May 13, 2022 | Sharina Henriquez
ORANJESTAD – It is rare for the Aruba Security Service (VDA) to invite a journalist to talk about state threats. Correspondent Sharina Henríquez reports on her appointment.
The reason for the conversation is a series of publications by Caribbean Network dealing with cybersecurity in Aruba. Vital businesses and government institutions are put at unnecessary risk because they don’t have their IT security in order, according to a study by cyber expert Erik Jan Koedijk.
“I want to emphasize that no one speaks on our behalf,” says the boss, Juri Nicolaas.
We are in a large conference room with closed windows, only pencil and paper. I can’t record the conversation. “I don’t have a phone with me right now. Paper is still the safest,” says Nicolaas. “Sorry, but these are the rules.”
A week earlier, he was at the NCTVI office with a task force of cyber experts for confrontation. But the Security Service, also a member of this group, was not at the table.
Who is responsible for what?
The VDA reports that it made the first big push to put cybersecurity on the agenda, and that the new NCTVI club, which has existed since 2018, was subsequently pushed to (partially) take it further.
There is also a difference in responsibilities, explains Nicolaas. “They deal with crime in general, we deal with it when it’s a threat to national security.” That is also the case if, for example, a hacker shuts down WEB, the only company producing water and electricity, he says. The VDA initiated the collaboration between vital businesses and the government (the working group).
In Aruba there is only one working group, which watches over the vital companies WEB, Elmar, Setar and Centrale Bank Aruba. It is a pilot, a test, in which they work closely with the security service and NCTVI. Other crucial companies do not have this yet.
The intention, explains Nicolaas, is that there will be more of these so-called ISACs. These are Information Sharing and Analysis Centers, where parts of the government and the business community share information about cyber threats as well as other knowledge. Because the information is often confidential, the parties make agreements about it.
“It still needs to be structured,” says Nicolaas. “The intention is that each sector has an ISAC with its own protocols. Eventually, you get some sort of weather forecast that NCTVI sends out about cyber threats. The information remains a professional secret and there is no obligation to report yet.” But as NCTVI indicated earlier, there are plans to introduce a reporting obligation in a new law.
‘Eventually you’ll get some kind of cyber threat weather report’
The urgency for Aruba to make cybersecurity a priority also emerges from Nicolaas’ response to the threats to the island. “Cyber security is more important than counterterrorism,” says the head of Aruba’s security service.
“The fight against terrorism is now lower on the agenda. Information security and cybersecurity have become very important. The cybercrime threat was low at first, because Aruba was not digitized. So now it is higher, because more and more is being digitized.”
Furthermore, these threats are increasingly coming from state actors rather than ‘ordinary’ criminals. “We see traces of China and Russia. We see what is happening on our website every day. We look at specific tracks and whether it can be considered a dangerous actor. We are seeing actions from Venezuela, which is cautiously becoming a platform in the region.”
The security service is dedicated to cybersecurity for the protection of government information, espionage or counterespionage. “And we also hack as if.”
Security service conducts awareness campaign
Therefore, the service is also the one that carries out awareness campaigns for the public. On the website you can find a lot of information about how cyber criminals work, the trends you should be aware of. But now the question arises whether the security service should not learn from its own campaign.
Dutch cyber expert Erik Jan Koedijk has examined the VDA website and mail domain vda.aw and concluded that the security service is “unnecessarily vulnerable to cybercrime because the basic configuration does not seem to be in order”.
‘We can’t be Fort Knox, because people have to be able to tip us’
A remarkable conclusion, but Nicolaas sees everything differently. “Our experts say it’s not that bad. They know this, but they do not share his conclusion that citizens are at risk. By the way, our database is not connected to the Internet. The risk to state security is zero. Yes, the website is out of date, we are working on a new one. But it can’t be Fort Knox either. Because we also want people to continue to tip us.”
“I don’t want to trivialize it with this”, says Nicolaas, “but what brands? The setting we turn on or off in privacy mode is a choice. We do not have the risk profile, our domain has not been ‘spoofed’ yet. So we recognize the points, but the conclusion is short-sighted. Not well.”
‘Don’t compare Aruba to big countries’
Nicolaas also thinks that Aruba cannot be compared to the Netherlands and the United States. “They already have mature cybersecurity. They have been working with a stronger budget for years and have established a relationship with the hacker world. In most countries it’s still punishable if you’re on a target list.”
“Even in Europe, the legislation still has to change so that you can report cases without prosecution. I know the Dutch government gives out those T-shirts: ‘I hacked into the Dutch government and all I got is this lousy t-shirt’. That’s a healthy relationship.”
A defensive response from the Security Service to the Koedijk investigation? That is not the case, says Nicolaas. “We don’t want to meet like that. I am grateful that citizens keep us alert and critical. But (about Koedijk’s research) I would have approached it differently. I would have a conversation first instead of a post (on Facebook), because then you create expectations.”
Nicolaas acknowledges that an email Koedijk previously sent to the Security Service with his findings got stuck and was only found much later. He also acknowledges that Aruba still has a lot of work to do for a cybersecure island. “But we don’t want to lead based on fear. That is why we focus on awareness. It is an uphill development.”