"Companies in the Netherlands - and elsewhere in the world - do not spend enough resources on Cybersecurity,” a statement that can be found often in Cybersecurity reports either published by...Show more"Companies in the Netherlands - and elsewhere in the world - do not spend enough resources on Cybersecurity,” a statement that can be found often in Cybersecurity reports either published by governmental organisations as well as private Cybersecurity companies, the latter suspiciously for commercial purposes. But what is the real impact that Cybersecurity Incidents have on the Dutch economy, especially on legal-entities in the Netherlands? Where is the data that objectively provides insight in the havoc that is wrecked by Cybersecurity Incidents and would justify an increase in investment? The conclusion drawn after analysing available data is puzzling: no reliable overview of actual Cybersecurity incidents and their impact on companies in the Netherlands exists. The landscape is a scattered scene of puzzle pieces, consisting of crime data, insurance claims, data breach reports and incidents reported to the National Cyber Security Center. So we are not sure whether companies over- or underinvest in Cyber Security, we simply cannot tell on the basis of facts. Threats are out there for sure, but when they do not materialize, it could well be that the defences are fit for purpose. The annual Cybersecurity Monitor produced by Statistics Netherlands (CBS) since 2017 is available, but not based on actual incidents occurred, but on surveys, which tend to show perception rather than reality. Though it is the best dataset available and the trends of four years (2017-2020) of data are valuable, despite lack of quantified financial impact. Is the Dutch situation unique? What have other nations done to get a better and more reliable view on the size and dimension of the impact of Cybersecurity Incidents? And what solutions could be available to get an objective view of the impact of Cybersecurity incidents on Dutch legal-entities? In the domain of Road Safety, impact data is carefully measured as policy- and lawmakers use it for improving policies with the objective to decrease the impact. Similar to natural disasters of which impact is reported in scales, such as Beaufort for storms, Mercalli for earthquakes, a scale may help to report on Cybersecurity Incident impact, and serve for policy makers to obtain objective and comparable data justifying their policy proposals. With this Thesis I aim to make a contribution towards providing objective insight into the impact of Cybersecurity Incidents, by means of proposing the Cybersecurity v Incident Impact (CSI2) scale. Only by proper measuring and reporting we know what is happening out there in Dutch Cyberspace, allowing for the right policies and laws to be proposed, as well as the right level of investments to be made.Show less
Content moderation is about optimizing the equilibrium between two important values: freedom of speech and a safe and secure digital space. The main tasks are defining what is admissible content...Show moreContent moderation is about optimizing the equilibrium between two important values: freedom of speech and a safe and secure digital space. The main tasks are defining what is admissible content and assuring that inadmissible content is not allowed into the digital public space. Commercial digital platforms cannot be expected to carry this responsibility on their own without any incentives or obligations. They have their own commercial goals to serve. Tightened and more precise regulation is necessary. Overfitting the regulation will compromise freedom of speech. Underfitting the regulation will compromise the security of the digital space. An important aspect of assessing this balance is transparency. In this thesis we looked at the historical timeline of drafted regulation and the rise of social media. The three layer-model of cyberspace was used to analyse AI facilitated content moderation. Transparency requirements on each level have been identified and existing and upcoming regulation on content moderation and AI has been assessed to identify gaps. Current regulation on transparency in content moderation lacks clarity, enforcement, and consistency, partly because the E-commerce Directive was drafted before the explosive rise of social media and AI. It is remarkable, however, that the basic requirement for notice and takedown still serves a very relevant purpose. An increased focus of regulation of the technical layer is required with the introduction of artificial intelligence tools in content moderation. Although regulation on artificial intelligence is fragmented and still in an early stage of development, the Digital Services Act and the EU White Paper on Artificial Intelligence include promising measures, such as record keeping and auditing. The overlap and mutual synergy between both regulations should be closely monitored. The last conclusion is on transparency of terminology. Terminology regarding transparency in the world of AI technology, often relates to insight into the technical functioning of algorithms and to the ability to predict the outcome of an artificial intelligence model. In the governance world, transparency is linked to accountability and clarity. This gap between the world of artificial intelligence technology and the world of governance will need extra attention when drafting further regulation on AI. There is a need for common terminology.Show less
This thesis compares Russian cyber operations against Ukraine and the United States of America between 2014 and 2019. It aims to research which factors influence the different outcomes in the...Show moreThis thesis compares Russian cyber operations against Ukraine and the United States of America between 2014 and 2019. It aims to research which factors influence the different outcomes in the studied operations. The studied operations involve cyberattacks on power grids on the one hand and digital information operations interfering in elections on the other. The results show that Russian power grid cyberattacks in Ukraine are more disruptive than in the USA, while their information operations were more effective in the USA. The argument put forward in this research is that Russia is less hesitant to disrupt critical infrastructure in Ukraine due to is involvement in the Ukrainian conflict. Moreover, there is limited potential of escalation of applying such disruptions in Ukraine. Finally, Ukraine provides Russia with opportunities to test its cyber operations without risking large scale retribution from powerful states. Information operations targeting the presidential elections have been more effective in the USA than similar operations in Ukraine. In this research it is argued that Ukraine is both more familiar and more resilient to Russian (dis)information operations. Furthermore, the conflict scenario between the two countries causes Ukrainians to be suspicious of pro-Russian narratives. Western media on the other hand amplified the Russian disinformation in the USA. In both countries Russia succeeded in deepening the social polarisation between opposing groups.Show less
Many have expressed their concerns of the increase and severity of ransomware attacks targeting the healthcare sector, in particular hospitals, during the corona-era. A combination of the...Show moreMany have expressed their concerns of the increase and severity of ransomware attacks targeting the healthcare sector, in particular hospitals, during the corona-era. A combination of the healthcare sector's reliance on its systems and the often urgent need to access (medical) data means that some cybercriminals have identified the healthcare sector as a suitable target. Some even claimed that the pandemic has cause a change in the modus operandi of offenders deploying ransomware. This qualitative research examines to what extent the COVID-19 pandemic truly changed the modus operandi of offenders who committed a ransomware attack targeting the healthcare sector. More specifically, it investigates how a ransomware attack was carried out at the healthcare sector during the pandemic through conducting a crime script analysis. Subsequently, it investigates whether this differs from the situation before the COVID-19 pandemic. The results of this study indicate that the modus operandi changed just a slightly bit from the situation before the COVID-19 pandemic, but no significant changes were identified. This indicates that we must be critical about most of the claims stating that COVID-19 has caused a serious change in ransomware attacks on the healthcare sector opening up new opportunities to avoid moral panic.Show less
This report describes the results of the research in the context of the Master's degree in Cyber Security. This study researched the problem that public tenders contain information that can be...Show moreThis report describes the results of the research in the context of the Master's degree in Cyber Security. This study researched the problem that public tenders contain information that can be collected by hackers during their preparation for a cyber-attack. Adversaries can easily access this information and abuse it against the tendering organizations. Therefore, the main goal of this research is to establish guidelines aimed at identifying and reducing sensitive information in tenders, in order to prevent that malicious parties gather and use this information in the preparation of cyber-attacks against tendering organizations. To this end, the various concepts of open data, procurement, reconnaissance, cyber kill chain, and open source intelligence were examined. In addition, interviews were held to both identify the risks for tendering organizations due to the above identified problem and to evaluate on the established guidelines. The research results have shown that the information in tenders is public due to the principles on which the rules regarding tenders are based. This is to offer fair opportunities to companies to win contracts through tenders. Due to the public nature of information in tenders, the comparison can be made with the concept of open data. As a result, the risks inherent to open data, such as abuse by malicious parties, also apply to information in tenders.Further research into the reconnaissance activities of hackers has made it clear that hackers are looking for specific types of information in preparation for cyber-attacks. It has been determined through document analysis on real tenders and interviews with security professionals that these types of information occur in tenders. This means that malicious parties can use tenders to collect information about organizations that is relevant for the preparation of cyber-attacks, against the tendering organizations. As a result, the tendering organizations face risks with regard to the confidentiality, integrity and availability of company assets. In particular, the likelihood that such risks arise is increased because the information is easily accessible to malicious parties. In order to prevent this, guidelines have been established. These guidelines should be used in follow-up research where a final solution is created that implements the described functionalities of the guidelines. The established guidelines focus in particular on identifying and reducing information that is relevant to hackers in tenders, before the tenders are made public. In this way the risks for tendering organizations can be prevented because this information can no longer be collected by malicious parties. The likelihood of the identified risks occurring is reduced. In addition, techniques have been suggested for these guidelines on which they can be implemented.The techniques regular expressions, text mining, comparison with known information, optical character recognition, and image recognition are discussed. Furthermore, guidelines have also been established that focus on the practical side of a final solution and the fact that this solution must be used in an existing context: people, processes and organizations. The guidelines and the results of the study were evaluated in interviews with senior purchasers. From these interviews it can be concluded that a solution based on the guidelines is of added value in practice in order to reduce sensitive information in tenders and prevent risks for tendering organizations. The results of this research thus result in recommendations for follow-up research, where the aim is to create an automated solution based on the guidelines that have been established.Show less