The Hague Municipality’s Council, Monday 30th of September 2019 at 10:25 AM. On this location 3 years ago, the idea for the first edition of this event was established. Today, as chairman I have the pleasure to initiate its third edition, Hâck The Hague 2019. For the third year in a row, the municipality of The Hague and Cybersprint are working together to test the digital security of the city along with its inhabitants.
The room where normally weekly debates are held by the major, legislators and council members is now filled with 79 hackers ready for their briefing. Right after the briefing, they will be searching for ‘code injections’, ‘open directories’, ‘cross-site scriptings’ and other vulnerabilities in the IT systems of The Hague Municipality. Successful hackers will be rewarded with a cash prize along with an entrée ticket to One Conference; the municipality and inhabitants will be rewarded with information security and privacy.
It all started in May 2017 with a request made by councilmember Daniel Scheper, asking for the public to hack the municipality. After a riot in the local media, this call-to-action led to the council decision made on 20th of June 2017 to organise a hacking event. On 29 September 2017 this initiative became a reality, although back then the event was still named “Mystery Bug Bounty The Hague”.
Club Mate in the Town Hall of The Hague
The name of the event is not the only thing that has changed. The event has grown significantly in the past 3 years – from 40 hackers and 3 findings in 2017 to 29 hackers and 107 findings in 2019. However, what remains unchanged is the image of the hackers – sitting at black tables in the middle of the large white hall, shrouded by the specially made Hâck The Hague hoodies. The same goes for the stacked crates with Club Mate and tables filled with snacks. In the meantime, the service the municipality provide to the citizens of the Hague continue.
‘Are you scared they will find something?’
Since 2018, the new CISO of the municipality, Jeroen Schipper, has involved many suppliers in this event. Some of them are dismissive, but Jeroen knows how to work around it by asking “Oh, are you scared they will find something? So, when does your contract end again…?”. There are also other suppliers who are very curious to see what the hackers find. The names of the participating suppliers will not be mentioned. “It’s not about naming & shaming, but about the security of applications that have the name ‘Municipality of The Hague’ attached to it” says Jeroen.
During Hâck The Hague 2019, a supplier explains that a discovered bug had immediately been fixed. “Can we already update the application, so that the hackers can test out the new version too?” they asked. The organisation had no problem with that whatsoever. The hackers also tend to find other vulnerabilities that are outside the scope of HTH. A wonderful bycatch while bug hunting. I understand why the council member in charge of IT, Saskia Bruines, wants all suppliers to participate in Hâck The Hague 2021.
The organisation is a mixed collective of civil servants, entrepreneurs who’ve turned their ethical hacking activities into businesses, and event & communication people. In the ‘controlroom’ above you find Team Lead IT security Peter van Eijk and his team of security civil servants. Adjacent to them you find Chantal Stekelenburg with her colleagues from Zerocopter working hard on the triage via their platform. The people of the co-organiser, Cybersprint, can be found everywhere: the registration booth, talking to journalists and on the main floor with the hackers. In the jury, you find Jeroen representing the municipality and Pieter Jansen, CEO of Cybersprint, representing his company. There are always additional independent members of the jury as well.
Without hackers there would not be a Hâck The Hague. Some of them are attending for the first time. Seasoned hackers like Wesley Neelen en Rik van Duyn have participated multiple times and have been rewarded prizes several times. In 2018, Peter Geissler – a.k.a Bl4sty – helped the organisation when he asked about an IP-address in the rules. “When I needed to announce the right IP-address, it turned out it were the addresses of the hackers themselves, while there were already a lot of vulnerabilities found, like an open filesharing system. WTF?!” It seems hackers also have vulnerabilities. That year Peter received the awards for ‘Most Creative’ and ‘Most Impactful Hack’ for vulnerabilities he discovered in the IT systems of The Hague.
Hâck The Hague has been postponed to 2021, but thankfully there is still a feel of the HTH event on the last Monday of September 2020. At 16:00 I will be a digital chairman of the webinar ‘Hâck The Hague Disclosed’ for about an hour. Together with Jeroen Schipper, Pieter Jansen and Chantal Stekelenburg we will be giving you a behind-the-scenes of Hâck The Hague 2021. We will also be discussing findings from the previous years. In addition, we will also be talking about findings that were not solved (and why) along with the reasons why certain findings take longer to be publicly disclosed.
Will you be joining us? Register for the webinar on Monday 28 September 2020. And I hope to see you on the 27th of September 2021 in the town hall of The Hague during Hâck The Hague 2021.
This is a short version of the chapter ‘Den Haag een stuk veiliger nadat de stad flink gehackt is (The Hague much safer after the city has been severely hacked) from the book ‘Cyberellende was nog nooit zo leuk’ (Cybermisery has never been so much fun’) by Chris van ‘t Hof. The book will be released in December 2020. This chapter is available now to be read (in Dutch).