third Cyber Security Assessment Netherlands - NCSC
on governmental organisations and businesses that use these services. It is not clear who is behind the DDoS attacks.
9. As yet, a broad group of organisations is unable to implement important basic (technical) measures, such as patch and update management or a password policy. Where individual organisations do have their basic security well organised, it appears that shared services and infrastructure are still vulnerable, which in turn leads to a risk for interests that transcend particular organisations.
10. The inherent dynamics of cyber security demand a new approach. Static information security measures are no longer sufficient; organisations need greater insight into threats (detection) and need the capacity to deal with the threats (response).
In conclusion, a) dependence on IT by individuals, organisations, chains and society as a whole has grown; b) the number of threats aimed at governments and private organisations has risen, mainly originating from states and professional criminals; and c) digital resilience has remained more or less at the same level. Although more initiatives and measures are being taken, they are not always in step with the vulnerabilities, and basic security measures have not always been put in place.
Table 1 gives insight into the threats that various actors use to launch attacks on governments, private organisations, and citizens. Please see the Core Assessment (Chapter 6) for more information about the changes in comparison with CSAN-2.
Interests
The scope of cyber security contains different levels of interests: personal interests, the interests of organisations, chain interests and social interests. Cyber security demands the protection of all these interests.
As in previous years, dependence on IT continues to increase, resulting in more interests being affected, or having greater consequences when IT fails to function or there is a break in confidentiality and integrity. This increasing dependence also applies to the vital sectors. In addition, the electricity, telecom, and IT services sectors are considered essential in terms of cyber security. Increased dependence certainly applies to shared online services, such as DigiD and iDeal.
Current developments, such as cloud computing, social media and hyperconnectivity, have led to increasing use of the internet as a platform for business transactions, for processing confidential information and using IT to run socially important processes. The ease of using the internet supports these developments, but it also carries risks, which are not always taken properly into account. Because the Netherlands has invested heavily in the electronic provision of services, cyber security incidents can have a large impact.
Threats: actors and their intentions
The largest threat at the moment concerns states and professional criminals and, to a lesser extent, cyber vandals, script kiddies and hacktivists. It is not always possible to discover which actor is behind a cyber attack: the attribution issue.
States form a threat particularly in terms of information theft (digital espionage), aimed at confidential or competition-sensitive information belonging to governments and businesses. The General Intelligence and Security Service (AIVD) confirmed attacks in the past year on Dutch civil organisations, using Dutch IT infrastructure, originating from China, Russia, Iran, and Syria. The Defence Intelligence and Security Service (MIVD) established that the defence industry is a desirable target for cyber espionage and has seen indications that the cyber espionage threat is also aimed at parties with whom the defence industry collaborates. Information gained through espionage in this industry serves the interest of states. The MIVD also detected malicious phishing activities aimed at Dutch military representatives abroad.
Professional criminals continue to pose a large threat. This was shown recently in financial fraud and theft, with criminals changing online transactions often after the theft, and misusing financial (log-in) data (fraud with internet banking). Furthermore, criminals are guilty of digital break-ins to steal information or to sell the data to the criminal underworld. Finally, an IT takeover, for example through malware infections, remains a worrying subject (see the Pobelka botnet), as does the increasing incidence of ransomware, in which end-users are blackmailed. Botnets, like the Pobelka incident, that are aimed at financial transactions can steal a great deal of other sensitive information, which can pose a significant threat. In the Pobelka case, sensitive data was stolen from businesses and governmental departments in the vital sectors, as well as large quantities of personal data.
Criminals are becoming increasingly daring in their dealings to acquire large amounts of money, for example, automatically downloading and showing child pornography in ransomware to force victims to pay money. The police note that the world of cyber crime has become more intertwined with the usual hardened criminality. Recent surveys show that Dutch citizens are almost as often the victim of hacking as they are of bicycle theft.
Cyber vandals, script kiddies, and hacktivists were recently in the news due to disruption of the online services of governmental bodies and businesses and the publication of confidential information. Generally speaking, script kiddies and cyber vandals do not gain from their activities, other than excitement. The technical tools used by script kiddies are becoming better and easier to use. This means that they can cause greater damage. Meanwhile, the cyber vandal has a great deal of knowledge and can use that to cause substantial damage. It is not always possible to find out how large a share hacktivists hold in the intentional disruption of IT services.