Ransomware a threat to national security, says Dutch counterterrorism office

Ransomware attacks have the capacity to destabilize the Netherlands and is a threat to national security, the National Coordinator for Security and Counterterrorism (NCTV) said in its annual report on cybersecurity, released on Monday. It is the first time the office has categorized the cyber crime as endangering national security, though the practice of hijacking data, encrypting it, and charging money to unlock it actually dates back to the 1990s.

The agency suggested cybercrime is showing no signs of slowing down. The theft of data, disrupted systems, blocked data traffic, interrupted communications services, and the possible shut down of utility services like water, gas and energy providers can all have massive consequences for society and the economy.

“Ransomware attacks pose a risk to national safety when it comes to the continuity of vital processes, the leaking and/or publishing of confidential or sensitive information and the damage to the integrity of the digital space,” the NCTV said. “National security is at stake when the target of such an attack is part of the vital infrastructure (including the central government and all established vital processes) and the attack disrupts the continuity of vital processes.”

The agency said that the many organizations in the Netherlands are completely unprepared to fend off such an attack. Those which have prepared by taking basic measures also usually are deficient in their preparations because they do not regularly examine risks as criminals adapt and new tactics develop.

While ransomware attacks themselves can be lucrative, with ransom payments often made in bitcoin or other cryptocurrencies, a growing issue is Ransomware as a Service (RaaS), the NCTV said. That is when developers create ransomware methods which are then leased to people who can carry out attacks when they take out a subscription. Research shows that RaaS can cost from 30 euros per month up to by signing up for services which cost as little as 30 euros per month, up to several thousand euros, according to cybersecurity firm Crowdstrike.

“Cryptocurrencies offer ransomware attackers the possibility to have the victim transfer money in a fast, irreversible and relatively anonymous manner,” the NCTV wrote. “Tracking and prosecuting perpetrators behind ransomware is therefore not sufficient: increasing resilience and disrupting the revenue model deserve just as much attention.”

The NCTV was also concerned about the country’s robust commercial IT infrastructure being utilized by criminals. “The Netherlands stands out as a country where a high, above-average level of cybercriminal infrastructure is hosted. This is evident from many criminal investigations and requests for legal assistance from abroad.”

Government also needs to take a firmer role in addressing the insufficient approach to cyber security in the Netherlands, the NCTV said. It can help address issues at “the national level, including structural problems such as the growing dependence on foreign software, hardware producers and service providers.” The government can also enact regulations about what products are allowed on the market, for example a standard for Internet-of-Things devices, and it can also put forward policy to encourage more risk management.