Addressing cybersecurity calls for acceleration

In December 2021 the Dutch Safety Board published its investigation report ‘Vulnerable through software - Lessons resulting from security breaches relating to Citrix software.’ One year after its publication, the Board calls on parties to accelerate their actions to improve resilience to cyber threats. The gap between cyber threats and cyber resilience is widening. Parties must therefore act faster and step up the pace in all relevant areas. The Board states this in the follow-up note it published today on the parties’ responses to the report’s recommendations.

In 2021, the Safety Board issued seven recommendations in its report, addressed to government parties and the business sector. The first recommendation aims to increase response capacity in the short term. The six following recommendations aim, in the longer term, to strengthen the public and private system and to introduce incentives that create a system in which manufacturers and customers continuously work to make software safer and more secure.

Recommendations recognized

Responses to the report show that the Dutch government and international software manufacturers recognize the importance of improving their approach to cybersecurity. The Board finds it hopeful that the parties express several intentions and describe actions they took or are planning to take. However, it will take several years (until 2026) before the actions are implemented. The Board calls on parties to continuously accelerate actions to increase digital safety and security.

Faster action needed

The Dutch cabinet shows its commitment to making it possible to alert all potential victims of cyber threats as quickly as possible. Software manufacturers are not yet taking collective action, pointing mostly at customer responsibility and the lack of a level playing field. As yet, it is not clear what effect European laws and regulations will have on this dynamic. The Dutch cabinet is acting on the recommendation to ensure a legal basis requiring governmental organizations to manage digital safety and security; for private companies, the government is maintaining voluntary compliance with a strengthened code of conduct.

The Dutch Safety Board’s full response on the follow-up on the recommendations can be found on its investigation page, 'Vulnerable through software - Lessons resulting from security breaches relating to Citrix software.'