No more talk, time for action.

Fox-IT (part of NCC Group) was invited to join a round-table session hosted by the parliamentary Committee of Digital Affairs on Wednesday 8 December 2021. The purpose of the meeting was to have a discussion about topics related to digitization and the role that the government, politicians to be precise, have in this matter.

Fox-IT happily accepted the invitation with Erik de Jong (Strategic Advisor to the EU Board) representing the company. In three rounds, ten organizations were asked to elucidate their perspective on digital matters. Topics differed from human rights to smart automotives. Prior to the session, Fox-IT wrote and submitted a position paper advising the Dutch government on possible priorities in the cyber security domain.

The content of the above mentioned position paper is publicly available here (in Dutch). An English translation can be found below.

Position paper Fox-IT:

Fox-IT stands for an open, safe and democratic society and contributes to these core values every day. We do this by manning the front lines to fight cyber criminals and state actors. As a Dutch entity that operates at the heart of society we also participate in many partnerships to be able to make this contribution. We do so for example as one of the co-founders of the trade association ‘Cyberveilig Nederland’ (Cybersafe Netherlands) that exists to increase the quality and transparency of the cyber security sector in the Netherlands. But we also fight for equal opportunities in the labor market for the future generation through the collaboration we have with JINC.

We carry out our cybersecurity activities working closely together with partners and customers. This enables us to witness the threats organizations face on a daily basis up close. It is a given that the Netherlands’ lagging behind in the field of cybersecurity is only increasing and continues to increase because, even though many reports on these topics have been written, there is a lack of follow-up and appropriate action and execution. The fact that the digital world is fast changing can’t serve as an excuse, it is not new that we are dependent on ICT, it is not new that technology is developing, it is not new that there is a shortage of staff and it is not new that we need to protect the most vulnerable in our society.

So the time for talking is over: it's time for action. It is known what the government must do to increase the (cyber) resilience of society, organizations and citizens. For this we’d like to refer to the report of the Cyber Security Council that was published in April 2021. There is a high degree of consensus among security experts about this report, and we strongly advise to make this report the central starting point for the security ambition of the Dutch national government. It would be a waste to let it disappear in a footnote of the upcoming coalition agreement.

However the government doesn’t have to do it alone. We as a company are strongly committed to making a contribution wherever we can. In fact, in some cases digital resilience can only be achieved when there is an equal public-private relationship, i.e. together. Fox-IT therefore emphasizes the importance of equal and reciprocal partnerships between businesses and the government. Because only by using the knowledge and expertise from both sides the most optimal solution, one that suits the increasing threat and the growing importance of ICT, can be realized.

Data sovereignty is an outstanding example. Government organizations are increasingly putting more data in the cloud, either voluntarily or under pressure from large IT service providers. In these situations it is important that the Dutch government maintains control over its own data. The data must be protected using encryption and must be able to be retrieved “from the cloud” when needed. Integrity and confidentiality must be guaranteed. To properly tackle these kinds of issues, equal cooperation with trusted private partners is necessary.

For citizens, companies and society as a whole, the safety and resilience of central government and vital providers is crucial. We advise the central government and its suppliers to look at a variant of the General Security Requirements for Defense Contracts (ABDO) for the entire central government. Uniformity where possible, customization where necessary. Because of the importance, we are in favor of certifying IT service providers in this domain or even auditing them in the case of classified information.

Critical infrastructure organizations must meet various strict requirements in the physical domain because of the importance of these organizations for society, but the situation is different in the digital domain. The NIS directive ( the European guideline for network and information security) now states that vital providers must take “appropriate measures”, without providing clarity on what those measures should be. In practice, this means that some organizations are hardly bound by any measures. Fox-IT sees it as inevitable that stricter minimum requirements will also apply in the digital domain for vital critical infrastructure providers with a more prominent role for supervisors.

Security and resilience are not only a result of the measures taken by an organization ,but also to a large extent rely on the security of hardware and software. The aforementioned CSC report contains concrete recommendations on this topic that we fully endorse. And once again we’d like to bring a recurring discussion point from this dossier to your attention. AMS-IX and ECP have, together with partners including Fox-IT, published a neutral overview map with all pros and cons for a legal decryption obligation for companies such as Whatsapp, iMessage and Telegram (over-the-top services). Fox-IT is an opponent of such obligation.

Finally the human component. Often perceived as the weakest link in the chain nothing could be further from the truth. In layered security, people are often the most flexible layer, able to react alertly where technology fails. But for that, people have to be resilient. And although we teach children in the Netherlands from an early age how to be resilient in traffic from the start, digital resilience is the great absentee in the Dutch curriculum. This is unacceptable. Information about digitization, including security, should be included in the curriculum as soon as possible. Right now great initiatives like HackShield fill this gap.

Somewhat contradictory to, but also complementary to the “it’s time for action” motto, is the measurability and determination of the effect of measures that must be defined in advance. Invest in, and implement, initiatives that have clear deliverables and measurable goals in advance. This will also make it easier to stop when it turns out that it doesn't have the desired effect. With the accumulated knowledge and expertise Fox-IT possesses this is also definitely something we can contribute to.

In summary we would like to share three standpoints that are important for Fox-IT:

• Initiate equal and reciprocal partnerships between the private and public sector to tackle strategic issues.

• Ensure that central government, vital providers and suppliers, including security providers, must meet a set of minimum requirements and guarantee a prominent role for the supervisor.

• Incorporate digital resilience into the curriculum in primary and secondary education.

Together and as a collective we contribute to a safer and more secure country