It’s no secret that skilled hackers are in high demand on both sides of the legal divide. Organisations hire them to audit their IT systems and keep them safe from criminals, who in turn advance their tactics and strategies to surpass those measures. But there is another category of hackers, the so-called ethical hackers, who search for vulnerabilities in the IT-systems of organisations they have no affiliation with, but with the intention to notify the owner and enable them to fix the problem before criminal hackers discover and abuse the vulnerability.
Despite their good intentions however, ethical hacking is not without risk. In various cases, the organisations they notified of vulnerabilities in their system took legal measures against the hacker. “Not all companies appreciate the value ethical hackers can bring. They assume criminal intent in any case of contact from an unfamiliar hacker,” explains Sanne Maasakkers, security specialist at the Dutch National Cyber Security Centre (NCSC), located at The Hague’s city centre.
Dutch authorities are among the first in the world to take a stance on this issue and mitigate the risks of reporting vulnerabilities. By developing clear guidelines and procedures for ethical hacking and vulnerability reporting, they encourage ethical hackers to put the Dutch government systems to the test, as long as those guidelines are followed. On top of that, NCSC is educating other organisations on how to effectively deal with ethical hackers and vulnerability reporting and also mediates when other organisations distrust a reported vulnerability or the reporting hacker.
Invitation and appreciation of ethical hackers
The NCSC, as the primary authority on cybersecurity in the Netherlands, sees merit in working with ethical hackers and have taken proactive measures to leverage their valuable activities. First of all, they have set clear rules for vulnerability hunting in government infrastructure, articulating which activities they see as friendly and which are considered hostile. Second, they have published a Coordinated Vulnerability Disclosure form, where ethical hackers can easily submit their findings to the right department and with clear instructions about the information they need and what can be expected in return. Valuable vulnerability reports are rewarded with what has become a highly popular t-shirt stating: ‘I hacked the Dutch Government and all I got was a lousy t-shirt’.
"Unlike commercial businesses who have the resources to award financial rewards to valuable vulnerability reports, we have to be creative with the incentives we offer. Luckily we have been quite successful in that respect," Sanne explains. The hacker community has been so valuable to the security of the Dutch IT systems, that NCSC is making it even more attractive for them to investigate their systems. In 2022, NCSC introduced a ‘wall of fame’ on its website to highlight and thank the researchers with the most valuable reports from the previous year. Being represented there will be accompanied by a hoodie with the text 'I am on the Wall of Fame', and the hoodie will be more prestigious because only a select group of highly valuable contributors will receive one. In 2022, 7 ethical hackers were added to the NCSC wall of fame. NCSC’s experience working with ethical hackers has taught valuable lessons about the conditions required to make such a collaboration fruitful.
Hâck The Hague
Around the same time when NCSC started creating guidelines for ethical hackers, the municipality of The Hague took an even more proactive approach to leverage their value. In response to a critical report by the Netherlands Court of Audit in 2016, the city of The Hague did a thorough assessment and upgrade to the security of its digital systems. Eager to find the most effective and affordable way to test the efficacy of their efforts, the cybersecurity team started exploring the possibility of inviting ethical hackers to attempt to hack their systems.
They decided to invite ethical hackers to a 48-hour hackathon at the city hall, where they were invited to search and report vulnerabilities in the IT systems of the municipality. What started with a group of 37 hackers and a couple of discovered vulnerabilities in 2017, has now grown out to be an annual (hybrid) event with over 200 hackers participating from all over the world. 125 vulnerabilities were reported in the latest edition, which took place in 2021. The entire cybersecurity team of the municipality and some of the municipality’s IT vendors are present during the event to respond and follow up on discovered vulnerabilities.
As the hackathon continues to prove its value every year, IT vendors to the municipality are also getting more enthusiastic about joining the event. Jeroen: “In the early years, many vendors were reluctant to even approve of the hackathon, probably because it was new and unfamiliar.” The IT vendors were afraid of what the hackers may do to their systems. In the latest editions of Hâck The Hague however, the vendors started participating in growing numbers. “The vulnerabilities found in our systems are typically also present in their other clients’ systems, so the hackathon is a great opportunity for them to upgrade their products among all their customers,” Jeroen explains.
The success of Hâck The Hague has not gone unnoticed by other governmental bodies in the Netherlands and beyond. The organising team receives many inquiries about how to organise such an event.
“And you better prepare your cybersecurity team for the load of work they will have after the event, because then all the vulnerabilities must be repaired,” Jeroen continues. From its initiation, Hâck The Hague was organised together with cybersecurity company Cybersprint, which was founded by former hired employee to the cybersecurity team of the municipality of The Hague Pieter Janssen. Cybersprint, which was acquired by UK-based Darktrace in 2022, took care of part of the organisation of the event and co-published an E-Guide together with the municipality with instructions on how to prepare for and organise a hackathon, named ‘How to hack a city’. As the E-Guide demonstrates, hackathons aren’t suitable for every organisation. Many conditions have to be in place to make it successful. If one or more of those conditions are lacking, a hackathon can have devastating results, such as data loss and reputation damage.