AI can be used to quickly and easily access sensitive gov't data, Dutch experts warn

Artificial intelligence is significantly speeding up the time it takes to find and exploit software vulnerabilities, from days to hours and potentially minutes, Dutch cybersecurity officials warn.

The urgency was explained by researcher Rogier Fischer from cybersecurity company Hadrian. Fischer demonstrated to NOS how a low-cost OpenAI model could analyze the code of government websites, identify a security flaw, and access the restricted data. Fischer then downloaded a protected file and accessed a database. Such an attack cost him around 10 euros. “There is nothing that stopped me,” Fischer said, adding that access allowed full control inside the system. He said he stopped the test after proving the vulnerability.

Separate research by cybersecurity firm AISLE found that inexpensive AI systems can detect large numbers of vulnerabilities at scale. Since September, the company has identified more than 200 flaws using multiple AI models, according to co-founder Jaya Baloo.

“Companies and organizations must be able to respond rapidly,” Matthijs van Amelsfort, director of the National Cyber Security Center (NCSC), told NOS. “In the past, it took days before an attacker exploited a bug. Now it is hours. That will become minutes.” AI systems can automatically scan software for serious flaws, including long-standing vulnerabilities that went unnoticed for years. Because these tools are fast and do not tire, officials say the risk to digital infrastructure is rising.

AISLE also found that older, low-cost AI tools could replicate results previously attributed to more exclusive systems, including an AI tool called Mythos. “There was a narrative that AI suddenly became very good at finding vulnerabilities,” Baloo said. “But we have been doing this for months with older systems.”

Experts say defenders still appear to have an edge, but the gap may be narrowing quickly. Dimitri van Zantvliet of the CISO Platform said the situation is urgent, not panicked, noting that vulnerabilities in decades-old systems are still being discovered and must be fixed faster.

Officials also warned that offensive use typically follows quickly once new technology becomes widely available. Van Amelsfort said attackers often adopt new tools within months, raising the risk that AI-driven hacking could soon become widespread.

“The Netherlands is highly digital,” he said. “That also makes us vulnerable. Attackers and defenders will remain in a constant battle. We must ensure our defenses are in order.”