The Atlantic Alliance has been through many upheavals in its 65-odd years. Since June this year the revelations from Edward Snowden on the communications surveillance practices of the National Security Agency have placed the whole idea of ‘alliance’ in a new light. PRISM, XKeyscore, Special Collection Service. Merkel’s mobile. US embassies revealed as data-gathering vacuum-cleaners. Germany and France lining up against the US to demand that it back off.
And the Netherlands?
Last weekend the NRC produced the first items from Edward Snowden concerning NSA data-collection from Dutch communication channels. The Netherlands has been on the NSA list for “targeting, collecting, or processing” of its communications since 1946, with an uncertain end date (the stated ’1968′ is almost certainly too early). Outrage from expected quarters (PvdA, SP, D 66), while the government remained calm, and others such as the Hague Centre for Strategic Studies’ Rob de Wijk remained “completely unimpressed”. Indonesia, New Guinea – of course the Americans listened in. More revelations from Snowden’s database are definitely on the way.
There are two sides to this story, which has been brewing for a while. The first is the predictable, critical one. The Rutte government has consistently refused to criticize the American eavesdropping, instead hiding behind the EU and staying clear of Hollande and Merkel. In mid-October Interior Minister Ronald Plasterk even said in parliament that he did not mind NSA surveillance of Dutch citizens because “they could also be fanatical terrorists.” He tried to deny this the next day via Twitter, but instead came out with a contradictory “The US is not allowed to spy on Dutch citizens, but if they discover terrorists here then a signal is welcome” (another example of why ministers should stay away from Twitter). Less than a week later, after Tweakers revealed that metadata from 1.8m Dutch phone calls in December 2012 – January 2013 had been collected by the NSA, Plasterk was tougher – the US was using double standards, since it was easier for them to collect data on non-Americans that Americans. He claimed to be in regular contact with NSA chief Keith Alexander about this. Parliament, unimpressed, first called on the CTIVD to investigate AIVD and MIVD activities concerning the exchange of information with foreign services (report expected in January), and then followed the Germans and voted in favour of Alexander Pechtold’s D66 motion for a ‘no-spy treaty‘ in early November. Even Rutte seems in favour, but he remains tight-lipped on the whole affair.
In short, a poor show. The government seems mildly upset about possible NSA activities in the Netherlands, no more than that. But then there is the other, more interesting side to the story. For the past few years the AIVD has taken every opportunity to highlight the snooping of foreign intelligence agencies on Dutch soil, with special reference to the Russians, Chinese, and Iranians. All of a sudden it looked like the Americans should also be on the list – how much did the AIVD know? Or were they not part of the show themselves? Plasterk informed parliament in late October that any attempt to gather information in the Netherlands by a foreign service must go via the AIVD to stay within the law. On the same day the news broke that while US embassies were used as locations for the NSA’s Special Collection Service, this did not include The Hague (or Brussels). The report tellingly remarks that either there was no interest, or “the Americans have access to telephone traffic in another way.”
This is the clue. Another look at the news items over the past five months starts to reveal a different pattern. Already in early July an NRC report included several salient details:
1) The Netherlands is the location of the Amsterdam Information Exchange (AMS-IX), the second-largest transit point for international internet traffic. A perfect site for ‘tapping’ information. In September the Pirate Party’s Dirk Poot added that AMS-IX is going to open an affiliate in the US, placing the system under the regulations of the Patriot Act and the Foreign Intelligence Surveillance Act (FISA): “Unless AMS-IX has a watertight legal defense, the chance is therefore large that the NSA will pretty soon have easy access to the Dutch and European internet traffic that travels via AMS-IX.” Interesting decision – while countries like Brazil are looking to bypass the US as the central node for global internet traffic, the Netherlands looks to burrow in deeper.
2) The undersea internet cable by Katwijk is a vital communications channel and of potentially great interest to the NSA.
3) The Ministry of Defence has contracted the Israeli firm NICE Systems for communications surveillance, to the tune of 17m Euro.
4) The Netherlands is the base for the SWIFT data system for international banking transactions, which in 2006 was revealed to be tracked by the CIA.
To this list can be added the news from September that the MIVD and AIVD are establishing a new apparatus, the Joint SIGINT Cyber Unit. Previously known as Project Symbolon, it will be operational in 2014. This despite the fact that the legal basis for the Unit does not yet exist, because the WIV (Intelligence and Security Law) of 2002 does not sanction the extraction of information from “cable-based telecommunications.” The CTIVD apparently knew this was coming for two years, but failed to inform parliament.
What to draw from all this?
The (unsurprising) conclusion that the Netherlands, thanks to its infrastructure and long Cold War history of (intelligence) cooperation with the US, is (almost) part of the inner circle when it comes to the US-orientated global surveillance networks. The policy of the Dutch government is to maintain that position as far as possible. This continues to be a cornerstone of Dutch security policy. The mild response to the NSA revelations from the political leadership is at least more honest, in this respect, than the flapping around of the Germans and the French.
The NRC, eager to follow up its earlier Wikileaks scoops as the paper of choice for Snowden security leaks, ran another story last weekend on how the Dutch mission to Uruzgan from 2006-2011 – and the provision of communication data by the MIVD’s surveillance base at Eibergen – resulted in the Netherlands entering the sublime world of the ‘Five Eyes’ inner circle. The morale of the story – as all security commentators have been saying since the AIVD budget came under threat – is that if you have nothing to trade, you are worthless in the world of intelligence. The Uruzgan story is only further confirmation that the Dutch services – and the Dutch government – strive to maintain as effective a working relationship as possible with their American counterparts. Even the NRC journalists, wanting to generate scandal (and so sell papers), seemed to admit this at the end of their article. Its business as usual, guys.
It also puts the recent demands for Dutch participation in international security missions in a slightly new light.
Mali or bust, I reckon.…
Oversight of the intelligence services is now the big topic. While half the population apparently expects their phones to be tapped, politics is finally starting to rumble on the issue. Its been a long time coming.
Back in January 2001 Dutch Defence Minister Frank de Grave informed parliament that the United States would soon be able to collect data from everything, including cable communications. That was before 9/11. The events of that September morning only multiplied a thousandfold the determination of the US intelligence apparatus to avoid anything similar again – an understandable reaction. But to succeed, they also needed the cooperation of allied services for data, information, sources, access. Nothing strange here: Madrid, London, van Gogh, there were enough threats and enough foiled plots to cooperate.
Yet it pretty soon went in extreme directions. Invading Iraq based on fake evidence. Abu Ghraib. Guantanamo. Rendition. Security at what price? And was this even about security at all, or was the US itself going rogue? Twelve years on and the surveillance practices of the NSA look more sinister than safety-first.
Code-breaking and surveillance has been going on for centuries, but what is different now is the scale. The problem is that collecting everything does not mean preventing every threat from becoming a reality. What does this actually produce? Who checks this? Most would be in favor of an effective intelligence/security service, but we also need to see effective oversight from both the government and the parliament. The services are still part of the apparatus of the state, and the state should be democratically accountable.
These days, few people seem to have good words for the AIVD. Leadership problems, awkward relations with the political masters at the Ministry of Interior. Unable to present itself and what it does in an effective way. Defensive. The MIVD, smaller and better at staying out of the headlines, gets more respect. How the two work together in the future is a crucial issue for Dutch security. The recently-created Joint Cyber-Security Unit, with over 300 personnel drawn from both services, is a potential step forward, but its the NCIV that is driving this, and its too early to tell if its a real paradigm shift. Both services have been through a difficult year of budget cuts, in particular the AIVD, which at one point faced the end of its international role.
One way forward would be that the MIVD becomes the international service and the AIVD the domestic, as it was before 2002 with the BVD. It is difficult to change institutional cultures like this. But keeping the AIVD’s international role means introducing cuts elsewhere, and now we have the Minister of the Interior Ronald Plasterk saying that less attention will be given to security for governmental communications. This is no solution either.
Lack of effective oversight is now the main issue. Last weekend the NRC, with its Dutch Snowden Series now up and running, focused on the AIVD’s practice of targeting suspect websites and collecting data on all the users, while the 2002 Intelligence and Security Law (WIV) only permits gathering data on specific suspects.
The Dessens Committee issued a report on Monday covering the legal basis for the Dutch services. Dessens was set up in line with the long-standing agreement to examine the 2002 law after ten years. Unsurprisingly, the report states that the (WIV), which does not allow for data retrieval from cables, is now inadequate and needs updating. The report balances these extra powers with extra controls from the CTIVD. But the report did not have a mandate to examine exactly what the serves have been doing, or why – it is a document concerned purely with the legal ramifications.
The CTIVD will be issuing its own report at the end of the year, but that will be another missed opportunity. It was supposed to cover how the Dutch services gathered ‘big data’ and what information was being drawn from it on suspects (or otherwise). Instead its aim was altered to cover the ‘specific needs’ of the services. Dessens hardly mentioned the issue of cooperation with foreign services – it remains to be seen how far the CTIVD report will cover it as well.
Beyond that, there is little evidence that the so-called ‘Committee Stiekem’, which keeps the parliamentary party leaders informed, plays any useful role at all.
Not only has the level of political oversight always been poor, but the standard of reporting in the media has not been much better. The collection of big data by the NSA does not refer to eavesdropping, its purely the gathering of telephone numbers, IP-addresses, material from which networks can be mapped. All the attention goes to the AIVD, but the Netherlands really has three services, with the National Signals Intelligence Organisation (NSO), set up in 2007, being the third. Considering its capabilities, the NSO is in many ways the most relevant in the NSA debate. Yet so far Plasterk has received the most criticism, while the Ministry of Defence’s MIVD has been left alone, and hardly anyone ever mentions the Ministry’s responsibility for the NSO.
In fact, the service that actually carries out the most collection of communications data, that tracks the most individuals and that makes the Netherlands one of the most ‘tapped’ countries in general, never gets a mention at all: the National Police. They are not covered by the CTIVD and they are not in the Dessens report either.
To its credit, the Dessens report does also emphasize the need for greater transparency – it recognizes the role of the media in raising issues of concern, and it even promotes the value of historical research on the intelligence and security services. It is to be hoped that at least this aspect will be carried through.…
On 10 December Minister of the Interior Ronald Plasterk presented a National Human Rights Action Plan to parliament. This is a first for the Netherlands, and in doing so it joined a select group of 28 other nations (including, interestingly enough China, Nigeria, and Venezuela). The report – neatly issued on the 65th anniversary of the Universal Declaration of Human Rights – confirms that the HR situation here is pretty solid, and that this provides crucial credibility for the promotion of human rights abroad as a central part of Dutch foreign policy. Nothing unexpected here. Some areas of concern – discrimination in the labour market, information privacy, the treatment of immigrants, violence in the home – but on the whole a clean sheet.
Yet for all the positive, self-reflective motives behind this move, how far does it really go? There are plenty of blind spots. Five days before the report’s publication was the Sint Niklaas celebration, with its ‘harmless’ black peter ribaldry that had attracted the ire of the UN Human Rights Committee’s advisors earlier in the year. This cause celebre brought out the classic Dutch retort to any criticism – ‘We know what we are doing, there is no need to get upset. And if you do get upset, well, you just don’t understand our culture.’ Nice self-defeating exclusionary logic.
Ok, too trivial maybe. But there are more telling examples buried in the past. In June 2012 three prominent Dutch research institutes (Military History, War Holocaust and Genocide Studies, and the KITLV) requested €1.8m for a comprehensive study of the military record during the independence war of Indonesia in 1945-49. The goverment’s reply was negative. One of the MPs who supported the move was Frans Timmermans. A second attempt this year – this time with Timmermans on the government side, as Foreign Minister – resulted in another negative. Timmermans spun his 180 degrees neatly by declaring that there was no support within Indonesia itself for such a potentially disrupting study, and it would upset the existing positive relations between the two nations.
This twin-rejection flies in the face of a gradual, albeit painful opening up on the violence of that war. Foreign Minister Ben Bot had already declared in 2005 that the Netherlands had been “on the wrong side of history” in its attempt to keep the colony. At the end of 2011 the government did apologize for the massacre at Rawagede, where 400 locals were shot in 1947. Details on the excessive use of force are gradually leaking out to reveal not occasional but widespread occurrences.
But for all the well-meaning attitude of the government, there are places in the past and the present that the Human Rights Action Plan won’t reach. With respect to Ben Bot, the Dutch tend to see themselves consistently and firmly on the right side of everything. Anyone who questions this is irrelevant. Or disruptive. Unnecessary. Definitely an outsider. After all, in the end, ‘we know what we are doing’. Just ask that black pete guy.
There’s no escaping the growing tensions in Ukraine. A conflict on many levels has taken a violent, military turn. The digital dimension took center stage during previous conflicts involving Russia in the former Soviet space, such as with Estonia and Georgia: these conflicts are also referred to as representing the birth of cyberwar. Consequently, they have played a key role in the formation of the current cyber doctrines and the digital forces in the U.S. and in this country.
Russia and Ukraine have long been front-runners in cyberwar and cybercrime activities. It is, given the current tensions – especially with the earlier digital escalation of Moscow’s political disputes with Tbilisi and Tallinn in mind – therefore very likely that cyber-battles are already raging. Yet the cyber dimension has so far been virtually absent from the reporting to date. With the current logic of cyber warfare as a key conflict domain, and given the capabilities of these two cyber heavyweights, something should be going on. That could mean one of two things: either cyber conflict falls through the cracks of the news cycle, or there is simply no cyber dimension, at least for the moment.
What can be learned after further investigation is that actual cyber-attacks are occurring, but don’t yet seem to be in full effect. U.S. military researchers at the U.S. Army Cyber ??Command view current events as a sophisticated build-up towards a knock out. The question for the Netherlands is whether the cyber conflict will spread. The power struggle between Kiev and Moscow may develop further, yet both parties seem to have no appetite for old-fashioned, all-out war. Its the digital dimension that offers a path, alongside the diplomatic maneuvering, for targeted operations to hurt opponents.
Current indications point to Anonymous operations responsible for temporarily knocking out Ukrainian and Russian government websites and leaking documents in an attempt to embarrass Putin. Simultaneously, an obscure movement against the new power in Ukraine moves to depict them as Nazi’s and Fascist’s. They aim to sabotage the online networks of action groups formed from the Maidan square protests. Spill-over towards the West is already visible from this movement, going under the name Anonymous Ukraine, with attacks on Polish systems.
NATO territory therefore is embroiled in the encounter, albeit on a limited, virtual scale. It is plausible that if the crisis drags on, the operations in the cyber domain may follow a more state-centric and devastating scenario. If they don’t, we’ll have learned something about the control the Kremlin exercises over its hacker population.
In many areas this confrontation will affect innocent bystanders. That might even be you and your infrastructure. Nonetheless, some time to prepare exists. In the cyber domain a rule-of-thumb holds that you don’t need comprehensive security, just sufficient security to out-perform your neighbours. This axiom does not hold up when an Advanced Persistent Threat (APT) enters the equation. Industrial systems processed by Supervisory Control and Data Acquisition systems (SCADAs) are one example of valuable but vulnerable targets easily exploited and remotely controlled by a well-equipped attacker. When such determined efforts to attack an opponent transpire, it may sent shock waves of collateral damage over connected businesses and infrastructures.
It would be more than wise to have an eye on Dutch interests in this risk-filled, continuously changing digital sphere. Many government budgets are kept afloat by the promise of doing something with cyber security, so, quite reasonably, a return on investment for this public money is expected. Primarily, we’d expect the National Coordinator for Counter-Terrorism and Security (NCTV) to inform of threats and coordinate a response, in this case by means of the cyber watchdog, the National Cyber Security Centrum. However, the current level of advice has not moved beyond airing concerns over getting a supported Windows version. Yet their mission statement reads that providing security advice to governmental bodies and vital industries is a priority. Dutch society may wonder what insurance that gives when a sudden escalation takes place. Who, actually, is vitally important enough to hear about it in time?
Perhaps the Netherlands can take solace in that its NATO involvement guards against invasive action. Then again, the ambitiously-phrased Dutch cyber programme has only just gone operational. A symbolic declaration of war by pro-Russian hackers has not been met by a response from NATO – this remains outside of NATO competences. To this day, in crisis situations an institutional ‘see no evil, hear no evil’ mode of operations seems to prevail. National and, even more so, multinational organizations are left to their own devices.
Our banks have already felt the effects of sophisticated malware employed by rogue actors from Eastern Europe, operating with near-immunity from their respective governments as long as they don’t damage national interests. When the notorious Russian Business Network is deployed against our ‘digital dykes’ in a swooping offensive against Western resources, is the latest version of Windows going to protect our assets? Virtually all industries stand to make great losses in both tangible and intangible currencies. Information gives knowledge, knowledge gives power, but when the former is taken away only blind and futile resistance remains.
Therefore the ‘dykes’ will have to be monitored by private efforts. Better yet, build your own dyke, and scale it in accordance with realistic levels of risk. Prevention is key, but you need Situational Awareness to take appropriate measures tailored to your context. It’s the twenty-first century, and temperatures and sea levels are rising. Don’t wait until the boiling point for any alarms to ring.…
The intensified Crimean crisis has seen cyber-warfare as one of its main drivers. Dozens of networks in the Ukraine are infected, government systems among them, with malicious software that secretly performs surveillance, sustains privileged access to networks and databases and may even opt to shut systems down altogether. Alongside this advanced of malware, DoS and DDoS attacks continue to overwhelm servers hosting public and governmental platforms. Confirmed reports claim Ukrainian Members of Parliament have had their mobile phones disabled due to IP-based attacks. More disturbing is that attacks that have not been registered yet are posing the biggest threats.
Forensic analysis of the malware now known as Snake provides indications that the source destination is near Moscow, owing to instances of Russian language and a time stamp deduced from its programming. This many-headed monster previously surfaced in successful attacks on military systems in the U.S. Its signature has since been listed in antivirus software. Despite receiving a status of notoriety and having been discussed in Foreign Affairs magazine under its referral name Agent BTZ, the makers have been able to elude protective measures by bringing in new components. As we speculated in the previous post, in the Russian Federation professional cyber criminals apparently act as mercenary forces supporting the Kremlin by directing their malware tools to Ukrainian systems.
The cyber-aggression is not entirely one-sided, given that Anonymous #OpRussia continues to leak state documents. The Americans will actively monitor the impact of the Snake. In private circles they may even welcome a further escalation, all the while watching and learning what the intentions and capabilities of Putin’s henchmen are. Quite plausibly, the NSA will be directed to employ its book of tricks, and this time vis-à-vis a sizeable and worthy opponent.
Meanwhile, NATO is posturing. A partnership with Ukraine that included exchanges of cyber security practices would make NATO a player that is privy to inside information. Dutch Defense minister Hennis – Plasschaert recently stated NATO was close to including cyber-attacks within the territory of member-states as an Article 5 casus belli. Facts on the ground show Lithuania is being hit hard by attacks attributed to Snake, meaning that a cyber-intervention shouldn’t be too far away. Yet this is obviously not going to happen. Even it were somehow possible to jump in the middle of that arena, nothing could be done short of physical destruction of Russian hardware.
‘Everyone more exposed’
In such a stalemate, the risks for Western Europe escalate. Measures, if only symbolic, will need to be taken and NATO may get its way with an emboldened mandate to patrol the cyber domain. U.S. military and financial dominance within the organization will provide a blueprint as to what can be expected. In short, NSA’s monitors will return, and this time they’ll bring an invite.
Beyond what effect such a move may have in terms of privacy and civil liberties, it will negatively obfuscate the information security market. When a small selection of vendors are privy to critical information about security issues, which under the guise of Official Secret Acts cannot be shared, it will hinder the security community from becoming sufficiently knowledgeable. Sharing attack vectors, best-practices and lessons learned are the fuel for our security engine, and hence, our security.
But all may not be lost. Not yet, anyway. There is more to it than hoarding information. An information overload generally results in a lack of clear intelligence on which to act. In crisis situations one should not be mesmerized by the snake’s eyes while it’s constricting your room for maneuver to crush you. Therefore, make sure to monitor your systems, upkeep patching and keep your ear to the ground, but don’t miss the chance to be proactive in activating your organizational landscape. Preparation is key. Contact your security vendors on how they plan to deal with the Crimea issues, keep in touch with your supply chain and partner organizations on whether anything out of the ordinary occurs, and even lobby your political representative to fill this gap in national security.
All these actions may help close the information gap: not sharing the information is not a matter of policy or bad intentions, but a habit.
Your organization will definitely be at a disadvantage when it is multinational, since cyber defense is molded in the frame of nation states. In this case you may be at the mercy of NATO’s blue helmets. And don’t forget about the NSA, you won’t find a more attentive listener.…