Month: November 2011

Trust, Privacy & Security in Dutch Govt “I-Strategy” 2012-2015

UPDATE 2017-12-19: the Dutch gov’t released (in Dutch) the successor to the I-Strategy 2012-2015, entitled “Strategische I-agenda Rijksdienst 2017”, which (loosely) translates to “Strategic I-Agenda Federal Government 2017”.

UPDATE 2012-03-06: according to the 2012 eGovernment report (.pdf) issued by the United Nations, the Dutch effort in eGovernment ranks #2 in the world. The Republic of Korea ranks #1.
 
UPDATE 2011-12-19: the Dutch Scientific Council for Government Policy (WRR) published an English translation of the famous iOverheid report. Here it is! 

On November 15th 2011, the Dutch government published (.pdf) their “I-Strategy” information strategy for 2012-2015. Below is my careful translation of the “Trust and Information Security” section. Any unnatural use of the English language is due to me translating as literal as possible, avoiding (mis)interpretation. Hyperlinks and parts between […] are mine.

Trust and Information Security
The Dutch cabinet wants citizens to be able to trust the way in which the Dutch government handles the storage and use of digital data. The government is responsible for reliability of the information that is used, and for diligent and legal use of data received from third parties. To accomplish this, permanent investment is needed in the government’s defensibility [Dutch: “weerbaarheid”] against (un)intentional breaches, in increasing the capacity to recover in case of unhoped-for successful breaches and in processes concerning the handling of privacy-sensitive data. Part of increasing the defensibility is having solid information security concepts. An important aspect of that is the investment in data security, in addition to device and network security. That enables device independent laboring (including bring or choose your own device). Wherever specific security requirements apply for classified information, the knowledge and expertise of the Dutch General Intelligence and Security Service (AIVD) will be used. Network security will be improved by reducing the number of internet connections that the government [Dutch: “rijksdienst”] has. That will be done through a government-level shared internet connection [Dutch: “Rijksinternetverbinding”]. This leads to simplified maintenance, higher quality, cost reduction and risk mitigation. A second aspect is the change from unconscious risk-aversion to conscious and responsible risk management. Employees should be able to, and want to, handle information safely. The desired use of self-selected means, combined with the enormously increased possibilities to communicate (social media), mean that a civil servant in 2011 must be more conscious than ever about the risks involved in the use of digital means, and thus also understand them. The government [Dutch: “Rijksdienst”] will support employees by providing adequate means and clear rules and advise. Also, the ensuring of common agreements about information security with internal and external parties needs to be strengthened. That will be, among others, realized by harmonizing the process and the elements of the oversight of compliance. As announcement in the letter about DigiNotar (26643, nr. 189), the Minister of Security and Justice will develop mandatory breach notification for IT incidents for organizations fulfilling crucial societal functions. Such a form of transparency increases the trust in the security of the government [Dutch: “Rijksdienst”]. An optimal capacity to recover is essential to quickly rehabilitate from the consequences of breaches of IT infrastructure. For that, additional instruments will be developed that enable the government to intervene sufficiently. Here too, framework and oversight are essential instruments. There will also be looked at further strengthening of research and expertise at the government, as has also been done in the [Dutch] National Cyber Security Strategy (NCSS) (.pdf).

In context of the Compact Government program [Dutch: “Compacte Rijksdienst”] will, under responsibility of the Minister of Security and Justice, be worked toward development of one government-wide [Dutch: “rijksbrede”] operational IT security function, that ensures scarce knowledge and expertise. To that end, the development of the National Cyber Security Center as announced in the NCSS will be joined.

Following the iGovernment report [Dutch: “iOverheid” (.pdf)] from the Dutch Scientific Counsil for Government Policy (WRR), the government decided to, as stated in the government response to WRR report (26 643, nr. 211), expand existing measures related to the governance of large IT projects with measures for the protection of privacy. The ministerial CIO’s play a central role in that. The expansion is planned as follows. The current requirements for the content of project plans for large IT projects (26 643, nr. 135) will be supplemented with the demand to state whether the project involves privacy-sensitive data and linkage or data enrichment. The project plan will state, with arguments, whether a Privacy Impact Assessment or a similar instrument applies. This information will be used in establishing a risk profile for the project, that will be done by the client and the departmental CIO. This risk profile partially determines whether the project will be reported to Parliament [Dutch: “de Kamer”] through the annual business report [Dutch: “Jaarrapportage bedrijfsvoering”] and the government’s IT dashboard (Rijks ICT-dashboard). If the risk profile results in the observation that the project is high-risk, the project will be included in this report and the dashboard.

The departmental CIO considers, as usual, all information from the project plan in his assessment at the beginning of a project, or during its execution. If this assessment relates to the use of privacy-sensitive data and linkage or data enrichments, the departmental CIO will seek advise from the data protection officer, that has been appointed in every Ministry and oversees the application and enforcement of the Dutch Data Protection Act. The IT project clients are obliged to report changes related to the use of privacy-sensitive data and linkage of data enrichments to the departmental CIO, who will decide whether a new assessment is needed. This expansion of the requirements related to the governance of IT projects will stimulate the diligent use of privacy-sensitive data, increase the involvement of the departmental CIO and ensure the information supply to the Parliament [Dutch: “de Kamer”].

The current Dutch administration seems to have well-informed attention for both security and privacy. The consistent use of the clause “privacy-sensitive data and linkage or data enrichment” (Dutch: “privacygevoelige gegevens en koppelingen of verrijking daarvan“) may characterize pending rules concerning privacy protection. The well-reasoned criticism against careless use of personal data expressed in the iOverheid report has apparently had significant impact. Personally, I’m very pleased with this section of the Dutch I-Strategy 2012-2015.

Protecting Against Espionage: U.S. & Netherlands

UPDATE 2012-06-07: 

 


 

====== START OF ORIGINAL BLOGPOST FROM 2011-11-17 ======

In October 2011, the U.S. Office of the National Counterintelligence Executive (ONCIX) published the Report to Congress on Foreign Economic Collection and Industrial Espionage 2009-2011 (.pdf). Earlier, Dutch intelligence service AIVD published an analysis of vulnerability to espionage (.pdf). I cite the Executive Summary of both reports below, intending to give these publications a little extra exposure.

1/2. U.S.-NCIX: “Report to Congress on Foreign Economic Collection and Industrial Espionage 2009-2011”

Executive Summary

Foreign economic collection and industrial espionage against the United States represent significant and growing threats to the nation’s prosperity and security. Cyberspace—where most business activity and development of new ideas now takes place—amplifies these threats by making it possible for malicious actors, whether they are corrupted insiders or foreign intelligence services (FIS), to quickly steal and transfer massive quantities of data while remaining anonymous and hard to detect.

US Technologies and Trade Secrets at Risk in Cyberspace

Foreign collectors of sensitive economic information are able to operate in cyberspace with relatively little risk of detection by their private sector targets. The proliferation of malicious software, prevalence of cyber tool sharing, use of hackers as proxies, and routing of operations through third countries make it difficult to attribute responsibility for computer network intrusions. Cyber tools have enhanced the economic espionage threat, and the Intelligence Community (IC) judges the use of such tools is already a larger threat than more traditional espionage methods.

Economic espionage inflicts costs on companies that range from loss of unique intellectual property to outlays for remediation, but no reliable estimates of the monetary value of these costs exist. Many companies are unaware when their sensitive data is pilfered, and those that find out are often reluctant to report the loss, fearing potential damage to their reputation with investors, customers, and employees. Moreover, victims of trade secret theft use different methods to estimate their losses; some base estimates on the actual costs of developing the stolen information, while others project the loss of future revenues and profits.

Pervasive Threat from Adversaries and Partners

Sensitive US economic information and technology are targeted by the intelligence services, private sector companies, academic and research institutions, and citizens of dozens of countries.

  • Chinese actors are the world’s most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the IC cannot confirm who was responsible.
  • Russia’s intelligence services are conducting a range of activities to collect economic information and technology from US targets.
  • Some US allies and partners use their broad access to US institutions to acquire sensitive US economic and technology information, primarily through aggressive elicitation and other human intelligence (HUMINT) tactics. Some of these states have advanced cyber capabilities.

Outlook

Because the United States is a leader in the development of new technologies and a central player in global financial and trade networks, foreign attempts to collect US technological and economic information will continue at a high level and will represent a growing and persistent threat to US economic security. The nature of the cyber threat will evolve with continuing technological advances in the global information environment.

  • Over the next several years, the proliferation of portable devices that connect to the Internet and other networks will continue to create new opportunities for malicious actors to conduct espionage. The trend in both commercial and government organizations toward the pooling of information processing and storage will present even greater challenges to preserving the security and integrity of sensitive information.
  • The US workforce will experience a cultural shift that places greater value on access to information and less emphasis on privacy or data protection. At the same time, deepening globalization of economic activities will make national boundaries less of a deterrent to economic espionage than ever.

We judge that the governments of China and Russia will remain aggressive and capable collectors of sensitive US economic information and technologies, particularly in cyberspace.

The relative threat to sensitive US economic information and technologies from a number of countries may change in response to international economic and political developments. One or more fast-growing regional powers may judge that changes in its economic and political interests merit the risk of aggressive cyber and other espionage against US technologies and economic information.

Although foreign collectors will remain interested in all aspects of US economic activity and technology, we judge that the greatest interest may be in the following areas:

  • Information and communications technology (ICT), which forms the backbone of nearly every other technology.
  • Business information that pertains to supplies of scarce natural resources or that provides foreign actors an edge in negotiations with US businesses or the US Government.
  • Military technologies, particularly marine systems, unmanned aerial vehicles (UAVs), and other aerospace/ aeronautic technologies.
  • Civilian and dual-use technologies in sectors likely to experience fast growth, such as clean energy and health care/pharmaceuticals.

Cyberspace provides relatively small-scale actors an opportunity to become players in economic espionage. Under- resourced governments or corporations could build relationships with hackers to develop customized malware or remote-access exploits to steal sensitive US economic or technology information, just as certain FIS have already done.

  • Similarly, political or social activists may use the tools of economic espionage against US companies, agencies, or other entities, with disgruntled insiders leaking information about corporate trade secrets or critical US technology to “hacktivist” groups like WikiLeaks.

2/2. Netherlands-AIVD: “Analysis of vulnerability to espionage”

Executive Summary
The Dutch Minister of the Interior and Kingdom Relations (BZK) acknowledges that economic, strategic, technical and scientific espionage form a current threat to Dutch national safety and security. To gain a deeper understanding of this threat, and in order to make recommendations for its further reduction, the General Intelligence and Security Service of the Netherlands (AIVD) and the Directorate General for Safety and Security (DGV) at the Ministry of BZK have jointly analysed the risks from espionage in the areas of economic welfare & scientific potential, public administration and critical infrastructure. In the process of conducting its counterespionage analyses, the AIVD has observed that a number of foreign intelligence services are actively gathering information in sectors within these areas of attention.

Through various interviews and through use of available intelligence data from the AIVD, information and data were identified that would harm the Dutch national security if attained by foreign intelligence services/governments. Such data or collections of data are referred to in this report as core interests. The various ways in which core interests are vulnerable to espionage are referred to as vulnerabilities. These too have been analysed. As a result, the analysts concerned make a number of general recommendations based on the insights and conclusions described in this report. These recommendations point the way towards a follow-up policy trajectory under the umbrella of the Dutch national strategy of safety and security. In this follow-up policy trajectory the general recommendations will have to be made concrete and assigned to action owners.

Core interests

The analysis reveals that core interests can be found in all sectors investigated. These core interests can roughly be divided into the following categories:

  • Datasets and blueprints: this relates to databases, designs and drawings in organisations;
  • Positions and strategy: for example, policy premises, long-term philosophy and negotiating strategies;
  • Emerging core interests and infrastructure: for example, scientific innovations that may be able to make important contributions to the Dutch economy in the future.

Vulnerabilities

The most important pretexts for espionage activities by foreign intelligence services can be categorised as ‘people’ and ‘technology’. Intelligence services try to obtain information relevant to them via people who have direct or indirect access to this information or by deploying technical devices in order to hack, tap or monitor. The various ways of intercepting telecommunications form a significant vulnerability in this context. The analysis also reveals that the increasing interconnectivity and complexity of computer systems and the linking of data storage systems increase vulnerability of sensitive data. Outsourcing activities such as system and server management, data warehousing and data processing likewise carry the risk of espionage.

Targeted policy in both the private and public sector can serve to strengthen resistance to espionage and make the core interests of the Netherlands more secure. The quality of this policy will determine the extent to which core interests are vulnerable to intelligence activities. The analysis shows that certain policy decisions have inadvertently increased vulnerability to espionage activities in a few sectors. The promotion of knowledge migration from and to the Netherlands, for instance, has had the undesirable side-effect of enabling intelligence officers to conceal themselves relatively easily among the student population.

Counteracting intelligence activities requires those who are at risk of being spied on to be aware of the fact that they may be interesting to foreign services. It also requires them that they are aware of how intelligence activities are carried out. The analysis shows that awareness of espionage in the sectors concerned is often low. This limited awareness is visible on three levels:

  • Awareness of the value of information: organisations and individual workers sometimes fail to realise, or insufficiently realise, the value of the information they possess or to which they can obtain access;
  • Awareness of security: the security and safety of core interests do not always command sufficient attention in organisations; other considerations often take priority in their policy;
  • Weighing up interests: short-term organisational interests and/ or government interests are (often) given precedence over long-term interests. The defection of strategic knowledge or activity relevant for long-term Dutch national safety and security to other countries is given insufficient attention.

Recommendations

Based on these conclusions, three main recommendations are made for further strengthening resistance to espionage:

  • Actively strengthen awareness among managers and workers in government, industry and institutions of the value of the information they have and of the possible interest foreign governments may have in this information.
  • Work on changing the culture around security. In this respect users, the organisation of data flows and databases and the techniques used for detecting incidents are important focus areas.
  • When formulating policy, pay explicit attention to protecting core interests and the effects of policy on the Netherlands’ interests in the longer term. These recommendations are illustrated in chapter 10 with a number of possible, more concrete prospects for action. It is not within the remit of the analysis to make such actions more concrete or assign them; this will have to be done by the policy departments concerned in a follow-up policy trajectory.

More resources for the Netherlands: