Abstract
Digitization is placing new demands on how we deal with incidents that threaten to undermine core societal functions and processes. Societal disruption will almost inevitably flow from the disruption or failure of digital infrastructure given the interdependence of the digital and physical realms. Digitization also poses new challenges for policy makers as the use of digital technology leads to complex, cross-border networks with geopolitical implications.
You have full access to this open access chapter, Download chapter PDF
3.1 Introduction
Digitization is placing new demands on how we deal with incidents that threaten to undermine core societal functions and processes. Societal disruption will almost inevitably flow from the disruption or failure of digital infrastructure given the interdependence of the digital and physical realms. Digitization also poses new challenges for policy makers as the use of digital technology leads to complex, cross-border networks with geopolitical implications.
3.2 Our Growing Dependence on Digital Technology
The role of digital technology in society has exploded in recent decades with the growth of ‘datafication’, computing power and connectivity. While each trend brings countless new opportunities to society, they have also altered the risk landscape for citizens, companies, organizations and states.
3.2.1 Datafication
Ever more societal processes are based on the flow of data and information.Footnote 1 ‘Datafication’ has three main features.Footnote 2 The exponential growth of data being stored and exchanged is due not only to targeted collection and voluntary provision, but also to constant production through automated processes.Footnote 3 Data is also coming to play a more autonomous role in the functioning of society, with datafication changing the nature of data collection and its analysis through algorithms. The growing range of applications means that for ever more sectors and for ever more people, data is the raw material on which ‘real-world’ processes are based and ‘real-world’ actions are taken. Data has thus become an essential factor of production for countless companies. Public services rely on data, for example the interwoven system of healthcare and rent allowances.Footnote 4 For citizens, data is the oxygen that allows them to participate fully in society.
Datafication makes us more vulnerable to societal disruption by increasing the importance and vulnerability of data processes and files. A large number of recent incidents have shown user data to be inadequately secured, stolen by criminals, or held ‘geopolitical hostage’. The scaling up of data-use not only exacerbates these vulnerabilities, but also means that ever more people can be affected. Some incidents have compromised the data of many millions of people. Malicious actors are also becoming more focused, seeking to hack into organizations such as banks and hospitals. With both the growing application of data and our dependence on it, problems involving the reliability, availability and integrity of data can also have more serious consequences, partly because they support core processes in everyday life. The failure or disruption of a digital system means that an important factor of production is no longer available or can no longer be relied on. It would be akin to dealing with a factory or a government department with no staff, or at least with a great many absent employees.
3.2.2 Computing Power
Increased computing power allows us to automate ever more complex processes. The most recent phase in this development is the use of algorithms, which allows us to process larger amounts of data than ever before and make decisions more rapidly as they are partly automated. When smart digital systems are properly programmed and trained, they are more reliable than humans in making rapid and complex decisions. But the speed and scale at which digitized systems make complex decisions means that things can quickly get out of hand when things go awry. Due to system complexity, problems can no longer be attributed to individuals, especially when multiple systems are communicating automatically. An illustrative incident is the Dow Jones Newswire’s accidental publication of a report about Google’s purchase of Apple in 2017, meant as a technical test. Automated trading robots responded within milliseconds, and the impact on stock prices was severe.Footnote 5 Another example was the 2010 ‘flash crisis’, when a trillion dollars in stock value evaporated in minutes due to unintended machine-to-machine interactions.Footnote 6 A more recent issue is the Russian interference in US elections, cunningly using automatic newsfeed systems, the scale of which only became apparent after extensive research.Footnote 7
The failure of an automated system can result in societal functions and processes running less efficiently, becoming unsafe, or failing altogether.Footnote 8 An example is the 21 August 2018 rail outage at Schiphol Airport, caused by an error in the Dynamic Traffic Management System (DVM) software.Footnote 9 DVM software, used to manage the rail infrastructure around Schiphol, normally ensures that rail traffic routed through the Schiphol tunnel keeps flowing as smoothly as possible. When the DVM failed, the train routes between Amsterdam and Schiphol had to be managed manually. Instead of the normal average of 20 trains per hour, only 4 trains were able to run on this route for an extended period, affecting around 50,000 passengers. The incident revealed the importance of a well-functioning fall-back option and the availability of people with the skills to take control without the help of automated systems.
3.2.3 Connectivity
A third aspect of digitization is growing connectivity. The number of internet users continues to grow rapidly, as do the number of devices connected to the internet, the amount of data exchanged, and the number of applications and services managed online. Cloud computing, the Internet of Things (IoT) and artificial intelligence are expected to further reinforce connectivity, increasing the potential for serious consequences when societal disruption occurs. This is because efficient networks are crucial for the continuity of core societal processes and for quick and effective resolution if things go wrong.
For most digital services and applications, organizations can choose between different providers. But for some basic functions of the internet, there is no alternative.Footnote 10 Opinions vary regarding the vulnerability of the internet.Footnote 11 To date, the internet has been surprisingly resilient, finding its way around problems through its decentralized design. It is probably partly for this reason that no major crisis has yet occurred. The more connected an organization, network, or country, the better able it is to absorb shocks. At the same time, existing methods of attack may be scaled up – a DDoS attack using IoT devices, for instance.Footnote 12 Our growing reliance on the internet also means that greater connectivity can have further-reaching impact.
It is also difficult to determine which parts of the internet are truly indispensable.Footnote 13 While we can make technical distinctions, in practice this is not always useful. If large data centres, internet exchanges or authentication services fail, a large section of the population would suffer the consequences. The same applies to large cloud providers, as recent disruptions at Google and Amazon have shown. Technically, such problems would not affect the ‘core’ functions of the internet but would jeopardize many online services. The same applies to local physical infrastructure that links organizations to the internet or connects them in other ways, such as through mobile facilities.Footnote 14 Examples here include major network operators. Were one of these operators to go down due to for instance a power failure, this would not ‘bring down the internet’ but would restrict local connectivity and lead to major problems. Such organizations might in fact be ‘too connected to fail’.Footnote 15
3.3 Chains, Networks and Complexity Transcending Borders
The developments described above have led to major changes in how society is organized. Organizational processes have become intertwined with data systems, with the resulting chains and networks transcending national borders and growing in complexity. This makes it increasingly difficult to anticipate and respond to societal disruption.
3.3.1 Chains and Networks
The availability of fast and cheap hardware and software has led organizations to base their production and services on real-time planning. This reduces storage costs, ensures the efficient use of capital and allows rapidly adapting to changed circumstances. But in the event of hardware failure or a network connection outage, the supply of goods can quickly dry up. The opposite happens at the other end of the chain, or elsewhere in the network, where goods may accumulate. NotPetya led to congestion at Maersk terminals around the world because the international registration system for containers ceased to function. With such flows and production chains interrupted, the economic security of the Netherlands would quickly enter the danger zone.Footnote 16
The internet and other large-scale networks allow controlling processes remotely. Organizations are increasingly making use of open networks, with devices communicating via protocols. This communication regularly takes place over the public internet to save on the costs of setting up a dedicated communication network. One problem with linking management systems to larger networks or to the internet is that these systems are sometimes outdated and no longer receive support from external suppliers or their own organization. While these systems may function safely in isolation, when linked to larger networks their vulnerability is a major risk as outsiders can access them much more easily. This applies to the systems used for drinking water, payment transactions, and the operation of canal locks and sluice gates.Footnote 17
Chains and networks have intrinsic vulnerabilities and suffer disruption when their individual links fail. Information is scattered between actors, whose actions can unintentionally affect others in the chain. Digitization adds new vulnerabilities involving interfaces with the outside world, for example electronic patient records in hospitals and shared IT services such as data storage and cloud services.Footnote 18 Such applications add new parties to the system, creating new dependencies. They often also lead to more interactions, with all the accompanying risks of disruption.
Failures within chains and networks can result in cascade effects, particularly where components are intricately connected. Cascade effects occur when an ostensibly isolated problem affects the rest of the network, and possibly beyond it.Footnote 19 The consequences are far-reaching when many parties depend on the same service or supplier. This has traditionally been the case for the electricity supply, meaning that power outages top lists of events with major disruptive potential. The question today is whether parts of our digital infrastructure now occupy a similar position. Although hard evidence is hard to come by, a large-scale analysis of incidents in Europe shows that telecoms (37%) and internet (7%) services are second and third behind the energy sector (47%) when it comes to cascade effects.Footnote 20 Examples of major dependencies are legion, ranging from the use of Microsoft operating systems and Intel chips in most computers to banks and companies relying on the services of a handful of major international cyber-security companies.Footnote 21 The market for cloud services is also dominated by an extremely small number of companies (Amazon, Google, Microsoft and Salesforce).
3.3.2 Beyond National Boundaries
Digitization means that almost every organization is vulnerable to disruptions in networks or supply chains because they depend on the products and services of third parties. At the same time, these networks and chains often cross national borders. Global connectivity, global production chains and IT facilities mean that the causes of a societally disruptive failure in one country can reach far beyond its borders. The internet itself is virtually without borders, meaning that any organization connected to the internet could, in principle, be attacked from anywhere in the world.Footnote 22 Due to these factors, societal disruption could quickly become borderless.Footnote 23
The disappearance of national borders also manifests in how facilities and services are globally connected. Dutch companies, government institutions and citizens depend on a limited number of large – mainly US-based – software providers, IT service providers and security companies. Many cloud services simply run somewhere on the internet, not necessarily in one location. The use of cloud services may protect the continuity of processes, precisely because data is stored in multiple locations. Due to their elastic capacity, cloud providers are also better able to mitigate DDoS attacks and to update software as soon as patches become available. The revenue model of cloud providers also provides them with strong incentives to ensure the security of their facilities, which is often better than that of their customers.Footnote 24
At the same time, the use of cloud services is creating new vulnerabilities. Cloud servers increase the number of parties, devices and applications involved, giving attackers more opportunities to access targeted systems. More data flows back and forth, increasing the chances of disruption. There are also concerns about delegating control over data and applications to cloud providers. Many cloud services consist of a layered and complex combination of platforms and services, involving contractors and subcontractors; this makes it unclear who is responsible for what – especially when things go wrong.Footnote 25 It is their size and the very large number of companies and organizations that use cloud providers that make them ‘too big to fail’. At the same time, this makes them attractive geopolitical targets.
3.3.3 Complexity
The number of connections, products, services and actors means that systems are becoming increasingly complex and difficult to understand or quickly bring under control. Physical and digital systems are inextricably linked; as operational and digital technologies merge, cyber security (securing systems) and safety (the safety and reliability of systems) are intertwined. This creates new problems. For example, updates to operating systems and user software can have major unintended consequences for the functioning of systems in hospitals. That the damage caused by WannaCry involved missing updates is only half of the story (see inset). The other half is that the complex digital environments of organizations render updates time-consuming; updates entail risks that must first be explored before they can be implemented safely.
WannaCry and the UK’s National Health Service
The global ransomware attack known as WannaCry began on Friday, 12 May 2017. Within a day, it had affected over 230,000 computers in at least 150 countries. One of the most high-profile victims was the NHS in the UK. WannaCry exploited a known vulnerability in Windows, for which Microsoft had already released a patch 2 months earlier. The NHS had not yet implemented the patch; the malware spread mainly through the internal network of the affected hospitals.
WannaCry disrupted services in one-third of UK hospital trusts (around 80) and 8% of GP practices and NHS organizations (around 600 institutions). About 19,000 patient appointments were cancelled; 5 out of the 27 accident and emergency centres infected were unable to provide care to all patients and had to be relocated. Communication during the crisis also became more difficult because the use of e-mail was in many cases no longer possible. It took the NHS about 1 week to return to normal.
Estimates of the total financial damage caused by WannaCry worldwide range from a few hundred million to a staggering four billion dollars. The UK Department of Health and Social Affairs calculated the costs of the incident, broken down into costs incurred during the crisis and costs the following week, and into direct costs (lost production in terms of patient care) and the additional IT support needed to restore affected data and systems.
During | Aftermath | Total | |
---|---|---|---|
Direct costs | £19 million | 0 | £19 million |
IT costs | £0.5 million | £72 million | £73 million |
Total | £20 million | £72 million | £92 million |
‘Complex’ means more than just ‘complicated’. A complicated system consists of many parts and connections but is ultimately organized. A complex system consists of many parts and connections and, in part, lacks organization. Complex systems are characterized by multifaceted interactions that follow their own local rules; there are no overarching rules or principles that characterize the various interactions that can potentially take place.Footnote 26 If these interactions are closely aligned and tightly organized, disruption can have a significant external effect and lead to problems at the system level.Footnote 27
This raises doubts about the current trend of linking all sorts of devices and systems to the internet without due regard for potential consequences, including for corporate and government systems, devices in hospitals, and physical infrastructure such as canal locks. Once they are connected to the internet, these systems are potentially vulnerable to errors and disruptions in other parts of the global infrastructure. This means that society is now vulnerable to unexpected system failures on a much larger scale.Footnote 28 The OECD notes that the ‘indirect effects’ of such errors or disruptions may lead to significant damage.Footnote 29
Complexity becomes a problem if something goes wrong. An explosion may occur at the location where chemicals are mixed or where fireworks are stored; in terrorist attacks, the perpetrators are usually active on the ground or have left explosives there at an earlier stage. But in the disruption or failure of digital facilities, cause and effect may be far removed in physical terms. This makes it more difficult to determine causality, particularly when malicious actors are involved, and how and where authorities should act. Which organization should the authorities be looking at, and where? Which systems are involved and who is using them? It can also be unclear whether and under what circumstances a course of action, such as forcing entry into a system, will lead to disruption. The right moment to intervene is difficult to determine.
3.4 Geopolitics
Digitization has changed the position of countries in the world, especially countries with open societies. Digitization has increased their vulnerability, providing a much wider ‘area of attack’ for malicious actors. It has also given them the means to do serious damage, made even more attractive by the anonymity of the internet. Dependence on foreign providers also raises questions about the technological facilities that countries need to adequately guarantee the continuity of their core societal processes.
3.4.1 Dependence on Large Foreign Providers
Especially in western countries, many organizations that provide these core services are privately owned. This is especially true of organizations that work with digital technology. The Dutch government largely depends on Fox-IT for the integrity and confidentiality of government information. For telecommunications services, the government relies on companies such as KPN. Due to such dependence, acquisitions are sensitive.Footnote 30 For example, the emergency number 112, the national communication network for emergency services (C2000), the Emergency Communication Facility, and the fibre optic network for defence and telecommunication services for Schiphol Airport would be potentially vulnerable to discontinuity if they were to be acquired by a provider from another country.Footnote 31 For many Fox-IT services, there is no alternative; the recent takeover of Fox-IT by a British party gives pause for thought.Footnote 32
In addition to corporate takeovers, this issue also applies to tenders and investment in new technology. C2000 is currently maintained by an originally German company (Hytera) now in Chinese hands. The Chinese company Huawei is working with all major telecoms companies in the Netherlands and has many contracts in Europe to build 5G networks. There is suspicion that such companies are – with or without their knowledge – undermining Dutch society by enabling espionage, disruption or sabotage by other states. Some of the countries in which these companies are based have legislation that could force these firms to cooperate with their governments. Partly for this reason, the Dutch government decided in 2018 to phase out the use of Kaspersky’s antivirus software.Footnote 33
Particularly the growing presence of Chinese companies in EU member states is perceived as a risk to national economic security.Footnote 34 An underlying problem is that the internet is intrinsically insecure. Companies have an interest in an open and unsafe internet as this enables them to collect a great deal of user data.Footnote 35 But an open and unsafe internet also helps governments to undertake surveillance, often exploiting the lack of security in companies’ existing systems, especially telecoms companies as they offer access to so much digital data traffic. China is certainly not the only country that intrudes into digital systems to collect information, with the ability to launch full-fledged cyber operations. The United States, France, Russia, the United Kingdom, Israel and Germany all have professional military cyber units and intelligence services with their own means of attack. Building up offensive cyber capacity is much cheaper and easier than aiming for a safer internet by, for example, investing in public interest technology or regulating vital infrastructure.Footnote 36 The net effect of building offensive cyber capacity is an increasingly unsafe digital realm.
3.4.2 Malicious States
Various actors have the capacity and motive to disrupt the core processes of society. Criminal actors and states constitute the leading threats to national security.Footnote 37 Criminals focus on where they can gain the most or have the greatest impact; increasingly, this means public services. In addition to major financial institutions, hospitals are increasingly targeted due to the sensitive personal data they possess and society’s dependence on healthcare facilities and services. States tend to focus on espionage – with more than a hundred countries possessing the means for it – and the undermining of core processes in other societies. Of all malicious actors, states have the greatest resources at their disposal; they can choose specific goals, work on achieving them over long time horizons, and cause the greatest damage.
While the initial fear was that cyber weapons could destroy national electricity supplies or military command structures, they now appear to be aimed primarily at more mundane areas, often in pursuit of specific goals. Examples include the shutdown of the oil company Saudi Aramco in Saudi Arabia, the destruction of a blast furnace in Germany,Footnote 38 the paralysis of municipal computer systems in Atlanta, and the manipulation of elections. Such actions take place almost daily, not to destroy other countries but to disrupt their functioning and undermine citizen confidence. There are no international rules about what is permitted and about proportionate responses.Footnote 39 States are reluctant to help develop cyber-specific international rules of conduct. With their own activities in cyberspace often shrouded in secrecy, actions often go unanswered and continue unimpeded.
3.4.3 The Perfect Weapon
Digitization offers the opportunity for achieving major impact using relatively simple techniques, as seen in attacks on the core functions of the internet.Footnote 40 Such attacks can affect many sectors, making them an attractive first step in an escalating conflict. They are much cheaper and easier to carry out than attacks on specific organizations or networks, as they do not require access to the target system which can take months or years of preparation. Attacks can also be switched on and off with the touch of a button, making them highly effective means to exert pressure. Alarmingly, attacks on the core functions of the internet remain limited in discussions over national security and cyber conflict.Footnote 41
Attacks on the Core Functions of the Internet: Dyn, Mirai and the Internet of Things
In 2016, the Domain Name System (DNS) was corrupted by a DDoS attack using the Mirai botnet.Footnote 42 With the failure of the little-known DNS provider Dyn, major platforms such as Twitter, Netflix, Reddit and many other popular websites and services were inaccessible in the US and Europe for most of the day. Thousands of compromised consumer devices from webcams to digital video recorders were enlisted in the attack. A similar attack later targeted major media websites in France.Footnote 43 Some consider the Mirai botnet attacks as a dress rehearsal.Footnote 44
There have been many attacks on the DNS, including one on all 13 DNS root servers in 2002.Footnote 45 In 2015, China launched a 5-day DDos attack on Github for hosting websites that bypassed its censorship restrictions – the first time a state used its own digital infrastructure for offensive purposes. Also in 2015, hackers attacked Turkey’s top-level DNS (.tr), rendering all websites using the domain name – banks, media companies, all government organizations and military networks – inaccessible for at least a day. That attack lasted for more than 2 weeks. Attacks on the DNS are difficult to mitigate because they mimic normal user behaviour and are difficult to separate from normal internet traffic.
Cyber weapons seem to be the ‘perfect weapon’.Footnote 46 They can be obtained cheaply and used for myriad purposes, from disrupting organizations that provide services essential to the everyday functioning of society to sowing uncertainty and dissatisfaction. What is more, it is easy to cover one’s tracks.Footnote 47 These features have led to a shift in the balance of power, with smaller countries now exercising more clout through the digital domain, able to take part in the global battlefield even if they lack the wherewithal to enter into large-scale military confrontation. Cyber-attacks such as NotPetya and WannaCry have also shown that the alleged perpetrators (Russia and North Korea, respectively) are prepared to accept a great deal of collateral damage.Footnote 48
3.5 Conclusion
We can draw a number of conclusions:
-
There is a very high degree of interdependence between the digital domain and the physical domain. Developments such as ‘datafication’, the use of algorithms in decision-making, and the complex web of connections between systems around the world mean that the physical realm now merges seamlessly with the digital realm. Societal disruption will increasingly have both a digital and a physical dimension.
-
The continuity of everyday life has traditionally been a major public interest. In a digitized society, this interest remains undiminished.
-
Digitization means that society is now vulnerable to new forms of disruption due to unstable and often poorly secured software and hardware as well as complex, cross-border supply and production chains. These create many opportunities for malicious actors to disrupt societal processes or even to take them down entirely.
-
Digitization also means that the continuity of core societal processes at the national level largely depends on parties based overseas, specifically major providers of digital services and malicious state actors that specifically target these services.
Notes
- 1.
WRR, 2011a.
- 2.
WRR, 2015: 27–28.
- 3.
Kitchin, 2014: 87–98.
- 4.
WRR, 2011a.
- 5.
- 6.
Schneier, 2018: 85.
- 7.
Sanger (2018, 185, 255) mentions 80,000 posts on Facebook, possibly seen by 126 million people, and 288 million readers of Twitter messages. The impact of this remains unknown.
- 8.
See e.g. Stratix (2017: 4) for telecom failures.
- 9.
Van Gompel, 2018.
- 10.
WRR, 2015: 66.
- 11.
- 12.
See e.g. Pras, 2014.
- 13.
- 14.
Van Ruijven & Duijnhoven, 2018.
- 15.
Snyder, 2017.
- 16.
For the distinction between chains and networks, see WRR (2011a: 72). A ‘chain’ is a linear process in which different organizations work towards a shared end result outside their own organization. ‘Network’ refers to a relatively open relationship in which nodes are related to other nodes through multiple, traversing and often redundant connections.
- 17.
See WRR, 2017 for an analysis of flow security and how it is addressed in policy.
- 18.
- 19.
- 20.
Klaver et al., 2013.
- 21.
Van Eeten et al., 2011.
- 22.
ChipSoft is now the largest supplier of new hospital electronic health records in the Netherlands, followed by Epic. Nine of the last ten implementations came from one of these two companies. https://www.zorgvisie.nl/hoe-konden-chipsoft-en-epic-zo-dominant-worden/
- 23.
Dunn Cavalty, 2007: 14.
- 24.
Boin, 2017.
- 25.
Hon & Millard, 2018: 350.
- 26.
Michels & Walden, 2018: 32–37.
- 27.
- 28.
West, 2017.
- 29.
Perrow, 1983.
- 30.
Clearfield & Tilcsik, 2018: 242.
- 31.
- 32.
NCTV, 2018.
- 33.
Bulten et al., 2017: viii.
- 34.
- 35.
https://www.rijksoverheid.nl/documenten/kamerstukken/2018/05/14/voorzorgsmaatregel-ten-aanzien-van-gebruik-kaspersky-antivirussoftware. Meanwhile, policy is being developed for secure software and hardware; see Ministry of Economic Affairs and Climate and Ministry of Justice and Security, 2018.
- 36.
AIVD, 2019.
- 37.
- 38.
- 39.
There is no generally accepted typology of malicious actors. It is also unclear what constitutes ‘malicious’. NCTV, 2018 distinguishes between states, criminals, terrorists, hacktivists, cyber vandals and script kiddies, and insiders. This categorization is, in amended form, based on an extensive typology of threat actors by De Bruijne et al., 2017. Boundaries between these actors can be blurry as groups often work together and means of attack quickly become ‘established’ once they have been used.
- 40.
- 41.
Mačák, 2017.
- 42.
WRR, 2015, section 2.
- 43.
- 44.
- 45.
ENISA, 2018a: 50.
- 46.
Scott & Spaniel, 2016.
- 47.
DeNardis, 2014: 98.
- 48.
Sanger, 2018.
- 49.
ENISA, 2017.
- 50.
The Stuxnet attack on nuclear power stations in Iran, attributed to Israel and the United States, led to great collateral damage. Around 50,000 computers were infected in India, Indonesia, Pakistan and Germany. See Schneier, 2015: 150.
References
AIVD (Algemene Inlichtingen en Veiligheidsdienst) [General Intelligence and Security Service]. (2019). Annual report 2018. AIVD.
Boin, R. A. (2017). De grenzeloze crisis: Uitdagingen voor politiek en bestuur [Crisis without borders: Challenges for politics and management]. Inaugural lecture, Leiden University.
Broeders, D. (2017). Aligning the international protection of ‘the public core of the internet’ with state sovereignty and national security. Journal of Cyber Policy, 2(3), 366–376.
Bulten, C., de Jong, B., Breukink, E., & Jettinghoff, A. (2017). Vitale vennootschappen in veilige handen [Vital companies in safe hands]. Radboud Business Law Institute. https://www.wodc.nl/binaries/2609_Volledige_Tekst_tcm28-250320.pdf
Clearfield, C., & Tilcsik, A. (2018). Meltdown: Why our systems fail and what we can do about it. Penguin.
CPB [Netherlands Bureau for Economic Policy Analysis]. (2018). Risk report on cyber security economy 2018. https://www.cpb.nl/sites/default/files/omnidownload/CPB-Notitie-15okt2018-Risicorapportage-Cyberveiligheid-Economie-2018.pdf
De Bruijne, M., van Eeten, M., Gañán, C.H., & Pieters, W. (2017). Towards a new cyber threat actor typology: A hybrid method for the NCSC Cyber Security Assessment. https://www.wodc.nl/binaries/2740_Volledige_Tekst_tcm28-273243.pdf
DeNardis, L. (2014). The global war for internet governance. Yale University Press.
Dunn Cavalty, M. (2007). Critical information infrastructure: Vulnerabilities, threats and responses. ICTs and International Security, 3. https://www.peacepalacelibrary.nl/ebooks/files/UNIDIR_pdf-art2643.pdf
ENISA. (2017). Commonality of risk assessment language in cyber insurance. Recommendations on cyber insurance. https://www.enisa.europa.eu/publications/commonality-of-risk-assessment-language-in-cyber-insurance
ENISA. (2018a). ENISA threat landscape report 2017: 15 top cyberthreats and trends. ENISA.
ENISA. (2018b). Good practices on interdependencies between OES and DSPs. ENISA.
Hon, W. K., & Millard, C. (2018). Banking in the cloud. Part 2: regulation of cloud as ‘outsourcing’. Computer Law & Security Review, 34, 337–357.
Kitchin, R. (2014). The data revolution: Big data, open data, data infrastructures and their consequences. Sage.
Klaver, M. H. A., Verheesen, B., & Luiijf, H. A. M. (2013). Intersectorale afhankelijkheden: Buitenlandse methoden en mogelijke toepasbaarheid in Nederland [Intersectoral dependencies: Methods from abroad and their possible application in the Netherlands]. TNO.
Luiijf, E., & Kernkamp, A. (2015). Sharing cyber security information: Good practice stemming from the Dutch public-private participation approach. TNO.
Mačák, K. (2017). From cyber norms to cyber rules: Re-engaging states as law-makers. Leiden Journal of International Law, 30(4), 877–899.
Michels, J. D., & Walden, I. (2018). How safe is safe enough? Improving cybersecurity in Europe’s critical infrastructure under the NIS Directive. Queen Mary School of Law Legal Studies Research Paper No. 291/2018. https://ssrn.com/abstract=3297470
Ministry of Economic Affairs and Climate and Ministry of Justice and Security. (2018). Roadmap Veilige Hard- en Software [Roadmap for safe hardware and software]. The Hague.
Mueller, M. (2017). Will the internet fragment? Sovereignty, globalization and cyberspace. Polity Press.
NCTV. (2018). Nationale veiligheid bij overnames en investeringen of inkoop en aanbesteding [National security in take-overs and investments or service provision and tenders]. https://www.nctv.nl/binaries/WEB_113154_NCTV_Veiligheid_bij_overnames_tcm31-334520.pdf
Netherlands Court of Audit. (2019). Digitale dijkverzwaring: Cybersecurity en vitale waterwerken [Digital flood defences: Cyber security and vital defences]. The Hague.
OECD. (2003). Emerging Risks in the 21st Century. An agenda for Action. OECD Publishing.
Perrow, C. (1983). The organizational context of human factors engineering. Administrative Science Quarterly, 28(4), 521–541.
Pras, A. (2014). Alle dagen internet. Beheersen door beheren [Every day on the internet: Control through management]. Inaugural lecture, University of Twente.
Sanger, D. A. (2018). The perfect weapon: War, sabotage and fear in the cyber age. Crown.
Schneier, B. (2015). Data and goliath: The hidden battles to collect your data and control your world. W.W. Norton & Company.
Schneier, B. (2018). Click here to kill everybody: Security and survival in a hyper-connected world. W.W. Norton & Company.
Scott, J., & Spaniel, D. (2016). Rise of the machines: The Dyn attack was just a practice run. Institute for Critical Infrastructure Technology. https://icitech.org/wp-content/uploads/2016/12/ICIT-Brief-Rise-of-the-Machines.pdf
Snyder, C. (2017). Too connected to fail. How attackers can disrupt the global internet, why it matters and what we can do about it. Cyber Security Project, Belfer Center for Science and International Affairs.
Stratix. (2017). Telekwetsbaarheid. Handelingsperspectief voor huishoudens bij uitval van telecomdiensten door stroomstoring [Remote vulnerability. How households can respond in the event of an outage of telecom services due to a power outage]. Hilversum.
Van den Hoven van Genderen, R. (2017). Is de verkoop van Fox-IT aan een buitenlandse partij (de ‘FOXIT’) een bedreiging voor de nationale veiligheid? [Is the sale of Fox-IT to a foreign party (the ‘FOXIT’) a threat to national security?]. Tijdschrift voor Internetrecht, 2017(2).
Van Eeten, M., & Bauer, M. (2012). Mega-crises and the internet: risks, incentives, and externalities. In I. Helsoot, A. Boin, B. Jacobs, & L. Comfort (Eds.), Mega-crises: Understanding the prospects, nature, characteristics and the effects of cataclysmic events. Charles C. Thomas.
Van Eeten, M., Nieuwenhuijs, A., Luiijf, E., Klaver, M., & Cruz, E. (2011). The state and the threat of cascading failure across critical infrastructures: the implications of empirical evidence from media incident reports. Public Administration, 89(2), 381–400.
Van Gompel, M. (2018) Softwarefout en winkeldief oorzaak van grote treinstoring Amsterdam [Software error and shoplifter cause of major train failure Amsterdam]. SpoorPro Professional Journal for the Rail Sector. https://www.spoorpro.nl/materieel/2018/08/22/grote-treinstoring-in-amsterdam-door-softwarefout-en-winkeldief/
Van Ruijven, Th., & Duijnhoven, H. (2018). Verkenning ten behoeve van de risicocategorie aantasting functioneren internet [Exploration of the ‘effects on the functioning of the internet’ risk category]. TNO.
Van Ruijven, Th., & Keijser, B. (2017). Ketenweerbaarheid tegen cyberdreigingen: uitgangspunten, good practices en een stappenplan voor het vergroten van cyber-ketenweerbaarheid [Chain resilience against cyber threats: Principles, good practices and a step-by-step plan for improving cyber resilience]. TNO.
West, G. (2017). Scale: The universal laws of growth, innovation, sustainability, and the pace of life in organisms, cities, economies, and companies. Penguin.
WRR [Netherlands Scientific Council for Government Policy]. (2011). iOverheid [iGovernment]. Amsterdam University Press. https://www.wrr.nl/publicaties/rapporten/2011/03/15/ioverheid
WRR [Netherlands Scientific Council for Government Policy]. (2015). De publieke kern van het internet. Naar een buitenlands internetbeleid [The public core of the internet. Towards a foreign internet policy]. Amsterdam University Press. https://english.wrr.nl/publications/reports/2015/10/01/the-public-core-of-the-internet
WRR [Netherlands Scientific Council for Government Policy]. (2017). Veiligheid in een wereld van verbindingen [Security in a connected world]. WRR. https://www.springer.com/gp/book/9783030376055
Zuboff, S. (2019). The age of surveillance capitalism: The fight for a human future at the new frontier of power. PublicAffairs.
Author information
Authors and Affiliations
Rights and permissions
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
© 2021 The Author(s)
About this chapter
Cite this chapter
Schrijvers, E., Prins, C., Passchier, R. (2021). Digitization and Societal Disruption. In: Preparing for Digital Disruption. Research for Policy. Springer, Cham. https://doi.org/10.1007/978-3-030-77838-5_3
Download citation
DOI: https://doi.org/10.1007/978-3-030-77838-5_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-77837-8
Online ISBN: 978-3-030-77838-5
eBook Packages: Computer ScienceComputer Science (R0)