Digital threat in the Netherlands is increasing
The scope and severity of digital threats facing the Netherlands are still considerable and continue to evolve. National security remains under constant threat of digital attacks. The Dutch economy and broader Dutch society have become entirely dependent on digital resources. Attacks and outages can have major consequences, potentially disrupting society itself.
This is according to the Cyber Security Assessment Netherlands 2018 (CSAN 2018) published by the National Coordinator for Security and Counterterrorism (NCTV). The CSAN underscores the need to invest in our digital security, an urgent concern for several years now. It demonstrates the urgency of implementing the measures and investments described in the National Cyber Security Agenda (NCSA).
Digital threat is permanent
Cyber attacks are profitable, simple to execute and involve little risk for attackers. In light of recent geopolitical developments, state actors are expected to continue using such digital attacks and may even opt to do so on a greater scale. However, we are also seeing another development whereby attackers fail to anticipate, or accept, the unintended consequences of their actions on other countries that do not constitute their primary target. The most familiar case in this respect is NotPetya, an attack that also inflicted unintended financial damage on Dutch companies.
The most significant threats are sabotage and disruption by nation-states
Nation-states are perpetrating an increasing number of attacks on other countries for geopolitical reasons. Their aim is to acquire strategic information through espionage, to influence public opinion and democratic processes, or even sabotage vital systems. However, it is becoming increasingly complex to attribute cyber attacks to their perpetrators, as individual attackers become more difficult to distinguish.
Professional criminals continue to be a major threat to Dutch society. Cyber attacks with a major societal impact can be perpetrated with relatively few resources. Perpetrators can carry out attacks without any need for large-scale capabilities; they can simply purchase them externally. This became clear in January, when the DDoS attacks plaguing several banks turned out to have been carried out with a simple bought-in attack.
Lack of basic measures
Many organisations in the Netherlands fail to implement the basic measures needed to repel cyber attacks. This concerns basic measures such as the timely installation of updates or prevention of flaws in configurations. For example WannaCry and BadRabbit exploited known vulnerabilities and could have been prevented if the necessary security updates had been installed. Insecure products and services make life easier for attackers. As the recent period has shown, organisations could have prevented incidents and mitigated damage by ensuring that their basic security was properly in place.