Cybersecurity Assessment 2024: turbulent times, unforeseen effects

The digital threat to the Netherlands is large and diverse. The Netherlands is a target of cyber attacks, or is experiencing the impact of cyber attacks that spill over into the digital ecosystem. In addition, state actors state actors are intensifying their activities and broadening their capabilities.

Enlarge image Boorplatform op zee met op de achtergrond ook windmolens
Image: ©ANP
State actors are intensifying their activities and expanding their capabilities, using various means from a broader toolkit. Vital infrastructure in the Netherlands, such as wind farms, can become the target of digital espionage or sabotage.

These are the main conclusions of the Cybersecurity Assessment Netherlands (CSAN) 2024, released today, prepared by the National Coordinator for Counterterrorism and Security (NCTV). Digital risks are complex and highly interconnected. This can lead to unforeseen effects; for example, disruptions have already caused large-scale system outages. In the CSAN, the NCTV warns that it is important to look at risk management with a broad perspective that goes beyond norms and basic measures. “One of the key findings in this CSAN is that state actors are intensifying their cyber activities and broadening their -capabilities,” said Pieter-Jaap Aalbersberg, National Coordinator for Counterterrorism and Security. “The pace and complexity of state cyber campaigns is being stepped up. They are also deploying hacker groups to carry out digital attacks.” Partly because of this, the dividing lines between different organizations are increasingly unclear. For example, individuals sometimes fulfill a scientific role or a role in business, but at the same time are associated with an intelligence agency.”

Cyber attacks often do not stand alone, but are part of a broader toolbox that states employ to achieve their goals. This may involve using multiple cyber attacks in combination with each other, or with means outside of cyber (such as disinformation campaigns). “When it comes to risk management, it is therefore also important to look at the connection of these cyber attacks and the broader threat posed by the sum of these risks,” the NCTV said.

Large-scale outages

In addition to cyber attacks, large-scale outages also pose a threat. Outages of digital processes can have a variety of causes, including technical problems and non-intentional human actions. In a digital monoculture, where many organizations depend on a small number of providers, incidents can have potentially far-reaching and unforeseen consequences. One example is the computer outage caused by cybersecurity firm CrowdStrike in July 2024, in which 8.5 million computers worldwide stopped booting. This can have far-reaching consequences, such as the shutdown of public transportation, air travel or medical care. The NCTV also warns of the global trade in sensitive personal data and the scarcity of cybersecurity capacity and personnel.

Progress of the Netherlands Cybersecurity Strategy

In 2022, the Cabinet presented the Netherlands Cybersecurity Strategy (NLCS) with the goal of a digitally secure and resilient Netherlands. Simultaneously with the CSAN 2024, the NLCS progress report was sent to the House of Representatives. This describes the progress on the public-private action plan. With this action plan, the government addresses the challenges outlined in the CSAN 2024. 

For example, the government wants to counter the threat coming from countries with an offensive cyber program directed against Dutch interests as much as possible, and where possible discourage it on the front end. In the past year, this has led, among other things, to a publication about more advanced malware used by China to spy on computer networks of the Ministry of Defense.

Work is also underway to create one new central cybersecurity organization into which it will merge the National Cyber Security Center (NCSC), the Digital Trust Center (DTC) and the Computer Security Incident Response Team for Digital Service Providers (CSIRT-DSP). This will create a single organization that informs all organizations in the Netherlands about threats and security measures. Preparations are also underway for the implementation of the revised European Network and Information Security Directive (NIS2 Directive) into the Cyber Security Act (Cbw).

As the CSAN 2024 also outlines, we must prepare for large-scale outages or digital incidents. One way the government does this is by practicing. Last year, the successful public-private exercise ISIDOOR IV provided valuable insights into crisis preparedness.