‘Who is the captain of the crisis ship?’
INTERVIEW SEBASTIAAN VAN 'T ERVE
TEXT: MARJOLEIN VAN TRIGT
‘Cyber mayor’ Sebastiaan van 't Erve says he is on an emotional rollercoaster at the time of the interview. The farewell to the municipality of Lochem, where he is leaving after eleven years as mayor, is not something he is uneasy about. And then, to his surprise, he has also been elected IT politician of the year 2024.
As De Dijk once sang, ‘a man only knows what he misses when she is not there’. Sebastiaan van 't Erve suspects that the same applies to his election as IT politician of the year 2024. Perhaps the readers of iBestuur, AG Connect and Binnenlands Bestuur voted for him partly because of his departure as mayor, he thinks. ‘I think the award is a nice recognition for what I have been doing behind the scenes for years, namely connecting people and organisations from the municipal to the European level.’ His fame as a manager with a passion for IT is partly due to the hack on Lochem in 2019. The attackers had been in the systems for more than six months and were discovered just before they could start taking data hostage. Nevertheless, the consequences for the municipality were major. 'It was the first time I really looked into the abyss,' says Van 't Erve, looking back. 'A few years earlier, we were faced with a ransomware attack two days before the elections, which locked all systems. We were able to restore the backups quite easily. That was also my first thought during the attack in 2019. Until it turned out that we had to rebuild all the systems. What then came to a standstill? Everything, it turned out, from paying out benefits to flushing the toilet, because sewage pumping stations are now also smart and therefore vulnerable.' The most important lesson learned was about taking responsibility. 'We knew that we had to implement two-factor authentication everywhere, but even in my own organization it was decided that implementing two-factor authentication everywhere was still difficult...'
Plan B
Even though Lochem has made enormous strides since then, cyber resilience remains a stubborn subject. 'We are not as well prepared for the current threats as we should be.' For example, does Lochem have a plan B if Donald Trump ever decides to impose sanctions on Europe, leaving us without American tech companies? 'To be honest, the entire Dutch government will then no longer be able to do anything. We are almost entirely Microsoft-based. It is far too extensive to say: "don't worry, we will be back online within a week." We need to have that honest conversation now. If politicians want a plan B to be ready, it will cost time, money, effort and attention. Are we willing to do that? That question needs to be answered at a political level.'
Computer systems form the backbone of modern society. Although the Dutch government is taking cyber resilience more seriously than before, not everyone is fully aware of what that means. Van 't Erve: 'The starting point of the BIO (Baseline Information Security Government, ed.) is comply or explain. In simple terms, it is sufficient to do your best. You do not necessarily have to be able to demonstrate that you have actually taken all the measures that apply to your sector. That mindset needs to change. If you do not want to be offline for more than 48 or 72 hours with your basic digital services, then you can start preparing for that. But that is not a free decision.' Van 't Erve advocates due diligence, such as in the financial sector, where an auditor comes to check whether an organization has done its homework. 'And no, you cannot prevent all risks with that either.'
Responsibility
He sees it as a social responsibility to show others what he saw when he looked into the abyss. 'I was approached by a CISO from a large city who said: "It's great that you had some basic IT back in order within 24 hours after the hack, but it helps that your organization is in one building and that you have been working on standardization and complexity reduction of your IT for years. In a somewhat large city, it will probably take months to get what you have back on track." That shocked me. What would happen if you no longer had a sewer system in a large city, could no longer collect waste and stopped paying benefits?'
It is not an unthinkable scenario, as evidenced by the experiences of Estonia and Ukraine. From a conversation with the head of digital security in Ukraine, Van 't Erve learned that in such a case it matters very little what belongs to the municipality, what belongs to the water board and what has to be decided in interdepartmental coordination consultation. 'A wave comes over you that it no longer matters. The real question then is how you ensure that water comes out of the tap again and electricity comes out of the socket to meet the basic needs and to protect the residents.'
Cyber crisis management
When he resigns as mayor on 31 March, he will take a few weeks off, after which he will devote renewed energy to his PhD research. As an external PhD candidate, he is investigating how local governments can deal with a cyber crisis. 'The conclusion so far is that cyber crisis management is still in its infancy. A lot is happening at national and international level, but too little attention is paid to the practical question of how to manage a cyber crisis at a local level. There are all kinds of procedures and protocols, but when does an incident become a crisis? When does it require something special?'
He compares that moment, from incident to crisis, to a garden hose that springs loose from the coupling and flies in all directions. Two months after the hack on Lochem, he was called by the Ministry of Justice and Security, which has a standard data link with municipalities, because of the issuing of the certificate of good conduct (VOG). 'They wanted to know if there was anything wrong with us, because of the hack. On the one hand, you could say that they were there on time, but on the other hand, they were the only party that came back to it, while at the time we had around 170 standard connections.' He believes that too little attention is paid to this chain dependency. 'Who is the captain of the crisis ship?'
Threat
Van 't Erve answers cheerfully and routinely, until the conversation turns to the reason why he declined a third term as mayor. This is partly due to threats to his family from the criminal circuit. He emphasizes that the bucket was already quite full before that and that this was not the drop that made it overflow. 'There is a major challenge to govern this country well. Polarization, disinformation and undermining do not make it any easier. As a society, we must try to maintain the democratic constitutional state. The political culture is slowly shifting. We must not forget that in every municipality there are people who have volunteered to govern the municipality. We should be grateful to those municipal councilors. C'est le ton qui fait la musique and I do not like the tone of the moment. What Xi Jinping does in China with Taiwan, Putin with Ukraine or Trump with Greenland, revolves around the law of the strongest. But in our polder country we have understood long ago that everything we want to tackle requires cooperation and looking further.'
Digital autonomy
It is a small step from the threats to the democratic constitutional state to the power of the tech companies that support the global bullies. Van 't Erve is optimistic that the Netherlands can take a different direction. 'What would happen if the European municipalities decided together to put their data in their own data center somewhere in Europe? Then you could suddenly create a new piece of the market. Not on the scale of Amazon or Microsoft, but you could take a relevant step. We can simply achieve that.'
His hope is that in the Dutch Digitalization Strategy, fundamental choices will be made for all governments about digital autonomy. 'And once we have made the choice, we will have to bear it together. Our system administrators will save us if a real crisis comes. Forget the hierarchy, because preparing for a crisis is all about cooperation. But we are good at cooperation in the Netherlands.' They will miss him, there in Lochem.
iBestuur 54, April 2025
This is the English translation, following this post: https://www.linkedin.com/posts/svterve_ik-ben-vereerd-dat-ik-verkozen-ben-tot-it-activity-7321260035982909440-uFg5?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAL1jbkBxNdv1spheU6BPHKLVFT6bMfY4to