The Hague takes a stance on ethical hacking to leverage the wisdom of the expert crowd

Type: Behind the story
Topic: Cybersecurity
Publication date: 20 Feb

By creating clear rules and guidelines, Dutch authorities are among the first in the world to mitigate the risk of unsolicited vulnerability reporting

It’s no secret that skilled hackers are in high demand on both sides of the legal divide. Organisations hire them to audit their IT systems and keep them safe from criminals, who in turn advance their tactics and strategies to surpass those measures. But there is another category of hackers, the so-called ethical hackers, who search for vulnerabilities in the IT-systems of organisations they have no affiliation with, but with the intention to notify the owner and enable them to fix the problem before criminal hackers discover and abuse the vulnerability.

Despite their good intentions however, ethical hacking is not without risk. In various cases, the organisations they notified of vulnerabilities in their system took legal measures against the hacker. “Not all companies appreciate the value ethical hackers can bring. They assume criminal intent in any case of contact from an unfamiliar hacker,” explains Sanne Maasakkers, security specialist at the Dutch National Cyber Security Centre (NCSC), located at The Hague’s city centre.

Sanne Maasakkers “Instead of acting on the information handed to them, some organisations press charges against the messenger. As a result, the risk accompanied by the reporting of vulnerabilities restrains hackers from doing so.”

Dutch authorities are among the first in the world to take a stance on this issue and mitigate the risks of reporting vulnerabilities. By developing clear guidelines and procedures for ethical hacking and vulnerability reporting, they encourage ethical hackers to put the Dutch government systems to the test, as long as those guidelines are followed. On top of that, NCSC is educating other organisations on how to effectively deal with ethical hackers and vulnerability reporting and also mediates when other organisations distrust a reported vulnerability or the reporting hacker.

Invitation and appreciation of ethical hackers

The NCSC, as the primary authority on cybersecurity in the Netherlands, sees merit in working with ethical hackers and have taken proactive measures to leverage their valuable activities. First of all, they have set clear rules for vulnerability hunting in government infrastructure, articulating which activities they see as friendly and which are considered hostile. Second, they have published a Coordinated Vulnerability Disclosure form, where ethical hackers can easily submit their findings to the right department and with clear instructions about the information they need and what can be expected in return. Valuable vulnerability reports are rewarded with what has become a highly popular t-shirt stating: ‘I hacked the Dutch Government and all I got was a lousy t-shirt’.

Sanne Maasakkers “It has surprised us how in-demand the t-shirt is,” says Sanne. “People are posing with it on their social media profiles, and owning one is said to be a true career accelerator. Although it’s just a black t-shirt with white print, people are spending significant time and effort to get their hands on one."

"Unlike commercial businesses who have the resources to award financial rewards to valuable vulnerability reports, we have to be creative with the incentives we offer. Luckily we have been quite successful in that respect," Sanne explains. The hacker community has been so valuable to the security of the Dutch IT systems, that NCSC is making it even more attractive for them to investigate their systems. In 2022, NCSC introduced a ‘wall of fame’ on its website to highlight and thank the researchers with the most valuable reports from the previous year. Being represented there will be accompanied by a hoodie with the text 'I am on the Wall of Fame', and the hoodie will be more prestigious because only a select group of highly valuable contributors will receive one. In 2022, 7 ethical hackers were added to the NCSC wall of fame. NCSC’s experience working with ethical hackers has taught valuable lessons about the conditions required to make such a collaboration fruitful.

Hâck The Hague

Around the same time when NCSC started creating guidelines for ethical hackers, the municipality of The Hague took an even more proactive approach to leverage their value. In response to a critical report by the Netherlands Court of Audit in 2016, the city of The Hague did a thorough assessment and upgrade to the security of its digital systems. Eager to find the most effective and affordable way to test the efficacy of their efforts, the cybersecurity team started exploring the possibility of inviting ethical hackers to attempt to hack their systems.

They decided to invite ethical hackers to a 48-hour hackathon at the city hall, where they were invited to search and report vulnerabilities in the IT systems of the municipality. What started with a group of 37 hackers and a couple of discovered vulnerabilities in 2017, has now grown out to be an annual (hybrid) event with over 200 hackers participating from all over the world. 125 vulnerabilities were reported in the latest edition, which took place in 2021. The entire cybersecurity team of the municipality and some of the municipality’s IT vendors are present during the event to respond and follow up on discovered vulnerabilities.

Jeroen Schipper, CISO at the municipality of The Hague. “A reported vulnerability is actually an opportunity for us to improve our security. That’s what makes the hackathon so valuable.”

As the hackathon continues to prove its value every year, IT vendors to the municipality are also getting more enthusiastic about joining the event. Jeroen: “In the early years, many vendors were reluctant to even approve of the hackathon, probably because it was new and unfamiliar.” The IT vendors were afraid of what the hackers may do to their systems. In the latest editions of Hâck The Hague however, the vendors started participating in growing numbers. “The vulnerabilities found in our systems are typically also present in their other clients’ systems, so the hackathon is a great opportunity for them to upgrade their products among all their customers,” Jeroen explains.

The success of Hâck The Hague has not gone unnoticed by other governmental bodies in the Netherlands and beyond. The organising team receives many inquiries about how to organise such an event.

“But a hackathon is really only relevant if you have a well-managed and secured IT infrastructure, which you have audited internally first. The Hackathon is really only a test of how well you’ve done,” warns Jeroen.

“And you better prepare your cybersecurity team for the load of work they will have after the event, because then all the vulnerabilities must be repaired,” Jeroen continues. From its initiation, Hâck The Hague was organised together with cybersecurity company Cybersprint, which was founded by former hired employee to the cybersecurity team of the municipality of The Hague Pieter Janssen. Cybersprint, which was acquired by UK-based Darktrace in 2022, took care of part of the organisation of the event and co-published an E-Guide together with the municipality with instructions on how to prepare for and organise a hackathon, named ‘How to hack a city’. As the E-Guide demonstrates, hackathons aren’t suitable for every organisation. Many conditions have to be in place to make it successful. If one or more of those conditions are lacking, a hackathon can have devastating results, such as data loss and reputation damage. 

Discover more! Establishing constructive working relationships with ethical hackers is just one way the cybersecurity community in The Hague takes the lead to secure the digital world. Read more about this outstanding community and reach out for an introduction to founders, thought leaders and policy makers!