"Cybercrime is industrially scalable, but resilience is not yet." This is one of the key strategic themes for the Netherlands’ digital security, both today and in years to come, according to the Cyber Security Stategy Netherlands 2022 - 2028 (NLCS).
In May, the Digital Trust Center (DTC) announced that it was optimistic about the potential of security.txt as a standard. A quick survey by the DTC among public and private organisations in the field of cybersecurity regarding the utility of security.txt revealed broad support. Cybersecurity experts agree that this relatively simple measure can provide a scalable solution for sharing threat intelligence with companies that could become the victims of a cyberattack due to a vulnerability.
The importance of security.txt
Security.txt is a text file containing the contact details of the IT manager of a company or organisation. Because this file is stored in an agreed location on a web server, security researchers, ethical hackers or threat intelligence distributors such as the DTC can immediately report any security issues to the right person or department. This enables companies and organisations to take steps to prevent or limit the damage, and in turn benefits security across the whole business community.
Benefits and disadvantages
Organisations that exchange threat information also recommend the use of security.txt. The DTC has experienced first-hand that the reporting process could be made more efficient when sharing threat information with the business community.
Publishing email addresses in a location that is publicly accessible can lead to abuses, such as phishing or commercial spam. But cybersecurity experts agree that the risk of additional spam outweighs the risk of a missed security warning.
Recommended standard
The new internet standard is documented in RFC 9116 amd is currently being reviewed by the Standardisation Forum. This organisation will decide whether open ICT standards will become mandatory across central government. The results of the expert study are expected next spring.
The Internet Standards Platform, the organisation behind Internet.nl, has already been working on security.txt. A new test item for security.txt has been added to the website test on Internet.nl in close collaboration with the DTC. This test item checks whether the security.txt file is present and can be read.
An appeal to use security.txt
Together with a large number of ambassadors, the DTC wishes to promote the use of security.txt by companies and IT service providers. This simple security measure can significantly improve the exchange of threat information, and therefore the resilience of the Dutch business community too. Various communication tools to promote the use of security.txt are available in the security.txt Toolkit.