Month: July 2012

The Dutch Defense Cyber Strategy of 2012

UPDATE 2018-11-15: the Dutch Defense Cyber Strategy of 2015 has been revised.

UPDATE 2015-02-23: the Dutch Defense Cyber Strategy of 2012 has been revised; seven priorities replace the six priorities set in 2012.

UPDATE 2014-10-22: The Dutch Defense Cyber Command exists as per September 25th 2014. Details here.

Here is an unofficial translation of the entire Dutch Defense Cyber Strategy document (.pdf, in Dutch) that was published by the Ministry of Defense on June 27th 2012. Don Eijndhoven already wrote a proper (English) piece about this on June 29th.

The below is an as-literal-as-possible translation of the entire Defense Cyber Strategy document. Also see here my translation of the entire speech given by the Secretary of Defense when presenting the Defense Cyber Strategy.

Dear Dutch govt, if you are reading this: please start publishing cyber-related policy documents in English (as NCTV and NCSC sometimes already do, but the MoD still doesn’t).

Hyperlinks and parts between [] are mine.

If you see spelling/grammar errors, please drop me a line at koot at uva dot nl.

Introduction
The digital domain [0] is, next to land, air, sea and space, the fifth domain for military acting. This domain and the application of digital means as weapon or means of intelligence are undeniably developing strongly. Digital means will increasingly be an integral part of military acting and lead to modernizations. The dependence on digital means, however, also leads to vulnerabilities that need urgent attention. The impact on society of a large-scale cyberattack can be huge. The effects can, like a terror attack, result in large-scale upheaval and societal disruption. In the military domain, infrastructure and weapon systems can be affected such that there no longer is an effective defense. The Dutch armed forces draw the necessary conclusions from this and aspire to act as a ‘sword force’ in the digital domain too.

The three main tasks of the MoD [1] are leading for the efforts of the armed forces in the digital domain too. They must therefore be able to act against a digital threat to society or to international legal order. In that, there is an increasing overlap between the first and third main task. The separation between main tasks remains of importance, however, because the principles and procedures for the use of the armed forces are different for each task. The constitutional rules apply without limitation to the digital domain. The use of the armed forces will therefore be based on a government mandate in international operations and based on a request for assistance to civil authorities (usually the Secretary of Security & Justice).

To guarantee the deployability/availability of the armed forces and increase its effectiveness, the MoD strengthens its digital defensibility and develops the capability to perform cyber operations. For the coming years, the Defense Cyber Strategy provides direction, coherence and focus for the integral approach for the development of military capability in the digital domain. Therewith, the MoD implements the cyber intensification outlined in the policy letter Defense after the credit crunch [.pdf, in Dutch] and to the defense part of the National Cyber Security Strategy (NCSS) [.pdf, in English].

The armed forces want to make optimal use of the possibilities offered by the development of digital technology. This technology is already being used by the MoD on a large scale and enables it to perform its task more effectively and more adequately. For example, nearly all weapons systems function due to the use of IT components. Command and control, and logistical support rely heavily on digital systems. In addition, the information position and situational awareness of the armed forces are significantly improved using digital means. Digital networks and systems, including both weapon systems and measurement/control systems, and the information they carry, have become of vital importance to the armed forces.

The dependence of the armed forces on digital technology, however, also makes it vulnerable. It is essential that the MoD protects the reliability [2] of its own networks, systems and information, and prevents information theft. The MoD must remain vigilant and invest in high-end means and knowledge in order to keep the defense against digital attacks at the required level. The MoD also must get more insight into the threats that the MoD is exposed to in the digital domain so that it can protect itself against them effectively.

Considering that not only our own digital systems are vulnerable but also those of (potential) adversaries, the digital domain can also be used for (military) acting against an adversary or to improve one’s own intelligence position. Therefore, the MoD considers digital means specifically as operational capabilities — as weapon or means of intelligence — that must become an integral part of the operational power of the armed forces. That includes the protection of one’s own networks, systems and information during military operations, the use of offensive capabilities and the gathering of intelligence related to military operations. Because all parts of the MoD use IT intensively, far-reaching joint cooperation is necessary.

Due to the broad and multiform character of the digital domain and in order to use the MoD’s scarce means optimally, central control and coordination are needed of all activities associated with the military acting in the digital domain. The speed of developments in the digital domain is very demanding regarding the MoD’s adaptivity and innovation. The MoD must be able to implement new technology quickly and be able to cope with short cycles of innovation. The dynamics and complexity of the digital domain require continuous adjustment of (initial) needs for knowledge, expertise, skills and techniques, and way of acting.

As a result of the strong interconnectedness in the digital domain and the dependence on similar technology, an integral approach is also necessary at the national and international level. The classical separation of military and civilian, public and private and national and international actors is less clear in the digital domain. For example, national security can be threatened by a large-scale attack at a private organization. In defending against such a large-scale attack, cooperation between various parties is necessary, including with the victim organization itself, the National Cyber Security Center (NCSC), the intelligence services, law enforcement and possibly also the armed forces.

Priorities
Given this background, the Defense Cyber Strategy includes six priorities that will guide the MoD to achieve its goals in the digital domain:

1. the establishment of an integral approach;
2. the strengthening of digital defensibility of the MoD (“defensive”);
3. the development of the military capability to perform cyber operations (“offensive”);
4. the strengthening of the intelligence position in the digital domain (“intelligence”);
5. the strengthening of the knowledge position and the innovative power of MoD in the digital domain, including the recruitment and retaining of qualified personnel (“adaptive and innovative”);
6. the intensification of the cooperation at the national and international level (“cooperation”).

The development of the digital threat for the MoD

Due to its intensive use of high-end (satellite) communication systems, information systems, sensory systems, navigational systems, logistical systems and weapon systems, the Dutch defense organization is dependent on reliable internal and external networks and on digital technology. It is therefore vulnerable to digital attacks.

Various countries now possess offensive cyber capabilities for military purposes, or are in the process of developing them. Non-state actors too can be a threat to the armed forces by disrupting systems and information provisioning. In modern conflict, the distinction between combatants and non-combatants becomes vague, and so does the delineation of operational terrain. The acting by “adversaries” will increasingly often be in digital form and probably extends to the “home front”.

The biggest threat to the MoD in the digital domain on the medium-to-long term is due to high-end and complex digital offensive capabilities that are targeted at a specific (military) target and can severely limit the armed forces’ ability to act. A lack of knowledge about and lack of insight into digital possibilities to carry out attacks is a real risk to the armed forces.

Already today, armed forces and companies involved in the development and production of high-end military technology are continuously confronted with — attempts to — digital attacks and espionage activity. The strategic and economic value of the information in this sector is high. The MoD will have to be alert at an early stage to the covert introduction of vulnerabilities (“backdoors”) in information and communication systems. The complexity and number of components in systems increase this risk. Intelligence services very probably won’t hesitate to manipulate equipment prior to its delivery to potential opponents.

Priority 1: An integral approach
The MoD’s cyber capabilities are an important and real addition to existing military capabilities. The value of digital means is in the possibilities they offer to support and enhance acting across all lines and in all domains. Digital means strengthen the acting of the armed forces in all functions of military acting: logistics, command and control, intelligence, protection, maneuver and striking power. This strategy therefore assumes an integral approach both regarding supporting processes (readiness, operational support, maintenance) and operational deployment (both independent and as part of acting of other units, possibly under civil authority).

In the context of military operations, operational cyber capabilities will be used increasingly often, mainly to support conventional acting of the armed forces, but also as an independent weapon. It is necessary that operational cyber capabilities become part of the total military capabilities of the Dutch armed forces. For that, the MoD has to make significant investments in the strengthening of cyber capabilities. The MoD will not establish a separate military component of armed forces for acting in the digital domain. Eligible cyber capabilities will be brought together in 2014 as a joint unit in the Defense Cyber Command (DCC) that will become administratively part of the Royal Netherlands Army (CLAS) under ‘single service management’.

An operational cyber capability entails all knowledge and means required to predict, influence or disrupt adversary actions via digital means, and to defend oneself against similar cyber operations from the adversary, during operational deployment. This takes place via infiltration of computers, computer networks, weapon and sensory system software and software to gather information and intelligence and influence systems. An operational cyber capability thus entails deployable defensive, intelligence-related and offensive elements.

In the planning and preparation of operations, aspects that are relevant to the digital domain are also taken into account. The digital domain thereby is an integral part of the joint operational planning process. Here, both the potential influence of the digital domain on the ordered task and the effects that can be achieved via the use of cyber capabilities are taken into consideration. An operational commander therefore has his own capabilities and can request intelligence capabilities to gather cyber information, process it and provide it in time for the decision-making process. This entails both the threat against one’s own networks and systems and the possibilities to exploit the adversaries’ vulnerabilities. A good situational awareness in the digital domain is part of the total situational awareness of the commander.

For operation in the digital domain it is necessary that the mandate accommodates this, and that the Rules of Engagement describe how offensive cyber capabilities may be used.

Priority 2: Defensive
Networks and systems are vulnerable to attacks and disruptions, both from the inside and outside. The defense against this entails the protection of networks, the monitoring and analysis of data traffic, the identification of digital attacks and the response to them.

The MoD is evidently responsible for the security of its own networks and systems. The MoD has to be prepared for cyber threats and be able to protect itself against them in order to ensure the deployability/availability of the armed forces. The MoD therefore has to be familiar with the potential threats in the digital domain and the vulnerability of its own networks and systems. The MoD will therefore perform a risk analysis that will be the basis for establishing which minimal security measures are required. The measures to be taken and usability will need to be balanced, and a coherent set of staff, physical and information security measures will be pursued. Networks and systems processing and storing highly classified information will be subject to a stronger security regime. Unauthorized access to that data could, after all, result in (very) severe damage to the MoD, to the government or our allies. For networks and systems processing unclassified or lowly classified information, a smaller set of security measures suffices.

It has to be assumed that persistent and technologically highly developed adversaries will be able to compromise (parts of) networks and systems nonetheless. Establishing an all-encompassing digital defense is nearly impossible and, moreover, prohibitively expensive. Therefore, in the protection of one’s own digital infrastructure, as much flexibility as possible must be built in, both regarding the (passive) security of networks and the active response to an attack. Priority must be given to the protection of information and information exchange. In addition, systems must be defensible by being able to respond quickly to an attack and be able to adjust themselves to keep functioning.

The most important vulnerability that can result in the loss or compromise of information is usually due to improper and careless use of IT. Therefore it is necessary that every MoD-employee is aware of the risks associated with the use of digital means. Digital security awareness shall therefore be an integral part of all defense education programs. In addition, MoD-employees must be trained in working under circumstances in which they can temporarily not make use of the (full) functionality of networks and systems.

The MoD will (continuously) improve the protection of its networks and systems. This will be done by the Joint Information Provisioning Command (JIVC) that is being established and is expected to be operational in Q1/2013. The JIVC realizes adequate and high-end security and guards all networks and systems. Illegal and anomalous use will be noticed. The MoD’s Computer Emergency Response Team (DefCERT) guards the security of systems and networks, taking into account current threat levels. DefCERT, which will become part of the JIVC, must identify and analyze risks to and vulnerabilities of the most important MoD networks 24×7 and advise the MoD about security measures that need to be taken. DefCERT too has to have a proper cyber situational awareness. DefCERT therefore works together within the MoD with other parts of the JIVC and the Military Intelligence Service (MIVD). Outside of the MoD, they will cooperate with the NCSC, NATO and other CERTs and with companies that have specific knowledge or means. This can entail both information exchange and (personnel) support in case of calamities.

The available defensive cyber capabilities must be used both to protect the MoD’s IT-infrastructure and to protect the MoD’s unique weapon and sensory systems. These are capabilities for the protection of both MoD’s generic networks and systems by the JIVC and the operational networks and systems during deployment by the DCC. The MoD will also improve the reliability of weapon and sensory systems by improving the insight into digital vulnerabilities and by strengthening the control over development, the supply chain and use of IT components. Specific attention is given to procurement of both software and hardware for digital defensibility. During the procurement or development of new systems, potential risks to the reliability must be taken into account from the start. These risks have to be, if possible, mitigated by security requirements or security measures.

Priority 3: Offensive
Offensive cyber capabilities are the capabilities for the purpose of influencing or disrupting adversary actions. The MoD must have the knowledge and capabilities to act offensively in the digital domain, both to be able to establish an effective defense and to support operations.

This entails the development of (knowledge about) complex and high-tech means and techniques specifically aimed at enhancing one’s own military capabilities. A cyber attack on an air defense system can, for example, increase the effectiveness of one’s own air strikes while the risk of collateral damage is decreased.

An offensive cyber capability can be a force multiplier and therewith increase the effectiveness of the armed forces. By the development of a robust cyber capability the Netherlands can be a prominent player within NATO in this area.

The development of offensive operational capabilities is at a very early stage internationally. Much remains unclear about the nature of these capabilities, the possibilities that they can offer and the effects that can be achieved with them. Offensive cyber capabilities distinguish themselves from conventional military capabilities because they are often only usable once and mostly have a short lifespan. High-end cyber capabilities are barely comparable to generally known, relatively low-threshold and widespread methods of attack. They comprise complex means whose development requires very specific knowledge and is therefore costly and time-consuming. It is a challenge that it is hard to guarantee the desired effects because the adversary can at any moment discover its own vulnerability and protect itself.

In the development of offensive operational capabilities, the knowledge and means available at the MIVD will be used as much as possible. Considering the scarcity of qualified personnel, the knowledge and means must be used as effectively as possible, and it must be prevented that similar means are developed at the same time within the MoD. The knowledge, means and cooperative relations of the MIVD will therefore be used optimally in the development and use of offensive means by the Chief of Defense (CDS). The CDS can use these offensive means during military operation based on a mandate from the government. The legally required separation between the tasks and the responsibilities of the CDS and the MIVD remains intact. Offensive means can also be used to prevent or thwart a cyber attack and to ensure the freedom of one’s own ability of military action in the digital domain (‘active defense’). The DCC accounts for readiness of offensive cyber capabilities for operational use. The Taskforce Cyber will develop a doctrine for acting in the digital domain, develop use case scenarios and specify the effects and consequences of offensive means. This will be done through tests, training and practice, among others.

Priority 4: Intelligence
The rise of the digital domain and the increasing interconnectedness of systems have dramatically increased the possibilities for gathering information. The possession of a high-end intelligence position in the digital domain is a precondition both for the protection of one’s own infrastructure and for carrying out operations. The MoD must have insight into the threats in the digital domain to which it can be exposed in order to protect itself against them effectively. This requires insight both into the technical threat and into the possibilities and intentions of (potential) adversaries and attackers. The MIVD must therefore have intelligence capabilities to gather, analyze and report about this information. In addition, the MIVD has to have the capability to disrupt and put an end to intelligence activity of others. The intelligence activities of the MIVD will evidently be carried out within the legal framework.

In the next years, the MIVD will expand its capabilities for covertly collecting information within the digital domain. The activities entail the infiltration of computers and networks to obtain data, the mapping of relevant parts of the digital domain, the monitoring of vital networks and the understanding of the mechanisms and techniques behind means of attack. The gathered information will be used for early warning intelligence products, the establishment of a National Cyber Assessment (CSBN), the strengthening of the intelligence production in a broad sense and the carrying out of counter intelligence. The digital domain cannot be seen separately from intelligence capabilities such as signals intelligence (SIGINT), human intelligence (HUMINT) and the MIVD’s existing counter intelligence capabilities. Decisive for the effectiveness is the combined use of scarce expertise and means. The MIVD and AIVD will therefore intensify the collaboration regarding cyber and SIGINT by establishing a common SIGINT-Cyberunit. The establishment of this unit must further increase the effectiveness of the national cyber intelligence capability. The MIVD will also contribute to the development of the CSBN that is written under the responsibility of the National Coordinator for Counterterrorism and Security (NCTV) and the Ministry of Security and Justice.

A complex challenge is the attribution of identified attacks and attempted attacks. If it cannot be determined what the source of a threat or attack is, who is carrying them out and for what purpose, the possibilities for an effective response are limited. The MIVD will increase the possibilities for attribution by the use of all possible intelligence sources and forensic research, and collaborate with, among others, the JIVC, the General Intelligence & Security Service (AIVD), the Netherlands Forensics Institute (NFI) and law enforcement (the KLPD and the Royal Netherlands Marechaussee (KMar)). In addition, intensive and confidential international cooperation is often essential in determining the identity of the attacker and taking effective protection measures.

Priority 5: Adaptive and innovative
The speed of developments in the digital domain demands adaptivity and innovation from the MoD. The MoD must be able to quickly implement new technology and cope with short cycles of innovation. The dynamics and complexity of the digital domain demand continuous adjustment of (initial) needs for knowledge, expertise, skills and techniques, and way of acting.

The MoD must have the knowledge to monitor relevant developments and adjust to them quickly and effectively. The MoD invests in people, technology, research and development to be able to acquire or develop the necessary cyber capabilities in time and deploy them. The Defense Cyber Expertise Center (DCEC) will be the central entity for the enhancement of knowledge development, assurance and dissemination. The DCEC must bring the MoD’s knowledge in the area of cyber operations to a high level and maintain it there. This is aimed both at knowledge development (among others: R&D and concept development and experimentation) and at knowledge transfer (practice, training and education) within the MoD. The DCEC will intensively cooperate with knowledge institutions such as TNO.

For sustainable improvement of security of networks and systems, the MoD must be able to respond quickly and effectively to new developments, be able to test and apply new technologies at an early stage and closely cooperate with private companies and academia. Tenders and acquisition in the digital domain will be set up such that they are tuned to the variable/unstable character of this domain, and at the same time ensure the reliability of means and business processes. In the digital domain, the private sector is the motor of innovation, also regarding the security and protection of IT infrastructure. The MoD thus has to make optimal use of this innovative power. The sourcing policy of the MoD can contribute to this.

For research and development, but also for education, training and practice, the MoD will possess a ‘cyber laboratory’ and a test environment. This cyberlab can be used by the various MoD organizations and also be available to partners. Components can be at various physical locations and be connected remotely.

A specific challenge to MoD is the recruitment and retaining of qualified personnel that is also able to work in a military environment. The required military personnel capacity will partially be achieved by the use of cyber reserves. To acquire and retain the necessary knowledge, expertise and skills, specific attention is paid to staff policy and education. Specific career paths will be developed to anchor the knowledge and experience of MoD-employees on the cyber terrain. By cooperating with the NCSC, law enforcement and the private sector, exchange of personnel can be stimulated. This ensures proper development of experience and can offer employees an interesting career perspective.

Additional research is necessary on the impact of digital means as operational capability and the threat from it to the armed forces, technologically, procedurally and legally. The MoD will tune to research that is being done elsewhere in the Netherlands and internationally. The MoD also carries out research by itself. In 2014, a chair in digital defensibility and cyber operations will be established at the Netherlands Defense Academy (NLDA).

Priority 6: Cooperation
Digital security depends on the capability of countries and organizations to protect the digital domain, individually and in cooperation. The digital domain is, by nature, a domain in which public and private, civil and military and national and international actors act at the same time and are interdependent. In addition, the techniques used by attackers are largely similar and make use of generic vulnerabilities in networks and systems. A collaborative approach to digital insecurity is therefore necessary to enhance digital security in a sustainable way.

Nationally
For the MoD it is important to cooperate closely with public and private parties within the framework of the NCSS. The MoD is represented in the Cyber Security Council (CSR) and participates in the NCSC.

As operator of high-end digital networks and systems, the MoD is an important partner that possesses special knowledge and capabilities. Based on the MoD’s third main task, the MoD can, if requested, make available this knowledge and capabilities to civil authorities. After a formal request and permission in accordance with the legal ground for support or the rules for providing support, it is possible to act under authority of the requesting party. The way in which capabilities can be made available within the context of cyber operations will be further elaborated. Besides that, there is reason to examine whether the MoD’s digital means can be involved in administrative agreements about the specifically guaranteed availability of the armed forces within the context of the Intensification Civil Military Cooperation (ICMS) program. The MoD’s capabilities will have to contribute to the improvement of security and reliability of the entire Dutch digital domain.

In organizing a collaborative approach, it is important that roles, tasks and responsibilities are clear. For this, at the initiative of the NCTV, it will be examined whether the current crisis management structure is adequate for making a large-scale digital disruption manageable quickly and effectively. The MoD will contribute to this.

Cooperation with public partners, universities and the private sector is also needed in the area of R&D, education and staffing. Different parties are coping with the same challenges, such as limited budgets and scarcity of qualified personnel. New possibilities for strategic cooperation must be examined. The MoD contributes to the National Cyber Security Research Agenda [.pdf, in English] and, in the context of the cabinet’s private sector policy, to the specific attention that is being paid to cyber security in the ‘top sector High Tech’. In this context the MoD will also work closely together with other departments, knowledge institutions and the private sector. Alliances with the private sector will be sought regarding the development of means.

Internationally
Internationally, the MoD seeks cooperation with countries that have a similar ambition and approach as the Netherlands, and that operate at a similar level. The main purpose of such cooperation is knowledge exchange. At a later stage it will be examined what the possibilities are regarding joint development of means and techniques and joint setup of capabilities.

For the MoD, NATO is the primary organization for cooperation for increasing defensibility in the digital domain. The MoD therefore contributes to the development and execution of NATO policy. As emphasized during the Chicago summit in May 2012, NATO will increase the defensibility of its own networks and systems, and those of allies that are essential to the functioning of NATO. The Netherlands also endorses NATO’s ambition to increase the joint capability for intelligence analysis. It is not plausible that cyber capabilities will be developed in NATO cooperation. NATO must, however, develop a vision on the use of cyber capabilities during NATO operations.

The MoD also supports the EU initiative to establish an integral internet security strategy. For the MoD it is important that the EU and NATO intensively cooperate in improving the defensibility of member states. For that, it is important that the information exchange between both organizations is intensified in this area.

Finally
The priorities outlined in this strategy must ensure that the armed forces can act effectively and adequately in the digital domain. By investing in digital defensibility and operational capabilities, the Netherlands maintains high-end and technologically advanced armed forces that are versatile and can perform their tasks in all domains. In the budget and the annual report, the Parliament will be informed about the progress of the execution of this strategy. In 2016 the policy will be reviewed.

[0] At this time, there is no internationally accepted definition of the term digital domain (cyberspace). In this strategy, the digital domain is considered to be all entities that are (or can be) digitally connected. The domain entails both permanent connections and temporary or regional connections and always concerns in some way the data (data, information, code, etc.) present in this domain.

[1] The three main tasks of the MoD are:
1. Protection of our terrain and that of our allies, including the Caribbean part of the Kingdom;
2. Promotion of international legal order and stability;
3. Assistance to civil authorities in law enforcement, disaster control and humanitarian aid, both nationally and internationally.

[2] By reliability we mean availability, integrity and confidentiality.

EOF

Speech by Dutch Secretary of Defense at Cyber Symposium on June 27th 2012

Here is an unauthorized (but careful!) translation of the speech (.pdf, in Dutch) given by the Dutch Secretary of Defense J.S.H. Hillen during the Netherlands Defense Academy (NLDA) Cyber Symposium that took place on June 27th 2012. The Dutch MoD released their Defense Cyber Strategy (.pdf, in Dutch) during that event.

Hyperlinks and parts between [] are mine.

If you see errors, please drop me a line at koot at uva dot nl .

The sword in the digital domain

On November 1st 1911 the first Italian pilot, Giulio Gavotti, dropped four bombs on Turkish gantries in Libya. He therewith performed the first airstrike in history. A new domain for warfare was born.

Not everyone realized this. In the same year, Frenchman Ferdinand Foch, who would later become field marshal during WWI, stated that “flying is fun as a sport but useless as means of warfare”.

Three decades later, in WWII, the deadly effect of the air weapon became clear and Foch was proven wrong. Or, as Erwin Rommel, the German general, sighed at the end of the war:

“Somebody that, even with the most modern weapons, has to fight an enemy that dominates the air, fights as a savage against European units, with the same limitations and the same chance of success.”

And now another new domain has emerged for military action. A domain that has been created by man. Besides ground, air, sea and space, cyber has now become the fifth domain for military action.

This digital domain and the application of digital means as weapon or instrument of intelligence are developing strongly. Where does this development lead? And what does this mean for the Dutch armed forces?

It is right that the Dutch Defense Academy organizes a full-day conference focusing on these questions. I predict: many days such as these will follow. Because 100 years after 1911 we are standing, in my conviction, at the beginning of an important change in military action. A development that will change `the face of battle’, as the Brit John Keegan stated, in the coming decades.

The internet has turned out to be a huge enrichment to society and a motor for economic growth. Digital means make possible what seemed impossible before.

The MoD wants to use these possibilities optimally. The digital technology enables the armed forces to perform its tasks more effectively and more adequately. Almost all weapon systems function thanks to the use of IT components. Command and control and logistical support heavily rely on digital systems. The armed forces are nearly just as dependent on IT as [popular Dutch online bookstore] Bol.com. Without digital means both our society and our armed forces can barely function. They have become of vital importance.

The emergence of the digital domain has also not been appreciated by everyone. Thomas Watson, chairman of IBM, stated in 1943 that there would be a global market for, perhaps, five computers.

What is also noticed — and now I come to the other side of the digital phenomenon — is a lack of awareness about the risks associated with the explosive growth of computer networks. In the development of hardware and software, and the set up of networks, barely any attention was — and is — spent on security. Even though the first computer virus already emerged in 1971.

In other words, the attention for the protection of networks did not keep up with the growth of the digital domain.

Only in recent years we see a catching up. Cyber security is now gaining increasing attention.

And rightfully so, because the digital threat is real. This threat can disrupt a society that depends on IT in various ways. Not only technically: think of failure of the banking system. But also psychologically: think of the fear, the panic and possibly giving in to an aggressor that can act when our digital systems are sabotaged on a large scale. The consequences of an attack will not be limited to the digital domain but also have far-reaching consequences for society as a whole.

Our society has to arm itself against this threat. That also holds for the armed forces. The Stuxnet and Flame attacks made clear that conflicts can also be fought in the digital domain and that the impact of this can be big.

Many things are unclear regarding the nature of digital conflicts. How will state and non-state actors use the digital domain to achieve their political goal? What will cyber weapons of the future look like? It is speculation for now.

We can, however, not afford to wait submissively and see what others come up with. Nearly everything that someone can imagine, so history teaches us, will eventually be made. Think about the fantastical stories by Jules Verne.

So will digital weapons probably emerge faster than expected as a fixed component of military arsenals. The MoD has to have imaginative power, both to make full use of the possibilities that the digital domain offers as well as to arm against what is coming.

But what does it mean to be the sword in cyberspace? How should the armed forces perform her special tasks and responsibilities in the digital domain?

The digital challenge is, so much is clear, also a frontier from a military perspective. In the physical world, boundaries are generally well-defined, and threats and adversaries can be mapped.

In the digital domain, this is far less clear.

In this domain, there is no delineated military area of operation.

Nor is there any physical violence.

And yet it is conceivable that disturbance of digital systems disrupts entire societies or eliminates military targets.

It is of great importance that the MoD be prepared for this new reality, where the virtual and real world flow into one another.

Therefore, today I will send to the Dutch Parliament the defense strategy for military operation in the digital domain. The Defense Cyber Strategy [.pdf, in Dutch] will provide guidance, coherence and focus to the development of the military power in the digital domain.

Integral approach
The first priority is the establishment of an integral approach. Due to the broad and multiform character of the digital domain, central coordination is needed of all activities that are associated with military acting in the digital domain.

Our starting point is that the MoD cyber capabilities must be fully integrated in our military acting. The power of digital capabilities lies within the possibilities they offer to support and enhance this acting in all domains.

The MoD will not establish a separate department within the armed forces for acting in the digital domain. The operational cyber capabilities will however be placed in the Defense Cyber Command in the land forces in 2014.

Defensive
Our second priority is the strengthening of digital defensibility of MoD, i.e., the defensive side. Digital self-defense entails the protection of networks, the monitoring and analysis of data traffic, identification of digital attacks and the response to those.

The Joint Information Provisioning Command (JIVC) that is being established and DefCERT have a prominent role in this.

But there is also a responsibility for every MoD employee. The most important vulnerability that can result in loss or compromise of information is related to unintentional actions by employees, such as careless and improper use of IT. Every MoD employee must become aware of the risks associated with digital means.

Offensive
The third priority is perhaps the most striking: the development of military power to perform cyber operations.

As `sword’ the armed forces must, in my opinion, be able to act offensively in the digital domain. Eliminating an adversary remains the special task of the armed forces. Also in the digital domain. Knowledge of offensive methods and techniques is, moreover, necessary for strengthening the digital defensibility.

Many still associate the word cyber attack with the lonely hacker who is able to take down the Pentagon’s network from his attic room. The digital domain as asymmetrical arena where David can hit Goliath right between the eyes. This appeals to our imagination but probably has little to do with future reality. Stuxnet and Flame are technologically very complex and therefore costly. Not something that an amateur enthusiast can build in an evening.

The development of offensive operational capabilities is still in a very early stage. Much remains unclear about the nature of these capabilities, the possibilities that they can offer to a commander and the effects that can be achieved with them.

In the development of offensive operational capabilities of the armed forces, the knowledge and capabilities of the Dutch Military Intelligence Service (MIVD) will be used. The Chief of Defense [currently general Tom Middendorp] can employ offensive means based on a government mandate in a military operation. The legally required separation between the tasks and responsibilities of the Chief of Defense and the MIVD remains intact. The aforementioned Defense Cyber Command accounts for readiness of offensive cyber capabilities.

Intelligence
I already mentioned the MIVD. The strengthening of the intelligence position in the digital domain is our fourth priority.

Information is of vital importance to the armed forces. Due to the rise of the digital domain and the increasing interconnectedness of systems, the possibilities for gathering information have increased dramatically. Having a full-fledged intelligence position in the digital domain is needed both for protection of one’s own infrastructure as well as carrying out operations.

They must have insight both in the technical threat as well as in the attacker’s intentions. They shall also have to possess the power to disrupt and end attempts of digital espionage.

Adaptive and innovative
In order to be successful at the said territories within the digital domain (defensive, offensive and intelligence), more is needed: strengthening the knowledge position and the innovative power of MoD in the digital domain. This is then the fifth priority of our approach. The establishment of a cyber chair at the Netherlands Defense Academy (NLDA) in 2014, that will, among other things, research the aspects of international law, is part of this. But also the recruitment and retainment of qualified personnel are specifically related to this priority.

The speed of developments in the digital domain demands a lot of adaptivity and innovation from the MoD. They must be able to implement new technology quickly and have short innovation cycles.

The MoD will therefore invest in digital technology and research. The Defense Cyber Expertise Center (DCEC) will be the place where knowledge is brought together. For research and development, but also education, training and practice, the MoD will have a `cyber laboratory’ and a test environment.

A special challenge to the MoD is the recruitment and retainment of qualified personnel that is also able to function within a military environment. To gather and retain the necessary knowledge, expertise and skill, specific attention will be paid to staff policy and education. Specific careers for `digital soldiers’ are certainly conceivable.

Our armed forces explicitly opens itself to people who have digital knowledge, but of whom the government hardly makes use: the `white hat hacker’-community, or bona fide hackers. They often point out leaks to us. We must not be angry about that, but make use of it, because that is how we make each other stronger. Why would a `white hat hacker’ not want to help defend his own country? Especially when he does not even have to crawl through mud, but can remain sitting behind his computer.

Cooperation
The intensification of cooperation in national and international levels is, finally, our sixth priority.

In the digital domain public and private, civilian and military, national and international actors act at the same time. A joint approach is necessary.

To the MoD it is important to work together with public and private parties within the framework of the National Cyber Security Strategy [.pdf]. As operator of first-rate digital networks and systems, the MoD is an important partner both nationally and internationally.

At the international level, the MoD will seek cooperation with countries that endorse a similar approach and that operate at the same level regarding development. The primary goal of cooperation is the exchange of knowledge. After that it can be examined whether there are possibilities for collaborative development of capabilities.

During the recent Chicago summit, the NATO stated that it will strengthen the defensibility of its own networks and systems and those of allies. It is not plausible that cyber capabilities will be developed in NATO-cooperation. The organization must however develop a vision regarding the use of cyber capabilities during collaborative operations.

Concluding
The importance of the digital domain and the speed with which it develops poses big challenges to us. The Dutch armed forces draws the necessary conclusions and wants to become the prominent player that fits our country.

The MoD must develop a full-fledged cyber capability. Here more than in other areas, standing still amounts to declining. The speed at which the digital domain develops will then result in falling behind very quickly.

That is the challenge that we face now. The Defense Cyber Strategy that I will send to the Parliament, will be a guidance in achieving our goals.

Today I started this talk by referring to the first airstrike by the Italian pilot Giulio Gavotti in 1911. Even before the plane had been invented the British science fiction author H.G. Wells already predicted that “when air dominance is achieved by one of the fighting armies, the war becomes a conflict between one force that can see and one force that is blind”. It won’t surprise me that when this prediction is translated to the digital domain, it will soon become reality.

And now the moment has come to make it all official by offering the strategy to Parliament. Of course I will do so digitally.

EOF

In 2012, Netherlands Will Establish Mandatory Breach Notification for Vital Sectors

On July 6th the Dutch government stated that legislation will be established later this year that will require organizations in the following six vital sectors to notify the Dutch government about security breaches:

  • electricity
  • gas
  • telecom
  • transport (Schiphol airport, mainports Rotterdam)
  • drinking water
  • surface water management

The requirement will also apply to the financial sector and to the government itself. It is stated that the impact of disruption of service is large in each of these sectors, and that cascade-effects to other sectors can easily occur, making large-scale societal disruption a real risk.

The security breach notification requirement will be tuned to legislation and regulations at national and European levels. Helping prevent societal disruption will be the primary concern. The National Cyber Security Center (NCSC) will offer help and advice to the organization or to the sector, intending to end the breach and limit effects of the breach that could also occur elsewhere. In case the crisis structure is scaled up, the NCSC can account for operational response within that structure. By publishing security advisories, the impact at third parties can be limited.

In order to act quickly and prevent possible societal disruption, the government seeks public-private partnership. In case of a threat of societal disruption, the government must be able to intervene. Therefore, the government gets increasing sectoral intervention possibilities at its disposal. This includes the authority to obtain information, the authority of administrative enforcement of designations and the authority to appoint an officer on behalf of the government.

With this legislation, the Dutch cabinet implements the motion Hennis-Plasschaert (VVD party) that emerged in the aftermath of the DigiNotar incident and asks for mandatory security breach notification for organizations involved in vital information systems.

Sources: