Belgian government websites score low on cyber security. This prompted us to talk to our cyber security expert Kristof Tuyteleers. He compares the cyber security approaches of the Netherlands and Belgium.
Why do our government websites score so poorly in terms of security?
There are several reasons why Belgian government websites lag behind in terms of security. To begin with, there is a lack of central guidelines and supervision. This means that there are no standard procedures that are applied everywhere. This leads to differences in security measures.
Are there other issues that complicate cyber security?
Absolutely. The complex division of powers in our country results in fragmented policy. Cyber security is divided between different levels of government, which makes coordinated action difficult. This fragmentation means that there is no uniform approach, which reduces the effectiveness of security measures.
Not all government departments and levels have IT specialists who can properly assess and address cyber risks.
What about awareness and expertise regarding internet security within government departments?
Unfortunately, there is a lack of this. Not all government departments and levels have IT specialists who can properly assess and address cyber risks. Limited knowledge and experience make it difficult to develop, implement and maintain appropriate security measures.
The Centre for Cybersecurity Belgium (CCB), responsible for coordinating national cybersecurity policy, is trying to fill this knowledge gap by developing guidelines and recommendations (e.g. on incident response and vulnerabilities). In addition, the CCB organises an annual large-scale awareness campaign on a central theme (e.g. two-step verification).
Are there any other reasons why the security of government websites is inadequate?
There is also a backlog in terms of investment in cybersecurity. Budgets, including in the business sector, are limited and cybersecurity is not always a priority. Today, there are insufficient resources available to acquire and develop the necessary technologies, expertise and manpower.
According to research by the Internet Cleanup Foundation, the Belgian government is lagging behind the Netherlands. How do Belgium and the Netherlands differ when it comes to cybersecurity?
Belgium and the Netherlands have different administrative approaches. The Netherlands has a stronger central policy and the Dutch government applies stricter standards. For example, there is the Baseline Informatiebeveiliging Overheid (BIO, or Baseline Information Security Government in English), a basic standards framework for information security within all levels of government in the Netherlands. In Belgium, the CCB has a framework with its cyber fundamentals that is mandatory for essential services, but not for municipalities, for example.
What about investments in digital security?
The Netherlands has been investing in this for some time and has, for example, the “comply or explain” standards, managed by the Forum Standaardisatie. These are mandatory, open standards for governments when purchasing or developing ICT systems and digital services, unless there are compelling reasons to deviate from them. Such exceptions must then be justified (“explain”). Examples of mandatory open standards are DNSSEC , DMARC, DKIM and SPF for email security.
I am a strong supporter of this approach. Not only does it increase the maturity level of security in public authorities, but it also puts pressure on suppliers to support secure standards, which in turn leads to broader adoption of modern and adequate security measures across the sector.
It is certainly not the case that the Netherlands is doing everything right and Belgium is doing nothing.
But let's not paint too black-and-white a picture: Belgium is also taking action. We are the first country to fully transpose the NIS2 Directive, which aims to create a more cyber-resilient digital society, into national legislation. In the Netherlands, it is not yet clear when this law will be in place. So it is certainly not the case that the Netherlands is doing everything perfectly and Belgium is doing nothing.
The Centre for Cybersecurity Belgium (CCB) is also clearly catching up, for example with Cyberfundamentals (CyFun), a framework that all companies and governments, regardless of their size, can use. There is an awareness that we need to shift up a gear. The development of DNS guidelines is a clear example of this.
With this article, we support the United Nations Sustainable Development Goals.