“An organisation can always be hacked. You need to prepare for this,” says Saskia Bruines, Alderman for Economy, International Affairs and Services, at the Municipality of The Hague. Not a reassuring conversation starter, but a message for everyone to take cybersecurity seriously.
How does The Hague “prepare for this”? Partly by agreeing to have their computer systems – and their suppliers’ – hacked by ethical hackers during Hâck The Hague. Hâck The Hague is an open and transparent event that takes place every year in the Atrium of the City Hall, where national and international hackers are let loose within a controlled environment. They search for vulnerabilities in the systems and websites of the organisation and of the suppliers that are part of the same ecosystem, at a specific time, while sticking to pre-defined rules.
“While digital security is often difficult to explain, it becomes easier to explain when a few hundred hackers are working live in the Atrium of the City Hall while citizens queue to pick up their passports,” says Daan Rijnders, Lead (Quartermaster) Cyber Secure at the Municipality of The Hague.
And if it is an eye-opener for citizens, it is mainly a learning moment for the municipality. “I consider Hâck The Hague to be the equivalent of an annual evaluation,” says The Hague’s Chief Information Security Officer, Jeroen Schipper, who is also responsible for the event. “When it comes to digital safety and security, you can develop policies until you’re blue in the face. But it’s only when you organise an event like this, that you will know in practice whether we’ve done our job properly.”
The value of such an event is evident as more and more suppliers also agree to take part in it. Four years after its first edition, Hâck The Hague welcomes 200 professional and student hackers of 23 nationalities, and a growing number of the city’s suppliers who sign up to take the security of their own systems to the next level.
For example, DG Groep participated in Hâck The Hague in 2019, submitting their GISIB application, which is used to register, inspect and manage all government assets or capital goods, including roads and lampposts, grasslands, forests, riverbanks and reeds. “We had protected our system to the best of our knowledge, but you can never be sure that this is sufficient when more than 100 hackers are let loose on your systems,” recalls Jan Uittenbogaart, DG Groep CEO and Product Development Manager.
Thanks to the event, DG Groep found several issues, including potential data leaks, and was able to get to work on solutions immediately. They even checked back in with the hacker who found the problem to confirm that their fix was effective.
More and more city services are becoming digitalised, and local governments have to ensure that these can take place safely, which makes cybersecurity all the more important. “Society is digitalising and as a city, we must keep in step with this evolution,” says Bruines. This means not only being able to offer innovative services at a click’s distance, but also maintaining a secure digital environment.
Cities can keep a secure environment and build their digital resilience only if everyone is on board. “All too often, cybersecurity is seen as something that IT will take care of,” says Bruines. “In reality, this issue deserves attention from and should be a concern at every administrative level. Without this awareness, organisations are incapable of structurally improving their cybersecurity.”
You can have the most secure system, but if your employees don’t understand what part they have to play in it, the system will fail. “Involve employees in everything you do,” suggests Peter van Eijk, Information Security Manager at the Municipality of The Hague. “This includes IT professionals and people from within the organisation.”
The information security department needs to analyse and understand the technical risks, then translate them into risks for the organisation and measures that each employee has to take to limit them.
The security of your system also extends to your suppliers. Cities, like any other organisation, can depend on third parties for their hardware, software or IT services. But this exposes them to additional threats, particularly as they don’t have direct control over the level of security exercised by third parties. For example, downloading a plug-in to monitor performance on your website can turn into a Trojan horse that gives access to sensitive information. To avoid this, it is important that municipalities add security requirements to their purchasing conditions and monitor compliance.
There are several actions that cities can take to increase their digital resilience and security, starting with mapping their digital footprint: a city should know what systems and websites it uses. How can you protect something you don’t even know you have?
This is where The Hague also started back in 2007, when the organisation’s digital footprint and attack surface were relatively undefined. Today, the city has a precise overview of both and of their vulnerabilities, which takes constant work to maintain.
Once you know what your city needs to protect, you should make sure you have the necessary specialists and experts. Then you can start working on finding vulnerabilities, analysing risks and solving problems. However, van Eijk says that “being in control doesn’t mean you have to fix every vulnerability right away. It’s about having insight into the vulnerabilities and their possible impact so that you can make the right decision about whether you need to tackle something now or later.”
Based on their experience, The Hague and Cybersprint have published an e-guide on how you can improve your organisation’s cybersecurity and what role hackers can play in this process. By actively involving ethical hackers in cybersecurity policy, cities can always stay one step ahead of cybercriminals.
“Tackling the digital resilience of a governmental body or company essentially means not being afraid of being caught with your trousers down,” reads the guide. Cities shouldn’t be afraid to create the conditions for ethical hackers to test their systems. “Dare to share knowledge – that applies to hackers as well as companies. Keeping knowledge to yourself won’t make the internet a safer place,” says Jonathan Bouman, General Practitioner and Ethical Hacker.
The invitation from The Hague is to get moving, and not be afraid to try unconventional ways to tackle cybersecurity. Interested cities can get in touch with The Hague’s Chief Information Security Officer, Jeroen Schipper, to share more information about cybersecurity in their city.