Cyber Security Assessment Netherlands 2018
The Cyber Security Assessment Netherlands (CSAN) 2018 offers insight into threats, interests and resilience, as well as related developments in the field of cybersecurity, relevant for national security.
The CSAN is an annual publication of the National Coordinator for Security and Counterterrorism. The CSAN is compiled in collaboration with the National Cyber Security Center (NCSC) and the Dutch intelligence agencies, and with the cooperation of the business community, government bodies and academia.
CSAN 2018 shows that the scope and severity of digital threats facing the Netherlands are still considerable and continue to evolve. National security remains under constant threat of digital attacks. The Dutch economy and broader Dutch society have become entirely dependent on digital resources. Attacks and outages can have major consequences, potentially disrupting society itself.
Digital threat is permanent
Cyber attacks are profitable, simple to execute and involve little risk for attackers. In light of recent geopolitical developments, state actors are expected to continue using such digital attacks and may even opt to do so on a greater scale. However, we are also seeing another development whereby attackers fail to anticipate, or accept, the unintended consequences of their actions on other countries that do not constitute their primary target. The most familiar case in this respect is NotPetya, an attack that also inflicted unintended financial damage on Dutch companies.
The most significant threats are sabotage and disruption by nation-states
Nation-states are perpetrating an increasing number of attacks on other countries for geopolitical reasons. Their aim is to acquire strategic information through espionage, to influence public opinion and democratic processes, or even to sabotage vital systems.
Professional criminals continue to be a major threat to Dutch society. Cyber attacks with a major societal impact can be perpetrated with relatively few resources. Perpetrators can carry out attacks without any need for large-scale capabilities; they can simply purchase them externally. This became clear in January, when the DDoS attacks plaguing several banks turned out to have been carried out with a simple bought-in attack.
Lack of basic measures
Many organisations in the Netherlands fail to implement the basic measures needed to repel cyber attacks. This concerns basic measures such as the timely installation of updates or prevention of flaws in configurations. For example, WannaCry and BadRabbit exploited known vulnerabilities and could have been prevented if the necessary security updates had been installed. Insecure products and services make life easier for attackers. As the recent period has shown, organisations could have prevented incidents and mitigated damage by ensuring that their basic security was properly in place.