Cyber Attacks

Spy vs. ‘Spy’

The Atlantic Alliance has been through many upheavals in its 65-odd years. Since June this year the revelations from Edward Snowden on the communications surveillance practices of the National Security Agency have placed the whole idea of ‘alliance’ in a new light. PRISM, XKeyscore, Special Collection Service. Merkel’s mobile. US embassies revealed as data-gathering vacuum-cleaners. Germany and France lining up against the US to demand that it back off.

And the Netherlands?

Last weekend the NRC produced the first items from Edward Snowden concerning NSA data-collection from Dutch communication channels. The Netherlands has been on the NSA list for “targeting, collecting, or processing” of its communications since 1946, with an uncertain end date (the stated ‘1968’ is almost certainly too early). Outrage from expected quarters (PvdA, SP, D66), while the government remained calm, and others such as the Hague Centre for Strategic Studies’ Rob de Wijk remained “completely unimpressed”. Indonesia, New Guinea – of course the Americans listened in. More revelations from Snowden’s database are definitely on the way.

There are two sides to this story, which has been brewing for a while. The first is the predictable, critical one. The Rutte government has consistently refused to criticize the American eavesdropping, instead hiding behind the EU and staying clear of Hollande and Merkel. In mid-October Interior Minister Ronald Plasterk even said in parliament that he did not mind NSA surveillance of Dutch citizens because “they could also be fanatical terrorists.” He tried to deny this the next day via Twitter, but instead came out with a contradictory “The US is not allowed to spy on Dutch citizens, but if they discover terrorists here then a signal is welcome” (another example of why ministers should stay away from Twitter). Less than a week later, after Tweakers revealed that metadata from 1.8m Dutch phone calls in December 2012 – January 2013 had been collected by the NSA, Plasterk was tougher – the US was using double standards, since it was easier for them to collect data on non-Americans than on Americans. He claimed to be in regular contact with NSA chief Keith Alexander about this. Parliament, unimpressed, first called on the CTIVD to investigate AIVD and MIVD activities concerning the exchange of information with foreign services (report expected in January), and then followed the Germans and voted in favour of Alexander Pechtold’s D66 motion for a ‘no-spy treaty’ in early November. Even Rutte seems in favour, but he remains tight-lipped on the whole affair.

In short, a poor show. The government seems mildly upset about possible NSA activities in the Netherlands, no more than that. But then there is the other, more interesting side to the story. For the past few years the AIVD has taken every opportunity to highlight the snooping of foreign intelligence agencies on Dutch soil, with special reference to the Russians, Chinese, and Iranians. All of a sudden it looked like the Americans should also be on the list – how much did the AIVD know? Or were they not part of the show themselves? Plasterk informed parliament in late October that any attempt to gather information in the Netherlands by a foreign service must go via the AIVD to stay within the law. On the same day the news broke that while US embassies were used as locations for the NSA’s Special Collection Service, this did not include The Hague (or Brussels). The report tellingly remarks that either there was no interest, or “the Americans have access to telephone traffic in another way.”

Eibergen

This is the clue. Another look at the news items over the past five months starts to reveal a different pattern. Already in early July an NRC report included several salient details:

1) The Netherlands is the location of the Amsterdam Information Exchange (AMS-IX), the second-largest transit point for international internet traffic. A perfect site for ‘tapping’ information. In September the Pirate Party’s Dirk Poot added that AMS-IX is going to open an affiliate in the US, placing the system under the regulations of the Patriot Act and the Foreign Intelligence Surveillance Act (FISA): “Unless AMS-IX has a watertight legal defense, the chance is therefore large that the NSA will pretty soon have easy access to the Dutch and European internet traffic that travels via AMS-IX.” Interesting decision – while countries like Brazil are looking to bypass the US as the central node for global internet traffic, the Netherlands looks to burrow in deeper.

2) The undersea internet cable by Katwijk is a vital communications channel and of potentially great interest to the NSA.

3) The Ministry of Defence has contracted the Israeli firm NICE Systems for communications surveillance, to the tune of 17m Euro.

4) The Netherlands is the base for the SWIFT data system for international banking transactions, which in 2006 was revealed to be tracked by the CIA.

Intelligence and Security Law

To this list can be added the news from September that the MIVD and AIVD are establishing a new apparatus, the Joint SIGINT Cyber Unit. Previously known as Project Symbolon, it will be operational in 2014. This despite the fact that the legal basis for the Unit does not yet exist, because the WIV (Intelligence and Security Law) of 2002 does not sanction the extraction of information from “cable-based telecommunications.” The CTIVD apparently knew this was coming for two years, but failed to inform parliament.

What to draw from all this?

The (unsurprising) conclusion that the Netherlands, thanks to its infrastructure and long Cold War history of (intelligence) cooperation with the US, is (almost) part of the inner circle when it comes to the US-orientated global surveillance networks. The policy of the Dutch government is to maintain that position as far as possible. This continues to be a cornerstone of Dutch security policy. The mild response to the NSA revelations from the political leadership is at least more honest, in this respect, than the flapping around of the Germans and the French.

The NRC, eager to follow up its earlier Wikileaks scoops as the paper of choice for Snowden security leaks, ran another story last weekend on how the Dutch mission to Uruzgan from 2006-2011 – and the provision of communication data by the MIVD’s surveillance base at Eibergen – resulted in the Netherlands entering the sublime world of the ‘Five Eyes’ inner circle. The moral of the story – as all security commentators have been saying since the AIVD budget came under threat – is that if you have nothing to trade, you are worthless in the world of intelligence. The Uruzgan story is only further confirmation that the Dutch services – and the Dutch government – strive to maintain as effective a working relationship as possible with their American counterparts. Even the NRC journalists, wanting to generate scandal (and so sell papers), seemed to admit this at the end of their article. It’s business as usual, guys.

It also puts the recent demands for Dutch participation in international security missions in a slightly new light.

Mali or bust, I reckon.

Cyber forces heat up the Crimean ‘Cold War’: Will our ‘dykes’ hold out?

There’s no escaping the growing tensions in Ukraine. A conflict on many levels has taken a violent, military turn. The digital dimension took center stage during previous conflicts involving Russia in the former Soviet space, such as with Estonia and Georgia: these conflicts are also referred to as representing the birth of cyberwar. Consequently, they have played a key role in the formation of the current cyber doctrines and the digital forces in the U.S. and in this country.

Russia and Ukraine have long been front-runners in cyberwar and cybercrime activities. It is, given the current tensions – especially with the earlier digital escalation of Moscow’s political disputes with Tbilisi and Tallinn in mind – therefore very likely that cyber-battles are already raging. Yet the cyber dimension has so far been virtually absent from the reporting to date. With the current logic of cyber warfare as a key conflict domain, and given the capabilities of these two cyber heavyweights, something should be going on. That could mean one of two things: either cyber conflict falls through the cracks of the news cycle, or there is simply no cyber dimension, at least for the moment.

Cyber War

What can be learned after further investigation is that actual cyber-attacks are occurring, but don’t yet seem to be in full effect. U.S. military researchers at the U.S. Army Cyber Command view current events as a sophisticated build-up towards a knockout. The question for the Netherlands is whether the cyber conflict will spread. The power struggle between Kiev and Moscow may develop further, yet both parties seem to have no appetite for old-fashioned, all-out war. It’s the digital dimension that offers a path, alongside the diplomatic maneuvering, for targeted operations to hurt opponents.

Current indications point to Anonymous operations responsible for temporarily knocking out Ukrainian and Russian government websites and leaking documents in an attempt to embarrass Putin. Simultaneously, an obscure movement against the new power in Ukraine moves to depict them as Nazis and Fascists. They aim to sabotage the online networks of action groups formed from the Maidan square protests. Spill-over towards the West is already visible from this movement, going under the name Anonymous Ukraine, with attacks on Polish systems.

NATO territory therefore is embroiled in the encounter, albeit on a limited, virtual scale. It is plausible that if the crisis drags on, the operations in the cyber domain may follow a more state-centric and devastating scenario. If they don’t, we’ll have learned something about the control the Kremlin exercises over its hacker population.

NATO territory

In many areas this confrontation will affect innocent bystanders. That might even be you and your infrastructure. Nonetheless, some time to prepare exists. In the cyber domain a rule-of-thumb holds that you don’t need comprehensive security, just sufficient security to out-perform your neighbours. This axiom does not hold up when an Advanced Persistent Threat (APT) enters the equation. Industrial systems run by Supervisory Control and Data Acquisition (SCADA) systems are one example of valuable but vulnerable targets easily exploited and remotely controlled by a well-equipped attacker. When such determined efforts to attack an opponent transpire, they may send shock waves of collateral damage over connected businesses and infrastructures.

It would be more than wise to have an eye on Dutch interests in this risk-filled, continuously changing digital sphere. Many government budgets are kept afloat by the promise of doing something with cyber security, so, quite reasonably, a return on investment for this public money is expected. Primarily, we’d expect the National Coordinator for Counter-Terrorism and Security (NCTV) to inform of threats and coordinate a response, in this case by means of the cyber watchdog, the National Cyber Security Centrum. However, the current level of advice has not moved beyond airing concerns over getting a supported Windows version. Yet their mission statement reads that providing security advice to governmental bodies and vital industries is a priority. Dutch society may wonder what insurance that gives when a sudden escalation takes place. Who, actually, is vitally important enough to hear about it in time?

Perhaps the Netherlands can take solace in that its NATO involvement guards against invasive action. Then again, the ambitiously-phrased Dutch cyber programme has only just gone operational. A symbolic declaration of war by pro-Russian hackers has not been met by a response from NATO – this remains outside of NATO competences. To this day, in crisis situations an institutional ‘see no evil, hear no evil’ mode of operations seems to prevail. National and, even more so, multinational organizations are left to their own devices.

Our banks have already felt the effects of sophisticated malware employed by rogue actors from Eastern Europe, operating with near-immunity from their respective governments as long as they don’t damage national interests. When the notorious Russian Business Network is deployed against our ‘digital dykes’ in a swooping offensive against Western resources, is the latest version of Windows going to protect our assets? Virtually all industries stand to make great losses in both tangible and intangible currencies. Information gives knowledge, knowledge gives power, but when the former is taken away only blind and futile resistance remains.

Therefore the ‘dykes’ will have to be monitored by private efforts. Better yet, build your own dyke, and scale it in accordance with realistic levels of risk. Prevention is key, but you need Situational Awareness to take appropriate measures tailored to your context. It’s the twenty-first century, and temperatures and sea levels are rising. Don’t wait until the boiling point for any alarms to ring.

The Crimean Cyber-Troubles Ramp Up

The intensified Crimean crisis has seen cyber-warfare as one of its main drivers. Dozens of networks in the Ukraine are infected, government systems among them, with malicious software that secretly performs surveillance, sustains privileged access to networks and databases and may even opt to shut systems down altogether. Alongside this advanced malware, DoS and DDoS attacks continue to overwhelm servers hosting public and governmental platforms. Confirmed reports claim Ukrainian Members of Parliament have had their mobile phones disabled due to IP-based attacks. More disturbing is that attacks that have not been registered yet are posing the biggest threats.

IP Based Attacks

Forensic analysis of the malware now known as Snake provides indications that its source is near Moscow, owing to instances of Russian language and a time stamp deduced from its programming. This many-headed monster previously surfaced in successful attacks on military systems in the U.S. Its signature has since been listed in antivirus software. Despite receiving a status of notoriety and having been discussed in Foreign Affairs magazine under its referral name Agent BTZ, the makers have been able to elude protective measures by bringing in new components. As we speculated in the previous post, in the Russian Federation professional cyber criminals apparently act as mercenary forces supporting the Kremlin by directing their malware tools to Ukrainian systems.

‘Cyber-intervention’

The cyber-aggression is not entirely one-sided, given that Anonymous #OpRussia continues to leak state documents. The Americans will actively monitor the impact of the Snake. In private circles they may even welcome a further escalation, all the while watching and learning what the intentions and capabilities of Putin’s henchmen are. Quite plausibly, the NSA will be directed to employ its book of tricks, and this time vis-à-vis a sizeable and worthy opponent.

Cyber Crime

Meanwhile, NATO is posturing. A partnership with Ukraine that included exchanges of cyber security practices would make NATO a player that is privy to inside information. Dutch Defense minister Hennis-Plasschaert recently stated NATO was close to including cyber-attacks within the territory of member-states as an Article 5 casus belli. Facts on the ground show Lithuania is being hit hard by attacks attributed to Snake, meaning that a cyber-intervention shouldn’t be too far away. Yet this is obviously not going to happen. Even if it were somehow possible to jump in the middle of that arena, nothing could be done short of physical destruction of Russian hardware.

‘Everyone more exposed’

In such a stalemate, the risks for Western Europe escalate. Measures, if only symbolic, will need to be taken and NATO may get its way with an emboldened mandate to patrol the cyber domain. U.S. military and financial dominance within the organization will provide a blueprint as to what can be expected. In short, NSA’s monitors will return, and this time they’ll bring an invite.

Beyond what effect such a move may have in terms of privacy and civil liberties, it will obscure the information security market. When a small selection of vendors are privy to critical information about security issues, which under the guise of Official Secrets Acts cannot be shared, it will hinder the security community from becoming sufficiently knowledgeable. Sharing attack vectors, best practices and lessons learned is the fuel for our security engine, and hence, our security.

But all may not be lost. Not yet, anyway. There is more to it than hoarding information. An information overload generally results in a lack of clear intelligence on which to act. In crisis situations one should not be mesmerized by the snake’s eyes while it’s constricting your room for maneuver to crush you. Therefore, make sure to monitor your systems, upkeep patching and keep your ear to the ground, but don’t miss the chance to be proactive in activating your organizational landscape. Preparation is key. Contact your security vendors on how they plan to deal with the Crimea issues, keep in touch with your supply chain and partner organizations on whether anything out of the ordinary occurs, and even lobby your political representative to fill this gap in national security.

All these actions may help close the information gap: not sharing the information is not a matter of policy or bad intentions, but a habit.

Your organization will definitely be at a disadvantage when it is multinational, since cyber defense is molded in the frame of nation states. In this case you may be at the mercy of NATO’s blue helmets. And don’t forget about the NSA, you won’t find a more attentive listener.