Company: The Hague
Client in lead: Peter van Eijk
For a municipality, core services for citizens and businesses rely heavily on IT. And the COVID-19 crisis adds remote working to it. The municipality of The Hague therefore invests in information security. "Information security helps safeguard the business continuity of our municipality", says Peter van Eijk, Team Lead IT Security for the municipality. We interviewed him about strategic choices, actions and insights regarding information and cyber security. And what are all these hackers doing in the City Hall?
"Around 7,000 civil servants work for the municipality of The Hague. 20 of them work directly on information security."
"The municipality provides services to the city and its citizens, with both privacy-sensitive data and business-critical information. Securing this, to ensure confidentiality, integrity and availability of information, is of the utmost importance."
"Information security is organized on a strategic, tactical and operational level. The information security strategy is developed and implemented municipality-wide."
"100% digital security doesn’t exist. It’s about increasing your resilience and knowingly taking risks."
Throughout the whole interview, one aspect dominates: work together and share knowledge. Whether with ethical hackers, other governments, citizens or businesses. For the municipality of The Hague, this means working on information security for business continuity and for reliable, transparent, and secure civil services.
"This is the core of the strategic policy framework information security for The Hague 2019 - 2022. For the international city of peace and justice, digital security offers an opportunity to stand out and add security to peace and justice. An opportunity to be a forerunner on this topic", says Van Eijk. The security framework defines 4 priorities for information security: working risk-based, being responsible, security by design, being a forerunner, sharing knowledge and public-private cooperation [view box, Ed.].
"As a municipality, we provide a lot of services to our citizens based on software, and we're using more and more of it. Unintentional mistakes in software development (which is natural) may increase digital risks. 100% digital security doesn't exist. It's about increasing your resilience and knowingly taking risks. Some of these risks are acceptable; we limit the implementation of our measures. Some risks aren't acceptable, for instance when they are key to business continuity. We'll take blunt actions then", Van Eijk explains.
Working risk-based. Working on information security is a constant consideration between likelihood, threat and consequential damage on one hand, and the costs of mitigation to limit the damage on the other hand.
Being aware of responsibility and acting accordingly, with defined ownership.
Security by design. From the start of projects and innovations, for both systems, policies and processes, security is included.
Forerunner in the field of cyber security. The Hague puts forward its knowledge and expertise and takes measures to be as digitally secure as can be, while still working risk-based.
"When working on security, we focus on widely used security frameworks. Those are based on guidelines and best practices to manage and reduce cyber security risks. The core of it consists of identifying deviations within the IT infrastructure. Either we take direct action and avoid repeating deviations, or we make sure we'll partner up with organisations to increase our digital resilience, including Zerocopter," says Van Eijk. The IT infrastructure is monitored 24/7, to continuously test the web services and apps offered to co-workers and citizens.
Detection is not only about monitoring the organisation's own IT systems. Van Eijk: "It's important to inform yourself as well: are there vulnerabilities known worldwide? We act on those as well. And we also look at the digital threat landscape, to adjust our policies and used technologies. This landscape changes really fast and the methods of attacks too. We keep this in mind when working on digital security."
Without action, detecting deviations makes no sense for digital security. But how to decide which detections or reported weak spots to work on? "For this, we gratefully use the triage service of Zerocopter", says Van Eijk. "We started working with Zerocopter and its platform in 2017. In 2019, we implemented the Coordinated Vulnerability Disclosure (previously Responsible Disclosure) together with Zerocopter. When an ethical hacker finds a vulnerability in one of our systems, we kindly ask him or her to report the weak spot to Zerocopter. The municipality won't take any legal steps against the ethical hacker for reporting the issue, as long as he or she has agreed to our terms."
"The team of Zerocopter sorts through the reports of weak spots. Is it valid? Is there a Proof of Concept? What is the severity? What is a good financial reward?" says Van Eijk. "This is really important: we don't have the capacity ourselves nor all the specific knowledge to analyse the risk of a weak spot. Although we're ambitious and curious enough to learn from Zerocopter!"
Van Eijk emphasises the collaboration. "It isn't just the platform that helps us deal with cyber criminals. It's also the network of screened ethical hackers. And the reputation of Zerocopter and its owners and employees appeals to us as well. That's a second reason for having set up the collaboration. We're not just buying a license, they are not just a supplier, but we're working together. In each possible way, Zerocopter really wants to increase our digital resilience."
"I'd rather have an ethical hacker detect and report a weak spot than a cyber criminal."
In the strategic policy framework for information security, the fourth priority is about being a forerunner in the field of cyber security. "We act on this by, among others, inviting ethical hackers and by monitoring Internet of Things (IoT) devices throughout the city. For innovations, these devices are used more and more, but they also increase the attack surface. We monitor weak spots", says Van Eijk. More on that later, but first: a group of ethical hackers in the municipality hall of The Hague, helping the governmental institution to defend itself against cyber criminals.
One of the ways The Hague invests in cyber security is not what you might expect. The Hague likes being hacked. Well, to prevent it of course. Since 2017, ethical hackers have been invited each year to hack into the IT systems of the municipality. The hacking challenge, Hack The Hague, takes place publicly in City Hall.
Isn't that scary, inviting people to hack you? "It can be. You'll never know what an ethical hacker might find. But I'd rather have an ethical hacker detect and report a weak spot than a cyber criminal", says Van Eijk. "This form of transparency shows the community we're taking cyber security very seriously. With the challenge, we invite ethical hackers to put our live systems to the test, in a controlled setting, with specific restrictions in place. The ethical hackers report their issues to Zerocopter. They then triage the findings: are they complete, valid and reproducible? On the day of the hacking challenge, our IT team already starts fixing the findings. We fix some of the weak spots within an hour! The challenge provides an additional advantage: it raises public awareness. We were even featured in mainstream media."
The event is growing each year. In 2017, 40 ethical hackers took part. The scope back then: only the websites hosted by the municipality. In the third edition, in 2019, 79 international ethical hackers took part and the scope also included services of some 20 vendors. Due to the COVID-19 crisis, unfortunately, the 2020 edition was cancelled. However, Van Eijk and The Hague are keen on an even larger edition in 2021 on September 27th!
The city, businesses and citizens of The Hague are using more and more IoT devices. In the Living Lab Scheveningen, the city tests innovations to solve social problems, including the use of IoT devices. "They're incredibly cool to use. At the same time, they increase the attack surface. That'll bring in the same risks for reputation, privacy, continuity and even financial damage. To keep using these devices yet minimise the risks, we developed the Smart City IoT Monitor, together with suppliers", Van Eijk explains. "With the monitor, we assess the vulnerabilities and possible patches or workarounds. When a patch isn't available, we'll intensify our monitoring. If we're hit, at least we know it."
Van Eijk has been working specifically on cyber security for the last six years. What are some of his insights that other cities and businesses can't miss? "Awareness of civil servants and employees is vital. Next to that, working together against cyber criminals is also indispensable", says Van Eijk.
"Pay attention to cyber security awareness within your organisation. Awareness is part of our cyber program. Previously, we organised a crisis simulation, where we would provide the top 200 civil servants with cyber dilemmas and scenarios. In teams, they were faced with cyber problems, learned how an incident evolves, which decisions to make and how to communicate. They learned how to manage it together", says Van Eijk. "Although we made big progress on awareness with the simulation, it showed us awareness is and remains an important topic. At the end of this year, we're launching another campaign for civil servants for cyber security awareness."
For Van Eijk, part of working together against cyber criminals is choosing allies. What are the results of this collaboration? "The results are diverse! We continuously increase and improve our digital resilience, raise awareness and support social interests. In our organisation, we see a growing interest and awareness", says Van Eijk. "We also learn from Zerocopter. After their triage, we're curious to know on what grounds a finding is assessed. Would we have done it the same way? Now and then, we can even discuss these grounds as equal partners. We didn't expect this to happen, but it's all the better!"
Last, but not least: what are your plans for 2021 when it comes to digital security? "An even larger Hack The Hague event!" Van Eijk laughs. "We're also planning to further increase the digital resilience of the municipality, including policies when dealing with a possible cyber crisis. And we're investing in partnerships, including the one with Zerocopter. Next year, we will be running a Bug Bounty Program for the City of The Hague with Zerocopter. I'm looking forward to it."