NLO Fortify no. 6 2017/2018
Share this edition
no. 6 | volume 4 | winter 2017/2018

Interview with Lokke Moerel

In many companies cyber security is still in its infancy

The advent of cyber crime has added a new dimension to protecting company innovations and commercially sensitive information. The media carry almost daily reports about hospitals hit by ransomware, ports, shipping and courier firms paralysed for days by malware that has infiltrated their computer systems, and mass thefts of credit card details or medical files.

As a member of the Dutch Cyber Security Council (CSR) and a lawyer with Morrison & Foerster, Lokke Moerel is no longer shocked by what hackers are capable of. What does surprise her though is just how many companies are still inadequately prepared for such attacks. She's also annoyed that many manufacturers – including some highly reputable ones - are evading their cyber security responsibilities: "Many producers are launching their ‘smart products’ too quickly. They're all so desperate to be first-to-market, without first ensuring that these products have adequate cyber security."

What are the main forms of cyber crime companies face and how are they evolving?

"Cyber crime was initially aimed at making a 'quick buck', for example through the theft of credit card details. As time went on, hackers became more interested in stealing commercially sensitive information ranging from innovation-related R&D data (including product manuals) to new designs for production plants. That was the second wave. The third, current, wave involves stealing personal information to deflect a company's focus away from the real target, namely its intellectual property. Another variant is to begin by stealing personal information from one company and using it to create convincing phishing emails to infiltrate another company (the true victim). We refer to this as a ‘stepping stone hack’. This is slightly different to what we've recently seen with malware such as Wannacry and NotPetya. The latter were generic attacks which exploited a weakness in Microsoft; they weren't specifically targeted at a particular company. The main purpose of those attacks seems to be to demonstrate the power to cause disruption. 'Stepping stone hacks’ by contrast, are carefully prepared, incredibly advanced infiltrations aimed at acquiring specific knowledge.”

Lokke Moerel

‘Quick buck’ hacks and hacks with a strategic goal involve quite different criminal profiles, don't they?

"Yes, modern cyber espionage is usually state-sponsored. The cases I'm involved with are almost always backed by state actors, usually from China or Russia. At least, that's what the forensic experts are telling us time and again. They base their conclusions on how the malware has been developed and coded, in which you can recognise specific styles."

What company data are generally stolen and what do hackers do with it?

"Medical details are particularly in demand. They're traded on the dark web and buyers can use them to create highly convincing phishing emails with which to infiltrate systems. An example is the stepping stone hack perpetrated against the US medical insurer Anthem, whose details were used to create phishing emails to infiltrate the US government. The dark web is also a form of information market. For example, there may be a call for tenders to build a port, and rival companies may want to know how much their competitors are bidding. Most companies aren't in the business of stealing this kind of information directly from their competitors, but if they are offered a report for a relatively small sum then this apparently is attractive. A wide range of stolen price-sensitive information is also available and traded to gain information for insider trading. Law firms are targeted by cyber criminals because they're often the first to be told of forthcoming transactions and acquisitions. There's no reason why patent offices shouldn't be targeted in the same way. Information about innovations that's exchanged with them would be a very interesting channel to tap."

You're confronted daily with these matters. Is there anything that still shocks you?

"The sophistication of cyber crime is continuing to grow, but that's almost a permanent trend so it doesn't really surprise me anymore. What does take me aback from time to time is the lack of baseline cyber hygiene observed by companies. Perhaps that's because I'm involved with so many cyber incidents and see it as an urgent issue. Nevertheless, I constantly see companies failing to timely implement software security patches and hence leaving themselves vulnerable. The disruption caused to the Port of Rotterdam could have been prevented if they'd only installed a simple Microsoft security patch. I would have thought we'd be past the stage of non-awareness by now, but unfortunately it seems we're not."

The Netherlands cyber readiness assessment

In a recent article in the NRC Handelsblad newspaper, you gave the Netherlands a score of just 3 for cyber security.

"There are many facets to cyber security.1 Are we scoring a 3 on them all? No, but if one element isn't being handled properly, it's difficult to obtain a high score overall. I think that some of the large companies that were hit by cyber incidents early on have since made significant improvements and now have their cyber security well in hand. But those same companies rely on a range of smaller suppliers and partners, and the security chain is only as strong as its weakest link. The cyber security and/or cyber hygiene of many companies is still in its infancy, which means the total picture is still far from satisfactory."

The Netherlands Cyber Readiness Assessment (2017)

How is the Netherlands doing compared with other countries?

"The Netherlands is in the top 10 of the world's most ‘connected' countries: 95% of households have an internet connection. That makes us one of the most ICT-intensive economies in Europe: we're currently seventh in the world and fourth in Europe (2017). 23% of our economy is internet-based and our goal is to reach a quarter by 2020. This means that our vulnerabilities are proportionally great, yet we only spend 0.01% of our GNP on cyber security. This is a much smaller percentage than France, the UK, Germany and the US. Cyber security is also relative. If we're more secure than the countries around us, cyber criminals will divert to those countries, to wherever it is easiest. At present, our total cyber-readiness is reasonable compared with other countries, but I still don't think it is sufficient. Either in absolute terms, because the threats are growing increasingly rapidly, or in relative terms, because the countries around us are investing much more in cyber security and are therefore catching us up. According to the Dutch government's General Intelligence and Security Service, Dutch companies and institutions are victims of cyber attacks, both structurally and on a massive scale; we just aren't prepared for them."

1 In her reply to this and the next question, Lokke Moerel refers to the report 'The Netherlands Cyber-Readiness at a Glance' by Melissa Hathaway and Francesca Spidalieri (May 2017). The diagram 'The Netherlands Cyber-Readiness Assessment' is also taken from that report.

What do companies do when they detect a cyber attack? Do they neatly follow a pre-prepared script or is it total panic?

"Most companies that are hit for the first time by a serious infiltration (i.e discovering malware on their systems whose effect they're unsure of but which they can see is exfiltrating data) break out in panic. Some may have an incident response procedure in place, but as soon as they consult it they can see straightaway it won't help them. These documents usually don't even give the names and mobile numbers of the individuals you need to phone to form the crisis team. So even before the right people can get round the table to manage the incident, an irresponsible amount of time has already been wasted. And if advanced malware is discovered, they'll need to call in external forensic experts. If these experts haven't already been identified, selected and contracted, that will create further unnecessary delay. Not to mention the fact that by then you're in no position to negotiate competitive terms and conditions with them. And if you do business in the U.S., each data breach that comes to light will bring you a number of ‘class actions’. In serious cases, lawyers are therefore brought in early on to maintain ‘legal privilege’ where possible and minimise the risk of liability. Data breaches can also trigger a raft of obligations to notify supervisory authorities in different countries. Moreover, this must be carefully coordinated to ensure that all the relevant authorities are notified simultaneously. Failure to do so will mean you risk being accused of not having reported the incident in good time (since you were clearly able to notify another authority sooner). What's more, the deadlines for notification are unrealistically short. In the event of data breaches involving the loss of personal information, companies must notify the competent Data Protection Authority within 72 hours. You can imagine that given everything you have to do, this deadline won't be met if you don't already have an action plan which you've practiced.

The common response after a company's first experience of a cyber attack is: never again! They immediately compile a sound plan for responding to cyber incidents and carry out tabletop exercises based on real-life scenarios. Before an attack, companies are often reluctant to invest in incident preparedness; after an attack, money is no object. Clearly, companies have to experience just how seriously adrift they can be if they lose control of their systems before they truly understand how important it is to prepare for worst-case scenarios and keep the relevant procedures 'front of mind'. It is the managing board's responsibility to ensure that the company is fully cyber-ready, i.e. that the relevant procedures are well-implemented and embedded in the organisation. In the U.S., company directors can be prosecuted by their shareholders if their cyber security is not up to scratch and even if they fail to adequately manage a cyber attack. And if you think that what happens in the U.S. couldn't happen here, you'd be wrong. For example, the Dutch Cyber Security Council has published the 'Cyber Security Guide for Boardroom Members', and all members of the Council hold discussions with company boards each year to focus their attention on the issue. This has revealed that levels of preparedness for cyber attacks still varies significantly."

about the csc

The Dutch Cyber Security Council (CSC) is an independent national body which brings together eminent representatives from the public and private sector and research community to advise the Dutch government. The CSC operates at strategic level to improve levels of cyber security in the Netherlands.

Due to its unique composition, the Council can approach priorities, obstacles and incidents strategically from various angles and develop an integrated approach to opportunities and threats. It works with sister organisations in other countries and encourages the establishment of similar bodies in countries without cyber security councils.

The CSC's recommendations and publications, some of which are in English, can be found at

Do we have sufficient understanding of the damage that's being caused by cyber crime?

"When I see companies developing innovative technologies and which haven't yet experienced a cyber attack, I think to myself: “Have you looked closely enough at your network? According to the Dutch intelligence agencies, two-thirds of the organisations affected by hacking don't even know it has happened. Many only realise they've been infiltrated when they start monitoring their network. Larger companies with innovative technologies are now more aware of this and continuously carry out such monitoring. But of course many smaller companies also have highly innovative technologies worth stealing. I believe awareness among these companies is still too low, but perhaps it is just a matter of costs. Various reports estimate that the damage caused by cyber crime in the Netherlands runs to around 10 billion euros. That's equivalent to 1.5-2% of our GNP. And since we only spend 0.01% of our GNP on cyber security, you'll appreciate the imbalance. A good rule of thumb is that companies should be allocating at least 10% of their IT budget to cyber security. However, a lot of these companies, especially the smaller ones, aren't reaching that target."

All the media attention on cyber crime is fuelling concern about privacy and personal data protection. To what extent is this slowing the rate of innovation and the use of new technology?

"I don't think innovation is being slowed down at all at the moment! On the contrary; I feel manufacturers are currently launching innovations too quickly. They're all falling over themselves to get onto the market without first adequately safeguarding the cyber security of their products and services. For example, a wide range of appliances which previously operated on a stand-alone basis - from washing machines to drilling platforms - are now all connected to the internet. Not enough thought has been given to the potential dangers of doing so and the security needed to offset this risk. It's rather like cars which in the past lacked adequate brakes, safety-belts or airbags. Initially that was acceptable but these days such safety features are standard practice. They're simply a ‘cost of doing business’. Essentially, we're currently generating revenue in the digital economy without making the necessary initial investments (in cyber security). This is unsustainable and will eventually backfire. We're in the process of creating a new legacy problem for the future. My second objection concerns privacy. This might not seem in any way related to cyber security, but a lot of machinery and tools used in production plants are now fitted with sensors. They may not seem to collect personal data, but the information they collect nevertheless contains data about the people who operate or maintain these machines: for example, how quickly and accurately they do their work, whether they're occasionally distracted and whether they've committed any errors. You then get privacy rules becoming relevant in areas where nobody ever considered them before. I don't think enough attention is given to these two developments in relation to innovation."

Lokke Moerel

What responsibilities do companies have in this area?

"All companies have a digital duty of care. We at the Dutch Cyber Security Council recently published a guide to the subject entitled ‘Ieder bedrijf heeft zorgplichten’ (‘Digital duty of care: a responsibility of all companies’). The purpose of this guide is to inform companies what their current obligations are, including giving them advice and examples of how their duty of care affects the marketing of new products. The guide is badly needed, given that even reputable manufacturers still neglect their responsibility. Take the example of Miele's smart dishwasher for hospitals, which was recently shown to be vulnerable to hacking. Miele Nederland's response was regrettably typical. Instead of accepting responsibility for its failure to make the dishwasher sufficiently cyber-secure, the company shifted responsibility for securing the appliance onto the hospital's network administrators, ‘as the dishwasher was embedded in the hospital’s network’. This is nonsense: all manufacturers are responsible for the cyber security of their own products. The reality is that some simply ignore these obligations.

Miele did offer a better response later on, acknowledging responsibility, but its initial reaction was puzzling. Similar statements were issued by Volkswagen when it emerged that their wireless car-keys and the chip of the engine immobilisers could be hacked, allowing the cars to be unlocked remotely. Rather than notifying owners and recalling the affected models to rectify the fault, Volkswagen took out an injunction to prevent the researchers from publishing their findings. The company also stated that car owners themselves were responsible for fitting a steering wheel lock or extra immobilisers. Again, I consider that a strange response. If Volkswagen sells a car, it must abide by the rules governing the sale of goods and product liability. If its car-key can be hacked because it is insufficiently secure, it is Volkswagen who is liable, just as it would be if the car's airbag or brakes were faulty. The company's reactions point to a complete lack of understanding that cyber security has to be a standard feature of a connected device. The belief that cyber security isn't the responsibility of the manufacturer is utterly incomprehensible for me as a lawyer. Whose responsibility is it then? I'd like to ask. Who is making money with the products? Yet somehow this logic isn't getting through. So it's up to people like me to say: for connected products adequate cyber security is your responsibility!"

Are you saying that when we launch innovations we should take our foot off the gas now and then and look more closely at the risks involved and how to protect ourselves against them?

"Technological developments always precipitate a backwards and forwards movement. It starts with technology defining what's possible and social and legal norms catching up later. Only at a later stage do we start to wonder whether it's really a road we should be going down. Take Uber and Airbnb: initially everyone thought they were brilliant and only saw the benefits. Now that the negative aspects are also becoming clear, governments are rushing around imposing regulations on these companies to prevent them from harming consumers.

I think we can expect a similar backlash in relation to connectivity. Linking everything together creates fantastic new opportunities and generates growth, and obviously we want to retain these benefits. But in the interests of public safety and security, some aspects of our highly critical infrastructures (such as our energy supply) shouldn't automatically be connected to the internet. And we really must throw out the idea that the consumer will be capable of making responsible choices simply by being informed of the need for security. A customer who buys a laptop shouldn't have to worry about security software. After all, you wouldn't buy a car without seatbelts."

If you monitor developments in cyber crime and are contacted each day by customers who are having problems with their cyber security, it must make you very gloomy about the future.

“I'm an incorrigible optimist, and while I recognise the problems I also think in terms of solutions and possibilities. So I believe that as a society, we'll resolve this problem too. However, there is one thing that really bothers me. We already have so many outdated legacy systems that need cleaning up, and this will be very costly and time-consuming. I therefore worry about manufacturers who are still launching products on the market with inadequate cyber security, and who are consequently creating a new legacy problem for the future. So let's at least ensure that everything new we release onto the market has the best possible security features. That doesn't seem to me to be asking too much."

about lokke moerel

Professor Lokke Moerel began her career as an IP lawyer at De Brauw Blackstone Westbroek, where she was a partner until 2015, when she joined U.S. technology law firm Morrison & Foerster. Lokke is now senior of counsel in the firm's Global Privacy & Data Security team. "During my first few years as an IP lawyer, I worked on software copyright law (including IBM's word processing programmes). Since the internet explosion I've increasingly been concentrating on a IT side. I've spent the last 15 years dealing with IT, cyber security, and data protection. At Morrison & Foerster, I help a number of data-driven companies in Silicon Valley with their cyber-readiness strategies and head the teams in our practice who respond to cyber attacks."

Lokke Moerel

Lokke Moerel is also Professor in Global ICT Law at Tilburg University and a member of the Dutch Cyber Security Council (CSC), an independent advisory body comprising representatives from the public and private sectors and the research community. The CSC operates at strategic level to improve levels of cyber security in the Netherlands. Its gives solicited and unsolicited advice to the government and public and private sector players about relevant developments in cyber security. "My specific contribution within the CSC derives partly from my international experience and knowledge of regulation in the sphere of cyber security and privacy, and from my practical experience with companies that have been affected by infiltration by cyber criminals and the questions this raises for instance about working with law enforcement agencies or sharing information with other companies."

See also >

  • Read articleTechnology entrepreneur and author Peter Hinssen get us thinking about radical innovation of the day after tomorrow.
    Trend in the market Radical innovation for the day after tomorrow no. 5 | volume 4 | winter 2017
  • Top