The Dutch Safety Board has been investigating security breaches due to vulnerabilities in software from Citrix. The Board also conducted investigations into other, similar incidents.
Vulnerabilities in Citrix and other software have led to insecurities for organizations that use this software and for those who depend on these organizations.
Software products are always vulnerable. Manufacturers add new features to existing products, reuse existing components or build layers into the architecture.
Organizations do not always have the expertise and capacity to analyze, weigh up and take measures against risks, or do not see the urgency of doing so.
There is no national structure for the management of digital incidents in the Netherlands that allows for timely warning of all potential victims.
Reaching global agreements on secure software and cyber attacks is difficult because of differences between nations and national intelligence and enforcement activities.
Parties involved in the digital domain can learn better from incidents. Lessons from incidents should also be disseminated as widely as possible.
Digital dependence and the threat of security breaches are increasing. Rapid and fundamental action is needed to prevent societal disruption.
To the relevant European Commissioners: Create European legislation that leads to safer software and that establishes the liability of manufacturers for the consequences of software vulnerabilities.
To software manufacturers: Develop good practices with other manufacturers to make software safer and more secure.
To software manufacturers: Warn and help your customers quickly and effectively when vulnerabilities in software are detected.
To the Dutch Cabinet and to organizations in the Netherlands that use software: Ensure that all potential victims of cyber attacks are alerted quickly and effectively.
To the Dutch Cabinet: Require all organizations to account for the way in which they manage digital risks.
To the relevant Dutch ministers: Encourage organizations and consumers to jointly formulate and enforce safety and security requirements for software manufacturers.
To the Dutch Cabinet: Create a legal basis for the management of digital safety and security.