On the 17th of December 2019, the American software manufacturer Citrix made a public announcement on its website that some of its software products contained a vulnerability. This vulnerability allowed attackers to penetrate the digital systems of organizations using these products. Citrix indicated which measures organizations could take to temporarily fix the problems, but it did not yet have a definitive solution. One month later, on the 17th of January, the National Cyber Security Centre (NCSC) advised Dutch users to shut down their Citrix servers. Immediately in the weeks following the disclosure of the software vulnerability, attackers penetrated the digital systems of several organizations. These attacks continue to this day.

The Dutch Safety Board investigated what lessons can be learned from the way in which the parties involved dealt with the risks of vulnerabilities in Citrix software and other incidents where vulnerabilities in software were exploited by attackers. Both the prevention and response to such incidents were examined.

Investigation publication

Vulnerable through software - Lessons resulting from security breaches relating to Citrix software

The Netherlands’ approach to digital safety and security needs to change rapidly and fundamentally to prevent Dutch society from being disrupted by cyber-attacks. This is the conclusion reached by the Dutch Safety Board in its report ‘Vulnerable through software’ published today. The Board investigated security breaches that occurred in thousands of organizations due to vulnerabilities in Citrix software. Jeroen Dijsselbloem, Chairman of the Dutch Safety Board, commented, “These incidents show that Dutch government organizations and businesses are highly vulnerable to cyber-attacks. They highlight the lack of a national structure capable of alerting all potential victims of cyber-attacks in a timely manner.”

Attacks via Citrix
On 17 December 2019, Citrix disclosed a vulnerability in its software and took temporary measures to mitigate the risks. But before the thousands of organizations using Citrix could be made aware of the acute risks and install the temporary measures, attackers had penetrated some systems. The National Cyber Security Centre (NCSC) issued a direct alert to the Dutch national government and vital operators, for which it considers itself responsible. Other organizations and the wider business community were not alerted directly by the NCSC, leaving the attackers free to infiltrate digital systems on a large scale. To this day, attackers have illegal access to systems and data in organizations. They can use this capability at any time to disrupt business processes and services, and affect privacy and security.

Manufacturers’ responsibility
Secure software is primarily the responsibility of the manufacturer. The Dutch Safety Board argues that manufacturers should invest greater resources on a more continuous basis to improve software security. At present, manufacturers inundate software users with patches and updates to fix flaws in their software without coming up with structural solutions. There are no instruments to provide software purchasers with independent insights into the security of the product they are buying. In addition, customers often lack the expertise and power to demand more secure software from the manufacturers. Some customers do not recognize the importance of doing so.

Limited government approach
As things stand, early warning systems do not reach all organizations that use software and are therefore potential victims of cyber-attacks. The NCSC sees no legal mandate for itself in terms of warning organizations beyond national government and vital operators. The Dutch Safety Board believes it is essential that the government should adopt a centralized approach to identifying threats and issuing quick and direct warnings to all potential cyber-attack victims, backed by a sufficient mandate and legal safeguards.

Recommendations of the Dutch Safety Board
Society is becoming increasingly dependent on digital systems. Manufacturers, governments and organizations will have to work together to come up with an effective approach that will make the Netherlands more resilient to cybercrime. This requires manufacturers to improve the security of their software on a fundamental and continuous basis. The Dutch Safety Board recommends that software quality requirements be set at a European level to compel software manufacturers to take responsibility for the security of their products. The Board advises the relevant government bodies and the business community to join forces. By working together, they can strengthen their position in relation to the software manufacturers and make better use of their limited expertise.

Within government, the monitoring of digital safety and security can be regulated in the same way as the monitoring of prudent fiscal policy as laid down in relevant legislature. Such legislation requires a single government official and a central service to oversee the relevant processes, to intervene where necessary and to be held accountable. The Board also recommends that larger companies and organizations be held legally accountable for how they manage their digital safety and security.

View the infographic by clicking on the image.

Infographic kwetsbaar door software

Recommendations

This investigation shows that vulnerabilities in software lead to insecurities for organizations that use software, and for those who depend on these organizations. The gap between digital dependency and the threat level on the one hand; and the extent to which society is resilient to it on the other hand, is growing. Fast and fundamental interventions are needed to prevent society from being disrupted. That is why the Dutch Safety Board issues recommendations.

The full recommendations, including notes, can be found in the report.

To the Dutch Cabinet and to organizations in the Netherlands that use software:

1. Ensure in the near future that all potential victims of cyber attacks are alerted quickly and effectively – solicited and unsolicited - so they can take measures for their digital safety and security. To this end, bring together public and private response capacity and ensure sufficient mandate and legal safeguards.

To the European Commissioner for Internal Market and the European Commissioner for A Europe Fit for the Digital Age:

2. Ensure that your initiatives to legislate for safer and more secure software lead to a European regulation that establishes the responsibility of manufacturers and provides insight to buyers of software in how manufacturers assume this responsibility. Establish that manufacturers are liable for the consequences of software vulnerabilities.

To software manufacturers collectively:

3. Develop good practices with other manufacturers to make software safer and more secure. Include a commitment to these practices in contracts with your customers.

4. Warn and help all your customers as quickly and effectively as possible when vulnerabilities in software are identified. Create the preconditions necessary to be able to warn your customers.

To the State Secretary of the Interior and Kingdom Relations and the Minister of Economic Affairs and Climate Policy (for the benefit of all organizations and consumers in the Netherlands):

5. Encourage that Dutch organizations and consumers jointly formulate and enforce safety and security requirements for software manufacturers. Ensure that the government plays a leading role in this. Proceed on the basis of the principle: collective cooperation where possible, sector-specific where necessary.

To the Dutch Cabinet:

6. Create a legal basis for the management of digital safety and security by the government, by analogy of the Dutch Government Accounts Act (Comptabiliteitswet).

7. Require all organizations to uniformly account for the way in which they manage digital safety and security risks.

Imagery

Updates

  • Press

    Fundamental intervention is needed to ensure Dutch digital safety and security

  • News

    Get in touch about this investigation

Investigation data

Investigation start date

Report publication date

Status Completed

Phase Publication