During the last week of January 2018, various Dutch banks as well as the Tax and Customs Administration were the victims of DDoS attacks. The attacks impacted users of Internet banking and visitors to the website of the Tax and Customs Administration. Few details are known about the nature and the source of these attacks. Despite this lack of information, the attacks serve to illustrate the challenges that our society must face in the area of cybersecurity.
Were the attacks a reprisal for the disclosures made by Nieuwsuur (an in-depth news programme) and de Volkskrant (a national daily)?
Based on the timing, this explanation seems obvious, but it remains speculation. Experience does show that cyberattacks are, more often than not, launched directly after a newsworthy or controversial situation. One example that comes to mind is when the Turkish minister Kaya was prohibited from landing at Rotterdam The Hague Airport in March 2017. Immediately afterwards, the airport’s website was bombarded by a DDoS attack. And in the days following, a number of websites were defaced with texts in Turkish.
When the Turks shot down a Russian jet fighter in 2015, the response was a DDoS onslaught against Turkish targets. Banks, government websites, and websites of TV stations were inaccessible for a long period. But proof that this was a direct reprisal for certain actions has never been provided.
Another example is the lone wolf who initiates an attack from the attic out of dissatisfaction. This demonstrates once again that assigning blame without solid evidence is virtually impossible in such cases. Although the timing is striking, there is a lack of concrete proof. Other potential suspects are individuals, criminal organisations and even other states that can keenly exploit the situation. In the case in point, suspicion falls quickly on Russia, even though there is not a shred of evidence. In a nutshell: a dangerous game.
Why are DDoS attacks employed?
A DDoS is a rather simple way of attacking online. Because of its technical nature, the chance of getting caught is very slim in most cases. DDoS attacks can be purchased online, or even set up by an individual with enough knowledge of what to do. At the same time, DDoS attacks are possibly the most difficult in terms of assigning blame. In the instances where investigative services were able to arrest the hacker responsible for a DDoS attack, this resulted from the perpetrators bragging about their actions to acquaintances or even claiming responsibility on social media, such as Twitter. This behaviour offers investigative services a lead for their search. If no such claims are made, it is often a matter of looking for a needle in a haystack. DDoS is also a popular method for blackmail, creating havoc, or just for provoking. As regards the motive for the DDoS attacks in the past few days, we can do nothing more than speculate.
Do the victims have effective security in place?
Given the attacks in question, whose impact we now see, the question of whether the victim organisations have effective security in place is, in our opinion, the wrong one to ask. Effectively protecting yourself against DDoS attacks is complex and requires close cooperation among multiple parties in a chain. It is therefore rarely as simple as buying a solution and thereby eliminating the problem.
So the right question is not “Are we occasionally the victims of DDoS attacks?”, but “Are we flexible enough to respond to attacks that constantly change in size as well as in their technical nature?” That sometimes there is an impact is a fact of life that all of us must acknowledge.
The financial sector is known as one of the most mature in terms of cybersecurity, with the banks especially having done much in recent years. Since 2013, the sector has collaborated intensively in the area of cybersecurity, for instance by exchanging information. At the same time, the Netherlands is the frontrunner in Europe for the number of people who do their banking online. Consequently, the banks are under great pressure to make online banking secure, while keeping it simple and user-friendly for their customers.
What action can we take against DDoS attacks?
The fact is that perpetrators are making their attacks, DDoS attacks included, more and more sophisticated. Whereas in the beginning hackers exploited incorrectly configured servers, they now have at their disposal a vast network of unprotected IoT devices, security cameras being just one example. We on the defending side must therefore stay active and keep becoming more sophisticated.
An additional point is that in some situations cybersecurity concerns more than just an individual organisation and its customers. For example, in the case of the financial sector, the Tax and Customs Administration and DigiD (an access control system), it concerns us all, as Dutch society. It is time we have a frank and open discussion on the issue. Not only about the threat, but also about our collective tolerance for what can go wrong.
Public-private collaboration is vital for combating and overcoming attacks like the one discussed here. Collaboration between the Government, critical infrastructure companies, Internet service providers and industry makes Dutch society increasingly safe electronically.