminal cyberinfrastructures. To achieve this, more capacity and expertise must be acquired at all levels of the Belgian police and at the level of the judiciary. Since cybercriminals mostly operate in an international context, coordination with other countries must be ensured. In addition, this objective states that the Ministry of Defense must further develop its cyber capacity. Finally, it is stated that the identification and attribution of a cyber-attack to a particular person, group or state should always be analyzed and decided through a coordinated national procedure. Otherwise, it could have diplomatic consequences.
The fifth objective aims to improve public, private and academic collaborations. To this end, efforts will be made to better coordinate existing initiatives. The Cyber Security Coalition will also receive further support.
The sixth objective entails the establishment of clear international cooperation in the field of cybersecurity. In this respect, reference is made to Belgium’s support for the EU (and the Agency for Cybersecurity in Europe, ENISA), NATO and other international organizations in their contribution to an open, free and secure cyber environment. Bilateral collaborations between all relevant authorities in Belgium and their foreign counterparts are also encouraged.
Collaboration is key
Finally, this strategy provides a comprehensive overview of all pertinent cybersecurity actors in the Belgian field. These include the CCB (including Cert.be), Federal Police (Regional Computer Crime Units (RCCUs) and the Federal Computer Crime Unit (FCCU)), the Public Prosecutor’s Office (Federal Prosecutor’s Office), Defence, the National Crisis Centre (NCCN), State Security (VSSE), FPS Foreign Affairs, the National Security Authority, Body for Coordination and Analysis of the Threat (OCAD), sectoral authorities, the Belgian Institute for Postal Services and Telecommunications (BIPT) and the FPS Economy. In doing so, it emphasizes that, in addition to each actor’s own responsibilities, collaboration is essential in preventing, reducing, treating and monitoring cyber threats and incidents. Although Belgium already has several initiatives (e.g. Cybersecurity Sectoral Authority Platform) that enable this, the new strategy also calls for an overarching ‘cyber governance’ to enable dialogue and coordination of the various activities.