Column: sense of urgency needed in fighting security vulnerabilities

Cyber threats were recently among the top three concerns of the Dutch public, according to research by the Clingendael Institute. That is not surprising, because the threat is regularly highlighted, for example by recent reports that thousands of computer networks in the Netherlands show vulnerabilities that should have been fixed long ago. The perception is that accidents are waiting to happen.

There is undeniably a serious and troubling problem that affects us all. But instead of getting caught up in fear and panic, it is better to focus on structural solutions. Fortunately, these are available, but awareness of them among companies and organizations still leaves much to be desired. And so does awareness that active involvement on their part is crucial to keeping our systems safe.

Security risks and economic damage

At the heart of the problem is that vulnerable systems pose an economic risk, as well as a threat to our security. Both cybercriminals and state actors are targeting Dutch systems, making robust cyber resilience vital. Problems at non-vital companies resulting from vulnerabilities can also affect vital and critical companies (energy, telecom, etc.), so the social impact can be significant. So the least any business and organization can do is to be informed about vulnerabilities and threats and act on that information.

But that can only be done if those vulnerabilities are known. What makes matters worse is that many such leaks are unknown and therefore invisible. Whoever is the first to know about such a leak can exploit it. This is why both cyber criminals and so-called ethical hackers look for them: one group to abuse them, the other, like the volunteers of the Dutch Institute for Vulnerability Disclosure (DIVD), to report them so they can be closed.

Notification and code of conduct

Much is being done in the Netherlands to find vulnerabilities and notify parties who are affected. This involves close cooperation between sectoral initiatives and the central government, particularly the Ministries of Justice & Security and Economic Affairs and Climate. Real strides have been made in this area in recent years. Many more organizations and companies are now notified by reporters of vulnerabilities than a few years ago.

Another example of an initiative to share this kind of information, but with a specific target group where the impact of security breaches and incidents is high, is the Clean Networks platform. It was created thanks to a broad collaboration of government, the Dutch Internet sector and nonprofit initiatives to combat Internet abuse in the networks of ISPs and hosters. In this initiative, detecting vulnerabilities, notifying affected parties and fixing those vulnerabilities are brought together in one technical solution, which automatically sends appropriate notifications with suggested fixes and prioritization to the affected parties. When incidents occur, help and support are available. For example, Clean Networks acts as the CSIRT (Computer Security Incident Response Team) for Dutch ISPs and the hosting industry.

Participants also commit to a code of conduct, so that they too bear responsibility for making and keeping their systems clean. A seal of approval is being developed to show who is making active efforts to clean up abuse, and who is less diligent about those risks. Co-funded by the European Union, the project is leading the way internationally on how to address these issues.

The National Cyber Security Centre (NCSC) and the Digital Trust Center (DTC) also provide notifications, for vital and critical infrastructure and for SMEs respectively. There are also sectoral initiatives, for example for the Port of Rotterdam and for cybersecurity companies. The House of Representatives recently passed the Promoting Digital Resilience for Business Act (also known as the DTC Act), which regulates the sharing of information about threats, vulnerabilities and incidents by the DTC with the wider business community.

In short, organizations that want to be informed about vulnerabilities and security breaches can be, as soon as those are known. Yet we can read almost daily about successful hacks and the misuse of known security vulnerabilities. How is that possible?

Capitalizing on knowledge

What is still missing is a broader awareness within organizations that vulnerabilities can occur anywhere and that action must be taken. The era when these risks could be ignored without major consequences is long behind us, but that awareness has not yet reached everyone. It is therefore high time for companies and organizations to take a proactive approach to finding and combating vulnerabilities. Every company or organization has a responsibility to close vulnerabilities.

To increase resilience, Dutch companies and organizations must therefore act more decisively. Trade associations have a role to play here by better informing their members and supporters about their responsibilities, the risks they face and how they can reduce them.

In addition, hotlines, reporters themselves and the government have an important task: to make the importance of reporting vulnerabilities and taking action on them even clearer.

For individual companies and organizations, information security and actively plugging vulnerabilities must be placed high on the agenda, if they are not there already.

And for all parties involved, cooperation remains key, both in sharing information and in raising awareness among companies and organizations that acting appropriately on information about vulnerabilities and abuse is critical.

By working together and leveraging available knowledge and resources, we can increase resilience to security vulnerabilities. Fortunately, a wealth of knowledge is available and both government and sectoral initiatives are ready to help. The time for action is now.

This column was written by NBIP general director Octavia de Weerdt and was first published with the Dutch publication AG Connect.