A few weeks ago I read this in the news: “The Netherlands are not ready for a cyberattack”. This intrigued me and a couple of things sprung to mind. First off: ‘Haven’t I read this before?’ And secondly: ‘Why would you report this?’
It turned out I did read something alike. It was back in May already, when the Commander of the Armed Forces, Tom Middendorp, gave a briefing on the recently installed Defence Cyber Command. He told that the new division of the Armed Forces, consisting of about 80 men, was still ‘adolescent’ and needs more manpower and money to be effective.
We’re not ready
Just like this time, I was wondering why they would give this briefing. Middendorp got very detailed about how hard it is to stop a cyberattack, how the spreading of ‘fake news’ is dangerous and how we are hit with ‘thousands of attacks’ each year.
I truly do not understand why they would report so extensively on the state of our national cybersecurity. When hackers know that we are not ready, it is no surprise they will try to attack. They know they have an advantage on us. And now they kind of know where to hit us.
On the other hand, I don’t want the government to tell everybody that we are ready for a cyberattack and that we are safe. That is giving criminals a go to say: “Challenge accepted”. They will try even harder to hack our systems. And since hackers are always couple of steps ahead on our government’s defences, they will probably know a way to get in.
I think we should not report on the state of our cybersecurity at all. Don’t give away our weaknesses or our strengths, for that matter. It will be only an invitation for criminals to try to get in.
But if we have to report on it, make sure you only report on it afterwards, when the incident is dealt with. Like what the police did, after their Operation Bayonet, when they infiltrated Alphabay and Hansa Market on the dark web and basically shut it down – which was a really cool operation if you ask me. They reported it after the operation was over and only the results, not on the tactics.
I know we need to report on cybersecurity, not the least to try to get more money for it. But be careful on how you report on it and when. In a way it is the same as with terrorism: The more attention, the more attacks are likely. If we can bring it down to just facts and notifications, perhaps it helps bring down the attacks.
That, and lots of funding for the Defence Cyber Command and the National Cyber Security Centre. Only then we will have a change.