Essay by Charles S. Viar: “The Dark Art: Intelligence, Counterintelligence, and the Mind of the State” (2009)

Repost of an essay from 2009 by Charles S. Viar (Twitter: @Charles_S_Viar), present chairman of the Center for Intelligence Studies in Washington D.C. (reposted here for layout reasons; in accordance with the copyright notice at the bottom of the essay):


Intelligence, Counterintelligence, and the Mind of the State

Charles S. Viar

Although the origins of intelligence have been lost in the mists of time, the practice is at least as ancient as warfare. In what is perhaps the oldest written reference to an intelligence operation, The Book of Numbers recounts God’s command that Moses dispatch a reconnaissance team to scout the Israelite advance upon the Promised Land:

Send thou men, that they may search the land of Canaan, which I give unto the Children of Israel. Of every tribe of their fathers shall ye send a man, everyone a ruler among them…

Had the Canaanites possessed an effective counterintelligence capability, the story of the Israelite assault might have ended differently. For even a minimal foreknowledge of their intentions and capabilities would have made it possible for the Canaanites to organize a more effective defense. But as may be inferred from the Bible, they failed to detect the operation directed against them.

For that, they paid a fearsome price.


Narrowly defined as “evaluated information,” intelligence is a dynamic process that involves the collection, analysis, and dissemination of data to national policymakers and other government officials of lesser rank. Intelligence serves to forewarn them of likely actions, events, and developments within their sphere of responsibility; and aids in matching available resources to threats and opportunities alike. As such, it is the sine qua non of effective statecraft.

More broadly, intelligence also serves as a force-multiplier. Much as Archimedes Lever makes it possible to magnify mechanical force transmitted across space, covert and clandestine intelligence operations make it possible for states to enhance the power they project beyond their frontiers. History is littered with examples of small and middling states exercising disproportionate influence through the deft application of secret intelligence.

Given the enormous – and occasionally decisive – advantages conferred by effective intelligence in the Great Game of Nations, well-governed states seek to maximize the effectiveness of their own intelligence services and to protect themselves against hostile services deployed against them. Domestic security typically provides one level of defense, and counterintelligence another.


Although counterintelligence has been recognized as an integral component of state security since the Chinese military scholar Sun Tzu published The Art of War in the Fourth or Fifth century BC, the concept remains muddled. For almost two and a half millennia, the term itself has defied definition.

According to James Angleton, the legendary former Chief of CIA Counterintelligence, the term is ineffable. Although Angleton’s Deputy Chief for Operations generally concurred, he believed counterintelligence could nonetheless be described in terms of core functions. Angleton’s Deputy Chief for Analysis, however, disagreed with both. According to Raymond G. Rocca, counterintelligence is self-defined: it applies to any action undertaken to counter, i.e., negate, the efforts of hostile intelligence services.

Having studied under all three of the practitioners listed above, the writer of this paper eventually concluded Rocca’s understanding is more nearly correct; and has since argued that counterintelligence can be best illustrated by contrast. Where counterespionage – or security – seeks to neutralize individual spies and spy rings, counterintelligence attempts to neutralize hostile intelligence services as a whole.


In a more perfect world, intelligence services would aspire to comprehensive coverage of their targets. But in actual practice, physical, organizational, political, and budgetary constraints have traditionally forced them to limit their collection activities to data pertaining to the targeted state’s organization, capabilities, and intentions. More recently, intelligence services have been tasked with gathering financial, economic, and technical data as well; and with the development of remote collection techniques, the amount of raw data collected by major intelligence services has become staggering in both scope and volume.

From a theoretical standpoint, intelligence collection and analysis should not be especially difficult. But given the fact that intelligence services routinely devote a substantial portion of their resources to deception operations designed to deceive their adversaries, the task is far more difficult than it first appears. Tables of organization and orders of battle can be faked, deployment patterns and readiness indicators manipulated, and communications traffic played for purpose. Indeed, almost any sort of intelligence data can be fabricated and fed to foreign intelligence services through sacrificial spies, dangles, false defectors, and dispatched agents.

This inherent vulnerability to hostile deception operations lays bare what Angleton formally referred to as the Epistemological Problem:

Given the fact that foreign intelligence services routinely mount large and carefully crafted deception operations against us, how can we know what we believe to be true is actually so?

In less guarded moments, he called it “That damnable question.”


As intelligence practitioners will attest, it is a damnable question indeed. Nonetheless, there are two solutions to the problem – one partial, the other complete.

The first solution is to look at intelligence data in terms of a jigsaw puzzle extending across time. After fitting together as many of the pieces as possible, one may flag those that are known to be true beyond doubt. Subsequent pieces that fit with those may be presumed true, in the absence of contrary evidence.

Although this approach has considerable merit – including especially the way it facilitates intuitive judgments – the results it generates are both probabilistic and tentative. The likelihood that new data may significantly alter the pattern is high.

In contrast, the second solution can provide definitive answers – but only rarely, when two relatively unlikely events occur simultaneously: 1) a high-level penetration agent confirms the validity of specific intelligence data, and 2) a code break “backstops” the veracity of the confirming agent. In the world of intelligence, certainty depends upon serendipity.

The recruitment of high-level penetration agents is rare, and code breaks are even more so. They occur together perhaps once a decade, and when they do intelligence analysts emerge from their garrets to enjoy a brief moment of clarity. But when the agent is lost or the codes are changed, they are condemned to wander once more through what Angleton termed “The Wilderness of Mirrors” – an Epistemological Hell from which neither truth nor falsehood may be surely obtained.


Determining the validity of intelligence data thus depends in part on recruiting from the enemy’s ranks senior political office holders or high-ranking government officials, and in part upon breaking their codes. But once affected, these unlikely circumstances open a window to other intriguing possibilities – including, specifically, offensive counterintelligence operations designed to penetrate, infiltrate, and suborn the target’s intelligence service in order to play it back against the state it serves. The ultimate goal of such operations is to entice or provoke the targeted state into undertaking ruinous and self-destructive actions.

As Angleton observed, successful politicians and senior government officials are a remarkably homogenous lot. For the most part, they derive from roughly comparable social circumstances and share core formative experiences in common. They attend the same schools – or at least the same types of schools – and are imbued with the same canon. They also hold remarkably similar beliefs and values, and share certain characteristic attitudes regarding the larger world. Together these form something akin to a collective psyche, or what Angleton termed the “Mind of the State.”

If states have minds, they also have states of mind – and as with individuals, it is their state of mind that makes them most vulnerable to deception. For a state of mind is a predisposition to belief or action; and if that predisposition can be accurately gauged, tempting or provoking the targeted decision-makers to ruin becomes a plausible exercise in perception management.


If there is a single failing common to decision-makers throughout history, it is an excessive faith in intelligence. For reasons that remain obscure, decision-makers seem unable or unwilling to grasp the implications of the Epistemological Problem Angleton described. Despite ample warnings, they almost invariably place far more credence in intelligence reports than they deserve; and it is upon this most basic failing that offensive counterintelligence plays.

In The Art of War, Sun Tzu wrote “Supreme excellence is to subdue the enemy without fighting” and argued this end may best be achieved by manipulating the “Golden Threads” of intelligence – that is, the lines of communications that connect agents recruited from within the enemy’s camp to one’s own.  The first Golden Thread may be activated by sacrificing deliberately misinformed low-level agents for capture, dangling double agents for enemy recruitment, and dispatching false defectors to the enemy’s camp. The second is brought into play by querying the agent-in-place to determine how the enemy decision-makers have interpreted the false information they delivered. If the information evokes the intended state of mind, the false message can be reinforced by repeating the process in different ways. If not, it can be modulated until it does.

By these means offensive counterintelligence operations can create a false picture of reality in the minds of targeted decision-makers, much as an artist paints an image upon a sheet of canvass. Brush stroke by brush stroke, the attacking service can exploit the enemy intelligence service it suborned to systematically manipulate the Mind of the State.


The many critics of offensive counterintelligence argue that strategic deception operations of the size and scale suggested above are far too complex and complicated to be practical, as they are doomed to eventually collapse under their own weight. The criticism is true at least in part, but nonetheless disingenuous. Intelligence operations of any sort have a relatively short shelf life; and unless shut down by those who initiated them or uncovered by their intended targets, they will ALL eventually collapse for similar cause.

Perhaps more to the point, modern history is strewn with examples of successful strategic deceptions including the TRUST operation of the 1920’s, which saved the nascent Soviet state from ruin; the Soviet-sponsored WIN operation that forced the United States to abandon its post-war efforts to liberate Eastern Europe; and the Anglo-American deception operation that made possible the successful invasion of Normandy in 1944. All of these operations were conducted in the manner outlined above, and each inflicted massive damage upon the states they targeted.

Unfortunately, the United States abandoned its national counterintelligence capability in December of 1974 – and with it, the ability to mount large-scale strategic deception operations. Redefined and re-envisioned by successive administrations, counterintelligence had been reduced to little more than a security function until the Clinton Administration partially resurrected it after disastrous and overlapping penetrations of the CIA and the FBI were uncovered in the 1990’s. Expanded and reorganized in the aftermath of 9-11, a National Counterintelligence Executive now exists as a semi-autonomous supervisory agency. And yet despite the many long overdue reforms that have been undertaken since 2001, U.S. counterintelligence remains hobbled by an obtuse and legalistic definition, conceptual confusion, tangled jurisdictions, and – above all – by institutional timidity. For while offensive counterintelligence operations are now officially recognized, they remain tightly controlled and rarely sanctioned. They are tactical operations, most often mounted in reprisal.

Despite ample modern precedents, strategic deception operations of the sort advocated by Sun Tzu and refined by Angleton remain beyond the pale. This is unfortunate and – for those that seek to limit the suffering caused by armed conflict – deeply disconcerting.

For in the Great Game of Nations, offensive counterintelligence remains the only plausible means for achieving victory without war. For if only in theory, it is the primary offensive instrument of state.

Published by the Center for Intelligence Studies.
1016 K Street NE. Washington, DC. 20002
202 / 399-0292

Copyright 2009. This paper may be reproduced in part or in whole for civic or educational purposes, provided that context is preserved and full attribution is given


[Dutch] Nederlandse aanpak tegengaan statelijke dreigingen (citaten uit kamerbrief Grapperhaus dd 18 april 2019)

Voor eigen doeleinden (waaronder quick reference) licht ik hieronder de tabel “Aanpak tegengaan statelijke dreigingen” en bijlage van de kamerbrief van Grapperhaus d.d. 18 april 2019 over statelijke dreigingen uit.

1. Tabel: “Aanpak tegengaan statelijke dreigingen”

Aanpak tegengaan statelijke dreigingen
A. Systematiek belangen dreiging weerbaarheid Volgens een vaste systematiek van belangen-dreiging-weerbaarheid wordt bezien welke veiligheidsbelangen beschermd moeten worden, wat de dreiging is vanuit statelijke actoren voor de nationale veiligheid en hoe de weerbaarheid vergroot kan worden. Dit is een constant proces. Hierbij zijn bij uitstek de lidstaten van de EU en NAVO en binnen Nederland meerdere ministeries, lokaal bestuur en private organisaties betrokken. Dat vergt coördinatie en verbinding.
De Minister van Justitie en Veiligheid richt zich, vanuit het perspectief van nationale veiligheid, in samenspraak met andere departementale partners op coördinatie en afstemming tussen de verschillende betrokkenen, verantwoordelijkheden, initiatieven, projecten en informatiestromen.
In deze lijn is onlangs een Taskforce Economische Veiligheid opgericht die in het teken staat van kwetsbaarheden en beheersmaatregelen van het 5G-netwerk.
B. Verbetering informatiepositie Er wordt ingezet op verbetering van de informatiepositie en informatiedeling tussen en met gelijkgestemde partijen, zowel nationaal als internationaal om tijdig zicht te krijgen op en duiden van de (potentiële) dreigingen. Daartoe moet informatie delen gemakkelijker en logischer worden, waardoor een gedeeld normbeeld kan ontstaan.
Waar nodig worden interdepartementale trusted communities ingericht of versterkt.
Werkafspraken rondom specifieke onderwerpen zorgen er voor dat indien nodig informatie snel kan worden gedeeld en handelingsperspectief voor handen is.
Ook in internationaal verband vindt nauwe samenwerking plaats ten aanzien van dreiging en best practices in de aanpak.
Ambassades hebben een belangrijke monitoring- en signaleringsfunctie ter bevordering van het situationeel bewustzijn.
Nederland neemt in EU-verband deel aan het Rapid Alert System, waar direct informatie wordt uitgewisseld in geval van desinformatie campagnes.
In Nederland wordt de civiel-militaire samenwerking geïntensiveerd.
C. Bewustwording & oefenen Bewustwording vormt een belangrijke schakel in het verhogen van de weerbaarheid tegen de dreiging vanuit statelijke actoren.
Er wordt fors ingezet op bewustwording bij onder andere inkopers, ambtenaren, gemeenten, vitale infrastructuur, CEO’s en richting het publiek door middel van bijvoorbeeld bijeenkomsten, voorlichting en communicatiemateriaal. Een voorbeeld hiervan is de bewustwordingscampagne desinformatie die is gestart.
Op nationaal en internationaal niveau wordt geoefend op identificatie van en respons op statelijke dreigingen, mede door het ontwikkelen van en oefenen met scenario’s. Deelname aan oefeningen van NAVO (CMX) en EU (PACE) wordt voortgezet.
D. Integrale kennisontwikkeling Door middel van een integrale onderzoeksagenda en kennisontwikkeling op het gebied van weerbaarheid tegen statelijke dreigingen wordt gezamenlijk kennis opgebouwd.
E. Maatregelen ter verdediging en afschrikking Nederland zet zich ook in voor verdere ontwikkeling van maatregelen ter verdediging en afschrikking.
Diplomatiek: Binnen het responskader heeft het kabinet verschillende diplomatieke instrumenten tot haar beschikking om statelijke dreigingen tegen te gaan.
Ter verdediging van de nationale veiligheid zet Nederland zich, waar mogelijk in samenwerking met internationale partners, in voor verdere ontwikkeling van een effectief diplomatiek responskader, inclusief attributie. Zo kan bij aanvallen van statelijke actoren worden gekozen om tot (publieke) attributie over te gaan.
De aanpak op ongewenste buitenlandse inmenging blijft actueel en verbreed zich naar meerdere landen.
Politieke beïnvloeding wordt tegengegaan door toerusting en bescherming politieke ambtsdragers, een verkenning registratieplicht lobbyisten, veilig verloop van de verkiezingen door het onderkennen van bijzondere signalen, beïnvloeding en desinformatie.
In de Defensienota en het Nationaal Plan zet Defensie in op versterking van capaciteiten oa op het gebied van inlichtingen, cyber en contra-hybrid. In de nieuwe Defensienota zal volgend jaar ingegaan worden op verdere doorontwikkeling ten behoeve van nationale en internationale veiligheid.
F. Economie en Veiligheid Het instrumentarium om onze economische veiligheid te borgen tegen nationale veiligheidsrisico’s moet op orde zijn. Maatwerk, proportionaliteit en aandacht voor de verschillende belangen die spelen zijn daarbij belangrijke uitgangspunten van de aanpak.
Ten aanzien van economische veiligheid wordt onder andere gewerkt aan een uitwerking van een investeringstoets op nationale veiligheidsrisico’s bij overnames en investeringen, aan de ontwikkeling en uitrol van beleid en richtlijnen bij inkoop en aanbesteding bij de overheid en binnen de vitale infrastructuur. Ook wordt gewerkt aan een uitbreiding van de kennisregeling ivm weglekken gevoelige technologie via het academische vlak.
Bij het toetsen van nationale veiligheidsrisico’s wordt gebruik gemaakt van consistente, en technisch up to date zijnde criteria.
G. Digitale aanpak Het kabinet zet middels de Nederlandse Cybersecurity Agenda (NCSA), die in april 2018 aan uw Kamer is verzonden, de Internationale Cyberstrategie en de GBVS, in op een digitaal veilig Nederland. In de aanpak wordt ook rekening gehouden met de invloed van statelijke actoren.
Zo wordt bijvoorbeeld geïnvesteerd in het versterken van de weerbaarheid van digitale processen en een meer robuuste infrastructuur en wordt de digitale slagkracht verder op orde gebracht om te kunnen reageren op de toename van de digitale dreiging en grootschalige cyberincidenten die de nationale veiligheid bedreigen.
In een aparte brief wordt uw Kamer, in samenhang met het CSBN 2019, nog voor de zomer geïnformeerd over de jaarlijkse voortgang van de NCSA.
H. Internationale samenwerking Nederland zet zich in internationaal verband in lijn met de Geïntegreerde Buitenland- en Veiligheidsstrategie in voor:
Goede samenwerking in EU- en NAVO-verband, als ook tussen EU en NAVO, op het gebied van situationeel bewustzijn, weerbaarheid en respons. In EU-verband staan de 22 actiepunten centraal zoals geformuleerd in het Gezamenlijk Kader voor de Bestrijding van Hybride Bedreigingen (2016). In NAVO-verband is de NATO Strategy on NATO’s role in Countering Hybrid Warfare (2015) het leidend kader.
Accurate (internationale) informatiepositie in nauwe samenwerking met internationale partners om informatie uit te wisselen. In EU- en NAVO verband en ad hoc met gelijkgezinde partners.
Het bevorderen van de internationale rechtsorde en een effectief multilateraal systeem op het gebied van statelijke dreigingen. Om de toenemende dreiging het hoofd te bieden zet NL, waar mogelijk en relevant, in op gezamenlijke respons en attributie van operaties.
Geloofwaardige afschrikking tegen statelijke dreigingen in bondgenootschappelijk verband, onder andere in NAVO-verband. In juli 2018 is besloten tot instelling van Counter Hybrid Support Teams (CHST), ofwel NAVO-teams die bondgenoten kunnen adviseren en assisteren rondom hybride dreigingen.
Benutting van het European Centre of Excellence on Countering Hybrid Threats als netwerkorganisatie en platform voor expertiseontwikkeling. Nederland is hier sinds 2018 bij aangesloten.
Verbeterde samenwerking tussen de verschillende EU instellingen om onderwerpen met de noodzakelijke samenhang te adresseren (zoals onder meer desinformatie, verkiezingen, cybersecurity, crisisbeheersing, vitale infrastructuur en buitenlandse overnames).
Met het aantreden van een nieuwe Europese Commissie in 2019 ontstaat een belangrijk momentum om een lans te breken voor een consistentere aanpak op het gebied van interne veiligheid, waaronder statelijke dreigingen.1

1Staat van de Europese Unie 2019, Kamerstuk 35 078, nr. 1.

2. Bijlage: “Accenten van de aanpak statelijke dreigingen”

Bijlage: Accenten van de aanpak statelijke dreigingen

De aanpak rondom het tegengaan van statelijke dreigingen bestaat uit een aantal generieke maatregelen, zoals beschreven in de brief. Gezien de dreiging, de te beschermen belangen en de recente casuïstiek ligt daarnaast het accent van de aanpak de komende periode op de thema’s:

(1) ongewenste buitenlandse inmenging gericht op diaspora, (2) beschermen democratische processen en instituties en (3) economische veiligheid.

Binnen deze thema’s zijn voor een deel al belangrijke stappen gezet en zijn ook weer nieuwe facetten onderkend die een versterkte aanpak behoeven. In deze bijlage treft u de aanpak op deze thema’s aan inclusief uitkomsten ex-ante analyses op economische veiligheid.

1. Ongewenste buitenlandse inmenging gericht op diaspora

Ongewenste buitenlandse inmenging gericht op de diaspora betreft doelbewuste, vaak stelselmatige en in vele gevallen heimelijke activiteiten van statelijke actoren (of actoren die aan statelijke actoren zijn te relateren) in Nederland of gericht op Nederlandse belangen, die door de nagestreefde doelen, de gebruikte middelen of ressorterende effecten het politieke en maatschappelijke systeem kunnen ondergraven. Nederlandse burgers moeten, ongeacht hun achtergrond, in de Nederlandse rechtsstaat in staat zijn om in vrijheid eigen keuzes te maken als het gaat om de inrichting van hun leven, politieke voorkeur en de band met hun land van oorsprong of dat van hun ouders. Contacten vanuit een statelijke actor met Nederlandse burgers dienen op transparante wijze plaats te vinden en op basis van vrijwilligheid en mogen niet leiden tot het exporteren van spanningen naar Nederlands grondgebied of een negatieve invloed op de integratie of de binding met de Nederlandse samenleving.

In het afgelopen jaar zijn verschillende voorbeelden geweest van ongewenste buitenlandse inmenging gericht op diaspora waarover uw Kamer is ingelicht.1 De aanpak op ongewenste buitenlandse inmenging is een generieke – landen neutrale – aanpak waarover uw Kamer eerder is ingelicht.

Betrokken departementen en diensten staan doorlopend in nauw contact om op basis van een gezamenlijke en gestructureerde werkwijze een beeld te vormen en indien nodig te besluiten tot gecoördineerde actie en opschaling. Bij (dreigende) incidenten wordt gebruik gemaakt van een divers instrumentarium. Dit loopt uiteen van monitoren en informeren, tot maatregelen in het kader van de openbare orde en veiligheid. Daarnaast heeft het kabinet verschillende diplomatieke instrumenten, zoals het voeren van een dialoog met landen van zorg of een diplomatieke vertegenwoordiger in Nederland persona non grata verklaren, om ongewenste buitenlandse inmenging tegen te gaan.

Ook zet het kabinet in op maatregelen om de weerbaarheid van betrokken gemeenten en gemeenschappen te verhogen als het gaat om ongewenste buitenlandse inmenging. Het gaat hier zowel om het creëren van bewustwording als het ondersteunen van gemeenten en gemeenschappen bij de ontwikkeling van een handelingsperspectief om ongewenste buitenlandse inmenging die de integratie kunnen belemmeren tegen te gaan.

Ongewenste buitenlandse inmenging blijft een actueel thema (motie Becker2, waarover u voor de zomer wordt geïnformeerd en financiering als modus operandi van statelijke actoren 3), maar ook vanwege ontwikkelingen in andere landen en veranderingen in de migratiestromen. Dit rechtvaardigt een onverminderde inzet op dit onderwerp.

1 Onder meer via de volgende Kamerstukken:

  • –  Beantwoording Kamervragen over het bericht dat de Turkse president Erdogan campagne wil voeren in het buitenland voor de Turkse presidents- en parlementsverkiezingen in juni,TK, vergaderjaar 2017-2018, 2591
  • –  Antwoorden Kamervragen over het bericht ‘Russische trollen ook actief in Nederland’ /ingezonden 7 sept 2018. Kamerstuk nr 14250
  • –  Brief sancties Iran, 8 januari 2019, Tweede Kamer, vergaderjaar 2018–2019, 35 000 V, nr. 56
  • –  Tweede Kamer, vergaderjaar 2018–2019, 32 735, nr. 209
  • –  Beantwoording Kamervragen over het bericht «So werden Erdogan-Kritiker in Deutschland per App denunziert» ) Tweede Kamer, vergaderjaar 2018–2019, Aanhangsel

2  Motie van het lid Becker c.s. over een contrastrategie ten aanzien van ongewenste diasporapolitiek, Tweede Kamer, 30821-56.
Kamerbrief Integrale aanpak Problematisch gedrag en ongewenste buitenlandse financiering van maatschappelijke en religieuze instellingen, Tweede Kamer, 2018-2019, 29614 nr. 108

2. Beschermen democratische processen en instituties

Het tweede accent van de aanpak richt zich op het tegengaan van het ondermijnen van de democratische rechtsstaat door statelijke actoren. Via verschillende maatregelen wordt hier op ingezet:

Tegengaan politieke beïnvloeding door staten Al eerder werd in het kader van ongewenste buitenlandse inmenging aangekondigd dat wordt ingezet op het vergroten van de weerbaarheid van – met name lokale – politieke ambtsdragers. Daarbij richten we ons op twee lijnen, te weten (1) het beschermen van politieke ambtsdragers (hierbij gaat het om het zorgdragen voor de veiligheid en integriteit van politieke ambtsdragers) en (2) het toerusten van politieke ambtsdragers (gericht op het versterken van de kennis, kunde en het handelingsvermogen van politieke ambtsdragers) om ondermijning van de democratische rechtsorde effectief tegen te kunnen gaan. Verder vindt rondom het handelingsvermogen en het verhogen van transparantie in het politiek-bestuurlijke domein een verkenning plaats naar de wenselijkheid en mogelijkheid van een registratieplicht voor lobbyisten. De Verenigde Staten, Australië en Canada, kennen al een dergelijke registratieplicht.

Veilige verkiezingen Acties van statelijke actoren kunnen schade toebrengen aan de politieke en bestuurlijke integriteit wanneer deze onafhankelijke volksvertegenwoordiging, besluitvorming of rechtspraak compromitteert, of wanneer er twijfel is over de vrijheid, eerlijkheid en anonimiteit van verkiezingen. De democratische samenleving komt onder druk te staan, wanneer inmengingsactiviteiten bijdragen aan een gebrek aan acceptatie van de legitimiteit van de overheid of een gebrek aan solidariteit in de samenleving, polarisatie en enclavevorming. Of wanneer intolerantie verspreid wordt en vrijheden beperkt worden. Verschillende departementen en operationele en lokale partners dragen, onder coördinatie van de minister van BZK, tezamen zorg voor veilige verkiezingen vanuit de eigen verantwoordelijkheid. Binnen het Europees verkiezingsnetwerk worden kennis en expertise tussen de lidstaten en de instellingen uitgewisseld. Het kabinet heeft daarbij met name oog voor de onderkenning van bijzondere signalen, ongewenste beïnvloeding en desinformatie.

Tegengaan desinformatie De verspreiding van desinformatie met als doel de democratische rechtsorde te ondermijnen en te destabiliseren is een reële dreiging. Deze dreiging manifesteert zich veelal online. Het kabinet ziet de verspreiding van desinformatie als een probleem waarbij van verschillende partijen in de samenleving gevraagd wordt dat zij hun verantwoordelijkheid nemen, zoals private actoren, de media en wetenschap4. De inzet van het kabinet is daarbij met name gericht op het tegengaan van heimelijke beïnvloeding van de publieke opinie door statelijke actoren (of actoren die aan statelijke actoren zijn te relateren). Belangrijke uitgangspunten voor het kabinet bij het zoeken naar een juiste reactie zijn onder andere dat waarborging van de vrijheid van meningsuiting en vrije pers, democratie en rechtsstaat voorop staan en de focus op campagnes in plaats van individuele nieuwsberichten. Wanneer echter sprake is van een bedreiging van de economische of politieke stabiliteit of nationale veiligheid door inmenging van statelijke of daaraan gelieerde actoren, is een reactie van de overheid gegrond.

In de brede aanpak5 wordt gewerkt aan maatregelen om voorbereid te zijn op desinformatie, signalen te herkennen, deze te duiden, mogelijke proportionele respons te formuleren en indien gewenst uit te voeren zonder afbreuk te doen aan de eerdergenoemde vrijheden. Doordat desinformatie zich veelal online manifesteert, stopt het niet bij de grens. Nederland hecht daarom waarde aan internationale samenwerking en kennisuitwisseling op dit onderwerp. In dat kader verwelkomt Nederland het Europese Actieplan Desinformatie, zoals ook uiteengezet in het BNC-fiche Actieplan Desinformatie (d.d. 25 januari 2019). Een voortvloeisel uit het Actieplan is de Nederlandse deelname in EU-verband aan het Europees Verkiezingsnetwerk en het Rapid Alert System (RAS). In het Europees Verkiezingsnetwerk wordt de overkoepelende aanpak van desinformatie en bescherming van verkiezingen besproken en kennis uitgewisseld tussen lidstaten en EU-instellingen. Het RAS verbindt analisten en beleidsmakers uit EU-lidstaten en de StratCom Taskforces van EDEO om real time informatie uit te wisselen als er sprake is van desinformatiecampagnes. Het Nationaal Crisis Centrum van de NCTV vervult de rol van nationaal Point of Contact voor het RAS, het ministerie van BZK vervult een dergelijke rol voor het Europees verkiezingsnetwerk waarbij alle relevante departementen zijn aangesloten.

4 Kamerbrief van de minister van BZK inzake desinformatie en beïnvloeding verkiezingen (13 december 2018) 5Tweede Kamer, vergaderjaar 2018-2019, 30821, nr 51

Tevens is Nederland lid van de informele ‘International Partnership to Counter State Sponsored Disinformation’ waarin onder meer de VS, het VK, Baltische en Noordse staten vertegenwoordigd zijn. Het partnerschap heeft tot doel analyses en rapportages over de verspreiding van desinformatie te delen en samenwerking richting techbedrijven te faciliteren.

3. Aanpak Economische Veiligheid Een derde accent is gericht op economische veiligheid. Hieronder vindt u de resultaten van de analyse die is uitgevoerd naar kwetsbaarheden in vitale sectoren alsmede de aanvullende beheersmaatregelen die van belang zijn om de risico’s voor de nationale veiligheid op het gebied van economische veiligheid verder te beperken.

Sectorale ex-ante analyses In het Regeerakkoord heeft het kabinet de bescherming van vitale sectoren aangekondigd, na zorgvuldige analyse van risico’s voor nationale veiligheid. In deze analyses is er bijzondere aandacht voor de risico’s als gevolg van veranderende zeggenschap.6 Het doel is om potentiële risico’s voor de nationale veiligheid per vitale sector te identificeren, en om daarbij te bepalen in hoeverre het bestaande instrumentarium van de overheid voldoende waarborgen biedt. In deze brief deel ik de uitkomsten van de sectorale ex-ante analyses met u en daarbij kom ik tegemoet aan de motie-Van den Berg c.s.7 en de motie-Graus.8

Uit de analyses blijkt dat vrijwel alle vitale sectoren op enigerlei wijze beschermd zijn tegen ongewenste zeggenschap. Daarbij is er een divers beeld van de mate en aard van de bescherming. Een aantal sectoren is in overheidshanden. De Nederlandse overheid kan daardoor (mede) bepalen aan wie en onder welke voorwaarden een bedrijf wordt verkocht. Daarbij worden ook nationale veiligheidsbelangen meegewogen. Een aantal sectoren worden beschermd door sectorale wetgeving. Uit de analyse op telecommunicatie blijkt dat in deze sector ongeadresseerde risico’s bij verandering in zeggenschap bestaan. Het kabinet heeft al in een eerder stadium besloten hier direct actie op te nemen en heeft inmiddels een wetsvoorstel over ongewenste zeggenschap in de telecommunicatiesector ter consultatie aangeboden aan uw Kamer9. Conclusies sectorale ex-ante analyses:

  •   De vitale sectoren, de inzet politie, inzet defensie, de nucleaire sector, openbare drinkwatervoorziening, vitale kerende en beherende objecten en de mainports Schiphol en Rotterdam zijn (grotendeels) in handen van de overheid. Voor een groot deel betreft dit kerntaken van de overheid, waarvan de zeggenschap van de overheid niet verandert. De risico’s voor de nationale veiligheid als gevolg van verandering van zeggenschap zijn hier daarom niet van toepassing.
  •   De vitale sector energie is voor wat betreft de transport- en distributienetwerken in handen van de overheid. De energielevering is verspreid over meerdere aanbieders, wat de risico’s verkleint. Daarnaast heeft de Minister van Economische Zaken en Klimaat de taak en bevoegdheid om een eventuele verandering van zeggenschap binnen de gas- en energieproductie te beoordelen.10 De risico’s voor de nationale veiligheid als gevolg van verandering van zeggenschap zijn daarom voldoende beheerst.
  •   De vitale sector telecommunicatie kent nationale veiligheidsrisico’s als gevolg van veranderende zeggenschap, die nog onvoldoende kunnen worden beheerst door wettelijke normen te stellen en daar toezicht op te houden. De risico’s voor de nationale veiligheid als gevolg van verandering van zeggenschap zullen daarom geborgd worden met aanvullende wetgeving.
  •   De vitale sectoren betalingsverkeer en chemie kennen strenge normen, en bijhorend publiek toezicht, om respectievelijk de integriteit van gegevens en de fysieke veiligheid te borgen die de belangrijkste risico’s voor de nationale veiligheid vormen. De risico’s voor de nationale veiligheid worden daarmee voldoende beheerst binnen deze sectoren. Uit de analyses blijkt dat de continuïteit en inzetbaarheid van (vrijwel) alle vitale processen, zowel in handen van overheid als bedrijfsleven, sterk afhankelijk zijn van private ondernemingen die goederen, diensten of technologie leveren. Dat betekent dat er kwetsbaarheden kunnen ontstaan bij aanbesteding en toelevering. Het kabinet neemt daarom de volgende maatregelen. 6 Regeerakkoord ‘Vertrouwen in de toekomst’, paragraaf 2.4. 7 Tweede Kamer, vergaderjaar 2016-2017, 29 826, nr. 84. 8 Tweede Kamer, vergaderjaar 2017-2018, 34 775 XIII, nr. 116. 9 Tweede Kamer, vergaderjaar 2018-2019, 35 153, nr. 5 10 Zie de Elektriciteitswet 1998 en de Gaswet.


A. Oprichting Taskforce Economische Veiligheid

Er is een Taskforce Economische Veiligheid opgericht waarin, onder voorzitterschap van de NCTV, de balans tussen nationale veiligheidsbelangen en economische belangen nader verkend wordt, casuïstiek kan worden besproken en economische en veiligheidsbelangen integraal worden gewogen. Momenteel staat de Taskforce in het teken van de kwetsbaarheid van 5G telecommunicatienetwerken en welke maatregelen nodig zijn om risico’s te beheersen.

B. Betere benutting en aanscherping van huidige wet- en regelgeving ter bescherming van nationale veiligheid

Nederland beschikt over een aantal instrumenten die (beter) kunnen bijdragen aan de bescherming van nationale veiligheidsrisico’s bij private ondernemingen. Het betreft onder meer private juridische beschermingsconstructies, sectorale regelgeving, contractuele afspraken, de Ondernemingskamer en het aanwijzen van vertrouwensfuncties. Het kabinet is bezig met een evaluatie en aanscherping van huidige wet- en regelgeving, zodat deze beter kunnen worden benut.

C. Beschermen van nationale veiligheid bij inkoop en aanbesteding

Het kabinet zal de nationale veiligheidsrisico’s die door de afhankelijkheden kunnen ontstaan verder in kaart brengen en bezien hoe deze mogelijke risico’s bij onder andere inkoop en aanbesteding beheerst kunnen worden. In 2018 is voor veilige inkoop en aanbesteding binnen het rijk een instrumentarium ontwikkeld en ingevoerd door het kabinet. Op dit moment wordt bezien hoe dit ook ingezet kan worden binnen onderdelen van de vitale infrastructuur en mede overheden. Het kabinet gaat daarnaast de mogelijkheid van het neerleggen van nationale veiligheidsrichtlijnen voor het gebruik van producten en diensten binnen de Rijksoverheid, vitale infrastructuur en medeoverheden actiever inzetten. Ook werkt het kabinet in het kader van inkoop en aanbesteding aan de Nationale Cyber Security Agenda (NCSA) aan aanvullende cybersecurity- criteria bij inkoop van eigen ICT-middelen door de overheid. Bij deze eisen zullen ook economische veiligheidsoverwegingen worden meegenomen om de weerbaarheid tegen statelijke actoren te verhogen.

D. Beschermen nationale veiligheid bij overnames en investeringen

In de EU wordt ingezet op een verdere versterking van het samenwerkingsmechanisme op het gebied van buitenlandse investeringen. Enerzijds is er tot een raamwerk besloten voor de toetsing door individuele lidstaten van buitenlandse investeringen aan nationale veiligheid of de openbare orde. Anderzijds faciliteert en verplicht de verordening tot het uitwisselen van informatie tussen lidstaten en de Europese Commissie. De verordening vraagt om het realiseren van een samenwerkingsmechanisme waarvoor ook in Nederland processen voor onder andere informatie- uitwisseling moeten worden ingericht. Het raamwerk legt geen verplichtingen op voor een investeringstoets maar stelt wel kaders voor lidstaten die een toets wensen te implementeren.

Binnen dit Europese kader werkt het kabinet aan een uitwerking van een investeringstoets. Dit is een instrument ‘of last resort’ voor nationale veiligheidsrisico’s waarbinnen ruimte is voor maatwerk. Bestaande sectorale wetgeving zal daarbij het uitgangspunt zijn. Op deze manier krijgen, binnen het Europese kader, ook de nationale beleidswensen over de inhoud en reikwijdte van een breder beschermingsmechanismen plek. In de uitwerking zal gekeken worden naar overkoepelende ‘parapluwetgeving’ waar ook bestaande en toekomstige sectorale wetgeving goed op aangesloten is. Hierbij is het uitgangspunt dat een verbod in het kader van de investeringstoets alleen daar wordt ingezet indien er geen alternatieve effectieve beschermingsmaatregelen voor handen zijn.

Initiatieven die raken aan dit thema Naast deze set aan maatregelen om nationale veiligheidsrisico’s beheersbaar te maken zijn er nog een aantal andere initiatieven die onder andere raken aan dit thema. Hierbij staat de beschikbaarheid van kritische technologie en kennis centraal. Ongewenste kennis- en technologieoverdracht kan plaatsvinden in geval van bijvoorbeeld faillissementen en overname van start-ups en het risico van ongewenste kennis- en technologieoverdracht via de weg van (academisch) onderwijs en onderzoek. Er wordt onderzocht op welke manier de kennisregeling kan worden uitgebreid naar andere risicolanden en bijvoorbeeld opleidingen waar zeer specifieke technische kennis kan worden opgedaan11.

11 Zie tevens Kamerbrief, ‘Verscherpen toezicht op studenten en onderzoekers uit risicolanden’, Tweede Kamer, vergaderjaar 2018-2019, 30821, nr.70

Met een verkenning naar digitaal financieel economische spionage is het beeld ten aanzien van deze dreiging aangescherpt, en is bezien welk instrumentarium, complementair aan de maatregelen uit zoals de Internationale Cyber Strategie en de Nationale Cyber Security Agenda, van toepassing is om deze dreiging te mitigeren. Aanvullend instrumentarium, zoals bijvoorbeeld vergroting van het bewustzijn van deze dreiging, wordt in de verschillende beleidsterreinen opgenomen, zo ook in de aanpak tegengaan statelijke dreigingen. Het gaat hier ook om het inzetten van internationale samenwerking en diplomatieke instrumenten (inclusief attributie) zoals die in het kader van de EU Cyber Diplomacy Toolbox en om het benutten van bestaande WTO procedures ter zake waar opportuun.



Dutch govt intelligence tasks for AIVD and MIVD, 2019-2022 (in Dutch: “Geïntegreerde Aanwijzing Inlichtingen en Veiligheid” aka “GAI&V” aka “GA”)

[TEMPORARY NOTICE, 2019-04-26: until this notice is removed, minor changes may be to improve spelling/grammar/legibility. The current post is 99-100% camera-ready.]

This post provides information about the tasking of the Dutch intelligence activities in 2019-2022 based on recent official public documents. The “Geïntegreerde Aanwijzing Inlichtingen en Veiligheid 2019-2022” policy (aka “GAI&V” aka “GA”), which literally translates to “Integrated Instruction on Intelligence & Security 2019-2022”, describes the Dutch cabinet decisions on tasking of the Dutch intelligence & security services AIVD (general / non-military) and MIVD (military) for 2019-2022. The GA has a public body and a secret appendix. The remainder of this post is based on:

Side note: Dr. Paul Abels, professor of intelligence at Leiden University and former AIVD official, has warned that the introduction of the GA — first seen in 2018 — comes at the risk of politicization of intelligence, because the GA is established by the cabinet, and hence prone to politics (at least in theory; no claim is made that the present GA has characteristics of intent to misuse intelligence for political purposes).

[Related reading: Annual Report 2018 of the Dutch General Intelligence and Security Service (AIVD) (unofficial full translation)]

Translation of the Note of Explanation that accompanied the GA (some parts omitted or slightly adapted for readability):

The GAI&V, or GA for short, is established by the prime minister, i.e., the minister of General Affairs; the minister of the Interior; and the minister of Defense. The GA determines what investigations the AIVD and MIVD are to carry out, divided by countries, regions and themes, and it lays down a planning and priorities. The GA does not only determine what investigations the AIVD and MIVD each need to carry out, but also what investigations must be carried out in joint effort by both services, as per the cooperation laid down in Article 86 of the Intelligence & Security Services Act of 2017 (“Wiv2017”).

The GA is made for a period of four years and evaluated annually. The classified appendix of the GA describes intelligence objectives, agreements for cooperation between the AIVD and MIVD, and an elaboration on the desired scope and depth of investigations.

The topics of investigation are determined to gather intelligence that is hard or impossible to obtain via other means, for instance diplomatic channels, to support the Dutch government in establishing foreign policy and in international negotiations. This concerns information that is crucial to national security and is only available at foreign intelligence & security services, or that can only be obtained by the AIVD and/or MIVD. This means the activities of the AIVD and MIVD are complementary to existing tasks of the ministry of Foreign Affairs and its representations abroad (e.g. Dutch embassies abroad). The foreign intelligence task must not be assessed in a narrow sense of immediate use for the Dutch government. Joint European efforts, efforts in allied context, and efforts in international law are taken into account when answering the questions whether and to what extent a certain theme is in the interest of national security. The intelligence yields can be used in bilateral and multilateral cooperation with other countries, insofar possible within the legal framework.

The ability to detect and identify developments that are unknown or not readily visible is of importance to the government, in order for the government to be able to investigate how to respond to sudden, unexpected developments or (imminent) incident in foreign countries, and regarding the response of foreign governments to terrorist threats; or to prepare for civil missions in which the Netherlands participates.

The investigatory themes relate to the ‘a-task’ of the AIVD (national security) and to the ‘a-task’ and ‘c-task’ of the MIVD (security & readiness of the Dutch military; and protecting and promoting the international rule of law).

The unstable and less predictable security environment of the Netherlands is an expression of globally changing power relations, where power and initiative shift to countries who have a different look on the world than us. The threat mostly comes from countries with big geopolitical ambitions. Foreign states are seeking for information to modernize their armed forces, to strengthen their economy, to influence political decision-making or to create strategic dependencies, to thereby increase their geopolitical position. To achieve such objectives, they carry out espionage. This can involve classical espionage, but also digital espionage, and increasingly often a combination of both. Hacking provides a means to sabotage, to use acquired information in decision-making or to influence public opinion. Foreign corporate takeovers and foreign investments are used to create strategic dependence on them.

The terrorist threat in the Netherlands is still an important investigatory theme for the AIVD and MIVD. This threat stems mostly from the global jihadist movement. The AIVD and MIVD carry out intensive investigations into jihadist and radicalized persons and organizations, both domestically and abroad. They also investigate citizens who turned foreign fighter, and returnees. Partner organizations are informed so that they can take measures, leading for instance to possible arrests and criminal prosecution of returnees.

Furthermore, developments in various weapon programs in “countries of concern”, such as North Korea, Iran and countries in the Middle East pose an increasing threat to international security. This involved the development and proliferation of WMDs, means of transportation (ballistic missiles), and chemical and biological weapons. The MIVD investigates military-technological developments in foreign countries, so that the Dutch armed forces can be prepared en protected adequately against existing and future threats.

The AIVD and MIVD investigate developments within right-wing extremism to get insight into radicalization of persons and groups inspired by right-wing extremism. Left-wing extremists are often active in multiple areas, often in changing groups (‘opportunity-based coalitions’), and sometimes operate internationally. Acts against the ministry of Defense from left-wing activist and/or left-wing extremist persons and groups are mainly focused on four themes: recruitment of new employees, the defense industry, the potential storage of nuclear weapons, and the involvement of Defense in execution of the policy on asylum and aliens.

From the outlines of the MIVD year plan for 2019 (note: this is mostly about the MIVD, but touches on themes relevant to both AIVD & MIVD):

Investigation into foreign countries

The investigation into foreign countries offers the Dutch government and armed forces information and perspectives for acting in conflict prevention and management. In 2019, the MIVD will conduct investigations into Afghanistan, Mali, Syria and Iraq. The deployment of Dutch soldiers in enhanced Forward Presence (eFP) is also supported by the MIVD. In addition, the MIVD, together with the AIVD, is investigating the political and socio-economic crisis in Venezuela and the possible impact on the Kingdom of the Netherlands.

Counterproliferation and proliferation of military technology

Weapons of mass destruction pose a major threat to international peace and security. The Netherlands has signed treaties aimed at preventing the proliferation of such weapons. The AIVD and the MIVD are jointly investigating countries that are suspected of working, or contradicting them, to develop weapons of mass destruction and their means of delivery.

The MIVD also investigates military-technological developments in other countries and the proliferation of high-quality military technology and weapon systems to crisis areas, so that the Dutch armed forces can be properly equipped against existing and future threats.

Espionage and foreign influence

Espionage, influencing and sabotage pose a serious and growing threat to the Netherlands and its allies. States that have major geopolitical ambitions are looking for information to modernize their armed forces, to strengthen their economy or to influence political decision-making. This may involve classic espionage, but also digital espionage and, increasingly often, a combination of both. Hacking offers opportunities for sabotage and influencing political and administrative decision-making or public opinion through the use of hacked information. Countries also try to obtain information or create strategic dependencies through takeovers or investments.

Radicalization and extremism

The investigation into phenomena of radicalization, of whatever form, among Defense personnel will be continued in 2019. The aim of this investigation is to identify undesirable behavior in a timely manner. The MIVD advises on measures to be taken to identify and deal with these threats. Promoting awareness and understanding requires constant attention.

Outlines of other tasks and objectives in 2019

In addition to the priorities described above, other tasks and objectives for 2019 are given below.

Security screenings

The MIVD has the task of conducting security investigations, as laid out in the Wiv2017 and in the Security Investigations Act (Wvo). Since 1 October 2018, the AIVD and MIVD have been working together in the Security Investigations Unit (UVO). This implements the Dessens Committee’s recommendation to form a joint organization for security investigations. In 2019, the policies on security investigations by the AIVD and MIVD will harmonized, as recommended by the Review Committee on the Intelligence and Security Services (CTIVD).

Regulation of general security requirements for defensie industry companies (ABDO)

The ABDO regulation requires that Defense industry companies are screened. The Ministry of Defense is dependent on third parties for the implementation of large-scale projects and carrying out certain tasks. In addition to the mandatory screening, the MIVD will also carry out investigations in 2019 into espionage and cyber activities that foreign powers may develop against the Defense industry. An important point for attention in this regard are companies that are actively involved in the replacement of defense equipment. The Ministry of Defense will collaborate more closely with the Netherlands Industries for Defense & Security Foundation (NIDV) in the field of cyber security, with the objective of strengthening the (digital) security of the Dutch defense industry and making defense companies more aware of the threat.

Colocation of AIVD and MIVD

As stated in the annual plan letter from the AIVD that was sent to your House on 21 December 2018 (Parliamentary Papers, 30 977, no. 153), there have been a number of developments that have led to a new study into the physical integration of the joint housing at Frederik Barracks and financial consequences. This study takes a little more time than expected. We will inform you about this shortly.

Readers who understand Dutch may also be interested in taking a look at the FY 2019 budget plans for the Dutch MoD, published on 18 September 2018.


Annual Report 2018 of the Dutch General Intelligence and Security Service (AIVD) (unofficial translation)

UPDATE 2019-05-14: the AIVD has now published an official translation of the Annual Report 2018. To state the obvious: henceforth, one probably should reference that url, not my blog.

UPDATE 2019-04-29: the AIVD sent a tweet indicating that an (official) English translation of the Annual Report 2018 will be released in a few weeks. I will add a link to it when it is available. If you have doubts or questions about any part of my unofficial  translation, feel free to contact me to ask for verification — I’ll be happy to double-check for correctness / accuracy.

Below follows an unofficial translation of the Annual Report 2018 of the Dutch General Intelligence and Security Service (GISS, known in Dutch as AIVD). The text below is ~9200 words in total. Hyperlinks and parts between [] brackets were added by me.

Translation was done paragraph-by-paragraph via Google Translate and subsequently correcting or otherwise improving each translated paragraph (precision/accuracy matters in translation of such documents). If you have questions or suggestions/corrections, feel free to contact me.

Some points of interest:

  • Anticipated growth of the AIVD: “In the past year we have welcomed over 190 new colleagues. In 2019 we hope to attract 200 new employees.”
  • There will be a National Crypto Vision/Strategy policy (it is not yet available): “One of the contributions to better information security is the preparation of the National Cryptovision and Strategy, which was launched in 2018.”
  • There will be a new National Security Strategy policy, expected to be released before the parliamentary summer break (i.e., before 5 July 2019).

[Related reading: Dutch cabinet’s decisions regarding the intelligence tasking of AIVD and MIVD for 2019-2022 (in Dutch: “Geïntegreerde Aanwijzing Inlichtingen en Veiligheid” aka “GAI&V” aka “GA”)]

AIVD Annual Report 2018

Table of Contents


In front of you is the public annual report of the AIVD for 2018. The annual report offers an opportunity for us to provide insight into what we, and our two thousand colleagues, have dealt with and deal with globally every day. We hereby account for our work and offer a view of our field of work. It gives politics, press and the public a view of our activities.

In a country under democratic rule of law as we know it in the Netherlands it is, in addition to critical internal checks, essential that there is thorough external control of a service that has far-reaching investigatory powers.

Debates about us in parliament and in the media are often based on the oversight reports of the Dutch Review Committee on the Intelligence and Security Services (CTIVD). This committee was established per the Intelligence and Security Services Act of 2002 (Wiv2002). Over the past seventeen years, the CTIVD has conducted around fifty quite diverse investigations into the AIVD and has published frank, and largely public, reports on this.

In addition to the CTIVD, the new Intelligence and Security Services Act of 2017 (Wiv2017) that was enacted last year established an additional check on our work. After the minister has approved a request from us to exercise a special power, the independent Review Board for the Use of Powers (TIB) will review the legality of the minister’s decision.

The TIB and the CTIVD are strict and critical in their oversight, and rightfully so. It does not make our work easy at all times, but we as AIVD know that oversight is of great importance to us and to society.

Of course, parliamentary scrutiny also takes place. The standing committee on the Interior supervises the ins and outs of the AIVD to the extent that this is possible in public. With regard to classified and operational information, the minister is accountable to the parliamentary Committee for the Intelligence and Security Services (CIVD) for our actions.

Our work and the law do not allow us to speak openly about our activities. Also in this public annual report we cannot show the back of our tongue. Yet we are not so much a ‘secret service’ – as such you would not know about our existence – but above all ‘a service with secrets’. This is the only way in which we can recognize threats timely. The fact that two committees supervise and report on this gives us our license to operate. They ensure the legitimacy of functioning in a democracy. As a result, society can be confident that we are doing the right thing here and that we are doing it right, in the interest of national security and the democratic constitutional state.

Dick Schoof
Director General
General Intelligence & Security Service


The AIVD has not often received so much attention as it did in the year 2018. The reason for this was primarily the new Intelligence and Security Services Act of 2017 (Wiv2017). In March of that year, the Dutch electorate was allowed to vote on that law in an advisory referendum [NOTE: advisory referendum, hence non-binding].

The new law, which entered into force on 1 May 2018, is necessary to cope with contemporary threats at a time when society in all its facets is permeated by and dependent on internet technology.

The Wiv2017 also exists to give citizens the certainty that data are collected as targeted as possible and are only stored if they are important for our work. Other data must be destroyed immediately. From now on, an independent committee will also review the ministerial authorizations to use a special, infringing power before we can actually exercise that power.

We worked hard to prepare our organization to work in accordance with that law before the law entered into force. Yet the implementation of the law turned out to have a greater impact than anticipated. It took more time and effort to implement the safeguards, including independent ex ante oversight, in our work processes because this deeply affects the core of our work: the acquisition and processing of data. This has permanently changed our work.

At the same time, the threats that the Netherlands faces are complex and aggressive. Almost all of them have a significant digital component. Nation-states try to acquire information on decision-making and influence it, to steal trade secrets, and to intimidate and influence their (former) citizens who now live in the Netherlands. They also try to obtain access and persistence in systems for vital processes in our country. This offers them the opportunity to commit sabotage.

The arrest of seven suspects for the preparation of a terrorist attack, as well as some incidents that have occurred, show that our country can still be a target of jihadist or radical Islamic terrorism.

In addition, public debates are polarizing as population groups become increasingly opposed to each other. There is growing suspicion of the government, fueled by, among other things, extremist statements. Certain radical elements also try to separate groups of young Muslims from Dutch society by encouraging them to distance themselves from it.

All this is set against ever-changing international developments.

The situation in the Middle East remains tense and unstable. The security situation in Iraq and Syria is still poor. The so-called “caliphate” of the Islamic State in Iraq and al-Sham (ISIS) has already lost its ground. The terrorist threat has not diminished. ISIS has gone underground and manages to disrupt the region almost daily with attacks. Al Qaeda is also still active and is manifesting itself more and more.

Chemical weapons were also used in the fight in Syria in 2018. In April, dozens of civilians lost their lives in an attack with chlorine gas on the city of Douma.

The historical contradictions between major players Iran and Saudi Arabia have a decisive influence on the geopolitical situation.

The reputation of the progressive and modernizing Saudi crown prince Bin Salman has suffered a blow after the critical journalist Jamal Khashoggi was killed in the Saudi consulate in Turkey.

The uncertainty for Iran is growing now that the United States has withdrawn from the nuclear agreement [NOTE: this refers to the INF Treaty]. The European Union remains committed to the agreement with Iran. The non-proliferation treaty that had its 50-year anniversary in 2018 is under pressure due to increasing tensions, decreasing support for international partnerships and the protectionist attitude of various leaders.

A direct nuclear threat from North Korea seemed to have subsided in 2018 when heads of state Donald Trump and Kim Jong-un shook hands and North Korea said it was prepared to dismantle nuclear facilities. The results of the discussions are very uncertain.

The tension between Russia and the West remains high. President Putin is trying to position Russia as a world power, also to strengthen his position in his own country. He tries to sow discord within NATO and the EU in order to weaken his opponents and acts aggressively towards the Baltic states.

The attempts by the Russian military intelligence service GRU to poison a former intelligence officer in the UK and to hack into the network of the Organization for the Prohibition of Chemical Weapons (OPCW) in The Hague show the brutality with which this service operates.

On the other side of the world, Venezuela — the largest neighbor of the Kingdom of the Netherlands — is in a deep crisis. The deplorable situation in which the country finds itself, both politically and economically, causes the population to suffer severely. This has led to millions of refugees, which also has consequences for the stability of the areas within the Kingdom, Aruba, Bonaire, and Curaçao. In 2018 we prepared more than 300 intelligence reports on all these developments in the world around us that are important for the Dutch government’s foreign policy. A significant number of the reports served as support for the Dutch membership of the United Nations Security Council in the first half of 2018.

From all our investigations together we have prepared more than 900 written intelligence products, including official messages [in Dutch: “ambtsberichten”], intelligence messages and analyses, risk analyses, threat assessments and information security advice. Increasingly often we also inform our intelligence consumers orally about our findings.

In 2018, the Prime Minister, together with the minister of the Interior and the minister of Defense, set the priorities for the investigations of the AIVD and the MIVD for the coming years. Close consultation was also held with the minister for Justice & Security and the minister of Foreign Affairs.

These agreements are laid down in the Integrated Instruction [in Dutch: “Geïntegreerde Aanwijzing”, or “GA”] on intelligence & security. This states what information authorities need from the AIVD and MIVD to be able to take responsibility for national security. Both services have their own research areas and focus. The GA is evaluated annually.

The national and international developments demonstrate the importance of our work. That is why the government has made funding available for growth of the AIVD in 2018 and 2019. In the past year we have welcomed over 190 new colleagues. In 2019 we hope to attract 200 new employees.

Espionage and foreign interference

We call activities that foreign countries carry out to collect information in and about the Netherlands, and thereby harm our interests, ‘espionage’. Espionage can take place digitally, for example by breaking into a system, or physically by humans. This can be important political information, for example with regard to decision-making processes and viewpoints of the government. Foreign countries can also try to steal (business) secrets through espionage in order to boost their own economy.

Countries can also try to harm Dutch interests in a different way, namely by influencing processes in the Netherlands. We place this under ‘unwanted foreign interference’: covert political influence, influence and intimidation of their emigrated (former) countrymen, sabotage and abuse of the Dutch IT infrastructure. Foreign countries thereby attempt to undermine the Dutch political, economic and social systems.

When states use digital means for espionage and sabotage in order to achieve their own political, military, economic and/or ideological goals at the expense of Dutch interests, we speak of an ‘offensive cyber program’. Our studies show that countries such as China, Iran and Russia have such cyber programs that target the Netherlands.


Anyone who has specific or specialist knowledge can be the target of espionage. Not everyone is aware of this. Our research is aimed at protecting the political and economic security of the Netherlands by detecting threats and alerting individuals and authorities in a timely manner.

In the field of espionage, the year 2018 was characterized primarily by the brutality that intelligence officers demonstrated. The attempt by the Russian military intelligence service GRU to gain access to the OPCW network in The Hague shows how far this agency goes.

Our investigations have also shown that digital espionage is becoming increasingly complex. State actors increasingly make use of common methods and techniques, which makes it difficult to determine the origin of an attack (attribution). In addition, state actors are increasingly using internet service providers and managed service providers as a springboard to penetrate a target. These service providers often have in-depth, extensive and structural access to information from organizations or individuals in the course of operating their business. Such methods make detection, analysis and attribution of digital attacks more difficult.

More and more countries are focusing on political and/or economic espionage. We see in our investigations that China, Iran and Russia are at the forefront of this.

Political espionage

To Russia, our country is an interesting target for espionage. The strategic importance of Dutch politics and jurisprudence has increased sharply for Russia since the demise of flight MH17 in July 2014. There is, and will continue to be, a need to obtain information about the course of the investigation into the disaster. The likelihood of this only increases now that the Netherlands has held Russia liable for its share in the downing of the aircraft.

The Netherlands also has Russia’s interest for a long time because of its membership of NATO and the EU. The Russians would like to find out what position the Netherlands takes in these partnerships. In order to gain insight into this, the intelligence services also use classical espionage tools, such as the recruitment of human resources, in addition to digital means.

For other countries, it may be of interest to gain insight into the traffic between a Dutch diplomatic post abroad and the Dutch ministry of Foreign Affairs. We have observed that a number of Dutch embassies in the Middle East and Central Asia were the target of digital attacks carried out by a foreign intelligence service in 2017 and 2018. The digital attacks on these embassies confirm the structural attention of intelligence services for the ministry of Foreign Affairs.

Economic espionage

The biggest threat by far in the field of economic espionage comes from China. This espionage is fueled by Chinese economic policy plans, such as “Made in China 2025” and the “New Silk Roads”, with which the country can increase its economic and geopolitical influence.

These plans not only lead to economic opportunities, but also to increasing competition with Western and hence also Dutch companies. China uses a wide range of (covert) resources to undermine the earning capacity of Dutch companies and which can eventually result in economic and political dependencies. One of these means is (digital) economic espionage.

China is interested in Dutch companies from the high-tech, energy, maritime and life sciences & health sectors.

Another threat to national security is related to globalization. As a result, there is growing economic interaction, digitization, internationalization of labor markets and production processes, and also the liberalization of corporate location and investment policy. This offers more possibilities for (covert) acquisition of Dutch technology and companies. For example, companies can be taken over by foreign companies that are under the influence of their government, or that can easily obtain cheap state funds, creating an uneven economic playing field.

Theft of research findings also takes place within legitimate partnerships between academic and knowledge institutions. This way, Dutch innovations disappear across the border.

The safety awareness and resilience of Dutch business and knowledge institutions against these risks do not seem sufficient. This poses a risk to the economic security of our country.

Covert political influencing

It is perfectly legitimate that a country tries to defend its own interests with and in other countries with an open mind. However, if this transcends regular diplomatic or political lobbying because a country operates under a false flag, we speak of covert political influence.

Covert influence can be directly aimed at political decision-making, but can also take place indirectly if it is aimed at manipulating public perception. The spreading of disinformation is a means that can be used for this. Intelligence services often play a role in covert influencing operations. Russia is a country that has been continuously mentioned in recent years when it comes to interference in the political processes of other countries. It has traditionally been very adept at secretly influencing the image and public opinion in other countries, which can have a disruptive effect on decision-making processes. An example of influencing by Russia is the dissemination of disinformation by proclaiming various speculations regarding the MH17 disaster, which obscures the investigation. We have also found that attempts have been made from Russia, with limited effect, to influence the Dutch online on social media.

We also see that there are states, including China, that try to influence opinions and publications about their own country through educational and knowledge institutions. This may concern countries with which scientific cooperation is relatively fruitful, for example. But that comes at the risk that a dependency on that foreign government arises, for example when investigations are funded by China or when research is conducted that involves a need to travel to that country to carry out research there. That gives that country a certain dominant position that is sometimes abused. Journalists face opposition in a similar way. In the case of unpleasant publications, for example, there may be a threat of withholding work permits.

Countries that we see to be engaged in covert political influencing include China and Russia.

Influencing and intimidating diaspora

States try to influence people in the Netherlands who have emigrated from that country (diaspora), focused on their own domestic political objectives. In some cases, these emigrants still have a passport from their country of origin or have family living there, but have already been living in the Netherlands for some time. It can also be about people who have fled their country of birth for political reasons, and become victims of harassment in the Netherlands. Such intelligence and interference activities create a permanent sense of insecurity in the communities concerned. National tensions from abroad are thereby imported into our country. The influencing sometimes goes so far that people feel limited in the exercise of their fundamental rights, such as freedom of expression. The security services of these states are not afraid to put pressure on the families of emigrants in their country of origin.

Iran is interested in people and organizations that are known to oppose the current Iranian regime. The AIVD has strong indications that Iran is involved in two murders on Dutch territory, in 2015 in Almere and in 2017 in The Hague. Both cases concerned opponents of the current regime. Following the results of the intelligence investigation by the AIVD, the Netherlands has taken measures against two Iranian diplomats.

Countries that we see to be willing to influence and put pressure on their emigrated (former) countrymen include China, Iran, Russia and Turkey.

Sabotage and abuse of infrastructure

States can also pose a threat to the independence and independence of the Netherlands by enabling digital sabotage of vital infrastructure. They do this by gaining access and then embedding themselves in IT systems of vital processes. The AIVD has seen that attempts have been made to this end.

We have not yet detected an intent to actually carry out sabotage actions on Dutch vital infrastructure. A disruption in, for example, the energy supply in countries around us can also have consequences for the Netherlands. The geopolitical unrest in the world makes a sabotage action more conceivable. Russia, for example, has an offensive cyber program for disruption and even sabotage of the vital infrastructure.

The Netherlands also has a special responsibility for the IT infrastructure through which internet traffic flows from virtually all over the world. Just as our country feels responsible for air traffic traveling via Schiphol or cargo ships calling at the port of Rotterdam. Our IT infrastructure is being misused by some countries to carry out digital espionage, influencing and sabotage activities against other countries. These activities harm the international legal order and interests of other countries, in particular allies.

Countries that we see involved in sabotage and/or misuse of the IT infrastructure include Iran, North Korea and Russia.

Activities and results

From our investigations, we have been able to provide insight into the risks of espionage and foreign interference for the Netherlands and for companies. We have visited various agencies, given hundreds of (awareness) presentations and informed government partners such as the National Coordinator for Counterterrorism and Security (NCTV) and various ministries about our findings. The account managers of the intelligence services at the police also play an important role in this.

We have released around 40 intelligence reports on espionage and unwanted foreign interference.

The number of questions to the AIVD about the continuity and integrity of crucial and vital systems within and outside the government has increased in the past year. This is one of the reasons why we have developed and installed accelerated detection tools within the central government to be able to recognize attacks in time. For this, the AIVD had been allocated extra money for 2018.

We were also asked for advice on the risks to national security in the rollout of a renewed C2000 system [NOTE: C2000 is a TETRA-based radio communication system for emergency services; it can also be used by the intelligence services]. The AIVD finds it undesirable that the Netherlands is dependent on the hardware or software of companies from countries for which it has been established that they are conducting an offensive cyber program against Dutch interests for the exchange of sensitive information or for vital processes. We provide insight to involved parties such as ministries about the relationships between such companies and their government, so that they can weigh the risks. It is important to look at the possibilities, intentions and interests of the states involved and the national legislation. It is also important that the Dutch user ensures that he always has control over his own data.

In 2018, the AIVD and the MIVD jointly drew up the Cyber Intelligence Assessment [in Dutch: “Cyber Inlichtingenbeeld”]. This is a classified report written for almost the entire central government and contains an outline of the current threat assessment and expected developments.

With an extra allocated budget, we have strongly focused on recruiting new employees and technical experts for investigations into digital threats. The recruitment of high-quality technical staff and intelligence staff with technical affinity requires considerable effort, certainly in the current labor market.

In the international context, we have worked closely with foreign counterparts and exchanged knowledge with them about developments regarding foreign interference attempts. We were able to provide them with relevant information in specific cases.

Read more at [only available in Dutch].

(Jihadist) terrorism and radical islam

Within the area of terrorism, the AIVD pays most attention to jihadist terrorism, but terrorism is not solely related to jihadists. The breeding ground for jihadist-terrorist violence can be formed by radical Islam, of which salafism is the best-known variant.

Jihadist terrorism

Last year there was an increase in incidents in the Netherlands with a jihadist, terrorist or radical Islamic background. In the years before, the Netherlands remained unaffected in terms of attacks and there were mainly terrorist incidents in the countries around us. Randomly selected victims fell in stabbings at everyday & freely accessible locations, with apparently little preparation.

Incidents and arrests

Since the murder of Theo van Gogh in 2004, there have been no more incidents in our country by extremist and terrorist jihadists, until last year. A number of incidents took place in 2018 in which the perpetrator probably acted or wanted to act on the basis of a jihadist or radical Islamist motive.

On 5 May 2018 a Syrian man stabbed three people in The Hague. The Public Prosecution Service suspects the man, who has serious psychological problems, of attempted murder with a terrorist motive.

On 31 August 2018 a stabbing took place at Amsterdam Central Station in which a 19-year-old Afghan, who came from Germany, seriously injured two people. The man stated that he wanted to take revenge for a cartoon competition about the prophet Mohammed, which PVV [aka Freedom Party] leader Geert Wilders had announced in the spring.

A few days earlier, a Pakistani was arrested at The Hague’s central train station who wanted to attack the PVV leader for the same reason. The suspect turned to Geert Wilders because, in his eyes, the cartoon competition was insulting the prophet. The Public Prosecution Service charged him with preparing a terrorist attack.

In addition, various arrests were made of jihadists in the Netherlands. For example, the cooperation of the AIVD with various international and national partners on 17 June 2018 led to the arrest of three people in Rotterdam. Two of them are suspected of preparing a terrorist attack in France. It is not ruled out that they also considered Dutch targets.

Perhaps the most striking event in the Netherlands was the arrest of seven jihadists on 27 September 2018. Our investigations showed that they belonged to a jihadist network that originated in the city of Arnhem, and that they were preparing for a large-scale terrorist attack at an event in our country.

The AIVD has been investigating the people involved in a jihadist network in Arnhem for a long time. These members were part of the core of the jihadist movement in the Netherlands. On 25 April 2018 we issued a first official message to the National Prosecutor for Counterterrorism about preparations made by the group to carry out an attack on a large-scale event. In addition, they wanted to make as many victims as possible. It is very worrying that a part of the jihadist movement in the Netherlands has the intention to carry out a major attack on such “soft targets”. The cell is said to have been inspired by ISIS, but most likely operated independently for this attack. The members had contact with other jihadists at home and abroad, but did not share the plans for this attack with people outside their own group.

Jihadist threat against the West

The current jihadist threat is characterized by a constant threat of more complex and relatively simple attacks in and against the West. This is done by globally operating jihadist organizations, such as ISIS and Al Qaida, and smaller jihadist networks or individuals. The incidents of the past year and the many arrests show that the jihadist threat is still present in Western Europe.

Threat from ISIS and Al Qaida

Despite the disintegration of the so-called caliphate and the loss of territory, ISIS continues to pose a threat. In 2018, for example, the organization claimed responsibility in Europe for attacks in Liege (Belgium), Trèbes, Paris and Strasbourg (France). However, the decline of the caliphate and the loss of strength at ISIS have led to a reduction in the attraction to jihadists

Al Qaeda also wants to hit the West with attacks. In recent years it has been able to work on strengthening its organization in the shelter of ISIS. Networks and departments that are counted as Al Qaeda still focus on attack planning against the West.

Threats from foreign fighters

There are two aspects to the potential threat posed by travelers. On the one hand, there are fighters who have left who still choose to stay with terrorist groups such as Al Qaeda and ISIS in Syria and / or Iraq. They are in regular contact with the “home front” in the West. In this way they contribute to the further embedding of jihadist ideas in communities in the West. They use these contacts to encourage people to (support for) attacks.

On the other hand, considerable numbers of fighters from Syria and Iraq have since returned to Europe, including the Netherlands. At the end of 2018, there were around 55.

The returnees include women, with or without children, and men. For each person who returns, the Dutch government makes an assessment of the extent to which this constitutes a threat. At the end of 2018 some 135 jihadists with a Dutch background were among terrorist groups in Syria and Iraq.

The challenge for the AIVD, and for the entire Dutch government, is to find out the purpose for which people return. Have they been disillusioned by the harsh conditions, have they fled and are they missing in Dutch free society? Have they been traumatized by the confrontation with or participation in violence? Are they contacting jihadists in the Netherlands here and are they giving the movement an extra boost? Have they been sent by the organization there to commit an attack in the West or to support it?

Identified returnees are arrested and are on trial. We estimate that some of these jihadists will probably not abandon their ideas during their prison sentence and afterwards. They can join the jihadist networks from which they originate or form new networks.

The Dutch detention system where terrorism suspects and convicts are placed together and not among other prisoners, largely prevents non-extremist prisoners from being radicalized and recruited by jihadists. That does happen in other European countries. The Dutch system can lead to unwanted mutual influence and the formation of new networks. In addition, many detained jihadists will be released in Europe in the coming years. The AIVD expects detained jihadists and released (ex-) jihadists to form an important part of the threat assessment.

The jihadist movement in the Netherlands exists of some 500 persons

The jihadist movement in the Netherlands is a dynamic entity of individuals and groups that adhere to the jihadist ideology.This movement has no hierarchy or well-defined structure. Many jihadists are in contact with each other in both the real and the virtual world. Many undertake activities as a group. Various groups are in contact with each other or with jihadist groups and individuals abroad. In addition, there are jihadists who stand alone and live in isolation from like-minded people.

We count over 500 people as being part of the jihadist movement in the Netherlands.Several thousand people in the Netherlands sympathize with jihadist ideas without really belonging to the movement.

The jihadist movement in the Netherlands is mainly pro-ISIS, but there are also jihadists who align more with Al Qaeda. In recent years the movement has been very focused on the war in Syria and the caliphate of ISIS. More than 300 jihadis traveled to that region. Now that there is no longer a physical caliphate, that focus has decreased. There is a phase of reorientation in which the jihadists are now focusing more on spreading their teachings or ideology and on strengthening their networks.

Whether the movement becomes larger and more powerful depends on several factors. This includes the emergence of new leaders and new sources of inspiration, or issues that arise and can re-mobilize the movement. The war in Syria was such a momentum at the start of this decade. Even in the current phase of reorientation, the jihadist movement in the Netherlands is threatened, as demonstrated by, among other things, the arrests of the Arnhem network.

Unconventional means of attack

Last year, incidents took place that involved the possible use of unconventional means of attack in the form of biological substances, such as in Germany and Italy. We see that such knowledge is disseminated by including the manuals for making and using chemical agents and biological poisons in propaganda expressions.

Activities and results

In 2018 we published more than 100 intelligence reports on developments within jihadist and radical Islamic terrorism. We were able to provide the Public Prosecution Service with information about their criminal investigations via 35 official messages. In addition, we have issued official reports on this to the Immigration and Naturalization Service (8 reports), to the Ministry of Foreign Affairs (3 reports) and to mayors (2 reports). We also issued a publication on the state of affairs with regard to ISIS and Al Qaeda in relation to the struggle in Syria. [FOOTNOTE 1: ‘De erfenis van Syrië, mondiaal jihadisme blijft dreiging voor Europa’, AIVD, November 2018.]

Cross-border threats require a cross-border response. International cooperation between colleges remains crucial in the fight against terrorism, as was proven again in 2018.

This collaboration is partly anchored in the Counter Terrorism Group (CTG). This is a collaboration between the security services from the EU countries plus Norway and Switzerland. The platform, based in our country, that directly shares information about jihad fighters, simplifies cooperation and contributes to gaining a better understanding of transnational and international connections.

This cooperation strengthens our intelligence position and that of the affiliated partners. Specifically, this cooperation leads to the earlier recognition, identification and arrest of potential jihadist perpetrators in Europe.

Read more at [only available in Dutch].

Radical islam

The AIVD’s investigation into radical Islam focuses on two types of threat that can arise from radical Islam. On the one hand there is the threat of further radicalization towards the (violent) jihadist ideology. On the other hand, there is a threat to the democratic legal order from an intolerant religious ideology. We are dealing here with a phenomenon that is at odds with our democratic legal order, but is still moving within the legal frameworks. Our research focuses largely on certain driving factors in the Salafi spectrum.

Unwanted foreign investments

The AIVD investigates the extent to which Islamic institutions receive financial support from abroad, including the Gulf States. This support can be accompanied by interference on an ideological level. If this foreign influence poses a threat to the democratic legal order, it has our attention. We work closely together on this issue in a European context.

Radical influence within education

The AIVD notes that radical Islamist promotors are able to position themselves strongly within the range of education for young Muslims. For example, after-school lessons in Arabic and Islam. Such educational programs are also attractive for pupils with a moderate background.

This is partly due to the fact that they often have few or no good alternatives to after-school Islamic education.

At first glance, these educational initiatives appear to be easily accessible and innocent. However, we believe that children and young adults are alienated from society by this interpretation of education and may be hindered in their participation in society. This is caused by the intolerant and anti-democratic ideas of the initiators. In the long term, this can put social cohesion under pressure and thereby undermine the democratic legal order.

In the past, only a few established mosques and educational institutions spreaded this philosophy, but the offer has now become widespread. A new generation of eloquent preachers has been trained and is developing their own initiatives to spread their message. Online drivers also see opportunities to reach their target group quickly and easily. Our research also shows the influence of a few individuals who adopt a dual attitude towards (violent) jihadist ideology, because they are not directly opposed to it. This may create a breeding ground for jihadism.

Activities and results

Six official messages and 12 intelligence reports were issued on developments regarding radical Islam.

The AIVD collaborates on this with the NCTV, various ministries and local authorities. We support both national and regional governments based on concrete examples.

In this way we offer tools with regard to a phenomenon that is at odds with the democratic legal order, but that is (still) mainly lawful. In the past year we have given presentations to various municipalities and other government partners.

Read more at [only available in Dutch].

Non-jihadist terrorist organizations

The AIVD notes that in 2018 the Kurdish Workers Party PKK did not intend to carry out attacks in Europe. The PKK’s primary goal is to be removed from the EU list of terrorist organizations. The use of force in Europe would not contribute to that. However, the organization does have the potential for violence and is able to mobilize PKK supporters in a short time.

The PKK organized solidarity demonstrations in Europe – also in the Netherlands – for the victims who fell as a result of the Turkish military action in the Syrian Afrin. Under the name #fightforAfrin, arson attacks against Turkish targets were committed in a number of European countries – particularly in Germany – resulting in property damage. The call for this came from a youth group that is not officially covered by the PKK, but possibly linked to it.

Activities and results

In the context of the investigation into non-jihadist terrorist organizations, we issued 4 intelligence reports and 2 official messages in 2018.

Read more at>[only available in Dutch].


Extremism is the active pursuit and/or support of profound changes in society that can endanger (the continued) existence of the democratic legal order. This can happen with undemocratic methods, such as violence and intimidation, which can undermine the functioning of the democratic legal order.

Although the themes within extremism in general still have a “left” and “right” signature, that subdivision can no longer always be made. Indeed, there are beliefs about which both “left” and “right” are concerned. This is often the result of discontent and mistrust of the government.

In most cases, civil disobedience is involved, such as during protests against nature policy in the Oostvaardersplassen and against gas extraction in Groningen. These protests usually do not transcend activism and therefore there is no immediate threat to the democratic legal order.

We do, however, consider it conceivable that splinter groups or loners will be inspired by activism and seek refuge in extremism. The AIVD has the task of identifying when this activist anger degenerates into extremist activities.

Hate of the foreign/unknown, preference for own race

For certain right-wing extremists, immigration is still synonymous with Islamization. In their view, immigration and Islamization pose a danger to Dutch identity.

For these right-wing extremists, it feels like the government is selling Dutch culture by admitting refugees from Islamic countries. A visible representative of that philosophy is, for example, the group Identitair Verzet [in English: Identity-based Resistance].

The anti-Islam position has many supporters inside extremism, with men becoming less and less exclusive as before. The anti-government sentiment that prevails within this group also attracts sympathizers who have no history of right-wing extremism. They also have distrust of (European) politics and sometimes also of science and (mass) media.

It goes without saying that the AIVD does not consider criticism of Islam, immigration or the government itself as a form of right-wing extremism. After all, such opinions are protected by the freedom of expression. We view such expressions as extremist when they turn into hate speech, intimidation and threats.

Some of the extremists even argue for the prevention of mixing of races. This ethnic-nationalistic ideology is heard within the circle of supporters of the alt-right ideology, such as the “study society” Erkenbrand. In themselves, they say they have nothing against the existence of multiple races, but the Netherlands is for the Dutch.

There are also extremists who are convinced of white supremacy. These people take an anti-democratic position and pursue a racist society in which people are not considered equal. This is contrary to the democratic legal order.

Resistence against ’cause’ of migrant flows

From the “left” there has traditionally been opposition to immigration and asylum policy. The policy is considered to be too strict.

Within the opposition to the immigration and asylum policy, a shift of attention can be seen towards defense industry companies. These are companies that deliver goods to the Ministry of Defense. The reasoning is as follows: without defense order companies there would be less war, so fewer refugees and therefore fewer migrant flows. Companies are also charged for supplying materials to the European Border Guard to stop migrants at the European external borders. The Anti-Fascist Action (AFA) last year joined a number of non-violent campaigns against these types of companies.

In addition, attention is also paid to the “traditional” targets, such as the makers and implementers of the immigration and asylum policy, the Immigration and Naturalization Service, the National Agency of Correctional Institutions and the construction companies of detention centers. Actions against asylum policy were conducted less strongly last year than a few years ago.

Ideology based on own identity

A notable development within activism and extremism is the fragmentation of ideologies that fall back on one’s own identity.For example, there are organized anti-racists based on their own identity who oppose the — in their eyes — colonial legacy of the Netherlands and who reject the support of “white” supporters.

Activities and results

Based on official messages from the AIVD, the Public Prosecution Service has launched a criminal investigation into an extremist who wanted to use violence against Muslims. This ultimately led to a conviction by the court in early December 2018.

In 2018 we issued a total of 21 official messages related to extremism and prepared 8 intelligence reports. On the developments within right-wing extremism we published “Right-wing extremism in the Netherlands, a phenomenon in motion” in October 2018. [FOOTNOTE 2: “Rechts-extremisme in Nederland, een fenomeen in beweging“, AIVD, October 2018.]

Read more at [only available in Dutch].

For a secure Netherlands

The chapters above deal with the threats that we see for national security and the risks that exist for Dutch interests. We inform various partners with unique information relevant to them from our investigations. With this we enable them to take their responsibility for national security. We call this the creation of an action perspective.

The AIVD itself has limited possibility to take action. But with an official message, for example, we offer the Public Prosecution Service handles to start a criminal investigation into activities that pose a threat to national security and that can also be prosecuted.

In addition, this concerns information for, for example, ministries, executive organizations, mayors, educational institutions and also companies. The latter are especially important when they play a role in vital processes in our society. Think of companies from the energy sector or civil aviation. We want to promote the resilience of the Netherlands by informing, informing and, where possible, advising all these authorities about threats that could affect them and therefore anyone in the Netherlands.

There is also frequent cooperation with Dutch parties that play a role in export control, such as the Ministry of Foreign Affairs and customs. We are regularly asked for advice regarding an application for an export license. In addition, we have informed the Ministry of Foreign Affairs several times about unsolicited acquisition attempts that have been identified. This often concerns goods that can be used for the development or production of weapons of mass destruction or their means of delivery.

We also provide information to relevant parties about the risks of involvement in the dissemination of knowledge and goods for weapons of mass destruction (proliferation). We advise them on what they can do to identify suspicious transactions. In this way we have been able to recognize and prevent various acquisition attempts.

In 2018 we issued 32 official messages to the Ministry of Foreign Affairs with regard to proliferation and export control.

Read more at [only available in Dutch].

“Safe” people in trusted/essential functions

At various places in society, positions of trust exist where an employee can harm national security. These positions exist among others at the central government, the National Police and companies involved in critical infrastructure.

Preventing the acquisition of knowledge and goods

Countries such as Iran, Pakistan and Syria are looking towards the Netherlands and other Western countries for the knowledge and goods they need for the development of weapons of mass destruction. In a joint unit of AIVD and MIVD we are investigating how these countries are trying to obtain the required knowledge and goods and we are trying to prevent this. To this end, intensive knowledge was exchanged with fellow foreign services in the past year.

The positions of trust are designated by the relevant minister. We conduct security investigations to assess whether we can issue a “declaration of no objection” (VGB) to a (candidate) trust officer. We also enable the relevant authorities to take responsibility for national security by conducting security investigations.

The Ministerial Regulation on Security Investigations Unit entered into force on 1 October 2018. [FOOTNOTE 3: Ministeriële regeling over taken van de Unit Veiligheidsonderzoeken, Staatscourant, nr. 53581, September 2018.] This creates the framework for merging the AIVD’s Security Investigations business unit and the MIVD’s Security Investigations Office Safety investigations (UVO). In anticipation of this cooperation, the policy of the MIVD and AIVD in the field of security investigations was aligned per March 2018. [FOOTNOTE 4:
Beleidsregel Veiligheidsonderzoeken, Staatscourant, nr. 10266, 21 Februari 2018.] First steps were taken in 2018 to also standardize the work processes of both organizations. The idea behind merging is: one policy, one system, one location.

Also in 2018, the electronic Personal Information Form (eOPG) became available for some of the employers. This is currently only available for investigations carried out by the AIVD. The process has been fully digitized for this group. This concerns the application that the employer makes and the personal information that the employee must enter for the investigation. The people who have to undergo a safety investigation log in with DigiD in a secure environment.

In 2018, the AIVD and the mandate holders (National Police and Royal Netherlands Marechaussee) jointly carried out nearly 44,000 security investigations into persons who (wanted to) assume a position of trust. That number hardly deviates from the number of investigations (more than 45,000) conducted in 2017.

The point of departure is that 90% of the security investigations conducted by the AIVD itself must be completed within the maximum legal decision period of 8 weeks. With nearly 89%, this goal was almost achieved.

The main cause of this is the substantially increased inflow of the number of security investigations. The AIVD completed almost 20% more investigations in 2018 than in 2017. This increase is almost entirely due to the increased demand for investigations in civil aviation, which we had to handle. In addition, preparation for the joint Security Investigations Unit also used available resources.

Screening of a person at the request of others

In addition to the security investigations, another type of screening is part of our duties. In those cases we look up information about specific persons in our own systems. This is done at the request of others. An example of this is a request from the Prime Minister for a reference screening of a candidate-minister of government.

This type of screening via our own systems was not explicitly laid down as a task in previous law, i.e., the Wiv2002. With the introduction of the Wiv2017 law this has become an explicit task.

In 2018 we conducted 31 reference screenings and issued official messages about the results to the relevant authorities.

Read more at [only available in Dutch].

Role in the protection of persons

Just like the MIVD, the National Police and the NCTV, the AIVD has a role in the Monitoring and Protection System for the protection of certain persons. This system is aimed at the safe and undisturbed functioning of dignitaries such as politicians and members of the Royal Family, diplomatic representations and international organizations.

The essence of the system is that it not only looks at the concrete threat of, for example, jihadist terrorists and left and right extremists, but also at conceivable threat. With risk analyses, threat analyses and threat assessments we enable the NCTV to decide on possible security measures.

In the past year, we have drawn up a total of 1 risk analysis, 10 threat analyses and 51 threat assessments in the context of the Monitoring and Protection System.

Read more at [only available in Dutch].

Information security

One expertise of the AIVD is advising the central government on the protection of confidential and state-secret information. We also develop means ourselves to keep such information secure.

One of the contributions to better information security is the preparation of the National Cryptovision and Strategy, which was initiated in 2018. This is done together with other departments. The business community and knowledge institutions also provide input for this. The National Cryptovision and Strategy describes how cryptographic security measures to protect sensitive information will continue to be available in the future.

A lot of oral presentations were given to stakeholders from the National Communication Security Agency [NBV, aka NL-NCSA] of the AIVD last year. In addition, 44 written threat intelligence products were released.

Read more at [only available in Dutch].

A new law

On 1 May 2018 the new Intelligence and Security Services Act, Wiv 2017, entered into force. The law is a consequence of the report of the Dessens commission from 2013 that concluded that a change to the old Wiv (from 2002) was necessary because it was no longer adequate. [FOOTNOTE 5: ‘Evaluatie Wet op de inlichtingen- en veiligheidsdiensten 2002’, 3 December 2013.] In order to continue to carry out our duties, modernization of our investigatory powers was necessary. In addition, the law offers a considerable reinforcement of privacy guarantees.

Modern investigatory powers

The speed of technological developments was not taken into account in the Wiv 2002. Nowadays, everyone uses Internet applications for communication and other data exchange. This leads to data traffic that rages across the world in large quantities and with great speed via cables. Regarding communication transported “on the cable”, the old law only allowed interception based on a specific selector/characteristic of a specific person or organization.

The essence of the AIVD’s work is to make unprecedented threats visible. Without access to digital data streams, it is not possible to identify new threats. An example: if we know that digital attacks on the Netherlands are being carried out frequently from a certain part of the world and we have been able to find out via which fiber optic traffic that traffic is running, then we can investigate that data flow for characteristics that we extract from the attacks. In this way we can determine in time what the attack is aimed at, not after the malicious software has already reached the target and caused damage.

The technology for this research assignment-oriented (OOG) interception on internet cables requires extensive technical preparation. In 2018 we have therefore not yet exercised this power.


The use of internet technology results in large amounts of communication data, and all types of such data are mixed. This means we can potentially make bigger infringements on privacy and regarding more people.

For example, when intercepting and investigating certain data flows through research assignment-oriented (OOG) interception, there is a risk that we will also intercept traffic from people who do not mean any harm. Intercepted data that is determined to be irrelevant to our investigation is immediately destroyed. This concerns approximately 98% of the data collected.

Under the Wiv2002, the use of a large number of special powers required permission from the minister of the Interior. With the Wiv2017, after the minister’s approval and prior to exercise of powers, approval is also required from the independent Review Board for the Use of Powers. Moreover, the Wiv2017 prescribes stricter retention periods than its predecessor.

In the advisory referendum of 21 March 2018 on the Wiv2017, 49.4% of the voters voted against and 46.5% voted in favor of the law.

After the referendum, the government promised extra guarantees to address the outcome of the referendum. For example, it was promised that the consideration notes on foreign cooperation partners would be completed earlier than prescribed by the law (1 May 2020), namely before 1 January 2019. For all foreign services that we have a cooperation with, the written considerations have been completed. A consideration note assesses the extent to which a foreign counterpart and the country in question meets legal criteria and to what extent cooperation is possible.

Furthermore, wee will also ask the minister for approval on an annual basis for (further) retaining the data we collected via research assignment-oriented interception. There was no such interim assessment prescribed in the original law. We have to substantiate whether, and if so, why we still want to save them in order to determine relevance at a later date. After 3 years, the data will be destroyed regardless, except of course for the data that we have determined to be relevant to our investigation.

A policy rule is drawn up that, when requesting approval for the use of a special power, we must state explicitly how we want to use a power “as targeted/focused as possible”, in addition to the standing requirements of necessity, proportionality and subsidiarity.

The government virtually excludes that OOG interception will be used in the coming years for research into cable communication that has its origin and destination in the Netherlands [NOTE: this refers to domestic-domestic communication. Communication between Dutch citizens that takes place via foreign providers, such as Facebook and the like, travels via the US and is considered domestic-foreign communications under the Wiv2017]. An exception to this is research into digital attacks in which the Dutch digital infrastructure is abused. OOG interception may be needed to detect such threats.

Processing of medical data is permitted only if it occurs in addition to the processing of other data, that is, if someone is the subject of an ongoing investigation and the medical data forms the final piece of information that AIVD needs to properly identify a threat. If the AIVD encounters medical data that we are not allowed to view, we will immediately remove it.

Careful consideration is always given when sharing data about a journalist with foreign services. This also takes into account the [societal] function of an individual and the protection of their privacy and security. If the services determine that a journalist is present in data collections, they will not share that data unless it is necessary for national security. [FOOTNOTE 6: Kamerbrief met reactie op raadgevend referendum Wiv, dossier 34588, nr. 70]

Impact on our work

The core of our work consists of acquiring and processing data. The new law and the additional safeguards for citizens in the form of, among other things, independent ex ante oversight and stricter retention periods have led to extra efforts for us.

As is apparent from this annual report, the geopolitical developments and the threat assessment also demanded great commitment from our employees. It has proved difficult to combine implementation of the new law with a non-decreasing commitment to operational task performance. The impact of the implementation was greater than initially anticipated.

For example, the ex ante approval process by the TIB required habituation. In an interim report from the TIB in November 2018, the TIB indicated that they rejected approximately 5% of the requests for approval. [FOOTNOTE 7: Voortgangsbrief Toetsingscommissie Inzet Bevoegdheden, TIB, 1 November 2018.]

In addition, at the request of the government, the Review Committee on the Intelligence and Security Services (CTIVD) carried out a baseline measurement and published a report on it. This critical progress report, released in early December, gave a first insight into progress of the implementation of the new law. [FOOTNOTE 8: Voortgangsrapportage Commissie van Toezicht op de Inlichtingen- en Veiligheidsdiensten over de werking van de Wiv 2017; CTIVD, 4 December 2018.]

The CTIVD’s investigation focused on elements of modernized powers such as the duty of care, responsible limitation of data processing, and OOG interception (including automated data analysis).

The committee also looked at the other parts of the law that provide for the protection of citizens. The CTIVD investigated the available possibilities for submitting a complaint or reporting abuse.

The CTIVD indicated in its progress report where the service ran the risk of unlawful acts. She based her judgment on the policy and procedures as they were designed and set up at that time. The CTIVD did not find actual cases of an illegal act.

The committee also described in its report that many parts of the law are very complex, such as the principle of data reduction. This involves the destruction of data that appears to be irrelevant. This requires the necessary adjustments in the system and in technical implementation.

The reports from the TIB and the CTIVD gave us the signal to establish implementation of all facets of the law as a priority for 2019, in addition to our primary duties. We seek a considerable reduction of the risks identified by the TIB and CTIVD in their next reports.

Read more at [only available in Dutch].

Appendix: statistics [in original Dutch; not translated]




Dutch MoD Defense Cyber Strategy 2018: “Investing in digital military capability” (unofficial full translation)

On 12 November 2018, the Dutch minister of defense released (in Dutch) the MoD’s Defense Cyber Strategy 2018. The initial strategy was released in 2012 and revised in 2015. The new strategy document (.pdf, in Dutch; mirror) is available only in Dutch, as were previous ones. In the post you’re reading now I provide a single-page, unofficial translation of the entire text (~3500 words). A single-page plain text version in Dutch is available here.

Some takeaways (do read the entire text; these takeaways are not a summary):

  • The MoD wants to (publicly) confront perpetrators of cyber attacks with their behavior more often — an example of this was the public outing of a Russian cyber operation on 4 October 2018 — because a state actor “who is (publicly) held accountable for his actions will make a different [risk] assessment than an attacker who can operate in complete anonymity.”
  • The MoD will invest (more) in offensive capabilities, among others for the purpose of attribution (see previous bullet).
  • The MoD is conducting a study into the design, formation and organization of a Cyber ​​Innovation Hub to be set up in 2019, in which government departments, research institutes and companies work together on joint and prioritized security issues in the field of cyber security.
  • As of 2019, the MoD will invest ±6.5 million euros per year in cyber research. This is an increase from the 4 million euros invested in previous years.

Google Translate was used for initial translation of the bulk text, which I then compared line-by-line to the original Dutch text. I corrected translation weirdness and errors (of which there were quite a lot; a reminder that automated translation should not be fully relied upon when details matter), added a few horizontal lines as separators for clarity of exposition / readability, made minor modifications to make the text intelligible to non-Dutch readers, added hyperlinks for easy referencing, and added minor explanation and/or links within [square brackets]. Feel free to contact me with questions or corrections.

I’m committed to the motto “cool URIs don’t change“, so the link you’re currently visiting can be considered a permalink, suitable for use as reference in bibliography if needed/desired.

Dutch MoD Defense Cyber Strategy 2018: “Investing in digital military capability”

Table of Contents


Chapter I: The MoD’s contribution to digital security of the Netherlands and NATO

Chapter II: Winning digitally in military operations

Chapter III: Prerequisites: personnel, knowledge development and innovation, cryptography


Our country must be able to rely on the ministry of defense when needed. Acting against serious digital threats to our security, both nationally and internationally, is part of this.

With the deterioration of international security and the tightening of geopolitical conflicts of interest, the MoD’s contribution to our digital security has become even more important. The Cyber ​​Security Assessment Netherlands (CSAN) 2018 shows that the biggest digital threat to our national security comes from nation states. This has consequences for what is expected from the MoD. Moreover, our increasingly digitized country must be prepared for advanced digital threats in the event of an unforeseen military conflict. The MoD has to take responsibility, both at national level and in NATO.

The present Defense Cyber ​​Strategy is established within the framework of the Defense Memorandum, the Integrated Foreign and Security Strategy (GBVS) and the National Cyber ​​Security Agenda (NCSA), and contributes to the implementation of these strategies. It builds on the foundation provided by the first Defense Cyber ​​Strategy in 2012, which initiated the establishment of the Defense Cyber ​​Command (DCC) [read more] and the Joint Sigint Cyber ​​Unit (JSCU) [read more] of the General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service (MIVD), and the strengthening of the Defense Computer Emergency Response Team (DefCERT) and Royal Netherlands Marechaussee. Many steps have been taken since 2012. It is now time to accelerate and connect.

The expanded financial budget established in the coalition agreement, rising to 20 million euros annually per 2021, enables this.

On the basis of this strategy, the MoD invests in cyber capabilities to:

  • Be in charge of its own IT and weapon systems at all times and to ensure its digital resilience. This will remain an important point of attention in the coming years.
  • Even better to know who is threatening our national security in the digital domain. The MIVD plays an indispensable role together with the AIVD.
  • Have more possibilities to disrupt or deter digital attacks.
  • Cooperate with civil partners to ensure the safety of the Netherlands and of our vital infrastructure, and to ensure continuity of vital processes in the event of an unexpected military conflict involving the use of digital attacks.
  • Deploy digital means in a targeted manner to obtain and retain dominance during military operations.

The achievement of digital power for the Netherlands is an ambitious goal. But it is a necessary ambition, given the core tasks of the MoD in protecting its own territory and NATO territory, promoting international legal order, and supporting civil authorities.

Chapter I: Defense’s contribution to the digital security of the Netherlands and NATO

State actors and criminal groups are becoming less and less reticent in the digital domain. Cyber ​​attacks and incidents occur on a daily basis. They can no longer be regarded as isolated. Increasingly, interrelated incidents occur, which together form a campaign of state actors and their proxies, intended to undermine our economy, vital infrastructure, military capabilities, and the democratic order of countries. It should also be taken into account that certain states are targeting industrial control systems in vital sectors in preparation for a possible military conflict. These are activities or operations aimed at creating the conditions for a military operation (shaping the battlefield). The MoD has a responsibility to act on this, in close consultation with civil partners. What is clear, however, is that if an (imminent) cyber attack takes place on such a scale that it can be seen as an (imminent) armed attack, every state has the right to defend itself under international common law and Article 51 of the UN Charter.

Proper defense and security are not enough to keep malicious persons from digital attacks. More and more allies are taking a more active stance in the digital domain (active defense). In the context of both the first and third core tasks of the MoD, a more active defense contribution is necessary within existing structures. To reinforce this, the MoD will invest in the following capacities and concepts during the coming years:

  1. Information: capacity to act and attribution
  2. Contribute to deterrence by military assets in the digital domain
  3. Digital resilience and protection of own networks and systems
  4. Research into national fallback options
  5. Military assistance and support to civilian authorities
  6. Law enforcement (Royal Netherlands Marechaussee)

1 Information


The vast majority of digital attacks can be thwarted by the IT or CERT organization of the affected party. To counter the covert, persistent digital attacks by state actors (Advanced Persistent Threats, APTs), however, (counter-) intelligence research is also required. This research provides unique information with which effective defensive measures can be taken. The MIVD makes information about digital threats available to relevant actors inside and outside the MoD who can take measures based on this, such as DefCERT, the Public Prosecution Service, the National Cyber ​​Security Center (NCSC), and companies. To detect digital espionage or sabotage, technical characteristics acquired by the MIVD and AIVD about cyber attacks can be used in the National Detection Network (NDN). The NDN is a partnership that aims to detect digital threats against vital sectors and the national government better and faster, so that damage can be prevented or limited. The contribution of the MIVD to the NDN will be expanded. New defense tools will be used to develop an active defense against digital attacks. In addition, the number of sensors is being expanded to enable digital attacks to be detected better and faster and to investigate and respond effectively to the threats. In addition to participating in the NDN, the MIVD, as announced in the NCSA, will also participate in the cooperation platform involving NCSC, AIVD and police to quickly share relevant (technical) information about cyber threats at a joint location. In addition, information forms the basis of military capability in the cyber domain. Offensive cyber capabilities build on the intelligence/information position. On the basis of intelligence from the MIVD, the Defense Cyber ​​Command can design military capabilities. Finally, within the framework of the Intelligence and Security Services (ISS) Act [in Dutch: ‘Wiv2017’], the MIVD can also act itself on the basis of intelligence to disrupt acute threats in the digital domain.


The increasing cyber threat requires a strong, international response based on international agreements. The status quo is still insufficient. The cabinet wants to (publicly) confront perpetrators of cyber attacks with their behavior more often. This requires detection, and then political, and possibly legal, attribution. Determining who is the actor behind a cyber operation (technical attribution) is therefore an indispensable and complex aspect that requires intensive research. By means of high-quality and knowledge-intensive intelligence research, the MIVD, in collaboration with partners such as the AIVD and the police, tries to discover the actor behind a cyber attack and the actor’s intentions, so that the cabinet can proceed to political attribution and take targeted countermeasures. An active political attribution policy contributes to deterrence and making the Netherlands less attractive as a target of cyber attacks. A state actor who is (publicly) held accountable for his actions will make a different assessment than an attacker who can operate in complete anonymity. The Netherlands thereby contributes to combating impunity in the digital domain.

2. Contribute to deterrence by military assets in the digital domain

Deterrence means that an opponent refrains from (repeating) an attack because he is convinced that costs do not outweigh benefits. Deterrence is not domain-bound, in other words: attacks from another domain can be deterred with cyber resources, and conversely, deterrence of cyber attacks can come from other domains. The operational capacities of the Defense Cyber ​​Command contribute to the total arsenal of deterrence means available to the government. Deterrence makes the Netherlands a less attractive target for (cyber) attacks and is above all a means for conflict prevention. In addition to the ability to attribute attacks, deterrence requires credible offensive capabilities. Through integration in (ongoing) missions and operations, the MoD will work on the visibility and credibility of its digital military capabilities.

NATO is the cornerstone of Dutch security policy for the government. The Netherlands has made a strong case with other allies for the alliance of cyberspace as a military domain. The alliance recognized this at the Warsaw Summit in 2016. Since then, a lot of work has been done to operationalize the digital domain, for example by designing a mechanism for integrating cyber capabilities into NATO missions and operations. This will contribute to the collective task of defense and deterrence. Therefore, at the NATO summit in Brussels in July 2018, the Netherlands declared its willingness to contribute with cyber capacities to allied missions and operations.

3. Digital resilience and protection of own networks and systems

In order to be able to contribute to the digital security of the Netherlands and to guarantee the safe and effective deployment of the Dutch armed forces, it is necessary that the MoD’s own digital resilience adapts to threats. Deployment of the armed forces is therefore regarded as a vital process within the framework of vital infrastructure. The IT systems of the MoD are fully intertwined with business operations, command systems, and sensor and weapon systems. The MoD is dependent on these IT systems and the information available on them. Cyber ​​attacks against IT, sensor, weapon and command systems can undermine deployability and effectiveness of the armed forces. A high level of security awareness and effective protection of systems and networks therefore require sustained effort. Preventive measures form the necessary basis for digital resilience, the combination of awareness, prevention, detection and capacity to act. In order to protect MoD systems, these measures must be implemented across the entire IT chain, from software development to network protection. This also places high demands on the personnel working on the design, security, use and maintenance of IT systems. The knowledge of the staff must be up-to-date, and the staff must have access to the latest techniques.

All defense departments involved must make every effort to protect the MoD from cyber threats. The defensive cyber chain consists of several layers, spread over the entire defense organization. Cyber ​​governance and policy provide direction, focus and frameworks for the efforts in the cyber domain. Security by design means that implementation of security measures is already taken care of when designing IT systems. Security assessments analyze and assess systems for residual risks and compliance and supervision take place on compliance with policies and regulations. Security and surveillance focuses in particular on connections between the MoD and external networks. Incident response ensures mitigation of cyber incidents.

4. Research into national fallback options

It will be investigated which MoD facilities in collaboration with which parties can be used to keep critical processes running when there is a societal disruption of ICT as a result of a digital attack. Facilities such as the physically separated and secured fiber MoD network (the Netherlands Armed Forces Integrated Network, NAFIN) can play a role in this.

5. Military assistance and support to the civil authorities

To contribute to national security, the MoD will strengthen the implementation of the third core task in the digital domain by making a greater contribution to existing civil structures. In view of the nature of the threats, the MoD is focusing in particular on vital infrastructure through more intensive cooperation with the responsible security partners, in particular the NCSC. Supply and demand of cyber capabilities of the MoD are identified in consultation with civil authorities and public and private partners. By being involved in sector-specific developments and threats at an early stage, the MoD will be able to switch to providing assistance and support more effectively if necessary. To achieve this, the MoD wants to make a larger and more tangible contribution to existing civil structures in the field of information sharing and response.

Information sharing

Information Sharing and Analysis Centers (ISACs) [more here; in Dutch] have been set up to create a familiar environment in which organizations from the same sector can share tactical information about (sector-specific) cyber threats, incidents, experiences and mitigating measures, with the aim of strengthening digital resilience. Participants in an ISAC have a pivotal role within their own organization in the field of information security, ICT security, and policy. The NCSC, the AIVD, and the police are connected to most ISACs. The Royal Netherlands Marechaussee is a permanent partner in the Airport ISAC. The permanent network that an ISAC entails and the information that is exchanged is an important added value for all participants. Due to their nature and composition, ISACs offer an ideal platform for gaining more knowledge about sector-specific cyber threats and opportunities of the MoD to contribute to mitigating measures if necessary. The MoD, in consultation with the NCSC and members of the ISACs, will explore whether the MoD’s involvement in the ISACs can be intensified.


The National Response Network (NRN) is a network of CERT organizations, coordinated by the NCSC, with the aim of strengthening technical responses to cyber security incidents. This is done by exchanging knowledge, experience and personnel. This way, cohesion is organized and existing capacities are strengthened. In addition to the NCSC, the current NRN partners include DefCERT, Tax Authorities, Rijkswaterstaat, SURF, and the Information Security Service of municipalities. The MoD will actively contribute to the NRN and strive for expansion of the network. The MoD will also commit to use the NRN as a platform for exercises with vital sectors and the NCSC. Joint exercises ensure that organizations become familiar with each other’s procedures, interests and working methods and can therefore collaborate more effectively if a calamity actually occurs.

6. Law enforcement (Royal Netherlands Marechaussee)

The MoD has a management responsibility in the execution of the police tasks of the Royal Netherlands Marechaussee. The Royal Netherlands Marechaussee must also be equipped in face of increasing cyber threats. In particular the digitization of border processes and increasing digital identity fraud generate risks. Risks that must be controlled by both a better defense and investigation. For the implementation of this, the Royal Netherlands Marechaussee will enter into partnerships with, among others, the police and FIOD.

Chapter II: Digital winning in military operations

Article 97 of the Constitution for the Kingdom of the Netherlands that a Dutch armed force exists, including for “the purpose of maintaining and promoting the international legal order.” The reference in this article to the international legal order is closely linked to Article 90, which states that the government will promote international rule of law. Partly because of increased instability in countries on the edges of Europe, this second core task will also require a lot from the MoD in the coming years. Due to the undermining of the international legal order, the open and free international (trade) flows are also at stake. Safeguarding supply routes on land, at sea, in the air and in the digital domain is an interest of the international community to which the government is committed. The Netherlands is committed to promoting the international legal order, conflict prevention and stabilization.

The Netherlands also contributes to this by taking an integrated approach to military missions and operations in an alliance.

The digital domain will play an important role in every future conflict and the government determines that for the effective execution of the second main task of the armed forces in the digital domain, further development of cyber capacities is necessary. In order to create more dominance in the digital domain when deploying the armed forces for the promotion of the international legal order, Defense will further invest in the following capacities and concepts in the coming years.

1. Creation of composite cyber mission teams

As part of the military capability, cyber capabilities can contribute to military missions and operations. To enable military action in the digital domain, in-depth knowledge must be available at an early stage about vulnerabilities within systems of potential opponents. Based on its statutory tasks, the MIVD supports the DCC with information that is necessary for an effective military deployment in the digital domain. Because intelligence and military operations in the digital domain require similar knowledge and skills, cyber mission teams, consisting of both MIVD personnel and staff of the armed forces, are formed on an international basis. The designated employees operate within the framework of the ISS (in Dutch: Wiv2017) and are placed under the command of the Commander of the Armed Forces within the relevant mandate when deploying the armed forces. If necessary, components from DefCERT and the operational commands will also be added to these teams. In order to be able to test military deployment in the cyber domain for legitimacy, the Royal Netherlands Marechaussee is investing in knowledge-building in this area.

2. Cyber ​​capacities as a fixed component in military planning

The digital aspect is taken into consideration at an early stage of the planning phase of each (potential) mission. This is expressed in (military) advice and analysis by the Operations Directorate and subsequent (operation) planning. When the armed forces are actually deployed to maintain and promote the international legal order, Article 100 of the Dutch constitution applies to the provision of information to the Dutch States General. Article 100 states that the government is obliged to inform the States General in advance of “the deployment or the provision of the armed forces for the maintenance or promotion of the international legal order.” ‘Article 100 letters’ will from now on include a cyber paragraph when relevant to a mission. This paragraph lays down, within the limits of what can be shared publicly, what contribution military cyber capabilities make to the mission or operation in question. In this way, the MoD is promoting awareness, inside and outside its own organization, of the increasing importance of the digital domain as a fully-fledged domain of military action.

Chapter III: Conditions: personnel, knowledge development and innovation and cryptography

The present strategy outlined the developments and priorities that should lead to the MoD being able to effectively implement its three main tasks in the digital domain. This will not be possible without giving substance to the conditions that apply to all these measures: personnel, knowledge development and innovation, and cryptography.


To be successful in the digital domain, in-depth knowledge of the domain is indispensable. Cyber ​​and IT professionals have the necessary knowledge and experience. Because of the scarcity of specialists on the labor market, it is not evident that the MoD will always have access to that knowledge. In the coming period, the MoD will investigate possible solutions to improve recruitment and retention of cyber professionals, both military and civilian. Attention is paid to connecting cyber and IT professionals. By establishing career paths, improved insight into the entire human cyber potential can be created and directed more focused on recruitment, retention and career. Also, the use of exchange facilities inside and outside (including market parties) the MoD ensures that the knowledge of cyber professionals remains current, employees are more satisfied and the network of cyber professionals is strengthened.

To offer cyber and IT professionals opportunities for development within the domain, functions will be categorized. In order to prevent competition within the government and promote interoperability, the MoD is committed to uniform job descriptions and equivalent valuations for cyber and IT professionals.

Knowledge development and innovation

Knowledge development and innovation in the field of cybersecurity is necessary to stay ahead of opponents and to cope with new digital threats. Moreover, a high-quality, autonomous knowledge position makes Defense less dependent on cybersecurity expertise and solutions from others. In the NCSA, knowledge development is therefore also mentioned as one of the seven main ambitions in the area of ​​cyber security for the coming years. This concerns both fundamental and applied cybersecurity research. This means multidisciplinary research in the entire knowledge chain that looks at solutions for both the longer and the shorter term. Therefore, in 2018 Defense has also become a member of the Dutch Cyber ​​Security Platform for Higher Education and Research (Dcypher). This platform provides, among other things, for the agenda and coordination of cybersecurity research and higher education.

The recently published third edition of the National Cyber ​​Security Research Agenda (NCSRA) [.pdf] is an important framework for cybersecurity knowledge development in the Netherlands. The MoD has actively contributed to the creation of this agenda. As of 2019, the MoD will expand available means for research in the field of cyber. The MoD will invest almost 6.5 million euros per year in cyber research from 2019 onwards, which is an increase from the 4 million euros in previous years. Where possible, this is done together with other departments, as also announced in the Dutch Digitization Strategy.

Together with a number of other parties, the MoD is conducting a study into the design, formation and organization of a Cyber ​​Innovation Hub to be set up in 2019, in which government departments, research institutes and companies work together on joint and prioritized security issues in the field of cyber security. The aim of the Cyber ​​Innovation Hub is to strengthen cyber knowledge and expertise in the Netherlands, to facilitate innovations and experiments.