A Peek Behind the Scenes of Project ‘Melissa’

In October 2023, several parties signed a remarkable collaborative venture. The Public Prosecution Service, the National Cyber Security Centre, the police and the interest group Cyberveilig Nederland, among others, collaborate with several private parties, including Kennedy Van der Laan, in the fight against ransomware and cyberattacks. They do so under the name ‘Project Melissa’. Petra Oldengarm, the director of Cyberveilig Nederland (Cyber Secure Netherlands), gives us a peek behind the screens of this collaboration and explains what organisations can do themselves to increase their digital resilience. “The early detection of incidents is very important. This tends to be overlooked”.

Melissa is a name that catches the eye and will attract almost anyone’s attention. The parties that sat down together decided to name the project after this ‘lady’ especially because of the interesting anecdote attached to it. “During a two-day session in a hotel near Utrecht, we found out that several partners were negotiating with the same person, who introduced herself as Melissa. She worked at a kind of telephone helpdesk,” says Petra Oldengarm. They have never been able to detect who this ‘Melissa’ really is, but in the session concerned, information was dug up that helped the police in their investigations. “This is exactly the reason why we founded ‘Melissa’, Oldengarm says.

The sector organisation, with over one hundred members, collaborates with Kennedy Van der Laan, the Public Prosecution Service and the National Cyber Security Centre in the project. The objective of ‘Melissa’ is to share knowledge and expertise around ransomware incidents and to learn from each other. Oldengarm: “The interest of making the Netherlands cyber-resilient comes first. All parties have committed themselves to this goal. Naturally, commercial interests also play a role, but the main incentive is what we call the greater good.”

Oldengarm explains what makes it is so special that this is a public-private collaboration. “Of course, the sharing of data as we do is only possible on strict conditions. You cannot just disclose and compare everything, especially in this kind of very sensitive issues. But as we started looking at it with met Rosalie Brand – Partner Cybersecurity at Kennedy Van der Laan – it appeared that more was possible than we thought.
Together with Rosalie and lawyers of the other participants, we established the legal framework, allowing us to collaborate in good and effective ways.” The project could only start properly after this had been done, and it was made public last October. “The stakes of such a public-private collaboration are high”, says Oldengarm. “Companies and governmental organizations all own part of the information available. By bringing these several flows of information together, we can lay the puzzle to arrive at solutions.” It is also a matter of give and take. “Cyber security companies can definitely use the things they hear at our sessions to their advantage. But it is equally important for them to contribute their own information, so that other parties can also learn from of it. It works both ways. That is what we agreed with each other.”

At the meetings, the participants give each other presentations and discuss current cases in the field of ransomware-related incidents. All this happens in strict confidence, Oldengarm says. Of course, any leak of information must be prevented at all costs. “Sometimes the police involves us in current investigations. There have been a few large police operations in the past eighteen months in which Melissa participants were involved. We were able to make quite a lot of impact there.”

The prevention of ransomware attacks or mitigating the consequences of such attacks play a large role within ‘Melissa’. For companies and organisations that are confronted with such attacks, the financial consequences may be incalculable. Oldengarm mentions a recent example of an important operation that has potentially prevented great distress. “One of our participants discovered that a specific ransomware family named ‘Cactus’ used a particular method for breaking in. It then turned out that other participants saw a similar pattern. Via our network, we then had a scan made of the vulnerability of organisations in both the Netherlands and abroad.” Oldengarm describes how this project managed to warn a great number of the organisations that were scanned in time. “They could either prevent falling victim to the attack, or the attack was still at an early stage, so that the damage could be limited.”

Every year, the National Cyber Security Centre issues a threat assessment in which developments and trends in the field of cyber security and resilience are mapped out. As the 2024 edition is in the making at the time of writing, not much can be said about it yet, but Oldengarm observes that a number of trends will persist. Oldengarm: “We have been noticing for quite some time that ransomware attacks pose a threat to national security, which is an important motive for our collaboration. But this is not the only thing that cybercriminals do. We also see increasing numbers of CEO fraud – fake payment requests to employees that appear to come from a CEO – and WhatsApp fraud, by which swindlers try to wheedle WhatsApp users out of money. And then there is DDoS attacks, of course. Another ever-greater threat comes from state actors, who are spying out of economic interest more often. These are countries with an offensive cyber program that targets the Western world directly.”

Also in the legal field there is lots to come, as the director of Cyberveilig Nederland well knows. The NIS2 Directive, the successor of the current Network and Information Systems Directive (‘NIS’), is best known. This Brussels-made Directive is currently being converted into national legislation, and will be named the ‘Cyber Security Act’ in the Netherlands. The NIS2 dictates that many more enterprises than before should secure themselves, and that they can claim help from the government to do so. This new legislation now covers 8,000 vital businesses and organisations, says Oldengarm. “The law will also apply to local governments such as municipalities and to more companies in vital sectors, such as the food chain.”

She expects that digital resilience will increase as a result of this broader scope of legislation. “There is a whole list of conditions one has to meet, which makes it a lot more concrete than the NIS. And the scope is special too. Unlike before, you have to ensure as a company and organisation that your suppliers in the chain are also 'safe'. That requires drastic action.” Oldengarm says that organisations can do a lot to improve their own digital resilience. “The NIS2 Directive lists all kinds of measures to prevent incidents. But what it does not mention – and this has rather surprised me – is the early detection of incidents. Ideally, you want to identify incidents at an early stage. The sooner you detect an incident, the bigger the chance that you can prevent large damage.” She thinks that big investments into such detection are a must. “This tends to be overlooked, also from a European perspective.”

Everyone in the cyber security sector is now curious about what the new cabinet will do. Oldengarm has read the outline coalition agreement: “I think that the efforts for adequate cyber resilience will remain intact. Cutbacks are hitting other sectors in particular."

On the other hand, she does think that more investments are needed. Cyberveilig Nederland already appealed for this to the previous cabinet. “But then again, when it comes to money, of course it's never enough. In any case, I am glad that there is more attention for this dossier in politics, especially in Parliament, and hopefully this will lead to sufficient attention for this dossier in the future."