Despite positive developments in cyber security, various incidents in the past year have shown there is still plenty of work to be done in the Netherlands, according to a report by the National Coordinator for Counterterrorism and Security (NCTV).
Digital processes form the nervous system of Dutch society, which require undisturbed functioning. Cyber attacks affect this nervous system and can ultimately lead to the paralysis of parts of society. Because of the interconnectedness between the digital and physical worlds, administrative attention to the importance of digital security, digital threats and resilience from a purely technical perspective is too limited, says the NCTV’s Cybersecurity assessment Netherlands 2021 report.
The country’s National Cyber Security Centre (NCSC) has seen an increase in the use of multifactor authentication by companies, and insecure technologies are being phased out, bringing about an improvement in detection and response, and a wide range of initiatives are emerging to improve organisations’ resilience.
But the Netherlands does not yet have its digital resilience sufficiently under control, says the NCTV’s report, as evidenced by the various cyber incidents the country had to deal with last year.
In the report, the NCTV identifies four risks to Dutch national security:
- Unauthorised access to information, particularly through espionage.
- Inaccessibility of processes as a result of sabotage and the use of ransomware.
- Violation of the security of digital space.
- Large-scale outages.
Espionage, sabotage and downtime were also looked at in last year’s report, and the risks associated with these are still topical in the Netherlands. Numerous cyber incidents have taken place in the past year in, or in relation to, the Netherlands.
Covid-19 was frequently used as a theme by cyber criminals to carry out attacks, and facilities to work remotely were also targeted. Processes with a digital component were also made inaccessible and organisations in supplier chains were hit. There have been many incidents in which large amounts of vulnerable business and privacy-sensitive information have become public. Non-intentional failures have also led to outages.
Although targeted attacks on critical processes have not yet been seen in the Netherlands, various reports indicate that the resilience of critical processes in the country is sometimes inadequate. The Cyber Security Council concluded in its recent advisory report Integral approach to cyber resilience that even in organisations that are part of vital processes, basic ICT and security hygiene is often not in order, so basic threats to their processes cannot be detected or deflected.
A report by the Human Environment and Transport Inspectorate showed that Waternet, the drinking water supplier for Amsterdam and its surrounding area, is insufficiently “in control” of its cyber security. Also, research by KPN Security, following a hack at a water supply company in the US in which a cyber criminal attempted to poison the drinking water, suggests that many Dutch industrial control systems are not sufficiently secured.
In response to the 2019 Cybersecurity assessment Netherlands, which highlighted an increasing digital threat and the country’s lagging digital resilience, the Dutch government decided that additional measures would be taken, and under the direction of the minister of justice and security, measures were introduced to strengthen the resilience of vital processes to cyber threats.
One of these measures focused on strengthening supervision, which should provide a powerful impetus for vital providers to continue working on a high level of digital resilience and continuity. Various Dutch supervisory authorities are working together on this.
In its Coherent inspection assessment of cyber security of vital processes 2020-2021, the Inspectorate of Justice and Security concluded that not all supervisors yet have standard knowledge and expertise in the field of cyber security. This is an important finding in the light of increasing digital threats and disruptions, and the need for digital resilience.
The NCTV also mentions the dangers of breaching the security of the global digital space, with which almost all digital processes in the Netherlands are strongly intertwined. The digital processes of, for example, providers of critical infrastructure, but also those of large and small companies and citizens, make use of the services and products of globally operating companies.
They are also strongly intertwined with the technical infrastructure of the internet, including, for example, sea cables. This interconnectedness has brought many benefits and continues to offer opportunities, but at the same time poses a risk. Misuse or failure of this digital space can have major consequences for the functioning of the digital processes, which can affect the Netherlands’ economy or put the country at a disadvantage in international negotiations.
In the digitised Netherlands, security is not a separate issue. It is linked to values such as freedom and economic growth. Ideally, there should be a balance, but that balance is under pressure, says the NCTV, because the tension between different values is increasing.
Digitisation plays an increasingly important role in the relationship between countries, but countries and international partnerships can also experience discomfort over the influence of large tech companies and want to be less dependent on a handful of major players from a limited number of countries.
The entire Dutch society runs on a digital infrastructure of which only a few technology companies are owners and gatekeepers. As a result, digital or strategic autonomy is indispensable for the Netherlands.