The National Coordinator for Counterterrorism and Security (NCTV) has published the Cybersecurity Image Netherlands (CSBN) 2023. The CSBN provides trends, incidents, threats, and challenges in the field of cybersecurity within national security.
Key Takeaways from CSBN 2023
- Digital Security Remains Crucial: The Dutch society is heavily digitized, making the safety of digital processes vital to national security.
- Persistent Digital Threats: The digital threat to the Netherlands remains high. Changes include an uptick in hacktivism, fuelled by geopolitical tensions like the Russian-Ukrainian conflict. If the situation escalates, Dutch interests could be at risk.
- Challenges in Risk Management: Strategic themes identified in CSBN 2022 still pose complications for risk management. Notable changes include increased digital security requirements due to European regulations and the growing interconnectedness within a broader, not only digital, ecosystem.
- Need for Increased Resilience: The imbalance between the digital threat and resilience, as outlined in CSBN 2022, remains a significant concern.
- Operational Technology (OT) Vulnerabilities: OT is a crucial component of vital processes within organizations. Despite growing attention to OT resilience, there’s room for improvement.
- Broad Risk Management Approach: The unique nature of digital risks calls for a broader management approach, treating them as an integral part of national security risks.
Digital Threats: Still High
The digital threat remains high, particularly due to:
- Interactions with Other Threats: Cyber incidents can result from disruptions like energy supply issues and can, in turn, cause such disruptions. Developments in technologies such as Generative AI, Quantum Computing, and “the metaverse” also influence digital threats.
- Complexity and Interconnectedness: The intertwined nature of digital processes, systems, and networks, coupled with outdated information systems, create vulnerabilities that cyber actors can exploit.
- Geopolitical Tensions: State actors increasingly resort to cyberattacks to protect their interests, with potential ripple effects.
- Profitable Cybercrime: Cybercrime remains a lucrative venture, and cybercriminals continue to profit from ransom payments, illegal services like Cybercrime-as-a-Service (CaaS), and the sale of stolen information.
- Hacktivism: Social controversies and international conflicts can spur hacktivism.
- Concentration of Information: The centralization of information and digital processes is attractive for misuse by malicious actors.
- Limited Consequences for Attackers: Cyber attackers often face little risk of apprehension or extradition.
Cyber Incidents in 2022/2023: Consistent with the Threat Landscape
Incidents from March 2022 to February 2023 align with the digital threat landscape of recent years. The NCTV saw no society-disrupting incidents in the Netherlands or other EU countries. Ransomware attacks remained prevalent, sometimes accompanied by data leaks. Also noteworthy were attacks by hacktivists, mostly abroad but a few in the Netherlands.
Russian-Ukrainian War: Massive Cyber Campaign, Less Impact Than Anticipated
In February 2022, Russia invaded Ukraine, launching cyberattacks primarily aimed at Ukraine and the region. These attacks included espionage, sabotage preparations, and disinformation. Western and Ukrainian digital defenses managed to mitigate the impact of these attacks.
Notably, criminal and hacktivist actors became involved in the context of the war. Private companies offered support to Ukraine, often in collaboration with countries backing Ukraine. Russia also engaged in influencing public opinion in Western countries via disinformation.
Strategic Themes Continue to Complicate Risk Management
In the 2022 Cybersecurity Image of the Netherlands (CSBN), the National Coordinator for Counterterrorism and Security (NCTV), in collaboration with partners, identified six strategic themes that will be relevant for the digital security of the Netherlands in the coming years. These themes are still entirely applicable. Upon reflection of these themes, several changes have been noticed, which are discussed below.
Additional Requirements for Digital Security Take Time to Yield Results
A significant change that can enhance digital resilience in the coming years is the additional requirements for digital security. These requirements emerge from new European laws and regulations, the Dutch Cybersecurity Strategy 2022-2028, and the action plan derived from it. However, awareness and further development and implementation of all these measures require considerable time.
Hardening of Geopolitical Tensions
Over the past year, geopolitical tensions have further escalated. Sectors and organizations may experience the consequences of this hardening but can do little to change it. However, it is a factor that should be considered when determining the desired level of digital resilience. For example, a state actor could attack an ICT service provider of a vital organization as a stepping stone to that digital organization.
Insurability of Digital Risks Under Pressure
While organizations can do a lot to improve digital resilience, cyber incidents can still occur, and/or damage is not always preventable. The insurability of digital risks is under pressure for various reasons. One reason insurers mention is the increase in digital risks. Another reason is that cyber incidents can escalate into a so-called systemic crisis, making them uninsurable.
Being Part of a Broader Ecosystem Complicates Risk Management
Whether it’s countries, sectors, or organizations, few can function independently of a broader ecosystem. This includes outsourcing parts of business operations, such as payroll administration, access pass management, or market research. Being part of a broader ecosystem has advantages, such as benefiting from economies of scale and specialist knowledge, including in the field of cybersecurity. However, being part of a broader ecosystem also complicates risk management. For example, there is often no insight into dependencies and vulnerabilities in the broader ecosystem, and it is difficult to get a grip on them. These dependencies and vulnerabilities can be a substantial part of digital risks.
Digital Ecosystem Provides Opportunity Structure for Cyber Attacks
Cybercriminals are part of a broader malicious and legitimate digital ecosystem and depend on it. This ecosystem thus provides an opportunity structure for them. Due to increasing specialization among cybercriminals, they too are becoming increasingly dependent on each other’s (online) services in the context of cybercrime-as-a-service. This dependence also applies to the use of legal services, such as web hosting and communication services like VPNs or domain registrations.
Strategic Themes Mentioned in the 2022 CSBN
- Risks form the flip side of a digitized society.
- Digital space is a playing field for regional and global dominance.
- Cybercrime is industrially scalable, resilience is not yet.
- Market dynamics complicate the management of digital risks.
- Integrated and coherent risk management is still in its infancy.
- Limitations in digital autonomy also limit digital resilience.
These themes continue to shape the landscape of cybersecurity in the Netherlands, influencing how organizations and individuals approach digital security and risk management. The importance of maintaining awareness of these themes and adapting strategies accordingly cannot be overstated.
Operational Technology (OT) and Digital Threats in the Netherlands
- Operational Technology (OT) and Industrial Internet of Things (IIoT): OT, also known as ‘Industrial Automation and Control Systems’ (IACS), plays a central role in driving, monitoring, and managing physical processes within organizations, acting as the engine of vital sectors. OT is increasingly intertwined with Information Technology (IT). In addition, IIoT is playing an increasingly important role in industrial environments. This development has advantages for optimizing processes, but also brings risks. It increases the attack surface and hence the risk that OT systems are compromised, posing challenges for securing such systems.
- Balancing Digital Threats and Resilience: The process of reducing the imbalance between digital threats and resilience remains a major challenge. The digital threat remains consistently high, and the complications for risk management remain fully applicable.
- Cyber Risks and Vulnerabilities: All digital processes, organizations, and sectors are potentially vulnerable to cyber incidents. Unauthorized access to information and threats to the accessibility of processes due to cyberattacks, ransomware, and DDoS attacks are real. The consequences of a cyber attack on one organization can also indirectly affect others, particularly if a major global service provider is hit.
- Underestimating Risks: Organizations often believe that they are not of interest to cyber criminals or state actors, or that their sector experiences few incidents. However, criminals continuously attempt to exploit any ‘digital doors’, regardless of the organization, resulting in detrimental effects for the victims. State actors actively search for organizations in chains, as a stepping stone to more interesting targets.
- Four Risks to National Security: The nature of digital risks is not fundamentally different from those outlined in the previous year’s report (CSBN 2022). Four risks to national security were identified that apply directly or indirectly to specific sectors, organizations, and individuals:
- Unauthorized access to information (and possibly its publication), especially through espionage.
- Inaccessibility of processes due to sabotage, ransomware, and DDoS attacks.
- Violation of the security of the digital space, for example through misuse of global ICT supply chains, misuse of internet protocols, or sabotage of cables.
- Large-scale outage due to natural or technical causes, or non-malicious human actions.
- Read the full CSBN 2023 report (Link to PDF)
- Visit the Dutch NCSC website (Link to website)
- Read the full CSBN 2022 report (Link to PDF)