Chantal Bennink (Ministry of the Interior and Kingdom Relations) and Bill Kuipers (ICTU) are at the helm of the 6th Government-wide Cyber Exercise. They explain why exercising is crucial, how the exercise scenario is created and what participants can expect this year.
With the growing threat of cyber attacks such as ransomware and phishing, digital resilience is more important than ever. The Government-wide Cyber Exercise, initiated by the Ministry of the Interior and Kingdom Relations (BZK), offers government organisations the chance to find out how they respond to a cyber attack. Chantal Bennink, information security policy officer at BZK, stresses the importance: “Such a global CrowdStrike computer malfunction again shows the importance of practising and good preparation. By practising regularly, you map out the risks as an organisation, among other things. You gain insight into the different roles and responsibilities of employees and it becomes clear how lines within the organisation function. This contributes to the effectiveness of crisis management and increasing digital resilience. In addition, because of the cross-border effects and interdependencies, it is important to strengthen both internal and external cooperation. A cyber incident can quickly develop into a cyber crisis with organisation-transcending consequences.”
Realistic exercise scenario
ICTU is responsible for the organisational implementation of the Government-wide Cyber Exercise. Project leader Bill Kuipers starts devising a realistic exercise scenario with various stakeholders as early as February: “KPMG analyzes threats to ensure the scenario is current and relevant. Earlier, a ransomware attack was central; this year, AI and deepfakes are relevant and play a role. We also pay more attention to the psychological factor in crisis management. Once the scenario is outlined, we test it extensively with stakeholders such as the Association of Dutch Municipalities (VNG), the Information Security and Privacy Protection Center (CIP), provinces and security regions to ensure the exercise is relevant and feasible. With the special toolkit, participants can then set up their crisis exercise. Last year, over 130 organisations participated.”
Choose your exercise moment
With some adjustments, the organisers hope the exercise will include even more learning moments. Bennink explains one change: “Instead of simultaneous practice, we encourage organisations to do their practice the week before the central exercise. This gives participants the flexibility to choose a suitable practice moment. During the live moment on 4 November, they can then watch experts tackle the crisis in the studio. We hope to offer more engagement and flexibility this way.”
More than the cyber exercise alone
Besides the Government-wide Cyber Exercise, several cyber webinars and a masterclass will also be organised. Kuipers explains: “The masterclass and webinars are an important part of the Government-wide Cyber Programme. With various partners such as CIP, Logius (the digital government service of BZK), the Employee Insurance Agency (UWV) and the General Intelligence and Security Service of the Netherlands (AIVD), topics such as NIS2 are discussed. Thus, a lot of knowledge is shared. The website weerbaredigitaleoverheid.nl contains the entire programme, and the webinars and exercises from previous years can also be watched back there. This gives organisations that have not yet participated a good idea of what to expect.”
Greater awareness
For the future, the organisers hope for wider participation. Bennink: “We want to keep growing and expanding and aim to create more and more awareness. My wish is to get organisations from the Caribbean Netherlands to join. We see many returning participants who indicate that practising helps in discussions with the board and raises awareness within the organisation. As a result, plans are adjusted and improvements implemented. Then our goal is achieved.”