In line with the national “Digital Agenda 2020”, Dutch municipalities, organised in the VNG (Association of Dutch Municipalities), aim for a common approach to implementing ICT services. This has resulted in the VNG's objective of a common municipal digital infrastructure (GGI) that is supposed to support better and safer collaboration between municipalities. GGI is linked to the national digital infrastructure (GDI), and aims for a municipal cloud that supports all digital services. Security is one of the aspects of GGI. It should be noted that the notion ‘awareness’ is not mentioned at all in the GGI documentation, and is apparently of no concern.

Cybersecurity awareness is discussed in another document, the VNG's digital safety agenda 2020-2024. There, it is stated that increasing knowledge of digital safety applies to everyone in the municipality. Two simulation games have been developed, one for civil servants and managers, and one for system administrators. Many more action trajectories are being developed, including sharing of information.

GGI: the municipal digital infrastructure

Building GGI is a stepwise process, starting with standardised services becoming available in 2019, with the precise date depending on the participant and the kind of service. Municipalities and municipal collectives are free to select the services that they desire:

  • GGI-network: a secure database for national services
  • GGI-safe: a collective service for operational information security on networks and ICT infrastructures of municipalities and municipal collectives and the GGI
  • GGI-services: a collective service for safe exchange of data between local and national services
  • GGI-appointments: for connecting and offering cloud-solutions by service providers

GGI-safe

At the beginning of 2019 the VNG issued a tendering procedure for the realisation of GGI-safe. Since July 2019 it has been awarded to KPN (Dutch Telecom) and others, in three tiers of services. Municipalities can opt for one or more of these services, for some fee, to be established later. It is said to have been implemented.

  1. SIEM/SOC services (KPN, waiting room contract Capgemini).
  2. Additional security products/services (KPN, Protinus IT and Telindus-ISIT, waiting room contract SecureLink).
  3. Expertise services (Capgemini, BDO Advisory, KPN, Ordina, IT-Staffing and Protinus IT).

As for (1), it seems data will be monitored at regular points: a network sensor (to be installed by the provider), outer firewall, DNS server, domain controller, proxy server, and mail server.

As for (2), the following is foreseen:

  • CASB (Cloud Access Security Broker);
  • DDI-management (DNS, DHCP and IP address management);
  • Firewall;
  • Mail filtering;
  • Endpoint protection (incl. servers)/anti-virus, anti-malware;
  • Advanced Persistent Threat Protection (ATP);
  • GGI-Anti-DDOS;
  • Intrusion Detection & Prevention (IDS/IPS);
  • EMM (Enterprise Mobility Management)/MDM/MAM (Mobile Device & Application Management);
  • VPN-management;
  • DLP (Data Loss Prevention/Data Leakage Prevention; incl. endpoint and network);
  • Vulnerability management.

And for (3), there is:

  • SIEM process;
  • Compliance;
  • Vulnerability;
  • Penetration testing;
  • Forensics for security incidents;
  • Hardening of ICT infrastructures.

This all seems to be basic security infrastructure, far removed from any notion of cybersecurity awareness we are entertaining. The detection and mitigation process is out of the hands of the public administration. In CS-AWARE, detection, awareness, mitigation and sharing are integrated, at the level of the public administration.

CS-AWARE does not entertain a particular intervention program at the level of the organisation. The Dutch situation is interesting because it seems very complete. Nevertheless, it also looks fragmented, and coordination is sometimes centralised, sometimes decentralised. It may be that it merely adds to existing complexity and that much is left to the municipalities.

Jerry Andriessen, Wise & Munro

Sources:

VNG-agenda digitale veiligheid (2020) (https://vng.nl/sites/default/files/2020-02/vng_agenda_digitale_veiligheid_2020-2024_def_0.pdf)

GGI-Veilig / Volwassenheidsmodel Digitale Weerbaarheid (http://www.da2020.nl/ggi)