I am called Marnix, but my official given names are actually Mari Antonius Cornelis Dekker. I was born in Rotterdam, in 1976, just 8 minutes before my twin sister Leontien Dekker, who is a theologist. My father is Kees Dekker, a retired meteorologist, born in Brielle in 1946, and my mother is Ria Kreischer, born in Schiedam in 1946.
I have been working in computer security and #cybersecurity as it is now called, since 2003. Currently I work at ENISA, the EU’s Cybersecurity agency, where I coordinate the activities under the new EU directive on Network and Information Security, working with Commission, EU Member states and private sector to improve the resilience of the EU’s critical sectors.
Before joining ENISA, from 2015 to 2017, I was at the European Commission, supporting the CISO (the role CISO has since been changed to IT security director), responsible for setting IT security strategy and policy, and liaising between the IT security organization and senior management.
From 2010 to 2015 I was also worked for ENISA before joining the Commission. In that period I was leading the work on cloud security and security breach reporting legislation for the EU’s telecom sector.
Prior to that I worked at KPMG in The Hague as a Senior Consultant. In that period worked as IT architect at the Dutch ministry of Interior to work to design the interfaces and protocols of the Dutch national online electronic identity/authentication system, DIGID, the backbone of the Dutch e-government. Subsequently I developed the protocols for version 1.0 of e-Recognition, the online identity/authentication system for business-to-government transactions. At KPMG I also did several projects in audit, quality assurance, due dilligence, and I obtained the Certified Information System Auditor (CISA) qualification.
I started working in IT in 2002, as a computer programmer in a small Italian software company in Pisa. Before that I had mostly done teaching work: Software trainer in companies, science teacher in different university faculties and a university college. During a break in my studies I worked for 1.5 years as a sailor in the North Sea offshore industry.
In terms of academic background: In 2009 I obtained my PhD degree in Computer Security, with a PhD thesis in distributed access control. I also have a Master’s degree in Theoretical Physics from the University of Utrecht. My Master thesis was in Quantum physics (decoherence).
My Linkedin profile has some more details.
About this website
This is a personal blog. The views expressed here are my own, based on professional experience working in the cybersecurity field. They do not necessarily reflect those of my current employer or my past employers, and my blogposts are not necessarily directly related to what I am working on at the moment for my employers.
On this site you can find blogs about computer security, network and information security, slides from past talks, past interviews, some articles I wrote for magazines, some of my academic publications and the start of a infosec tutorial for starters in this field.
About my cybersecurity work
To avoid misunderstandings I want to clarify that the work that I do in cybersecurity is not about creating a safe society, where no crime happens. The term cybersecurity, and the name of my employer (a cybersecurity agency) might suggest that I am some kind of police officer, but that is really not the case.
In my work, and this is the case for most of my colleagues in the cybersecurity community, for example cryptographers, security architects, vulnerability researchers, etc. we try make sure that the computer systems and information technology is ‘secure’, meaning that it works as you would expect it to work, that it is trustable and reliable, for the user. It might help to make an analogy with roads. My job is to make the roads secure, so that everyone can safely and quickly go from A to B. Inevitably good and secure roads are also used by bank robbers. You can indeed meet ‘bad’ people on good roads. But catching those ‘bad’ people is, in my view, a matter for the police, and not something for us, the people trying to make the road secure.
In fact I am very much against mass-surveillance, data retention (the practice of storing telephone call logs) and the monitoring of online behavior, because it severely erodes our privacy and ultimately leads to a controlled society whose people are not free; their actions always monitored and scrutinized. Just imagine implanting a voice recorder in every baby as soon as they can speak. Our thoughts and minds and actions should be free. And they can only be free if they are not monitored and private. The prosecution of crimes is something for the police to do, ex-post, and not for technology companies to block and prevent, ex-ante. Technology companies should not be forced to keep records of everything we do (data retention). Also the European Court of Justice ruled this kind of approach violates the Code of Human Rights.
I hate to break the news, but crime will always happen and we can not and should want to strive for a zero-crime society. The vast majority of the people do good and try to do good most of the time. Not because they have to, or because of laws, but because they want to. If you like to divide the world in good guys and bad guys, you should go work in a Hollywood film studio, or write a fairy tale. People who think that society should be free of ‘crime’ and devoid of ‘criminals’ have a naive view of politics, laws, and society. They are also forgetting our (sometimes terrible) history. Thank goodness most people are breaking the laws and thank goodness that it was possible for our ancestors to break the law. Otherwise we would not be where we are now. Our history, in Europe and in the USA, is one of revolutions and fights for independence, for recognition, for legal changes, and so on. There is a great article by the cryptographer Moxie Marlinspike called “We should all have something to hide”. Moxie, by the way, developed the state-of-the-art cryptography that is behind the messaging apps Whatsapp and Signal. Countless symbols of humanity, Mandela, Martin Luther King, to name a few, had to break laws to change society for the better. It is naive and dangerous to think that we can take that away and still have freedom and progress.
Indeed I also believe that any monitoring of the movements, conversations and actions of citizens should be restricted to those few cases that are warranted by a judge, based on evidence of a past or ongoing crime, or a based on a reasonable suspicion that a crime will be committed. Everyone else should be free and our actions not tracked. The world is not a crime scene. We are not prisoners nor suspects in some large crime investigation. I believe that finding the balance between freedom and control, in an age of rapid technological advancements, is one of the big challenges of our present time.
And I agree with Bruce Schneier’s point of view on our ability of humans and society to do risk management: I hope that people will soon realize that our (often irrational) fear of media hyped phenomena like terrorism is in fact counter-productive, costly and not abated by giving up privacy and freedom. We should more worry about driving a car. Mass-surveillance will not prevent terrorism or crime, but give our governments, and commercial companies, a dangerous amount of control over us, the people. And it would be very unwise to let that continue. Benjamin Franklin, the founding father of the USA, often called the First American, wisely said “Those that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.”
For me usability and security are closely related and they almost always go hand-in-hand. Consider the design of the water tap in your shower, as an analogy: the hot water knob is always right, the cold one always left. This way you can pick the right one blindly – even with soap in your eyes. This for me is security: The system does exactly what you expect it to do. And nothing else. It is clear how it operates and you do not need manuals or technical knowledge.
Safety is a related but fundamentally different concept. Using the analogy of the water tap again: Safety would be a valve limiting the hot water to below 40 degrees Celcius, so you can’t ever get burned. So in some settings security and safety could even be at odds. Kids know this by experience: Safety caps on toxic bottles are impossible to open. For kids at least. But for everyone else it is a bit of fumbling (and actually goes against usability). Another controversial topic is back doors in cryptography. Some politicians may (unwisely) argue that they need access to encrypted communications for to guarantee our safety. Such crypto back doors would go against all principles of information security and in fact break and reduce the security of systems or communications.
I believe many cybersecurity problems are due to insecure computer systems. Computer system not doing what they are supposed to be doing and/or doing things they are not supposed to be doing. Take email. Simply opening an email can put your entire PC, all your family photos, and your bank account at risk. Not to mention your family, friends, colleagues, etc. Instead of just opening the email, your PC has started to do many other things you did not ask for and did not want. In fact I often find myself blaming technology and rarely the user. I see too many in my field who point the finger at the “dumb” user. I would blame the technology for having even basic sandboxes to make sure every email can be opened “safely”.
And last but not least: I see new technology trends, such as cloud computing, smartphones, app stores, social media as major opportunities for improving cyber security, as solutions. And I think it is wrong to view new technology as a threat or a risk. I do understand that after many years of working with insecure technology many of my colleagues have become skeptical over the years, expecting more of the same, but I think it is important to recognize and appreciate the improved security features of new technology. I hate it when people say that software will always have bugs. 🙂