I am called Marnix, but my official given names are actually Mari Antonius Cornelis Dekker. I was born in Rotterdam, in 1976, just 8 minutes before my twin sister Leontien Dekker, who is a theologist. My father is Kees Dekker, a retired meteorologist, born in Brielle in 1946, and my mother is Ria Kreischer, born in Schiedam in 1946.
I have been working in computer security and #cybersecurity as it is now called, since 2003. Currently I work at ENISA, the EU’s Cybersecurity agency, where I coordinate the activities under the new EU directive on Network and Information Security, working with Commission, EU Member states and private sector to improve the resilience of the EU’s critical sectors.
Before joining ENISA, from 2015 to 2017, I was at the European Commission, supporting the IT security director (formerly called CISO of the Commission), developing the corporate IT security strategy and policy.
I was also worked for ENISA before joining the Commission, from 2010 to 2015. In that period I was leading the work on cloud security and security breach reporting legislation for the EU’s telecom sector.
Before that I worked at KPMG in The Hague as a Senior Consultant. In that period I was seconded to the Dutch ministry of Interior to work to design the interfaces and protocols of the Dutch national online electronic identity/authentication system, DIGID, the backbone of the Dutch e-government. In that period I also developed the first version of e-Recognition, the online identity/authentication system for business-to-government transactions. At KPMG I also did several projects in quality assurance, due dilligence and audit, and I obtained the Certified Information System Auditor (CISA) qualification.
In 2009 I obtained my PhD degree in Computer Security, with a PhD thesis in distributed access control. I also have a Master’s degree in Theoretical Physics from the University of Utrecht. My Master thesis was in Quantum physics.
I started working in IT in 2002, as a computer programmer in a small Italian software company in Pisa. Before that I worked as a sailor in the North Sea offshore industry and as a science teacher in university.
My Linkedin profile has more details.
About this website
Disclaimer: This is a personal blog. The views expressed here are my own, based on professional experience working in the cybersecurity field. They do not necessarily reflect those of my current employer or my past employers.
On this site you can find blogs about computer security, network and information security, slides from past talks, past interviews, some articles I wrote for magazines, some of my academic publications and the start of a infosec tutorial for starters in this field.
To avoid misunderstandings I want to clarify that the work that I do in cybersecurity is not about creating a safe society, where no crime happens. The term cybersecurity, and the name of my employer (a cybersecurity agency) might suggest that I am some kind of police officer, but that is really not the case. In my work, and this is the case for most of my colleagues in the cybersecurity community, we try make sure that the computer systems and information technology is ‘secure’, meaning that it works as you would expect it to work. It is trustable and reliable. Even if you are not very technical, even if you have ‘bad’ intentions. It might help to make an analogy with roads. My job is to make the roads secure, so that everyone can safely and quickly go from A to B. Inevitably good and secure roads can also used by bank robbers, rapists and pedophiles. You can indeed also meet ‘bad’ people on good roads. But catching those people is, in my view, a matter for the police, and not something for us, the people trying to make the road secure.
In fact I am very much against mass-surveillance, data retention (the practice of storing telephone call logs) and the monitoring of online behavior, because it severely erodes our privacy and ultimately leads to a controlled society whose people are not free. Their actions are always monitored and analyzed for consequences. Just imagine implanting a voice recorder in every baby as soon as they can speak. Our thoughts and minds and actions should be free. And they can only be free if they are not monitored and private. The prosecution of crimes is something for the police to do, ex-post, and not for technology companies to block and prevent, ex-ante. Technology companies should not be forced to keep records of everything we do (data retention). Unfortunately this is the case currently. So we have some work to do.
I hate to break the news but crime will always happen and we can not and should want to strive for a zero-crime society. The vast majority of the people do good and try to do good most of the time. Not because they have to, or because of laws, but because they want to. If you like to divide the world in good guys and bad guys, you should go work in a Hollywood film studio, or write a fairy tale. People who think that society should be free of ‘crime’ and devoid of ‘criminals’ have a naive view of politics, laws, and society. They are also forgetting our (sometimes terrible) history. Thank goodness most people are breaking the laws and thank goodness people are law-breakers. If we weren’t we would not be where we are now, and we would be in a terrible state. There is a great article by the cryptographer Moxie Marlinspike called “We should all have something to hide”. Moxie, by the way, developed the state-of-the-art cryptography that is behind the messaging apps Whatsapp and Signal. Countless symbols of humanity, Mandela, Martin Luther King, to name a few, had to break laws to change society for the better. It is naive to think that we can take that away and still have freedom and progress.
Indeed I also believe that any monitoring of the movements, conversations and actions of citizens should be restricted to those few cases that are warranted by a judge, based on evidence of a past or ongoing crime, or a based on a reasonable suspicion that a crime will be committed. Everyone else should be free and our actions not tracked. The world is not a crime scene. We are not prisoners nor suspects in some large crime investigation. I believe that finding the balance between freedom and control, in an age of rapid technological advancements, is one of the big challenges of our present time. And I hope that people will soon realize that our (often irrational) fear of media hyped phenomena like terrorism is in fact counter-productive, costly and not abated by giving up privacy and freedom. Mass-surveillance will not prevent terrorism or crime but give our governments a dangerous amount of control over us, the people. And it would be very unwise to let that continue. Benjamin Franklin, the founding father of the USA, often called the First American, wisely said “Those that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.”
For me usability and security are closely related and they almost always go hand-in-hand. Consider the design of the water tap in your shower, as an analogy: the hot water knob is always right, the cold one always left. This way you can pick the right one blindly – even with soap in your eyes. This for me is security: The system does exactly what you expect it to do. And nothing else. It is clear how it operates and you do not need manuals or technical knowledge.
Safety is a related but fundamentally different concept. Using the analogy of the water tap again: Safety would be a valve limiting the hot water to below 40 degrees Celcius, so you can’t ever get burned. So in some settings security and safety could even be at odds. Kids know this by experience: Safety caps on toxic bottles are impossible to open. For kids at least. But for everyone else it is a bit of fumbling (and actually goes against usability). Another controversial topic is back doors in cryptography. Some politicians may (unwisely) argue that they need access to encrypted communications for to guarantee our safety. Such crypto back doors would go against all principles of information security and in fact break and reduce the security of systems or communications.
I believe many cybersecurity problems are due to insecure computer systems. Computer system not doing what they are supposed to be doing and/or doing things they are not supposed to be doing. Take email. Simply opening an email can put your entire PC, all your family photos, and your bank account at risk. Not to mention your family, friends, colleagues, etc. Instead of just opening the email, your PC has started to do many other things you did not ask for and did not want. In fact I often find myself blaming technology and rarely the user. I see too many in my field who point the finger at the “dumb” user. I would blame the technology for having even basic sandboxes to make sure every email can be opened “safely”.
And last but not least: I see new technology trends, such as cloud computing, smartphones, app stores, social media as major opportunities for improving cyber security, as solutions. And I think it is wrong to view new technology as a threat or a risk. I do understand that after many years of working with insecure technology many of my colleagues have become skeptical over the years, expecting more of the same, but I think it is important to recognize and appreciate the improved security features of new technology. I hate it when people say that software will always have bugs. 🙂