Speech by Dutch Secretary of Defense at Cyber Symposium on June 27th 2012

Here is an unauthorized (but careful!) translation of the speech (.pdf, in Dutch) given by the Dutch Secretary of Defense J.S.H. Hillen during the Netherlands Defense Academy (NLDA) Cyber Symposium that took place on June 27th 2012. The Dutch MoD released their Defense Cyber Strategy (.pdf, in Dutch) during that event.

Hyperlinks and parts between [] are mine.

If you see errors, please drop me a line at koot at uva dot nl .

The sword in the digital domain

On November 1st 1911 the first Italian pilot, Giulio Gavotti, dropped four bombs on Turkish gantries in Libya. He therewith performed the first airstrike in history. A new domain for warfare was born.

Not everyone realized this. In the same year, Frenchman Ferdinand Foch, who would later become field marshal during WWI, stated that “flying is fun as a sport but useless as means of warfare”.

Three decades later, in WWII, the deadly effect of the air weapon became clear and Foch was proven wrong. Or, as Erwin Rommel, the German general, sighed at the end of the war:

“Somebody that, even with the most modern weapons, has to fight an enemy that dominates the air, fights as a savage against European units, with the same limitations and the same chance of success.”

And now another new domain emerged for military action. A domain that has been created by man. Besides ground, air, sea and space, cyber has now become the fifth domain for military action.

This digital domain and the application of digital means as weapon or instrument of intelligence are developing strongly. Where does this development lead? And what does it mean for the Dutch armed forces?

It is right that the Dutch Defense Academy organizes a full-day conference focusing on these questions. I predict: many days such as these will follow. Because 100 years after 1911 we are standing, in my conviction, at the beginning of an important change in military action. A development that will change ‘the face of battle’, as the Brit John Keegan stated, in the coming decades.

The internet has turned out to be a huge enrichment to society and a motor for economic growth. Digital means make possible what seemed impossible before.

The MoD wants to use these possibilities optimally. The digital technology enables the armed forces to perform its tasks more effectively and more adequately. Almost all weapon systems function thanks to the use of IT components. Command and control and logistical support heavily rely on digital systems. The armed forces are nearly just as dependent on IT as [popular Dutch online bookstore] Bol.com. Without digital means both our society and our armed forces can barely function. They have become of vital importance.

The emergence of the digital domain has also not been appreciated by everyone. Thomas Watson, chairman of IBM, stated in 1943 that there would be a global market for, perhaps, five computers.

What is also noticed — and now I come to the other side of the digital phenomenon — is a lack of awareness about the risks associated with the explosive growth of computer networks. In the development of hardware and software, and the set up of networks, barely any attention was — and is — spent on security. Even though the first computer virus already emerged in 1971.

In other words, the attention for the protection of networks did not keep up with the growth of the digital domain.

Only in recent years we see a catching up. Cyber security is now gaining increasing attention.

And rightfully so, because the digital threat is real. This threat can disrupt a society that depends on IT in various ways. Not only technically: think of failure of the banking system. But also psychologically: think of the fear, the panic and possibly giving in to an aggressor that can act when our digital systems are sabotaged on a large scale. The consequences of an attack will not be limited to the digital domain but also have far-reaching consequences for society as a whole.

Our society has to arm itself against this threat. That also holds for the armed forces. The Stuxnet and Flame attacks made clear that conflicts can also be fought in the digital domain and that the impact of this can be big.

Many things are unclear regarding the nature of digital conflicts. How will state and non-state actors use the digital domain to achieve their political goal? What will cyber weapons of the future look like? It is speculation for now.

We can, however, not afford to wait submissively and see what others come up with. Nearly everything that someone can imagine, so history teaches us, will eventually be made. Think about the fantastical stories by Jules Verne.

So will digital weapons probably emerge faster than expected as fixed component of military arsenals. The MoD has to have imaginative power, both to make full use of the possibilities that the digital domain offers as well as to arm against what is coming.

But what does it mean to be the sword in cyberspace? How should the armed forces perform her special tasks and responsibilities in the digital domain?

The digital challenge is, so much is clear, also a frontier from a military perspective. In the physical world, boundaries are generally well-defined, and threats and adversaries can be mapped.

In the digital domain, this is far less clear.

In this domain, there is no delineated military area of operation.

Nor is there any physical violence.

And yet it is conceivable that disturbance of digital systems disrupts entire societies or eliminates military targets.

It is of great importance that the MoD be prepared for this new reality, where the virtual and real world flow into one another.

Therefore, today I will send to the Dutch Parliament the defense strategy for military operation in the digital domain. The Defense Cyber Strategy [.pdf, in Dutch] will provide guidance, coherence and focus to the development of the military power in the digital domain.

Integral approach
The first priority is the establishment of an integral approach. Due to the broad and multiform character of the digital domain, central coordination is needed of all activities that are associated with military acting in the digital domain.

Our starting point is that the MoD cyber capabilities must be fully integrated in our military acting. The power of digital capabilities lies within the possibilities they offer to support and enhance this acting in all domains.

MoD will not establish a separate department within the armed forces for acting in the digital domain. The operational cyber capabilities will however be placed in the Defense Cyber Command in the land forces in 2014.

Defensive
Our second priority is the strengthening of digital defensibility of MoD, i.e., the defensive side. Digital self-defense entails the protection of networks, the monitoring and analysis of data traffic, identification of digital attacks and the response to those.

The Joint Information Provisioning Command (JIVC) that is being established and DefCERT have a prominent role in this.

But there is also a responsibility for every MoD employee. The most important vulnerability that can result in loss or compromise of information is related to unintentional actions by employees, such as careless and improper use of IT. Every MoD employee must become aware of the risks associated with digital means.

Offensive
The third priority is perhaps the most striking: the development of military power to perform cyber operations.

As ‘sword’ the armed forces must, in my opinion, be able to act offensively in the digital domain. Eliminating an adversary remains the special task of the armed forces. Also in the digital domain. Knowledge of offensive methods and techniques is, moreover, necessary for strengthening the digital defensibility.

Many still associate the word cyber attack with the lonely hacker who is able to take down the Pentagon’s network from his attic room. The digital domain as asymmetrical arena where David can hit Goliath right between the eyes. This appeals to our imagination but probably has little to do with future reality. Stuxnet and Flame are technologically very complex and therefore costly. Not something that an amateur enthusiast can build in an evening.

The development of offensive operational capabilities is still in a very early stage. Much remains unclear about the nature of these capabilities, the possibilities that they can offer to a commander and the effects that can be achieved with them.

In the development of offensive operational capabilities of the armed forces, the knowledge and capabilities of the Dutch Military Intelligence Service (MIVD) will be used. The Chief of Defense [currently general Tom Middendorp] can employ offensive means based on a government mandate in a military operation. The legally required separation between the tasks and responsibilities of the Chief of Defense and the MIVD remains intact. The aforementioned Defense Cyber Command accounts for readiness of offensive cyber capabilities.

Intelligence
I already mentioned the MIVD. The strengthening of the intelligence position in the digital domain is our fourth priority.

Information is of vital importance to the armed forces. Due to the rise of the digital domain and the increasing interconnectedness of systems, the possibilities for gathering information have increased dramatically. Having a full-fledged intelligence position in the digital domain is needed both for protection of one’s own infrastructure as well as carrying out operations.

They must have insight both in the technical threat as well as in the attacker’s intentions. They shall also have to possess the power to disrupt and end attempts of digital espionage.

Adaptive and innovative
In order to be successful at the said territories within the digital domain (defensive, offensive and intelligence), more is needed: strengthening the knowledge position and the innovative power of MoD in the digital domain. This is then the fifth priority of our approach. The establishment of a cyber chair at the Netherlands Defense Academy (NLDA) in 2014, that will among others research the aspects of international law, is part of this. But also the recruitment and retainment of qualified personnel are specifically related to this priority.

The speed of developments in the digital domain demands a lot of adaptivity and innovation from the MoD. They must be able to implement new technology quickly and have short innovation cycles.

The MoD will therefore invest in digital technology and research. The Defense Cyber Expertise Center (DCEC) will be the place where knowledge is brought together. For research and development, but also education, training and practice, the MoD will have a ‘cyber laboratory’ and a test environment.

A special challenge to the MoD is the recruitment and retainment of qualified personnel that is also able to function within a military environment. To gather and retain the necessary knowledge, expertise and skill, specific attention will be paid to staff policy and education. Specific careers for ‘digital soldiers’ are certainly conceivable.

Our armed forces explicitly opens itself to people who have digital knowledge, but of whom the government hardly makes use: the ‘white hat hacker’-community, or bona fide hackers. They often point out leaks to us. We must not be angry about that, but make use of it, because that is how we make each other stronger. Why would a ‘white hat hacker’ not want to help defend his own country? Especially when he does not even have to crawl through mud, but can remain sitting behind his computer.

Cooperation
The intensification of cooperation in national and international levels is, finally, our sixth priority.

In the digital domain public and private, civilian and military, national and international actors act at the same time. A joint approach is necessary.

To the MoD it is important to work together with public and private parties within the framework of the National Cyber Security Strategy [.pdf]. As operator of first-rate digital networks and systems, the MoD is an important partner both nationally and internationally.

At the international level, the MoD will seek cooperation with countries that endorse a similar approach and that operate at the same level regarding development. The primary goal of cooperation is the exchange of knowledge. After that it can be examined whether there are possibilities for collaborative development of capabilities.

During the recent Chicago summit, NATO stated that it will strengthen the defensibility of its own networks and systems and those of allies. It is not plausible that cyber capabilities will be developed in NATO-cooperation. The organization must however develop a vision regarding the use of cyber capabilities during collaborative operations.

Concluding
The importance of the digital domain and the speed with which it develops yields big challenges to us. The Dutch armed forces makes the necessary conclusions and wants to become the prominent player that fits our country.

The MoD must develop a full-fledged cyber capability. Here more than in other areas, standing still amounts to declining. The speed at which the digital domain develops will then result in falling behind very quickly.

That is the challenge that we face now. The Defense Cyber Strategy that I will send to the Parliament, will be a guidance in achieving our goals.

Today I started this talk by referring to the first airstrike by the Italian pilot Giulio Gavotti in 1911. Even before the plane had been invented the British science fiction author H.G. Wells already predicted that “when air dominance is achieved by one of the fighting armies, the war becomes a conflict between one force that can see and one force that is blind”. It won’t surprise me that when this prediction is translated to the digital domain, it will soon become reality.

And now the moment has come to make it all official by offering the strategy to Parliament. Of course I will do so digitally.

EOF
