"The challenge now is to achieve even greater impact"
[Originally published on September 26, updated on October 2]
With a view to further increasing our added value for the internet, we use the knowledge and expertise gained from running the .nl domain to pursue our mission: promoting safe and convenient digital living for everyone. That involves broadening our activity span and developing new propositions. Since 2016, progress towards those goals has been overseen by our Commercial Director Arjan Middelkoop. In this interview, he talks about the current situation and the main new solutions we're offering.
"In the first few months after I joined SIDN, I drew up a long-term plan," recalls Arjan Middelkoop. "We began by identifying three domains where we wanted to deliver added value: digital identity, digital security and digital usability. However, we quickly discovered that three domains was too many. So we dropped digital usability and are now fully focused on digital security and digital identity."
In the field of digital identity, we've taken a number of important initiatives. "The most significant move was of course acquisition of a majority interest in Connectis," says Middelkoop. "We've recently built on that strategic relationship by enabling registrars to act as resellers for Connectis eHerkenning tokens. We're now also partnering with Privacy by Design. Work is already underway to increase the market footprint of their IRMA identity solution and to expedite further development. Within the online security domain, we're developing three propositions. One is the now familiar Domain Name Surveillance Service (DBS). Another is SPIN: software that both protects IoT devices against hackers and makes the internet less vulnerable to DDoS attacks. Finally, we've developed a proposition called CyberSterk, designed to help SMEs identify their digital vulnerabilities. All three look like very promising products. We've come a very long way: we're now at the stage where market demand is starting to develop and we can offer real solutions and products. All the products I've mentioned have made the transition from attractive concept to operational solution. The next challenge is to work with our partners to generate growth and volume, and thus to achieve the intended impact in our chosen domains."
Value for registrars
Not all registrars welcome us developing new activities. Some take the view that SIDN should stick to its core role. So we want to reach out to those registrars and work with them wherever possible. We aim to involve registrars not only in developing new products and services, but also in bringing those products and services to market. We liaise closely with the Registrars' Association about our plans, and we regularly exchange ideas with registrars. "Our registrars form an ideal sales channel," Middelkoop continues. "We want any new propositions we develop to form logical extensions to the registrars' service offerings. That way, we're delivering added value for registrars as well. While there are still some registrars that think we should confine ourselves to managing the .nl zone, an increasingly large group is very positive about what we're doing. They recognise that our new propositions mean shared opportunities, and that together we can have a positive impact on the internet in the Netherlands. We've already got a number of registrars signed up to act as resellers for Connectis, and the first eHerkenning tokens have now been sold through that channel. Meanwhile, we're talking to various registrars about CyberSterk. When you have 1,200 registrars, all with their own circumstances and business models, it's inevitable that reaction is going to be mixed. Ultimately, we have to focus on maximising the added value we deliver for all internet users, in terms of promoting safe and convenient digital living. We're doing our very best to make the new activities successful: with and for our registrars, of course, but also for other stakeholders."
Domain Name Surveillance Service (DBS)
Our DBS protects brand owners against phishing and reputational damage by promptly alerting them to the registration of domain names that resemble their brand names. We've been marketing the service successfully for several years now, gradually adding features along the way. "Our clients want to do more than simply check domain names," says Middelkoop. "The next step is content checking. Our aim is to offer a broader package of domain safeguarding tools. That's technically challenging, but we're working hard and we're confident of delivering."
SPIN is short for Security and Privacy for In-home Networks: open-source software that protects domestic IoT devices against abuse. "We've completed the test phase," Middelkoop sums up. "As an open-source application, SPIN can easily be adopted by the community, either for as-is use or for adaptation. One of the firms that have decided to use SPIN is EmbeDD, a Swiss company that develops software for CPE devices. EmbeDD is incorporating SPIN into its own open-source router software DD-WRT. From now on, SIDN (Labs) will return to using and developing SPIN as a research tool."
Small and medium-sized enterprises (SMEs) are increasingly aware of the risks posed by cybercrime. Unfortunately, though, most security solutions don't suit SMEs. They're too expensive or require too much technical know-how for firms without big IT departments. We've therefore developed CyberSterk: a comprehensive package consisting of a 'box' that detects abnormal internet traffic in a company network, plus good practice tips and tests. Every CyberSterk subscriber gets a weekly scan of their network and website(s). The scan reveals any vulnerabilities and alerts the subscriber to acute threats. We also do regular phishing simulations, in which personnel are sent dummy phishing e-mails. "Our approach tests client companies' resilience from both the inside and the outside. We flag up weaknesses and raise the alarm if any immediate threats are detected. When there's an issue, the subscriber gets a notification via a simple app. But we don't just tell people that something's wrong: we also tell them how to fix it. The client's IT partner gets a technical briefing as well. For SMEs that don't have anyone responsible for IT, we recommend service providers that can help. On 1 October, we're starting a CyberSterk pilot, which will involve partnering with two registrars to offer a 'minimum viable product'. We're hoping for twenty to forty paying customers, who can help us to fine-tune CyberSterk."
IRMA is an identity platform with a focus on personal data privacy. It enables users to share only those items of personal data ('attributes') that are strictly necessary to access a given service. Hence the acronym, derived from 'I Reveal My Attributes'. Suppose, for example, that you want to log in with an online alcohol retailer. The retailer only needs to know that you are over eighteen. They don't need to know your exact date of birth, or your gender. For a number of months now, we have been helping Bart Jacobs of Privacy by Design, IRMA's inventor, to bring this product to market. "We're currently talking to a number of big businesses, including health insurers," confirms Middelkoop. "IRMA has a lot of potential advantages for them. It's user-friendly, it offers real privacy benefits for end users, and it tends to be significantly cheaper than the alternatives. Now that we're providing IRMA's technical infrastructure, service providers have more confidence in the system."
Culture change at SIDN
Since Arjan Middelkoop's arrival at SIDN, our approach to new propositions has changed. As he says, "We don't try to do everything on our own any more. Increasingly, we look for smart partnerships instead. More importantly still, we've become more agile. Instead of trying to develop a perfect product and then see whether people actually want it, we start small and gradually adapt: 'start fast, fail fast, learn fast'. The current approach to product and proposition development has necessitated a culture change at SIDN. In our role as operator of the .nl domain, we're like an oil tanker: dependable and not easily knocked off course. Those characteristics are exactly what's required in the context of our core activity. However, an organisation with a broader role on the internet, capable of entering new markets, sometimes needs to be more like a speedboat: fast and manoeuvrable."
It's impact that matters
What constitutes success with the new services? "We're less concerned about the financial result than about the impact," Middelkoop responds. "Nevertheless, new products and services do need to be profitable; it's important that we recover our investments and operating costs. Our aim is to make a (responsible) profit, so that we can continue working to promote safe and convenient digital living for internet users. Services such as CyberSterk therefore need to secure a substantial market share, otherwise we won't be able to protect SMEs properly against cybercrime. And I'm confident that we're going to succeed. We've got several strong propositions on the table."