Public Private Partnership in the Cybercrime Information Exchange
samen tegen cybercrime / united against cybercrime
NICC ICTU Address Wilhelmina van Pruisenweg 104 2595 AN The Hague P.O. Box 84011, 2508 AA The Hague, The Netherlands, T 070 888 79 46 / firstname.lastname@example.org www.samentegencybercrime.nl
‘The Information Exchange is not the ultimate answer to the problem, but it certainly contributes to the solution. If you find that ICT security isn’t going well, government and private sector organizations have to share information and deal with it together. The Information Exchange was set up as an experiment, but our experience has been so positive that we’re continuing with it.’ MARK FREQUIN, MINISTRY OF ECONOMIC AFFAIRS
Overview of the results of the Cybercrime Information Exchange
Tracking down and prosecuting cybercrime? Extremely important, but not the real solution for the problem. Prevention is better. That is why the NICC programme has brought public and private organizations together in the National Infrastructure against Cybercrime. The beating heart of this National Infrastructure is the Cybercrime Information Exchange. Within it, private and public organizations fight against cybercrime side by side.
Start Information Exchange
Every sector organizes one meeting of its ISAC every 6 – 10 weeks. The exact frequency is dependent on the needs of the sector.
Cross-sector activities are developed on a regular basis for the thematic meetings about Process Control Security.
‘It’s going well. Public Private Partnership and choosing a ‘bottom-up’ way of working on the basis of trust are the most important success factors. The NICC programme has brought together organizations based on the added value they give each other. It does this by using its know-how in bringing organizations together, and not by trying to solve their problems.’ Boele Staal, NVB (Netherlands Bankers’ Association)
Cybercrime is becoming more professional
The European Commission gave an explicit warning in May 2007 about the increase in cybercrime. International organized crime has discovered the Internet, and is making use of the most advanced techniques. Cybercriminals operate from countries where they experience little or no inconvenience from the police or the judiciary. The very industry sectors on which we as a society are particularly dependent represent key targets for them. Not only for cybercriminals whose objective is financial gain, but also for terrorists.
An attack on the energy supply or financial sectors, for example, would be able to seriously disrupt society. This is why the critical sectors were designated as a priority in 2006 within the National Infrastructure against Cybercrime.
Start of new style FI-ISAC
The financial sector is first to join the Cybercrime Information Exchange with their FI-ISAC.
The hard facts
Eighty percent of the vital infrastructure in the Netherlands is in the hands of the private sector. It is itself responsible for taking measures to combat cybercrime. Considerable knowledge about cybercrime is held within public organizations such as the National Police Services Agency (Korps Landelijke Politiediensten, KLPD), the General Intelligence and Security Service (Algemene Inlichtingen- en Veiligheidsdienst, AIVD) and GOVCERT.NL, the government’s Computer Emergency Response Team. Yet when the NICC programme began in 2006 there was still scarcely any structural collaboration, knowledge sharing or exchange of information reported between public and private organizations.
November 2006
Fact sheets on phishing, cross-site scripting, two-factor authentication, DNS server vulnerabilities and the MIFARE chip produced.
A number of fact sheets are written about current threats, in collaboration between the various ISACs, GOVCERT.NL, the AIVD and the NICC.
The fact sheets indicate what the threats relate to and what measures can be taken to prevent incidents.
The solution: the Cybercrime Information Exchange
The NICC programme began in 2006 with a project to bring representatives of the vital sectors and relevant public organizations around the table within the Cybercrime Information Exchange. This Information Exchange has since grown into a permanent network of professionals in the areas of cybercrime and ICT security.
Its point of departure is that companies themselves will only take effective measures if they have access to the right information and are able to make an accurate risk assessment. By sharing information intensively about incidents, threats and good practices, the Information Exchange participants can prevent incidents themselves. This will safeguard the Dutch economy as a whole and the continuity of the individual organizations at the same time.
High Tech Crime Team November 2006
Start CMIS (Cybercrime Monitoring and Investigation Service)
This is a service developed by the FI-ISAC and financed by the NVB. It provides information for the banks about the possible misuse of bank information on the Internet.
‘Participating in the ISACs has greatly expanded our network. The Information Exchange also offers continuity. That makes our work easier, because we can meet and communicate quickly, simply and efficiently with our partners. The structural collaboration and information sharing has been extremely valuable for us.’ Elly van den Heuvel, GOVCERT.NL
Sharing vital information
The Information Exchange is based on the model used by the UK’s Centre for the Protection of National Infrastructure (CPNI). This model comprises various consultation groups in which representatives of companies exchange confidential information with each other on a per sector basis. Such a consultation group is called an Information Sharing and Analysis Centre (ISAC).
The ISACs are arranged around a core group consisting of the AIVD, Team High Tech Crime of the KLPD and GOVCERT.NL. Representatives of these organizations are present at each ISAC consultation, to which they contribute their substantive knowledge and network about cybercrime. With the consent of the participants, they channel relevant information from one sector to another. The NICC acts as a facilitator and motivator in all consultations.
Notice-and-Take-Down (NTD) experiment in the banking sector
An NTD experiment is started by the FI-ISAC, enabling the banks to report phishing sites to GOVCERT.NL that they are unable to take down themselves, or only with great difficulty.
GOVCERT.NL uses its international network to take the phishing sites down. This experiment has been seen as extremely successful.
Way of working is the strength
The Information Exchange is embedded in a government sponsored public-private programme, the NICC. This provides a trusted environment for national and international partners. A small core group of public organizations consisting of the NICC programme, the KLPD, the AIVD and GOVCERT.NL:
• facilitates the sector consultations and the working groups;
• identifies cross-sector subjects;
• transfers relevant knowledge and information to other sectors;
• initiates cross-sector activities;
• initiates, finances and directs research on behalf of the connected sectors;
• connects organizations within the National Infrastructure against Cybercrime;
• refers organizations not directly participating in the Information Exchange to the network;
• acts as the flywheel and ensures that the momentum that has been generated is maintained and built on.
As a neutral party, the NICC programme ensures that the knowledge accumulated in the Information Exchange is disseminated throughout the whole National Infrastructure against Cybercrime.
Start Information Threat Monitor (ITM)
The ITM has been developed and financed by the banks in collaboration with the NICC, and conducted by KPMG. It provides insight into the
threats and vulnerabilities that are associated with several new products that are being developed by the banks.
The success factors of the Information Exchange
• Trusted environment
• Continuity
• Impartiality
• Driven by the demands and needs of the sectors
• Government as facilitator
• Secure ICT infrastructure
• Value for every party involved
• Flexibility in its implementation
• Contribution of information from governmental organizations
• Focus on cybercrime and ICT security
• Specification and streamlining of the analysis function
• Acts as the flywheel
• Cross-sector exchange
• International network
The drinking water companies join the Cybercrime Information Exchange with the formation of their Water-ISAC.
United against Cybercrime
The Information Exchange is a success. In two years, the exchange of vital information between public and private organizations has come into being. By mid-2008, seven ISACs were operational, and this number continues to grow (see ‘Participating Sectors’). Members of an ISAC are given access to the knowledge and experience of other organizations in their own sector, other sectors, and the participating governmental organizations. Furthermore, the knowledge of other organizations with which they have connections, such as (university) research institutes, forensic companies and consultancies, is also made accessible via these participants. The NICC programme collaborates with organizations such as the CIO Platform Nederland, the International Instrument Users’ Association (WIB) and the Federation of Technology Sectors (FHI). The Information Exchange is a condensation point of networks, knowledge and information. The corporate participants value the insight into the knowledge and information made available to them through the participation of the governmental organizations. The public organizations profit from the information about the development of incidents within the various sectors, and from the measures taken by the private organizations to strengthen their defence. The keywords for this successful interchange are trust and value.
Start drinking water companies’ SCADA Security benchmark
Commissioned by the NICC, TNO (the Netherlands Organization for Scientific Research) conducted a benchmark study examining the level of SCADA Security in the drinking water
companies participating in the Water-ISAC. This led both to a total report for the whole sector, and individual reports on the separate companies.
Participating sectors
2006
• FI-ISAC: Dutch financial institutions
2007
• Water-ISAC: drinking water sector
• Energy-ISAC: gas and electricity companies
• Airport-ISAC: Schiphol Airport
• Multinationals-ISAC: internationally-operating organizations with headquarters in the Netherlands
• Railways-ISAC: organizations in the Dutch railway sector
• PCS-ISAC: the first thematic, cross-sector consultation group dealing with security issues in connection with SCADA and process control systems
A research study is currently being undertaken with public and private organizations active in the Port of Rotterdam into ICT vulnerabilities. A Port-ISAC may well result from this. University medical centers are also expressing interest. Led by OPTA, the Dutch telecommunications regulator, a number of governmental organizations concerned with regulation and law enforcement have been brought together, such as the KLPD, the Public Prosecutor’s Office, the police, the Consumer Authority, the Authority for the Financial Markets and GOVCERT.NL. The possibility of this consultation group joining the Information Exchange is being discussed. ICT suppliers are considering forming an Office Automation-ISAC and a Process Automation-ISAC. Discussions are also ongoing concerning the establishment of a permanent consultation group for the Internet sector in the Netherlands.
Start of NICC’s participation in organizations such as the European Scada and Control Systems Information Exchange (EuroSCSIE)
Sharing knowledge at a European level now also begins. The SCADA Good Practices for the drinking water sector is also translated into English and made available to the EuroSCSIE.
A questionnaire for vendors in the area of process automation (PA) is also developed at a European level.
You only share information with someone that you trust. That trust has to be established, and guaranteed by effective rules. All participants are members of an ISAC individually, by name. The definitive, permanent membership guarantees continuity, so that participants can get to know and trust each other. Participation is voluntary, but not without obligation. Participants must make an active contribution to their consultation group, in a spirit of give and take. Information is classified according to a confidentiality code, from white for public information to red for the very most confidential matters (see ‘Traffic Light Protocol’). Whoever contributes the information decides on the degree of confidentiality.
By being able to talk about vulnerabilities and incidents openly, in an atmosphere of absolute trust, public and private organizations obtain a better overview of potential threats, vulnerabilities and dependence chains. And perhaps even more importantly: all participants are able to benefit from measures that have been proven to be effective.
Companies begin to connect to the GOVCERT.NL Monitoring service
The drinking water and energy companies participating in the Water-ISAC and Energy-ISAC are given the possibility to connect themselves to the
GOVCERT.NL Monitoring service. Several drinking water and energy companies make use of it.
Traffic Light Protocol
Whoever contributes information to an ISAC consultation establishes its classification according to a confidentiality code. The code is classified according to traffic light colours:
Red
Non-disclosable information and restricted to representatives present at the meeting only.
Amber
Limited disclosure and restricted to members of the Information Exchange and those within their organizations who have a need to know in order to take action.
Green
This information may be shared with more people within and outside a participant’s organization, but publication in print or on the web is forbidden.
White
Public information that may be disseminated without
Start Internet Banking Security Round Table (with banks, ISPs, security software vendors, GOVCERT.NL and the NICC)
The FI-ISAC launches the initiative to harmonize activities and communications vehicles with several collaborating partners. The objective is to work together to maintain Internet banking security. Various combinations of these organizations have since come together, leading to concrete results concerning a number of topics:
– Identification of a secure PC client
– Sharing malware information
– An Internet Banking Security Roadmap
– Banks’ vision on secure Internet banking.
‘The importance of the NICC programme has been extremely significant. Without them, the Information Exchange would never have got off the ground. They are also really important for continuity. As a Multinational-ISAC, we haven’t been active for long, and it takes time to get the consultations running effectively.’ DICK BRANDT, TNT POST, CHAIRMAN MULTINATIONALS-ISAC
Participation in an ISAC must produce benefits. Otherwise, the enthusiasm for the Information Exchange will quickly fade. Guaranteed added value is dependent on some concrete factors:
• the chairman is drawn from the sector;
• the sector determines the content and the agenda of the consultation;
• continuous interesting input from the participants;
• flexibility in response to and handling of questions from the participants;
• continuity: the longer the group stays together, the more open its participants will be to share more sensitive information and the more value the consultation will have;
• a neutral party facilitates the consultation and ensures that momentum is maintained.
Added value for all participants
The cross-pollination between the public and private sectors delivers added value for all participants. The construction of a permanent network represents significant added value for all participants. They also now contact each other outside the ISAC meetings for informal discussions and exchange of knowledge. Subjects such as business continuity and countering fraud are particularly important for companies. In a secure environment they are able to deliberate about cybercrime threats and security themes. They receive valuable information from the participating governmental organizations and sector colleagues that they are able to use to enhance and expand their ICT security.
The government is principally concerned with the protection of the critical infrastructure and the prevention of criminal activity. By contributing to the Information Exchange they also contribute to the achievement of the Cabinet’s objectives in the area of cybercrime and ICT security: prevention by way of sharing knowledge, exchanging information and raising awareness.
The gas and electricity companies join the Cybercrime Information Exchange with their Energy-ISAC.
The KLPD, the AIVD and GOVCERT.NL can contribute and obtain information in the Information Exchange that is necessary for the protection of both the vital sectors and economic interests. This platform makes it possible to put security-related issues on the agenda of a broad target group at one time. The governmental organizations are able to finely adapt their tactics in the area of investigation and prosecution on the basis of the input from the private sector organizations. The business community will in turn reap the benefits of this.
Start exchange of good practices in the energy sector
The participants in the first meetings of the Energy-ISAC share various good practices with each other about the implementation of risk
management and the development of a business case for security.
‘The Information Exchange is a place where you can share sensitive information with each other. That can only happen if you can be sure that the agreements you make will also be followed up on. It has to deliver results, too. Notice and Take Down, for example, the active taking down of sites, has been a success.’ GEO ALDERSHOF, THE CONFEDERATION OF NETHERLANDS INDUSTRY AND EMPLOYERS (VNO-NCW)
Knowledge-sharing and information exchange that goes beyond the individual sectors themselves is also now gaining momentum. Good examples of this are the initiatives in the area of SCADA and process control systems, which is of vital importance for the operational processes of organizations in many sectors.
A special cross-sector PCS-ISAC has therefore been established to address issues in this area. The NICC programme plays an important role in the development of cross-sector analysis. By financing research and sharing the results with the participating sectors, it makes participation in the Information Exchange even more attractive.
Start of the elaboration of a hacking scenario within the energy sector
At the request of the National Security Programme, a hacking scenario is elaborated during two sessions within the Energy-ISAC
relating to the energy infrastructure in the Netherlands.
‘It would make it easier to cooperate if we could get more stable and similar arrangements internationally, with similar roles and responsibilities. You need stability and continuity of people to establish the necessary trust base.’ Steve Cummings, CPNI UK
Developing new knowledge together
In its early days, the Information Exchange placed the emphasis on the sharing of information. However, it was soon decided to jointly develop new information that could eliminate bottlenecks. In the financial sector, for example, an Information Threat Monitor has been established. Round tables have also been started addressing Internet banking security issues, with banks, Internet service providers, security software vendors and governmental organizations.
The Water-ISAC has taken the initiative to draft SCADA Good Practices in the Drinking Water Sector. A benchmark has been established in the energy sector for process control security. A research study into ICT vulnerabilities has been initiated through consultation between public and private sector organizations in the Port of Rotterdam.
The development of the document describing SCADA security good practices for the drinking water sector in the Netherlands initiated
On the basis of the benchmark mentioned earlier, the NICC commissions TNO to develop a document describing 39 SCADA Good Practices for the Dutch drinking water sector.
These good practices enable the drinking water companies themselves to take measures within their own organizations.
The fight against cybercrime cannot only be undertaken at a national level. Participants within various ISACs (such as the FI-ISAC and the Multinationals-ISAC) are initiating contact with each other because the international component of cybercrime poses specific problems for them. The NICC programme fosters international knowledge exchange through establishing and strengthening contacts with comparable organizations in other countries, such as the CPNI (United Kingdom), SEMA (Sweden), Melani (Switzerland) and the Bundesamt für Sicherheit in der Informationstechnik (Germany).
The NICC programme also works together with other initiatives in the area of ICT security, such as the European Network and Information Security Agency (ENISA), the SANS Institute and the Meridian. Information obtained from the European SCADA and Control Systems Information Exchange (EuroSCSIE) delivers added value within a number of ISAC consultation groups.
Several organizations operating at Schiphol form the Airport-ISAC and join the Cybercrime Information Exchange.
Cybercriminals rapidly and continually adapt their methods. New threats are immediately brought to the attention of the participants in the Information Exchange. A selection of the successes of the Information Exchange:
• within a short time a valuable platform has been created in which cybercrime-related issues can be quickly studied and addressed;
• the elaboration and testing of a hacking scenario produced by the National Security Programme in the energy sector;
• Notice-and-Take-Down phishing experiment with GOVCERT.NL and the banks;
• the dissemination of and discussion about information relating to the report on the MIFARE chip;
• the discussion about material threats from specific countries, including recommendations to take measures to reduce risks;
• consultation about the latest modus operandi of criminals in the area of Internet banking, including a review of preventative measures;
• the discussion about the potential vulnerabilities of process control systems in the energy sector, which were verified in the international network;
Further elaboration of SCADA good practices begins
The good practices are elaborated further within several Water-ISAC working groups and discussed in the meetings.
‘Only trust can lead to the openness of information. The pioneering role of the NICC has been vital; the network has been bearing fruit. The participants are now also sharing information outside the FI-ISAC consultations when immediate action is needed.’ WIM HAFKAMP, RABOBANK, CHAIRMAN FI-ISAC
• all European initiatives in the FI-ISAC area made preparations for a European exchange platform, together with ENISA and CERT-Hungary;
• round table meetings with the banks, Internet service providers and security software vendors;
• SCADA security benchmark and SCADA good practices in the drinking water sector;
• process control security benchmark in the energy sector.
Participation in the Information Exchange has raised awareness about security measures to counter cybercrime amongst senior management. A good example is the SCADA security benchmark, which was established within the drinking water sector on the initiative of the Water-ISAC. The reports about this have been discussed at the highest levels of management within the drinking water companies, and have led to further investments in ICT security.
A group of multinational companies headquartered in the Netherlands and listed on the AEX index form the Multinationals-ISAC and join the Cybercrime Information Exchange.
‘Especially in the ISACs that have existed longest, such as the banks and the water companies, participation has led to greater trust between the sector organizations and the police. We’ve come a lot further together in the sharing of information.’ Fred Westerbeke, National Police Services Agency (KLPD)
Continuing to strengthen security
Within a period of only two years, the subject of ICT security has moved to the top of the agenda in both the public and private sector through the activities of the Information Exchange. That is a good start. But security is more than ICT alone. In time, ICT security and physical and personnel security will need to be harmonized effectively. It is only when these aspects are well coordinated and made consistent with each other that businesses and society at large can be sure of the best possible safeguards against cybercrime.
A fully developed and mature Cybercrime Information Exchange is therefore essential. For this reason, the Information Exchange will be further expanded and strengthened in the coming years. The spearheads of this process will be the involvement of additional sectors, the establishment of thematic cross-sector ISACs and the strengthening of the international network. The Information Exchange is, and continues to be, the beating heart of the National Infrastructure against Cybercrime. It is uniquely the platform that enables organizations in the private and public sectors to address security issues effectively, in an atmosphere of unqualified openness and trust.
NS and ProRail form the Railways-ISAC and join the Cybercrime Information Exchange.
‘The strongest point about the NICC programme is that it resists being tempted into being involved in execution. This both avoids getting bogged down in operational problems and guarantees independence. The objective is purely to bring organizations together so they can share information.’ Kees Buis, CIO Platform The Netherlands
Appendix 1: trust and value
The key objective of the Information Exchange is the improvement of the exchange of information about cybercrime between public and private organizations in the Netherlands. The Information Exchange also makes a practical contribution in this respect. Research has shown that both public and private organizations value the exchange of information within the Information Exchange. The private sector organizations value the insight they gain into the knowledge and information held by the governmental organizations.
They are particularly interested in information about threats, modus operandi, increasing risks and future developments. The governmental organizations have benefited from gaining insight into the development of incidents within the sectors and the measures taken by private sector organizations to improve their defences against cybercrime. The Information Exchange is therefore vital for the creation of the exchange of information about cybercrime. The key prerequisites for the realization of this exchange of information are trust and value.
Start of process control security benchmark for energy companies
The Energy-ISAC requests that a research study similar to that undertaken for the drinking water sector is conducted for the gas and electricity companies. The NICC commissions The Centre of
Expertise (HEC) and consultancy firm Verdonck, Klooster & Associates (VKA) to undertake this study jointly.
Trust
Hypotheses
Trust is the basis for information sharing.
Trust is achieved in small groups, in which people get to know each other personally.
Building trust takes time and requires
Rules (including the Traffic Light Protocol) to build trust are important as the basis for
Participants are members of a consultation group individually, by name. Permanent
Experience of the ongoing sector consultation groups shows that building trust, through which participants become open to share confidential information, takes at least a year. Only then do participants reach the level at which ‘red’ information is shared.
Inventory of interdependencies of organizations at Schiphol
The organizations at Schiphol investigate the interdependencies between them and the potential vulnerabilities associated with these. This was achieved by each of the various participants giving presentations
enabling them to share their risk analyses with each other. Joint projects have also been initiated in relation to the ICT security benchmark, such as the Integrated Incident Room Infrastructure (GMI).
Betrayal of trust produces delays, and much time is needed to rebuild trust again.
Participation is voluntary, but not without obligation. Participants are expected to actively contribute to the consultations.
Value
Each participating organization must derive value from the consultations. Otherwise, the enthusiasm for investing time and energy in this sort of initiative will quickly fade.
The value of the consultations can vary for each participant.
The continuous efforts of the facilitating organization are required to monitor and maintain this. It also depends on continuous interesting input being provided by the participants. And it demands flexibility in response to and handling of questions from the participants (demand-driven working). The sector takes the lead in determining the agenda for the consultations.
Subjects such as business continuity and countering fraud are particularly important for the private sector. The government is principally concerned with the protection of the critical infrastructure and the prevention of criminal activities.
May 2008
Inventory of interdependencies of NS and ProRail
NS and ProRail shared each other’s risk analysis in the Railways-ISAC, enabling them to make an inventory of the applications and infrastructures
that they both use. This has enabled them to estimate potential risks.
Value continued
Hypotheses
Value grows with investment and trust.
Value is determined by the relevance of the subjects included on the agenda.
The network ensures a structure in which peers can be found, also outside the consultation groups.
Experience
The longer the group stays together, the greater the value the consultation has. Continuity is therefore important.
The subjects can be specific for the sector. There must be a clear agreement within the sector about the potential cybercrime
The fact that participants get to know each other facilitates further contacts between them. They also communicate with each other outside the meetings, both within their sector and between representatives of public and private sector organizations.
The first process control security Event was organized on May 21. A preparation committee was formed by representatives from the sectors participating in the Information Exchange, together with some appropriate players from the NICC network (CIO Platform Nederland, WIB, FHI and TU Delft). This day represented the first step in the formation of a PCS-ISAC, focusing on the theme of Process Control Security, and cross-sector initiatives are being developed on the subject. A second Event is to take place on December 4 at TU Delft.
The network can address subjects that have recently arisen. A platform has been created in which information can be quickly shared.
Experience
Informal networks are created through participation in the Information Exchange. Participants also contact each other outside the meetings, both within the sector and between public and private sector organizations. The network is a platform for quick information sharing. Some examples of this are:
• elaboration/testing of a hacking scenario by the National Security Programme within the energy sector in two sessions;
• the dissemination of and discussion about information relating to the report on the MIFARE chip;
• discussion about material threats from specific countries;
• the discussion about new modus operandi involved in phishing attacks on banks;
• discussion about the potential vulnerabilities of process control systems in the energy sector, verified in the international
The Information Exchange also serves as a condensation point of networks. In addition to the networks of relevant governmental organizations, the private sector companies also participate in various international networks. The knowledge and information from these various networks is brought together in the Information Exchange meetings, and its value can also be tested in them.
Appendix 2: trust
To initiate and maintain the sharing of knowledge and information, the sectors need an environment in which a basis of trust can be established and sustained in an efficient and effective way. This costs time, and requires investment from the participants. From the experience of the ongoing sector deliberations it appears that only after a year is the level reached at which the most confidential information is shared.
Criteria for building trust
1. A trusted environment
2. Continuity
3. An impartial stance
4. Demand-driven by the sector
5. The government as facilitator
6. A secure ICT infrastructure
MIFARE chip (RFID)
The impact of the vulnerability of the MIFARE chip has been investigated and reported on by a group of specialists from a number of ISACs, and appropriate countermeasures proposed. The fact sheet produced by GOVCERT.NL and the AIVD provided important input for this.
Trust
A trusted environment
Clear rules, endorsed by participants themselves, are necessary for the creation of a trusted environment. They must be set down in participation guidelines (the Traffic Light Protocol).
Trust is built up in small groups in which people get to know each other personally. Permanent membership in the core of the Information Exchange reinforces the underlying trust.
Continuity
The Information Exchange must be clearly positioned, in both policy and operational terms. The position of the Information Exchange must be clear for at least the coming five years. Participants are members of the consultation groups by name. This permanent membership guarantees
An impartial stance
Only an impartial Information Exchange can act as an intermediary between the various organizations. The Information Exchange is therefore not a policy-making organization, but does contribute substantive input for policy. The connection with the policy departments involved must be
Start of research into ICT vulnerabilities in the port sector
In close collaboration with a steering committee consisting of the Port of Rotterdam, Deltalinqs, the Customs Authorities and the Harbour Police, the NICC has initiated a research study that will provide insight into ICT vulnerabilities in the Port of Rotterdam. This research is being undertaken jointly by HEC and VKA.
Demand-driven by the sector
The sectors are leading, partly because they appoint the chairman of the consultation group. To a great degree the sectors themselves determine the subjects to be included on the agenda.
The government as facilitator
As a governmental organization it is easier to collect, process and analyze certain confidential information. The Information Exchange is a natural point of contact for (governmental) organizations within the Netherlands and
A secure ICT infrastructure
To the degree that more substantial flows of information are generated, there is also in turn an increasing necessity for a secure ICT infrastructure in order to be able to better facilitate the process of sharing sensitive information. The need for this becomes even more important as the analysis function expands further. The Information Exchange works together with GOVCERT.NL to realize a secure ICT infrastructure. The provision of information takes place in layers, in a way comparable to the colour coding of the traffic light model: per sector, cross-sector or for a broad public.
Start of participation in the Programme Committee of the European SANS Conference
The NICC participated in the preparations for the first European SANS Conference on process control security, held in September 2008 in Amsterdam.
Appendix 3: value
Both public and private sector organizations must obtain value from the consultations. Otherwise, the enthusiasm required to devote time and energy to the Information Exchange will quickly fade. Participation in the Information Exchange is voluntary, but not without obligation. Participants are expected to make an active contribution to their consultation group. The participants are also responsible for continuously contributing interesting input. The longer the group stays together, the greater the value of the consultations becomes. Continuity is important for this.
The relevance of the subjects discussed determines the value of a consultation. This is guaranteed by giving the sector the initiative to establish the agendas for the meetings.
Criteria for guaranteeing value
1. Value for every organization involved
2. Flexibility in execution
3. Input of information from the government
4. Focus on cybercrime and ICT security
5. Developing / streamlining the analysis function
6. Central flywheel function
7. Financial resources
8. Cross-sector exchange
9. A national and international (European) network
Start of participation in the Programme Committee of the Meridian Conference 2008
The NICC participated in the preparations for the Meridian Conference 2008, to be held in October 2008 in Singapore.
Value
Value for every organization involved
It must be possible for every organization involved to derive value from their participation in the Cybercrime Information Exchange. Its nature may be different for each organization – safeguarding of critical assets for the government, for example, and business continuity for the private sector.
Flexibility in execution
The sectors differ in terms of the problems they face, their structure and their needs. This means that they need customization.
The speed with which subjects of the day can be dealt with to a large degree determines the success of the Information Exchange.
A trusted, informal network enables the government to share important subjects quickly with the sectors involved.
Input of information from the government
The specific expertise of GOVCERT.NL, the AIVD and the KLPD and their access to sources of information delivers significant added value for the Cybercrime Information Exchange. Expertise is (reciprocally) built up by, and shared between, existing organizations that fulfil a function within the National Infrastructure. The participants from the governmental organizations are not seconded to a central location. They participate from their own organizations in the Information Exchange, maximizing the use of the knowledge from these organizations.
Industrial espionage is an important topic within the Multinationals-ISAC. Participants share good practices and information about incidents with each other, and the AIVD has provided important input.
The organizations also remain more committed to the Cybercrime Information Exchange in this way, and in a wider sense to the National Infrastructure against Cybercrime. The Cybercrime Information Exchange also strengthens the relationship in this respect, and avoids the duplication of knowledge
Focus on cybercrime/ICT security
A win/win scenario is created for public and private sector organizations by not only focusing on the vital character of the sector, but also by paying attention to subjects related to the business continuity of the private sector organizations as well as cybercrime conducted for financial gain. There is clear governmental interest in this too, since the prevention of criminality is also an important issue for the government.
It has been reported from the sectors that fragmentation of the ICT security/cybercrime theme leads to confusion. It is desirable to streamline it.
It appears from the experiences in other countries (such as the UK and Switzerland) that it is advisable to develop the various component areas involving ICT, physical structures and human resources to a mature level before addressing the integration of the various aspects of security. This has been endorsed by the sectors that are currently participating, who have also seen groups within their own organizations that are addressing these themes. The principal difference concerns the dynamics within the various key security factors. Threats change within ICT many times faster than with the areas of physical and personnel security. It is of course necessary to harmonize the different key factors.
Start of participation in the MPCSIE (Meridian Process Control Security Information Exchange)
The NICC participated in the establishment of a worldwide exchange platform in the area of process control systems, initiated by the Meridian.
Developing/streamlining the analysis function
Currently the Cybercrime Information Exchange focuses principally on Information Sharing (the ‘IS’ from ISAC). The sectors have indicated that there is an increasing need for the development of an Analysis Centre (the ‘AC’ from ISAC). At the moment this function is being shared by the separate organizations involved in the Cybercrime Information Exchange, such as the KLPD, the AIVD and GOVCERT.NL. This function needs to be strengthened, and this can most effectively be done by one of the associated organizations or as a separate function within the Cybercrime Information Exchange.
Central flywheel function
A flywheel function is necessary to maintain the momentum of information sharing and to provide for and support the new cross-sector and international initiatives. The facilitating role that the NICC currently has in the Cybercrime Information Exchange is essential in this respect.
The strength of this lies in the mobilization of the currently associated organizations and drawing them together. It does not therefore principally concern taking over tasks, but binding and reinforcing the organizations.
The way of working required for this strengthening and binding function also calls for a specific type of employee within the Information Exchange. The competences must principally be focused on the building and maintaining of relationships, the ability to operate within a complex and sometimes sensitive context, the analysis of the key issues faced by the sectors, and bringing together, supporting and guiding relevant
Financial resources
The Information Exchange needs financial resources to fund research and to obtain advice from external sources. The objective of this is to be able to deal with issues in a broader context. In the future a budget can also be utilized for such items as training courses, fact sheets and trend reports.
Cross-sector exchange
The sectors are becoming increasingly dependent on each other. Security themes addressed by the different sectors are
Many of the themes addressed by different sectors are converging. The involvement and participation of additional sectors is making it possible to deal with these themes on a cross-sector basis, and this is enhancing the efficiency and effectiveness of the approach. The Information Exchange enables sectors to link together quickly to discuss relevant subjects.
It is vital to have a permanent group of participants in the Cybercrime Information Exchange who can provide knowledge from beyond a sector-specific consultation in order to be able to stimulate this cross-sector exchange of knowledge. Furthermore, this knowledge can also then be shared in both a national and an international (European)
A national and international (European) network
It is increasingly apparent that the development of a network that includes similar organizations in other countries will produce substantial added value. The fight against cybercrime is essentially an international endeavour after all. This has already been demonstrated from the information that has been obtained from the EuroSCSIE (European Scada and Control Systems Information Exchange). This has produced significant added value in the consultations in the various sectors concerned with this theme. A step of the same kind is currently being taken within the financial sector.
Valuable contacts have also been established between the various initiatives and comparable ones in other countries, such as the CPNI (UK), SEMA (Sweden), Melani (Switzerland) and the BSI (Germany). It will be important to continue building up contacts such as these in the future.
Appendix 4: participating organizations
The organizations participating in the Cybercrime Information Exchange are listed in the following table. The individual participants representing these organizations generally hold the following positions within them:
• Security Managers
• Corporate (Information) Security Officers
• Senior ICT Security Specialists
• ICT Managers
• Information Security Advisors
• Process control (Security) Managers
• Process control (Security) Specialists
• Risk Managers
FI-ISAC
ING / Postbank
Bank Nederlandse Gemeenten
(BNG, a bank for the public
(NVB, the Netherlands Bankers’
De Nederlandsche Bank
representing smaller banks
(DNB, the Central Bank of
Van Lanschot Bankiers
The governmental organizations GOVCERT.NL, the AIVD and the KLPD (High Tech Crime Team) participate in all consultation groups. The consultation groups are facilitated, supported and financed by the NICC.
Port of Rotterdam
Douane / Belastingdienst
Ahold / Albert Heijn
NS (Netherlands Railways)
(Dutch Customs / Tax
Douane / Belastingdienst
(Dutch Customs / Tax Authority)
Organizations in the Water-
ISAC, Energy-ISAC, Airport-
Rotterdam (Port of Rotterdam Authority)
Aircraft Fuel Supply
with organizations in the Oil, Chemicals and Nuclear sectors, hospitals, suppliers and consultancy firms.
Annemarie Zielstra (ICTU) programme manager
Auke Huistra project manager Cybercrime Information Exchange
Manou Ali programme support
The NICC programme is an ICTU programme, commissioned by the Ministry of Economic Affairs. The motto of the ICTU is: help government to perform better with ICT. The ICTU combines knowledge and expertise in the area of ICT and government. ICTU executes various projects with and on behalf of governmental organizations. In this way, policy is translated into concrete projects for government. More information can be found at www.ictu.nl.
Publisher NICC Editor Tekstbureau De Nieuwe Koekoek, Utrecht Design OSAGE / communicatie en ontwerp, Utrecht Photography Marcel Rozenberg, Schiedam Print OBT / TDS printmaildata, Schiedam
‘It would make it easier to cooperate if we could get more stable and similar arrangements internationally, with similar roles and responsibilities. You need stability and continuity of people to establish the necessary trust base.’ Steve Cummings, CPNI UK
‘Only trust can lead to the openness of information. The pioneering role of the NICC has been vital; the network has been bearing fruit. The participants are now also sharing information outside the FI-ISAC consultations when immediate action is needed.’ Wim Hafkamp, Rabobank, chairman of the FI-ISAC
‘The Information Exchange is not the ultimate answer to the problem, but it certainly contributes to the solution. If you find that ICT security isn’t going well, government and private sector organizations have to share information and deal with it together. The Information Exchange was set up as an experiment, but our experience has been so positive that we’re continuing with it.’ Mark Frequin, EZ
Tracking down and prosecuting cybercrime? Extremely important, but not the real solution for the problem. Prevention is better.