Author: mrkoot

Joint statement from the Belgian, Danish, Dutch, Norwegian & Swiss spy oversight bodies: “Strengthening oversight of international data exchange between intelligence and security services”

UPDATE 2019-03-19: the Dutch minister of the Interior has responded (in Dutch) to the joint statement, as per request of the Dutch oversight committee (CTIVD). I added a translation of that response to the post below.

The intelligence oversight bodies in five European countries today announced a “new form of cooperation” via a joint statement (.pdf; mirror) that was signed in Bern (CH) by the five heads of national oversight on 22 October 2018. The participants are:

  • 🇧🇪 Belgium: Belgian Standing Intelligence Agencies Review Committee
    • Locally known as `Comité permanent de contrôle des services de renseignements et de sécurité’ (French) and `Vast Comité van Toezicht op de inlichtingen- en veiligheidsdiensten’ (Dutch)
    • Website: http://www.comiteri.be/
  • 🇩🇰 Denmark: Danish Intelligence Oversight Board
  • 🇳🇱 Netherlands: Review Committee on the Intelligence and Security Services
    • Locally known as `Commissie van Toezicht op de Inlichtingen- en Veiligheidsdiensten’ (CTIVD)
    • Website: https://www.ctivd.nl/
  • 🇳🇴 Norway: EOS Committee – The Norwegian Parliamentary Intelligence Oversight Committee
  • 🇨🇭 Switzerland: Independent Oversight Authority for Intelligence Activities (OA-IA)
    • Locally known as `Unabhängige Aufsichtsbehörde über die nachrichtendienstlichen Tätigkeiten’ (AB-ND)
    • Website: https://www.ab-nd.admin.ch/

According to the statement, it:

  • Describes their project, “which entailed each of them conducting an investigation into their respective countries’ services’ use of information regarding foreign terrorist fighters and sharing our methods, best practices and experiences.”
  • Addresses the challenges they met “when overseeing international data exchange, including the risk of an oversight gap when intelligence and security services cooperate internationally.”
  • Identifies ways to “move forward towards strengthening oversight cooperation, for example through minimizing secrecy between oversight bodies so that certain information can be shared, in order to improve our oversight of international data exchange.”

The challenges to international oversight that are mentioned (and explained) in the statement:

  • “Oversight does not cross national borders”: oversight is limited to national mandates, hence does not have a framework that provides possibilities for international cooperation / matching / comparison / benchmarking.
  • “The challenge of cooperation in the face of secrecy”: speaks for itself.
  • “Assessment of necessity and proportionality”: this can vary depending on, for instance, how different countries interpret and evaluate these; which can include difference is use of margins of appreciation that nation states have under international law with regard to the concept of national security.
  • “Some countries differentiate between citizens and foreigners”: speaks for itself.
  • “Means and methods of data exchange”: informal vs formal, and differences in how exchange takes place in practice.

The most important parts (IMHO, are these paragraphs from the section “5. Oversight of international data exchange – moving forward” (bold emphasis is mine):

“[…]

Due to technological development and increased cooperation, the data exchange between intelligence and security services is intensifying, resulting in an increase of the number of individual data exchanges. The sheer volume of data exchanged may become a challenge in itself. To assess the legitimacy and quality of each individual exchange can become an overwhelming task for the oversight bodies. In addition to conducting spot checks, it is becoming increasingly important to assess the system and framework for data exchange and the existence and functioning of safeguards for the protection of fundamental rights.

To do this effectively, oversight bodies will need to develop new methods. One way forward may be to increasingly use computerized automation and tools developed for conducting oversight of large volumes of data. In order to achieve this, oversight bodies need to expand their IT expertise and knowledge of the services’ systems. Another way to facilitate a more effective oversight would be to take the needs of the oversight bodies into account when the services implement new systems and to strengthen mechanisms of internal and external control.

The oversight bodies of Belgium, Denmark, the Netherlands, Norway and Switzerland will continue to exchange methods and best practices, as well as discuss international challenges to oversight, and the best approaches to overcoming these challenges. We invite oversight bodies from other countries to join us in our efforts to limit the risk of an oversight gap and to improve oversight of international data exchange between intelligence and security services.

UPDATE 2019-03-19: the Dutch minister of the Interior has responded (in Dutch) to the joint statement, as per request of the Dutch oversight committee (CTIVD). My unoffficial translation of the body of her letter:

“[…]

Core statement

In the joint statement, the oversight bodies point out that cooperation between intelligence and security agencies, both bilateral and multilateral, has intensified over recent years. After all, the international character of the terrorist threat necessitates such cooperation. The oversight bodies speak of a risk of a gap in oversight, because the oversight is strictly national and — different from the intelligence cooperation — ends at the country border. The oversight bodies state that national legislation can impede the exercise of effective oversight regarding developments in such cooperation. The five oversight bodies therefore initiated a project in which they shared experiences and methods, without sharing classified information between them.

A necessary step to effectuate the cooperation of the oversight bodies should, according to the oversight bodies, be that national oversight bodies are permitted to communicate about classified topics. The oversight bodies note that once intelligence and security services have exchanged classified information, there would be no reason for national oversight bodies to lag behind. That however requires that the Dutch law be amended, because the legal confidentiality obligation precludes such a course of action. Besides, in explaining its position, the CTIVD informed me that the intended information exchange should be limited in absolute terms and at least restricted to information that the oversight bodies already have access to in the course of their supervisory duties.

Considerations

I recognize the interest expressed by the oversight bodies, namely that the international exchange of information between intelligence and security services meets an adequate level of data protection, and that this can be monitored. I have drawn attention to this in various bilateral discussions with colleagues from abroad. I therefore welcome cooperation in this context between national oversight bodies. However, the amendment of the Intelligence and Security Services Act 2017 (Wiv2017), to make it possible to exchange classified information between oversight bodies, encounters objections.

The risk of an oversight gap, perceived by the CTIVD, is primarily related to the structure of national oversight by the various oversight bodies. There are significant differences between the supervisors. For example, the Dutch oversight system arranges that the CTIVD may also investigate the international cooperation of the services, which is not the case for every oversight body. It is not reasonable to amend the Wiv2017, because the amendment would only have an effect on the Dutch oversight body, and does not mandate a legal authority to foreign oversight bodies to exchange their state-secret information with the Dutch body. Furthermore, the exchange of classified information between oversight bodies has an impact on ministerial responsibilities. For the cooperation of the AIVD [aka GISS] or MIVD [aka DISS] with foreign services and the fact that classified data are shared with those services, the Minister of Defense and I are respectively [sic] fully responsible and can be held accountable by Parliament. Even if, for example, there is compromise of classified data. The Wiv2017 positions the CTIVD as an independent body, for which the Minister of Defense and I have only limited responsibility, namely only for the legal framework as such. This position is also endorsed by the CTIVD.

The foregoing does not change the fact that I share the interest pursued by the oversight bodies. I do, however, expect more relief if more attention is paid to the topic of oversight and if agreements are made within the framework of entering into bilateral or multilateral cooperation between intelligence and security services. I would like to dedicate myself to this.”

EOF

No, the Dutch minister of defense did NOT say that the Netherlands is at “cyberwar” with Russia

UPDATE 2018-11-12: politics… sigh. The minister was interviewed by journalist Eelco Bosch van Rosenthal (Twitter: @eelcobvr) during tonight’s Nieuwsuur tv broadcast. The interview was in Dutch – here follows my translation of the initial part of the interview, which essentially renders my original post obsolete. Bosch van Rosenthal: “First, let’s get semantics out of the way. Last month you sort of confirmed that the Netherlands is in a cyberwar; you later backtracked a bit on that. Is it a cyberwar?” Minister Bijleveld: “Well, I did not distance myself from it […]. You can debate about whether or not to use the word ‘war’ […]. Attacks are being aimed at us and [those are] a form of war; you can describe it as such”. (I shall refrain from commenting about reasons for upholding a statement that was never really made to begin with; other than noting that it of course remains true that there is no ‘war’ in a legal/formal sense.)

(Note wrt this post: I recommend anyone who understands Dutch to actual watch + listen to today’s WNL Op Zondag show — and try to forget the pretext/frame already imposed on your brain by the news headlines while doing so; i.e., watch/listen as if you’ve never read anything about it. And either then form an opinion about the headlines; or remain undecided for the time being.)

News headlines today in the Netherlands and subsequently in international media suggest that Dutch minister of defense Ank Bijleveld has said that the Netherlands is at “cyberwar” with Russia. These reports are misleading and misrepresent reality.

On Sunday 14 October 2018, during an interview in the right-leaning Dutch tv show “WNL Op Zondag”, journalist Yoeri Albrecht brought forward the words “propaganda war” and “cyber war”; this was in the context of the disruption of a Russian cyber operation as revealed on 4 Oct 2018 — which is about intelligence & espionage, not about war (semantics matter).

The host, journalist Rick Nieman, then asked the minister: “a ‘cyberwar’, as mentioned by Yoeri by the way, is that a good description?”. The minister somewhat loosely confirmed that, without much deliberation, in a way that to me clearly was only meant to be conducive to a conversation (in an informal setting); not to confirm that we are “at war”. Yet, Omroep WNL published a piece that cherry-picked & overemphasized that side-step detail, ignoring the aforementioned details, through the following headline:

  • Omroep WNL: “Defense minister Bijleveld: ‘Netherlands is at cyberwar with Russia'”

Subsequently, reports started appearing from other Dutch media:

  • NOS: “Minister Bijleveld bevestigt: we zijn in cyberoorlog met de Russen” (link)
  • NU.nl: “Minister Bijleveld: ‘Nederland in cyberoorlog met Rusland'” (link)
    • Note: the NU.nl even states ‘Minister Bijleveld spreekt van een “cyberoorlog” in het televisieprogramma WNL op Zondag’, which is hard to interpret other than as suggesting that Bijleveld herself mentioned the word “cyberoorlog” (English: “cyberwar”). She never mentioned that word a single time.
  • AD.nl: “Bijleveld: Nederland in cyberoorlog met Russen” (link)
  • (many more)

And reports then started to appear in international media, for instance:

  • Guardian: “Netherlands in a ‘cyberwar’ with Russia, says defence minister” (link)

…including RT (formerly known as Russia Today) & Sputnik Int’l:

  • RT: “Netherlands in cyberwar with Russia? Dutch defense minister says ‘YES’” (link)
  • Sputnik Int’l: “Netherlands in ‘Cyberwar’ With Russia – Defense Minister” (link)

The minister’s response, especially in its context and given the precise words & intonation etc., in no way warrants headlines of the likes seen here. Also, note that the minister herself did not mention the word “cyber war” a single time during the entire show. The minister could, and perhaps should, have objected to the word “war” — which, let me repeat it once more, was brought forward by others — but didn’t at that time. But neither the lack of explicit refutation nor (even) the confirmation, taking the context into account, warrant such headlines.

I hold the Dutch ‘fourth estate’ in high regard. But in my opinion, the Dutch journalists/editors who chose to spin the WNL conversation into dubious headlines failed us as a society today (a little bit); perhaps in an instance of ‘medialogica‘. While Dutch journalists are not responsible for what e.g. RT & Sputnik do, they do have a moral responsibility to be accurate in reporting, especially regarding these matters, taking into account geopolitical developments. That responsibility includes anticipating potential re-use / abuse of news in support of ongoing information operations — by which I’m not implying they should not report something, but by which I am claiming that due diligence is necessary when reporting about these sensitive topics.

Failing to take such responsibility means accepting the risk that one becomes a useful idiot to others — which I also stated in a tweet (it’s a bit offensive, but for good reason). Today’s headlines were misleading and unnecessarily provided informational cannon fodder for ongoing information operations that may also be aimed against the Netherlands.

EOF

In early 2018, two Russians were apprehended in The Hague over suspicions of intending to compromise Swiss gov’t lab’s computer network on behalf of Russian foreign intelligence agency GRU

UPDATE 2018-09-18: the Dutch and Swiss envoys to Russia have been summoned by the Russian ministry of Foreign Affairs yesterday, according to NRC Handelsblad. Also, reportedly, the Swiss & Russian minister of foreign affairs will meet next week in New York “on the sidelines of the United Nations General Assembly.”

According to reports by Dutch news paper NRC Handelsblad and Swiss news paper Tages-Anzeiger published on 13 September 2018, western intelligence agencies thwarted a plot involving two Russians intending to compromise the computer network of a Swiss government laboratory — the Spiez Laboratory, which carries out investigations related to nuclear, biological and chemical weapons and defense (CBRN).

The two were apprehended in The Hague (NL) in early 2018 and allegedly carried (unspecified) equipment with them that can be used to compromise computer networks. They are believed to work for GRU, Russia’s foremost foreign intelligence agency. The apprehension was the result of cooperation between various European intelligence services, reportedly including the Dutch Military Intelligence & Security Organization (MIVD).

The Spiez laboratory has been commissioned by the Organization for the Prohibition of Chemical Weapons (OPCW) to carry out investigations related to the poisoning of Russian double agent Skripal and the use of chemical weapons by the Russian-support Assad regime.

Switzerland’s federal intelligence agency NDB confirmed knowledge about the discovery and expulsion of the two. NDB states that it has “cooperated actively with Dutch and British partners” and has thereby “contributed to preventing illegal actions against a sensitive Swiss infrastructure”.

NRC Handelsblad states that according to the public prosecutor in Bern (CH), the two Russians have been subject of a criminal investigation since March 2017 on suspicions of compromising a computer system of anti-doping agency WADA. In September 2016, WADA stated that Russian espionage operator group Tsar Team (aka Fancy Bear aka APT-28) had compromised its Anti-Doping Administration and Management System (ADAMS) database via “an International Olympic Committee (IOC)-created account for the Rio 2016 Games”; specifically via the account of Yuliya Stepanova, who WADA qualifies as “key whistleblower” for the WADA commission that exposed widespread doping in Russian athletics. (Note: if WADA’s attribution of that attack to the Tsar Team is accurate, it is possible that the two caught in The Hague are operators of the Tsar Team.)

The Spiez laboratory had already been a target of hacking attempts earlier this year, according to a spokesperson of the laboratory. “We defended ourselves against that. No data was lost”, the spokesperson stated to NRC Handelsblad and Tages-Anzeiger.

On 14 April 2018, Russian foreign minister Sergei Lavrov stated he had obtained the confidential Spiez lab report about the Skripal case “from a confidential source”. That report confirmed earlier findings made by a British laboratory. The OPCW states that its protocols do not involve dissemination of lab reports to OPCW member states. It remains unknown how Lavrov got hold of it.

In the aftermath of the Salisbury incident, the Dutch government expelled two employees of the Russian embassy in The Hague. In a letter (.pdf) sent to the Dutch parliament on 26 March 2018 — the day on which a large number of countries announced bilateral measures against Russia —, the ministers of foreign & internal affairs stated that they decided to expel the two “in close consultation with allies and partners”. The Russians were ordered to leave the Netherlands within two weeks. It is unknown whether the two expelled Russians are those who were apprehended in The Hague.

In a November 2017 parliamentary letter from Dutch minister of internal affairs Ollongren, the minister stated that Russian intelligence officers are “structurally present” in the Netherlands in various sectors of society to covertly collect intelligence. She stated that Russia in addition to classical (human) intelligence methods also deploys digital means to influence decision-making processes and public opinion.

Dutch policy debate on 5G spectrum is in deadlock: telco’s and military intelligence have opposing legitimate interests in 3.5GHz band

UPDATE 2018-12-19: the Dutch government has reportedly (NOS, in Dutch) decided to move the sigint collection facility in Burum (NL) to another country (!), something that chief of military intelligence Onno Eichelsheim expressed (NRC Handelsblad, in Dutch) concerns over in an interview. It is unclear which country or countries have been considered. Obviously, if the Dutch want to uphold existing operations and ways of working, it must be a country that has laws that are compatible with the Dutch laws, notably a legal framework that includes bulk search & selection of communication (at least for ether communication, as the Burum facility focuses on satcom).

The Dutch policy debate on 5G spectrum is caught in deadlock: there are opposing legitimate interests of Dutch telecom providers and the Dutch Military Intelligence and Security Service (MIVD) in the 3.5GHz band. The House of Representatives discussed 5G on 29 March 2018. The 3.5GHz band, the most promising of the three standardized 5G bands (700MHz, 3.5GHz, and 26GHz), is also the band that in the northern half of the Netherlands — above the ‘Amsterdam-Zwolle’ line that cuts the Netherlands in half — is fully reserved for the MIVD’s satellite station in Burum, part of the National Sigint Organization (NSO; which is now part of the Joint Sigint Cyber Unit aka JSCU). In 2016 there was a similar situation when telecom operators sought to improve 4G connectivity using the 3.4GHz band (presumably too close to 3.5GHz).

Below follows an unofficial translation of an article printed in the 4 May 2018 issue of Technisch Weekblad.

Dutch policy debate on 5G spectrum is in deadlock

The deployment of a nation-wide 5G network in the Netherlands may end up being seriously delayed because the most important 5G band (3.5GHz) is reserved for the Dutch intelligence services until 2026. The AIVD and MIVD eavesdrop on ether communications via their satellites dishes in the Frisian place of Burum.

Telecom providers and other industry parties raised an alarm about this in the House of Representatives on 29 March 2018. Earlier, MP William Moorlag (Labour Party / PvdA) even argued that the MIVD antennas should be moved to drilling platforms at sea.

The National Frequency Plan prescribes that until 2026, only the intelligence services are permitted to use the 3.5GHz band on territory north to the Amsterdam-Zwolle axis. Licenses can be issued for territory south to that axis, but only under such restrictions that it is doubtful telecom parties will be interested, says 5G expert Toon Norp of TNO Research. Norp: ‘The discussion about the use of the 3.5GHz band has reached a deadlock. Both the MoD and telecom providers have legitimate interests.’

5G for cars

5G is the next generation of mobile data communication technology. Its bandwidths are 3-10x that of 4G, connections are established 20x faster (lower latency) and a million devices per square kilometer should be able to connect. 5G should realize the internet of things. The low latency is important for communication between self-driving cars. For smartphones, 5G is not a necessity, although the high connection/device density is an advantage. Dutch telecom provider KPN states: ‘4G connects people, 5G connects society’.

Whether 5G will indeed arrive at a large scale is uncertain. GSMA expects the share of 5G connections in the global data communications to grow from 2% in 2020 to 12% in 2025. More than half of the 750 telecom operator chiefs interviewed by the GSMA mentioned ‘lack of a clear business case’ as biggest threat to 5G. The required investments are estimated at 150 billion euro globally on an annual basis. This is largely due to the fine-grained network of antennas that is required to achieve high throughput and low latency.

According to the standard, 5G will use three bands: 700MHz, 3.5GHz, and 26GHz. The 700MHz band, which has the longest waves, does not offer high throughput and is mostly useful to help support a nation-wide network. The 26GHz millimeter band has very high throughput, but due to its short waves has a short range and can only be used for the last couple of hundred meters of a mobile connection. The 3.5GHz band combines the best of both: high throughput and good range. It is the presumed backbone of 5G, but is reserved for use by the MIVD.

Action plan

Next year, part of the 700MHz band for 5G will be auctioned off, but according to Norp, that provides little solace. ‘It is merely a very short band that is auctioned, just 30MHz wide. At most three operators can participate there, while the 3.5GHz band has hundreds of MHz of room.’

Norp expects that 5G networks on the 3.5 GHz band can largely be deployed via existing 3G/4G antenna locations. But simply using the 3G and 4G bands for 5G is not an option for the near future, because equipment manufacturers will first make their 5G equipment work with the internationally agreed bands. Notably the 3.5GHz band.

State secretary Mona Keijzer (Economic Affairs) announced she will present directions for solutions to end the deadlock, and that she will elaborate on those in her Digital Connectivity Action Plan. Norp hopes a creative solution will be found to allow telecom provides and the MoD to share the 3.5GHz band. At the longer term, the MIVD will no longer be able to control the 3.5GHz band. ‘Because Germany will use the 3.5GHz band for 5G’, according to Norp. Regardless of the Dutch government’s policy, the MIVD will get competition on the 3.5GHz band.

 

EOF

EU Commission says it does not seek crypto backdoors, will propose legal framework in early 2018 for Member States to help each other access encrypted devices

UPDATE 2018-02-15: Five million euro for Europol’s “decryption platform” (blog by Matthias Monroy / @matthimon).

On 18 October 2017, the European Commission (EC) announced an upcoming anti-terrorism package, which addresses, inter alia, encryption challenges in criminal investigations. From the Q&A:

[…]

4. Supporting law enforcement in criminal investigations online

What is the role of encryption in criminal investigations?

Law enforcement and judicial authorities are increasingly facing challenges posed by the use of encryption by criminals in the context of criminal investigations. This is not only limited to serious crimes: in many cases, electronic data may be the only information and evidence available to prosecute and convict criminals. The challenges are not only due to attempts by criminal users to disguise their electronic communication and privately stored data, but also due to the default option of many communication services to apply encryption. The use of encryption by criminals, and therefore its impact on criminal investigations, is expected to continue to grow in the coming years.

How is the Commission proposing to support Member States on encryption?

Following consultation with Member States and stakeholders, the Commission has proposed today:

  • to support Europol to further develop its decryption capability;
  • to establish a network of centres of encryption expertise;
  • to create a toolbox for legal and technical instruments;
  • to provide training for law enforcement authorities, supported by €500,000 from the ISF–Police fund in 2018;
  • to establish an observatory for legal and technical developments;
  • to establish a structured dialogue with industry and civil society organisations.

In early 2018, the Commission will present proposals to provide for a legal framework to facilitate access to electronic evidence.

[…]

It is unclear what this might mean in practice, but Rebecca Hill (Twitter: @BekiHill) reported at El Reg that security commissioner Julian King (Twitter: @JKingEU) said the following:

“The commission’s position is very clear – we are not in favour of so-called backdoors, the utilisation of systemic vulnerabilities, because it weakens the overall security of our cyberspace, which we rely upon.”

Hill (correctly) states:

“How exactly… we don’t know. Maybe someone has an RSA-cracking supercomputer up their sleeve they’re keeping secret. Maybe someone’s particularly good with a soldering iron and can read off keys from extracted flash memory chips.

What we do know is that the thrust of the plan boils down to asking member states to help each other by sharing their knowledge on dealing with encryption and creating a observatory to keep an eye on the latest tricks of the trade.”

On 16 October 2017, two days before the announcement by the EC, Maryant Fernández Pérez (Twitter: @maryantfp) stated the following in a blog post at EDRi:

“Saying ‘no’ to backdoors is a step into the right direction, but not the end of the debate, as there are still many ways to weaken encryption. The answer to security problems like those created by terrorism cannot be the creation of security risks. On the contrary, the EU should focus on stimulating the development and the use of high-grade standards for encryption, and not in any way undermine the development, production or use of high-grade encryption.

We are concerned by the potential inclusion of certain aspects of the Communication, such as the increase of capabilities of Europol and what this may entail, and references to removal of allegedly “terrorist” content without accountability in line with the Commission’s recent Communication on tackling illegal content online. We remain vigilant regarding the developments in the field of counter-terrorism.”

The EC statement that it does not seek backdoors should not be interpreted as meaning that Member States’ intelligence services / communities won’t, individually or in voluntary cooperation with peers or industry, pursue influencing crypto standards for kleptographic objectives (such as NSA did with Dual_EC_DRBG) regardless of EU-level policy. It simply means that the EC does not pursue EU-level policy on that — at this time, anyway.

Cryptanalytic efforts, such as the Edgehill (GCHQ) program, will obviously remain in existence in individual Member States, as they do elsewhere in the world (notably in the U.S.) — and the EC announcement’s Q&A excerpt cited above states the EC will seek to support Europol to further develop its decryption capability.

The EC’s announcement also says they will promote “structured dialogue with industry and civil society organisations”, with unstated objectives. To speculate: objectives might include convincing those engaged in dialogue that strong end-to-end crypto should not be enabled by default, and/or making sure certain information other than message content is still emitted and observable, and/or or otherwise changing software/hardware/protocol design (e.g. hardware backdoors – read for instance this paper) or implementation to suit LE/intel needs. Which includes needs that must, in addition to privacy interests, also be addressed to maintain democratic values. [UPDATE 2017-12-14: something along those lines seems to be happening in the U.S., going by the following statement by FBI director Christopher Wray cited by @emptywheel : “[…] The FBI is actively engaged with relevant stakeholders, including companies providing technological services, to educate them on the corrosive effects of the Going Dark challenge on both public safety and the rule of law, and with the academic community and technologists to work on technical solutions to this problem”.]

To be continued.

Related reading:

EOF