Frequently asked questions
Cybervandals and script kiddies are usually minors who commit attacks from pure mischief or to flaunt their own skills. Cybervandals have varying levels of skill, and script kiddies (or ‘skiddies’) are generally low-skill. According to Cyber Security Assessment Netherlands 2016, they are a growing threat owing to the increasing availability of low-threshold tools for mounting digital attacks. For example, it is becoming easier for cybervandals and script kiddies to carry out DDoS attacks Rathenau Instituut 13 (distributed denial of service) that shut down entire websites by using services traded on the dark web (DDoS-as-a-service).
Terrorist groups do not appear to have the IT skills necessary to commit serious cyberattacks yet, but it is only a question of time. The Islamic terrorist organisation ISIS is taking the digital offensive more often, however, and its cyberattacks are becoming more targeted. For example, it has stepped up its doxing activity, i.e. it collects personal data on Western military and government personnel and publishes it online to single them out as targets for attack (AIVD 2016). ISIS or its sympathisers are also having more success at defacement, i.e. hacking websites and replacing the original content with their own ideological content. Such attacks are not regarded as terrorist activities in themselves, but as propaganda.
Cybercrime is increasingly turning into a form of organised crime. Cybercriminals are becoming more professional, the methods they employ are growing more complex, and their revenue model is proving more profitable all the time. Malware infections are increasing in number, botnets are getting harder to detect and spear phishing is growing more common. This advanced form of phishing targets individual internet users and uses personal data, for example information that the targets themselves have posted on their Facebook or LinkedIn page. A seemingly innocent e-mail attachment that appears to come from a known source can thus lead to unpleasant surprises (NCSC 2014; 2015). Ransomware has become extremely commonplace in recent years. Individuals, businesses and even hospitals have experienced a growing number of ransomware infections. In these attacks, the malware encrypts the computer files, making them inaccessible, and the attacker demands a ransom to decrypt the files.
Cyberespionage by state actors
In addition to cybercriminals, state actors – foreign intelligence services and allied groups – are extraordinarily active in the digital domain. Russian and Chinese intelligence services are particularly keen to collect political, military, scientific and technological information in the West. For example, the Russian intelligence services gather data on the West’s views and positions on geopolitical issues. These intelligence services are highly professional and run extremely effective operations. It is estimated that Russia and China deploy upwards of a hundred thousand persons in cyberespionage worldwide, and other countries, including Iran, are also active. The Dutch government has long been the target of vast and advanced cyberespionage. Cyberattacks by state actors are thus a constant threat to national security (AIVD 2016; MIVD 2016). Alongside political targets, espionage also commonly focuses on economic targets. The Chinese intelligence services are especially interested in economically sensitive business information that will help China gain an economic advantage. The targets include businesses that form part of the Netherlands’ top economic sectors.
Cybercrime can cause enormous societal and economic damage. According to figures published by Statistics Netherlands, around 11 percent of the Dutch population have at some point been victims of cybercrime (CBS 2016). A study by PwC and VU University Amsterdam revealed that more than 20 percent of Dutch businesses and institutions reported incidents of cybercrime in the previous two years.
According to the researchers, the actual figures are ‘very likely’ to be higher (PwC & VU 2014). Estimates by Deloitte indicate that cybercrime costs the Dutch economy some 10 billion euros a year (Deloitte 2016). Verhagen cites a figure of around 15 billion but warns that the true scale of the damage remains unknown (Verhagen 2016). These figures are unverified, however, making it almost impossible to draw definitive conclusions about the actual damage (Overvest & Straathof 2015; Hendriks et al. 2016).
According to the Netherlands Bureau for Economic Policy Analysis, it is difficult to quantify either the importance of cybersecurity for the economy or the economic damage arising from cybercrime. The Bureau claims that estimates are generally based on experts’ best guesses and on ‘impenetrable methodologies’ (CPB 2016). The damage caused by economic cyberespionage is even more difficult to establish because it may only become clear in the longer term (NCSC 2016).
Cybercrime and cyberespionage are serious threats. If Dutch businesses are subject to large-scale cybercrime attacks, and if foreign intelligence services manage to access information about advanced technologies – one of the main pillars of the Dutch economy – then these threats will eventually undermine the innovativeness and competitiveness of the Dutch business sector.
Recommendation for government, businesses and other parties, e.g. the Dutch Consumers’ Association:
1. Pay more attention in education and in public information campaigns to cybersecurity and the cyberskills that consumers and the public should possess.
Recommendation for government and businesses:
2. Invest in an independent expertise and advisory centre for SMEs and larger businesses that operate outside the critical sectors.
Recommendations for government:
3. Set a good example as a ‘launching customer’ and do more to coordinate sound security measures internally.
4. Do more to hold critical sectors accountable for running secure operations, for example by agreeing on an annual hack test.
Recommendation for businesses:
1. Learn about existing duties of care and comply with them.
Recommendations for government:
2. Do more to support reporting of cybercrime at regional level and its prosecution.
3. Monitor whether the Computer Crime III bill imposes adequate conditions on the investigative services for exploiting zero-day vulnerabilities.
4. Build capacity in the AIVD so that the agency is better able to detect cyberespionage and the manipulation of information by state actors and to take (or encourage others to take) appropriate measures.
5. Monitor whether the ‘checks and balances’ in the bill updating the Intelligence and Security Services Act are in fact adequate in practice.
6. Legislate ‘open standards’ to permit oversight of smart device security. Allow regulatory agencies to take action against insecure IT products on that basis.
7. Ascertain whether regulatory agencies (Dutch DPA, ACM, Radiocommunications Agency Netherlands) have a mandate to take action against insecure IT products, or whether their mandate needs to be amended. Equip regulatory agencies with enough expertise and capacity.
8. See that IT manufacturers and suppliers comply with duties of care for secure products and check whether duties of care and liability legislation require amendment.
Recommendations for government and businesses:
1. Invest in cybersecurity training.
2. Invest in capacity-building: establish an independent expertise and advisory centre for SMEs and other businesses (non-critical sectors); see that expertise and capacity are sufficient in government, the relevant regulatory agencies and the AIVD.