Stan Hegt is what is called an ‘ethical hacker’. The ethical is that it is ‘benign’, he says himself. In fact, he is a consultant in the field of cybersecurity. Together with a few other specialists, he is the owner of a company Outflank, which researches, advises and train companies and authorities. An important expertise is that they themselves are real hackers and therefore are familiar with the world of digital hacking.
“People all over the world are thinking very much about: what can we do? But they are usually less concerned with the dangers. A city that wants to be safe in this respect must start with it. The basic level is that as a municipality you have the technical security in order. And then I would say: practice, practice, practice.”
Stan Hegt advises the Municipality of The Hague on cybersecurity. He draws a parallel with top sport: if you really want to be good at what you do, if you want to know exactly how to act in reality, you can only do that through enough practice. “You must have experienced exactly what it is like when the threat comes at you”, says Hegt. “You can explain things, but it is never like in the match”. According to him, for example, banks already do such exercises, but he knows no cities where they do. While the 'old-fashioned' disaster exercise seems to be a logical preliminary stage of responding to a cyber-attack. “It is also how you make a human body resilient”, Stan Hegt compares this process with vaccination. “Such an exercise with a cyber-attack is like injecting a little bit of a disease so that the body is ultimately resistant to that disease.”
A city is a bit of an old-fashioned concept in the digital world, which knows no city borders. But organizing awareness in a community is obviously a role for a city government, argues Hegt. “To have the ambition to promote digital security, and being aware of the necessity, that is step one.” Everything you offer to citizens and businesses in the IT field must be drenched in this, he thinks. “And everything that you learn as a municipality, all the pitfalls and lessons, you share with your residents.” The Hague uses Stan Hegt to improve the municipal organization in this area with sessions on ‘cyber awareness’. “I let people experience what it feels when things go wrong. Officials are very good at talking. But dealing with hacking requires different skills.”
Hegt distinguishes four types of hackers:
• the digital criminal, who is aiming at money or valuable information. This form is mainly 'annoying', not so much a huge threat.
• activist citizens, who lay down systems from ideological motives. Harmful, but not yet disastrous.
• terrorists who want to disrupt society as much as possible.
• hackers connected to certain governments who are engaged in a form of digital warfare. "In the next war Rotterdam will not be bombed, but The Hague will be shut down."
There are no examples of real disasters as a result of cyber-attacks yet. “But we are enormously dependent on IT,” says Hegt. "Everywhere there is a plug, everything is IT.” According to him, it is partly luck that we’ve not already experienced greater disruption. "It is possible to shut down hospitals or the energy supply. But the question is what you gain as a hacker.”
Stan Hegt doesn’t have a clear example of a city that has a good level of cybersecurity. “Estonia is often cited as a digital leader. But they are not necessarily good at safety,” he says. He sees an opportunity here for The Hague. “If you do this really well, you as a city can indeed become an example for other communities in the world.”