Cyber security is becoming a Dutch export
By Jasper Bakker
IT security is about to rival cheese, tulips, windmills and flood defences as an export from the Netherlands.
What can the world learn from the Netherlands when it comes to cyber security? “Digital dykes” was how former minister of safety and justice Ivo Opstelten described the nation’s battle against cyber crime and malware.
The Netherlands’ historical battle against the sea has given it valuable expertise that is usable worldwide. The plan is to achieve the same with digital safety – both for consumer and enterprise security. Opstelten used the sea as an analogy in his opening speech at the international security conference of his department’s NCSC (National Cyber Security Centre) back in 2014.
Since then, the Dutch have implemented several initiatives in the public and private sectors to improve cyber security or ‘heighten’ the digital dykes, as it were – and it has had some success. The Netherlands was one step away from being the safest country in the European Union for internet users, according to Eurostat, the EU’s statistical office. Only internet users in the Czech Republic had fewer security-related problems in 2015.
The Netherlands also has the dubious honour of being in the world’s top five countries of origin for malware. Such digital threats have a global impact, so the Netherlands is working hard to improve its cyber security. This has led to more public-private co-operation, with organisations embracing responsible disclosure policies, and better notification of digital threats. Gone are the days of vulnerability alerts being revealed publicly only after they have been disseminated in IT security circles. Also gone is the somewhat hostile attitude towards so-called white hat (ethical) hackers, who probe systems without malicious intent.
The Netherlands is now more mature about IT security, says Marinus Kuivenhoven, a security consultant at IT services provider Sogeti, where he regularly scans systems, sites and software for large enterprises. “Great strides have been made in the past two years in the handling of security,” he says, adding that there is an attitude of “wanting to do it right”. Kuivenhoven points to several initiatives in the Netherlands where government bodies and private companies are coming together to improve IT security. Independent security researcher Chris van ‘t Hof adds: “I think there is good co-operation between public and private sectors here in the Netherlands.” Partnerships in the form of information sharing and analysis centres (ISACs) are effective, he adds. Kuivenhoven also mentions the CIP (Centre for Information security and Privacy protection), which is partly funded by the Dutch tax authority and which several departments have joined, as well as the industry at large.
Built-in security, not bolt-on
The CIP’s activities include the drafting of a security framework. “The framework covers security questions in the design of IT systems,” says Kuivenhoven. Security is not something to be left until after IT projects have been delivered, or when specific vulnerabilities have been discovered, he adds. Although the framework is not a complete ‘how to’ guide for enterprise security, it does cover the basic issues. It suggests questions that should be asked and offers some answers to common security questions. “It is a way to start up a dialogue about security, both for IT-using organisations and IT solution providers,” says Kuivenhoven.
He praises CIP spin-offs, such as the Secure Software Development (SSD) manifesto, which includes guidelines and processes to develop secure software, and facilitates a community of SSD practitioners. “I would not have foreseen this just four years ago,” says Kuivenhoven. There are other similar spin-offs focused on privacy, cloud computing and the internet of things. “It works on a voluntary basis, but it all serves the general interest – the security of the Netherlands,” says Kuivenhoven.
Such agreements are unique to the Netherlands, says Kuivenhoven, who is in regular contact with his international colleagues. Other countries do have compliance guidelines and certification procedures, he says, but many security measures are designed after the fact. Security needs to be embedded into the design, implementation and operation of IT systems, he says. And vulnerabilities in software are still the Achilles’ heel of digital safety, according to the NCSC’s 2015 Cyber Security Assessment for the Netherlands. The Dutch claim to have another advantage in the actual usage of IT systems. The so-called responsible disclosure for the reporting and handling of discovered vulnerabilities is common practice in the country. Enterprises of all sizes have internal policies and external guidelines for how to deal with the discovery – and eventually fixing – of vulnerabilities in their IT environments.
To realise these public and private sector initiatives to improve cyber security, or ‘heighten’ the digital dykes, the Netherlands needs skilled IT professionals. Currently the Netherlands is dealing with a huge shortage of IT professionals, and this challenge will only get bigger in the future. To keep its position as a leader in cyber security, the Netherlands needs to keep attracting international IT talent. Esti, IT Recruitment Amsterdam, guides companies in developing a company culture that will generate maximum employee engagement and in which international professionals thrive.