
Digital Government

For Caribbean and international professionals working on government digitalisation


“Reinforce Your Digital Front Door, Back Door, AND Attic Window” 

Cybersecurity Act 30 June 2025

Ester Weststeijn, mayor of Rozendaal

“From a broad perspective, municipalities now function essentially as big data processing centres.” We are speaking with Ester Weststeijn, Mayor of the municipality of Rozendaal, a member of the Association of Netherlands Municipalities Information Society Committee (in Dutch, the VNG Commissie Informatiesamenleving), and one of the ‘Cyber Mayors’ in the Netherlands. In this interview, we ask Weststeijn 5 questions about the digital security of municipalities and the upcoming Cybersecurity Act (Cbw). What could this law mean for these ‘data processing factories’ – municipalities – and their residents?

Municipalities are like big data processing factories, you mention. Could you tell us more about this?

Weststeijn: “Our primary focus is on addressing societal issues and delivering services to our residents. We may not always realise that digital data, registrations, and links have become essential for this purpose. Our activities are full of them. Consider, for example, the Basic Registration of Persons and the data on who is entitled to social assistance benefits. Or geo-data that we use when processing environmental permits, and tools in which we process reports from residents about the public space. This includes data from parking systems, traffic lights, sensors, and systems for controlling locks or bridges. The examples are endless, as are the opportunities to work more efficiently with them. Digitalisation offers numerous benefits, particularly when municipalities adopt more standardised and collaborative digital services. Ultimately, the average resident is indifferent whether permits are registered in system A or B, as long as the process is handled correctly and securely.”

You mention the importance of digital security. In that respect, where are the vulnerabilities within municipalities?

“If for any reason our systems stall, waste will no longer be collected, and benefits will no longer be provided. While this may sound somewhat threatening, all screens will go black. As an administrator, this spectre alone should be enough to keep you focused on information security. Soon it will be legally required (translation NIS2 directive in the Cbw, ed.), but aside from that, I feel a moral obligation to our residents, entrepreneurs, and organisations. We are using their data concerning their lives. They derive rights and obligations from it. That needs to be handled with care and security. It is not a matter for programmers or technicians alone. When things go wrong, it is very tangible in the real world.”

Which examples of this were really felt, and from which can and should we draw lessons?

“The municipality of Lochem is often cited as a notable example. In 2019, they experienced a cyber hostage attack where an intruder covertly sabotaged the municipal system for months. The attacker aimed to encrypt files using ransomware, demanding a ransom for the restoration of system access. Fortunately, the attack was detected early, preventing it from being more severe, but it still led to significant disruptions in municipal services.”

Weststeijn continues: “The attack disrupted essential municipal services, including relocation notices, passport processing, and the municipality’s phone systems. Backup systems could no longer be trusted. As an organisation and administrator, you then face a significant challenge. Were social assistance benefits granted correctly, and licences issued legitimately? Could planned marriages proceed as planned? Not to mention the huge consequential expenses to put things back in order. I use Lochem as an example, but I could also have mentioned the municipality of Hof van Twente. Or the municipality of Buren. Or the DDOS attacks on Dutch hospitals two years ago. I often hear that it’s not a matter of if you will be hacked, but when. Given the current geopolitical climate and increasing cyber threats, that still seems to be an accurate statement.”

Weststeijn considers former Lochem mayor Sebastiaan van ‘t Erve a hero: “This cyber crisis propelled him to the forefront of digital resilience efforts. He openly shared his municipality’s experiences to raise awareness about the dangers of cyberattacks. He earned the title of IT politician of the year 2024 through his actions.”

The Cybersecurity Act (Cbw) is on its way. What advice would you give local administrators regarding their organisation’s digital security?

“My advice to administrators: take ownership and act responsibly! Information security is too crucial to rely solely on the IT staff. As a local administrator, you must feel inherently responsible for the entire municipal organisation and the data you share with chain partners. That embodies the core principle of the Cbw.”

“You might think of this Cbw as an annoying stick, but I think of it differently.” Ester Weststeijn, Mayor of the municipality of Rozendaal

“You might think of this Cbw as an annoying stick, with a supervisor, the threat of fines and the obligation of training, but I think of it differently. That is, I see it as a tool for administrators to obtain the proper amount of attention and structural funding in their organisations and city councils. In doing so, the CISO serves as the director’s right hand in the ongoing dialogue on information security. Therefore, engage in regular discussions about risks with the CISO and the city council. This will not occur automatically. To effectively utilise the Cbw as a tool, municipalities require knowledge and expertise, a robust information position, and adequate structural resources. We bring this matter to the attention of the central government. Together, the VNG and central government must (continue to) work towards ensuring that legislation is properly implemented across the Netherlands.”

What do you think about risk management?

“Good question, as risk management is central to the Cbw. We understand it through our experience in the financial and legal areas. Risk-focused work involves ongoing discussions about where our digital security weaknesses lie. We need to identify which risk mitigation measures to prioritise. This also means ensuring measures and assessing through audits or penetration tests. Consistently, we work towards strengthening both our digital front and back doors. Additionally, we must consider even minor issues, like attic windows, to ensure our residents continue to trust that we can perform our duties securely, for them.”

More information on the Cybersecurity Act (Cbw) (currently only in Dutch)
