The Dutch business community is itself taking the lead in the fight against cyber criminals. There will be a warning system for every organisation that is at risk of being attacked by hackers. The initiators no longer want to wait for the government.
The new warning system should prevent companies from still being hacked while the government is aware that their digital front door has been open for a long time. "We have decided not to wait for the government any longer and set up such a system ourselves," says Inge Bryan, director of the cybersecurity company Fox-IT and closely involved in the development of the system.
In recent years, several companies in the Netherlands were hacked, while the government already knew that these organisations had their digital front door open. However, the responsible Ministry of Justice and Security had no authority to share this information more widely.
'Everything is ready'
But that will soon change. Anyone who finds a vulnerability (often ethical hackers, software companies or cybersecurity officers) will soon be able to report it to the new initiative. The system then automatically warns the right person or their internet provider. Various industry and non-profit organisations are involved in the warning system, among them the internet service providers (NBIP), the digital sector (DINL) and Connect2Trust. 'We already have the hardware and software that are required,' assures Octavia de Weerdt, director of NBIP.
Up until now, reports about concrete threats were mainly submitted to the National Cyber Security Center (NCSC) of the Ministry of Justice and Security. A recent amendment to the law has given the NCSC more leeway to disseminate information. For example, information can now be passed on to the Digital Trust Center (DTC) of the Ministry of Economic Affairs and Climate, which recently started a pilot to pass information on further.
According to the initiators, this does not solve the problem. "The NCSC completely underestimates the urgency and the pace," said Bryan of Fox-IT. "Information should be shared within minutes. That will take weeks now."
A barrier to rapid information sharing is the GDPR privacy law. Lists with, for example, leaked e-mail addresses and passwords often remain unshared. The government may only share personal data if there is a legal mandate to do so, but the situation is different for a private initiative. 'As a private organisation we can invoke a legitimate interest', says Frank Breedijk, of the volunteer collective Dutch Institute for Vulnerability Disclosure (DIVD).
As a result of the initiative, there will soon be two organisations where vulnerabilities in IT systems can be reported. The NCSC is now seen by foreign governments and international companies such as Microsoft as the party to which leaks must be reported. Bryan hopes that such parties will also report their information to the private warning system. "We will also inform vulnerable parties unsolicited, something the government is not allowed to do."
She is not afraid that information will become further fragmented. "The government will always have legal restrictions that a private initiative does not have. And it is also understandable that there is information that the government wants to keep to itself. So in the end you will always have two systems." She does hope that the NCSC will participate in the initiative. Conversely, the new initiative will also share its information with the government.