After record-setting negotiations, four parties have finally presented a coalition in the Netherlands. There are a fair number of cyber security measures in the preliminary agreement, which will serve as a guideline for the government's term for the coming years.
Following the elections of 15 March [1], three of the four larger parties in the Netherlands started coalition talks, a task that was viewed as difficult from the start.
With the Liberal Democrats and Christian Democrats as the largest parties, it would be difficult to reach consensus with the biggest winner, Green Lefts, and the centre-democratic Democrats 66 (D66). After Green Lefts eventually dropped out of the coalition talks, a new attempt was made with the Christian Union, a painfully slow negotiation process that was concluded on 10 October with a coalition agreement.
As opposed to a few years ago, the new agreement has a rather large number of sections on IT security, pointed out by many in the industry by counting the use of the term "cyber", which appeared eight times in the 70-page document that outlines the new government's plans for the country over the next four years. An important factor for adding so much IT to the agenda would be D66, the centre party with MP Kees Verhoeven [2] as a well-known spokesperson for the digital agenda.
Law on intelligence and security agencies
Of particular interest in the agreement are amendments to the controversial law on intelligence and security agencies [3], which will go fully into effect on 1 January 2018. A group of petitioners recently successfully collected enough signatures [4] to start a national referendum to try to rescind the law, which would give intelligence agencies the power to use dragnet methods for collecting information on many people in a single area. Most criticism of the law revolves around the supervision of an accountability taskforce, of which some is too vague.
Even though the WiV will go into effect regardless of the outcome of the referendum, the new coalition has decided to evaluate the law within two years. If the supervision is indeed not enough, the law can be altered if necessary.
Use of zero days
Another controversial law, the Computer Criminality Act III, will also be slightly altered. Newly detailed plans in the agreement specifically mention the use of zero-days by law enforcement [5], and give stricter rules for police and intelligence agencies to use these. Specifically, zero-day technology can only be bought and used if required for very specific cases. Also, vendors of such software will be screened by the Dutch national intelligence agency AIVD to make sure software is not also sold to dubious regimes. As with the WiV, this policy will now also be evaluated every two years, and law enforcement has to release statistics on the use of zero-days on a yearly basis.
A lot of these measures are seen as both good and bad by experts. Good, because a new evaluation clause has been added and several safeguards have been built in to prevent abuse. But privacy activists had hoped for more severe measures, like scrapping parts of the laws entirely.
Investing in the country's digital capacity
The coalition plans to spend an extra €95m to lay out an ambitious cyber security agenda and to increase the country's digital capacity. The new funds will be divided among several departments like the Ministry of Security and Justice, Defence, Foreign Affairs and Interior. An extra investment of €275m a year will be put into digital forces within the Dutch army, starting 2020, to increase cyber capacity in the armed forces. A particularly increasing role will be designated for the National Cyber Security Center [6] (NCSC), which advises the private sector on security practices and will be taking on a bigger role in preventing cyber crime and attacks in the future. Also new is the intention to make revenge porn illegal, or the posting online of pornographic material of an ex as a way of revenge after a bad breakup.
This would probably be broadened to any form of posting nudity online of other persons, though the agreement keeps the terms vague, most likely to allow for interpretation. A particularly high-profile case of revenge porn dominated the Dutch technology news earlier this year, as a young girl sued Facebook for refusing to hand over information on who uploaded a video of her. The case got some international attention when Facebook, after a long legal battle, was ordered to hand the information over [7] in 2015.
Storing of email addresses
Hidden away somewhere else in the agreement is the addition of email addresses in the Municipal Personal Records (the Basisregistratie Personen), with little more detail given other than that email addresses will be stored safely and encrypted. There's also a small line about increasing the security of DigiD, the digital login system Dutch citizens can use to log in to government services to do their tax returns or view their student loans. There have been talks for years about replacing DigiD in favour of a new system called eID [8], which has been in an experimental phase for a while but has not been rolled out yet.
Internet of things security standards
For suppliers, the coalition plans to introduce security standards for internet of things appliances [9], though how these standards are to be implemented remains to be seen. This had been a longstanding wish of D66. The agreement also mentions a possible import ban for appliances that don't follow security practice, although this was not detailed.
The coalition agreement is so far just an agreement the four main parties have set up, but it's far from definite. The new coalition will be small with a majority of only one, with 76 seats in a house of 150. The parties' ideals are also far apart, so only a few dissidents in the coalition might mean a law could fail to pass.
However, after more than eight months of negotiations, Dutch MPs will probably not be looking for hard internal clashing.
1. the elections of 15 March (www.theguardian.com)
2. Kees Verhoeven (twitter.com)
3. controversial law on intelligence and security agencies (pilpnjcm.nl)
4. successfully collected enough signatures (nltimes.nl)
5. the use of zero-days by law enforcement (www.computerweekly.com)
6. National Cyber Security Center (www.ncsc.nl)
7. was ordered to hand the information over (www.computerweekly.com)
8. a new system called eID (joinup.ec.europa.eu)
9. introduce security standards for internet of things appliances (searchsecurity.techtarget.com)
When talking about security threats that face companies today, I compare them to the difference between a gas leak in your home and carbon monoxide. Gas companies put a scent in natural gas, so if there's a leak you can smell it, and you know there's a problem. Computer performance is like that. Users notice when their PC is running slower, they don't like it, and they want to get the problem fixed. A security issue is more like carbon monoxide. You can't see it, you can't smell it, and by the time you know you've got a problem, it's too late. Security breaches within businesses have become commonplace. There are now billions of cyber exploits every day, according to the 2017 Internet Security Threat Report by Symantec*. In 2016, these attacks were successful enough to expose over 1.1 billion identities, according to the same report.
The bottom line is that 90 per cent of security incidents result from exploits against software defects, according to a CSO report attributed to the U.S. Department of Homeland Security.
2017 is on pace to set a new record for compromised identities, with more than 1,200 breaches recorded and 3.4 billion records exposed according to Risk Based Security's Q1 2017 DataBreach QuickView Report. It's not a matter of if a business will be attacked, but rather, when. Looking back over the past year's data breaches, there's one common thread: weak identity protection at the endpoint. The PC is a front door to a company's network and assets. But all too often, that PC is outdated and lacking hardware-enhanced protection. In other words, the front door is wide open. Older endpoints are vulnerable because their technology only supports single-factor identity protection at the software layer, rather than providing a much more secure multifactor authentication solution rooted in the PC hardware. A common vulnerability is the use of weak or stolen passwords.
This is a problem, as more than 80 per cent of major data breaches come from password issues at the software level, according to the 2017 Verizon Data Breach Investigations Report.
Why multifactor identification matters
There is now a more effective approach to identity and access management: multifactor authentication anchored in silicon inside Intel-based, enterprise PCs. With the Intel Core vPro platform, our security solutions provide a unique, deeper layer of protection at the root of trust: the hardware component of the computing stack. While two-step authentication is certainly stronger than one, true multifactor authentication encompasses:
As a result, cyber criminals have a much harder time gaining access to a PC. As part of the migration to Windows 10, companies can strengthen security today by upgrading to new devices powered by 7th Generation Intel Core vPro processors with Intel Authenticate deployed. This combination gives you customisable, hardware-enhanced, multifactor authentication with biometrics, credentials and the IT policy engine all stored and executed securely in hardware below the software layer where attacks are prevalent. More than 50 PC designs have been optimised for Intel Authenticate since its introduction in January 2016. Our hardware-enhanced solution supports a range of customisable, hardened factors to fit specific business needs and integrates easily into existing environments. And there's a bonus: Users love it because they don't have to remember complex, ever-changing passwords. Endpoint security doesn't end with identity protection. We're also aggressively innovating to make hardware the center of data protection. The 7th generation Intel Core vPro processor-based devices, announced in January 2017, support a new hardware-enhanced file encryption solution called Intel Data Guard.
Intel Data Guard lets IT centrally set policy on how and when to encrypt files, then execute that policy automatically on individual endpoints. IT has the flexibility to decide how and when files should be encrypted automatically (without any user action) or whether certain file types or folder locations can be encrypted at the user's discretion. This dramatically reduces human error from the process, because users no longer are exclusively relied upon to remember to encrypt sensitive data.
The result is less risk of data loss of sensitive company data. The key to staying ahead of today's ever-evolving security environment is to deepen your endpoint protections. Refresh older PCs with modern systems that feature hardware-based security defenses that transform an endpoint problem into a key part of the solution.
Over the past 18 months the rail operator, part of National Express, has introduced a string of new safety measures – which appear to have paid off.
Run by the Department for Transport, it sets a national standard for passenger safety and security.
Each station is assessed by the British Transport Police against a list of criteria – including how well it is designed and managed, the approach taken to tackling crime when it does happen, and local passenger perception of security.
Security measures introduced by c2c include a new purpose-built 24/7 CCTV centre, based in Romford, which provides access to over 1,100 cameras – with operators able to view more than 50 at once.
There is also a dedicated British Transport Police team for the c2c route, and every station has staff present from before the first train arrives in the morning until after the last service departs at night to reassure passengers.
Iain Palmer, c2c security manager, said: "We take the safety and security of our passengers extremely seriously, and we've invested in more people and new technology to help keep our customers safe.
"We're extremely proud to have been awarded Secure Stations accreditation for every station on the route."
The new accreditation lasts for two years before the stations are re-assessed by the police.
The Secure Stations Scheme provides British rail companies with the chance to improve security at their stations and show customers they are committed to reducing crime.
Peter Slattery, from Southend Rail Travellers Association, said: "I wholeheartedly agree that it is good they have got the award.
"The stations do seem safe up until about 10pm, but after that there are not many staff there and it doesn't feel as safe.
"It is better than it used to be many years ago."