The Dutch Safety Board (Onderzoeksraad voor Veiligheid/OvV) published a report on the effects of vulnerabilities within Citrix software today. Jeroen Dijsselbloem, the council’s chairman, concluded: “This example proves that Dutch governmental and business offices are very vulnerable to cyberattacks, and that there is no national structure in which all potential victims can be warned in time.”
Attacks through Citrix
On 17 December 2019, Citrix revealed they had found vulnerabilities in their software, and offered temporary solutions to mitigate the issue. Before organisations using Citrix were able to act, many of them were targeted by cyberattacks. The National Cyber Security Center (NCSC) warned those organisations it deemed vital; others were not warned. To this day some systems are still compromised, which poses a significant risk to the users of those networks.
Safe software is generally the manufacturer’s responsibility. The OvV is of the opinion that manufacturers should invest more in continually updating the security of their products. Many organisations that rely on these software solutions will not be warned if vulnerabilities are detected, as the NCSC does not deem itself responsible for doing so. The OvV strongly recommends a centralized approach from the government’s side to detect threats and warn potential victims.
Recommendations of the Research Council
In our digitising society, the council recommends a new quality standard for the security of software, and measures to make sure manufacturers adhere to it. Furthermore, co-operation between business and government should be stimulated, to increase the already scarce knowledge on this subject, and to gain leverage over software manufacturers so that they respect a new standard for the quality of their products. Finally, the council recommends new laws so that large companies and organisations can be held liable when it comes to upholding their digital safety.
Read the official press release in Dutch here.