‘The Netherlands’ most powerful nerd’ has a new title: TU Delft alumnus of the year. Ronald Prins, co-founder and technical director of Fox-IT, has become a Dutch celebrity thanks to his cybersecurity expertise. His company keeps state secrets safe and hacks major companies to test their digital resilience. But, in his view, the internet is no panacea. “If the internet fails, we have no plan B.”
You are alumnus of the year and will be the first to join the TU Delft wall of fame. Happy about that?
“It is a surprise and something that makes me proud. I have obviously done something right. But I never felt myself to be an amazing student. It took me eight years to graduate. I was up to other things: listening in on the police and cracking software packages. I deliberately lived on the 14th floor in Ronald Holstlaan, because at that height I could hang my antennae from the balustrade. I could intercept half the country from there.”
Were you a diligent student?
“Not at all. I often spent the whole night listening to the police scanner. I had minimal contact with other students and never joined any associations. I had a completely different network. My girlfriend already had a job and I spent a lot of time on my hobby. When I heard strange beeps on the frequency band, I realised: this is interesting, an observation team is trying to hide here. It made it easy for me to sound them out. Their secret is not so much what they say, but who they are following.”
As a student in your 2CV, you were already trailing a van to see who they were following?
“I had a Honda Civic. And they did not have a van. Sometimes it was twelve cars and a helicopter. That is what fascinates me: secrets happen on the street every day and people have no idea about it. I find it exciting trying to get them out into the open. Once I was caught. Although they did not like what I did, it helped keep them on their toes. If I could do it, with no ulterior motives, criminals were capable of it too. This also proved to be the case when I later worked at the predecessor to the NFI (Netherlands Forensic Institute, Ed.). Criminals had big lists of police number plates. As a student, I used to collect that information for fun, but at the NFI, I found out that they have a whole team working to prevent it.”
It sounds like you made a career of your hobby. Would that have been possible without studying at TU Delft?
“To hack effectively, you do not necessarily need a degree. At Fox-IT, we have a lot of guys like that. It’s a shame that you need a university degree to work at other companies in this field. Of course, you do need academics. Customers want well-written reports and we need to be able to communicate with the world outside. But you also need a few gifted amateurs. The main thing I learnt at Delft was to think methodically and analytically. You also develop a common language.”
Would you ever want to be a professor?
“Possibly, but not with too much focus on the technology. What fascinates me now is the public governance aspect of cybersecurity. In the summer, I am going to Harvard, to attend a summer school on cybersecurity and policy-making. As a government, how do you get to grips with the digital world? That is what interests me now. For example, the amendment to the information and security services act is just a single point solution. You need to have much bigger agendas. Currently, we are merely tinkering. The world is changing and we are just modifying existing solutions slightly. Perhaps what you really need is a genuinely rigorous approach. It would make a good subject for a doctorate. But, knowing me, I probably lack the discipline required.”
Can the university world keep pace with the internet world?
“It amazes me how often the government turns to the universities when they face a security issue. But it’s very much an empirical field. It’s difficult to set up a lab and simulate a situation in which North Korea is hacking Sony. But in some areas, the academic world is making real progress. TU Delft, for example, is doing excellent work on quantum cryptography. It will be a building block that will benefit us a lot. But I have also had students in tears, guys working here part-time and determined to specialise in a totally sound and academically worthy field. But the professor blocks it and suggests something really theoretical instead. This is not Leiden. You have Fox-IT on the other side of the motorway, make use of it.”
You are always talking about guys. Are there no girls?
“Very occasionally, but they are often very unsure about what they want. Perhaps they are more interested in having a social life.”
Is that not possible if you work for Fox-IT?
“Of course, but many guys opt to work through the night on major projects. They stay on site, ending up at a hotel. They just don’t want to stop. That is what hackers are like. When you are working on a problem, you lie awake at night thinking about it. You’d be better off at your keyboard.”
What idea was it that made you launch Fox-IT in 1999?
“I used to play squash a lot with Menno, my partner and good friend. He suggested starting up a business. We had no well-crafted business plan, but we wanted to focus on forensic research. We taught the police how to conduct digital investigations and gave lessons to journalists. Running training courses is perfect for a start-up – you have few overheads and there’s cash flow straight away. The police then approached us, asking if we could help secure their data. That’s how we began to build up security expertise.”
Do you sometimes see start-ups at YesDelft that interest you?
“I earned a bit of money from the takeover of Fox-IT (in 2015, by British company NCC Group, Ed.) and am considering which start-ups I could become involved in. I have to admit it is extremely difficult deciding which one is likely to succeed. I also find it difficult to identify the secret of Fox-IT’s success. We did what the market was asking for. As we were starting out, the dot-com bubble burst. That made security important.”
In the media, you are often outlining doomsday scenarios, of hackers opening up sluices, for example. Do your warnings have an effect?
“I see them as realistic scenarios. We conduct penetration tests at sluices and they always work. Slowly I am starting to see things change, although whether this is because of my warnings, I have no idea. Perhaps it is realistic that people only take action when something goes wrong. There is also such a thing as too much security. The main point is how dependent we are becoming on the internet. This is not a really serious security issue in the sense that the Iranian government may suddenly disconnect us. But if the power suddenly fails, and the internet crashes, we will discover that we rely on the digital world and have no plan B.”
What could plan B be?
“Still having flows of funds in cash. If the internet crashes, it is no longer possible to bank electronically or pay for your shopping. Motorway camera systems will no longer work, bringing the country to a standstill. We secure the communications at embassies. I notice that the Germans still have large radio antennae sitting on the roofs. This means they have back-up in a crisis. We have cut all of that, even at Defence. If the internet stops working, we will be in trouble. We have to carefully think about that, or at least accept the risk we are taking.”
Another risk of a digital society is the undermining of our privacy by online surveillance.
“Currently, all kinds of bad guys are breaching our privacy. I would prefer to see the government given more space to take control online. Of course, there need to be proper safeguards to prevent the government actually breaching our privacy. There are lots of scare stories about it. In fact, the police have no interest in tapping the man in the street.”
As a citizen, how do you know what the government is up to?
“Citizens need to know what governments are capable of digitally, what resources they have to encroach on people’s privacy and when they are used. The government needs to be transparent about it, as do the security services. But it is crazy that I keep having to come and explain why it is important for the AIVD (General Intelligence and Security Service) to have more powers. Why don’t they do that themselves?”
How far should these powers go?
“I feel that there should be a balance between people’s freedom and the technology that the government can deploy. Technology can make you so powerful that citizens no longer even have a chance to make the odd mistake. We must not have a situation in which every breach of the law is automatically prosecuted. That would be like living in a police state. There always needs to be room for leeway and room for people’s own responsibilities.”
Ronald Prins graduated in 1995. After studying, he joined the judicial laboratory, the forerunner to the Dutch Forensic Institute. There, he conducted digital investigations, domestically and abroad. In 1998, he moved to the Homeland Security Service (now the AIVD) where he exerted a lot of influence on the development of the Information and Security Services Act, which was ultimately enforced in 2002 and is currently being amended in the Council of State. In 1999, he and his partner Menno van der Marel founded Fox-IT. The company’s work includes online security testing and digital forensics. It also secures state secrets and government communications. Fox-IT was acquired for EUR 133 million by the British NCC Group in 2015. Prins and Van der Marel continue to manage the company. Prins focuses on external communications, often appearing as an expert in the media. He is married with four sons.