Since 1 June 2024, as Director CIO Rijk (BZK), Art de Blaauw has been the driving force behind the Digitalisation Policy of Central Government. In his first months, he has had to deal with 3 major cyber incidents. “Before taking the next step in Cyber Resilience, I want to evaluate them properly and draw lessons”, he says.
De Blaauw thinks working together on digitalisation in government is crucial: “Collectively ensuring a digital government that is accessible, open, responsive, sustainable, secure and agile”. This single sentence describes what he, as CIO Rijk, together with the Digital Government and Digital Society directorates, is committed to taking care of. That is why Government-wide Digital Resilience is one of his main topics. His directorate will work on this theme, together with the departments and Central Government bodies. For a digitally resilient Central Government, he plans to work even more closely together with other organisations in this field, such as the National Coordinator for Terrorism and Security (NCTV), the National Cyber Security Centre (NCSC), the Digital Society Directorate (BZK) and the Ministries of Justice & Security, Economic Affairs and Defence.
Who is Art de Blaauw?
Art de Blaauw spent more than 25 years in the world of business, before making the transition to Central Government as Director CIO Rijk at the Ministry of the Interior and Kingdom Relations. He was a member of General Management of Ilionx, Director of Technology & Innovation at Equinix and a Strategist at Microsoft and VMware, among other roles. He studied Econometrics at Erasmus University. During this time, he chose an elective course on Computer Security at TU Delft out of interest.
3 incidents
De Blaauw: “3 incidents in my first 100 days is on the high end. We will evaluate these incidents thoroughly and draw lessons from them.” One thing that became clear: “We have to be vigilant for unintentional outages as well as intentional attacks.”
Next steps
“Central Government is already collaborating quite substantially on the topic of Digital Resilience”, says de Blaauw. “For instance in the field of Red Teaming. With this, we test the security measures of an organisation or chain simulating a cyber attack, aiming to learn from it and become more cyber resilient. We also have a joint approach in place to strengthen the Security Operations Centres within Central Government. By acting in this together, we will be learning from each other and jointly raise digital resilience to a higher level.”
De Blaauw offers a few more examples. “On a more technical level of information security, we are working on the National Crypto Strategy for protecting central government information with the highest level of security. In addition, we are preparing for the threat of the quantum computer. This is because it will soon be able to crack our most widely used cryptography (encryption of data, ed.).” He sees more opportunities to further increase cyber resilience. “I think we need to identify the risks that service and equipment suppliers from countries with offensive cyber programmes bring. We will be addressing that in our policy.”
Preparing for quantum computer threat
The AIVD released the Quantum Migration Handbook. In it, you will find practical measures and recommendations to limit the threat of quantum computers to cryptography.
Collaboration between CIO Rijk and CISO Rijk
Within the CIO Rijk Directorate, the CISO Rijk is the 1st point of contact in cyber incidents and is supported by his own Information Security and Privacy department. “We are fortunate to have a very good CISO Rijk: Aart Jochem. He has a vast amount of experience that I can truly depend on.” In case of cyber incidents, the CISO Rijk and the CIO Rijk are jointly in charge, although there is an order to that. “First the incident comes to the CISO Rijk, I am the next point of contact,” he says.
The collaboration process between the CISOs and the central government CIOs is as follows: “Interdepartmental collaboration is structured in the CISO Council, which Aart presides over, with the CISOs of the central government bodies. This council is a ‘doorstep’ to the CIO Council, which includes the CIOs of the departments and the major public service providers. I preside over that council. The CISO Council submits information security proposals for Central Government to the CIO Council. As such, collaboration and broad consideration on topics are well structured.”
De Blaauw notes differences in the way things are done in Central Government and in the world of business. For instance, the drive and dedication of his colleagues at BZK strike him in a positive light. But he says he is still adjusting to the reality that in government, the flow of documents passes through many decision-making structures. “I usually focus more on getting results rather than how to articulate issues,” he says.
Strategic issues
The various topics he is responsible for are all related. Information Security, for instance, bears parallels to topics such as Risk Management and IT Sourcing, he says. “For example, we can be too heavily dependent on particular suppliers or solutions. These are all strategic issues. Suppose something happens to a frequently used system and things go wrong at the provider’s end. We would have some serious challenges as a government in that case.” He presents another example to illustrate a societal and strategic issue: “With increased geopolitical political threats, we have to be prepared for when our digital infrastructure goes down for whatever reason.”
Preparing for incidents
October was Cyber Security Month. This included the Government-wide Cyber Exercise. De Blaauw feels training is very important as a way of preparing for incidents. “It helps raise awareness within the organisation and enables us to work together more effectively during a cyber crisis.” He therefore also thinks exercises in a wider (government) context, such as ISIDOOR, are of great value. “We work in chains more and more; practically everything is interconnected. By practising together, you are more likely to know where to find each other when real incidents occur. It also helps us ensure that crisis management approaches are aligned.”
Government-wide Cyber Exercise
Practice, practice, practice is the motto. That is why the Ministry of the Interior and Kingdom Relations organised the 6th Government-wide Cyber Exercise on 4 November 2024. You can watch this video for an impression of the exercise (in Dutch) and use the material (in Dutch) to practise yourself.
Administrators: join in!
It is essential that administrators and senior officials join the regular training, he stresses. “This will reinforce their leadership during a real crisis. Crises come with time pressure, uncertainty and a high degree of urgency. Often, the administrator is the chairman of the Crisis Consultation and he or she then must be able to make quick decisions. Since information exchange is quite different during a crisis of this kind, you need some experience to do that properly.”
De Blaauw has 3 pieces of advice for administrators. First, it is advisable to take a crisis management course. He attended the Interdepartmental Basic Crisis Management Course at the National Academy for Crisis Management. “It was there that I learned that as chairman of a crisis consultation, you should think out loud as much as possible so that you include people in your thinking prior to taking a decision.” A 2nd piece of advice: “Crisis Management is also Network Management. So, make sure you know the administrators of other organisations in your chain or within your area, so you can more easily communicate with them during an incident or crisis.” 3rd: “Assume breach: assume attackers are already present in your systems. So, in cyber security, don’t just focus on the outside to make sure nobody gets in. Focus on the inside as well, so that unexpected or unauthorised activity is detected promptly, and damage is limited.”
He concludes with a word of advice to anyone involved in a cyber crisis consultation: “Engage in risk management. Know what your organisation’s crown jewels are, which you want to protect and always safeguard. What risks are involved and what measures should you be taking?”