Month: November 2018

Dutch MoD Defense Cyber Strategy 2018: “Investing in digital military capability” (unofficial full translation)

On 12 November 2018, the Dutch minister of defense released (in Dutch) the MoD’s Defense Cyber Strategy 2018. The initial strategy was released in 2012 and revised in 2015. The new strategy document (.pdf, in Dutch; mirror) is available only in Dutch, as were previous ones. In the post you’re reading now I provide a single-page, unofficial translation of the entire text (~3500 words). A single-page plain text version in Dutch is available here.

Some takeaways (do read the entire text; these takeaways are not a summary):

  • The MoD wants to (publicly) confront perpetrators of cyber attacks with their behavior more often — an example of this was the public outing of a Russian cyber operation on 4 October 2018 — because a state actor “who is (publicly) held accountable for his actions will make a different [risk] assessment than an attacker who can operate in complete anonymity.”
  • The MoD will invest (more) in offensive capabilities, among others for the purpose of attribution (see previous bullet).
  • The MoD is conducting a study into the design, formation and organization of a Cyber Innovation Hub to be set up in 2019, in which government departments, research institutes and companies work together on joint and prioritized security issues in the field of cyber security.
  • As of 2019, the MoD will invest ±6.5 million euros per year in cyber research. This is an increase from the 4 million euros invested in previous years.

Google Translate was used for initial translation of the bulk text, which I then compared line-by-line to the original Dutch text. I corrected translation weirdness and errors (of which there were quite a lot; a reminder that automated translation should not be fully relied upon when details matter), added a few horizontal lines as separators for clarity of exposition / readability, made minor modifications to make the text intelligible to non-Dutch readers, added hyperlinks for easy referencing, and added minor explanation and/or links within [square brackets]. Feel free to contact me with questions or corrections.

I’m committed to the motto “cool URIs don’t change”, so the link you’re currently visiting can be considered a permalink, suitable for use as reference in bibliography if needed/desired — although it is, of course, generally better to reference original sources than unofficial translations.

[Temporary note: over the upcoming week I will re-read the text and correct spelling & grammar errors if any remained; and will also add more links. I will then remove this note.]

Dutch MoD Defense Cyber Strategy 2018: “Investing in digital military capability”


Table of Contents

Introduction

Chapter I: The MoD’s contribution to digital security of the Netherlands and NATO

Chapter II: Winning digitally in military operations

Chapter III: Prerequisites: personnel, knowledge development and innovation, cryptography


Introduction

Our country must be able to rely on the ministry of defense when needed. Acting against serious digital threats to our security, both nationally and internationally, is part of this.

With the deterioration of international security and the tightening of geopolitical conflicts of interest, the MoD’s contribution to our digital security has become even more important. The Cyber Security Assessment Netherlands (CSAN) 2018 shows that the biggest digital threat to our national security comes from nation states. This has consequences for what is expected from the MoD. Moreover, our increasingly digitized country must be prepared for advanced digital threats in the event of an unforeseen military conflict. The MoD has to take responsibility, both at national level and in NATO.

The present Defense Cyber Strategy is established within the framework of the Defense Memorandum, the Integrated Foreign and Security Strategy (GBVS) and the National Cyber Security Agenda (NCSA), and contributes to the implementation of these strategies. It builds on the foundation provided by the first Defense Cyber Strategy in 2012, which initiated the establishment of the Defense Cyber Command (DCC) [read more] and the Joint Sigint Cyber Unit (JSCU) [read more] of the General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service (MIVD), and the strengthening of the Defense Computer Emergency Response Team (DefCERT) and Royal Netherlands Marechaussee. Many steps have been taken since 2012. It is now time to accelerate and connect.

The expanded financial budget established in the coalition agreement, rising to 20 million euros annually per 2021, enables this.

On the basis of this strategy, the MoD invests in cyber capabilities to:

  • Be in charge of its own IT and weapon systems at all times and to ensure its digital resilience. This will remain an important point of attention in the coming years.
  • Know even better who is threatening our national security in the digital domain. The MIVD plays an indispensable role together with the AIVD.
  • Have more possibilities to disrupt or deter digital attacks.
  • Cooperate with civil partners to ensure the safety of the Netherlands and of our vital infrastructure, and to ensure continuity of vital processes in the event of an unexpected military conflict involving the use of digital attacks.
  • Deploy digital means in a targeted manner to obtain and retain dominance during military operations.

The achievement of digital power for the Netherlands is an ambitious goal. But it is a necessary ambition, given the core tasks of the MoD in protecting its own territory and NATO territory, promoting international legal order, and supporting civil authorities.


Chapter I: Defense’s contribution to the digital security of the Netherlands and NATO

State actors and criminal groups are becoming less and less reticent in the digital domain. Cyber attacks and incidents occur on a daily basis. They can no longer be regarded as isolated. Increasingly, interrelated incidents occur, which together form a campaign of state actors and their proxies, intended to undermine our economy, vital infrastructure, military capabilities, and the democratic order of countries. It should also be taken into account that certain states are targeting industrial control systems in vital sectors in preparation for a possible military conflict. These are activities or operations aimed at creating the conditions for a military operation (shaping the battlefield). The MoD has a responsibility to act on this, in close consultation with civil partners. What is clear, however, is that if an (imminent) cyber attack takes place on such a scale that it can be seen as an (imminent) armed attack, every state has the right to defend itself under international common law and Article 51 of the UN Charter.

Proper defense and security are not enough to keep malicious persons from digital attacks. More and more allies are taking a more active stance in the digital domain (active defense). In the context of both the first and third core tasks of the MoD, a more active defense contribution is necessary within existing structures. To reinforce this, the MoD will invest in the following capacities and concepts during the coming years:

  1. Information: capacity to act and attribution
  2. Contribute to deterrence by military assets in the digital domain
  3. Digital resilience and protection of own networks and systems
  4. Research into national fallback options
  5. Military assistance and support to civilian authorities
  6. Law enforcement (Royal Netherlands Marechaussee)

1. Information

Capabilities

The vast majority of digital attacks can be thwarted by the IT or CERT organization of the affected party. To counter the covert, persistent digital attacks by state actors (Advanced Persistent Threats, APTs), however, (counter-) intelligence research is also required. This research provides unique information with which effective defensive measures can be taken. The MIVD makes information about digital threats available to relevant actors inside and outside the MoD who can take measures based on this, such as DefCERT, the Public Prosecution Service, the National Cyber Security Center (NCSC), and companies. To detect digital espionage or sabotage, technical characteristics acquired by the MIVD and AIVD about cyber attacks can be used in the National Detection Network (NDN). The NDN is a partnership that aims to detect digital threats against vital sectors and the national government better and faster, so that damage can be prevented or limited. The contribution of the MIVD to the NDN will be expanded. New defense tools will be used to develop an active defense against digital attacks. In addition, the number of sensors is being expanded to enable digital attacks to be detected better and faster and to investigate and respond effectively to the threats. In addition to participating in the NDN, the MIVD, as announced in the NCSA, will also participate in the cooperation platform involving NCSC, AIVD and police to quickly share relevant (technical) information about cyber threats at a joint location. In addition, information forms the basis of military capability in the cyber domain. Offensive cyber capabilities build on the intelligence/information position. On the basis of intelligence from the MIVD, the Defense Cyber Command can design military capabilities.
Finally, within the framework of the Intelligence and Security Services (ISS) Act [in Dutch: ‘Wiv2017’], the MIVD can also act itself on the basis of intelligence to disrupt acute threats in the digital domain.

Attribution

The increasing cyber threat requires a strong, international response based on international agreements. The status quo is still insufficient. The cabinet wants to (publicly) confront perpetrators of cyber attacks with their behavior more often. This requires detection, and then political, and possibly legal, attribution. Determining who is the actor behind a cyber operation (technical attribution) is therefore an indispensable and complex aspect that requires intensive research. By means of high-quality and knowledge-intensive intelligence research, the MIVD, in collaboration with partners such as the AIVD and the police, tries to discover the actor behind a cyber attack and the actor’s intentions, so that the cabinet can proceed to political attribution and take targeted countermeasures. An active political attribution policy contributes to deterrence and making the Netherlands less attractive as a target of cyber attacks. A state actor who is (publicly) held accountable for his actions will make a different assessment than an attacker who can operate in complete anonymity. The Netherlands thereby contributes to combating impunity in the digital domain.

2. Contribute to deterrence by military assets in the digital domain

Deterrence means that an opponent refrains from (repeating) an attack because he is convinced that costs do not outweigh benefits. Deterrence is not domain-bound, in other words: attacks from another domain can be deterred with cyber resources, and conversely, deterrence of cyber attacks can come from other domains. The operational capacities of the Defense Cyber Command contribute to the total arsenal of deterrence means available to the government. Deterrence makes the Netherlands a less attractive target for (cyber) attacks and is above all a means for conflict prevention. In addition to the ability to attribute attacks, deterrence requires credible offensive capabilities. Through integration in (ongoing) missions and operations, the MoD will work on the visibility and credibility of its digital military capabilities.

NATO is the cornerstone of Dutch security policy for the government. The Netherlands has made a strong case with other allies for the alliance to recognize cyberspace as a military domain. The alliance recognized this at the Warsaw Summit in 2016. Since then, a lot of work has been done to operationalize the digital domain, for example by designing a mechanism for integrating cyber capabilities into NATO missions and operations. This will contribute to the collective task of defense and deterrence. Therefore, at the NATO summit in Brussels in July 2018, the Netherlands declared its willingness to contribute with cyber capacities to allied missions and operations.

3. Digital resilience and protection of own networks and systems

In order to be able to contribute to the digital security of the Netherlands and to guarantee the safe and effective deployment of the Dutch armed forces, it is necessary that the MoD’s own digital resilience adapts to threats. Deployment of the armed forces is therefore regarded as a vital process within the framework of vital infrastructure. The IT systems of the MoD are fully intertwined with business operations, command systems, and sensor and weapon systems. The MoD is dependent on these IT systems and the information available on them. Cyber attacks against IT, sensor, weapon and command systems can undermine deployability and effectiveness of the armed forces. A high level of security awareness and effective protection of systems and networks therefore require sustained effort. Preventive measures form the necessary basis for digital resilience, the combination of awareness, prevention, detection and capacity to act. In order to protect MoD systems, these measures must be implemented across the entire IT chain, from software development to network protection. This also places high demands on the personnel working on the design, security, use and maintenance of IT systems. The knowledge of the staff must be up-to-date, and the staff must have access to the latest techniques.

All defense departments involved must make every effort to protect the MoD from cyber threats. The defensive cyber chain consists of several layers, spread over the entire defense organization. Cyber governance and policy provide direction, focus and frameworks for the efforts in the cyber domain. Security by design means that implementation of security measures is already taken care of when designing IT systems. Security assessments analyze and assess systems for residual risks, and compliance and supervision check adherence to policies and regulations. Security and surveillance focuses in particular on connections between the MoD and external networks. Incident response ensures mitigation of cyber incidents.

4. Research into national fallback options

It will be investigated which MoD facilities in collaboration with which parties can be used to keep critical processes running when there is a societal disruption of ICT as a result of a digital attack. Facilities such as the physically separated and secured fiber MoD network (the Netherlands Armed Forces Integrated Network, NAFIN) can play a role in this.

5. Military assistance and support to the civil authorities

To contribute to national security, the MoD will strengthen the implementation of the third core task in the digital domain by making a greater contribution to existing civil structures. In view of the nature of the threats, the MoD is focusing in particular on vital infrastructure through more intensive cooperation with the responsible security partners, in particular the NCSC. Supply and demand of cyber capabilities of the MoD are identified in consultation with civil authorities and public and private partners. By being involved in sector-specific developments and threats at an early stage, the MoD will be able to switch to providing assistance and support more effectively if necessary. To achieve this, the MoD wants to make a larger and more tangible contribution to existing civil structures in the field of information sharing and response.

Information sharing

Information Sharing and Analysis Centers (ISACs) [more here; in Dutch] have been set up to create a familiar environment in which organizations from the same sector can share tactical information about (sector-specific) cyber threats, incidents, experiences and mitigating measures, with the aim of strengthening digital resilience. Participants in an ISAC have a pivotal role within their own organization in the field of information security, ICT security, and policy. The NCSC, the AIVD, and the police are connected to most ISACs. The Royal Netherlands Marechaussee is a permanent partner in the Airport ISAC. The permanent network that an ISAC entails and the information that is exchanged is an important added value for all participants. Due to their nature and composition, ISACs offer an ideal platform for gaining more knowledge about sector-specific cyber threats and opportunities of the MoD to contribute to mitigating measures if necessary. The MoD, in consultation with the NCSC and members of the ISACs, will explore whether the MoD’s involvement in the ISACs can be intensified.

Response

The National Response Network (NRN) is a network of CERT organizations, coordinated by the NCSC, with the aim of strengthening technical responses to cyber security incidents. This is done by exchanging knowledge, experience and personnel. This way, cohesion is organized and existing capacities are strengthened. In addition to the NCSC, the current NRN partners include DefCERT, Tax Authorities, Rijkswaterstaat, SURF, and the Information Security Service of municipalities. The MoD will actively contribute to the NRN and strive for expansion of the network. The MoD will also commit to use the NRN as a platform for exercises with vital sectors and the NCSC. Joint exercises ensure that organizations become familiar with each other’s procedures, interests and working methods and can therefore collaborate more effectively if a calamity actually occurs.

6. Law enforcement (Royal Netherlands Marechaussee)

The MoD has a management responsibility in the execution of the police tasks of the Royal Netherlands Marechaussee. The Royal Netherlands Marechaussee must also be equipped in the face of increasing cyber threats. In particular, the digitization of border processes and increasing digital identity fraud generate risks. These risks must be controlled by both better defense and investigation. For the implementation of this, the Royal Netherlands Marechaussee will enter into partnerships with, among others, the police and FIOD.


Chapter II: Digital winning in military operations

Article 97 of the Constitution for the Kingdom of the Netherlands states that a Dutch armed force exists, including for “the purpose of maintaining and promoting the international legal order.” The reference in this article to the international legal order is closely linked to Article 90, which states that the government will promote international rule of law. Partly because of increased instability in countries on the edges of Europe, this second core task will also require a lot from the MoD in the coming years. Due to the undermining of the international legal order, the open and free international (trade) flows are also at stake. Safeguarding supply routes on land, at sea, in the air and in the digital domain is an interest of the international community to which the government is committed. The Netherlands is committed to promoting the international legal order, conflict prevention and stabilization.

The Netherlands also contributes to this by taking an integrated approach to military missions and operations in an alliance.

The digital domain will play an important role in every future conflict and the government determines that for the effective execution of the second main task of the armed forces in the digital domain, further development of cyber capacities is necessary. In order to create more dominance in the digital domain when deploying the armed forces for the promotion of the international legal order, Defense will further invest in the following capacities and concepts in the coming years.

1. Creation of composite cyber mission teams

As part of the military capability, cyber capabilities can contribute to military missions and operations. To enable military action in the digital domain, in-depth knowledge must be available at an early stage about vulnerabilities within systems of potential opponents. Based on its statutory tasks, the MIVD supports the DCC with information that is necessary for an effective military deployment in the digital domain. Because intelligence and military operations in the digital domain require similar knowledge and skills, cyber mission teams, consisting of both MIVD personnel and staff of the armed forces, are formed on an international basis. The designated employees operate within the framework of the ISS (in Dutch: Wiv2017) and are placed under the command of the Commander of the Armed Forces within the relevant mandate when deploying the armed forces. If necessary, components from DefCERT and the operational commands will also be added to these teams. In order to be able to test military deployment in the cyber domain for legitimacy, the Royal Netherlands Marechaussee is investing in knowledge-building in this area.

2. Cyber capacities as a fixed component in military planning

The digital aspect is taken into consideration at an early stage of the planning phase of each (potential) mission. This is expressed in (military) advice and analysis by the Operations Directorate and subsequent (operation) planning. When the armed forces are actually deployed to maintain and promote the international legal order, Article 100 of the Dutch constitution applies to the provision of information to the Dutch States General. Article 100 states that the government is obliged to inform the States General in advance of “the deployment or the provision of the armed forces for the maintenance or promotion of the international legal order.” ‘Article 100 letters’ will from now on include a cyber paragraph when relevant to a mission. This paragraph lays down, within the limits of what can be shared publicly, what contribution military cyber capabilities make to the mission or operation in question. In this way, the MoD is promoting awareness, inside and outside its own organization, of the increasing importance of the digital domain as a fully-fledged domain of military action.


Chapter III: Conditions: personnel, knowledge development and innovation and cryptography

The present strategy outlined the developments and priorities that should lead to the MoD being able to effectively implement its three main tasks in the digital domain. This will not be possible without giving substance to the conditions that apply to all these measures: personnel, knowledge development and innovation, and cryptography.

Personnel

To be successful in the digital domain, in-depth knowledge of the domain is indispensable. Cyber and IT professionals have the necessary knowledge and experience. Because of the scarcity of specialists on the labor market, it is not evident that the MoD will always have access to that knowledge. In the coming period, the MoD will investigate possible solutions to improve recruitment and retention of cyber professionals, both military and civilian. Attention is paid to connecting cyber and IT professionals. By establishing career paths, improved insight into the entire human cyber potential can be created, and recruitment, retention and careers can be steered in a more focused way. Also, the use of exchange facilities inside and outside the MoD (including market parties) ensures that the knowledge of cyber professionals remains current, employees are more satisfied and the network of cyber professionals is strengthened.

To offer cyber and IT professionals opportunities for development within the domain, functions will be categorized. In order to prevent competition within the government and promote interoperability, the MoD is committed to uniform job descriptions and equivalent valuations for cyber and IT professionals.

Knowledge development and innovation

Knowledge development and innovation in the field of cybersecurity is necessary to stay ahead of opponents and to cope with new digital threats. Moreover, a high-quality, autonomous knowledge position makes Defense less dependent on cybersecurity expertise and solutions from others. In the NCSA, knowledge development is therefore also mentioned as one of the seven main ambitions in the area of cyber security for the coming years. This concerns both fundamental and applied cybersecurity research. This means multidisciplinary research in the entire knowledge chain that looks at solutions for both the longer and the shorter term. Therefore, in 2018 Defense has also become a member of the Dutch Cyber Security Platform for Higher Education and Research (Dcypher). This platform provides, among other things, for the agenda and coordination of cybersecurity research and higher education.

The recently published third edition of the National Cyber Security Research Agenda (NCSRA) [.pdf] is an important framework for cybersecurity knowledge development in the Netherlands. The MoD has actively contributed to the creation of this agenda. As of 2019, the MoD will expand available means for research in the field of cyber. The MoD will invest almost 6.5 million euros per year in cyber research from 2019 onwards, which is an increase from the 4 million euros in previous years. Where possible, this is done together with other departments, as also announced in the Dutch Digitization Strategy.

Together with a number of other parties, the MoD is conducting a study into the design, formation and organization of a Cyber Innovation Hub to be set up in 2019, in which government departments, research institutes and companies work together on joint and prioritized security issues in the field of cyber security. The aim of the Cyber Innovation Hub is to strengthen cyber knowledge and expertise in the Netherlands, and to facilitate innovations and experiments.

EOF

Joint statement from the Belgian, Danish, Dutch, Norwegian & Swiss spy oversight bodies: “Strengthening oversight of international data exchange between intelligence and security services”

The intelligence oversight bodies in five European countries today announced a “new form of cooperation” via a joint statement (.pdf; mirror) that was signed in Bern (CH) by the five heads of national oversight on 22 October 2018. The participants are:

  • 🇧🇪 Belgium: Belgian Standing Intelligence Agencies Review Committee
    • Locally known as `Comité permanent de contrôle des services de renseignements et de sécurité’ (French) and `Vast Comité van Toezicht op de inlichtingen- en veiligheidsdiensten’ (Dutch)
    • Website: http://www.comiteri.be/
  • 🇩🇰 Denmark: Danish Intelligence Oversight Board
  • 🇳🇱 Netherlands: Review Committee on the Intelligence and Security Services
    • Locally known as `Commissie van Toezicht op de Inlichtingen- en Veiligheidsdiensten’ (CTIVD)
    • Website: https://www.ctivd.nl/
  • 🇳🇴 Norway: EOS Committee – The Norwegian Parliamentary Intelligence Oversight Committee
  • 🇨🇭 Switzerland: Independent Oversight Authority for Intelligence Activities (OA-IA)
    • Locally known as `Unabhängige Aufsichtsbehörde über die nachrichtendienstlichen Tätigkeiten’ (AB-ND)
    • Website: https://www.ab-nd.admin.ch/

According to the statement, it:

  • Describes their project, “which entailed each of them conducting an investigation into their respective countries’ services’ use of information regarding foreign terrorist fighters and sharing our methods, best practices and experiences.”
  • Addresses the challenges they met “when overseeing international data exchange, including the risk of an oversight gap when intelligence and security services cooperate internationally.”
  • Identifies ways to “move forward towards strengthening oversight cooperation, for example through minimizing secrecy between oversight bodies so that certain information can be shared, in order to improve our oversight of international data exchange.”

The challenges to international oversight that are mentioned (and explained) in the statement:

  • “Oversight does not cross national borders”: oversight is limited to national mandates, hence does not have a framework that provides possibilities for international cooperation / matching / comparison / benchmarking.
  • “The challenge of cooperation in the face of secrecy”: speaks for itself.
  • “Assessment of necessity and proportionality”: this can vary depending on, for instance, how different countries interpret and evaluate these, which can include differences in the use of the margins of appreciation that nation states have under international law with regard to the concept of national security.
  • “Some countries differentiate between citizens and foreigners”: speaks for itself.
  • “Means and methods of data exchange”: informal vs formal, and differences in how exchange takes place in practice.

The most important parts (IMHO) are these paragraphs from the section “5. Oversight of international data exchange – moving forward” (bold emphasis is mine):

“[…]

Due to technological development and increased cooperation, the data exchange between intelligence and security services is intensifying, resulting in an increase of the number of individual data exchanges. The sheer volume of data exchanged may become a challenge in itself. To assess the legitimacy and quality of each individual exchange can become an overwhelming task for the oversight bodies. In addition to conducting spot checks, it is becoming increasingly important to assess the system and framework for data exchange and the existence and functioning of safeguards for the protection of fundamental rights.

To do this effectively, oversight bodies will need to develop new methods. One way forward may be to increasingly use computerized automation and tools developed for conducting oversight of large volumes of data. In order to achieve this, oversight bodies need to expand their IT expertise and knowledge of the services’ systems. Another way to facilitate a more effective oversight would be to take the needs of the oversight bodies into account when the services implement new systems and to strengthen mechanisms of internal and external control.

The oversight bodies of Belgium, Denmark, the Netherlands, Norway and Switzerland will continue to exchange methods and best practices, as well as discuss international challenges to oversight, and the best approaches to overcoming these challenges. We invite oversight bodies from other countries to join us in our efforts to limit the risk of an oversight gap and to improve oversight of international data exchange between intelligence and security services.

EOF