With some government organizations in the Netherlands already using red teams, the state CIO commissioned a study of the red team programs to see whether a plan for these tests could be used elsewhere in government.
Alexandra van Hufelen, Secretary of State for Digitalization in the Netherlands, wrote in a letter to the Tweede Kamer (Lower House) that the digital resilience of the Dutch government lags behind other countries.
“Among others, the Cybersecurity Beeld Nederland (CSBN) 2021 shows real threats from state and criminal actors, even against the (national) government,” she wrote. “Strong action to increase our resilience is crucial.”
To further accelerate the proactive approach to information security, structural testing of the organization is an essential element. In this way, vulnerabilities and risks can be identified and addressed before they can have a major impact.
“After all, we know that despite all efforts, mistakes can be made, new vulnerabilities become known, and attackers are constantly developing new methods,” Van Hufelen wrote.
As early as the end of last year, the majority in the Tweede Kamer wanted a study on whether a cyber stress test could be carried out in the central government, as is already happening in banks. This study is now completed.
“The most important and positive conclusion is the confirmation that the red team tests are already being used in parts of the central government,” said Van Hufelen. Based on the TIBER-NL (Threat Intelligence Based Ethical Red-teaming-NL) program of De Nederlandsche Bank (DNB, the central bank in the Netherlands).
Under this program, financial institutions are testing how resilient they are to advanced cyber attacks. This is done with test attacks that are based on realistic threats. A small team from DNB coordinates, but the institutions carry out the tests themselves.
“This is just one of the types of tests that organizations can perform to assess their resilience. The central government is conducting other types of tests, such as pen tests,” said Van Hufelen.
It is important, she added, to note that testing is not an end in itself. It is used to share lessons learned and to track identified vulnerabilities and risks. “This is the main goal because it increases the digital resilience of the national government,” said Van Hufelen.
Trusted and secure environment
The post-investigation report on whether TIBER can be applied throughout the government states that this is possible if a number of preconditions are met regarding confidentiality and the way the results are processed.
According to the Secretary of State, it is important that the security test be conducted in a reliable environment, physically, digitally and socially. It is also important that the results and findings are formulated in such a way that they can be used by organizations within the central government other than the organization being tested.
“Information on specific vulnerabilities will therefore remain confidential in principle,” Van Hufelen wrote in a letter to the Tweede Kamer. “The credibility of the country that carries the red team is also important and is taken into account in the process.”
To illustrate this, she gave an example of a fictitious vulnerability in mail servers. If this information falls into the wrong hands, it can be used to carry out real attacks on the mail servers of the participating organization, as long as no improvement measures are taken.
By formulating the risk posed by the vulnerability in general terms, it can be shared in a secure environment. Other organizations can then check whether it applies to their own environment and whether they are therefore at risk. Subsequently, they can make targeted improvements without being tested themselves.
The approach plan
The results of the study provide a good basis for further securing and strengthening the use of red teams in the Dutch central government, Van Hufelen concluded in a letter to the Tweede Kamer.
To this end, an approach plan has been prepared that takes the outlined prerequisites into account and is being developed in three areas: a joint annual test calendar, which will also be implemented; a safe environment in which knowledge gained from tests can be shared; and a process for sharing findings. The intention is for this foundation to be realized this year.
By 2025 at the latest, the Netherlands’ sustainability ambition must be fully integrated into the government’s way of working, and red team tests must be constantly included in test planning and the budget cycle, Van Hufelen said. Until then, the goal is to have a framework of standards for security testing that also looks at chains. The State Director of Information Technology will implement the approach plan in cooperation with the ministries, and the departments will also continue to conduct periodic tests themselves.