Are critical companies at risk of cyber attacks? Aruban experts reject

12 May 2022 | Sharina Henriquez

ORANJESTAD – Cyber ​​expert Erik Jan Koedijk warns that various vital organizations in Aruba are in danger because their ICT security is not in order. It rejects other security experts on the island. Who is Koedijk? And why are Aruban cyber experts reacting angrily to him?

A number of very important organizations in Aruba are unnecessarily vulnerable to cyber attacks, according to Koedijk’s research. These are the water, electricity and telecommunications companies, but also its own Security Service, the Public Prosecutor’s Office and NCVI. It is about the basic security of e-mail and web systems, which is often not in order, says Koedijk. Something that is dangerous, but also easy to solve.

Koedijk has been coming to Aruba and the other islands for several years to provide training in cybersecurity. Since announcing his research, local experts have been sitting on the shelf, according to Caribbean network† They are ‘not amused’, some are even angry and think he ‘panics’. Koedijk would also unnecessarily make Aruba a target for hackers. And primarily wants to promote his own business, the answers sound.

“I do not want to appear like anyone macamba who knows it all better. In the Netherlands, we still have a long way to go. But I’m focusing on Aruba because someone asked me here during a masterclass last year: can you say something about the state of the organization in Aruba, because our hospital has already been hacked. Especially the government, vital organizations that we as citizens need to communicate with. I promised to do that in March, and I did, ”Koedijk explains.

Erik Jan Koedijk -photo: Sharina Henriquez

Who is Erik Jan Koedijk at all?

Read the previously published interview:
Expert warns: ‘Aruba’s most crucial organizations vulnerable to cyber attacks’

Caribbean network gained access to his research and subsequently went on to refute the findings with ten of the 25 organizations surveyed. The organizations surveyed were given a few weeks to close the vulnerability before it was published.

Part of Aruba’s Cyber ​​Security Task Force – Photo: Sharina Henriquez

In the office of the National Central Bureau of Counterterrorism, Security and Interpol
And what does the government service that is supposed to protect Aruba from cyber attacks mean? At the office of the National Central Bureau of Counterterrorism, Security and Interpol (NCTVI), Koedijk’s conclusions are vehemently rejected. A cybersecurity task force has been assembled specifically to respond to Caribbean network

The task force is a fairly new group of experts who confidentially exchange information on cyber threats, attacks, crime and solutions. “It’s a public-private partnership because most of the knowledge lies outside the government,” explains NCVI Director Dolfi Richardson.

They reject Koedijk’s findings as ‘not true, exaggerated, low-risk, and that we simply cannot secure everything’.

“We have everything in place† Maybe one thing he did not do, as he (Koedijk, ed.) Said, but it is not important. The basis is certain and more, ”says Giovanni Tromp, ICT manager at the water and energy company WEB. “We get attacked every second. These include children who want to play, and serious hackers. The point is whether they can get deeper into the system, and that’s not as easy as his research suggests. “

‘Every second we are attacked, but it is not easy to get in’
-Giovanni Tromp, ICT manager at the water and energy company WEB

Information security manager at the telecommunications company Setar, Paul Eelens, shares this view. “He has used tests that are very easy and public. We have seen him come in, but we often allow it on purpose. Then we lead hackers to a honeypot, a trap, to track their movements. But they lead nowhere. and they will certainly not go any deeper. “

The whole of Aruba is internet dependent on the monopolist Setar. Eelens says that the company invests a lot and structurally in cyber security. “We are also seeing the trend, as in the rest of the world, that attacks are getting bigger and more frequent. We are talking about fifty to a hundred thousand a month. A quarter to a third are bot attacks on our Internet system. ”

In the run-up to the war in Ukraine, Setar already monitored extra large movements of cyber attacks. And especially state-sponsored cyber attacks, in this case by the Russian government, make countries, including Aruba, vulnerable. But why would hackers find Aruba interesting, as a small island?

‘Aruba is not an island we are on the internet at millisecond intervals’
-Paul Eelens, information security manager at the telecommunications company Setar

Part of the Submarine Cable Map-

Eelens shows the submarine cable card. “You can see here that Aruba is not an island. We are milliseconds apart on the internet. For example, China, from which a lot is happening, is only 0.2 seconds away. And fine the attacks, they do not discriminate. “

Richardson adds: “We often tend to think because we’re so small that it’s all a far-from-my-bed show. But we forget we belong to the Kingdom and it’s positioned in the world as geopolitically important. “

The conversation in the FBI-like office is increasingly moving towards the threat to Aruba’s national security from cybercriminals and state actors. After some research, Richardson from NCVI admits: “Cybercrime is in the top 3, so it should have top priority.”

Is cybersecurity also a top priority for Aruban politics?
Richardson explains that in 2016 they started with cyber security. The Dutch research agency TNO was the initiator, wanted to make a baseline measurement, and a symposium was held to create awareness. Then there was a change of government and there was silence.

“In the last term of office (Wever-Croes I cabinet), they wanted to get e-government going. Then we said it is only possible if we also work with cybersecurity,” Richardson says.

From his story, it appears that much is still in the planning phase: a national policy, but also legislation that requires organizations, for example, to report cyber attacks. Something they often do not do because of reputational damage. In addition, NCVTI has no authority. That is why this task force shares information solely on a voluntary and trust-based basis, says Richardson.

‘There is still a lot to be done, but you can not compare us to the Netherlands
-Dolfi Richardson, Director NCVI

Moreover, no one knows how secure the government and other important organizations actually are. Therefore, zero measurements are still missing. There should also be a National Cyber ​​Council chaired by the Prime Minister. And above all, more money. “We got something, finally with the new budget. But to roll out the plan nationally, much more is needed, “Richardson said.

However, he does not think Aruba started too late. “We got there just in time, and yes, there is still a lot to do. But you can not compare us to Holland or America, they are even forerunners in the world.”

‘Citizens must be able to assume that they will not fall victim’
Back to Koedijk’s research, which concludes that the government and many vital companies in Aruba, including banks, are not fundamentally right. “While citizens are increasingly expected to arrange things digitally. They must be able to assume that they can not fall victim to the same organizations? ”, Says Koedijk.

The electricity company Elmar maintains that they offer their customers that cyber security. “We guarantee it,” says their IT manager Alfred Croes. “Yeah, that’s not how you should see it, because you can never completely guarantee it,” Richardson replies quickly.

Setar explains that they classify the threats according to risks and impact. “Most of the resources go to protecting our crown jewels. # 1 fights attacks that have the greatest impact on our users. Nor can we filter them all because of privacy and our democracy. Otherwise we would become a dictatorship,” Eelens said. .

“It’s like advertising in the neighborhood that the windows of those neighbors are old and broken. You invite the thieves’
-Eelens about Koedijk’s research

Concerns about this release remain, according to the end of the interview with the task force. For although the parties continue to reiterate that Koedijk’s research does not say much about their cybersecurity, they are concerned about the possible harm caused by the publication.

“It’s like advertising in the neighborhood that the windows of those neighbors are old and broken. The thieves are invited,” says Eelens van Setar. would like to give back the message that it can create more work for NCVI, “concludes Richardson.

Leave a Comment