Cyber revolution
Cybersecurity is embracing more and more concepts, says Prof. Bibi van den Berg. ‘It used to be just about protecting data. Now we use it to refer to things like the consequences of disruptions to ICT processes and the structures of organisations, and the processes involved.’ In her chairship of Cybersecurity Governance, Van den Berg researches all the non-technological measures that can be taken to improve cybersecurity. These measures include policy, legislation and regulations, social norms and market incentives. ‘So much has changed in the last ten years that we can’t understand all the consequences. We have experienced a true cyber revolution.’
What do citizens think?
Van den Berg has three core points to make. First, she points to the importance of the contribution the social sciences and humanities can make to cybersecurity: ‘The discipline is still very much focused on technology. For example, businesses and the government still often use risk management to identify cybersecurity issues. This method arose out of the technical industry and is very focused on numbers. In my view, you shouldn’t apply those numbers uncritically; you should also look at factors like risk perception. What do citizens think about it? What is their experience of the risks? And what is the impact of politicians’ statements?’
CBS is currently seeing a shift: there is increased cooperation with other research institutions and CBS is improving the user options for its data’
Fake news a serious threat
Secondly, Van den Berg strongly recommends broadening the research area. ‘At the moment we only look at deliberate attacks – like hacks – and not enough at the dangers of human error or things like natural disasters. And cybersecurity is still mainly focused on preventing attacks on machines and data systems. We still haven’t developed a policy or methodology to deal with the dangers of fake news, even though that’s something that can seriously jeopardise the democratic process. You can’t compare a post spreading rapidly through social media with the pamphlets that used to be dropped from a plane.’
Businesses in trouble
Van den Berg’s final point is the lack of theory and definitions. ‘There is still very little “foundation” in my discipline. What exactly is cybersecurity? What is cyberterrorism?’ Van den Berg emphasises that there has not yet been a disastrous cyber attack anywhere in the world. ‘Last year an attack disrupted the Rotterdam container terminal for a while, and the ransomware WannaCry caused problems for big companies all around the world. That’s a serious event, but no lives were put at risk, as would be the case with an attack that disconnected the electricity supply or water management for a longer period. We don’t actually know how prepared the Netherlands is for an attack like that. There is a lot of investment in cybersecurity, but we’re not there yet.’
Privacy and security at CBS
CBS collects and processes an enormous amount of personal data about people in the Netherlands, as well as information about companies. The security of that data and citizens’ privacy are extremely important to CBS. That is one reason why CBS’ Deputy Director General Bert Kroese attended Bibi van den Berg’s talk. Van den Berg is also a member of CBS’ ICT advisory council, in which role she focuses in particular on information security and privacy. Van den Berg: ‘CBS is a fortress, with multiple moats that protect the data. Every moat has a bridge, which has to be well guarded. CBS is currently seeing a shift: there is increased cooperation with other research institutions and CBS is improving the user options for its data. This move is in line with CBS’ social responsibility, and with today’s developments. But it is also a security risk. This is a development that is receiving constant attention, not least on the ICT advisory council.’