–> This is a pre-event interview in the run-up to the Leaders in Finance Cyber Security Event on 25 May 2023
Jeroen: Thanks, Hans, for taking the time to speak to Leaders in Finance in the run-up to the Cyber Security event on the 25th of May this year. First, could you please introduce yourself?
Hans: Thanks, Jeroen, for the introduction and for the opportunity to speak to Leaders in Finance on the 25th of May. I’m really looking forward! My name is Hans de Vries, and I’m currently leading the National Cyber Security Centre, which is an expert knowledge board on cybersecurity in the Netherlands, and the crisis coordinator when ‘shit hits the fan’, so to speak. My organization plays an important role in making sure that we all understand what cyber risks are, how to act on them and, especially when there are problems, to coordinate the actions needed within society, both from a private and a public environment. We should all be able to fully benefit from the digital society, but there is a downside. We need to talk about that downside, but it’s also mention the upside. Meaning, all the possibilities that cyber security brings. It’s great to be part of that integral mechanism of dealing with the digital society.
Jeroen: How many people work with your organization?
Hans: Currently, we have about 250 to 300, depending on how you count. Meaning, only personnel or entities from the external workforce as well. Let’s say it’s about 300 and growing.
Jeroen: That says a lot about the importance of the topic, the fact that it’s growing. How long have you been doing this job?
Hans: It’s now been eight years.
Jeroen: Is it very different from eight years ago what you’re doing today?
Hans: Oh, definitely. When we started, it was with about 60 people, and it was a more technical affair than it is currently. Now it is about geopolitics, large impact society panels etc. It is very important for the leaders in the industry, whether they are in finance or not, to understand their role. Previously, it was more an IT thing, but it’s not anymore.
Jeroen: You seem to really enjoy your job and your work. If you could only pick one thing that you enjoy most about your current role, what would it be?
Hans: What I really enjoy is connecting the dots. Bringing people who need a solution together with people who bring ideas or possibilities. That’s what I love about my job. Not so much that my organization or I personally must be a part of the solution but creating the opportunity for the solution is what makes me tick.
Jeroen: Well put, that’s great. If we zoom in on the financial services industry and the institutions that work in that industry, what would you say are the biggest challenges at the moment, related to cyber security?
Hans: I think there are a few things. Of course, ESG is top of mind with the leaders of industry, and I fully understand that. But the dependencies on IT and IT-infrastructure should be among the top priorities as well. We simply cannot do without.
As the NIS2 points out, there is a personal liability when things are not arranged well. If you don’t organize cyber security as you should, you might be personally liable. That’s new, so key is making sure that the board of directors all understand their role and responsibilities. The second part is understanding the supply chain dependencies. Banking and finance are IT-driven nowadays. It’s not about going to a physical counter anymore; it has become a virtual counter. Meaning that it’s all IT-driven. Understanding what kind of dependencies there are, what organization you depend on for your IT-infrastructure and your services is crucial. So, supply chain dependencies are one and then there’s concentration risk. If you look across industry from a finance perspective, almost everybody is using the same product. And whether that is a good thing, that’s a calculated risk. But you need to know that those dependencies are there.
Thirdly: do you have the recovery capacity at hand to make sure that as soon as there is an incident, that you can ensure that people can start working again? All of us depend on IT. Take the example of making sure that you can pin with iDeal in shops. The moment it’s out, it creates havoc, we all know that. So, in summary, those are the three things that are really important for all, but especially for financial institutions.
Jeroen: Obviously, I could ask a hundred follow-up questions here, but I won’t. Maybe just one, on the supply chains. Because in finance, there is a lot of talk related to DORA nowadays, about how you can actually ‘own’ or understand all the risks in a supply chain. That is what I learned from leaders in the industry, and it’s a tough one. For example, your data is on a server in the US and you need to do a DD on Amazon Web Services. Do you see that financial institutions are concerned about that?
Hans: Well, let’s put it this way: I hope they are concerned about it.
Jeroen: Because?
Hans: Well, they should be. As I stated, supply chain dependency really makes you understand how your servers are being serviced. You not only have to know the service, but also the company that makes sure that the service is running. From a geopolitical tension’s perspective, we question whether we want to be fully dependent on what’s coming out of the States. But then we still have to create our own environment here in Europe. That doesn’t mean that things that come out of the United States are worse, definitely not.. How to make that more transparent is one of the key things my organization is focusing on. So yes, it’s important to have knowledge at hand and close by, but also to have a good IT-infrastructure that is so robust and hard to fail. We have system banks, so we need system-driven infrastructure. We all know that the Netherlands is one of the largest data points. It’s so robust, the chance that it goes down is slim. From a financial perspective, we also must look at organizing it such that the downside, meaning breakdowns or outages do not have a large impact on the services.
Jeroen: Right, thank you. You mentioned geopolitical tensions, I think that’s a great bridge to the next question. If we zoom out from the financial services industry to a broader vision, what do you think are the biggest challenges for society at large?
Hans: The professionalism of cyber-crime has increased a lot lately. State actors are an increasing threat to cyber security, including in the financial sector. As indicated by the AIVD (General Intelligence and Security Service), several countries have an offensive cyber program that targets the Netherlands and its allies. In addition, public reporting has seen an increase in digital attacks performed by state actors. An example of such an attack in the financial sector is the ‘Bangladesh Bank cyber heist’. In this attack digital instructions to illegally transfer close to one billion dollars were executed. Researchers from several cybersecurity companies and the FBI attributed this attack to North Korea. Recently attacks attributed to this state actor have also been observed in the Netherlands. A recent example that also had a (limited) impact in the Netherlands is the supply chain attack via the popular 3CX communication software.
Also, there are dependencies on concentration risk of technologies. We’ve seen what the closure of Swift meant for the Russians. We also lean heavily on technology from America, the Cloud and all the Cloud Services. Having said that, I know that those organizations try to be agnostic, They try to avoid being part of the discussion on a geopolitical level. The help that commercial entities gave the first weeks to Ukraine was enormous and battle changing, in fact. Help from Microsoft, Google and all the others to the government of Ukraine allowed them to act very swiftly. Commercial entities were very heavily involved in making sure that the free and civil society of Ukraine could stay up and take up a stance. I compliment them for that.
Jeroen: Yes, that’s great.
Hans: It’s a difficult situation, if you look at it from that perspective. Large organizations now take up a stance with the geopolitical tensions.
Jeroen: Yes, well put. It’s all about technology ultimately. Technology could be used for the good things, but also for the things that kill our societies. There’s talk of all kinds of AI, quantum computing and all that. I’m not an expert at all, however, if you look at technology, what do you think are the things you’re most concerned about, and what are promising?
Hans: If we go back to twenty years, we all thought that creating the internet and creating the world wide web would bring the ultimate answer to everyone. Meaning that society would have the right answer to every question. What we’re seeing is the opposite. We have created bubbles where people with like-minded thoughts only get the information that they want to hear. Extremely dangerous. And we’re seeing it all the way into politics in several countries. We can definitely see the same risk with ChatGPT. It creates the possibility of writing nice texts, but we don’t see the sources of those texts. Whether they are valid or not. It sounds really nice, but it could be really nice-sounding sort of bullocks. That’s really a big issue with AI, especially ChatGPT, and all the others that are coming out, for example, Google also has their own, it opened just now. There are a lot of organizations building upon that, but we still don’t know whether the pillars they are all standing on are valid enough to be taken into account. That’s one of the things that I find risky. Especially if it starts creating news, then we are really in deep shit.
Jeroen: How does that relate to cyber, just to make sure that I understand the link?
Hans: Cyber is an enabler. For me, cyber is a means making sure that the digital society keeps running. It’s a mechanism, a method. The digital society in general is the thing that we’re trying to help create. Cyber security is just a pillar out of all the things that you need for a digital society. And ChatGPT can create value in the sense that it answers information, but it can also deflate and obfuscate different views to something new, which is not correct. That’s something that I’m worried about as a person. Even the top sector leaders are talking about the need for a six-month standstill on technology growth. Something is up. I know that ChatGPT is already being used on the first cyber-attack. It has been used to find holes in software, to create possibilities and create software libraries and programs to misuse that type of information. It’s always a double use, it can do good, but it can definitely do bad. And it depends on the user which direction it goes.
Jeroen: Right. The final question for you is: if you are just out of college, university, or want to start in the field of cyber, whether it be private or with the government or anything in between, what are your tips for starters?
Hans: I’d start even younger, at the junior age to make sure that cyber securitists understand. I’m a huge fan of Hack Shield, a program for 8–12-year-olds, which helps kids to understand what cyber security is in a game-kind-of way. It’s being used and presented as a game where a lot of things are being investigated, for example one of the questions they get is, “Explain to your parents and grandparents how to implement 2-factor identification.” It’s so fun to see schools using this program which is Dutch but used in several countries now. HackShield shows the power and the possibilities of a transmedial cyber security game, and it progresses all over the world. HackShield and I share a goal, which is a cyber issues free society. If the financial industry would be able to support that, to make it an integral part of society, that would be so helpful.
Jeroen: That’s great! Alright, Hans, we’re very honoured to have you at the event. We’re very much looking forward to your participation there in the c-level panel at the beginning of the day. Thanks for taking the time to do this pre-event interview and again, I’m looking forward to having you at our event.
Hans: I’m looking forward to it as well. Thanks!
Jeroen: Thank you!
–> This is a pre-event interview in the run-up to the Leaders in Finance Cyber Security Event on 25 May 2023