Dutch Security Report Portal: driving structural internet security
SIDN Fund supported initiative to make the internet more secure
Having begun as an initiative by several organisations within the anti-abuse network, the Dutch Security Report Portal (NSM) developed into a structural solution to a persistent problem. The NSM was conceived as a centre for handling reports about vulnerabilities and abuses on the Dutch region of the internet, and passing them on to the relevant parties. And it proved to be a great success. So much so that the government has taken over the role, enabling the NSM to disband. The portal’s story serves as a great example of how goal-oriented collaboration and start-up support can make a real difference.
Vulnerabilities, misconfigurations and abuses: problems are always arising on the internet. In many cases, they’re detected by international actors that continuously scan networks, such as Shadow Server and Google Safe Browsing. However, news of the detections often doesn’t reach the people who could fix the problems. “Sometimes, you only know that an issue has been detected if you specifically ask,” says Wido Potters, one of the people behind the NSM’s creation and actively involved through the AbuseIO foundation. “Lots of network operators never asked for the information – either because they didn’t even know it existed, or because they assumed that everything was fine. The result was thousands of vulnerabilities that went unfixed because the people who could’ve fixed them didn’t know about them. Reports were being sent to the National Cyber Security Centre, but the NCSC was passing them on only to the government and vital infrastructure operators. Nothing was being done with the other reports.”
After years of discussions with the NCSC, Potters and other anti-abuse network members decided to take matters into their own hands. With support from SIDN Fund, 6 organisations joined forces to set up the NSM. NBIP, the AbuseIO Foundation, Connect2Trust, the Dutch Institute for Vulnerability Disclosure (DIVD), AMS-IX and SURFcert teamed up to build information systems capable of discovering issues on the Dutch internet and flagging them up to people who asked or needed to know.
SIDN Fund’s support enabled the realisation of vital technical connections. Potters: “We brought existing systems together and adapted them so that everything slotted together seamlessly. SIDN Fund covered about half of the cost, with the participating organisations paying the other half. In total, the NSM processed hundreds of thousands of reports, mostly about vulnerabilities and misconfigurations, but sometimes about active abuses, such as phishing. Without SIDN Fund, the NSM would simply never have existed.”
Mieke van Heesewijk of SIDN Fund: “This project is a perfect example of what SIDN Fund is all about: providing early support for initiatives that highlight urgent problems and explore solutions. The Dutch Security Report Portal was a catalyst for structural internet security. It’s quite something that the government is now taking on responsibility for the job the portal was doing. It’s the ultimate confirmation that our support can make all the difference to a fledgling initiative.”
After several years of successful operations, the NSM has now been disbanded. Potters: “We’re pleased that the government has taken on the role. That was always the best solution. And it means that, after a successful few years, the NSM can be wound up. It’s done its job. It’s demonstrated to the government that a structural approach is both necessary and possible. The pressure from the field has clearly helped get the government to act.”
Potters acknowledges that the NSM’s collaborative model involved challenges. “Sometimes, one organisation would want to move faster than another. But that sort of thing is inevitable when multiple organisations are trying to create something together. You might be able to move faster by going it alone, but teamwork gets you further.” And the NSM got a long way. Thanks to the support of SIDN Fund and the commitment of the organisations behind the NSM, a temporary report desk became the catalyst for durable, structural internet security.