Month: May 2020

Netherlands Court of Audit: ministry of Foreign Affairs still practices insufficient information security

Note: I have mixed feelings about repeating/amplifying this information by posting a translation here, but deficiencies similar to the observations by the Court of Audit can also be found in public reports in other countries (Anglosphere and beyond). I.e., information security in foreign affairs realms is a generic(-ish) point of attention, not a Dutch one.

On 20 May 2020, Dutch newspaper Volkskrant published (in Dutch) an article about an audit report (in Dutch; mirror) regarding the ministry of Foreign Affairs. The report comes from the Netherlands Court of Audit, which is responsible for auditing national government expenditure.

The Volkskrant article stemmed from an anonymous tip sent to Dutch whistleblower website Publeaks.nl (more) and appeared on the same day that the Court’s audit report was published.

Key takeaway from the article (TL;DR):

“According to the whistleblower, ‘state secrets are at risk’ and the IT system and encryption of information were outdated and unsafe in ‘the days of Hawija and MH17’.”

The Court is clear about its assessment of the state of information security at the ministry of Foreign Affairs. Translating a part of the conclusion on p.17 of the Court’s audit report:

Moreover, the Minister paints a very positive picture of this to the Lower House of Parliament. This is illustrative of the lack of recognition of the importance of good information security at the Ministry of Foreign Affairs that we have observed for a number of years in succession. Especially at the Ministry of Foreign Affairs we expect a better understanding of the importance of good information security in view of the threat from state actors, among others.

For the third year in a row, the ministry does not comply with the regulations for information security that apply within the national government. That is why the Netherlands Court of Audit qualifies information security at the Ministry of Foreign Affairs as a serious deficiency.

Table 3: Deficiencies at the Ministry of Foreign Affairs
(translated: “Information security: Deficiency | Deficiency | Severe deficiency”)

The Court makes the following recommendations, in addition to upholding last year’s recommendations:

  • Ensure that documentation, such as an information security strategy/vision, is formalized at the appropriate level to provide guidance and support for information security in accordance with organizational requirements and relevant laws and regulations.
  • Provide an overarching annual plan for information security with the translation into projects that include budget, staffing and supplies. This is an instrument for steering the realization of information security goals in accordance with the policy, mission and strategy, and the support for this.
  • Describe the risk management process with the most important elements such as control, acceptance and ownership of risks in order to achieve the correct security of information and information systems within the context of the organizational objectives.

The Court notes that security is as strong as the weakest link and that cross-departmental systems do not yet have clear owners/responsibilities (bold emphasis added):

We note that there is a real risk in the chain of information exchange. There are strong interdependencies between ministries in exchanging state-secret, company-confidential and privacy-sensitive information. Due to the large differences in the levels of information security, risks arise when exchanging information. The weakest link in the chain determines the strength of the chain as a whole. It is important that mutual relationships, differences and dependencies between the links in the chain are clear to every ministry. It is presently unclear who is responsible for cross-departmental chains of information systems that.

The remainder of this post is an English translation of the Volkskrant article. It is a manually corrected version of an automated translation via DeepL.com.

Netherlands Court of Audit: state secrets of ministry of Foreign Affairs still poorly secured
(source)

The Ministry of Foreign Affairs does not have its information security in order and does too little to solve this. As a result, there is risk of compromise of its state secrets. Minister Blok unjustly paints ‘a very positive picture to the House of Representatives’ of improvement plans.

Natalie Righton and Hessel von Piekartz
20 May 2020, 16:08

This conclusion was reached by the Court of Auditors on Wednesday in a hard-hitting report entitled Verantwoordingsonderzoek Buitenlandse Zaken 2019 (Accountability audit report Foreign Affairs 2019). All ministries present their annual reports on ‘judgement day’, as the accounting day on the third Wednesday in May is also referred to. The Court of Audit audits them and expresses an opinion on their operations in the past year.

‘Foreign Affairs does not meet its own minimum requirements for information security. The problem is serious and persistent. This ultimately means a risk, also for the protection of state-sensitive information’, says Ewout Irrgang, a member of the Netherlands Court of Audit.

The state auditor describes the inadequate security as a ‘serious imperfection’. According to Irrgang, that is ‘a very serious opinion’. This year, of all government departments, only the IT habitat of the Ministry of Foreign Affairs was given that label.

State secrets

According to the Court, malicious parties are actively looking for weaknesses in the security of Foreign Affairs’ information systems.

‘Sabotage, theft, and the leaking of state secret, business confidential and privacy-sensitive information’ are lurking around the corner, writes the Court of Audit in its report. ‘There are indications that cyber criminals are plunging into this and the number of false e-mails about the coronavirus has risen sharply. For example, fake emails are being sent on behalf of the World Health Organization with malicious, dangerous malware,’ states the Court of Audit in its report.

Other examples of the weak security at the Ministry of Foreign Affairs are easy to crack passwords, information exposed to interception, and the central storage of sensitive information. It is safer to store data compartmentalized, i.e. in small chunks, so that not everyone can access the entire file.

Information security is particularly important in times of crisis, such as the corona crisis, according to the Court of Auditors. Diplomats exchange information digitally even more than usual, because they work from home, make video calls and hold telephone consultations.

The approximately 5,000 diplomats from The Hague and the 144 embassies and consulates send a lot of information that is of interest to cyber criminals. Think of information about Russia’s involvement in the MH17 disaster or the consequences of the Dutch bombardment of Hawija. The lack of security applies both to the laptops and telephones that diplomats use when they are on the road, and to the official computers at headquarters or embassies.

According to the Court of Audit, Minister Blok of Foreign Affairs is too optimistic about the state of information security.

No priority

To the annoyance of the State Inspector, the State Department does too little to put security in order. This is the third year in a row that the Court of Auditors has concluded that these problems exist. The situation has not improved, but has actually worsened, which irritates the Court of Audit.

‘This is illustrative of the lack of recognition of the importance of good information security at the Ministry of Foreign Affairs that we have observed for a number of years in succession. It is precisely at the Ministry of Foreign Affairs that we expect more insight into the importance of good information security in view of the threat from state actors, among others,’ says the Court of Audit.

Despite earlier warnings, no fewer than ten of the eleven information systems used by diplomats have not received a stamp of approval.

Back to paper

It was already announced last year that both the EU and NATO are threatening not to send any more electronic documents from Brussels to The Hague if Foreign Affairs does not get its security in order. Minister Blok wrote to the House of Representatives on 9 December that this is why ‘the highest priority is being given’ to getting the accreditation (approval) of the information systems in order.

Remarkably, he emphasized that Foreign Affairs might ‘fall back on the traditional way’ if the department no longer received digital information from international partners.

By this the minister means physical letters, according to worried IT people who contacted the Volkskrant anonymously. One of them concludes that the information security of the Ministry of Foreign Affairs is ‘a big mess’.

According to the whistleblower, ‘state secrets are at risk’ and the IT system and the encryption of information were outdated and unsafe in ‘the days of Hawija and MH17’.

For the Court of Audit, the Minister’s suggestion to fall back on paper mail is an ‘illustration that not much priority is being given’ to the problem, according to fellow member Irrgang.

Response from Minister Blok

In a response to the harsh conclusions of the Court of Audit, Minister Blok stated on Wednesday that information security is certainly a priority for the department. ‘There is no doubt that inadequate information security can have far-reaching and disruptive consequences’, Blok said in a written response. According to the minister, hard work is being done on improvements.

‘We’re taking this very seriously and we’re working on it,’ adds a spokesman on Wednesday. On the possibility of state secrets leaking, he says that to date he ‘has not experienced anything going wrong. My experience is that we are functioning reasonably well in that regard’. The Minister endorses the Court’s new recommendations, such as a plan of action.

MP Sjoerd Sjoerdsma (D66 party) says it’s ‘worrying’ that the ministry does not yet have control over its information security. ‘It becomes even more annoying when it turns out that Minister Blok consistently presents progress in a more positive way than is actually the case and downplays the consequences of this problem. This is not acceptable at a time when cyber attacks and espionage are increasing rapidly,’ says Sjoerdsma.

New brochure on espionage from the Dutch General Intelligence & Security Service (AIVD) – unofficial English translation

Note: this post is only of interest to those not already (self-)informed about the basics of intelligence and espionage and those who in general take an interest in what the AIVD communicates to the public.

On 26 May 2020, the Dutch General Intelligence & Security Service (AIVD) released a new brochure (.pdf, in Dutch) to inform the general Dutch public about the threat of espionage. The post below is an unofficial English translation of that brochure (a manually corrected version of an automated translation by DeepL.com). The AIVD will likely release an English translation itself; when it is released, I will add a link to it here.

Parts in [] brackets were added by me.

Espionage – How do you recognize it and what can you do about it?

Espionage is of all times and poses a major threat to the Netherlands. At the same time, espionage is almost invisible and few people are aware of its dangers. All kinds of foreign countries are spying in the Netherlands. Not only via digital means, but also in the classic way: humans. Why does espionage happen and why is it harmful? How do you recognize it and what can you do about it?

What is espionage?

Passing on knowledge about Dutch foreign policy, copying and, for a fee, handing over documents from the European Commission, or hacking into a high-tech company to steal business secrets. They’re all examples of espionage. But what is espionage? Espionage is the surreptitious gathering of intelligence (information) or objects (e.g. products or machines). It may involve sensitive (personal) information, technology or state secrets, for example.

The Netherlands is an attractive target for espionage. Our country is a member of the North Atlantic Treaty Organization (NATO) and the European Union (EU) and has interesting information at its disposal. We are also host to numerous international organizations such as the Organization for the Prohibition of Chemical Weapons (OPCW) and the International Criminal Court (ICC). Dutch universities and the private sector also have a great deal of knowledge and high-quality technology at their disposal. The task of the General Intelligence and Security Service (AIVD) is to identify and help end espionage and to raise awareness of it.

Who is spying and why?

All kinds of foreign countries are spying within and against the Netherlands in order to obtain information or objects from which they can benefit. There are various reasons to spy. A foreign country can, for example, keep an eye on its emigrated countrymen abroad to check whether they pose a threat to the foreign country’s regime. Or they can map out the political situation and the decision-making process in the Netherlands in order to influence it. They can also steal economic knowledge to advance their own economy.

Some countries spy on a large scale and have professional intelligence services at their disposal that carry out this work to the best of their ability. The AIVD investigates these countries. Which foreign countries pose the greatest threat depends very much on the (inter)national situation. Relations between countries can change rapidly, leading to new players appearing on the espionage scene.

How are they spying?

Foreign intelligence services spy in various ways. Nowadays a lot of spying is done digitally: intelligence services hack into computers to steal information without being seen. Ministries, research centers and companies in the high-tech, chemical and energy sectors are frequently attacked digitally.

Espionage is also still done in the traditional way, by approaching people to gain access to information through them. Employees of intelligence services look for interesting interlocutors (sources) such as civil servants, scientists, top officials and journalists. Supporting personnel can also be interesting to intelligence services, because they can also have access to confidential information.

Why is espionage harmful?

Espionage takes place out of sight from society. For many people it is hard to imagine that espionage is harmful to national security, but this surreptitious way of gathering information can have a major impact. If, for example, another country gains access to secret information, that country can use the information to influence decision-making or take other measures. Countries can use information about their own population abroad to intimidate or even eliminate opponents.

Espionage can also cause economic damage. As soon as other countries have access to confidential business information, it has an impact on the financial position of those companies. If blueprints and unique equipment are copied, the country that is spying no longer has to pay the (often high) R&D costs itself. This can result in the Dutch company selling fewer products or being unable to compete with the foreign company. Scientific projects whose results and methods are secretly copied for use in another country may result in the financing no longer being profitable. There is also a risk that knowledge about atomic technology will fall into the wrong hands. It is therefore important that confidential information or technology cannot simply be diverted to other countries.

How do you recognize espionage?

Espionage is largely human work. Let’s say you have interesting information, and you stand out to a foreign intelligence service because of it. They then try to get in touch with you through one of their employees. That person will try to establish a relationship of trust with you. For example, he or she poses as a diplomat, journalist or entrepreneur in order to get in touch with you in a natural way [i.e., inconspicuous]. However, you may notice certain signs indicating that you are dealing with an employee of a foreign intelligence service.

Intelligence services often carry out extensive preparatory investigations into people who may be of interest to them. On the Internet, for example, they look for people who have access to sensitive files. They also look for information about a person’s private life, such as hobbies or membership of a sports club, to get to know someone better. This information is used to get in touch with you ‘spontaneously’.

Was the first contact successful? Then more meetings often follow. You will be taken out to dinner, receive gifts and may think you are building a friendship. Appointments mainly take place outside, and the foreign intelligence employee appears to be extremely interested in your private affairs. But all this time he or she has only one goal: get you to spy. Eventually, the intelligence officer will ask you to provide information for a fee. In the beginning this may be trivial information, a test to see how far you are prepared to go, but later on it will also include sensitive documents to which you have access.

What can you do against espionage?

It already helps to be aware of the fact that espionage exists. If you get a strange feeling during a contact, it is always wise to exercise restraint and report this to your employer’s security department. By recognizing signals, you can be ahead of espionage. Do you suspect espionage by a foreign intelligence service? Then report this to your employer and the AIVD: aivd.nl/contact

Be aware of the potential value of information about your work and network. Information you can easily access, such as innocent-looking files or working conditions [note: it’s unclear what the AIVD is referring to with the Dutch word “werkomstandigheden” – perhaps salary information, corporate structure, culture, and/or internal policies], can be of interest to an intelligence service. An intelligence service may also be interested in your relationship with important people.

Find a good balance in what you share online about yourself and your work. For example, do not mention on LinkedIn or Facebook that you’re working on sensitive files. Be aware of what you share and especially with whom.

Protect your equipment. Intelligence services may be interested in the information on your phone or laptop. Be alert to phishing mails, make use of security software and keep software up to date. During business trips it is wise to keep equipment that contains valuable information with you and not to check it in as luggage. Also read the AIVD publication ‘On a trip abroad – Security risks en route’.

Getting in contact with someone from another country does of course not automatically mean you are dealing with an intelligence service.

However, it is good to be aware of the nature of the relationship. Make sure you do not become dependent on the other person and be aware of the underlying intentions of your contacts.

Want to know more?
Would you like to know more about espionage and the role of the AIVD? Then go to aivd.nl/spionage.

Colophon
This brochure is a publication of:

The General Intelligence and Security Service
aivd.nl
P.O. Box 20010 | 2500 EA The Hague
May 2020