The National Cyber Security Center (NCSC) does nothing with most of the threat information it receives. Due to legal restrictions and the agency’s slowness of action, more than 95 per cent of the information is thrown away even though it is relevant. As a result, one in five Dutch companies is the victim of a hack every year.
Most threat information ends up in the trash
The NCSC receives threat intelligence on a daily basis, ranging from vulnerabilities in software to indications that businesses may be the target of ransomware attacks. The Network and Information Systems Security Act (Wbni) states that the NCSC may only share such information with companies and organizations that are part of the vital infrastructure. Furthermore, this law stipulates that a lot of relevant data may not be shared at all, for example IP addresses, e-mail addresses and passwords. Such data is considered personal data under the General Data Protection Regulation (GDPR) and may therefore not be shared.
This not only causes frustration among the business community and cybersecurity companies: it also generates considerable resistance internally. Insiders tell de Volkskrant that only 5 per cent of the threat information that the agency receives from intelligence services, foreign partnerships and non-profit organizations is shared with companies and organizations active in the vital sector. Nothing is done with the remaining part of the information, while this information is indeed crucial. “Due to the mess of recent years, sentiment about the NCSC is bad. The WBNI has not been well thought out,” an insider told the newspaper.
A spokesperson for the NCSC cannot confirm that only 5 per cent of threat information ends up in the right place. Some of this information is automatically forwarded to the target group, for example, information about computer systems that may be infected with malware. “Other threat information is only shared after analysis or is only used for imaging,” the spokesperson said.
‘Feel at a door that is open’
Frank Breedijk of the Dutch Institute for Vulnerability Disclosure (DIVD) argues that the system for sharing threat information has been made ‘far too complicated’. For example, the NCSC does not actively and broadly scan the internet for known vulnerabilities. The supply chain attack on IT service provider Kaseya is a good example of how things can go terribly wrong. Three months after the attack, 28 Dutch companies were still vulnerable, some of which had been hacked. In this case, the NCSC refused to scan the internet to see which parties were at risk.
“That’s like feeling an open door,” says Breedijk. “You don’t steal anything, you don’t change anything, there’s a threat and it’s proportional.” Technically, it’s hacking because you’re entering a system, and the NCSC isn’t allowed to do that. As a result, potential targets are not informed of the threat.
Industry is working on its own alarm system
The government is aware of this and is doing everything it can to provide the NCSC with more tools to share relevant and up-to-date threat information with non-vital organizations. The Ministry of Economic Affairs and Climate is working on a bill that will make it possible to share information about hacking attacks and other cyber threats with non-vital companies and organizations. Outgoing Minister of Justice and Security Ferd Grapperhaus is busy developing a National Covering System (LDS) to simplify the exchange of information between the government, the business community and the vital sector. The Digital Trust Center (DTC) will soon launch a pilot to share current threat intelligence with non-vital companies and organizations in order to increase their digital resilience.
The business community does not want to wait for these developments and announced on Tuesday that it would develop its own alarm system. “The NCSC completely underestimates the urgency and pace. Information should be shared within minutes. That will now take weeks,” said Inge Bryan of Fox-IT. According to her, the government is hampered by legal restrictions that a private initiative does not have. The hardware and software needed to set up the system are already available.
The NCSC and DTC are positive about the alarm system but emphasize that there must be a clear division of tasks if a crisis occurs. “Making the 1.8 million companies in the Netherlands more cyber-resilient is a huge job. We like to see how new initiatives can complement each other as best as possible,” says a spokesperson for the DTC.