Cybersecurity Assessment 2024: Turbulent Times, Unforeseen Effects

The digital threat to the Netherlands is significant and diverse. The country is a target for cyberattacks and is also affected by attacks occurring elsewhere that have repercussions within the digital ecosystem. There is an observed intensification in the activities and a broadening of the capabilities of state actors. These are the key conclusions from the recently released Cybersecurity Assessment Netherlands (CSBN) 2024, prepared by the National Coordinator for Counterterrorism and Security (NCTV).

Digital risks are complex and highly interconnected, which can lead to unforeseen effects, as disruptions have already caused widespread system outages. The NCTV warns in the CSBN that it is crucial to adopt a broad perspective on risk management, going beyond standard regulations and basic measures.

“One of the main findings in this CSBN is that state actors are intensifying their cyber activities and broadening their cyber capabilities,” says Pieter-Jaap Aalbersberg, National Coordinator for Counterterrorism and Security. “The pace and complexity of state cyber campaigns are increasing. They also employ other actors, such as companies or hacktivists, to carry out digital attacks. This blurs the lines between different organisations. For example, individuals may fulfill a scientific role or a role in the business sector while simultaneously being connected to an intelligence agency.”

Cyberattacks often do not occur in isolation; they are part of a broader toolkit that states employ. Multiple cyberattacks can be used in combination or alongside non-cyber means (such as disinformation campaigns). “When it comes to risk management, it is also important to consider the interconnections of these cyberattacks and the broader threat posed by the cumulative nature of these risks,” the NCTV states.

Large-Scale Outages

In addition to cyberattacks, there is a threat posed by large-scale outages, which can also be caused by technical issues and unintentional human actions. In a digital monoculture, where many organisations rely on a small number of providers, incidents can have far-reaching and unforeseen consequences. An example of this is the computer failure caused by cybersecurity company CrowdStrike in July 2024, which rendered 8.5 million computers globally unable to boot. Such disruptions can have serious repercussions, potentially halting public transport, air traffic, or medical services. The NCTV also warns about the global trade in personal data and the scarcity of cybersecurity capacity and personnel.

Progress of the Dutch Cybersecurity Strategy

In 2022, the Dutch government presented the Dutch Cybersecurity Strategy (NLCS) aimed at creating a digitally safe and resilient Netherlands. Concurrently with the CSBN 2024, a progress report on the NLCS was submitted to the House of Representatives. This report outlines the progress of the public-private action plan, which addresses the challenges highlighted in the CSBN 2024.

The government aims to counter the threats posed by countries with offensive cyber programs targeting Dutch interests as much as possible and to deter these actions proactively. Over the past year, this has led to the publication of information regarding advanced malware used by China to spy on the computer networks of the Ministry of Defence.

Additionally, efforts are underway to create a new central cybersecurity organisation that will merge the National Cyber Security Centre (NCSC), the Digital Trust Center (DTC), and the Computer Security Incident Response Team for Digital Service Providers (CSIRT-DSP). This will result in a single organisation that informs all entities in the Netherlands about threats and security measures. Preparations are also in full swing for the implementation of the revised European Network and Information Security Directive (NIS2) into the Cybersecurity Act (Cbw).

As outlined in the CSBN 2024, we must prepare for large-scale outages or digital incidents. The government is addressing this, among other ways, through practice exercises. Last year, valuable insights into crisis preparedness were gained through the successful public-private exercise ISIDOOR IV.

Source: NCTV

Photo: Istock.com/Igors Aleksejevs