Cryptographic products and services form the foundation of a reliable digital economy. Cryptographic algorithms are generally developed in the field of science and are often public. Products and services based on cryptography are developed worldwide, with a high degree of specialization sometimes observed.
If the Dutch economy were to depend on one country or supplier for a vital cryptography application, this would pose a risky strategic dependency (RSA). This research aims to identify dependencies in the various market segments of the cryptography value chain and assess the extent to which these dependencies pose strategic risks.
The research distinguishes three (market) segments:
- the high-end segment, where cryptography is used to protect highly classified ('state secret') information. This specifically concerns the products and services that may be used for this purpose after evaluation by the AIVD.
- the 'mid-range' segment, where advanced cryptography is employed for specific purposes, often within regulatory frameworks. This includes applications in areas such as the electricity infrastructure, telecom networks, the financial sector, and more.
- the generic segment, encompassing everyday products and services that apply cryptography and are used by businesses and consumers. This includes applications like Microsoft Teams and WhatsApp.
The research primarily focuses on the mid-range segment, where societal and economic interests are most significant and the supply is potentially the most specialised. In this sector, regulatory frameworks are the main drivers for selecting cryptographic products and services. Certification and assurance are crucial here, providing a useful delimitation of the relevant products and services for the research.
Several universities in the Netherlands are working on high-end cryptographic algorithms. Additionally, the Netherlands is one of the few 'crypto producing nations' within NATO. France and Germany are the leading players in Europe in terms of certified products. The majority of products with European high assurance certification for vital sectors are produced in the EU, with around 75% in Germany and France. A small percentage of these products (about 5%) come from South Korea outside of Europe.
In the high-end segment, the Netherlands has limited dependence on products and services from other countries. Dependences are evaluated early on by the AIVD. In the mid-range segment, there are dependencies concerning high assurance products from suppliers mainly located within the EU. However, it is also noticeable that in certain product categories (e.g. databases and access control), there are hardly any European certified high assurance products on the market. This could lead to a dependency on primarily American producers. In the mid-range segment, dependencies are highly sector-specific. In these sectors, cryptography is usually not procured as a standalone product, unlike in the high-end segment, but rather as part of a broader product or as a service. Therefore, the dependencies are at a higher level than that of cryptographic products.
Moreover, there is a strong dependence on specialised personnel. The results suggest that the dependency on personnel and expertise in the sector and among consumers in the mid-range segment is greater than the dependency on cryptography suppliers.
Lastly, the Netherlands boasts an excellent (academic) knowledge position in cryptography. Since many cryptographic algorithms are now public, this does not lead to dependencies nor does the knowledge position directly offer an advantage for the mid-range segment. When it comes to certification and assurance, the Netherlands' position is also excellent, and proximity may provide an advantage.
