Companies in the Netherlands are increasingly falling victim to ransomware, yet the wave of attacks is probably just the tip of the iceberg because many keep quiet when they are confronted with ransomware.
This is often out of shame or fear of reputational damage, but Dutch companies should be open about these attacks. Dave Maasland, CEO of ESET Netherlands, says this situation has to change and a lot could be learned from the US aviation industry.
For about 12 years, there have been few, if any, fatal aircraft crashes in the US. If aviation experts had been told this as a prediction in the mid-1990s, they would not have believed it. That was a time when aviation in the US was plagued by frequent air crashes. But eventually, the tide was turned by a seemingly controversial idea.
“A reporting system was established in which anyone involved could voluntarily report incidents with impunity,” said Maasland. “In fact, people were patted on the back when they revealed wrongdoings, but if management found out about an incident and people had failed to report it, they risked losing their jobs. I think we can learn a lot from such a system when it comes to ransomware.”
Rutger Leukfeldt, director of the Centre of Expertise Cyber Security at The Hague University of Applied Sciences, agreed. He is involved in setting up such a system in the UK. “That system is based on a unique database that we also have in the Netherlands in the field of organised crime – the Organised Crime Monitor,” he said.
“This monitor has existed since the 1990s and enables researchers to systematically analyse large-scale criminal investigations. Research based on the monitor has taught us a great deal in recent years and has given us insight into how organised crime works.”
A major difference from the US aviation reporting system is that the information in the monitor is anonymised and not freely accessible. “Although I am a great advocate of openness and sharing of information, I think that a closed system, to which only certain stakeholders have access, can also work,” said Leukfeldt. “In any case, bringing information together leads to more knowledge, a better picture and therefore a better approach.”
Openness crucial for security
While many Dutch companies affected by ransomware keep their mouths shut, a number of organisations have given a candid insight into attacks they have suffered over the past two years. For instance, Maastricht University was hit by a ransomware attack at the end of 2019 and ultimately paid a ransom of €197,000 to regain access to its files.
The institution called in Fox-IT’s expertise to investigate how and where the attackers had breached it. The university shared the lessons it learned from this openly with the world. This was something that had never been done in the Netherlands before, and it earned praise from many quarters.
“The university made an unusual choice by being open,” said Petra Oldengarm, director of Cyberveilig Nederland, which represents cyber security companies in the Netherlands. “I hope that this example will be followed more often, because organisations often keep an attack quiet for fear of reputational damage. Although this seems an understandable choice, the consequences are that other organisations cannot learn from incidents like this and that the cyber security level of a sector or even our entire country lags behind as a result.”
Maasland advocates a reporting system similar to that used in the US aviation industry, although at the moment he does not know what such a system should look like in practice. “I think organisations, public and private, have a moral duty to report ransomware incidents, anonymously at the very least,” he said. “At the same time, we must try to arrive at a system where people can report abuses or threats out of intrinsic motivation, because that way, they can and want to contribute to a safer digital Netherlands.
“It is important that all parties involved take part in reporting, not only the victim, but also a security company, the IT partner involved, the management, the IT department, and so on. The more holistic the approach, the better the picture that emerges.”
Sharing information is crucial to gaining insight into how attackers and attacks work, but in doing so, it is not always important to share details on a technical level, said Leukfeldt. “As a researcher, I don’t find it that interesting which port stood open, but would rather look at the underlying processes,” he said. “In order to share relevant information, it is important to know how an attack happened, and which links the criminals abused in order to get in.
“But after that, it is especially important to know how it was solved and what things and processes an organisation has adjusted. What are the lessons we can learn to minimise the impact of such an attack?”
Learning from cyber attacks is crucial. Commissioned by the Dutch Cyber Security Council, in 2018 a number of scientists investigated the effectiveness of the obligation to report data breaches in the Netherlands. The researchers concluded that the Netherlands learned too little from the reports that were made, partly because not enough useful information was shared by the Autoriteit Persoonsgegevens (Personal Data Authority), which processes the reports.
“Information-sharing starts with providing openness about cyber incidents, attack methods and vulnerabilities,” said Oldengarm. “In doing so, various organisations have a role to play, both public and private.”
The Netherlands government has been working for some time on setting up “a nationwide system of cyber security partnerships, within which information on cyber security is shared more widely, efficiently and effectively between public and private parties”, stated the Dutch Cyber Security Agenda in April 2018. Since the advent of the country’s Network and Information Systems Security Act, Cyberveilig Nederland has been designated as a hub for information sharing.
“This paves the way for the exchange of information between the cyber security sector and the National Cyber Security Centre,” said Oldengarm. “This brings us a step closer to effective information sharing, but we still have a long way to go.
“On the one hand, we must get the flow of information from the NCSC to the cyber security sector going, and on the other hand, we as a sector must get to work ourselves. We also have threat information that must be shared where possible. We must jointly look at what knowledge we can share with other stakeholders and we must talk to our customers about being allowed to share information about, for example, ransomware attacks that have taken place on their premises.”
Example from the UK
For this, the Netherlands may be able to learn from the system that is currently being set up in the UK, in which Leukfeldt is involved. “The VU University Amsterdam and Oxford University are also collaborating on this,” he said. “The goal is to create a publicly available database of cyber crime cases, based on our Dutch Organised Crime Monitor. The aim is to learn from cases that have been completed. These are put into the database anonymously, and eventually analyses can be made and we can learn at various levels.
“I expect that a system in which cases can be made anonymous, but with sufficient detail to be able to draw lessons, can also be successful in the Netherlands. In any case, I think it’s worth a try.”
Maasland added: “Cyber crime is penetrating further and deeper into our society and it is only a matter of time before this actually starts costing lives on a larger scale. We as an industry, business and government need to look at ways of making information public and sharing it, so that we can prevent further victims.”
