According to a new report by the Scientific Council for Government Policy (WRR), the Netherlands is not ready for a large cyber-attack or major outage. This can be attested to by the KPN outage in June, which saw the emergency services number offline. It’s not just the government that is not prepared; it’s companies and society as a whole.
At the moment there is too much “improvisation and gambling” going on when it comes to digital disasters. “That is partially due to naivety”, says WRR researcher Erik Schrijvers, “But it is also due to laziness.” According to the council, there is little transparency, and all the risks that come with that, as systems which govern, for example, telephone communication, payments, security and transport are completely automated, interconnected and operate in a web with various vendors and intermediaries.
The major KPN outage in June is a stark example of how things can go wrong. That day, the emergency services number was unavailable for hours. During the outage, three people died, ambulances arrived later than desired. “[This] illustrates the enormous interdependence, in this case between the provider KPN, software companies that supply KPN and the emergency services number. It also shows how poorly prepared we were”, reports Schrijvers.
In order to prepare the Netherlands for a large cyber attack, the WRR has a few suggestions. Firstly, the networks and vendors of systems in important sectors need to be mapped. Doing so should shed light on whether extra fall-back options are necessary.
The WRR also advises establishing a damages fund for the victims of cyber-attacks, as these are often not covered by insurers. If nothing is done, it’s possible that it could go horribly wrong, as it did in June, more often.