third Cyber Security Assessment Netherlands - NCSC

on governmental organisations and businesses that use these
services. It is not clear who is behind the DDoS attacks.
9. As yet, a broad group of organisations is unable to implement
important basic (technical) measures, such as patch and
update management or a password policy. Where individual
organisations do have their basic security well organised,
it appears that shared services and infrastructure are still
vulnerable, which in turn leads to a risk for interests that
transcend particular organisations.
10. The inherent dynamics of cyber security demand a new approach.
Static information security measures are no longer sufficient;
organisations need greater insight into threats (detection) and
need the capacity to deal with the threats (response).
In conclusion, a) dependence on IT by individuals, organisations,
chains and society as a whole has grown; b) the number of threats
aimed at governments and private organisations has risen, mainly
originating from states and professional criminals; and c) digital
resilience has remained more or less at the same level. Although
more initiatives and measures are being taken, they are not always
in step with the vulnerabilities, and basic security measures have
not always been put in place.
Table 1 gives insight into the threats that various actors use to
launch attacks on governments, private organisations, and citizens.
Please see the Core Assessment (Chapter 6) for more information
about the changes in comparison with CSAN-2.
Interests
The scope of cyber security contains different levels of interests:
personal interests, the interests of organisations, chain interests
and social interests. Cyber security demands the protection of
all these interests.
As in previous years, dependence on IT continues to increase,
resul ting in more interests being affected, or having greater
conse quences when IT fails to function or there is a break
in confidentiality and integrity. This increasing dependence also
applies to the vital sectors. In addition, the electricity, telecom,
and IT services sectors are considered essential in terms of cyber
security. Increased dependence certainly applies to shared online
services, such as DigiD and iDeal.
Current developments, such as cloud computing, social media
and hyperconnectivity, have led to increasing use of the internet
as a platform for business transactions, for processing confidential
information and using IT to run socially important processes. The
ease of using the internet supports these developments, but it also
carries risks, which are not always taken properly into account.
Because the Netherlands has invested heavily in the electronic
provision of services, cyber security incidents can have a large impact.
Threats: actors and their intentions
The largest threat at the moment concerns states and professional
criminals and, to a lesser extent, cyber vandals, script kiddies
and hacktivists. It is not always possible to discover which actor
is behind a cyber attack: the attribution issue.
States form a threat particularly in the terms of information theft
(digital espionage), aimed at confidential or competition-sensitive
information belonging to governments and businesses. The General
Intelligence and Security Service (AIVD) confirmed attacks in the past
year on Dutch civil organisations, using Dutch IT infrastructure,
originating from China, Russia, Iran, and Syria. The Defence
Intelli gence and Security Service (MIVD) established that the defence
industry is a desirable target for cyber espionage and has seen
indications that the cyber espionage threat is also aimed at parties
with whom the defence industry collaborates. Information gained
through espionage in this industry serves the interest of states. The
MIVD also detected malicious phishing activities aimed at Dutch
military representatives abroad.
Professional criminals continue to pose a large threat. This was
shown recently in financial fraud and theft, with criminals changing
online transactions often after the theft, and misusing financial
(log-in) data (fraud with internet banking). Furthermore, criminals
are guilty of digital break-ins to steal information or to sell the data
to the criminal underworld. Finally, an IT takeover, for example
through malware infections, remains a worrying subject (see the
Pobelka botnet), as does the increasing incidents of ransomware,
in which end-users are blackmailed. Botnets, like the Pobelka
incident, that are aimed at financial transactions can steal a great
deal of other sensitive information, which can pose a significant
threat. In the Pobelka case, sensitive data was stolen from businesses
and governmental departments in the vital sectors, as well
as large quantities of personal data.
Criminals are becoming increasingly daring in their dealings
to acquire large amounts of money, for example, automatically
downloading and showing child pornography in ransomware to
force victims to pay money. The police note that the world of cyber
crime has become more intertwined with the usual hardened
crimininality. Recent surveys show that Dutch citizens are almost
as often the victim of hacking as they are of bicycle theft.
Cyber vandals, script kiddies, and hacktivists were recently in the
news due to disruption of the online services of governmental
bodies and businesses and the publication of confidential information.
Generally speaking, script kiddies and cyber vandals do not
gain from their activities, other than excitement. The technical
tools used by script kiddies are becoming better and easier to use.
This means that they can cause greater damage. Meanwhile, the
cyber vandal has a great deal of knowledge and can use that to cause
substantial damage. It is not always possible to find out how large
a share hacktivists hold in the intentional disruption of IT services.
8