The National Cyber Security Centre (NCSC) does nothing with most of the threat information it receives. Because of legal restrictions and the agency's slow processes, more than 95 percent of that information is discarded even though it is relevant. As a result, one in five Dutch companies falls victim to a hack every year. Sources involved confirmed this to de Volkskrant.
The NCSC receives threat information daily, ranging from vulnerabilities in software to indications that companies may be targets of ransomware attacks. The Network and Information Systems Security Act (Wbni) says the NCSC may only share such information with companies and organizations that are part of the critical infrastructure. Furthermore, the law states that much of the relevant data may not be shared at all, such as IP addresses, e-mail addresses and passwords. Such data is considered personal data under the General Data Protection Regulation (AVG) and therefore may not be shared.
This causes frustration not only among the business community and cybersecurity companies: it also generates considerable resistance within the agency itself. Insiders tell de Volkskrant that only 5 percent of the threat information the agency receives from intelligence services, foreign partnerships and non-profit organizations is shared with companies and organizations active in the vital sector. Nothing is done with the remaining information, even though it is crucial. "Because of the mess of the last few years, sentiment about the NCSC is bad. The Wbni is not well thought out," an insider told the newspaper.
A spokesman for the NCSC could not confirm that only 5 percent of threat information reaches the right place. Some of this information is forwarded automatically to the target audience, for example information about computer systems that may be infected with malware. "Other threat information is shared only after analysis or is used only to build up a picture of the situation," the spokesman said.
Frank Breedijk of the Dutch Institute for Vulnerability Disclosure (DIVD) argues that the system for sharing threat information has been made "far too complicated." For example, the NCSC does not actively and widely scan the Internet for known vulnerabilities. The supply chain attack on IT service provider Kaseya is a good example of how this can cause things to go massively wrong. Three months after the attack, 28 Dutch companies were found to still be vulnerable, and some of them were hacked. In this case, the NCSC refused to scan the Internet to see which parties were at risk.
"That's like checking whether a door is open," Breedijk explains. "You're not stealing anything, you're not changing anything, there's a threat and it's proportional." Technically, however, such a scan counts as hacking because you are entering a system, and the NCSC is not allowed to do that. So potential targets are not informed of the threat.
The government is aware of this and is making every effort to give the NCSC more tools to share relevant and up-to-date threat information with non-vital organizations. The Ministry of Economic Affairs and Climate is working on a bill that would allow information about hacking attacks and other cyber threats to be shared with non-vital companies and organizations. Outgoing Minister of Justice and Security Ferd Grapperhaus is busy setting up a Landelijk Dekkend Stelsel (LDS, a nationwide covering system) to simplify the exchange of information between the government, business and the vital sector. The Digital Trust Center (DTC) will soon launch a pilot to share current threat information with non-vital companies and organizations in order to increase their digital resilience.
The business community does not want to wait for these developments and announced on Tuesday that it is developing its own alert system. "The NCSC completely underestimates the urgency and pace. Information needs to be shared within minutes. That now takes weeks," said Inge Bryan of Fox-IT. According to her, the government is hampered by legal constraints that a private initiative does not have. The hardware and software needed to set up the system are already in place.
The NCSC and the DTC are positive about the alert system, but stress that there must be a clear division of labor if a crisis occurs. "Making the 1.8 million companies in the Netherlands more cyber resilient is a huge job. We would like to see how new initiatives can complement each other as well as possible," says a DTC spokesperson.