Despite high-profile incidents like Hof van Twente, municipalities take few measures against cyber attacks. Almost half do not practice with simulated hacking attacks. In the unlikely event that a cyber threat or digital crisis does occur, there is often no script ready. This is according to research by Binnenlands Bestuur and AG Connect. In April, they sent fifty municipalities a questionnaire about cybersecurity and information security. Twenty-seven of them responded. The main findings of the research were published today.
The poll shows that practicing with cybersecurity attacks is far from a given for municipalities. Six out of twenty-seven municipalities do not practice digital attacks on their own computer systems at all. Eleven municipalities do so partially, or are busy preparing such simulations. Security expert Brenno de Winter calls the results "very disappointing. "This fits the picture that instead of a real test, preference is given to non-committal meetings where someone gives a speech," De Winter said.
The study also reveals that only one in three municipalities has had its information security inspected and analyzed by the Court of Audit in the past five years. According to De Winter, such research hardly ever takes place because the relevant knowledge is often lacking in the Courts of Audit. On the other hand, it is important that it is done regularly: during internal penetration or pen tests, researchers almost always find critical vulnerabilities.
Just last month it was revealed that the information security of the municipality of Utrecht was not in order. Employees were insufficiently aware of the dangers of social engineering and phishing and secret information was not stored properly. Furthermore, the municipality worked with outdated operating systems and passwords were easy to obtain or crack. External security, on the other hand, was in order. The Utrecht Court of Audit recommended investing structurally in training employees and improving the layout of municipal buildings to prevent unauthorized access.
The lack of technical knowledge is a common problem, according to the researchers. Not only with Courts of Audit, but also with city council members and boards of directors. Without this knowledge, there is no one to raise the alarm if something is not right. Because this knowledge is lacking, one in five municipalities does not have a preparedness plan if a cyberattack occurs.
According to De Winter, this mainly plays out in smaller municipalities and they practice the least with simulated cyber threats. Thus they end up in a vicious circle. "If you don't practice with attacks from the outside, that scenario is not going to happen. You want to run an exercise in which everything goes wrong, so that afterwards there is a feeling of: we have to do something with that," the security expert told Binnenlands Bestuur and AG Connect.
De Winter advocates openness. Currently, municipalities are mostly unwilling to say anything about their information security, or, for example, the budget they spend annually on pen tests. "An amount can vary, but says nothing about the final reports. Being open about this is precisely what is important."
Hof van Twente is the exception to the rule. The municipality was the target of a ransomware attack in December 2020. Hackers managed to penetrate the municipality's computer systems and encrypt privacy-sensitive information of the municipality and its residents. This included financial records and applications for youth care and environmental permits. Furthermore, the perpetrators managed to capture confidential information about citizens' work, income and debts. Finally, they managed to take down backup systems.
Mayor Ellen Nauta had the matter thoroughly investigated. She felt it was important that the results be made public. In mid-March, cybersecurity firm NFIR published its investigation report into the attack. Around the same time, De Winter made his interpretation report public. This showed that the security left much to be desired in a number of areas. A modification in the firewall allowed the FTP server to be reached from anywhere. Moreover, this server ran on a vulnerable version of Microsoft's Remote Desktop Protocol (RDP). Finally, although the password of the FTP server had been modified, it was anything but strong: it read Welcome2020. A pen test did not warn of this.
In a response, the Information Security Service (IBD) reveals that municipalities do take information security seriously and are working hard on it. A spokesman says he does not agree with the conclusions. "The examples in this article are recognizable, but it is a bit of selective shopping. This article creates the impression that things are particularly bad at municipalities, while society as a whole should be getting a leg up. Municipalities are transparent about their incidents and administrators are aware of their responsibilities around digital security."
Outgoing State Secretary of the Interior and Kingdom Relations Raymond Knops wrote a progress letter last March to update the House of Representatives on increasing the digital resilience of the public sector. In it he wrote, among other things, that his ministry, together with the Association of Dutch Municipalities (VNG), has developed three cyber exercise packages for municipalities and provinces in recent years.
Knops acknowledges that it is a good start, but that there is still much work ahead to make digital service processes and computer systems less vulnerable. "Technology and the associated threats seem to develop faster than organizations can put adequate management measures in place. In doing so, the realization has dawned that one must increasingly accept that cyber incidents cannot always be prevented, but that one must be better able to detect them and better able to intervene to limit the consequences," the secretary of state wrote to the House of Representatives.
Structurally practicing with simulated cyber attacks is the only way to deal with cyber threats in the future, according to Knops.
