Month: February 2015

Dutch Joint Sigint Cyber Unit (JSCU), AIVD-MIVD partnership in practice

The February 2015 issue (.pdf, in Dutch) of the Dutch government magazine “Nationale Veiligheid en Crisisbeheersing” contains an article about the Joint Sigint Cyber Unit (JSCU). Here is a translation of that article (hyperlinks are mine):

Mid 2014, the Joint Sigint Cyber Unit (JSCU) of the General Intelligence & Security Service (AIVD) and the Military Intelligence & Security Service (MIVD) was officially launched. Through the establishment of the JSCU, the two Dutch intelligence & security services bundle their activities concerning Signals Intelligence (Sigint) and Cyber. Sigint is the collection and processing of intelligence from telecommunications, and Cyber concerns intelligence and security in relation to computer networks. Both fields are, as a consequence of rapid developments in digital information and communication, an increasingly important part of the work of intelligence and security services. Although the AIVD and MIVD both independently have experience in both Sigint and Cyber, the establishment of a joint unit is the only logical step. The increasing threats, the large overlap between Sigint and Cyber, the necessary and high costs of innovation, and the effective use of scarce public means (funding and personnel) necessitate a joint approach by the AIVD and MIVD.

Far-reaching forms of cooperation are typical for the way in which intelligence & security services operate in the current era. During a joint AIVD/MIVD meeting on December 15th 2014, entitled “Beyond cyberhype, partnership in a new reality”, Rob Bertholee, head of the AIVD, expressed the urgency of cooperation as follows: “The continuous technologization and internationalization of our society make threats more diffuse and unpredictable. Combined with the acceleration that ‘cyber’ provides to these developments, the impact of (cyber) threats only increases. The paradox is that an increasing amount of information is making it significantly more complex to identify (yet unknown) threats. Partnerships and other innovative forms of cooperation are the only answer for intelligence & security services to this new reality. Partnerships are not ‘nice to have’, but ‘need to have’.

The JSCU partnership of the AIVD and MIVD is not by itself. Rather, it is the next example in a series of innovative forms of cooperation that both services entered in recent years. Not only with each other, but increasingly often with third parties. A good example is the National Detection Network (NDN). In the NDN, the AIVD and MIVD closely cooperate with, among others, the National Coordinator for Security and Counterterrorism (NCTV), with organizations responsible for critical infrastructure in the Netherlands, and with IT service providers. Together, the NDN partners coordinate the knowledge and efforts to prevent, fight, and learn from cyber threats.

Another example of network-oriented cooperation is the cyber cooperation between the AIVD, MIVD, the National Cyber Security Center (NCSC) and the National Police. Under the working title “Cat5” the partners initiated a pilot for sharing technical and operational information for detecting digital attacks and digital attackers. This way, cyber damage can be prevented at an early stage. Furthermore, the partners make joint analyses to learn from existing casuistry.


[image also available as 1.6MB .pdf here]

An important benefit of the AIVD and MIVD is the exclusive international cooperation between intelligence & security services world-wide. The information that the AIVD and MIVD receive from partner networks, can be used in cooperations such as the NDN or CAT5. Think for instance of secret technical characteristics of a (possible) cyber attack that the AIVD or MIVD obtain via colleagues from the country that was hit by the attack, or that has been able to prevent it. After removal of sources and methods, other participants in the NDN or CAT5 can use these technical characteristics in their advantage to protect Dutch interests against a possible similar cyber attack. The employees of the JSCU are the primary contact on behalf of the Dutch intelligence & security services for anything related to Sigint and Cyber. They thus have an important role in the (national and international) cooperation networks.

During the “Beyond the cyberhype” meeting, Marc Brinkman, head of the JSCU, described the role of the JSCU as follows: “The JSCU provides the AIVD and MIVD insight in known and unknown threats using Sigint and Cyber data traffic. We are continuously looking for the missing insight that contributes to sufficient security. For the question that would be asked the day after tomorrow. We are aware that the day after tomorrow may be the day that a 15-year old builds something that we cannot counter”. According to Brinkman, this role motives his people to go the extra mile. Brinkman: “Our task requires continuous change and cooperation, also with parties that are perhaps not obvious.”

Based on their own experiences, the AIVD and MIVD know that a partnership is more that “just” cooperate. Within the JSCU, the partnership consists of using each others scarce means, sharing the use of these means, providing access (within the legal framework) to each other’s systems, data and relation networks, and joint decision-making on Sigint and Cyber investments on the basis of a jointly developed vision for the future. Success factors that are recognized by both services include mutual understanding, self-awareness about knowledge and expertise, recognition of knowledge and expertise of the other, willingness to cooperate in teams, and taking into account each other’s emotions and interests.

To illustrate these reflections on future-oriented cooperation, Pieter Bindt, head of the MIVD, wrapped up said meeting with the following words: “The cooperation that the AIVD and MIVD show in the JSCU, is bundled force that yields more than the sum of its parts. We make daily progress in our cooperation, but the formation of the JSCU is a leap. I therefore look forward to the next possible leap: when our services, in a few years, will possible cohabit and work from one location. Imagine what that means for the security of the Netherlands. Together we will be able to cope far more effectively with the increasing and complex threats we face.


[image also available as 0.5MB .pdf here]



[Dutch] Convenant tussen AIVD, MIVD, NCTV, Politie en OM inzake de pilot versterkte samenwerking CAT-5 (Jan 2015)

Op 16 januari 2015 is het volgende convenant gepubliceerd in de Staatscourant, inzake samenwerking tussen  AIVD, MIVD, NCTV, politie en OM ten behoeve van analyse van botnets:

Convenant tussen AIVD, MIVD, NCTV, Politie en OM inzake de pilot versterkte samenwerking CAT-5


De Minister van Binnenlandse Zaken en Koninkrijksrelaties, te dezen vertegenwoordigd door het Hoofd van de Algemene Inlichtingen- en Veiligheidsdienst,

De Minister van Defensie, te dezen vertegenwoordigd door de Directeur van de Militaire Inlichtingen- en Veiligheidsdienst,

De Minister van Veiligheid en Justitie, te dezen vertegenwoordigd door de Nationaal Coördinator Terrorismebestrijding en Veiligheid,

De Politie, te dezen vertegenwoordigd door de Korpschef, en

Het College van Procureurs-generaal van het Openbaar Ministerie, te dezen vertegenwoordigd door het hoofd van het landelijk parket,


  • Dat in het kader van de versterking van de samenwerking op het terrein van cybersecurity door de Algemene Inlichtingen- en Veiligheidsdienst (AIVD), de Militaire Inlichtingen- en Veiligheidsdienst (MIVD), de Nationaal Coördinator Terrorismebestrijding en Veiligheid (NCTV), de Politie en het Openbaar Ministerie (OM) is besloten tot het uitvoeren van een pilot voor een versterkte samenwerking ten aanzien van de analyse van botnets;

  • Dat partijen ten behoeve van deze pilot hebben besloten tot het instellen van een cyber analyse team, genaamd CAT-5, bestaande uit medewerkers van partijen, uitgezonderd het OM, waarbinnen een gezamenlijke analyse van botnets, met het oog op het belang van de nationale veiligheid, wordt verricht;

  • Dat partijen voorts ten behoeve hiervan hebben besloten tot het instellen van een stuurgroep, bestaande uit vertegenwoordigers van alle partijen, die overlegt en een oordeel geeft over de opzet van en de gang van zaken binnen CAT-5, alsmede adviseert over de verstrekking van analyses van CAT-5;

  • Dat partijen, uitgezonderd het OM, in de pilot, met behoud van ieders verantwoordelijkheden en bevoegdheden, technische en operationele gegevens aangaande botnets, die zij door eigen onderzoek of uit samenwerking met andere partijen hebben verkregen, bij elkaar brengen ten behoeve van bovengenoemde gezamenlijke analyse in CAT-5;

  • Dat partijen door genoemde gezamenlijke analyse een beter inzicht kunnen verkrijgen aangaande botnets dan wanneer partijen afzonderlijk analyses uitvoeren en zij daardoor ook de effectiviteit van de uitvoering van hun taken ten aanzien van dit onderwerp kunnen vergroten;

  • Dat partijen CAT-5 wensen onder te brengen bij de AIVD en de werkzaamheden in dat team wensen te laten plaatsvinden onder het regime van de Wet op de inlichtingen- en veiligheidsdiensten 2002;

  • Dat de medewerkers van de AIVD, de medewerkers van de politie en de bij de AIVD gedetacheerde medewerkers van de NCTV, die worden aangewezen om werkzaamheden in CAT-5 te verrichten, met inbegrip van de projectleider, deze werkzaamheden verrichten overeenkomstig de aanwijzingen van het hoofd van de AIVD en onder verantwoordelijkheid van de Minister van Binnenlandse Zaken en Koninkrijksrelaties, en de medewerkers van de MIVD, die worden aangewezen om werkzaamheden in CAT-5 te verrichten, deze werkzaamheden verrichten overeenkomstig de aanwijzingen van de directeur van de MIVD en onder verantwoordelijkheid van de Minister van Defensie;

  • Dat partijen met dit convenant nadere afspraken wensen te maken met betrekking tot de samenwerking in voornoemde pilot;

Gelet op:

  • De artikelen 6, 7, 12, 13, 14, 17, 35 tot en met 41, 43, 58, 60, 62, 85 en 86 van de Wet op de inlichtingen- en veiligheidsdiensten 2002 (WIV2002);

  • Artikel 17 van de Wet politiegegevens (Wpg);

  • De artikelen 8, onderdeel e, en 9 van de Wet bescherming persoonsgegevens (Wbp).

Spreken het volgende af:

Artikel 1 (definities)

In dit convenant wordt verstaan onder:

a. stuurgroep:
de stuurgroep, met daarin vertegenwoordigers van de partijen, onder voorzitterschap van de NCTV, die overlegt en een oordeel geeft over de opzet van en de gang van zaken binnen CAT-5, alsmede adviseert over de verstrekking van analyses van CAT-5;
b. botnet:
een netwerk bestaande uit geautomatiseerde werken die buiten de wil van de rechthebbenden daarvan bijdragen aan centraal gecoördineerde activiteiten;
c. CAT-5:
het cyber analyse team, met daarin medewerkers van de partijen, uitgezonderd het OM, waarbinnen de in artikel 6 bedoelde analyse wordt uitgevoerd;
d. projectleider CAT-5:
de medewerker, bedoeld in artikel 4, eerste lid, die op voorstel van de stuurgroep is aangewezen om de werkzaamheden van de overige medewerkers, bedoeld in artikel 4, eerste lid, te coördineren.

Artikel 2 (doel convenant)

Het doel van dit convenant is het maken van nadere afspraken over de pilot voor de versterkte samenwerking ten aanzien van de analyse van botnets, ten behoeve van het door partijen verkrijgen van een beter inzicht aangaande botnets, met het oog op het belang van de nationale veiligheid, en het vergroten van de effectiviteit van de uitvoering van hun taken ten aanzien van dit onderwerp.

Artikel 3 (onderbrenging)

CAT-5 wordt ondergebracht bij de AIVD.

Artikel 4 (aanwijzing medewerkers van partijen)

  • 1. Partijen, uitgezonderd het OM, wijzen één of meer medewerkers aan om werkzaamheden in CAT-5 te verrichten.

  • 2. De korpschef, genoemd in artikel 60, eerste lid, van de WIV2002, draagt er zorg voor dat de in het eerste lid bedoelde medewerker(s) van de Politie worden aangewezen overeenkomstig artikel 60, tweede lid, van de WIV2002.

  • 3. De medewerkers van de NCTV, die op grond van het eerste lid worden aangewezen om werkzaamheden in CAT-5 te verrichten, zullen die werkzaamheden op basis van een detacheringsovereenkomst bij de AIVD verrichten.

  • 4. De medewerkers, die op grond van het eerste lid worden aangewezen om werkzaamheden te verrichten in CAT-5, zullen voorafgaand aan hun werkzaamheden een A+ veiligheidsonderzoek ondergaan.

  • 5. De in het eerste lid bedoelde medewerkers zijn met betrekking tot alle gegevens, waarvan zij kennis nemen bij het verrichten van hun werkzaamheden in CAT-5 en waarvan zij het vertrouwelijke karakter kennen of redelijkerwijs moeten vermoeden, verplicht tot geheimhouding daarvan ten opzichte van een ieder buiten CAT-5, behoudens voor zover enig wettelijk voorschrift hen tot bekendmaking daarvan verplicht.

Artikel 5 (verstrekking van gegevens aan CAT-5)

  • 1. Partijen, uitgezonderd het OM, verstrekken ten behoeve van de werkzaamheden in CAT-5, met inachtneming van de toepasselijke wettelijke kaders, meer in het bijzonder de artikelen 17, 35, 58 en 62 van de WIV2002, artikel 17 van de Wpg en de artikelen 8, onderdeel e, en 9 van de Wbp, onder de in artikel 7, tweede lid, bedoelde voorwaarde, de bij hen berustende gegevens aangaande botnets voor zover die relevant zijn voor die werkzaamheden.

  • 2. De in het eerste lid bedoelde verstrekking van gegevens laat de bevoegdheid van een partij tot gebruikmaking van de door die partij aangeleverde gegevens in het kader van de eigen taakuitvoering onverlet.

Artikel 6 (analyse van gegevens binnen CAT-5)

  • 1. De medewerkers, bedoeld in artikel 4, eerste lid, verrichten op basis van de krachtens artikel 5, eerste lid, verstrekte gegevens, binnen CAT-5, met inachtneming van het omtrent de verwerking van gegevens bepaalde in de WIV2002, waaronder het in artikel 43 van die wet bepaalde over verwijdering en vernietiging van gegevens, een gezamenlijke analyse van botnets.

  • 2. De werkzaamheden van de medewerkers, bedoeld in het eerste lid, worden gecoördineerd door de projectleider CAT-5.

  • 3. De medewerkers oefenen bij hun werkzaamheden in CAT-5 geen bevoegdheden tot het opsporen van strafbare feiten uit.

  • 4. De medewerkers oefenen bij hun werkzaamheden in CAT-5 geen bijzondere bevoegdheden als bedoeld in paragraaf 3.2.2. van de WIV2002 uit.

Artikel 7 (verstrekking van gegevens vanuit CAT-5)

  • 1. Verstrekking van de in CAT-5 ontwikkelde analyses, met inachtneming van het hieromtrent bepaalde in de WIV2002, aan personen buiten CAT-5 of aan organisaties vindt niet plaats dan nadat dit door de leden van de stuurgroep is besproken.

  • 2. De op grond van artikel 5, eerste lid, door partijen aan CAT-5 verstrekte gegevens, onderscheidenlijk de vermeldingen daarvan in de in de CAT-5 ontwikkelde analyses, worden niet aan personen buiten CAT-5 of de stuurgroep of aan organisaties verstrekt onderscheidenlijk kenbaar gemaakt dan nadat hiervoor uitdrukkelijk toestemming is gegeven door de partij waarvan de desbetreffende gegevens afkomstig zijn.

Artikel 8 (kosten)

De door deze samenwerking ontstane kosten worden, voor zover het personele kosten betreft, gedragen door de partij waartoe dat personeel behoort, en, voor zover het kosten van huisvesting en middelen betreft, gedragen door de AIVD.

Artikel 9 (afdwingbaarheid)

Dit convenant is niet in rechte afdwingbaar.

Artikel 10 (geschillen)

Alle geschillen tussen partijen in verband met dit convenant worden in goed onderling overleg tussen de partijen beslecht.

Artikel 11 (wijziging en opzegging)

  • 1. Indien zich omstandigheden voordoen die aanleiding kunnen geven dit convenant te wijzigen, zullen partijen over de noodzaak hiertoe in onderling overleg treden.

  • 2. Elke partij kan de andere partijen schriftelijk verzoeken dit convenant te wijzigen. Wijzigingen van dit convenant behoeven de schriftelijke instemming van alle partijen.

  • 3. Elke partij kan dit convenant met inachtneming van een opzegtermijn van twee maanden schriftelijk opzeggen, onder vermelding van de reden hiervoor.

  • 4. Wanneer een partij dit convenant opzegt, blijft dit voor de overige partijen in stand, voor zover de inhoud en strekking ervan zich daartegen niet verzet.

Artikel 12 (inwerkingtreding en duur)

  • 1. Dit convenant treedt in werking op de datum van ondertekening door de laatste van de partijen en wordt aangegaan voor de duur van zes maanden.

  • 2. Partijen evalueren de uitvoering en werking van dit convenant omstreeks de datum waarop het convenant ingevolge het eerste lid eindigt.

  • 3. Na afloop van de in het eerste lid genoemde duur, kunnen partijen schriftelijk overeenkomen dit convenant te verlengen voor een door partijen daarbij nader te bepalen periode.

  • 4. Het bepaalde in artikel 7 van dit convenant blijft van toepassing na beëindiging van het convenant.

Artikel 13 (publicatie in Staatscourant)

  • 1. De tekst van dit convenant wordt uiterlijk binnen een maand na ondertekening gepubliceerd in de Staatscourant.

  • 2. Bij wijziging van dit convenant vindt het eerste lid overeenkomstige toepassing.

  • 3. Van opzegging van dit convenant wordt melding gemaakt in de Staatscourant.

Artikel 14 (slotbepalingen)

Dit convenant wordt aangehaald als ‘Convenant tussen AIVD, MIVD, NCTV, Politie en OM inzake de pilot versterkte samenwerking CAT-5’.

Aldus overeengekomen en in vijfvoud opgemaakt,

De Minister van Binnenlandse Zaken en Koninkrijksrelaties, namens deze, Het Hoofd van de Algemene Inlichtingen- en Veiligheidsdienst

De Minister van Defensie, namens deze, De Directeur van de Militaire Inlichtingen- en Veiligheidsdienst

De Minister van Veiligheid en Justitie, namens deze, De Nationaal Coördinator Terrorismebestrijding en VeiligheidDe Korpschef van de Politie,

Het College van Procureurs-generaal, namens deze, Het hoofd van het landelijk parket


“Cyberspace offers huge opportunities” — interview with general and professor Paul Ducheine in Dutch MoD magazine Pijler

On February 12th 2015, an interview (in Dutch) with Dutch professor and general Paul Ducheine was published in the Dutch MoD magazine “Pijler”. Ducheine holds the cyber chair at the Netherlands Defense Academy (NLDA). The original Dutch text was written by Ingmar Kooman. Here is a translation (hyperlinks are mine):

General Ducheine first professor of cyber operations

Foxholes and cyberspace: a world of difference. Tangible sweat versus the online domain. Yet they are linked, because the armed forces will in the future operate both in the physical and non-physical — digital — front. Brigadier General Paul Ducheine prepares the armed forces for that, as the first Dutch cyber professor.

His collar mirrors and epaulettes are brand new. Since February 2nd, engineer Ducheine also holds a military chair in the ‘operations terrain’ of cyberspace, besides his civilian chair. At the University of Amsterdam he is professor of Military Law of Cyber Operations and Cyber Security. At the Faculty of Military Sciences of the Netherlands Defense Academy (NLDA) the brand new general teaches cyber operations.

Fifth domain

Cyberspace, freely translated to the virtual world of computers, is a potential battleground, Ducheine explains. “Next to land, water, air and space, the information arising from those is the fifth domain of military action. Altogether, cyberspace provides digital access to intelligence, which offers huge opportunities”.

Weather, terrain or presence of enemy troops can disrupt the use of for instance ground troops, artillery, or air power, Ducheine explains. “But you do not necessarily have to attack armed forces physically. You can also disrupt, deny or distort information sources. That too can achieve the objective.”

An example of that is operation Orchard. Israeli fighter planes in 2007 destroyed a nuclear installation in Syria. That happened after the Syrian air defense was disrupted by a cyber attack. “But the access to digital networks also created dependencies”, Ducheine emphasizes. “And that makes you vulnerable again, meaning that you need to protect your digital domain.”

Off territory

According to Ducheine, many “significant misconceptions” exist among the public about the phenomenon cyber operations. “Much is yet unknown. Some people think we can carry out cyber operations at will. That we do it very often, and that we attack whatever we can attack.”

As examples he mentions electricity networks, water purification systems, traffic lights, all civil infrastructure, and off-territory for armed forces according to the laws of war. “A civilian object cannot be attacked. The armed forces follow the same rules in cyber operations as in conventional action. And is equally restrictive in it. A cyber operation, too, only takes place after a political decision”, Ducheine says.

A fascinating subject, Ducheine finds. “It is about facts, their legal meaning, political decision-making and the action that government services such as police and the armed forces take on that. This interaction is what I want to convey to the officers we train.”

Open mind

Ducheine does not think every cadet or midshipman must develop into a cyber specialist. “I give them a basic understanding of the possibilities that this domain offers. It contains information, you can use it to communicate and maneuver. And through that, you can have a positive and negative effect in military conflict. I want to open their minds to that.”
Ducheine’s multidisciplinary chair in Breda entails law, technology, military operations and socio-administrative aspects of military cyber operations. At the University of Amsterdam, the general’s research and education only focuses on legal aspects. His chair in Amsterdam offers opportunities to the MoD. “Via PhD programs”, Ducheine explains. “I can guide researchers in their activities. The boys and girls are in Breda with me, but get their PhD in Amsterdam. They will later on apply their knowledge within the armed forces. In addition, this provides access to research experience, knowledge, and a large network. Research is not done in isolation, after all.” The advantages of the mix of military and civilian students are something the Ducheine experiences himself. “Sometimes they ask questions that I had never thought of. That is enriching.”


[Dutch] Verzamelde Kamervragen CDA, D66, ChristenUnie n.a.v. bericht digitale spionage Gemalto door bevriende diensten

UPDATE 2015-03-23: op 23 maart 2015 heeft Plasterk de vragen beantwoord (.pdf); de antwoorden zijn hieronder verwerkt.

Op 25 februari 2015 is de onderstaande lijst (.pdf) gepubliceerd van Kamervragen van het CDA, D66 en de ChristenUnie over het bericht “dat bevriende veiligheidsdiensten digitaal spioneren in Nederland” (en ja, de kwaliteit van de vragen is, laten we zeggen, wisselend). Plasterk is gevraagd deze vragen te beantwoorden in de brief die hem in de regeling van werkzaamheden van 24 februari 2015 is verzocht in reactie op het bericht in de Volkskrant.


  1. Kunt u uitsluiten dat de Algemene Inlichtingen- en Veiligheidsdienst (AIVD) via de omweg van een buitenlandse dienst gebruik maakt van informatie die is verkregen door middel van praktijken die de Nederlandse wet niet toestaat?
      De AIVD werkt op grond van de WIV 2002 en de CTIVD houdt hierop toezicht. Het is de Nederlandse inlichtingen- en veiligheidsdiensten niet toegestaan een buitenlandse dienst te verzoeken een bevoegdheid in te zetten waar de Nederlandse diensten zelf niet over beschikken (de U-bochtconstructie). In rapport 38 heeft de CTIVD vastgesteld dat er geen sprake is van het stelselmatig buiten de wet om verwerven van (persoons)gegevens door de AIVD en de MIVD. Tevens heeft de CTIVD in haar onderzoek geen aanwijzingen gevonden dat de AIVD en de MIVD expliciet verzoeken hebben gericht aan buitenlandse diensten om methoden in te zetten die naar Nederlands recht niet geoorloofd zijn.

      Ik kan niet absoluut en in algemene zin uitsluiten dat de AIVD gegevens van een buitenlandse dienst verkrijgt die mede zijn verkregen door middel van praktijken die de Nederlandse wet niet toestaat, omdat inlichtingen- en veiligheidsdiensten elkaar niet informeren over de herkomst van gegevens.

  2. Hoeveel encryptie-codes van simkaarten zijn mogelijk in handen van de NSA?
      Ik heb de AIVD verzocht onderzoek te doen naar de berichtgeving over Gemalto. Dit onderzoek zal naar verwachting enkele maanden in beslag nemen. Ik zal de Kamer hier te zijner tijd over informeren via de daarvoor gebruikelijke kanalen.
  3. Met welke waarborgen is het productieproces van simkaarten omgeven, gelet op de vertrouwelijkheid van telecommunicatie?
  4. Op welke wijze wordt toezicht gehouden op de handhaving van die waarborgen?
    • ANTWOORD 3 & 4:
      De werking van een simkaart is gebaseerd op internationale technische standaarden. Deze internationale standaarden, waar bedrijfsleven en overheden bij zijn betrokken, dienen ook om veiligheidsaspecten en eisen rond vertrouwelijkheid en integriteit zoveel mogelijk te garanderen. De afnemers van deze producten kunnen daarom eisen stellen aan simkaarten en hebben in dat kader een essentiële rol.

      Op de toepassing van zulke standaarden is geen toezicht. De Telecommunicatiewet kent wel een zorgplicht voor aanbieders van openbare elektronische communicatiediensten om passende technische en organisatorische maatregelen te treffen in het belang van de bescherming van persoonsgegevens en de bescherming van de persoonlijke levenssfeer van abonnees en gebruikers. De aanbieders moeten zorgen dat hun leverancier van simkaarten voldoende veiligheidswaarborgen heeft. Ook zijn aanbieders verplicht om abonnees te informeren over eventuele bijzondere risico’s. De Autoriteit Consument & Markt (ACM) ziet toe op deze bepalingen uit de Telecommunicatiewet. Als aanbieders deze wettelijke verplichtingen niet naleven kan ACM handhavend optreden.


  1. Waarom kunt u de berichtgeving van The Intercept bevestigen noch ontkennen terwijl naar verluid de Britse geheime dienst GCHQ reeds het hacken bevestigd heeft? Verandert dat nu Gemalto naar aanleiding van intern onderzoek bevestigt dat er een poging tot hacken is geweest?
      Zolang het door mij gevraagde onderzoek loopt kan ik geen uitspraken doen over de kwestie. Overigens komt in de berichtgeving naar voren dat GCHQ enkel heeft gesteld zich aan de wet te houden.
  2. Kunt u verduidelijken waarom u niet nader in het openbaar vragen over de hack ter verkrijging van sim-kaarten zou kunnen beantwoorden? Uit de aard van de hack, verricht door GCHQ, blijkt toch juist dat de hoofdzaak niet de werkwijze van de Nederlandse inlichtingen- en veiligheidsdiensten betreft?
  3. Kunt u gemotiveerd aangeven waarom de hack door GCHQ wel of niet onder de definities van cyber crime, cyber terrorism en/of cyber attacks valt? Zo nee, waarom niet?
    • ANTWOORD 2 & 3:
      Zolang het door mij gevraagde onderzoek loopt kan ik geen uitspraken doen over de kwestie. De rapportage hieromtrent zal via de geëigende kanalen plaatsvinden gelet op de noodzaak het actueel kennisniveau alsook de werkwijze van de AIVD geheim te houden.
  4. Welke garanties kunt u Nederlanders geven dat hun telefoon niet gehackt is door buitenlandse geheime diensten?
      Ik kan daarover geen garanties geven. Ook kan ik in het openbaar geen uitspraken doen over onderzoek naar de beschreven activiteiten. In het algemeen geldt dat wanneer in Nederland wordt onderkend dat spionageactiviteiten plaatsvinden, daarnaar onderzoek wordt verricht zodat belanghebbenden, zoals overheidsorganisaties of bedrijven, in staat worden gesteld om maatregelen te treffen.
  5. Heeft de AIVD ook sleutels verkregen? Zo ja, wat is daarmee gebeurd?
      De inlichtingen- en veiligheidsdiensten werken op grond van de Wiv 2002. Over de werkwijze van de inlichtingen- en veiligheidsdiensten kan ik in het openbaar geen mededelingen doen.
  6. Hebben er ook binnen Nederland activiteiten plaatsgevonden door GCHQ of NSA ten aanzien van Gemalto, andere soortgelijke bedrijven en hun sim-kaarten, bijvoorbeeld bij het hoofdkantoor of medewerkers die daarvoor werken?
      Zolang het door mij gevraagde onderzoek loopt kan ik geen uitspraken doen over de kwestie. In hun reguliere werkzaamheden verrichten de AIVD en de MIVD onderzoek naar mogelijke spionageactiviteiten van andere landen. Als in Nederland wordt onderkend dat spionageactiviteiten plaatsvinden, wordt hiernaar onderzoek verricht en worden belanghebbenden, zoals overheidsorganisaties of bedrijven, in staat gesteld om maatregelen te treffen. Ik kan daarover in het openbaar geen mededelingen doen.
  7. Wat zijn binnen de AIVD de gevolgen van het herprioriteren geweest voor de afdeling contraspionage?
      Over herprioriteringen van de werkzaamheden van de AIVD kan ik in het openbaar geen mededelingen doen. Hierover informeer ik u via de gebruikelijke kanalen. Op mijn verzoek verricht de Algemene Rekenkamer een onderzoek naar de effecten van de opeenvolgende bezuinigingsvoorstellen op de organisatie en het werk van de AIVD, waarover de Tweede Kamer binnenkort wordt geïnformeerd.
  8. Zijn er in Nederland door geheime diensten gehackte simkaarten in omloop? Hoeveel zijn dat er en is er overleg met de providers om hen te assisteren dat probleem op te lossen en naar de toekomst toe te voorkomen?
      Aanwijzingen voor dreigingen tegen de telecomsector worden door de AIVD gedeeld in de door het NCSC gefaciliteerde Telecom-ISAC. Information Sharing and Analysis Centres (ISAC’s) zijn door het NCSC gefaciliteerde publiek-private samenwerkingsverbanden waarbij de deelnemers onderling informatie en ervaringen uitwisselen over cyber security op tactisch niveau om gepaste oplossingen te formuleren voor de aanpak van cyberdreigingen en kwetsbaarheden.
  9. Hoe beoordeelt u de stelling van Gemalto dat de gepleegde aanval hooguit tot toegang tot het 2G-netwerk had kunnen leiden en dat 3G en 4G-typen netwerken niet kwetsbaar zijn voor een dergelijke hack?
      Zolang het door mij gevraagde onderzoek loopt kan ik geen uitspraken doen over de kwestie. Overigens heb ik op dit moment geen aanleiding om te twijfelen aan de verklaring van Gemalto (en die van Vodafone) hierover van 25 februari 2015.
  10. Waar kan een Nederlandse burger zijn recht halen als zijn rechten worden geschaad, in dit geval doordat hij rondloopt met een mobiel waarvan de integriteit van de sim-kaart geschaad is? Hoe is de democratische controle hierop geregeld?
      Bij schade kunnen abonnees en gebruikers hun telecomaanbieder hierop aanspreken.
  11. Gaat u de ambassadeurs van de Verenigde Staten en Engeland op het matje roepen? Zo nee, waarom bent u daar niet toe bereid? Zo ja, op welke termijn vindt dat plaats?

      Zolang het door mij gevraagde onderzoek loopt kan ik geen uitspraken doen over de kwestie.


  1. Sinds wanneer bent u op de hoogte van deze spionage?

      Ik ben op de hoogte van de berichtgeving in de media sinds 19 februari 2015.
  2. Op welke wijze heeft u daarna gereageerd?
      Ik heb de AIVD verzocht onderzoek te doen naar de berichtgeving over Gemalto. Ik heb de Tweede Kamer daarnaast mondeling geïnformeerd, onder andere tijdens het Vragenuurtje van 24 februari j.l.. Ook heb ik de Tweede Kamer hierover 26 februari een brief gestuurd (Tweede Kamer, vergaderjaar 2014-2015, 26 643 nr. 353).

      Specifiek ten aanzien van de berichtgeving over het advies dat de ICT-afdeling van de Tweede Kamer aan alle leden van Tweede Kamer heeft gestuurd, heeft contact plaatsgevonden met de Minister voor Wonen en Rijksdienst, het NCSC, de AIVD en de Tweede Kamer.

  3. Wat is er sindsdien in het werk gesteld om te voorkomen dat Nederlanders slachtoffer worden?
  4. Zijn dit praktijken die sinds de herziening van het beleid in de Verenigde Staten en de gesprekken met de bondgenoten, met name de Britten, nu uitgesloten worden geacht?
    1. ANTWOORD 3 & 4:
      Zolang het door mij gevraagde onderzoek loopt kan ik geen uitspraken doen over de kwestie. Ik wil er niet over speculeren of Nederlanders slachtoffer zijn geworden.


Dutch Defense Cyber Strategy — Revised February 2015

UPDATE 2018-11-15: the Dutch Defense Cyber Strategy of 2015 has been revised .

UPDATE 2015-06-04: the report (.doc, in Dutch) of said debate is now available.

UPDATE 2015-03-16: the revised strategy is scheduled for debate in the Dutch Parliament on April 15th 2015 April 21st 2015 (rescheduled).

On February 23rd 2015, the Dutch Minister of Defense sent a 6-page letter (.docx, in Dutch; mirror) that revises the Dutch Defense Cyber Strategy of 2012. It contains seven new priorities that replace the old priorities. As a reminder, these were the priorities set in June 2012:

  1. the establishment of an integral approach;
  2. the strengthening of digital defensibility of the Ministry of Defense (MoD) (“defensive”);
  3. the development of the military capability to perform cyber operations (“offensive”);
  4. the strengthening of the intelligence position in the digital domain (“intelligence”);
  5. the strengthening of the knowledge position and the innovative power of MoD in the digital domain, including the recruitment and retaining of qualified personnel (“adaptive and innovative”);
  6. the intensification of the cooperation at the national and international level (“cooperation”);

And these are the new priorities set in February 2015:

  1. attracting, retaining and developing cyber professionals;
  2. increasing the possibilities within the MoD to quickly innovate in the digital domain;
  3. joining forces at the MoD and intensifying the cooperation with partners;
  4. widening and deepening knowledge of the digital domain within the MoD (including the strengthening of cyber awareness of the entire organization);
  5. digital defensibility of the MoD;
  6. the intelligence capability of the MoD in the digital domain;
  7. the development and use of cyber capabilities as an integral part of military operations (defense, offense and intelligence).

These priorities will guide activities and policy of the MoD in the coming years. The letter elaborates on these priorities, and addresses defensive, offensive, and intelligence aspects of cyber — and also mentions human and signal intelligence, for instance:

Offensive operation in the cyber domain also requires intelligence and preparatory intelligence activities, for instance to gain access to systems and map possible targets. These activities, preceding and during operations, are not limited to the digital domain, but also require other special means, such as human and signal intelligence. Locally obtained data can also be an important part of intelligence support preceding and during operations.

The remainder of this post consists of a translation of the Minister’s letter (some 4800 words).

WARNING: this is an unofficial translation.


One of the most profound changes since the beginning of this century is the exponential development and the massive and global spread of digital technology. The Ministry of Defense is in many ways confronted with the consequences of this ‘digital revolution’. This ‘revolution’ offers opportunities for significantly improving the effectiveness and efficiency of military action, but at the same time introduces risks to uninterrupted functioning of the defense organization and national security that cannot be neglected. To stay ahead in the digital age, the MoD wants to join  forces and deepen cooperation with its partners. The MoD will need to further develop to an effective and innovation-oriented organization, that manages to retain and stay of interest to cyber professionals. This revision of the Defense Cyber Strategy is aimed at that.

The Defense Cyber Strategy (Parliamentary Papers 33 321, nr. 2) of June 2012 has in recent years provided direction, coherence and focus to the integral approach of the development of military capabilities in the digital domain. This involves defense, offense and intelligence. Through this strategy, MoD recognized that digital means are increasingly an integral part of military acting. Since several years, the digital domain (cyberspace) is considered to be the fifth domain for military operations, besides land, air, sea and space. The MoD wants to use this domain optimally to increase her effectiveness. The Defense Cyber Strategy moreover emphasized that the wide dependency on digital means leads to vulnerabilities that need urgent attention.

In the last two years, the MoD made significant steps forward. The intensification that was started by policy letter `MoD after the financial crisis’ of April 28th 2011 (Parliamentary Papers 32 733, nr. 1) and its accelerated continuation in the memo `In the interest of the Netherlands’ (Parliamentary Papers, 33 763 nr. 1), are currently put into effect. The expansion of the Defense Computer Emergency Response Team (DefCERT), the strengthening of the intelligence position in the digital domain of the Military Intelligence & Security Service (MIVD), the establishment of the Joint Sigint Cyber Unit (JSCU) jointly with the AIVD (Parliamentary Papers 29 924, nr.113), and the launch of the Defense Cyber Command (DCC) in 2014, are the basis for the functioning and operating of the MoD in the digital domain. The intensification in the budget of 2015 of structurally 100 million euro (as of 2017) will, as is known, partially be used to strengthen the activity of the MoD in the digital domain. This is an annual investment that increases to 9 million euro as of 2017.

At the same time it is clear that the nature, speed and intensity of developments in the digital domain necessitate periodical revision and, if necessary, change of the strategy. Moreover, since the publication of the Defense Cyber Strategy in 2012, the security context has significantly changed as result of the destabilizing nature of Russia on the European continent, the conflicts in the Middle East and North Africa and the significant terrorism threat that comes with that. The cabinet policy letter `International Security Strategy’ (Parliamentary Papers 33 694 nr.6) emphasizes that the cabinet sees cyber threats as one of the most important future topics in this new security context.

In the General Meeting on digital warfare of March 26th 2014 I promised to revise the Defense Cyber Strategy. With the present letter I fulfill that promise. This revision is meant to give direction to the further development of and investment in digital means at the MoD in the coming years. The National Cyber Security Strategy 2 (NCSS 2) [.pdf] of October 2013 (“From aware to competent”) has served as a government-wide framework for this. The MoD, too, wants to improve its competence and effectiveness in the digital domain. On the basis of this revision, the MoD will in the coming months take the necessary next steps, including on the area of personnel, acquisition and innovation in the cyber domain. Deepening and connecting are keywords in that.

Priorities for the coming years

The principles underlying the Defense Cyber Strategy of 2012 remain relevant. Now that the foundations for defensive, offensive and intelligence means have been built, the present revision is about shifting accents, settings new objectives, and reformulating priorities.

Considering the necessary further strengthening of her digital means, the MoD in the coming years wants to focus on creating the right conditions for success in the digital era. Priorities are:

1. attracting, retaining and developing cyber professionals;
2. increasing the possibilities within the MoD to quickly innovate in the digital domain;
3. joining forces at the MoD and intensifying the cooperation with partners;
4. widening and deepening knowledge of the digital domain within the MoD (including the strengthening of cyber awareness of the entire organization).

By actively working on these priorities in the coming years, the MoD wants to maximally support the strengthening of her digital means. The priorities for the further strengthening of the digital means of the MoD are:

5. digital defensibility of the MoD;
6. intelligence capability of the MoD in the digital domain;
7. development and use of cyber capabilities as an integral part of military operations (defense, offense, and intelligence).

These seven priorities are explained below. They replace the priorities laid down in the Defense Cyber Strategy of 2012.


1. attracting, retaining and developing cyber professionals

Smart, competent and motivated cyber professionals are the most important ‘capabilities’ that the MoD must possess in the digital domain. To be successful in the digital domain, deep knowledge is indispensable, and this knowledge primarily is held by individuals. The MoD will have to put in much effort in the coming years to be of interest to and be able to retain sufficient people with specific knowledge. Because of shortage on the labor market, competitive recruitment and a flexible approach to employment requirements are necessary. Also, alignment is important of the MoD’s personnel policy for cyber professional with the public and private partners. The MoD will furthermore need to leverage the unique significance of her work and the meaning that employees derive from it.

To be attractive to cyber professionals, and to take into account the specific characteristics of this field, the MoD will be flexible with personnel policy. The `Agenda for the future of MoD personnel policy’ (Parliamentary Papers 34 000 X) and the measures that follow from the final report of the temporary committee on government IT projects [.pdf] serve as a basis as much as possible. Because specific knowledge and competences are important in the cyber domain, restrictions that follow from the placement policy of military personnel (such as limited placement period, function assignments, and the system of ranks) must be avoided as much as possible. The MoD will also have to be flexible in salaries to attract and retain cyber professionals.

The MoD also wants to position as an MoD-wide field, by promoting the development of career paths and the exchange of personnel between organizational parts of the MoD. The cooperation and exchange with public partners, such as theNational Cyber Security Center (NCSC), and with private partners are of importance. The cyber chair at the Netherlands Defense Academy (NLDA), the Cyber Education Designation by the Chief of Defense (CDS) and the development of cyber education by the Defense Cyber Expertise Center (DCEC) will contribute to an education and training policy tailored to cyber professionals. Cooperation with international partners, such as the NATO Cooperative Cyber Defense Centre of Excellence (CCD COE) in Tallinn, will in that context have a significant place. The MoD also seeks cooperation with external partners such as universities, renowned educational institutes and the private sector. Lastly, the MoD will expand the number of cyber reserves in the coming years.

2. Effective innovation and acquisition

To be able to effectively innovate and acquire, the MoD will adjust regular process where necessary to the specific characteristics of this dynamical domain. The development and production of weapon systems usually take year. In the digital domain, however, developments are moving rapidly and there is an innovation cycle of months instead of years. Moreover, the development of digital technology is often difficult to predict. To quickly meet an operational need, it is necessary that the MoD can itself develop digital means using commercially acquired digital technology (‘rapid tool development’). The development of digital means for offensive use requires self-developing capability (supported by Concept Development & Experimentation). The MoD will also introduce faster en simpler acquisition and innovation procedures for the digital domain.

3. Joining forces and cooperating

The MoD’s cyber strategy entails an integrated, MoD-wide approach, in which the scarce cyber knowledge, means, personnel and capabilities will be joined as much as possible. Furthermore, close cooperation with national and international partners is of the essence to achieve the MoD’s objectives in the digital domain.

Within the MoD

For the protection of our defense networks, the use of cyber means in military operations, or the gathering of intelligence, often the same knowledge, skills, techniques and materials are used. Therefore it is important that various sections of the MoD work as integrated as possible. This leads to synergy, necessary knowledge sharing, and an effective and efficient use of scarce means and expertise.

The extent and way in which various organizational sections cooperate in the digital domain, is related to the MoD’s tasks on this terrain. This can vary from exchange of employees and the establishment of highly classified connections, to the use of common sensors and supporting information systems. The way in which knowledge and means are bundled also is influenced by legal frameworks and obligations. The Intelligence & Security Act of 2002 (Wiv2002) provides special powers to the MIVD, and a framework for (inter)national cooperation and confidential information exchange. The Royal Military Police (KMar) carries out its tasks on the basis of the Police Act of 2012 (Pw2012). Nonetheless, taking into account the legal framework, more intensive cooperation within the MoD on the area of knowledge and innovation, personnel policy, education and training is possible. The synergy between various parts of the MoD will therefore be actively promoted. In that context, the MoD will also promote co-location of cyber experts.

Together with other parts of government

Due to the interconnectedness in the digital domain, the effectiveness and security of the MoD on this terrain are closely related to the digital defensibility of partners. The classical distinction between military and civil, public and private, and national and international dimensions is less sharp in the digital domain. For instance, national security may be threatened by a large-scale digital attack on one or more public or private organizations. To enhance national digital defensibility, structural cooperation between public and private partners is of the essence. Agreements exist with the National Cyber Security Center (NCSC), that acts as national coordinator, about mutual support and military assistance in the cyber domain. The MoD and NCSC will keep cooperation closely in the interest of a joint view of digital threats and optimal coordination of operational activities. For instance, joint exercises are carried out to further improve the crisis management structure and deepen the civil-military cooperation.

Concerning the KMar, the MoD, as force manager, cooperates closely with the Ministry of Security & Justice and the Public Prosecution Service. The KMar carries out its task on the basis of the Police Act of 2012 and under the authority of, among others, the Public Prosecution Service and the Minister of Security & Justice. Digital technology is increasingly important here as well, for instance in the context of information-driven operations. For the MoD, the police tasks of the KMar within the armed forces are important for safeguarding a responsible military use of the digital domain. The KMar must for instance be able to review the legality of the use of cyber in national and international military operations, and investigate possible criminal offenses in the cyber domain against the armed forces. In addition, the KMar must be able to investigate possible criminal offenses in the digital domain by defense personnel and at defense locations. The digital domain will become more important in all legal tasks of the KMar. Therefore, the MoD will together with the Ministry of Security & Justice and the Public Prosecution Service examine what is needed to equip the KMar for this.

Private sector

The private sector is an important driver of knowledge development and innovation in the digital domain. The Netherlands Defense Industry Strategy (DIS) also shows this. Active cooperation with the private sector is of great importance. Joint research programs. developments of capabilities, and cooperation in education and training are central in this. These can provide important impulses for the development of the various digital means at the MoD.

International partners

Internationally, the MoD specifically seeks cooperation with like-minded countries. The Netherlands sees an important supporting role for the NATO, among others by establishing security standards for member countries, promoting interoperability, and better information and knowledge exchange. The cooperation between NATO and the private sector in the context of the NATO Industry Cyber Partnership (NICP) is relevant to the MoD. In the EU, cooperation within the European Defense Agency (EDA) is important, in which the focus is given to joint research into methods and techniques.

4. Knowledge and cyber awareness: widening and deepening

The pace of technological developments and the variability and unpredictability of the digital domain emphasize the necessity to keep investing in the knowledge level at the MoD. Cooperation and knowledge management are central. The Netherlands Defense Academy, the Defense Cyber Expertise Center (DCEC) and the Defense Staff will promote an innovative and experimental working climate at the MoD. The JSCU, too, will actively contribute to this. Lastly, education and training ensure that cyber knowledge is embedded in the entire defense organization. The DCC will initiate and facilitate education and training that is important at all levels of the organization. The themes will vary from cyber awareness to expert-level skills, depending on the target audience. The DCC intensively cooperation with the warfare centers of other parts of the armed forces, the knowledge elements within the MIVD, the Joint Communications & Information Services Command (JIVC) (including DefCERT), the Chief Information Officer (CIO) and the MoD’s Security Authority.

Structural approach of cyber awareness

It is necessary that defense personnel at all levels of the organization are aware of the possibilities and dangers of the digital domain. Employees can unintentionally pose a risk for the MoD’s digital security through improper or careless use of IT means. To counter this, the MoD will structurally address this in all educations and training. For instance, the Defense Security Authority had already developed course materials and a “digital driver’s license” for defense personnel. Education and training will also be increasingly focused on the possibilities that digital means provide for carrying out defense tasks. Cyber operations will be increasingly important in the design, planning and execution of exercises. The MoD will also train employees and military units to operate under circumstances in which they temporarily cannot use the (full) functionality of networks and systems. Lastly, the MoD will invest in the training of all IT and CIS employees, so that they can detect cyber attacks faster and take the right measures.

Cyber awareness is not only of great importance to the MoD. The same holds for national and international partners. Therefore, the MoD cooperates with (security) partners, such as in the annual Alert Online campaign (aimed at citizens, the government, and the private sector), that will be coordinated by the NCSC.


5. Strengthening digital defensibility

The armed forces are increasingly dependent on the reliability of information. They also strongly rely on high-end communications and information systems, networked weapon systems and logistical systems. Both in military operations and overall operations, the MoD strongly depends on these systems to ensure deployability of the armed forces. The amount of data generated by sensors, weapon systems and command systems (SEWACO systems) and networks is increasing exponentially. Defense networks and systems are furthermore vulnerable to manipulation during development, production, transport and maintenance. Not only the security of systems and networks, but also the security of information itself is thus of the essence. Exclusivity (only authorized access), integrity (no unauthorized changes) and availability (access) of information are paramount.

The Cyber Security Assessment Netherlands 4 (CSBN-4) shows that digital threats are increasing and are becoming more complex and advanced. The MoD and partners increasingly deal with increasingly aggressive forms of espionage, crime and other activities such as cyber sabotage. This not only involves known and common malware. A more urgent problem are targeted, advanced and covert digital breaches, often carried out by by state actors, that cannot be adequately countered through regular security measures. This threat is significant. Non-state actors are an increasingly large risk as well. The knowledge, means and techniques to carry out advanced digital attacks are becoming accessible to everyone.

The use of digital means in military operations has also increased, and is being developed. A cyber attack on IT, sensor, weapon and command systems, or operational logistics, is a severe threat to the deployability and effectiveness of the armed forces. This threat is not limited to mission areas, but also to defense networks and systems elsewhere in the world, and it can also be aimed at Dutch vital infrastructure or allies.

A fully `waterproof’ digital defense is infeasible. By quickly detecting anomalies in (vital) systems and taking extra measures, the damage can be mitigated as much as possible in the case of digital espionage or sabotage. Intelligence are indispensable to act against vulnerabilities in, and threats against networks and systems.

As described in Chapter 4, digital defensibility will be a prominent part of all defense training. The MoD will also establish one Security Operations Center (SOC), in which all management organizations cooperate to monitor and defend all networks, IT services and SEWACO systems of the Netherlands and in mission areas, day and night. This SOC will get extra personnel and will closely cooperate with DefCERT. In case of incidents, DefCERT coordinates contact with other CERTs, collects information about digital vulnerabilities, and provides advice about measures. An independent position of DefCERT toward the SOC is of great importance. The MoD will furthermore keep investing in a high-quality intelligence position in the digital domain. Cooperation between intelligence and the management organizations is of the essence to the MoD’s digital defensibility. To support this, the MoD will prioritize the establishment of facilities that enable the involved parts of the defense organization to exchange highly classified information. It goes without saying the the MoD will renew the security of her systems continuously through the development of innovative protection, detection and mitigation measures. The MoD also requires suppliers to take similar measures. To ensure the security of IT facilities and the supply chain in the future as well, the MoD will change the so-called ABDO regulation. This describes how external service suppliers must handle the MoD’s confidential information.

The security, continuity and innovative power of the IT facilities of the MoD, and the improvement thereof as described in the vision on IT (Parliamentary Papers 31 125 nr.45), are of course important to the further improvement of digital defensibility.

6. Strengthening the intelligence capability in the digital domain

The global digitization of society has far-reaching consequences for intelligence work. The unstable international security situation demands a flexible intelligence capability to gather information at an early stage, as needed for political and military decision-making. In the Netherlands, in allied contexts, and in (potential) mission areas, the MoD is confronted with technically advanced actors that pose a threat in the digital domain to the security interests of the Netherlands, and to a secure and effective execution of military operations.

The MoD needs insight into the means, intentions and activities of opponents to provide itself, the government and for instance allies perspectives of action. To strengthen the MoD’s defensive cyber capabilities, forward-looking capability for the protection of the MoD’s own systems is necessary. In addition, the MoD must be able to identify, counter and influence threats such as espionage. Offensive operation in the cyber domain also requires intelligence and preparatory intelligence activities, for instance to gain access to systems and map possible targets. These activities, preceding and during operations, are not limited to the digital domain, but also require other special means, such as human and signal intelligence. Locally obtained data can also be an important part of intelligence support preceding and during operations.

The MoD’s intelligence task is primarily carried out by the MIVD, under the responsibility of the Minister of Defense. The legal framework for the MIVD’s activities are laid down in the Wiv2002. On the basis of this law, the MIVD can carry out necessary actions to gather intelligence about the digital domain, and perform counterintelligence locally and abroad. It is, taking into account the legal requirements, permitted to enter computers. Considering the legal requirement to protect sources and methods, the law also provides the basis for confidential (inter)national cooperation.

To achieve and maintain sufficient flexibility in the digital domain, modernization of the Wiv2002 is necessary. The cabinet’s viewpoint concerning the renewal of the interception framework laid down in the Wiv2002 (Parliamentary Papers 2014-2015, 33 820, nr. 4) is of the essence to the MoD’s objectives in the digital domain. Access to cable telecommunications is a condition for identifying cyber threat at an early stage and to gather intelligence on the nature of the threat. The ability to explore the digital domain is moreover of the essence to intelligence operations and the support of cyber operations.

The MIVD will develop reporting mechanisms aimed at intelligence consumers. This can involve integrated analysis (so-called `all source products’), an exploration of cyberspace in relation to a potential mission area, or a signature of an advanced cyber threat. Cyber-related research questions will be included in the annual Defense Intelligence & Security Priorities (IVD) to further guide the MIVD’s efforts. The MoD also aims to further integrate the use of special means such as human and signal intelligence and an expansion of analysis capability in support of the information position in the digital domain. Advanced threats, such as aimed at defense-related industry and NATO institutes, are rarely limited to the Netherlands. International cooperation is therefore an important condition for countering such threats. Considering the classified character, this often takes place between intelligence and security services.

One of the core competences for the MoD and the Ministry of the Interior in the coming years is the JSCU, that the MIVD and AIVD established in 2014 (Parliamentary Papers 29 294, nr. 113). The MoD strives for the strengthening of this unit and the cooperation with the AIVD. In this joint unit of the MIVD and AIVD, technical knowledge and expertise concerning sigint and cyber are bundled. The JSCU acquires and disseminates data from technical sources, performs data analysis and technical investigations into cyber threats, and focuses on innovation and knowledge development.

7. Strengthening the use of cyber in military missions

Operational digital means consist of all knowledge, means, and the conceptual framework to predict, influence or deny enemy action in a military operation, as well as the capability to protect own units against similar acts by the enemy. Operational digital means entail defensive, offensive and intelligence elements. They are inseparably part of modern military action.


By offensive cyber capabilities, the MoD means digital means that have as purpose to influence or deny enemy action. This takes place through infiltration of computers, networks, and weapon and sensory systems to influence information and systems. The MoD uses digital means only against military targets.

As a consequence of the intensive use of high-end communications, information and weapon systems, opponents too are depending on the reliability and availability of digital means. Offensive cyber capabilities can therefore, as a part of the total military power, provide an essential contribution to achieving the intended effects. They thereby are an important addition to existing means.


In a military operation, defensive measures against cyber threats are important to ensure the effectiveness and deployability of the armed forces. This starts in the integral preparation for a mission, among others by mapping the most important vulnerabilities in the networks and systems in a mission area, and mapping possible defensive scenarios. In a mission area, networks and systems must be continuously monitored, to intervene in case of breaches. In a cyber attack during a military operation, rapid response may be necessary. A definitive attribution (through intelligence about the way in which and by whom the attack was carried out, and with what objective) is essential. This emphasizes the need for evaluated and validated intelligence, that must be provided timely to the responsible commander. The responsible commander will have to weigh operational interests and intelligence interests, ensure the legitimacy of action, and often have to decide under time pressure. The mandate for the use of digital means will be determined per military operation, partially on the basis of the political risk, the potential collateral damage, the legal framework, and the necessity of secrecy.


A high-quality intelligence position at all levels is a condition for the execution of military missions. Especially in the digital domain, strategic and operational intelligence are interwoven, and must usually be acquired using high-end and sometimes costly means during a longer period. These can be appended by often locally acquired intelligence. An integral intelligence position brings the MoD in the position to properly estimate and influence opportunities, threats and risks.

In case of military operations abroad, the international legal framework is the primary basis and framework for the MIVD’s acting. The Wiv2002 will then be applied analogously insofar the circumstances in the mission area permit.

Tasks and powers

After a cabinet decision on the use of the armed forces, for defense if own or allied territory or the international rule of law, digital means of the armed forces are always under the command of the CDS. The decision to participate in a military operation may be accompanied by national limitations (caveats) on the use of Dutch units, specific weapon systems or interpretation of rules. This also applies to possible use of cyber units or cyber(weapon) systems. The use of cyber means for the third task of the MoD — the support of civil authorities in maintaining rule of law, fighting disasters and humanitarian aid, both nationally and internationally — takes place under civil authority.

If the Netherlands has a legal basis for acting, a clear assignment, purpose and Rules of Engagement must be formulated for cyber units . The legal framework is not different from that for the use of conventional means. The use of strategic cyber means will be determined primarily at the national level. The authority to use tactical cyber means will be determine per operation in the Rules of Engagement.

Capability development

To allow responsible and effective use of digital means in military operations, the MoD will address the following topics in particular:

– the further development of a Defense Cyber Doctrine;
– the development of offensive cyber means and of guidelines for the readiness of cyber units and cyber means that are flexibly composed;
– the setup of defensive digital means during missions;
– the development of cyber (intelligence) means for tactical use;
– the integral of cyber aspects in the operational decision-making process, preceding and during operations.

Offensive cyber means can vary from relatively simple and quick to develop means with a tactical impact to means with a high, strategic impact that require a long time to develop. The complexity and technological quality of these means mostly depend on the desired effects. These means are focused primarily on seizing information and communications networks, and sensory, weapon and command systems of (potential) enemies. Although relatively simple offensive cyber weapons can sometimes be effective for shorter periods, these capabilities distinguish themselves from conventional military capabilities by the fact that they can often only be used only once and are specifically developed for one purpose. It may involve complex means of which development, maintenance and use is labor-intensive and time-consuming. The preparation, development and use are a combination of specialized personnel, available technology, proper intelligence and processes, also to prevent undesired side effects of the use of offensive cyber means. The DCC ensures coordination between the various parts of the MoD and their digital means, and possesses specialists to carry out this task. This ensures an optimal use of cyber means in support of military operations, and prevents redundancy within the MoD.


The MoD has in recent years taken significant steps in the digital domain, and made significant investments. The Defense Cyber Strategy was the basis for that. The memo `In the interest of the Netherlands’ accelerated the implementation. The present revision determines the direction in which the MoD will further develop in the coming years, fully aware that the digital revolution requires flexibility in the application and financing of this strategy. To keep pace with the stormy development in the digital domain, the MoD will carry out a policy review in 2016 and 2017, which will be offered to the House of Representatives.


J.A. Hennis-Plasschaert