Are critical businesses at risk of cyber attacks? Aruban experts deny

May 12, 2022 | Sharina Henriquez

ORANJESTAD – Cyber expert Erik Jan Koedijk warns that several vital organizations in Aruba are at risk because their ICT security is not in order. Other security experts on the island deny this. Who is Koedijk? And why are Aruba’s cyber experts reacting angrily to him?

Some very important organizations in Aruba are unnecessarily at risk of cyber attacks, according to Koedijk’s research. This applies to water, electricity and telecommunications companies, but also to Aruba’s own Security Service, Public Ministry and NCTVI. It’s about the basic security of web and email systems, which is often not in order, says Koedijk. Something that is dangerous, but also easy to solve.

Koedijk has been coming to Aruba and the other islands for several years to provide cyber security training. Ever since he announced his investigation, local experts have been waiting, according to Caribbean Network. They are ‘not amused’; some are even angry and think he is ‘causing a panic’. They say Koedijk is also unnecessarily making Aruba a target for hackers and that he mainly wants to promote his own company, according to the responses.

“I don’t want to look like some macamba who knows everything better. In the Netherlands we still have a long way to go. But I focus on Aruba, because someone here asked me during a master class last year: can you say something about the state of organizations in Aruba, because our hospital was already hacked. In particular the government, vital bodies with which we as citizens have to communicate. I promised to do it in March and so I did,” explains Koedijk.

Erik Jan Koedijk -photo: Sharina Henríquez

Who is Erik Jan Koedijk anyway?

Read the previously published interview:
Expert warns: ‘Aruba’s most important organizations are vulnerable to cyber attacks’

Caribbean Network was given access to his research and subsequently went to dispute the results with ten of the 25 organizations examined. The investigated organizations had a few weeks to close the vulnerability before it was published.

Part of the Aruba Cyber Security Task Force – Photo: Sharina Henriquez

In the office of the National Central Bureau of Counterterrorism, Security and Interpol
And what is the opinion of the government service that should protect Aruba from cyber attacks? In the office of the National Central Bureau of Counterterrorism, Security and Interpol (NCTVI), Koedijk’s conclusions are flatly denied. A cybersecurity task force has been brought together specifically to respond to Caribbean Network.

The working group is a relatively new group of experts exchanging sensitive information about cyber threats, attacks, crimes, and solutions. “It’s a public-private partnership, because most of the knowledge is outside the government,” explains NCTVI director Dolfi Richardson.

They dismiss Koedijk’s findings as “bogus, exaggerated, low risk and we just can’t be sure of everything.”

“We have it all instead. Maybe one thing he didn’t do, that he (Koedijk, ed.) said, but that’s not important. The base is certainly there and more”, says Giovanni Tromp, ICT director of the water and energy company WEB. “We are being attacked every second. These include kids who want to play games and serious hackers. The point is whether they can get deep into the system and that’s not as easy as their research suggests.”

‘Every second we are attacked, but it is not easy to enter’
-Giovanni Tromp, head of ICT at the water and energy company WEB

The information security manager of the Setar telecommunications company, Paul Eelens, shares this opinion. “He has used tests that are very easy and public. We have seen it come in, but we often allow it on purpose. Then we take the hackers to a honeypot, a trap, to track their movements. But they lead nowhere and certainly don’t go any deeper.”

All of Aruba depends on the Internet of the monopolist Setar. Eelens says the company invests heavily and structurally in cybersecurity. “We also see the trend, just like in the rest of the world, of attacks getting bigger and more frequent. We are talking about fifty to a hundred thousand a month. A quarter to a third are bot attacks on our Internet system.”

In the run-up to the war in Ukraine, Setar was already monitoring extra-large movements of cyberattacks. State-sponsored cyberattacks in particular, in this case by the Russian government, make countries, including Aruba, vulnerable. But why would hackers find Aruba, as a small island, interesting?

‘Aruba is not an island, we are on the internet milliseconds apart’
-Paul Eelens, Information Security Manager at Setar Telecommunications Company

Part of the Submarine Cable Map

Eelens shows the submarine cable map. “You can see here that Aruba is not an island. We are milliseconds apart on the internet. For example, China, where a lot is happening from, is only 0.2 seconds away. And aside from those attacks, they don’t discriminate.”

Adds Richardson, “We often tend to think that because we’re so small, it’s all a sideshow away from my bed. But we forget that we belong to the Kingdom and it is positioned in the world as geopolitically important”.

The conversation in the FBI-style office is increasingly moving to the threat to Aruba’s national security from cybercriminals and state actors. After doing some research, NCTVI’s Richardson admits, “Cybercrime is in the top 3, so it should be top priority.”

Is cybersecurity also a top priority for Aruba policy?
Richardson explains that in 2016 he started with cybersecurity. The Dutch research agency TNO was the initiator; it would carry out a baseline measurement, and a symposium was held to raise awareness. Then there was a change of government and there was silence.

“In the last legislature (Wever-Croes I cabinet) they wanted to start up electronic government. So we said that is only possible if we also work on cybersecurity,” says Richardson.

Based on their history, it seems that a lot is still in the planning phase: a national policy, but also legislation that, for example, requires organisations to report cyber attacks. Something they often don’t do due to reputational damage. Also, the NCTVI has no authority. That’s why this working group shares information purely on a voluntary and trustworthy basis, says Richardson.

‘There is still a lot to do, but we cannot be compared to the Netherlands’
-Dolfi Richardson, NCTVI Director

Also, no one knows how secure the government and other major organizations really are. Therefore, it is still necessary to perform baseline measurements. There should also be a national cyber council chaired by the Minister for General Affairs. And above all, more money. “We have something, finally with the new budget. But to implement the plan nationally, much more is needed,” Richardson said.

However, he does not believe that Aruba has started too late. “We arrived just in time and yes, there is still a lot to do. But you can’t compare us with Holland or America, they are even forerunners in the world”.

‘Citizens must be able to accept that they will not become victims’
Let’s go back to Koedijk’s research, which concludes that the government and many vital businesses in Aruba, including banks, don’t have the basics straight. “While citizens are increasingly expected to fix things digitally. Surely they must be able to assume that they cannot become victims of the same organizations”, says Koedijk.

The Elmar electricity company maintains that it does offer its clients this cybersecurity. “We guarantee it,” says its IT manager, Alfred Croes. “Yeah, you shouldn’t look at it that way, because you can never fully guarantee it,” Richardson quickly replies.

Setar explains that they classify threats according to risk and impact. “Most of the resources go to protecting our crown jewels. Number 1 is fighting the attacks that have the biggest impact on our users. We also can’t filter everyone, due to privacy and our democracy. Otherwise, we would become a dictatorship,” says Eelens.

‘It’s like announcing in the neighborhood that the windows of those neighbors are old and broken. You invite the thieves’
-Eelens on the Koedijk investigation

Concerns about this publication remain, as becomes clear at the end of the task force interview. While the parties keep repeating that Koedijk’s research says little about their cybersecurity, they are concerned about any harm its publication will cause.

“It’s like announcing in the neighborhood that the windows of those neighbors are old and broken. You invite thieves,” says Eelens of Setar. “It is not good for the Kingdom, we are so unnecessarily in the crosshairs of the greats of the world. We want to return that message, which can generate more work for NCTVI”, concludes Richardson.
