The Cybersecurity Assessment Netherlands 2024 (CSAN 2024) provides information about the digital threats, what interests are jeopardised by those threats, digital resilience and digital risks. According to the report, the country is not only suffering more and more cyberattacks inside its own national borders, but is also affected by cyberattacks elsewhere that impact the digital ecosystem.
In these times of geopolitical upheaval, the NCTV also sees that the activities are increasing in intensity. State actors are expanding their capabilities, deploying more and more different resources and tools, while criminal actors launch large-scale opportunistic attacks. The vital infrastructure of the Netherlands could become the target of digital espionage or sabotage, including the Port of Rotterdam, hospitals, wind farms, banks and the country’s electrical grid.
Large-scale outages
Examples of incidents during the past year include the attack by hackers from China that compromised the Ministry of Defence’s computer system (February 2024), the deliberate interference that broadcast Russian propaganda on a children’s television channel, and the theft of data from chip manufacturer Nexperia (both in April 2024).
Disruption of digital processes poses another threat. In August this year, various branches of the Dutch government and air traffic at Eindhoven Airport were disrupted by a bug in the software of the closed telecommunication network Defensier. The complexity of digital risks, and close interconnections between them, mean that disruptions have already caused system outages on a large scale. The impact can be severe, for example by bringing public transport, air traffic or medical care to a halt. This was highlighted by the computer failure caused by cybersecurity company CrowdStrike in July 2024, when 8.5 million computers around the world would not start up. In the Netherlands, air traffic, healthcare and other services were disrupted by the worldwide computer failure, which was caused by an error in an update.
Comprehensive approach to risk management
Digital risks are dynamic, and are affected by a wide range of different factors. The broader digital ecosystem, including monocultures within it, coupled with the high degree of digitalisation, mean that risks become interconnected. In the CSAN report, the NCTV argues the importance of a comprehensive approach to risk management, and looking beyond introducing standards and basic measures.
“State cybercampaigns are increasing in pace and complexity,” explains National Coordinator Counterterrorism and Security Pieter-Jaap Aalbersberg. “States are also deploying companies and hacktivists to carry out digital attacks, which further blurs the lines between separate organisations. For example someone might have a role in science or the business sector, while also being linked to a security service.” Cyberattacks are generally not isolated incidents: increasingly, multiple cyberattacks are combined, or used in conjunction with other methods such as disinformation campaigns. As such, the NCTV believes that an important part of risk management is to consider how these cyberattacks are connected, and what broader threat those risks present when added together.
The NCTV also warns about the global trade in sensitive personal data and the shortage of cybersecurity capacity and staff. The shortage of cybersecurity experts in the Netherlands, the NCTV argues, could ultimately affect the country’s digital resilience. It might also become interesting for malicious actors to consider what organisations have the greatest shortages – and so potentially the weakest defences.
Current status of the Dutch Cybersecurity Strategy
In 2022, the Dutch Cabinet presented the Dutch Cybersecurity Strategy (NLCS) to create digital security and resilience in the Netherlands. The CSAN 2024 provides a basis for reviewing the substance of that strategy and the associated plan of action. The report on the current status of the NLCS (in Dutch only) was sent to the Dutch House of Representatives at the same time as the CSAN 2024.
The Cabinet intends to minimise the threat from countries with offensive cyberprogrammes aimed at Dutch interests, and discourage it up front wherever possible. During the past year, results included a publication about more advanced malware that was used by China to spy on computer networks of the Dutch Ministry of Defence.
Other measures include setting up a single centralised cybersecurity organisation that will bring together the National Cyber Security Centre (NCSC), the Digital Trust Center (DTC) (in Dutch only) and the Computer Security Incident Response Team for digital service providers (CSIRT-DSP): a single organisation to inform every organisation in the Netherlands about threats and security measures.
Structural challenges
In conclusion, various factors have been posing a challenge to digital security for a long time. Attacks by state and criminal actors could impact national security. Developments that on the surface are unrelated to cybersecurity might nevertheless have a permanent effect on the threats and resilience. This is particularly true of developments in geopolitics and technology. It is also important to be aware that any organisation could be hit by a cyberincident. Digital risks therefore demand a more comprehensive approach to risk management. In today’s digitalised society, security of digital processes is crucial. However, the importance of that security sometimes clashes with other interests. Nevertheless, the importance of digital security is being embedded more and more firmly in laws and regulations, for example the current implementation of the recast European Network and Information Security Directive (NIS2) in the Dutch Cybersecurity Act (Cbw) .
It is also essential to be properly prepared for large-scale outages and digital incidents. The Cabinet is conducting exercises as part of those preparations; for example, this year’s public-private exercise ISIDOOR IV yielded valuable information about crisis preparation.