What can the world learn from the Netherlands when it comes to cyber security?
“Digital dykes” was how former minister of safety and justice Ivo Opstelten described the nation’s battle against cyber crime and malware.
The Netherlands’ historical battle against the sea has given it valuable expertise that is usable worldwide. The plan is to achieve the same with digital safety – both for consumer and enterprise security.
Opstelten used the sea as an analogy in his opening speech at the international security conference of his department’s NCSC (National Cyber Security Centre) back in 2014.
Since then, the Dutch have implemented several initiatives in the public and private sectors to improve cyber security or ‘heighten’ the digital dykes, as it were – and it has had some success.
The Netherlands was one step away from being the safest country in the European Union for internet users, according to Eurostat, the EU’s statistical office. Only internet users in the Czech Republic had fewer security-related problems in 2015.
The Netherlands also has the dubious honour of being in the world’s top five countries of origin for malware. Such digital threats have a global impact, so the Netherlands is working hard to improve its cyber security.
This has led to more public-private co-operation, with organisations embracing responsible disclosure policies, and better notification of digital threats.
Gone are the days of vulnerability alerts being revealed publicly only after they have been disseminated in IT security circles. Also gone is the somewhat hostile attitude towards so-called white hat (ethical) hackers, who probe systems without malicious intent.
The Netherlands is now more mature about IT security, says Marinus Kuivenhoven, a security consultant at IT services provider Sogeti, where he regularly scans systems, sites and software for large enterprises.
“Great strides have been made in the past two years in the handling of security,” he says, adding that there is an attitude of “wanting to do it right”.
Kuivenhoven points to several initiatives in the Netherlands where government bodies and private companies are coming together to improve IT security.
Independent security researcher Chris van ‘t Hof adds: “I think there is good co-operation between public and private sectors here in the Netherlands.”
Partnerships in the form of information sharing and analysis centres (ISACs) are effective, he adds.
Kuivenhoven also mentions the CIP (Centre for Information security and Privacy protection), which is partly funded by the Dutch tax authority and which several departments have joined, as well as the industry at large.
Built-in security, not bolt-on
The CIP’s activities include the drafting of a security framework. “The framework covers security questions in the design of IT systems,” says Kuivenhoven.
Security is not something to be left until after IT projects have been delivered, or when specific vulnerabilities have been discovered, he adds.
Although the framework is not a complete ‘how to’ guide for enterprise security, it does cover the basic issues. It suggests questions that should be asked and offers some answers to common security questions.
“It is a way to start up a dialogue about security, both for IT-using organisations and IT solution providers,” says Kuivenhoven.
He praises CIP spin-offs such as the Secure Software Development (SSD) manifesto, which includes guidelines and processes for developing secure software and supports a community of SSD practitioners.
“I would not have foreseen this just four years ago,” says Kuivenhoven.
There are other similar spin-offs focused on privacy, cloud computing and the internet of things. “It works on a voluntary basis, but it all serves the general interest – the security of the Netherlands,” says Kuivenhoven.
Such agreements are unique to the Netherlands, says Kuivenhoven, who is in regular contact with his international colleagues. Other countries do have compliance guidelines and certification procedures, he says, but many security measures are designed after the fact.
Security needs to be embedded into the design, implementation and operation of IT systems, he says. And vulnerabilities in software are still the Achilles’ heel of digital safety, according to the NCSC’s 2015 Cyber Security Assessment for the Netherlands.
The Netherlands claims to have another advantage in the day-to-day operation of IT systems. So-called responsible disclosure for the reporting and handling of discovered vulnerabilities is common practice in the country. Enterprises of all sizes have internal policies and external guidelines for how to deal with the discovery, and eventual fixing, of vulnerabilities in their IT environments.
“Even the Gamma DIY retail chain has a policy for responsible disclosure,” says Kuivenhoven. This illustrates the widespread use of this practice, he adds.
“Germany, for example, does have responsible disclosure, but not as wide and far-reaching as in the Netherlands,” he says.
Kuivenhoven reports surprised reactions from colleagues in other countries, where vulnerability scanning and reporting are not the norm.
Politics play a role in achieving an enlightened approach to ethical hacking and cyber security. The Dutch parliament has discussed the issue of responsible disclosure extensively, and the NCSC has facilitated the drawing up of responsible disclosure policies.
Without this help from government and administration, Dutch cyber security might not have evolved to its current level and it could have been more fragmented, says Kuivenhoven.
From January 2016, Dutch companies must, by law, report data leaks and hacks that could affect others. With this legislation, the Netherlands is taking the lead on the forthcoming EU directive for data protection, which is expected to be mandated in the summer of 2018.