This investigation shows that vulnerabilities in software lead to insecurities for organizations that use software, and for those who depend on these organizations. The gap between digital dependency and the threat level on the one hand, and the extent to which society is resilient to it on the other, is growing. Fast and fundamental interventions are needed to prevent society from being disrupted. That is why the Dutch Safety Board issues recommendations.
The full recommendations, including notes, can be found in the report.
To the Dutch Cabinet and to organizations in the Netherlands that use software:
1. Ensure in the near future that all potential victims of cyber attacks are alerted quickly and effectively – solicited and unsolicited – so they can take measures for their digital safety and security. To this end, bring together public and private response capacity and ensure sufficient mandate and legal safeguards.
To the European Commissioner for Internal Market and the European Commissioner for A Europe Fit for the Digital Age:
2. Ensure that your initiatives to legislate for safer and more secure software lead to a European regulation that establishes the responsibility of manufacturers and gives buyers of software insight into how manufacturers assume this responsibility. Establish that manufacturers are liable for the consequences of software vulnerabilities.
To software manufacturers collectively:
3. Develop good practices with other manufacturers to make software safer and more secure. Include a commitment to these practices in contracts with your customers.
4. Warn and help all your customers as quickly and effectively as possible when vulnerabilities in software are identified. Create the preconditions necessary to be able to warn your customers.
To the State Secretary of the Interior and Kingdom Relations and the Minister of Economic Affairs and Climate Policy (for the benefit of all organizations and consumers in the Netherlands):
5. Encourage Dutch organizations and consumers to jointly formulate and enforce safety and security requirements for software manufacturers. Ensure that the government plays a leading role in this. Proceed on the basis of the principle: collective cooperation where possible, sector-specific where necessary.
To the Dutch Cabinet:
6. Create a legal basis for the management of digital safety and security by the government, by analogy with the Dutch Government Accounts Act (Comptabiliteitswet).
7. Require all organizations to uniformly account for the way in which they manage digital safety and security risks.