UPDATE 2018-11-15: the Dutch Defense Cyber Strategy of 2015 has been revised.
UPDATE 2015-02-23: the Dutch Defense Cyber Strategy of 2012 has been revised; seven priorities replace the six priorities set in 2012.
UPDATE 2014-10-22: The Dutch Defense Cyber Command exists as per September 25th 2014. Details here.
Here is an unofficial translation of the entire Dutch Defense Cyber Strategy document (.pdf, in Dutch) that was published by the Ministry of Defense on June 27th 2012. Don Eijndhoven already wrote a proper (English) piece about this on June 29th.
The below is an as-literal-as-possible translation of the entire Defense Cyber Strategy document. Also see here my translation of the entire speech given by the Secretary of Defense when presenting the Defense Cyber Strategy.
Dear Dutch govt, if you are reading this: please start publishing cyber-related policy documents in English (as NCTV and NCSC sometimes already do, but the MoD still doesn’t).
Hyperlinks and parts between [] are mine.
If you see spelling/grammar errors, please drop me a line at koot at uva dot nl.
Introduction
The digital domain [0] is, next to land, air, sea and space, the fifth domain for military acting. This domain and the application of digital means as weapon or means of intelligence are undeniably developing strongly. Digital means will increasingly be an integral part of military acting and lead to modernizations. The dependence on digital means, however, also leads to vulnerabilities that need urgent attention. The impact on society of a large-scale cyberattack can be huge. The effects can, like a terror attack, result in large-scale upheaval and societal disruption. In the military domain, infrastructure and weapon systems can be affected such that there no longer is an effective defense. The Dutch armed forces draw the necessary conclusions from this and aspire to act as a `sword force’ in the digital domain too.
The three main tasks of the MoD [1] are leading for the efforts of the armed forces in the digital domain too. They must therefore be able to act against a digital threat to society or to international legal order. In that, there is an increasing overlap between the first and third main task. The separation between main tasks remains of importance, however, because the principles and procedures for the use of the armed forces are different for each task. The constitutional rules apply without limitation to the digital domain. The use of the armed forces will therefore be based on a government mandate in international operations and based on a request for assistance to civil authorities (usually the Secretary of Security & Justice).
To guarantee the deployability/availability of the armed forces and increase its effectiveness, the MoD strengthens its digital defensibility and develops the capability to perform cyber operations. For the coming years, the Defense Cyber Strategy provides direction, coherence and focus for the integral approach for the development of military capability in the digital domain. Therewith, the MoD implements the cyber intensification outlined in the policy letter Defense after the credit crunch [.pdf, in Dutch] and the defense part of the National Cyber Security Strategy (NCSS) [.pdf, in English].
The armed forces want to make optimal use of the possibilities offered by the development of digital technology. This technology is already being used by the MoD on a large scale and enables it to perform its task more effectively and more adequately. For example, nearly all weapons systems function due to the use of IT components. Command and control, and logistical support rely heavily on digital systems. In addition, the information position and situational awareness of the armed forces are significantly improved using digital means. Digital networks and systems, including both weapon systems and measurement/control systems, and the information they carry, have become of vital importance to the armed forces.
The dependence of the armed forces on digital technology, however, also makes it vulnerable. It is essential that MoD protects the reliability [2] of its own networks, systems and information, and prevents information theft. The MoD must remain vigilant and invest in high-end means and knowledge in order to keep the defense against digital attacks at the required level. The MoD also must get more insight into the threats that the MoD is exposed to in the digital domain so that it can protect itself against them effectively.
Considering that not only our own digital systems are vulnerable but also those of (potential) adversaries, the digital domain can also be used for (military) acting against an adversary or to improve one’s own intelligence position. Therefore, the MoD considers digital means specifically as operational capabilities — as weapon or means of intelligence — that must become an integral part of the operational power of the armed forces. That includes the protection of one’s own networks, systems and information during military operations, the use of offensive capabilities and the gathering of intelligence related to military operations. Because all parts of the MoD use IT intensively, far-reaching joint cooperation is necessary.
Due to the broad and multiform character of the digital domain and in order to use the MoD’s scarce means optimally, central control and coordination are needed of all activities associated with the military acting in the digital domain. The speed of developments in the digital domain is very demanding regarding MoD’s adaptivity and innovation. MoD must be able to implement new technology quickly and be able to cope with short cycles of innovation. The dynamics and complexity of the digital domain require continuous adjustment of (initial) needs for knowledge, expertise, skills and techniques, and way of acting.
As a result of the strong interconnectedness in the digital domain and the dependence on similar technology, an integral approach is also necessary at the national and international level. The classical separation of military and civilian, public and private and national and international actors is less clear in the digital domain. For example, national security can be threatened by a large-scale attack at a private organization. In defending against such a large-scale attack, cooperation between various parties is necessary, including with the victim organization itself, the National Cyber Security Center (NCSC), the intelligence services, law enforcement and possibly also the armed forces.
Priorities
Given this background, the Defense Cyber Strategy includes six priorities that will guide the MoD to achieve its goals in the digital domain:
1. the establishment of an integral approach;
2. the strengthening of digital defensibility of the MoD (“defensive”);
3. the development of the military capability to perform cyber operations (“offensive”);
4. the strengthening of the intelligence position in the digital domain (“intelligence”);
5. the strengthening of the knowledge position and the innovative power of MoD in the digital domain, including the recruitment and retaining of qualified personnel (“adaptive and innovative”);
6. the intensification of the cooperation at the national and international level (“cooperation”).
The development of the digital threat for the MoD
Due to its intensive use of high-end (satellite) communication systems, information systems, sensory systems, navigational systems, logistical systems and weapon systems, the Dutch defense organization is dependent on reliable internal and external networks and on digital technology. It is therefore vulnerable to digital attacks.
Various countries now possess offensive cyber capabilities for military purposes, or are in the process of developing them. Non-state actors too can be a threat to the armed forces by disrupting systems and information provisioning. In modern conflict, the distinction between combatants and non-combatants becomes vague, and so does the delineation of operational terrain. The acting by “adversaries” will increasingly often be in digital form and probably extends to the “home front”.
The biggest threat to the MoD in the digital domain on the medium-to-long term is due to high-end and complex digital offensive capabilities that are targeted at a specific (military) target and can severely limit the armed forces’ ability to act. A lack of knowledge about and lack of insight into digital possibilities to carry out attacks is a real risk to the armed forces.
Already today, armed forces and companies involved in the development and production of high-end military technology are continuously confronted with — attempts to — digital attacks and espionage activity. The strategic and economic value of the information in this sector is high. The MoD will have to be alert at an early stage to the covert introduction of vulnerabilities (“backdoors”) in information and communication systems. The complexity of and amount of components in systems increase this risk. Intelligence services very probably won’t hesitate to manipulate equipment prior to its delivery to potential opponents.
Priority 1: An integral approach
The MoD’s cyber capabilities are an important and real addition to existing military capabilities. The value of digital means is in the possibilities they offer to support and enhance acting across all lines and in all domains. Digital means strengthen the acting of the armed forces in all functions of military acting: logistics, command and control, intelligence, protection, maneuver and striking power. This strategy therefore assumes an integral approach both regarding supporting processes (readiness, operational support, maintenance) and operational deployment (both independent and as part of acting of other units, possibly under civil authority).
In the context of military operations, operational cyber capabilities will be used increasingly often, mainly to support conventional acting of the armed forces, but also as an independent weapon. It is necessary that operational cyber capabilities become part of the total military capabilities of the Dutch armed forces. For that, the MoD has to make significant investments in the strengthening of cyber capabilities. The MoD will not establish a separate military component of armed forces for acting in the digital domain. Eligible cyber capabilities will be brought together in 2014 as a joint unit in the Defense Cyber Command (DCC) that will become administratively part of the Royal Netherlands Army (CLAS) under `single service management’.
An operational cyber capability entails all knowledge and means required to predict, influence or disrupt adversary actions via digital means, and to defend oneself against similar cyber operations from the adversary, during operational deployment. This takes place via infiltration of computers, computer networks, weapon and sensory system software and software to gather information and intelligence and influence systems. An operational cyber capability thus entails deployable defensive, intelligence-related and offensive elements.
In the planning and preparation of operations, aspects that are relevant to the digital domain are also taken into account. The digital domain thereby is an integral part of the joint operational planning process. Here, both the potential influence of the digital domain on the ordered task and the effects that can be achieved via the use of cyber capabilities are taken into consideration. An operational commander therefore has his own capabilities and can request intelligence capabilities to gather cyber information, process it and provide it in time for the decision-making process. This entails both the threat against one’s own networks and systems and the possibilities to exploit the adversaries’ vulnerabilities. A good situational awareness in the digital domain is part of the total situational awareness of the commander.
For operation in the digital domain it is necessary that the mandate accommodates this, and that the Rules of Engagement describe how offensive cyber capabilities may be used.
Priority 2: Defensive
Networks and systems are vulnerable to attacks and disruptions, both from the inside and outside. The defense against this entails the protection of networks, the monitoring and analysis of data traffic, the identification of digital attacks and the response to them.
The MoD is evidently responsible for the security of its own networks and systems. The MoD has to be prepared for cyber threats and be able to protect itself against them in order to ensure the deployability/availability of the armed forces. The MoD therefore has to be familiar with the potential threats in the digital domain and the vulnerability of its own networks and systems. The MoD will therefore perform a risk analysis that will be the basis for establishing which minimal security measures are required. The measures to be taken and usability will need to be balanced, and a coherent set of staff, physical and information security measures will be endeavored. Networks and systems processing and storing highly classified information will be subject to a stronger security regime. Unauthorized access to that data could, after all, result in (very) severe damage to the MoD, to the government or our allies. For networks and systems processing unclassified or lowly classified information, a smaller set of security measures suffices.
It has to be assumed that persistent and technologically highly developed adversaries will be able to compromise (parts of) networks and systems nonetheless. Establishing an all-encompassing digital defense is nearly impossible and, moreover, prohibitively expensive. Therefore, in the protection of one’s own digital infrastructure, as much flexibility as possible must be built in, both regarding the (passive) security of networks and the active response to an attack. Priority must be given to the protection of information and information exchange. In addition, systems must be defensible by being able to respond quickly to an attack and be able to adjust themselves to keep functioning.
The most important vulnerability that can result in the loss or compromise of information is usually due to improper and careless use of IT. Therefore it is necessary that every MoD-employee is aware of the risks associated with the use of digital means. Digital security awareness shall therefore be an integral part of all defense education programs. In addition, MoD-employees must be trained in working under circumstances in which they can temporarily not make use of the (full) functionality of networks and systems.
The MoD will (continuously) improve the protection of its networks and systems. This will be done by the Joint Information Provisioning Command (JIVC) that is being established and is expected to be operational in Q1/2013. The JIVC realizes adequate and high-end security and guards all networks and systems. Illegal and anomalous use will be noticed. The MoD’s Computer Emergency Response Team (DefCERT) guards the security of systems and networks, taking into account current threat levels. DefCERT, which will become part of the JIVC, must identify and analyze risks to and vulnerabilities of the most important MoD networks 24×7 and advise the MoD about security measures that need to be taken. DefCERT too has to have a proper cyber situational awareness. DefCERT therefore works together within MoD with other parts of the JIVC and the Military Intelligence Service (MIVD). Outside of the MoD, they will cooperate with the NCSC, NATO and other CERTs and with companies that have specific knowledge or means. This can entail both information exchange and (personnel) support in case of calamities.
The available defensive cyber capabilities must be used both to protect the MoD’s IT-infrastructure and to protect the MoD’s unique weapon and sensory systems. These are capabilities for the protection of both MoD’s generic networks and systems by the JIVC and the operational networks and systems during deployment by the DCC. The MoD will also improve the reliability of weapon and sensory systems by improving the insight into digital vulnerabilities and by strengthening the control over development, the supply chain and use of IT components. Specific attention is given to procurement of both software and hardware for digital defensibility. During the procurement or development of new systems, potential risks to the reliability must be taken into account from the start. These risks have to be, if possible, mitigated by security requirements or security measures.
Priority 3: Offensive
Offensive cyber capabilities are the capabilities for the purpose of influencing or disrupting adversary actions. The MoD must have the knowledge and capabilities to act offensively in the digital domain, both to be able to establish an effective defense and to support operations.
This entails the development of (knowledge about) complex and high-tech means and techniques specifically aimed at enhancing one’s own military capabilities. A cyber attack on an air defense system can, for example, increase the effectiveness of one’s own air strikes while the risk of collateral damage is decreased.
An offensive cyber capability can be a force multiplier and therewith increase the effectiveness of the armed forces. By the development of a robust cyber capability the Netherlands can be a prominent player within NATO in this area.
The development of offensive operational capabilities is at a very early stage internationally. Much remains unclear about the nature of these capabilities, the possibilities that they can offer and the effects that can be achieved with them. Offensive cyber capabilities distinguish themselves from conventional military capabilities because they are often only usable once and mostly have a short lifespan. High-end cyber capabilities are barely comparable to generally known, relatively low-threshold and widespread methods of attack. It comprises complex means for which the development requires very specific knowledge and is therefore costly and time-consuming. It is a challenge that it is hard to guarantee the desired effects because the adversary can at any moment discover its own vulnerability and protect itself.
In the development of offensive operational capabilities, the knowledge and means available at the MIVD will be used as much as possible. Considering the scarcity of qualified personnel, the knowledge and means must be used as effectively as possible, and it must be prevented that similar means are developed at the same time within the MoD. The knowledge, means and cooperative relations of the MIVD will therefore be used optimally in the development and use of offensive means by the Chief of Defense (CDS). The CDS can use these offensive means during military operation based on a mandate from the government. The legally required separation between the tasks and the responsibilities of the CDS and the MIVD remains intact. Offensive means can also be used to prevent or thwart a cyber attack and to ensure the freedom of one’s own ability of military action in the digital domain (`active defense’). The DCC accounts for readiness of offensive cyber capabilities for operational use. The Taskforce Cyber will develop a doctrine for acting in the digital domain, develop use case scenarios and specify the effects and consequences of offensive means. This will be done through tests, training and practice, among others.
Priority 4: Intelligence
The rise of the digital domain and the increasing interconnectedness of systems have dramatically increased the possibilities for gathering information. The possession of a high-end intelligence position in the digital domain is a precondition both for the protection of one’s own infrastructure and for carrying out operations. The MoD must have insight into the threats in the digital domain to which it can be exposed in order to protect itself against them effectively. This requires insight both into the technical threat and into the possibilities and intentions of (potential) adversaries and attackers. The MIVD must therefore have intelligence capabilities to gather, analyze and report about this information. In addition, the MIVD has to have the capability to disrupt and put an end to intelligence activity of others. The intelligence activities of the MIVD will evidently be carried out within the legal framework.
In the next years, the MIVD will expand its capabilities for covertly collecting information within the digital domain. The activities entail the infiltration of computers and networks to obtain data, the mapping of relevant parts of the digital domain, the monitoring of vital networks and the understanding of the mechanisms and techniques behind means of attack. The gathered information will be used for early warning intelligence products, the establishment of a National Cyber Assessment (CSBN), the strengthening of the intelligence production in a broad sense and the carrying out of counter intelligence. The digital domain cannot be seen separately from intelligence capabilities such as signals intelligence (SIGINT), human intelligence (HUMINT) and the MIVD’s existing counter intelligence capabilities. Decisive for the effectiveness is the combined use of scarce expertise and means. The MIVD and AIVD will therefore intensify the collaboration regarding cyber and SIGINT by establishing a common SIGINT-Cyberunit.
The establishment of this unit must further increase the effectiveness of the national cyber intelligence capability. The MIVD will also contribute to the development of the CSBN that is written under the responsibility of the National Coordinator for Counterterrorism and Security (NCTV) and the Ministry of Security and Justice.
A complex challenge is the attribution of identified attacks and attempted attacks. If it cannot be determined what the source of a threat or attack is, who is carrying them out and for what purpose, the possibilities for an effective response are limited. The MIVD will increase the possibilities for attribution by the use of all possible intelligence sources and forensic research, and collaborate with, among others, the JIVC, the General Intelligence & Security Service (AIVD), the Netherlands Forensics Institute (NFI) and law enforcement (the KLPD and the Royal Netherlands Marechaussee (KMar)). In addition, intensive and confidential international cooperation is often essential in determining the identity of the attacker and taking effective protection measures.
Priority 5: Adaptive and innovative
The speed of developments in the digital domain demands adaptivity and innovation from the MoD. The MoD must be able to quickly implement new technology and cope with short cycles of innovation. The dynamics and complexity of the digital domain demand continuous adjustment of (initial) needs for knowledge, expertise, skills and techniques, and way of acting.
The MoD must have the knowledge to monitor relevant developments and adjust to them quickly and effectively. The MoD invests in people, technology, research and development to be able to acquire or develop the necessary cyber capabilities in time and deploy them. The Defense Cyber Expertise Center (DCEC) will be the central entity for the enhancement of knowledge development, assurance and dissemination. The DCEC must bring the MoD’s knowledge on the area of cyber operations to a high level and maintain it there. This is aimed both at knowledge development (among others: R&D and concept development and experimentation) and at knowledge transfer (practice, training and education) within the MoD. The DCEC will intensively cooperate with knowledge institutions such as TNO.
For sustainable improvement of security of networks and systems, the MoD must be able to respond quickly and effectively to new developments, be able to test and apply new technologies at an early stage and closely cooperate with private companies and academia. Tenders and acquisition in the digital domain will be set up such that it is tuned to the variable/unstable character of this domain, and at the same time ensure the reliability of means and business processes. In the digital domain, the private sector is the motor of innovation, also regarding the security and protection of IT infrastructure. The MoD thus has to make optimal use of this innovative power. The sourcing policy of the MoD can contribute to this.
For research and development, but also for education, training and practice, the MoD will possess a `cyber laboratory’ and a test environment. This cyberlab can be used by the various MoD organizations and also be available to partners. Components can be at various physical locations and be connected remotely.
A specific challenge to MoD is the recruitment and retaining of qualified personnel that is also able to work in a military environment. The required military personnel capacity will partially be achieved by the use of cyber reserves. To acquire and retain the necessary knowledge, expertise and skills, specific attention is paid to staff policy and education. Specific career paths will be developed to anchor the knowledge and experience of MoD-employees on the cyber terrain. By cooperating with the NCSC, law enforcement and the private sector, exchange of personnel can be stimulated. This ensures proper development of experience and can offer employees an interesting career perspective.
Additional research is necessary on the impact of digital means as operational capability and the threat from it to the armed forces, both technologically, procedurally and legally. The MoD will tune to research that is being done elsewhere in the Netherlands and internationally. The MoD also carries out research by itself. In 2014, a chair in digital defensibility and cyber operations will be established at the Netherlands Defense Academy (NLDA).
Priority 6: Cooperation
Digital security depends on the capability of countries and organizations to protect the digital domain, individually and in cooperation. The digital domain is, by nature, a domain in which public and private, civil and military and national and international actors act at the same time and are interdependent. In addition, the techniques used by attackers are largely similar and make use of generic vulnerabilities in networks and systems. A collaborative approach of digital insecurity is therefore necessary to enhance digital security in a sustainable way.
Nationally
For the MoD it is important to cooperate closely with public and private parties within the framework of the NCSS. The MoD is represented in the Cyber Security Council (CSR) and participates in the NCSC.
As operator of high-end digital networks and systems, the MoD is an important partner that possesses special knowledge and capabilities. Based on the MoD’s third main task, the MoD can, if requested, make available this knowledge and capabilities to civil authorities. After a formal request and permission in accordance with the legal ground for support or in accordance with the rules for providing support, it is possible to act under authority of the requesting party. The way in which capabilities can be made available within the context of cyber operations will be further elaborated. Besides that, there is reason to examine whether the MoD’s digital means can be involved in administrative agreements about the specifically guaranteed availability of the armed forces within the context of the Intensification Civil Military Cooperation (ICMS) program. The MoD’s capabilities will have to contribute to the improvement of security and reliability of the entire Dutch digital domain.
In organizing a collaborative approach, it is important that roles, tasks and responsibilities are clear. For this, at initiative of the NCTV it will be examined whether the current crisis management structure is adequate for making a large-scale digital disruption manageable quickly and effectively. The MoD will contribute to this.
Cooperation with public partners, universities and the private sector is also needed at the area of R&D, education and staffing. Different parties are coping with the same challenges, such as limited budgets and scarcity of qualified personnel. New possibilities for strategic cooperation must be examined. The MoD contributes to the National Cyber Security Research Agenda [.pdf, in English] and, in the context of the cabinet’s private sector policy, to the specific attention that is being paid to cyber security in the `top sector High Tech’. In this context the MoD will also work closely together with other departments, knowledge institutions and the private sector. Alliances with the private sector will be sought regarding the development of means.
Internationally
Internationally, the MoD seeks cooperation with countries that have a similar ambition and approach as the Netherlands, and that operate at a similar level. The main purpose of such cooperation is knowledge exchange. At a later stage it will be examined what the possibilities are regarding joint development of means and techniques and joint setup of capabilities.
For the MoD, NATO is the primary organization for cooperation for increasing defensibility in the digital domain. The MoD therefore contributes to the development and execution of NATO policy. As emphasized during the Chicago summit in May 2012, NATO will increase the defensibility of its own networks and systems, and those of allies that are essential to the functioning of NATO. The Netherlands also endorses NATO’s ambition to increase the joint capability for intelligence analysis. It is not plausible that cyber capabilities will be developed in NATO cooperation. NATO must, however, develop a vision on the use of cyber capabilities during NATO operations.
The MoD also supports the EU initiative to establish an integral internet security strategy. For the MoD it is important that the EU and NATO intensively cooperate in improving the defensibility of member states. For that, it is important that the information exchange between both organizations is intensified in this area.
Finally
The priorities outlined in this strategy must ensure that the armed forces can act effectively and adequately in the digital domain. By investing in digital defensibility and operational capabilities, the Netherlands maintains high-end and technologically advanced armed forces that are versatile and can perform their tasks in all domains. In the budget and the annual report, the Parliament will be informed about the progress of the execution of this strategy. In 2016 the policy will be reviewed.
[0] At this time, there is no internationally accepted definition of the term digital domain (cyberspace). In this strategy, the digital domain is considered to be all entities that are (or can be) digitally connected. The domain entails both permanent connections and temporary or regional connections and always concerns in some way the data (data, information, code, etc.) present in this domain.
[1] The three main tasks of the MoD are:
1. Protection of our terrain and that of our allies, including the Caribbean part of the Kingdom;
2. Promotion of international legal order and stability;
3. Assistance to civil authorities in law enforcement, disaster control and humanitarian aid, both nationally and internationally.
[2] By reliability we mean availability, integrity and confidentiality.
EOF