Why do Dutch & EU organisations not sufficiently secure their network and data?
Dr. Ir. Henk Jan Jansen
Security Tech Enthusiast | Bridging the Gap Between Ideas, Execution & Innovating for a Better Tomorrow
Foreword
Nearly two-thirds of Dutch companies have already been victims of cybercrime. Security experts warn that the question is not whether an organization is affected, but when. Nevertheless, many companies assume that the vulnerability of their own organization to cybercrime is not too bad. Wrongly. How do we ensure that organizations give cybersecurity the attention it deserves, so that their network and data are optimally protected?
My personal view of the Dutch government and its initiatives to make all ministries and provinces part of an IV Organization.
Apparently the Government hasn't really learned much from the past 10 years?
For an IV organisation that is actually based on the BiSL model, see figure 1.
It consists of three layers; one has to start at the bottom layer and work upwards from there.
In addition, security comes into play. In short, such an environment will be set up in a cloud solution, and therefore third parties also have access to data; no matter how much you pretend to secure this, there are always accounts that have access to confidential data. I personally believe that people within the EU, and even in the Netherlands, are very sloppy with, among other things, the security of data in general and the protection of any company platform.
Hence this overview of the real state of IT security, cyber security measures and data privacy: does anyone even know whether data is safe from others and/or from hackers? This is a very, very disturbing thought!
Read more on cybersecurity and the EU's approach to cyber threats below.
Cybersecurity: EU approach to cyber threats
The EU is working on multiple fronts to increase cyber resilience, fight cybercrime and intensify cyber diplomacy and defence.
Infographic - Biggest cyber threats in the EU
Cybersecurity challenges
Crucial sectors such as transport, energy, healthcare and finance are becoming increasingly dependent on digital technologies. Digitisation offers plenty of opportunities and solutions to problems, especially during the COVID-19 pandemic, but it also exposes the economy and society to cyber threats.
Timeline
18/11/2022
Cybersecurity at the EU: Council agrees its position
17/10/2022
Council adopts conclusions on ICT supply chain security
21/06/2022
Council adopts conclusions on coordinated EU response to hybrid campaigns
23/05/2022
Cyberspace: Council agrees on stronger cybersecurity to prevent cyberattacks
16/05/2022
Council extends sanctions regime for cyberattacks
Cyberattacks and cybercrime are growing both in number and ingenuity across Europe. By 2025, 41 billion devices worldwide are expected to be connected to the internet, so this trend will continue.
Strong cybersecurity action and open and secure cyberspace can increase citizens' trust in digital tools and services.
In October 2020, EU leaders called on the EU to:
· better protect against cyber threats
· create a more secure communication environment, in particular through quantum encryption
· ensure access to data for judicial and law enforcement purposes
A cyber-resilient Europe
EU cybersecurity strategy
In December 2020, the European Commission and the European External Action Service (EEAS) presented a new EU cybersecurity strategy. The aim is to make Europe more resilient to cyber threats so that all citizens and businesses can fully benefit from reliable services and digital tools. The new strategy contains concrete proposals for regulation, investment and policy.
On 22 March 2021, the Council adopted conclusions on the strategy. In them, it stresses that cybersecurity is essential for building a resilient, green and digital Europe. EU ministers want to achieve strategic autonomy while maintaining an open economy. For example, the EU should be able to make more autonomous choices in cybersecurity to strengthen its digital leadership and strategic capabilities.
The EU is working on two legislative proposals to address online and offline risks now and in the future:
· an updated directive to better protect network and information systems
· a new directive on the resilience of critical entities
What is cybersecurity?
Cybersecurity refers to the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats.
(EU Cybersecurity Act)
EU Cybersecurity Regulation
The Cybersecurity Act (Regulation (EU) 2019/881) entered into force in June 2019 and introduced:
· an EU-wide certification framework
· a new and stronger mandate for the EU Agency for Cybersecurity
An EU-wide cybersecurity certification scheme
Certification is important for ensuring high cybersecurity standards for ICT products, services and processes. Currently, EU countries use different certification schemes, leading to market fragmentation and regulatory barriers.
With the Cybersecurity Act, the EU provides a single certification framework for the entire EU. This will lead to:
· more confidence
· growth of the cybersecurity market
· easier trade across the EU
The framework will provide for a set of rules, technical regulations, standards and procedures.
The EU cybersecurity market
· In the Global Cybersecurity Index top 20, 18 places are occupied by European countries
· The value of the EU cybersecurity market is estimated at over €130 billion and is growing by 17% annually
· The EU has more than 60,000 cybersecurity companies and more than 660 centres of excellence in this field
EU Agency for Cybersecurity
The new EU Agency for Cybersecurity builds on the structures of its predecessor (the European Union Agency for Network and Information Security), but has a stronger role and a permanent mandate. Its acronym, ENISA, has remained the same.
It supports Member States, EU institutions and other stakeholders in tackling cyberattacks.
Network and Information Systems Directive
The Network and Information Systems Directive (NIS Directive) was adopted in 2016 and was the first EU-wide legislation to ensure closer cooperation between Member States in this important area. It included security obligations for operators of essential services (in key sectors such as energy, transport, health and finance) and for digital service providers (online marketplaces, search engines and cloud services).
In December 2020, the European Commission proposed a revised NIS Directive (NIS2), replacing the 2016 Directive. It is a response to the changing threat landscape and to the digital transformation, which has gained momentum due to the COVID-19 crisis.
The Council and the European Parliament reached a provisional agreement on the new measures in May 2022. These must ensure:
· stronger risk and incident management and cooperation
· a broader scope
Biggest cyber threats in the EU
Ransomware
Definition: Attacks in which cybercriminals lock files or computers and demand "ransom" to undo that lock.
60% of affected organizations are likely to have paid a ransom.
Distributed Denial of Service (DDoS)
Definition: Attacks that prevent users of a network or system from accessing information, services or other resources.
In July 2022, the largest DDoS attack to date was carried out against a European customer.
Malware
Definition: malicious software to damage, disrupt, or break into a device.
In June 2022 alone, software containing adware and Trojans was downloaded around 10 million times.
Social engineering
Definition: Attacks that exploit human error or behavior to gain access to information or services.
82% of data breaches involved human error.
Data attacks
Definition: Attacks to gain unauthorized access to data and to manipulate data and disrupt the behavior of systems.
Most attacks target servers (nearly 90%).
Internet threats
Definition: Attacks that hinder access to the Internet, for example Border Gateway Protocol (BGP) hijacking, in which a network announces address space it is not authorised to originate.
In June 2022, it was found that Russia had destroyed 15% of Ukraine's internet infrastructure.
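The infographic only names BGP hijacking. As an added example, not code from the Council page or from the author, the block below implements the standard defence against the origin-hijack variant: RFC 6811 route origin validation (ROV) against a set of Route Origin Authorizations (ROAs), the signed statements published via RPKI saying which AS may originate which prefix. The ROA set and the announcements are constructed data using RFC 1918 address space and the RFC 5398 documentation AS range (64496 to 64511); none of it is real routing data.

```python
"""RFC 6811 route origin validation (ROV) over a constructed ROA set.

Added example, not code from the Council page or the author. The prefixes
(RFC 1918 space) and AS numbers (RFC 5398 documentation range 64496-64511)
are constructed; they are not real routing data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: `asn` may originate `prefix` and any
    more-specific of it down to `max_length`. asn 0 means nobody may (RFC 7607)."""
    prefix: IPNetwork
    max_length: int
    asn: int


def roa(prefix: str, max_length: int, asn: int) -> ROA:
    """Build a ROA, rejecting a maxLength shorter than the prefix or longer than the address size."""
    net = ipaddress.ip_network(prefix)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} is invalid for {net}")
    return ROA(net, max_length, asn)


# Constructed ROA set (assumed data).
ROAS = [
    roa("10.10.0.0/22", 23, 64496),   # AS64496 may announce the /22 or either /23
    roa("10.20.0.0/16", 16, 64500),   # AS64500 may announce exactly the /16
    roa("10.40.0.0/24", 24, 0),       # AS0 ROA: nobody may originate this space
]


def validate(roas: Iterable[ROA], prefix: str, origin_asn: int) -> str:
    """Return the RFC 6811 state of a route: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    # A ROA covers the route when the announced prefix lies inside the ROA prefix.
    covering = [r for r in roas
                if r.prefix.version == route.version and route.subnet_of(r.prefix)]
    if not covering:
        return "not-found"   # no ROA covers this prefix; ROV cannot judge it
    for r in covering:
        # Valid only if the origin AS matches (AS0 never matches) and the
        # announcement is not more specific than the ROA's maxLength allows.
        if r.asn != 0 and r.asn == origin_asn and route.prefixlen <= r.max_length:
            return "valid"
    return "invalid"         # covered, but wrong origin AS or too specific


def flag_hijacks(roas: Iterable[ROA],
                 announcements: Iterable[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Run ROV over (prefix, origin AS) pairs and return those that are invalid."""
    roas = list(roas)
    return [(p, a) for p, a in announcements if validate(roas, p, a) == "invalid"]


# Constructed announcements, as a route collector might see them (assumed data).
ANNOUNCEMENTS = [
    ("10.10.0.0/22", 64496),   # legitimate
    ("10.10.2.0/23", 64496),   # legitimate more-specific, within maxLength
    ("10.10.0.0/24", 64496),   # right AS, but too specific: maxLength is 23
    ("10.10.0.0/22", 64511),   # origin hijack: wrong AS
    ("10.20.0.0/24", 64500),   # right AS, but exceeds maxLength 16
    ("10.40.0.0/24", 64511),   # AS0 ROA: any origin is invalid
    ("10.30.0.0/24", 64511),   # not covered by any ROA: not-found
]

if __name__ == "__main__":
    for p, a in ANNOUNCEMENTS:
        print(f"{p:16} AS{a}: {validate(ROAS, p, a)}")
    print("hijack candidates:", flag_hijacks(ROAS, ANNOUNCEMENTS))
```

Two caveats a practitioner should keep in mind. First, ROV only judges the origin AS; an attacker who prepends the legitimate origin to a forged AS path still passes, which is why a "not-found" or "valid" state is evidence, not proof, and why path validation is a separate problem. Second, a "too specific" announcement from the correct AS (the /24 above) is flagged as invalid on purpose: a more-specific prefix wins in BGP, so loose maxLength values are the classic way a forged-origin sub-prefix hijack slips past ROV.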
Disinformation – misinformation
Definition: a deliberate attack in which false or misleading information is created or shared to manipulate public opinion.
Ukraine was hit by large-scale disinformation campaigns even before the Russian invasion.
Supply chain attacks
Definition: An attack strategy that addresses the weak spots in an organization's supply chain and can cause cascade effects.
In 2021, 17% of security breaches involved incidents in the supply chain. In 2020, this was still less than 1%.
The timeline of cybersecurity
2022
November 18
Cybersecurity at the EU: Council agrees its position
The Council agrees its position on a common cybersecurity framework across all EU institutions, bodies, offices and agencies.
Given the significant increase in the number of advanced cyberattacks against the EU institutions in recent years, the Commission proposed measures in March 2022 to ensure a high common level of cybersecurity across them.
The aim is to improve the resilience and incident response capacity of all EU entities and to establish a common framework to ensure the same approach everywhere.
Now that the Council's position is known, negotiations with Parliament can start as soon as the European Parliament has also voted on its negotiating mandate.
· Cybersecurity at the EU: Council adopts position on common rules (press release, 18 November 2022)
October 17
Council adopts conclusions on ICT supply chain security
Ministers adopted conclusions to improve the security of EU supply chains in the field of information and communication technologies (ICT). The conclusions also address dependencies in these supply chains. The call to action is all the more urgent in the context of Russia's aggression against Ukraine.
The Council calls for the frameworks for screening public procurement and foreign direct investment to be adapted, including the selection criteria related to cybersecurity. Member States also invite the Commission to provide methodological guidance encouraging contracting authorities to pay attention to the cybersecurity practices of tenderers and their subcontractors.
Attention is also paid to existing and future cyber-specific legislation that can improve the security of ICT supply chains:
· the revised Network and Information Systems Directive (NIS2)
· certification schemes issued under the Cybersecurity Act
· the proposal for a Cyber Resilience Act
Finally, the Council proposes to use support mechanisms to finance secure digital infrastructure, increase knowledge and awareness in this area, and deepen international cooperation for safer ICT supply chains in the EU and beyond.
June 21
Council adopts conclusions on coordinated EU response to hybrid campaigns
In the context of Russia's aggression in Ukraine, following the adoption of the Strategic Compass by the European Council, the Council of the EU reiterates in its conclusions the importance of developing an EU toolbox against hybrid threats.
This toolbox provides the framework for a coordinated response to hybrid threats and campaigns affecting the EU and its partners. It brings together all actors, policies and facilities to counter the impact of hybrid threats in a more coordinated way.
The Council reiterates that the primary responsibility for countering hybrid threats lies with Member States and that decisions on a coordinated EU response should meet the following conditions:
· protect democracy and international law
· help to achieve EU objectives
· are proportionate to the hybrid campaign against the EU
· are based on situational awareness
· take the broader context into account
· respect international law and protect fundamental rights and freedoms
May 23
Cyberspace: Council agrees on stronger cybersecurity to prevent cyberattacks
The Council approves conclusions on developing the EU's cyber posture, so that the EU can withstand cyber threats more effectively and more resiliently.
By developing this so-called "cyber posture", the EU is stronger in the face of offensive cyber activities directed against the EU and its Member States. The aim is to respond, both directly and with long-term actions, to actors who want to deny the EU safe and open access to cyberspace. This includes preventing, discouraging and deterring threats, and improving cyber capabilities.
The conclusions stem from various EU laws and policies, including the Strategic Compass, the Action Plan for a Stronger Security and Defence Policy.
May 16
Council extends sanctions regime for cyberattacks
The Council extended the sanctions framework ('restrictive measures') for cyberattacks against the EU and its Member States for a further 3 years, until 18 May 2025.
The EU can therefore continue to impose targeted sanctions on individuals and entities involved in major cyberattacks threatening the EU or member states from outside.
· Cyber-attacks: Council extends sanctions regime until 18 May 2025 (press release, 16 May 2022)
May 13
Better cybersecurity and resilience: agreement on NIS2 Directive
The Council and Parliament reached a provisional agreement on measures for strong joint cybersecurity in the EU. The aim is a more resilient public and private sector, and a greater incident response capacity.
The new directive, called NIS2, will replace the current directive on security of network and information systems (NIS directive) after adoption.
The new legislation will:
· ensure better risk and incident management and cooperation
· expand the scope
May 11
Provisional agreement on digital operational resilience act (DORA)
The Council and the European Parliament reached a provisional agreement on the Digital Operational Resilience Act (DORA), which aims to ensure that the financial sector in Europe can continue to function resiliently in the event of serious operational disruptions.
DORA creates a regulatory framework for digital operational resilience: all financial entities in scope must ensure that they can withstand, respond to and recover from all types of ICT-related disruptions and threats.
As the risk of cyberattacks increases, the EU wants to strengthen the IT security of financial institutions such as banks, insurance companies and investment firms.
March 8-9
EU ministers agree on strengthening cybersecurity
EU ministers for telecommunications and digital affairs meet on 8 and 9 March 2022 at an informal meeting organised by the French Presidency.
They call for European cooperation on cybersecurity to be strengthened and accelerated, as the cyber threat and the risk of cyber incidents are growing even faster because of the situation in Ukraine. They ask for more information on the risks that threaten European communication networks and infrastructure, and for recommendations on how to strengthen their resilience.
They adopt a political declaration on strengthening the EU's cybersecurity capabilities.
2021
December 3
Council agrees its position on new cybersecurity directive
During the December Telecommunications Council, EU ministers agreed a 'general approach' on measures for a high common level of cybersecurity across the EU under the so-called 'NIS2' directive.
The aim of the legislation is to further improve the resilience and incident response capacities of both the public and private sector and the EU as a whole. It aims to remove divergences in cybersecurity requirements and in implementation of cybersecurity measures in different member states.
October 19
Joint Cyber Unit initiative: Council adopts conclusions
In its conclusions, the Council calls on the EU and the Member States to further develop the EU cybersecurity crisis management framework, including by exploring the potential of a joint cyber unit.
The Council considers that existing networks should be consolidated and possible gaps and needs in the field of information exchange within and between cyber communities identified. Next, potential primary objectives and priorities of a possible joint cyber unit should be agreed.
May 17
Council extends sanctions regime for cyberattacks by one year
The Council decided to extend the sanctions regime for cyberattacks against the EU or member states until 18 May 2022.
The EU can therefore continue to impose targeted sanctions on individuals and entities involved in major cyberattacks threatening the EU or member states from outside.
Sanctions may also be imposed for cyberattacks against third countries or international organisations if necessary for the common foreign and security policy (CFSP).
April 29
Combating online child abuse – informal agreement with Parliament on temporary rules
Council and Parliament negotiators agree on a temporary measure allowing providers of electronic communications services, such as e-mail and messaging services on the Internet, to continue to detect, remove and report online child sexual abuse and grooming, pending the permanent legislation announced by the European Commission.
The agreement provides for a derogation from Articles 5(1) and 6(1) of the ePrivacy Directive. It still needs to be approved by the Council.
April 20
Council gives the green light to the EU Cybersecurity Competence Centre in Bucharest
In order to improve the security of the Internet and other network and information systems in the EU, the Council adopted a Regulation establishing a Cybersecurity Competence Centre. The centre will be located in Bucharest (Romania) and will manage cybersecurity funding from Horizon Europe and the Digital Europe programme.
This "European Cybersecurity Industrial, Technology and Research Competence Centre" will work with a network of national coordination centres in the Member States.
This adoption by the Council of the Regulation establishing the Centre and the Network will be followed by the final approval by the European Parliament.
March 22
Council adopts conclusions on cybersecurity strategy
The Council adopted conclusions on the EU cybersecurity strategy for the Digital Decade. This strategy was presented by the Commission and the High Representative for Foreign Affairs and Security Policy in December 2020. It provides a framework to protect EU citizens and businesses from cyber threats, promote secure information systems and safeguard a global, open, free and secure cyberspace.
The conclusions state that cybersecurity is essential for a resilient, green and digital Europe. The main objective is to achieve strategic autonomy with an open economy. For example, the EU should be able to make more autonomous choices in cybersecurity to strengthen its digital leadership and strategic capabilities.
2020
December 15
Council conclusions on tackling disinformation
The Council adopted conclusions calling for the EU to step up its action against hybrid threats – such as disinformation – and to strengthen resilience to them. New technologies and crises, such as the COVID-19 pandemic, offer actors with bad intentions opportunities to expand their interference activities. These are a challenge for Member States and the EU institutions on top of the crisis.
The COVID-19 pandemic makes the EU and its Member States more vulnerable to hybrid threats. These include the increasing spread of disinformation and manipulative interference. These types of threats, in particular malicious cyber activities, disinformation and threats to economic security, require a comprehensive approach with effective cooperation and coordination.
December 11
Provisional agreement on EU Cybersecurity Competence Centre
Negotiators from the Council and the European Parliament reached a provisional agreement on a proposal to establish the European Cybersecurity Industrial, Technology and Research Competence Centre and a network of national coordination centres.
Together, these structures will help secure the Digital Single Market – in areas such as e-commerce, smart mobility and the Internet of Things – and increase the EU's autonomy on cybersecurity.
December 9
European Cybersecurity Competence Centre to be located in Bucharest
Infographic - Selection of the location of the Cybersecurity Industrial, Technology and Research Competence Centre
The government representatives of the EU Member States chose the Romanian capital Bucharest as the location of the new European Cybersecurity Industrial, Technology and Research Competence Centre.
That Competence Centre will ensure better coordination of cybersecurity research and innovation in the EU. It will also be the main EU instrument for pooling investment in cybersecurity research, technology and industrial development.
· European Cybersecurity Industrial, Technology and Research Competence Centre: location selection (background information)
· This knowledge centre has not shared all information with all EU Member States
December 2
Cybersecurity of connected devices – Council adopts conclusions
The Council adopted conclusions highlighting the new risks to privacy and information and cybersecurity posed by the increased use of connected consumer products and industrial devices.
The conclusions urge the need for long-term horizontal legislation to address all relevant aspects of connected device cybersecurity – such as availability, integrity and confidentiality.
Connected devices – including machines, sensors and networks that make up the Internet of Things (IoT) – will play an important role in further shaping Europe's digital future. This also applies to its security.
· Cybersecurity of connected devices - Council adopts conclusions (press release, 2 December 2020)
July 30
EU imposes sanctions against cyberattacks for the first time
The Council imposed restrictive measures against 6 persons and 3 entities responsible for or involved in multiple cyberattacks. The sanctions include a travel ban and the freezing of assets. EU persons and entities are also prohibited from making funds available to the sanctioned persons and entities.
June 9
Council conclusions: Shaping Europe's digital future
The Council endorses conclusions addressing a wide range of issues related to the implementation of the EU Digital Strategy. The text highlights the importance of the digital transformation in combating the COVID-19 pandemic, and its crucial role in the post-crisis recovery.
One of these points is cybersecurity, as cyber threats and cybercrime increase in number and complexity. EU ministers therefore want to improve the EU's response capacity and safeguard the integrity, security and resilience of digital infrastructure, communication networks and services. The EU also sees the need for a coordinated approach to mitigate cybersecurity risks and ensure a secure deployment of 5G.
June 5
Mandate for cybersecurity centres and state of play of 5G networks
On 3 June 2020, Coreper agreed on a new mandate for negotiations with the European Parliament on the proposal for a regulation establishing the European Cybersecurity Competence Centre and the Network of Coordination Centres. As a next step, the Croatian Presidency will contact Parliament's chief negotiator to see if a trialogue could be held.
The Presidency also presented the state of implementation of the EU toolbox for the security of 5G networks.
2019
December 3
Importance and security risks of 5G technology: Council adopts conclusions
The Council conclusions on 5G address the impact on the European economy and the necessary mitigation of security risks.
EU ministers stressed that 5G networks will be crucial infrastructure for maintaining vital social and economic functions.
May 17
Cyberattacks: Council can now impose sanctions
The EU and its Member States will be more resilient in the fight against cyberattacks.
The Council sets out a framework enabling the EU to take targeted restrictive measures to prevent or respond to cyberattacks that pose an external threat to the EU or Member States.
This decision allows the EU, for the first time, to penalise persons or entities that:
· are responsible for, or have attempted, cyberattacks
· provide financial, technical or material support for such attacks
· are otherwise involved in them
Sanctions may also be imposed on the persons or entities associated with them.
This framework also applies to cyberattacks against countries outside the EU or international organisations, where restrictive measures are deemed necessary to achieve the objectives of the Common Foreign and Security Policy (CFSP).
April 9
Council adopts cybersecurity regulation
The Council adopts the Cybersecurity Act. It establishes:
· a framework of EU-wide cybersecurity certification schemes
· a permanent EU Cybersecurity Agency, succeeding the existing European Union Agency for Network and Information Security (ENISA)
March 13
Pooling expertise on cybersecurity: Council opens negotiations with European Parliament
EU ambassadors give the Presidency of the Council a mandate to open negotiations with the European Parliament on pooling expertise in cybersecurity.
These negotiations will mainly revolve around two initiatives:
· establishing a cybersecurity knowledge base, the European Cybersecurity Industrial, Technology and Research Competence Centre
· setting up a network of national coordination centres
2018
December 19
Cybersecurity Regulation: EU ambassadors approve proposed regulation
The adoption of the Cybersecurity Act paves the way for the introduction of an EU-wide cybersecurity certification and for the consolidation of a permanent EU Cybersecurity Agency.
The new regulation was provisionally agreed by the Presidency and the European Parliament on 10 December.
For internet-connected devices, EU-wide cybersecurity certificates will soon be available, allowing consumers to make more informed choices and making it easier for businesses to market their smart products.
November 19
Cyber defence: Council brings policy framework up to date
The EU wants to become more resilient to cyberattacks.
In order to strengthen their cyber defence capabilities, it is important that EU Member States cooperate ever more closely.
To this end, the Council adopted an updated version of the EU cyber defence policy framework.
The update enables the EU to take into account the changing security challenges since the adoption of the first framework in 2014. The updated policy framework also identifies priority aspects of cyber defence and provides further information on the role of the various parties involved.
At its last meeting, on 18 October 2018, the European Council called for measures to build strong cybersecurity in the EU.
EU leaders focused in particular on restrictive measures as a means of responding to cyberattacks and deterring potential perpetrators.
October 18
European Council calls for action to improve cybersecurity in the EU
Heads of State or Government call for the EU to further strengthen its deterrence, resilience and response to hybrid, cyber and chemical, biological, radiological and nuclear threats.
The leaders' call follows the cyberattacks against the Organization for the Prohibition of Chemical Weapons (OPCW) in The Hague.
The European Council also calls for negotiations on all cybersecurity proposals to be completed "before the end of the parliamentary term" (April 2019).
September 13
Cybersecurity Regulation: Council opens negotiations with European Parliament
The Council will start negotiations with the European Parliament with a view to reaching an agreement on the cybersecurity regulation before the end of the year. A general approach on this proposal was reached on 8 June.
The Regulation aims to increase cyber resilience by establishing an EU-wide certification framework for ICT products, services and processes. It would also upgrade the current European Union Agency for Network and Information Security (ENISA).
April 16
Malicious cyber activities: Council adopts conclusions
The Council adopted conclusions on malicious cyber activities, stressing the importance of a global, open, free, stable and secure cyberspace where human rights and fundamental freedoms and the rule of law apply in full.
The Council expresses its deep concern at the increased capability and willingness of non-EU countries and non-state actors to achieve their objectives through malicious cyber activities. The EU will further strengthen its capacity to counter cyber threats.
2017
December 20
EU institutions strengthen cooperation against cyberattacks
The EU institutions are taking an important step towards greater cooperation in combating cyberattacks.
An interinstitutional agreement establishes a permanent Computer Emergency Response Team (CERT-EU) for all EU institutions, bodies, offices and agencies.
CERT-EU is to coordinate the EU's response to cyberattacks against its institutions.
October 24
EU ministers agree on cybersecurity action plan
The Council agreed to set up an action plan for the reform of EU cybersecurity.
Ministers stressed that online security is essential for European citizens and businesses.
2016
June 9
Council agrees on next steps in the fight against cybercrime
EU justice ministers discussed further improving criminal justice in cyberspace. They adopted two sets of conclusions, with practical measures to improve cooperation and a timetable for future actions:
· conclusions on improving criminal justice in cyberspace
· conclusions on the European Judicial Network for Cybercrime