With some government organisations in The Netherlands already using red teaming, the state CIO has commissioned research into red teaming programmes to see if a blueprint of these tests could be used elsewhere in the government.
Alexandra van Huffelen, state secretary for digitalisation in The Netherlands, wrote in a letter to the Tweede Kamer (Lower House) that the digital resilience of the Dutch government lags behind other states.
“Among others, the Cyber Security Beeld Nederland (CSBN) 2021 shows actual threats of state and criminal actors, even against the (national) government,” she wrote. “Robust actions to enhance our resilience are crucial.”
To further accelerate the proactive approach to information security, structural testing of an organisation is an essential element. In this way, vulnerabilities and risks can be identified and addressed before they can have a large impact.
“After all, we know that despite all efforts mistakes can be made, new vulnerabilities become known, and attackers constantly develop new methods,” wrote Van Huffelen.
Already at the end of last year, a majority in the Tweede Kamer wanted a study to be conducted into whether a cyber stress test could be carried out at the central government, as is already the case at banks. That research has now been completed.
“The most important and positive conclusion is the confirmation that red teaming tests are already being used within parts of central government,” said Van Huffelen, referring to the TIBER-NL (Threat Intelligence Based Ethical Red-teaming-NL) programme of De Nederlandsche Bank (DNB, the central bank in The Netherlands).
Within this programme, financial institutions test how resilient they are against advanced cyber attacks. This is done with test attacks that are based on realistic threats. A small team from DNB coordinates, but the institutions carry out the tests themselves.
“This is only one of the types of tests that organisations can perform to assess their resilience. The central government also carries out other types of test, such as pen tests,” said Van Huffelen.
It is important, she added, to note that testing in itself is not the goal. It is used to share lessons learned and to follow up on found vulnerabilities and risks. “That is the main goal, because that enhances the digital resilience of the national government,” said Van Huffelen.
Trusted and secure environment
The report following the investigation into whether TIBER can be applied throughout the government states that it is possible if a number of preconditions regarding confidentiality and the way results are handled are met.
According to the state secretary, it is important for the security test to be carried out in a trusted environment, physically, digitally and socially. It is also important that the results and findings are formulated in such a way that they can be used by organisations within central government other than the organisation tested.
“Information about specific vulnerabilities will therefore remain confidential in principle,” wrote Van Huffelen in the letter to the Tweede Kamer. “The reliability of the party carrying out the red teaming is also important and is taken into account in the process.”
To illustrate this, she provided an example of a fictitious vulnerability in mail servers. If this information ended up in the wrong hands, it could be used to conduct real attacks on the mail servers of the organisation involved as long as no improvement measures have been taken.
By generically formulating the risk of the vulnerability, it can be shared in a secure environment. Other organisations can then check whether this applies to their own environment and whether they are therefore at risk. They can subsequently make targeted improvements without being tested themselves.
The plan of approach
The findings of the study provide a good basis for further securing and strengthening the use of red teaming within the Dutch central government, concluded Van Huffelen in her letter to the Tweede Kamer.
To this end, a plan of approach has been drawn up that takes account of the preconditions outlined, which is being developed along three tracks: there will be a joint annual test calendar, which will also be implemented; a safe environment within which knowledge gained from the tests can be shared; and a process to make findings shareable. The intention is for this basis to be realised this year.
By 2025 at the latest, the Dutch resilience ambition must be fully embedded in the government-wide way of working and red team tests must be permanently included in the test planning and budget cycle, said Van Huffelen. The aim is to have a framework of standards available for security tests by then, which also looks at chains. The state CIO will implement the plan of approach in cooperation with the ministries, and the departments will also continue to carry out periodic tests themselves.