The Hague: Europe's Cyber-Guardian
In its bid to become the digital gateway to Europe, the Netherlands takes a robust stand in fighting such cyber-threats and guaranteeing the security of critical infrastructure. Given the country’s highly competitive internet markets, cybercrime, digital espionage and the disruption of online services are a major concern. National smart city plans in the Netherlands are reliant on cyber-security. The Government therefore nurtures ICT start-ups, invests in secure products and services that protect privacy and creates policies and regulations conducive to entrepreneurship in this domain.
Den Haag (The Hague), in particular, is sharpening its profile in cyber-security. The Dutch capital is home to prominent international organisations and around 400 security businesses. The Hague Security Delta (HSD), a unique public-private partnership funded mainly by the municipality was launched in 2014, as the national innovation centre and leading security cluster in Europe. Creating products and services to combat global menaces, such as organized crime and terrorism, HSD is set to enhance The Hague’s status as the international city of peace and justice.
On a tour of the gleaming HSD complex, The Smart Citizen spoke to Roel van der Weij of The Hague’s Safety and Security development service. “We are a hub in the Netherlands for Europe and the rest of the world,” he said. “The centre has had a lot of success in its four years of existence.”
HSD addresses five action pillars in an interdisciplinary manner: national security, cyber-security, urban security, the protection of critical infrastructure and forensics. It supports cyber-security start-ups with ‘living labs’, training facilities and office space.
The network comprises some 250 knowledge partners, government agencies and businesses, he explained on a tour of the gleaming HSD complex. Multinationals such as Siemens, Nokia and Huawei, scientific institutes such as the Delft University of Technology and bodies such as EUROPOL, the Ministry of Security and Justice and the National Police research and collaborate in a trusted environment. HSD also houses 50 to 60 security-oriented companies, an ecosystem of exciting new start-ups.
“Cybersecurity has really grown over the past few years, so economically, it’s really interesting for us as a city, but also for the Netherlands to have the cluster here,” says van der Weij.
Equipped with living labs, HSD provides high-tech facilities to test new solutions in real-life crises. Labs develop products and methods for real-time intelligence or replicate the experience of cyber-incidents. Through the simulation of disasters, first responders, for example, develop complex crisis and security management skills, such as during large sporting events or fires.
HSD frees companies from cumbersome property management and costly overheads. Shared spaces, such as boardrooms, mean that occupants don’t have to spend a lot of rent for the few times a year clients or investors come to meet them. Located in the heart of town, HSD is linked to the fastest trains in the Netherlands.
The centre offers a wide range of support, for example, the creation of opportunities for overseas expansion; access to capital; seed-funding; academic courses; networking at campus lunches and professional ‘matchmaking’ events. HSD enables market access, support through the chamber of commerce and a pipeline to tech-focused companies. Top-notch personnel can also be secured through its Security Talent scheme.
Rogier van Gulpen,
Product Owner, StartMail
Mark de Groot, Leader, Ethical Hacking Team, Royal Dutch Telecom (KPN)
Pieter Jansen, Founder CEO, Cybersprint
Start-ups like Cybersprint and StartMail are lucky to have a champion at the highest levels in Prince Constantijn, the younger brother of reigning Dutch king Willem-Alexander.
The prince is an INSEAD graduate who has also had a stint in The World Bank. An independent adviser on corporate innovation, he jointly initiated Startup Fest Europe, a five-day festival of events throughout the Netherlands and has been appointed Special Envoy for Startup Delta2020.
At a roundtable at the Smart and Safe City Conference in June 2017, Prince Constantijn said that innovators struggle against a risk-averse system. “Smartness exists in the experimental sphere. We see smartness in tech, experts, people, but they confront dumbness – budgets, procurement processes, bureaucracy, governance".
The good hacker
Ubiquitous connectivity is the promise driving the Internet of Things (IoT). Future cities will be networked with countless autonomous, intelligently functioning IT systems embedded in mundane household objects-all potentially hackable. However, say experts, not enough is being done to incorporate security and privacy into IoT design.
Mark de Groot of Royal Dutch Telecom (KPN) prepares for worst-case scenarios. “Large-scale IoT attacks are not a matter of if, but when,” says de Groot, leader of KPN’s ethical hacking team, which simulates various types of attacks. “If hackers take control of IoT devices, they could disrupt a city’s traffic signals, strike the power grid or jeopardise the safety of driverless cars. Such possibilities take hacktivism and terrorism to a whole new level. The race is on is to develop resilience to these threats in order to safeguard critical infrastructure.”
Not that intelligence agencies are exempt from launching cyber-attacks. For example, WikiLeaks revealed in March that the CIA runs a global programme to hack consumer devices, including smartphones. “These State actors have their own reasons for compromising devices,” says de Groot, voicing concern about hacks of IoT technology to spy on and manipulate citizens, and subvert foreign powers. “It is vital to embed security into the DNA of smart city development, hug the hackers, promote responsible disclosure and perform regular attack simulation exercises,” states the ethical hacker.
First line of defence
“When you’re hacked, your reputation is at stake,” according to Pieter Jansen, CEO and founder of Cybersprint. The company, which joined the HSD campus in April 2016, develops software that detects vulnerabilities and prevents incidents. Its solutions are implemented by major banks, government organisations and pharmaceutical companies around the world. Cybersprint provides an example of how, through cooperation, innovative Dutch start-ups can be marketed internationally, while creating jobs in The Netherlands. Starting out with 3 employees a year and a half ago, it soon grew to a twelve-person team.
Jansen highlights two main problems facing large organisations:
- first, monitoring the online attack surface (for example, obsolete websites built for special events, or improperly used social media accounts)
- second, phishing, the biggest problem confronting the finance industry, which involves scammers who use fake websites, domains and email addresses to install ransomware and lure people into transferring money.
Around 200,000-300,000 new domains are registered every day. Typically, a shadow website can be set up without IT services simply using a credit card, making it a nightmare for banks to monitor. Cybersprint scouts the web for shadow websites to determine who set them up. The company has developed a next-generation virus scanner and warns companies about visible and hidden hacks on their websites and other digital domains.
The company’s real-time Digital Risk Monitoring platform locates threats, working outside the clients’ environment, therefore, outside the hacker’s purview. Shadow websites, for instance, outdated or forgotten servers and webpages, comprise 90 per cent of the Internet and are easy targets for criminals. Cybersprint’s software reveals all webpages belonging to an organisation, including in the dark web – the recesses of the Internet beyond the reach of Google where people browse anonymously. “The dark web is deeply encrypted and virtually untraceable unless you’re the FBI,” says Jansen.
A cyber-attack goes through a ‘cyberkill’ chain. Cybersprint works to boost defences: it recognises the first, or exploratory, stage of a hack, while most players repel attacks further down the line. The idea, says Jansen, was to fill a niche where there were no existing players. Cybersprint immediately alerts clients to risks, whereas normally, it takes 2 days to detect an attack. The company’s IT experts can then block malicious activity, or hand data over to fraud intelligence teams.
Through HSD access to capital, Cybersprint received funding in April 2017 from InnovationQuarter, a regional governmental development agency and fund for safety and security. “This seed investment will help us grow even faster and support product development, which in turn will stimulate expansion into other international markets," says Jansen.
Jansen is grateful for the Soft Landing programmes in foreign markets afforded by HSD, aimed at facilitating meetings with potential clients and lawyers who can help entrepreneurs set up overseas businesses. Under that initiative, a number of American companies visited Holland and Dutch firms went to Maryland, USA. He has also taken part in high-level trade missions facilitated by HSD, thus meeting his first clients in Atlanta and Washington, and visiting Germany last year as part of a delegation led by the Dutch King and Queen. Sounding upbeat about a tech-driven future, Jansen notes: “Smart cities can be accelerators of cybersecurity".
“Google knows more about you than your partner!” says Rogier van Gulpen, product owner of an ultra-secure encrypted web-mail service called StartMail. “We think this is a problem for society.”
Edward Snowden’s disclosures in 2013 about government spying and mass data collection, followed by the hacking of the DNC email server during the 2016 US elections, drove home the importance of search engine privacy, van Gulpen said. StartPage, the world’s most private search engine, is expanding to meet demand. Traffic is increasing to between 5 to 6 million searches daily. StartPage does not collect personal information or share, for example, with advertisers or Governments. It serves Google search results confidentially without recording IP addresses or tracking user searches. There is no digital fingerprint.
StartMail is a fee-paying service, the only way to ensure strong security and privacy protection, according to van Gulpen. Email is inherently insecure: once sent, everyone can read it, and you can never be sure how well the recipient is protected. With StartMail the user owns his data and, importantly, deleted data means just that –nothing lurks on the Net.
Email in transit is protected with two forms of encryption: ‘PGP’, a privacy tool allowing communication between people who have a PGP key, and a set of user-created questions-and-answers to lock and unlock encrypted messages. StartMail caters to four main client profiles: programmers; regular users; people who distrust government/small businesses; and journalists and activists.
StartMail grew with support from HSD. Instead of outsourcing, it got a development team of 15 together. The company interacts with in-house tech-focused businesses, for example, a ransomware analytics company, or specialists in the protocols they need to use, or bitcoin supply partners.
“If you search with Google, they will build a profile of you. If you like scuba diving and search Egypt with Google, you get holiday information but if you’re a political activist then you get information about the political system. This is a problem because information that should be available to everyone is limited and we saw this with the American election results. People only see information because of their interests or environment or Facebook only shows you what your friends are thinking. It’s like a filter for counter-arguments. We think that is risky. Our service is partially a solution to that,” says van Gulpen.
Van Gulpen acknowledges the risks inherent in handling data as a privacy-focused company. “You become a honeypot if you just collect information. ‘We are constantly trying to minimise our contact with user data; because we do not have access to data we do not have to protect it. We don’t have to trust our people. Our users don’t have to trust us because the technology takes care of that. And, of course, we are less scared of States or criminal groups that try to get access to data.”
“There is a great risk if you are collecting data that it gets stolen. Less could be more in terms of business value.” Regarding the direction of security policy, van Gulpen says: “It’s a balance, if you want a smart city you need a lot of data and have to take privacy into account. Smart cities need data but they need protection too”.