On June 16, the Dutch General Intelligence & Security Service (AIVD) announced that they prevented a Russian military intelligence officer from gaining access as an intern to the International Criminal Court (ICC) in The Hague. The ICC is of interest to the GRU because it investigates possible war crimes committed by Russia in Georgia (2008) and Ukraine.

The GRU officer traveled from Brazil to the Netherlands in April 2022 using a cover identity, making him a so-called “illegal”. He planned to start an internship with the ICC, which would have given him access to the ICC’s building and systems. This would have enabled the GRU to collect intelligence, spot and recruit sources, and possibly influence criminal proceedings.

On his arrival at Schiphol Airport, the AIVD informed the Immigration & Naturalization Service (IND), after which the officer was refused entry to the Netherlands and put on the first plane back to Brazil as persona non grata.

The AIVD assessed the officer as a “potentially very serious” threat to both national security and the security of the ICC as well as, due to the outlook of him acquiring access to the ICC, allies.

In a first-ever for the AIVD, it also released translations of a partially redacted 4-page document that describes the “extensive and complex” cover identity of the officer. It was originally written in Portuguese, “probably created around mid-2010” and “likely written” by the officer himself, and according to the AIVD provides insight into his modus operandi. The cover identity hid any and all links between him and Russia. According to the AIVD, the construction of this kind of cover identity “generally takes years to complete”.

In the note accompanying the document, the AIVD says that Russian intelligence services “spend years” on the construction of cover identities for illegals, to which end they “collect information on how other countries register and store personal data”, or illegally procure or forge identity documents. Information in the cover identity “can therefore be traceable to one or more actual persons, living or dead” as well as to (fake) individuals “who only exist on paper or in registries of local authorities”.

A week after Poland announced it expels 45 Russian diplomats, the foreign ministries of Belgium, the Czech Republic, Ireland and the Netherlands announced on March 29, 2022 that they too will expel Russian diplomats. A day later, Slovakia followed up by announcing expulsion of another 35 Russian diplomats.

The Czech Republic, who in 2021 called on EU and NATO to expel Russian diplomats in solidarity against Moscow, expels one diplomat from the embassy in Prague on a 72-hour notice. In a tweet the Czech ministry of foreign affairs stated that “Together with our Allies, we are reducing the Russian intelligence presence in the EU.”

Belgium expels 21 diplomats from the embassy in Brussels and consulate in Antwerp. Minister Sophie Wilmès stated the measure is taken to protect national security and is unrelated to the war in Ukraine. “Diplomatic channels with Russia remain open, the Russian embassy can continue to operate and we continue to advocate dialogue”, Wilmès said.

The Netherlands expels 17 diplomats from the embassy in The Hague. According to minister Wopke Hoekstra they are secretly active as intelligence officers. Hoekstra bases this on information from Dutch intelligence & security services AIVD and MIVD. The embassy in the Hague has 75 registered diplomats, of which 58 will remain. Hoekstra says the decision was taken with “a number of like-minded countries”, based on grounds of national security. Like his Belgian colleague, Hoekstra adds he wants diplomatic channels with Russia to remain open.

Ireland expels 4 “senior officials” from the embassy in Dublin for engaging in activities “not […] in accordance with international standards of diplomatic behavior”. They were suspected of being undercover military officers of the GRU and were already on the radar of Garda Síochána, the Irish national police and security service, for some time.

Furthermore, Slovakia announced it will “reduce the staff of the Russian embassy in Bratislava by 35”, after already having expelled three diplomats earlier in March, and charging two people with espionage for Russia. The official statement of the Slovakian government does not mention specifics beyond the statement that “we regret to note that […] the Russian diplomatic mission has not shown any interest in operating correctly on our territory.”

Dutch intelligence scholar Ben de Jong points out in NRC Handelsblad that the absence of France and Germany limits the strength of the political signal that is sent to Russia. Based on its own sources, NRC writes that the expelled diplomats in the Netherlands “presumably” were active in collecting secret information about weapon deliveries to Ukraine, political and military decision-making in NATO and the EU, and discussion about new sanctions.

De Jong also points out that besides the use of diplomatic covers and illegals, Russian secret services likely have representatives in companies such as Gazprom and Aeroflot who are not affected by the expulsion and can continue their operations, albeit without the protection of a diplomatic cover. Another intelligence scholar points out that new diplomats will eventually be registered.

The Belgian and Dutch ministers cite national security as ground for the expulsion rather than the expulsions being a sanction over the war in Ukraine. The apparent coordinated effort is however seen as a joint political statement to the Russian government.

Russian foreign ministry spokeswoman Maria Zakharova told AFP that “responses will be provided on the basis of the principle of reciprocity.”

• This is an English translation of a piece in Dutch by Johan Leupen and Jan Fred van Wijnen published in Dutch newspaper Het Financieele Dagblad (FD) on 7 February 2022. (Please reference that paper, not my blog.)
• Takeaways:
  • The AIVD observed an increase in the scope and frequency in targeting and recruitment attempts by Chinese and Russian intelligence services focusing on Dutch high-tech companies.
  • The AIVD launches an awareness campaign (more) with examples of fictitious but realistic example cases, which is intended to inform the public and increase societal resilience.
• Other reads:
  • 2022-02-15: Dutch intelligence service warns public about online recruitment by foreign spies (IntelNews)
  • 2022-02-10: Foreign spies target Australians on dating websites, messaging apps, report warns (IntelNews)

Thousands of employees at Dutch high-tech companies are systematically being approached by secret services from China and Russia who are trying to steal company secrets. This is done through fake accounts on LinkedIn, the largest business network in the world. The spies pose as fellow scientists or engineers. They also impersonate consultants or recruiters.

Dutch and other Western secret services are shocked by the number of successful contact attempts, in which people have ultimately been made to share sensitive information through blackmail or bribery. After the first contact via LinkedIn, the relationship is quickly made more “personal,” says Director Erik Akerboom of the General Intelligence and Security Service AIVD. The new contact acts flattering about your knowledge and expertise. ‘You get a request to translate something. After that, personal contact may follow at a conference.’

Awareness campaign

The scale and clout of the Russian and Chinese infiltration attempts have reached such proportions that the AIVD is sounding the alarm. Later this week, the service will launch a warning campaign via social media to make Dutch employees and officials aware of the dangers.

Last year, the Netherlands expelled two Russian spies from the country. They had enticed employees of several Dutch high-tech companies to sell information. The first contacts were made through LinkedIn, AIVD chief Erik Akerboom says to the FD. One of the Russians, who is an intelligence officer with the secret service SVR, created fake identities as a scientist, consultant and recruiter for this purpose. The AIVD would not say which companies were involved.

For years, China and Russia have been purposefully trying to get advanced technology into Western countries, including the Netherlands. This is done through company takeovers, but also through cyber attacks and classic espionage. The AIVD has previously warned that such attempts undermine the Dutch economy.

No ban

Dutch high-tech companies do not prohibit their employees from creating a profile on LinkedIn. ‘We do have protocols for the information people share on social networks,’ said a spokesperson for chip manufacturer NXP. ‘Everything an employee posts is legally checked.’ ASML, which is not allowed to sell its advanced chip machines to China because of an American boycott, does not prohibit activity on LinkedIn or other networks either. The company does make its employees aware of the risks.

Intelligence work by the AIVD shows that China and Russia are operating systematically, says Akerboom. Social networks like LinkedIn or Instagram are constantly being copied and stored in databases. They analyze them to get their sights on targets. They are dealing with people who have access to special technological knowledge. The data is combined with information acquired from outright hacks in their organization, looking for specific personal data.’

Potential targets are ‘ranked’, says the AIVD chief. The non-friendly services then look at the level of influence the potential targets have within their own organization, their position within a business network, and their access to important information. ‘The rankings determine which people they prioritize for their recruitment efforts.’

Fake recruitment agency

British and American intelligence agencies have previously warned against this type of espionage. Sometimes fake recruiting agencies are created. After initial contact via LinkedIn, a target is persuaded to drop by for an interview about a new job. By sharing confidential information about their current employer, the victim becomes vulnerable to blackmail. The Chinese secret service is said to focus mainly on expats who still have family in China. This makes them extra sensitive to pressure to share information.

The targeted spying via LinkedIn began in 2009, according to Cody Barrow, director of threat analysis at cybersecurity firm EclecticIQ in Amsterdam. Previously, he worked in the US as a ‘senior intelligence officer’ at the Department of Defense and the National Security Agency (NSA). ‘In that year I myself received my first LinkedIn request from an attractive woman I didn’t know. Once the spies become friends, and can read your full profile, they check if you use certain keywords. Or code words for software programs you work with.’

For example, if a spy were to read that an NSA employee works with the program Wrangler, the contact immediately becomes a higher priority for the spy. This is because it means that the employee is involved in gathering and analyzing information via satellite imagery.

Invites accepted carelessly

Barrow estimates that over the past ten years “many thousands of Dutch people” have received LinkedIn requests from Chinese spies. Requests are often accepted uncritically, especially if the requester already appears to share various contacts with the target. Moreover, many people are susceptible to flattering remarks. AIVD chief Akerboom says he is “not surprised” by the estimate of several thousand. Barrow thinks that half of these have also accepted a request.

Warning of such practices is a good thing in itself, but the AIVD itself should take much more proactive action against them, cyber security expert Ronald Prins believes. For example, the services could issue preventive warnings about an ongoing offensive. Or break into state-led hacker groups and share more knowledge. ‘So far, the service only comes into action when military applications are at stake. When are they going to make an effort for the economic security of the Netherlands?’

The AIVD has already expressed to the House of Representatives its desire for a broader mandate, to also defend commercial companies and ‘the earning capacity of the Netherlands’. The cabinet that took office last month allocated an extra €300 million for the security services in the coalition agreement, but there are no concrete plans yet about how this will be spent.

Response from LinkedIn

‘We actively look for signs of state-sponsored activity(s) on the platform and take swift action against actors with malicious intent to protect our members. We do not wait for requests for removal, our Threat Intelligence Team removes fake accounts using information we discover and information obtained from various sources, including government agencies. Creating a fake account or fraudulent activity with the intent to lie to or mislead our members is a violation of our terms of service.’

UPDATE: 2020-12-14 09:00 UTC: small guest contribution to IntelNews: Holland expels two Russian diplomats, summons Kremlin envoy to issue protest.

UPDATE: 2020-12-13 11:05 UTC: the AIVD released bits of recorded video of one contact moment between the SVR officer and one of his assets in NL. It was shown today on national TV during “WNL op Zondag”, where Akerboom was present to explain and annotate the recent developments. The episode, in Dutch, can be watched here (skip to ~32m30s). Here’s a screenshot I took from that episode (SVR officer is at the left; his source at the right):

UPDATE 2020-12-10 18:49 UTC: reportedly, AIVD director Erik Akerboom (Twitter: @dg_akerboom) said that the AIVD detected “relatively intensive” contact between the SVR officer and sources in the Dutch high-tech sector “in at least ten cases”, indicating that the SVR officer had at least ten sources.

On 10 December 2020, the Dutch minister of the Interior, Kajsa Ollongren, sent a letter (in Dutch) to the House of Representatives to inform the parliament about the disruption of a Russian espionage operation.

Two Russians using a diplomatic cover to commit espionage on behalf of the Russian civil foreign intelligence agency SVR have been expelled from the Netherlands. Both were accredited as diplomat at the Russian embassy in The Hague. The minister says the SVR intelligence officer built a “substantial” network of sources (i.e., he was a case officer) working in the Dutch high-tech sector. He pursued information about AI, semiconductors and nano technology; knowledge that has both civil and military applications. In some cases the sources got paid for their cooperation.

The Dutch civil intelligence & security service AIVD disrupted the operation. On 9 December 2020, the Russian ambassador to the Netherlands was summoned by the Dutch ministry of Foreign Affairs. The Russian ambassador was told that the two Russians have been designated as Persona Non Grata (PNG), i.e., they are expelled from the Netherlands.

This case involves multiple companies and one educational institute, whose identities are not revealed. The minister states that the espionage “has very likely caused damage to the organizations where the sources are or were active, and thereby to the Dutch economy and national security.”

The minister states that the Immigration and Naturalization Service (IND) will take legal action against one source on the basis of immigration law.

The minister also announces the Dutch administration will look into possibilities to criminalize the act of cooperating with a foreign intelligence service. Currently, that act on and by itself is not a punishable offense. Legal possibilities do already exist regarding violation of confidentiality of official secrets and company secrets, however. For related developments at the EU level, check out the Trade secrets page of the European Commission.

Finally, the minister points out that this case shows “that threats from foreign states against the Netherlands are real”, and that a broader follow-up will take place of the parliamentary letters “Countering foreign state threats” of 18 April 2019 and “Knowledge security in higher education and science” of 27 November 2020.

Three side notes:

• For a brief peek into one aspect of the work life of case officers (and their occasional supporting officers), see Physical Counter Surveillance – Dry Cleaning and Evading Capture (September 2019).
• For (self-)protection, see New brochure on espionage from the Dutch General Intelligence & Security Service (AIVD) – unofficial English translation (May 2020).
  • For further (background) reading, check out the website of the U.S. National Counterintelligence and Security Center, part of the U.S. Office of the Director of National Intelligence (ODNI); it has a lot of good training & reading material.
  • For even further (background) reading, notably the aspect of humans and susceptibility/vulnerability to being recruited as spies/sources, I recommend the Selected Reports page of the U.S. DOD Defense Human Resources Activity website. And search Google for “MICE” and “RASCLS”.
• Also for (self-)protection, Dutch readers may want to inform themselves about in the appendix of the parliamentary letter of 18 April 2019 that the minister refers to: Nederlandse aanpak tegengaan statelijke dreigingen (April 2019).

If you’re at an organization that has a need for insight into protection against insider threats, I recommend checking out Signpost Six. It was founded by @Elsine_van_Os, who formerly worked at the Dutch military intelligence & security service MIVD.

The remainder of this post is a translation of the main body of the minister’s letter on the disrupted espionage operation.

[…]
Disruption
As mentioned in the annual reports of the AIVD, the Netherlands is a target of Russian intelligence services who covertly collect information that is valuable to Russia, including economic & scientific information.

The AIVD recently ended operations of a Russian intelligence officer of the civil foreign intelligence service SVR. The Russian national, who was employed at the Russian embassy as an accredited diplomat, was involved in espionage on technology and science. He built a substantial network of sources, all of whom are or were employed in the Dutch high-tech sector. The intelligence officer was interested in information about, among others, artificial intelligence, semiconductors, and nano technology. Much of this technology is of use both for civil and military applications.

The Russian intelligence officer made contact with persons who have access to sensitive information within the high-tech sector, and in some cases paid for that. A second Russian SVR officer, also accredited as diplomat, fulfilled a supporting role.

Companies and educational institute have been informed
The high-tech sector in the Netherlands holds high-quality and unique knowledge. The espionage has very likely caused damage to the organizations where the sources are or were active, and thereby to the Dutch economy and national security.

The sources of the Russian intelligence officer have been contacted by the AIVD to disrupt their activities. In a number of cases, the AIVD has submitted an official notification to the companies and educational institute involved such that they can take measures. In one case, an official notification was sent to the Immigration and Naturalization Service (IND). The IND will take legal measures against one source. The AIVD is investigating whether further official notifications can be sent to the IND.

No comments can be made about the identities of the sources and which companies and educational institute are involved.

Persona Non Grata
As a result of the detected espionage activities, the Russian ambassador has been summoned by the Dutch Ministry of Foreign Affairs on 9 December 2020, and has been told that the intelligence officer, as well as the supporting SVR worker, have been designated as Persona Non Grata (PNG).

Criminalization of espionage
Due to the increased vulnerability of the Netherlands for espionage, the Dutch administration has examined the added value of criminalization of espionage. Criminal law already provides legal possibilities to act against crimes involving violation of confidentiality of official secrets and company secrets. However, espionage in the sense of persons covertly collaborating with a foreign intelligence service is currently not a punishable office. The administration has established that additional criminalization is desirable and will examine how that can been pursued, and then initiate a legislative process.

Follow-up
This case shows, again, that threats from foreign states against the Netherlands are real. We will further inform you about the broader approach in follow-up to the Parliamentary Letters “Countering foreign state threats” of 18 April 2019 and “Knowledge security in higher education and science” of 27 November 2020.

Awareness
The AIVD is committed to raising awareness about espionage risks and, where possible, explains to companies, governments and educational institutes how they can prevent this, both now and in the future.

On 23 October 2020, the Dutch state secretary for Economic Affairs and Climate Policy, Mona Keijzer, sent a letter (in Dutch) about submarine communication cables to our House of Representatives. This post provides an English translation of that letter.

Takeaways:

• Distinction must be made between intercontinental cables and non-intercontinental cables. Only the former require underseas repeaters/amplifiers to carry the signal over a (very) long distance.
• Risks related to the economic end-of-life being reached generally are about intercontinental cables — such as TAT-14. that directly connects the U.S. and the Netherlands. TAT-14 became operational in 2001 and will be disconnected in the nearby future. The state secretary says that this does not affect the Dutch, as most communication between the Netherlands and the U.S. is already transported via other countries.
• A new submarine cable between the Netherlands and the United Kingdom will be laid in 2021, which can also be used for direct communication between the Netherlands and the U.S.
• The state secretary explicitly recognizes the added value of laying new submarine cables, and promises to explore options to help facilitate that through, among others, licensing for landing stations. This is a follow-up to a request made by market parties, who also indicated that it would be desirable that the Dutch government plays a stronger role. The state secretary also points out that co-financing from the EU is possible for laying new cables.

The text below this line is the translation of the letter. Note: hyperlinks and parts in square []-brackets were added by me.

During the General Consultation on Digitization of 11 March 2020, I promised MP Verhoeven of the D66 fraction to give an overview of the problems, research, and actions in the field of submarine cables. Subsequently, during the General Consultation on Telecommunications of 11 June 2020, I promised MP Van den Berg of the CDA fraction to write a letter to your House about the outcome of the discussions with the sector about the investments in submarine cables. With this letter I fulfill this commitment and cover the valuable conversations I have had with market parties.

It is important to emphasize that the Netherlands has very good digital connections, both on land, at sea, and in the air. Both our mobile and fixed connections are among the best in the world [reference: https://zoek.officielebekendmakingen.nl/kst-26643-547.html]. For example, many submarine cables come ashore in the Netherlands, as can be seen on the picture elsewhere in this letter. This digital infrastructure is important for our economy and society and it is therefore important to maintain and expand this world-class digital infrastructure.

For a good understanding of submarine communication cables, a distinction must be made between submarine cables running between continents (intercontinental cables) and submarine cables within Europe. European submarine cables do not need active amplifiers on the ocean floor, because of the short distance they span. Intercontinental cables span a longer distance and therefore require such equipment. This makes it relatively easy to increase the capacity of existing cables to the United Kingdom or Denmark. Only the active equipment ashore needs to be renewed.

Increasing the capacity on intercontinental cables is more difficult, because in some cases the underwater amplifiers also need to be replaced. Therefore, when parties talk about risks around the lifetime of submarine cables [e.g. 25 years] they generally refer to these intercontinental cables. The research report by Stratix, about which MP Amhaouch of the CDA fraction asked questions during the General Consultation on Digitization of 11 March 2020, addresses whether there is a problem due to submarine cables being at the end of their economic life and whether new cables are expected to be laid soon. This research report can be found on the site of the national government.

Submarine cables in North-West Europe (source)

Stratix’ quick scan, as well as earlier research conducted in 2018, shows that cables can be active beyond the end of their economic life. However, because the equipment is outdated, the cable’s capacity will not increase in the long run. According to Stratix, the conclusion of the submarine cable industry was that there is no reason to assume that problems will arise in the short term. In addition, it was indicated that there currently is no demand for more capacity via a (new) transatlantic submarine cables to the Netherlands. If such demand arises, the new international submarine cables to Denmark, the United Kingdom, Ireland and France can be used, because of the good land and submarine connections we have with those countries. For example, there already are submarine cables to the United Kingdom and Denmark that can be used for this purpose. The most important conclusion of the Stratix study therefore is that there is sufficient submarine cable capacity to and around the Netherlands, and that market parties do not expect a shortage in the short or long term.

An important development for the longer term is that the market for submarine cable connections is changing. Where previously consortia of telecom companies, such as KPN, were laying a submarine cable, this is increasingly being done by individual non-telecom companies and mostly digital platforms, such as Google and Facebook and Microsoft. Furthermore, it has become clear that a transatlantic cable, the TAT-14 cable, which was laid in the past by a consortium and landed in the Netherlands, will be disconnected. A lot of traffic from the Netherlands already is transported to the U.S. via other countries, however. Given our geographical position, this is not illogical.

As I promised to your House, I have spoken to market parties about these developments, also on the basis of the letter that various parties have addressed to me on this subject [those parties were Stichting Digitale Infrastructuur Nederland, Dutch Data Center Association, Fiber Carrier Association and SURF]. From these discussions and the round table I organized on 29 September 2020, various insights have emerged. First of all, it is nice to be able to report that next year a new submarine cable will be laid between the United Kingdom and the Netherlands, which will also be connected to Ireland. Data traffic can be carried to the U.S. directly via this cable. Secondly, it appears that there is a diffuse picture about the added value of direct intercontinental connections over connections via other countries. Parties that have large data centers in the Netherlands, for example, indicate that they do not see any problem in this in the future. During the round table discussion I organized, it was also emphasized that the disappearance of cables generally has no consequences for Dutch users, but it is desirable for the Netherlands to be easily accessible, and therefore direct cables can be of added value.

I also see that submarine cables add value to the Dutch digital infrastructure. I want to explicitly express my positive opinion about the added value of laying new submarine cables. Therefore, if market parties or consortia of parties are considering laying a new submarine cable to the Netherlands, I am willing to facilitate this, for example in the licensing process.

This was also requested during the round table held with market parties. It was also indicated that it would be desirable that the Dutch government plays a stronger role. It was explicitly stated that this is not about paying for these cables, but about facilitating the landing. I will look at the laws and practical objections that might stand in the way of this. For example, parties have indicated that laying cables in the North Sea could be difficult in the future. I recognize this, and it is inherent in an intensively used North Sea. I feel it is important to leave room for new submarine cables, and this has been included in the National Environmental Vision [in Dutch: “Nationale Omgevingsvisie” aka NOVI] sent to your House by the Minister of the Interior and Kingdom Relations. As mentioned in this vision, this aspect will be further elaborated in the North Sea program. With regard to both the licensing and the North Sea program, I will contact other governments and ministries, including the Ministry of the Interior and Kingdom Relations.

A good investment climate for the installation of these cables is desirable. If a submarine cable lands in the Netherlands, this can stimulate business activity surrounding it. The Netherlands Foreign Investment Agency (NFIA) can play an acquiring or facilitating role where possible. In addition, European funds are also available for the construction of submarine cables. If market parties wish to lay these cables, co-financing from the EU is possible. I will also bring these funds to the attention of market parties.

Over the past few months, various discussions have taken place with market parties and a round table has been convened. Sea cables continue to have my attention as part of the digital infrastructure and in addition to the aforementioned actions I will continue to actively monitor developments in the coming period.

UPDATE 2020-10-26: I replaced the word “cryptophones” with “two-way radios” everywhere because in this (historic) context, the use of the word “cryptophones” is anachronistic and needlessly confusing.

This is a translation of a piece published at Nu.nl today, covering an upcoming story by investigative journalists of Dutch radio program Argos (Twitter: @Argosradio1) about how Operation Rubicon, the German-U.S. joint operation involving Crypto AG, (may have) affected the Netherlands.

• Note 1: at the time of writing, nothing about this is mentioned yet on the website or Twitter account of Argos. Nu.nl is however a reliable online news site.
• Note 2: hyperlinks were added by me.

‘Two-way radios of Dutch police and Royal Netherlands Marechaussee (KMar; military police) could be eavesdropped by the NSA’
23 October 2020 13:46

For years, Dutch police and security units reportedly used specially secured two-way radios that could be eavesdropped on by the U.S. intelligence agency NSA.

That was revealed by documents that Dutch radio program Argos has seen.

Among others, the Dutch police and Royal Netherlands Marechaussee [military police] purchased hundreds of Swiss-made Ascom SE-660 Crypto devices. These two-way radios used encryption to protect the confidentiality of conversations.

It would now be clear that these devices contained a backdoor placed by the NSA. This allowed the NSA to eavesdrop on the communication. It is unclear how often conversations have actively been eavesdropped.

Use by special services

In the Netherlands, the equipment was commonly used by special services, including the department that protects diplomats, and the Special Security Missions Brigade. The devices were also used by the International Criminal Tribunal for the former Yugoslavia (ICTY) in The Hague.

Earlier this year it become clear that backdoors had been placed in the radios. This was part of Operation Rubicon, in which the German foreign intelligence service BND and the NSA jointly secretly acquired Crypto AG.

The acquisition enabled Germany and the U.S. to eavesdrop on the so-called secured conversations since the 1970s. This became evident when anonymous sources talked to The Washington Post and ZDF.

Impact on the Netherlands previously unknown

Previously it was clear that many countries could be eavesdropped in that way, but the exact impact on the Netherlands was not clear until now. The documents that Argos has seen show the extent to which Dutch police services were affected.

According to an anonymous source, at least 625 of the Ascom devices were bought by the Netherlands. A spokesperson of the Royal Netherlands Marechaussee stated that about 150 were in use. The Dutch police could not yet share numbers.

UPDATE 2020-10-28: Spy agency ducks questions about ‘back doors’ in tech products (Reuters) and NSA: We’ve learned our lesson after foreign spies used one of our crypto backdoors – but we can’t say how exactly (The Register). Takeaway: “NSA now asserts that it cannot locate [the lessons learned] document [about the Juniper incident]”, according to Wyden spokesman Keith Chu.

On 10 June 2020, the office of U.S. Senator Ron Wyden submitted questions (.pdf) to Juniper Networks about the status of the investigation that Juniper announced four years ago to clarify questions about the presence of the intentionally weakened Dual_EC_DRBG random bit generator in Juniper NetScreen firewalls. For more about Dual_EC_DRBG, see the Wikipedia entry about the NSA program Bullrun and Daniel J. Bernstein et al.’s website on Dual_EC.

Due to the importance of this topic, I repost the content of Wyden et al.’s letter below.

We write to seek information about Juniper Networks’ investigation of several likely backdoors in its NetScreen line of firewalls.

In December of 2015, Juniper announced that it had discovered unauthorized code in the software it distributed to customers between 2012 and 2015 for its NetScreen firewalls. Soon after Juniper revealed this security breach, cybersecurity researchers determined that the code was likely an encryption backdoor that could be exploited by a sophisticated adversary to unmask the encryption used to protect data flowing over virtual private networks.

Alarmingly, the suspicious code that Juniper discovered in 2015 did not create the backdoor — it apparently modified one that was seemingly already there. Subsequent analysis by an international team of leading experts determined that, in fact, a backdoor had likely been added to Juniper’s products as far back as 2008. According to the researchers, the unauthorized code Juniper discovered in 2015 merely changed the keys to this pre-existing backdoor.

The researchers determined that sometime between 2008 and 2009, Juniper quietly added a National Security Agency (NSA) designed encryption algorithm to its products. This encryption algorithm, known as Dual_EC_DRBG, had, since 2005, been the subject of criticism by independent cryptographers who argued that it probably contained a backdoor. In spite of these warnings, the National Institute of Standards and Technology (NIST), which issues U.S. government standards for encryption algorithms, standardized Dual_EC_DRBG in 2006. However, after Edward Snowden’s disclosures in 2013, NIST withdrew the algorithm. In a post-mortem published in 2014, a senior NIST cryptographer confirmed that NSA had in fact created Dual _ EC _DRBG, that he had been told that NSA did not want to answer questions about possible backdoors, and that, in retrospect, it “should not have been included” in the official NIST standard.

Soon after Juniper revealed in 2015 that it discovered unauthorized code in its products, Juniper announced that it was conducting an investigation into the matter. According to media reports at the time, the Federal Bureau of Investigation also launched an investigation. It has now been over four years since Juniper announced it was conducting an investigation, but your company has still not revealed what, if anything, it uncovered. The American people and the companies and U.S. government agencies that trusted Juniper’s products with their sensitive data — still have no information about why Juniper quietly added an NSA-designed, likely-backdoored encryption algorithm, or how, years later, the keys to that probable backdoor were changed by an unknown entity, likely to the detriment of U.S. national security.

Over the past year, Attorney General William Barr and other senior government officials have renewed their call for technology companies to subvert the encryption in their products in order to facilitate government surveillance. Juniper’s experiences can provide a valuable case study about the dangers of backdoors, as well as the apparent ease with which government backdoors can be covertly subverted by a sophisticated actor. To that end, we would appreciate answers to the following questions by July 10, 2020:

1. In August of 2009, Juniper obtained joint certification from the U.S. and Canadian governments, certifying that Juniper’s Netscreen products running ScreenOS satisfied the Federal Information Processing Standards (FIPS) for cryptographic modules. Despite the fact that Dual_EC_DRBG was then a FIPS-certified algorithm, Juniper did not disclose the inclusion of Dual_EC_DRBG in its FIPS application, although Juniper disclosed the use of several other FIPS-certified algorithms. Why did Juniper not disclose to NIST that its products used the Dual_EC_DRBG algorithm?

2. Rather than using the “Q” value for the Dual_EC_DRBG algorithm specified in the NIST standard, Juniper used a different Q value when it originally added Dual_EC_DRBG to its products, sometime between 2008-2009. Please explain why Juniper opted to use a different Q value, how it was generated and by whom. If Juniper did not generate this Q value following the procedures described in NIST Special Publication 800-90, please explain why.

3. What were the results of Juniper’s investigation following its 2015 discovery of unauthorized code?
a. Who was responsible for conducting the investigation?
b. What was the scope of the investigation?
c. If a written report was produced, please provide us with a copy.

4. Did the investigation examine Juniper’s decision to add and retain support for the Dual _ EC _DRBG algorithm in Juniper’s ScreenOS software, long after cryptography experts publicly raised serious questions regarding a potential backdoor in Dual_EC_DRBG? If not, why not?

5. According to the research team that studied the Juniper backdoors, at or around the same time that Juniper added support in ScreenOS for the Dual_EC_DRBG algorithm, Juniper also increased the Internet Key Exchange nonce size from 20 bytes to 32 bytes. The research team argues that this change would make it easier for a sophisticated adversary to exploit backdoors in Dual_EC_DRBG. Did Juniper’s investigation look into the decision to increase the size of the nonce? If yes, what did Juniper discover? If not, why not?

6. Please identify the Juniper employees who approved the changes to ScreenOS described in questions 4 and 5.

7. Did Juniper’s investigation uncover any information relating to the source of the unauthorized code revealed by Juniper in December 2015, and in particular, the code that altered the Q value in the Dual_EC_DRBG algorithm? 

8. Did the results of the investigation include any recommendations to prevent future security incidents? If yes, has Juniper implemented all of the recommendations?

Thank you for your attention to this important matter. If you have any questions about this request, please contact Chris Soghoian in Senator Wyden’s office.

[…signatures…]

Note: I have mixed feelings about repeating/amplifying this information by posting a translation here, but deficiencies similar to the observations by the Court of Audit can also be found in public reports in other countries (Anglosphere and beyond). I.e., information security in foreign affairs realms is a generic(-ish) point of attention, not a Dutch one.

On 20 May 2020, Dutch news paper Volkskrant published (in Dutch) an article about an audit report (in Dutch; mirror) regarding the ministry of Foreign Affairs. The report comes from the Netherlands Court of Audit, which is responsible for auditing national government expenditure.

The Volkskrant article spawn from an anonymous tip sent to Dutch whistleblower website Publeaks.nl (more) and appeared on the same day that the Court’s audit report was published.

Key takeaway from the article (TL;DR):

“According to the whistleblower, ‘state secrets are at risk’ and the IT system and encryption of information were outdated and unsafe in ‘the days of Hawija and MH17’.”

The Court is clear about its assessment of the state of information security at the ministry of Foreign Affair. Translating a part of the conclusion on p.17 of the Court’s audit report:

Moreover, the Minister paints a very positive picture of this to the Lower House of Parliament. This is illustrative of the lack of recognition of the importance of good information security at the Ministry of Foreign Affairs that we have observed for a number of years in succession. Especially at the Ministry of Foreign Affairs we expect better understanding into the importance of good information security in view of the threat from state actors, among others.

For the third year in a row, the ministry does not comply with the regulations for information security that apply within the national government. That is why the Netherlands Court of Audit qualifies information security at the Ministry of Foreign Affairs as a serious deficiency.

The Court makes the following recommendations, in addition to upholding last year’s recommendations:

• Ensure that documentation, such as an information security strategy/vision, is formalized at the appropriate level to provide guidance and support for information security in accordance with organizational requirements and relevant laws and regulations.
• Provide an overarching annual plan for information security with the translation into projects that include budget, staffing and supplies. This is an instrument for steering the realization of information security goals in accordance with the policy, mission and strategy, and the support for this.
• Describe the risk management process with the most important elements such as control, acceptance and ownership of risks in order to achieve the correct security of information and information systems within the context of the organizational objectives.

The Court notes that security is a strong as the weakest link and that cross-departmental systems do not yet have clear owners/responsibilities (bold emphasis added):

We note that there is a real risk in the chain of information exchange. There are strong interdependencies between ministries in exchanging state-secret, company-confidential and privacy-sensitive information. Due to the large differences in the levels of information security, risks arise when exchanging information. The weakest link in the chain determines the strength of the chain as a whole. It is important that mutual relationships, differences and dependencies between the links in the chain are clear to every ministry. It is presently unclear who is responsible for cross-departmental chains of information systems that.

The remainder of this post is an English translation of the Volkskrant article. It is a manually corrected version of an automated translation via DeepL.com.

Netherlands Court of Audit: state secrets of ministry of Foreign Affairs still poorly secured
(source)

The Ministry of Foreign Affairs does not have its information security and does too little to solve this. As a result, there is risk of compromise of its state secrets. Minister Blok unjustly paints ‘a very positive picture to the House of Representatives’ of improvement plans.

Natalie Righton and Hessel von Piekartz
20 May 2020, 16:08

This conclusion was reached by the Court of Auditors on Wednesday in a hard-hitting report entitled Verantwoordingsonderzoek Buitenlandse Zaken 2019 (Accountability audit report Foreign Affairs 2019). All ministries present their annual reports on ‘judgement day’, as the accounting day on the third Wednesday in May is also referred to. The Court of Audit audits them and expresses an opinion on their operations in the past year.

Foreign Affairs does not meet its own minimum requirements for information security. The problem is serious and persistent. This ultimately means a risk, also for the protection of state-sensitive information’, says Ewout Irrgang, a member of the Netherlands Court of Audit.

The state auditor describes the inadequate security as a ‘serious imperfection’. According to Irrgang, that is ‘a very serious opinion’. This year, of all government departments, only the IT habitat of the Ministry of Foreign Affairs was given that label.

State secrets

According to the Court, malicious parties are actively looking for weaknesses in the security of Foreign Affairs’ information systems.

Sabotage, theft, and the leaking of state secret, business confidential and privacy-sensitive information’ are lurking around the corner, writes the Court of Audit in its report. There are indications that cyber criminals are plunging into this and the number of false e-mails about the coronavirus has risen sharply. For example, fake emails are being sent on behalf of the World Health Organization with malicious, dangerous malware,’ states the Court of Audit in its report.

Other examples of the weak security at the Ministry of Foreign Affairs are easy to crack passwords, information exposed to interception, and the central storage of sensitive information. It is safer to store data compartmentalized, i.e. in small chunks, so that not everyone can access the entire file.

Information security is particularly important in times of crisis, such as the corona crisis, according to the Court of Auditors. Diplomats exchange information digitally even more than usual, because they work from home, make video calls and hold telephone consultations.

The approximately 5,000 diplomats from The Hague and the 144 embassies and consulates send a lot of information that is of interest to cyber criminals. Think of information about Russia’s involvement in the MH17 disaster or the consequences of the Dutch bombardment of Hawiya. The lack of security applies both to the laptops and telephones that diplomats use when they are on the road, and to the official computers at headquarters or embassies.

According to the Court of Audit, Minister Blok of Foreign Affairs is too optimistic about the state of information security.

No priority

To the annoyance of the State Inspector, the State Department does too little to put security in order. This is the third year in a row that the Court of Auditors has concluded that these problems exist. The situation has not improved, but has actually worsened, which irritates the Court of Audit.

This is illustrative of the lack of recognition of the importance of good information security at the Ministry of Foreign Affairs that we have observed for a number of years in succession. It is precisely at the Ministry of Foreign Affairs that we expect more insight into the importance of good information security in view of the threat from state actors, among others,’ says the Court of Audit.

Despite earlier warnings, no fewer than ten of the eleven information systems used by diplomats have not received a stamp of approval.

Back to paper

It was already announced last year that both the EU and NATO are threatening not to send any more electronic documents from Brussels to The Hague if Foreign Affairs does not get its security in order. Minister Blok wrote to the House of Representatives on 9 December that this is why ‘the highest priority is being given’ to getting the accreditation (approval) of the information systems in order.

Remarkably, he emphasized that Foreign Affairs might ‘fall back on the traditional way’ if the department no longer received digital information from international partners.

By this the minister means physical letters, according to worried IT people who contacted the Volkskrant anonymously. One of them concludes that the information security of the Ministry of Foreign Affairs is ‘a big mess’.

According to the whistleblower, ‘state secrets are at risk’ and the IT system and the encryption of information was outdated and unsafe in ‘the days of Hawija and MH17 .

For the Court of Audit, the Minister’s suggestion to fall back on paper mail is an ‘illustration that not much priority is being given’ to the problem, according to fellow member Irrgang.

Response from Minister Blok

In a response to the harsh conclusions of the Court of Audit, Minister Blok stated on Wednesday that information security is certainly a priority for the department. There is no doubt that inadequate information security can have far-reaching and disruptive consequences’, Blok said in a written response. According to the minister, hard work is being done on improvements.

We’re taking this very seriously and we’re working on it,’ adds a spokesman Wednesday. On the possibility of state secrets leaking, he says that to date he ‘has not experienced anything going wrong. My experience is that we are functioning reasonably well in that regard’. The Minister endorses the Court’s new recommendations, such as a plan of action.

MP Sjoerd Sjoerdsma (D66 party) says it’s ‘worrying’ that the ministry does not yet have control over its information security. It becomes even more annoying when it turns out that Minister Blok consistently presents progress in a more positive way than is actually the case and downplays the consequences of this problem. This is not acceptable at a time when cyber attacks and espionage are increasing rapidly,’ says Sjoerdsma.

Note: this post is only of interest to those not already (self-)informed about the basics of intelligence and espionage and those who in general take an interest in what the AIVD communicates to the public.

On 26 May 2020, the Dutch General Intelligence & Security Service (AIVD) released a new brochure (.pdf, in Dutch) to inform the general Dutch public about threat of espionage. The post below is an unofficial English translation of that brochure (a manually corrected version of an automated translation by DeepL.com). The AIVD will likely release an English translation itself; when it is released, I will add a link to it here.

Parts in [] brackets were added by me.

Espionage – How do you recognize it and what can you do about it?

Espionage is of all times and poses a major threat to the Netherlands. At the same time, espionage is almost invisible and few people are aware of its dangers. All kinds of foreign countries are spying in the Netherlands. Not only via digital means, but also in the classic way: humans. Why does espionage happen and why is it harmful? How do you recognize it and what can you do about it?

What is espionage?

Passing on knowledge about Dutch foreign policy, copying and, for a fee, handing over documents from the European Commission, or hacking into a high-tech company to steal business secrets. They’re all examples of espionage. But what is espionage? Espionage is the surreptitious gathering of intelligence (information) or objects (e.g. products or machines). It may involve sensitive (personal) information, technology or state secrets, for example.

The Netherlands is an attractive target for espionage. Our country is a member of the North Atlantic Treaty Organization (NATO) and the European Union (EU) and has interesting information at its disposal. We are also host to numerous international organizations such as the Organization for the Prohibition of Chemical Weapons (OPCW) and the International Criminal Court (ICC). Dutch universities and the private sector also have a great deal of knowledge and high-quality technology at their disposal. The task of the General Intelligence and Security Service (AIVD) is to identify and help end espionage and to raise awareness of it.

Who is spying and why?

All kinds of foreign countries are spying within and against the Netherlands in order to obtain information or objects from which they can benefit. There are various reasons to spy. A foreign country can, for example, keep an eye on its emigrated countrymen abroad to check whether they pose a threat to the foreign country’s regime. Or they can map out the political situation and the decision-making process in the Netherlands in order to influence it. They can also steal economic knowledge to advance their own economy.

Some countries spy on a large scale and have professional intelligence services at their disposal that carry out this work to the best of their ability. The AIVD investigates these countries. Which foreign countries pose the greatest threat depends very much on the (inter)national situation. Relations between countries can change rapidly, leading to new players appearing on the espionage scene.

How are they spying?

Foreign intelligence services spy in various ways. Nowadays a lot of spying is done digitally: intelligence services hack into computers to steal information without being seen. Ministries, research centers and companies in the high-tech, chemical and energy sectors are frequently attacked digitally.

Espionage is also still done in the traditional way, by approaching people to gain access to information through them. Employees of intelligence services look for interesting interlocutors (sources) such as civil servants, scientists, top officials and journalists. Supporting personnel can also be interesting to intelligence services, because they can also have access to confidential information.

Why is espionage harmful?

Espionage takes place out of sight from society. For many people it is hard to imagine that espionage is harmful to national security, but this surreptitious way of gathering information can have a major impact. If, for example, another country gains access to secret information, that country can use the information to influence decision-making or take other measures. Countries can use information about their own population abroad to intimidate or even eliminate opponents.

Espionage can also cause economic damage. As soon as other countries have access to confidential business information, it has an impact on the financial position of those companies. If blueprints and unique equipment are copied, the country that is spying no longer has to pay the (often high) R&D costs itself. This can result in the Dutch company selling fewer products or being unable to compete with the foreign company. Scientific projects whose results and methods are secretly copied for use in another country may result in the financing no longer being profitable. There is also a risk that knowledge about atomic technology will fall into the wrong hands. It is therefore important that confidential information or technology cannot simply be diverted to other countries.

How do you recognize espionage?

Espionage is largely human work. Let’s say you have interesting information, and you stand out to a foreign intelligence service because of it. They then try to get in touch with you through one of their employees. That person will try to establish a relationship of trust with you. For example, he or she poses as a diplomat, journalist or entrepreneur in order to get in touch with you in a natural way [i.e., inconspicuous]. However, you may notice certain signs indicating that you are dealing with an employee of a foreign intelligence service.

Intelligence services often carry out extensive preparatory investigations into people who may be of interest to them. On the Internet, for example, they look for people who have access to sensitive files. They also look for information about a person’s private life, such as hobbies or membership of a sports club, to get to know someone better. This information is used to get in touch with you ‘spontaneously’.

Was the first contact successful? Then more meetings often follow. You will be taken out to dinner, receive gifts and may think you are building a friendship. Appointments mainly take place outside, and the foreign intelligence employee appears to be extremely interested in your private affairs. But all this time he or she has only one goal: get you to spy. Eventually, the intelligence officer will ask you to provide information for a fee. In the beginning this may be trivial information, a test to see how far you are prepared to go, but later on it will also include sensitive documents to which you have access.

What can you do against espionage?

It already helps to be aware of the fact that espionage exists. If you get a strange feeling during a contact, it is always wise to exercise restraint and report this to your employer’s security department. By recognizing signals, you can be ahead of espionage. Do you suspect espionage by a foreign intelligence service? Then report this to your employer and the AIVD: aivd.nl/contact

Be aware of the potential value of information about your work and network. Information you can easily access, such as innocent-looking files or working conditions [note: it’s unclear what the AIVD is referring to with the Dutch word “werkomstandigheden” – perhaps salary information, corporate structure, culture, and/or internal policies], can be of interest to an intelligence service. An intelligence service may also be interested in your relationship with important people.

Find a good balance in what you share online about yourself and your work. For example, do not mention on LinkedIn or Facebook that you’re working on sensitive files. Be aware of what you share and especially with whom.

Protect your equipment. Intelligence services may be interested in the information on your phone or laptop. Be alert to phishing mails, make use of security software and keep software up to date. During business trips it is wise to keep equipment that contains valuable information with you and not to check it in as luggage. Also read the AIVD publication ‘On a trip abroad – Security risks en route‘.

Getting in contact with someone from another country does of course not automatically mean you are dealing with an intelligence service.

However, it is good to be aware of the nature of the relationship. Make sure you do not become dependent on the other person and be aware of the underlying intentions of your contacts.

Want to know more?
Would you like to know more about espionage and the role of the AIVD? Then go to aivd.nl/spionage.

Colophon
This brochure is a publication of:

The General Intelligence and Security Service
aivd.nl
P.O. Box20010|2500ea The Hague
May 2020

On 9 April 2020 the Dutch government announced (in Dutch) that the Council of Ministers approved the establishment of an independent committee to evaluate the Intelligence and Security Services Act of 2017 (“Wiv2017”). In the legislative process that followed the draft bill — back then referred to as “Wiv20xx” — released in 2015, the House of Representatives and the Senate had requested the government to add an evaluation clause to the law, which the government accepted and was subsequently included in the Coalition Agreement 2017-2021 (.pdf; coalition partners being VVD, CDA, D66 & CU).

The announcement states that the committee’s task is broad: it evaluates the entire law. Based on prior official documents it can be expected that the committee will also explicitly examine, from a legal perspective, the way of working of the new ex ante oversight committee introduced by the Wiv2017, the “Toetsingscommissie Inzet Bevoegdheden” aka TIB. According to the coalition agreement, specific attention will also be paid to whether “arbitrary mass collection of data of citizens in the Netherlands or abroad” is (not) taking place. Be reminded that the Wiv2017 introduced so-called “OOG interception”, which for the first time ever in the Netherlands laid down explicit legal provisions for bulk-like interception of communications on non-ether links, e.g. optic-fiber & copper cables. Prior to the Wiv2017, legal provisions only existed for bulk interception of ether links, e.g. HF radio & satcom. Also, the prohibition of so-called “sigint search” on domestic-domestic communication was removed per the Wiv2017 (“sigint search” is that phase that precedes “sigint select”. “Sigint search” is, roughly speaking, browsing/searching network links that can be intercepted to identify channels/links/places of possible interest to the legal tasks of the intelligence services. Data can be intercepted in bulk from there for subsequent querying in the “sigint select” phase to obtain communication matching specific persons, organizations and/or keywords as part of an ongoing investigation). Depending on outcome of the evaluation it is possible that changes will be proposed to the current law, for instance the addition of new legal safeguards and improvements to the oversight mechanisms.

The remainder of this post consists of an (unofficial) translation of the announcement that the government released yesterday.

Evaluation Committee for the Intelligence and Security Services Act

News release | 09-04-2020 | 14:45

The Council of Ministers has approved the establishment of an independent committee to evaluate the Intelligence and Security Services Act of 2017. This implements the decision, laid down in the coalition agreement, to evaluate the Act no later than two years after its entry into force on 1 May 2018.

The evaluation committee is chaired by Mrs R.V.M. (Renee) Jones-Bos and will start its work as of 1 May 2020 insofar the measures to combat the Coronavirus allow. In addition to the chairperson, six other members will be appointed. Their appointment will take place as soon as the AIVD has concluded their security screening procedure with positive results. The composition of the committee will take into account the knowledge and expertise required for the evaluation in the areas of legislation, operational knowledge of the work of intelligence and security services, digital security and data analysis, human rights and privacy.

The committee is charged with evaluating the law itself, not with evaluating the proper functioning of the services. The evaluation has a broad scope. An important research question is whether the objectives of the law, i.e., modernisation of the powers of the intelligence services and strengthening of the safeguards, are being achieved. The committee must also examine whether the new law has proved to be a workable instrument in practice for the performance of the services’ tasks and what bottlenecks and points for attention exist in the application of the law.

The committee will release its findings in a public evaluation report. The date of delivery of the report will be determined after consultation with the chairperson and will depend on the impact that the Corona measures have on the progress of the committee’s work. For the time being, publication is expected before the end of this year.