#9 Digital Disruption
In its report ‘Preparing for digital disruption’, the Netherlands Scientific Council for Government (WRR) answers the question: how can government better prepare itself for societal disruption in a digitizing society? In this podcast WRR-chair Corien Prins and senior research fellow Erik Schrijvers will reflect on this. They recommend better preparation and argue that we need a clearer picture of dependencies, a new approach to vital infrastructure, greater powers and measures in the field of cyber insurance.
Transcription podcast WRR Digital disruption
In 1912, the Titanic went down while the orchestra played this song. Though the ship looked invincible, it was actually very fragile. There was no warning of the danger ahead. A single hole caused it to fill up completely with water. There was no effective rescue plan and there were far too few lifeboats.
More than 100 years later, the Scientific Council for Government Policy in the Netherlands published a report on digital disruption. It describes measures to prevent a serious collision occurring within our digital world that has unnecessary fatal effects. Listen to this podcast to hear what might prevent our society from falling into ice cold waters.
Erik Schrijvers: We define disruption as a situation in which the continuity of society is at stake.
Voice over: Unlike the more physical disasters and disruptions mankind has experienced so far, digital disruption is not visible, nor is it local. Incidents can happen at the speed of light, on a large scale, with devastating effects.
Corien Prins: Digital disruption could also mean, or at least have an effect on democracy, on trust and democracy.
Voice over: Even though we do not exactly know what to expect, a quick response is essential.
Erik Schrijvers: An incident can be disruptive when you are not prepared to deal with the consequences.
In its report on digital disruption, the Council wants to prepare the country for the unknown unknown. Because if there is one common denominator in digital incidents that have hit us in the past decades, it is that we only knew what hit us when the incident had already happened. So how can we prepare?
Corien Prins: The future is unknown, but not empty, meaning that you do have means to at least find your way in the unknown and you have to look for those means.
Voice over: You are listening to the voice of Corien Prins, chair of the council, and you also heard Erik Schrijvers, senior researcher. Together, they are responsible for the explorations that have taken place to find out which methods we can use to be ready when lightning strikes.
Corien Prins: Well, ultimately, we cannot prepare for 100 percent, but we can prepare in at least introducing measures that allow us to look and be aware and search for the unknowns.
Erik Schrijvers: The way of thinking about cybersecurity is still a bit old fashioned, so we think about securing individual buildings, individual organizations. When an incident happens, it's always about networks of organizations. It's about chains. It's about different countries being hit at the same time. Almost all major incidents were incidents that had to do with problems with the supply chains. So this is, for example, with the NotPetya attack with WannaCry.
Voice over: In June 2017, several organizations in the Ukraine were attacked with malware called NotPetya. The malware took over control of several servers and computers, and from there it reached out to other computers that it could invade in the Ukraine and elsewhere in the world. Information was held hostage and could be released by paying a ransom. The entrance and spread of the malware was possible due to vulnerabilities in regular Microsoft software. NotPetya was similar to WannaCry, a worldwide cyber attack a few months earlier. Reportedly, NotPetya caused damages estimated at 10 billion dollars. Among those affected were shipping company Maersk Line, FedEx, Mondelez and Saint-Gobain, a French construction giant.
Corien Prins: In our report, we formulate a few typical characteristics of this new type of disruption. Networks chains being one of them. Another one being the interaction between the digital world and the physical world.
Voice over: During the NotPetya attack in 2017, operations of the shipping company Maersk Line came to a standstill, worldwide, including Rotterdam.
Erik Schrijvers: The whole company worldwide had to write out things, writing out orders by hand and all the containers piled up in the harbors. You got traffic jams. The municipality of Rotterdam wanted to know what was going on, but didn't get the information from Maersk about the incident.
Corien Prins: The municipality didn't get access at first instance at Maersk. Well, imagine a firefighter stands at the port, aiming to address the fire. Imagine that as a company, you say to the firefighter: no access. This raises questions about authority. Who is responsible to combat the disaster and who is allowed to enter the scene? When a fire brigade is called to put out a fire, the procedures are clear. In case of a digital accident, roles of the involved parties have to be redefined in order to facilitate a quick response. This is better done beforehand.
Corien Prins: We do see that governments, for example, in addressing this problem highly depend on the private sector. A Dutch government organisation being attacked is highly dependent on, for example, a cloud provider or Microsoft or a major private company across the border. It also becomes a matter of both the public sector and the private sector working together, as well as national countries working together, cross-border.
Voice over: To avoid lengthy discussions in the aftermath of an incident, when time is money, new legislation has to be drawn on a national and on a European level.
Corien Prins: And of course, we do see that there is a difference between entering a gate in the physical world and entering a system with data, confidential data, but that needs to be addressed in the legislation, confidentiality, etc. And it also provides companies with a certain level of security: what the government is allowed and not allowed to do when entering a system.
Voice over: Society has become dependent on a limited number of major providers of infrastructure. This puts a lot of power in just a few hands and also heightens the fragility of systems. If only a small piece of software is corrupted, it spreads worldwide instantly, like a virus. Take, for instance, the example of SolarWinds. During 2020, Russian hackers were able to infiltrate the software of SolarWinds, a company that is used by all divisions of the U.S. Army, the White House, 425 of the Fortune 500 companies, all five of the top five accounting firms and hundreds of universities and colleges.
Hackers slipped into a software update of Orion, a network management product from SolarWinds. Users who downloaded and installed the corrupted update unwittingly gave hackers access to their networks. 18.000 networks were infiltrated, sensitive data was stolen, and many services were compromised. The IT Company SolarWinds has 300.000 customers around the world. Referring to this massive hack, Microsoft President Brad Smith warned of a global digital 9/11 if governments and companies do not take the right measures against these possibly disruptive threats.
Corien Prins: It also has to do with perception. We had a local level major disruption in the eastern part of the Netherlands at the end of last year, Hof van Twente. For those living in that area this was a major disruption. Public facilities were no longer available. It appears that it will take months to reconstruct the digital world there. People expect from the government that the government acts. We put our faith and trust in the government to address this type of situations.
Voice over: The council advises the Dutch government to act on four levels: Preparedness, Detection, Mitigation and Recovery & reconstruction.
These four stages are well known in the world of crisis preparation, in the world of firefighters. So preparedness means that you have an overview of the companies with whom you, on a digital level, are connected. It is crucial to have that information upfront. What service providers? Are they Dutch based, do they come from France, U.K., the United States? Being prepared means knowing your position in the digital world as well as the interaction with the physical world. That's 1, Preparedness.
Detection is also very important. Detection still takes very much time. For example, the European Agency Cyber Agency Enisa says it takes an average of six months to detect a cyber breach. So this is an average, of course, but it takes a lot of time to discover. So this needs to be improved. With major incidents, for example SolarWinds, most of the time the intruders are inside the network already for months. But still, the defense against hackers is a lot more difficult than attacking an organization, because as a defense, you need to defend the whole network and an attacker needs just one little problem or one little vulnerability to get in.
: The most important means to improve detection is to share information. We need to share information about incidents, but also about the whole context in which organizations operate and the digital service providers they are dependent on.
Mitigation means that you know when to put the server down and when not, and under what circumstances. Because if the server is down, are we still able to do it by hand, the old fashioned way, or do we have sufficient knowledge on how to do it the old fashioned way? Having the professional capacity to do it the old fashioned way, is for certain vital processes crucial. We have to have a backup facility. One of the crucial backup facilities is just old fashioned human based intervention.
To be connected or not to be connected? It seems practical to connect all systems to the internet, but this might be dangerous, as is illustrated by the case of DigiNotar. This Dutch company got hacked in 2011. As a trusted third party, it provided certificates for websites to prove they actually were the website they said they were. The hacker who infiltrated DigiNotar was able to produce and spread about 500 false certificates this way. Fake websites could impersonate their legitimate originals and obtain the information of users. When this was detected, faith was lost between many users and websites. Crucial information exchange with and between websites of the Dutch government became unreliable, endangering processes like customs clearing, banking transactions and surcharges. The hack was unintentionally facilitated by employees of DigiNotar, who connected the main server of the certificates to the internet, while it should have stayed isolated, as a precaution.
: So the final stage, Recovery & reconstruction. We have two key recommendations here. One of them being: Recovery & reconstruction also means that you have to learn from your mistakes. I mean, prevent them from happening again. And that means that you have to evaluate and that you have to learn lessons. At this point in time, we have a very good instrument that facilitates us in learning lessons, and that is the data breach notification in our European legislation. So data breach notification means that data breaches are reported to the supervisory bodies. But what we saw, at least what we saw in the Netherlands, is that they are reported, they are listed there, but we do not combine them. We do not or at least insufficiently, learn lessons from them. What do they show? What do these data breaches show us in the type of actors, the type of vulnerabilities, the type of connectedness? I mean, digital means are a key instrument in geopolitical conflicts.
Second point here is insurance. What you need as a society is: go on. But in going on, you need money, you need to rebuild and insurance could be a help. And of course, we do see that it is quite difficult for insurance companies to get a grip on how much damage, what are the risks here? How much money is involved here? Government should step in and should at least discuss and explore whether there should be or could be some sort of fund that allows for some sort of certainty, a certainty for insurance companies.
: The question then, of course, is, should the insurance company provide coverage based on a certain policy?
With attacks like WannaCry, NotPetya, the argument of insurance companies is more and more: this is what we exclude because this is war related.
: The current corona pandemic has shown that nowadays we depend heavily on digital infrastructures. Had corona struck 20 years earlier, society would have been injured a lot more. No serious digital incidents happened in the past year, but we came close and we are still not on safe grounds.
What if one WannaCry happened during this crisis? What if the Citrix problems happened during this crisis?
In the final days of 2019, the Dutch National Cyber Security Center was informed about certain vulnerabilities in a software called Citrix. Citrix is a program that is used to connect people who work from home or elsewhere with their offices. Dozens of cities in the Netherlands, among them Amsterdam and Rotterdam, disconnected after being advised so, as did members of parliament. Several universities and national airport Schiphol followed. The possible leaks were discovered after cyber attacks on a university at a medium sized city. A few months later, in 2020, the software had still not been repaired satisfactorily. About 50 percent of Dutch municipalities use Citrix.
What if a large cyber attack, work related or health related, happens now?
In 2017, many hospitals in the UK were hit by ransomware called WannaCry. Communication systems were frozen, files were encrypted, 19.000 appointments of patients were cancelled and emergency centers had to be relocated.
: And a final illustration here is that you see that geopolitically crucial players in the present pandemic, like Pfizer, like the World Health Organization, are under attack.
: Many measures should be taken by government and organizations, but are there precautions ordinary citizens can take to arm themselves against cyber incidents?
Well, it's very hard for citizens to understand the very complex digital world. So we think, first of all, it's the responsibility of the organizations themselves to be prepared and from the Dutch government to be prepared. But, of course, citizens can do some things. They can, for example, organize their own fallback options by writing down things sometimes, instead of putting all their important data in the cloud. And they can, for example, have some money in the pocket, instead of relying completely on digital means. But these are small measures compared to the measures we propose to prepare for digital disruption.
Voice over: Installing antivirus software is wise and so is a healthy distrust concerning unsolicited digital messages because private computers can be used for large scale attacks.
So be aware of your responsibility, although you are tiny, although you don't have influence on the larger picture. But as with the fire, it starts simple. When the fire comes to a certain intensity, I as an individual can no longer address the fire. I need a firefighter. But when it's still small, in my computer, at least I can try to do something. So be aware that you are a tiny part of that large chain, but sometimes a crucial part.
Voice over: And what applies to the individual, applies to every greater constellation.
Our report is not about prevention. The report is about: it happens. And from that moment on, are you prepared?
So what will happen with this report in the Netherlands? Well, so far the Dutch government has informed parliament that it will carry out a number of the recommendations. In their turn, parliament urged the cabinet to map out a plan of the interdependence of the Netherlands in the digital world, as this was recommended in the report on digital disruption.