It is a thorn in the side of the Dutch business community: the government does not immediately share important information about cyber threats with the largest companies in the country.
The law stands not yet allow the National Cyber Security Center (NCSC) to share such information with non-vital sectors – so a large part of the business community is fishing behind the net. But with a detour, initiators ASML and ABN Amro have found a way to obtain the crucial knowledge to secure their production chains against hackers.
Through the new CISO Circle of Trust foundation – established in collaboration with NCSC – the security bosses of ten Dutch top companies have access to the most accurate and up-to-date warnings about vulnerabilities and active hacker groups. And they may also share that information with their suppliers. This is particularly important for ASML: the high-tech company works with hundreds of suppliers in the Netherlands and abroad.
‘No talk club’
On Tuesday, during the ONE cybersecurity conference in The Hague, the CISO Circle of Trust announced its existence with a press release. The technology already works, the NCSC is collaborating to be able to share the most sensitive information. Other participating companies include Shell, Philips, Akzo and KPN.
“This is not a talking club. We have built a platform to share current threat intelligence to better secure your company and your supply chain,” said Aernout Reijmer, responsible for information security at ASML.
The system is designed in such a way that sensitive information about the origin of a vulnerability or threat cannot simply be passed on. Moreover, the participants are also expected to share vulnerabilities that they encounter.
There was no time to wait for a change in the law, Reijmer says. “That will take two years.” Meanwhile, hackers strike daily. ASML’s supplier VDL noticed this, which was down for weeks due to a hack attack last year. The problems are also tangible in other sectors. For example, a ransomware attack on a supplier of supermarket chain Albert Heijn ensured that there was no more cheese on the shelves.
Real Threat
NCSC has access to the most up-to-date information on cyber threats, including data from the security services. There is no mandate to secure economic activity in the Netherlands. But the threats are so real that the NCSC is looking for ways to protect the economy. For example, since this spring the port of Rotterdam has been given permission to share critical information with suppliers.
ASML will use the information from the Circle of Trust for its supply chain, also abroad. Reijmer: “We have built a similar network with the semiconductor industry in the US and are now going to set it up in East Asia as well.”
Also at Chinese chip companies? “They also have ransomware in China and we want our customers to remain protected. We will pay close attention to which information we are allowed to share and which we cannot.”