Outlines of the Dutch General Intelligence & Security Service (AIVD) Year Plan for 2016

On December 16th 2015, the Dutch government submitted a “year plan letter” to the House of Representatives that covers the outlines of the General Intelligence & Security Service (AIVD) priorities in 2016. It is a follow-up to, and references, the first-ever year plan letter, submitted on June 23rd 2015. A translation of that earlier letter is available here.

The remainder of this post consists of a translation of the paragraphs that describe the focus areas regarding intelligence. Links, parts in [], typos and translation errors are mine.

[…]

National security and the role of the AIVD

Security is a core task of the government. The AIVD ensures national security by timely identification of threats, (political) developments and risks that are not immediately visible. To this end, the AIVD carries out domestic and foreign investigations, taking into account the safeguards of the Dutch Security & Intelligence Act of 2002 (.pdf) (Wiv2002). Collecting and interpreting intelligence is not an objective in and of itself. It is an essential condition to thwart terrorist attacks, disrupt terrorist traveling, detect espionage, and, more generally, support government policy to protect the democratic rule of law and other important state interests. The AIVD shares specific knowledge and information with its partners (for instance public administrators, policy makers, the National Police) and instigates other organizations to act.

Integrated Intelligence & Security Policy [Dutch: “Geïntegreerde Aanwijzing I&V”]

On June 23rd 2015 I informed the House of Representatives about the priorities and accents of the AIVD in 2015 (Parliamentary Papers 30 977, nr. 119), for the first time on the basis of an Integrated Intelligence & Security Policy. This Integrated Policy describes the intelligence needs of various intelligence consumers and is the basis for the year plans of the AIVD and the Military Intelligence & Security Service (MIVD). The Integrated Policy also takes into account prior budget increases appointed by the government for the multi-year budget of the AIVD. The priorities and accents laid down in my letter of June 23rd are largely continued in 2016, because the Integrated Policy lays down the intelligence need for multiple years. At the same time it must be observed that worrying developments keep taking place within various existing areas of interest. The threat concerning jihadist terrorism, the instability at the borders of Europe, the large increase of migration flows and the changes in global power relations require undiminished attention and efforts within the AIVD’s investigations.

Priorities and accents of AIVD investigations

Concerning the legal tasks of the AIVD, insight is given below into the (changed) priorities and accents that are put central in 2016 in each focus area:

Jihadist terrorism

The Netherlands has a terrorist threat level that is qualified as “substantial” since March 2013. In my letter of June 23rd I describe the current developments concerning jihadist terrorism, such as regarding the threat from jihadists from the Netherlands that have traveled abroad, jihadist groups that have an international agenda, and the increasing role of old transnational networks. I also state that different, unrelated elements can come together, such as mavericks, sympathizers, diffuse local networks, and relations or inspirations with other networks and groups. These threats remain current. The tragic events in Paris on November 13th emphasize this. The efforts of the AIVD therewith remain focused, undiminished, on the timely identification of said national and international jihadist threats, to provide relevant government organizations with perspectives to act. Furthermore, the efforts are focused on preventing Dutch youngsters from traveling to conflict zones and on the timely identification of the threat from (returned) jihadist fighters. In addition, the AIVD attempts to disrupt the supportive and recruiting activities regarding participation in violent international jihad. Especially concerning this topic, active cooperation takes place with domestic and foreign organizations, including the NCTV, the National Police, the Public Prosecution Service, municipalities, and Child Protective Services. International cooperation takes place with various foreign intelligence & security services, and within Europe, operational information is frequently exchanged within the Counter Terrorist Group (CTG). In the Spring of 2016, the AIVD chairs the CTG, and the AIVD has prioritized the further intensification of this cooperation.

Migration flows

The AIVD investigates possible security risks for the Netherlands and Dutch interests as a result of the strongly increased migration flows to Europe. This investigation takes place from the perspectives mentioned above, including (jihadist) terrorism, radicalization, left-wing and right-wing extremism and tensions between groups inside the Netherlands. Investigation into specific countries also takes place. Where necessary, the progress of these investigations is discussed at the national and international level with the AIVD’s partners.

Radicalization

In the coming years, radicalization of various groups inside the Netherlands remains a cause for concern. The persisting international tensions provide a breeding ground that, in combination with the national situation and personal circumstances, in the near future keeps resulting in a climate in which radicalization takes place. The recent AIVD/NCTV publication “Salafism in the Netherlands, diversity and dynamics” provides the most recent insight into the anti-democratic and intolerant character of parts of the salafist spectrum, combined with the risks for the democratic rule of law that are associated with their growth as observed by the AIVD.

The AIVD emphasized that the threat that stems from (the growth of) radical islam in the Netherlands is twofold: on the one hand, it can result in violence in the form of jihadist terrorism. On the other hand, it can by itself pose a threat to the democratic rule of law, because of the intolerant and anti-democratic thoughts that are spread. The AIVD investigates both types of threats. The investigation of persons and organizations that propagate jihadist thoughts helps in getting timely insight into jihadists, and thereby facilitates the AIVD’s investigation of jihadist terrorism. The investigation into non-jihadist radical islam helps, among others, the NCTV, the local governments, and other relevant organizations in taking measures against individuals who instigate others into anti-integrative and intolerant isolationism.

Left-wing and right-wing extremism

With regard to the investigation of left-wing and right-wing extremism, the developments and related priorities and accents described in my letter of June 23rd remain in place. The investigatory efforts regarding this area of interest will be continued in 2016. The interpretation of the factual threat that the AIVD attributes to left-wing and right-wing extremism is essential in providing the NCTV and local and national authorities with perspectives for acting.

Proliferation of WMDs

WMDs are potentially a great threat to international peace and security. The Netherlands has signed international treaties focused on preventing the proliferation of such weapons. The joint Unit Counter-Proliferation of the AIVD and MIVD investigates countries that are suspected of developing WMDs and means of transmission, or already possess those, in violation of these treaties. The priorities for the (joint) investigation by both services remain in place for 2016.

Investigation of countries

The AIVD’s investigation of countries is carried out to provide the government with background information and perspectives for acting and to use in discussion on topics that affect the Dutch national and international political interests. This investigation is increasingly closely related to the AIVD’s security tasks. Countries regarding which a joint intelligence need is laid down for the AIVD and MIVD in the Integrated Policy are investigated in close (operational) cooperation and consultation with the MIVD. The intelligence need laid down in the Integrated Policy for investigation of countries remains unchanged in 2016.

(Digital) espionage and cyber threats

The intelligence need concerning foreign intelligence activities inside the Netherlands (espionage) or aimed against the Dutch interests remains unchanged in 2016. The investigation is aimed at identifying undesired activities and disrupting those, or by providing perspectives to act to the relevant authorities. Concerning digital espionage, anonymity and profitability of digital attacks provide unprecedented new possibilities for perpetrators and their clients to serve their political and/or economical interests. Examples of observed digital attacks, aimed at espionage and gathering sensitive and valuable information, are numerous and the threat and (potential) damage are great. It can also involve digital attacks aimed at sabotage or societal disruption. The AIVD investigates such cyber attacks and works closely together with the MIVD, the National Cyber Security Center (NCSC) and the NCTV.

[…further paragraphs omitted from translation concern the recruitment of new employees, the draft Dutch intelligence bill, security screenings, budget stuff, co-location of AIVD & MIVD at Frederikskazerne in The Hague, IT and accountability…]

(signed by Ronald Plasterk, the Minister of Internal Affairs & Kingdom Relations)

EOF

Full translation of the Dutch government’s statement on encryption

UPDATE 2016-10-31: in case anyone wonders: the Dutch gov’t statement on encryption was made with consent of the Dutch General Intelligence & Security Service (AIVD) and the Dutch Nat’l Counter Terrorism Coordinator (NCTV), notwithstanding the recent call by the head of the AIVD [Volkskrant article, in Dutch] for ways to access encrypted WhatsApp (etc.) chats.

UPDATE 2016-10-04: the Dutch House of Representatives today voted in favor of a motion that requests the government to uphold its standpoint on encryption made in January 2016 (see the remainder of this post), and to actively advocate that standpoint internationally and within the EU. The motion was filed by Kees Verhoeven, MP for the D66 party (social-liberal / progressive) during the (extended) General Meeting on privacy and the topic of (not) weakening encryption, that took place on September 27th. An official but uncorrected stenogram, in Dutch, from that meeting is available here (.docx).

UPDATE 2016-01-20: during a General Meeting on cyber security, the state secretary for Security & Justice, Klaas Dijkhoff, confirmed (in Dutch) that the Dutch government does not seek weakening encryption: “yes, we are serious about that”.

TL;DR: on January 4th 2016, the Dutch government stated that it will, at this time, not take restrictive legal measures concerning the development, availability and use of encryption within the Netherlands. Some things to keep in mind:

  • they explicitly state ‘at this time’ — the possibility remains that their position changes in the future;
  • current Dutch law provides some forms of compelled decryption:
    • first, two provisions exist in intelligence law regarding targeted hacking and targeted interception.
      • The targeted interception power requires prior approval from the minister: if the minister approves a request for targeted interception, the services can then themselves compel “anyone” to help decrypt the intercepted communication;
      • The targeted hacking power (currently) does not require prior approval from the minister; the services can themselves decide to hack a system and to compel “anyone” to help decrypt data;
      • Note: the law does not forbid the use of the compelled decryption powers against a target, but for obvious reasons — e.g. maintaining operational secrecy — it seems likely the compelled decryption powers will typically only be used against third parties, for instance a provider, a roommate, etc.;
    • second, one provision exists in the code of criminal procedure (criminal law) regarding access to a secured computer as part of a criminal investigation. The law forbids the use of this power against a suspect (because of nemo tenetur, i.e., the right to not self-incriminate);
  • in July 2015, the Dutch government proposed compelled decryption for untargeted (bulk) interception in a draft intelligence bill (intelligence law). The draft bill is currently being revised and is expected to be submitted to the House of Representatives by the end of Q1/2016. AFAIK it is expected that the final bill, that will be debated in the House of Representatives, will still include the new decryption provision. The status of the bill can be viewed here;
  • in December 2015, the Dutch government stated they cancelled the decryption provision in the final version of a cybercrime bill (more) (part of criminal law) which would have granted LE the power to, after approval from a magistrate (but not a court), compel suspects of certain “very serious criminal offenses” to decrypt their data under penalty of three years’ imprisonment or a fine of up to ~20k euro. The stated reason for the cancellation: incompatibility with nemo tenetur. Why the government initially included this provision in the draft cybercrime bill — notably following a rather critical study by professor Bert-Jaap Koops — but now cancelled it in the final cybercrime bill, is not clear (to me). The status of the bill can be viewed here.

On January 4th 2016, the Dutch government released a statement on encryption. It is covered by El Reg. Here is a full, unofficial translation of that statement (~1600 words; hyperlinks and parts in [] were added by me):

Government position on encryption

We hereby submit the government position on encryption. This fulfills promises made during the General Meeting of the Telecom Council of June 10th 2015 (Parliamentary Papers 2014-2015, 21501-33, nr. 552) and the General Meeting of the JHA Council of October 7th 2015.

Introduction

Encryption is increasingly easy to obtain and use, and increasingly common in regular data communication. The government, the private sector and citizens increasingly use encryption to protect the confidentiality and integrity of communication and stored data. That is important for public trust in digital products and services, and for the Dutch economy, in the light of the rapidly developing digital society. At the same time, encryption obstructs access to information necessary for prosecution services and intelligence & security services when malicious persons (such as criminals and terrorists) use it. The recent attacks in Paris, where the terrorists possibly used encrypted communications, lead to the justified question what is needed to provide these services with proper insight into attack planning, and to maintain that insight.

The duality described in the previous paragraph was also heard in the public debate in the past months about the dilemmas of the use of encryption. The House [of Representatives; i.e., the lower house] has also discussed this. During the General Meeting of the Telecom Council it was asked what the government intends to do regarding the promotion of strong encryption. Besides that, the House requested the government to establish a position on encryption.

Next, the importance of encryption for the system and information security of the government and the private sector, and for the constitutional protection of privacy and confidential communication, will be discussed. The importance of prosecution of serious criminal offenses and the protection of national security will be laid down. Finally, after weighing of the interests, a conclusion is drawn.

The Dutch situation cannot be discussed without taking into account the international context. Software for strong encryption is increasingly available world-wide, and is already integrated in products or services. Considering the broad availability and use of advanced encryption techniques, and the cross-border nature of data traffic, options to act at a national level are limited.

Importance of encryption for the government, private sector and citizens

Cryptography plays a key role in technical security in the digital domain. Many cyber security measures in organizations depend strongly on the use of encryption. Secure storage of passwords, the protection of laptops against loss or theft, and the secure storage of backups are more difficult without the use of encryption. The protection of data transferred via the internet, for instance during internet banking, is only possible through the use of encryption. Due to the connectedness of systems and the global branches and various paths that communication can travel, the risk of interception, breach, access or manipulation of information and communication is always present.

The government increasingly communicates with citizens via digital means, and provides services where confidential data is exchanged, such as the use of DigiD [a national authentication system that Dutch citizens can use to log in to the IRS, the cadastre, their municipality, etc.] or declaring taxes. As stated in the coalition agreement of 2012, citizens and companies should be able to carry out their interactions with the government entirely digitally by 2017. The government has the responsibility to ensure that confidential data is protected against access by third parties: encryption is indispensable for this. The protection of communication within the government also depends on encryption, such as the security of the exchange of diplomatic messages, and military communication.

For companies, encryption is essential to store and transfer business information securely. The ability to use encryption strengthens the international competitiveness of the Netherlands, and promotes an attractive climate for businesses and innovation, including startups, data centers and cloud computing. Trust in secure communication and storage of data is essential for the (future) growing potential of the Dutch economy, that mainly resides in the digital economy.

Encryption supports the protection of privacy and the confidentiality of citizens’ communications, because it provides them with a means to protect the confidentiality and integrity of personal data and communications. This is also important for exercising the right to free speech. It enables citizens, but also persons who hold an important democratic profession, such as journalists, to communicate confidentially.

Encryption thus enables everyone to ensure the confidentiality and integrity of communication, and defend against, for instance, espionage and cyber crime. Fundamental rights and freedoms, as well as security interests and economic interests, benefit from this.

Encryption, prosecution services and intelligence & security services

The investigatory powers and means available to the services must be equipped for the present and future digital reality. Effective, lawful access to data promotes the security of the digital and physical world. Encryption used by malicious persons hinders access to data by the prosecution services and intelligence & security services. The services experience these barriers for instance when they investigate the distribution and storage of child pornography, while supporting military missions abroad, while countering cyber attacks, and when they want to gain and maintain insight into terrorists who are planning attacks. Criminals, terrorists and opponents in armed conflicts are often aware that they can attract attention of the services, and also possess advanced encryption methods that are difficult to circumvent or break. The use of such methods requires little technical knowledge, because encryption is often an integral part of the internet services that they too can use. That complicates, delays, or makes it impossible to gain (timely) insight into communication for the purpose of protecting national security and the purpose of prosecuting criminal offenses. Furthermore, court hearings and the providing of evidence in court for a conviction can be severely hindered.

The right to privacy and confidentiality of citizens’ communication

As mentioned before, the use of encryption supports citizens in ensuring privacy and confidentiality of their communication. Said lawful access to data and communication by prosecution services and intelligence & security services constitutes a breach of the confidentiality of citizens’ communication.

Confidentiality of communication involves the constitutional protection for privacy and the right to protection of correspondence [letters, snail mail], telephone communication and telegraph communication (hereafter: ‘confidentiality of communications’). These constitutional rights are laid down in, respectively, Article 10 and Article 13 of the Dutch constitution. Besides that, these fundamental rights are laid down in Article 8 ECHR and Article 7 and Article 8 of the Charter of Fundamental Rights of the EU (insofar EU law is affected).

The protection of constitutional rights applies to the digital world. Said constitutional regulations and international regulations provide the framework to counter unlawful breaches. Said rights are not absolute, meaning that limitations can be established insofar they meet the requirements set by the Dutch constitution and the ECHR (and insofar European Union law is affected, the EU Charter). A limitation is permissible when it serves a legitimate purpose, is established by law, and the limitation is foreseeable and cognizable [=transparent]. Furthermore, the limitation must be necessary in a democratic society. Finally, the infringement must be proportional, which means that the government’s purpose of the infringement must be proportional in relation to the infringement on the right to privacy and/or the right to confidentiality of communications.

These requirements provide the framework for weighing the interests involved in encryption, such as the right to privacy and the right to confidentiality of communications, public and national security, and the prevention of criminal offenses. This framework, insofar it involves the special powers of the intelligence & security services, is also laid down in the Intelligence & Security Act of 2002 (‘Wiv2002’, Article 18 and Article 31). The obligations [for third parties] to cooperate with decryption laid down in the Wiv2002 (Article 24, third paragraph, and Article 25, seventh paragraph) and in the Code of Criminal Procedure (‘WvSv’, Article 126m, sixth member) can be invoked if the related special powers are exercised after such weighing.

Discussion and conclusion

Nowadays it is increasingly less often possible to break encryption. Furthermore, it is increasingly less often possible to demand unencrypted data from service providers. Increasingly often, modern uses of encryption mean that data is processed by the service providers only in encrypted form. Considering the importance of investigation and prosecution, and the interests involved with national security, these developments necessitate the search for new solutions.

Currently, there is no outlook on possibilities to, in a general sense, for instance via standards, weaken encryption products without compromising the security of digital systems that use encryption. For instance by introducing a technical doorway [=backdoor, exceptional access] in an encryption product that would enable prosecution services to access encrypted files, digital systems can become vulnerable to criminals, terrorists and foreign intelligence services. This would have undesirable consequences for the security of communicated and stored information, and the integrity of IT systems, which are increasingly important to the functioning of society.

In carrying out their legal tasks, prosecution services and intelligence & security services are partially relying on cooperation from providers of IT products and services. Given this dependence, consultation is necessary with providers regarding effective data provisioning in case of the use of their services by malicious persons, while taking into account everyone’s role and responsibilities, as well as the legal frameworks.

Given this discussion, we draw the following conclusion:

The government has the duty to protect the security of the Netherlands and to prosecute criminal offenses. The government emphasizes the necessity of lawful access to data and communication. Furthermore, governments, companies and citizens benefit from maximum security of digital systems. The government endorses the importance of strong encryption for internet security, for supporting the protection of citizens’ privacy, for confidential communication by the government and companies, and for the Dutch economy.

Therefore, the government believes that at this time it is not desirable to take restricting legal measures concerning the development, availability and use of encryption within the Netherlands. The Netherlands will propagate this conclusion, and the arguments that underlie it, internationally [recall: the Netherlands holds the Presidency of the Council of the EU in the first half of 2016; priorities (see slide 2) for the JHA Council include cybersecurity and efforts to tackle cybercrime, and priorities for the EU-US ministerial JHA meeting include data protection, PNR data, counterterrorism and jihadism]. Regarding the promotion of strong encryption, the Minister of Economic Affairs will follow up on the intent of the amendment (Parliamentary Papers 2015-2016, 34300 XIII, nr.10) on the budget of the Ministry of Economic Affairs [=grant EUR 500k to OpenSSL].

(signed by the Minister of Security & Justice and the Minister of Economic Affairs)

EOF

[Dutch] Bijlage Kamerbrief CT bevoegdheids-, taak- en rolverdeling EU & EU-lidstaat

Op 30 november 2015 verscheen een regeringsbrief van ministers Van der Steur (V&J), Plasterk (BZK) en Koenders (BuZa) waarin de bevoegdheden, taken en rollen van de Europese Unie en de EU-lidstaten op het gebied van contraterrorisme worden uitgelegd. Voor eigen doeleinden bewaar ik hier een kopie van de inhoud van de bijlage (.pdf) bij dat kamerstuk.

Bijlage Kamerbrief CT bevoegdheids-, taak en rolverdeling Europese Unie – Lidstaat

  1. Relevante algemene CT-bepalingen EU-verdragen

In de EU-verdragen (EU-verdrag en EU-werkingsverdrag) zijn verschillende bepalingen relevant als het gaat om terrorismebestrijding. Drie terreinen zijn het meest relevant:

– Het Gemeenschappelijk Buitenlands en Veiligheidsbeleid (GBVB), waaronder het gemeenschappelijk buitenlands en defensiebeleid (hoofdstuk 2 van het EU-verdrag).

In het kader van het Gemeenschappelijk Buitenland en Defensiebeleid (art. 43 VEU) kan de Unie civiele en militaire middelen inzetten, ook met het oog op terrorismebestrijding. Tevens kan de EU sanctiewetgeving aannemen. In het kader van het GBVB wordt met eenparigheid van stemmen besloten.

– Ruimte van vrijheid, veiligheid en recht (titel V van het VWEU)

Hierbij valt te denken aan politiële en justitiële samenwerking in het kader van terrorismebestrijding, bijvoorbeeld via Europol. Ook relevant is art. 75 VWEU dat het Europees Parlement en de Raad de bevoegdheid geeft om bij gewone wetgevingsprocedure verordeningen aan te nemen die een kader stellen voor beheersmaatregelen met betrekking tot kapitaal- en betalingsverkeer. Verder kunnen, op basis van art. 83 VWEU, het EP en de Raad richtlijnen met minimumvoorschriften vaststellen betreffende de bepaling van strafbare feiten en sancties in verband met vormen van bijzonder zware criminaliteit met een grensoverschrijdende dimensie, inclusief terrorisme.

– Solidariteitsclausule (artikel 222 EU-VWEU).

Deze clausule bepaalt dat de EU en de lidstaten uit solidariteit gezamenlijk optreden indien een lidstaat getroffen wordt door een terroristische aanval, een natuurramp of een door de mens veroorzaakte ramp. Volgens verklaring 37 bij de Verdragen is het aan elke lidstaat om de meest geschike middelen te kiezen om aan zijn solidariteitsverplichting jegens een getroffen lidstaat te voldoen.

De EU mag enkel optreden indien zij daartoe een bevoegdheid heeft (artikel 5, lid 1 EU-verdrag). De bovenstaande gebieden van bevoegdheden van de EU vormen geen exclusieve bevoegdheid van de EU. Voor wat betreft de Ruimte van Vrijheid, Veiligheid en Recht (titel V VWEU) gaat het om gedeelde bevoegdheden, waarbij zowel de EU als de lidstaten bevoegd zijn op te treden. De lidstaten oefenen hun bevoegdheid uit voor zover de Unie haar bevoegdheid niet heeft uitgeoefend (artikel 2, lid 2 VWEU). In het geval van het GBVB blijven de lidstaten bevoegd zelfstandig maatregelen te nemen zolang die maatregelen maar niet in strijd komen met het GBVB-beleid van de Unie.

Tot slot wordt gewezen op artikel 4, lid 2 van het EU-verdrag. In deze bepaling is vastgelegd dat dat EU essentiële staatsfuncties eerbiedigt, waaronder de nationale veiligheid. Met name de nationale veiligheid blijft een uitsluitende verantwoordelijkheid van elke lidstaat. Dat laat echter onverlet dat de Unie bevoegd is om maatregelen te nemen, als in bovengenoemde gevallen, die raken aan de nationale veiligheid. Hoewel de lidstaten dus verantwoordelijk zijn en blijven voor de nationale veiligheid, kunnen maatregelen van de Unie op bijvoorbeeld het terrein van terrorismebestrijding, maar ook dataprotectie, nationale maatregelen begrenzen. Het is echter aan de lidstaat om op te treden en die veiligheid te waarborgen. In dit verband is van belang dat, zoals ook blijkt uit bovengenoemde bepalingen, de Unie grote waarde hecht aan nationale veiligheid.

  1. Mandaten

Bij de mandaten van de verschillende Europese organisaties, agentschappen of instellingen die op het terrein van terrorismebestrijding actief zijn, alsmede die van de Europese Contra Terrorisme Coördinator, geldt dat hun bevoegdheden beperkt zijn. De mandaten hebben een ondersteunend en faciliterend karakter. Hieronder behandel ik allereerst de EDEO (inclusief de EU CTC en INTCEN), en daarna de bevoegdheden van andere relevante EU-spelers en van de Financial Intelligence Unit.

  1. EEAS [Dutch: EDEO]

Article 27(3) of the Treaty on European Union (TEU; Dutch: VEU) is the legal basis for the European External Action Service (EEAS; Dutch: EDEO). In accordance with Art. 27(3) TEU, the organisation and functioning of the EEAS have been established by Council decision.1 As a functionally autonomous body, the EEAS falls under the authority of the High Representative of the European Union (HR) and serves to support the HR in carrying out his mandate for the Common Foreign and Security Policy (CFSP). The EEAS ensures coherent external action by the EU, as described in Articles 18 and 27 of the TEU. As regards counter-terrorism, the EEAS deals with the external dimension of CT in close cooperation with the member states in the Council working group COTER and other relevant EU institutions. It is the task of the EEAS to coordinate external CT cooperation, to ensure, together with the EU member states, capacity building in third countries, and to ensure coherence and efficiency. The general objectives of EU external policy in the field of CT are2:

  • Drawing up and, after approval by the Council, implementing specific EU CT regional strategies and action plans, such as: the Syria/Iraq CT/Foreign Fighters strategy, the EU-Pakistan CT/security strategy, the Sahel development and security strategy and the EU Horn of Africa/Yemen CT Action Plan;
  • EU capacity-building programmes in third countries to support CT efforts together with key partners and donors, and;
  • Multilateral CT coordination, in which the EEAS supports the implementation of relevant UN resolutions.
  1. EU CTC

The European Counter-Terrorism Coordinator (CTC), Mr Gilles de Kerchove d’Ousselghem, falls under the Council and is responsible for:

  • ensuring, within the Council structures, effective coordination and coherence of EU policy in the field of counter-terrorism, in particular by effectively promoting and timely implementing the EU counter-terrorism strategy;
  • strengthening cooperation and dialogue on counter-terrorism initiatives between the Council, the European Commission and the European Parliament, with due regard for the division of competences;
  • ensuring that third countries and international organisations take note of the high priority that the fight against terrorism has within the EU, and maintaining contacts to that end.

The CTC works within the General Secretariat of the Council and will coordinate the work of the Council and report to the Council regularly.

  1. INTCEN

The EU Intelligence Analysis Centre (INTCEN) was established by the European Council shortly after the 9/11 attacks as an organic part of the Council Secretariat. At that time it was named EU SITCEN (EU Situation Centre). Decision 2010/427/EU establishing the organisation and functioning of the European External Action Service (EEAS; Dutch: EDEO) is the legal basis for INTCEN. Article 4(3)(a), third indent, provides that EU SITCEN is part of the EEAS.

By internal decision of mid-March 2012, the name of EU SITCEN was changed to EU INTCEN. Recently, the EEAS management reversed the shedding of tasks that accompanied the transition from SITCEN to INTCEN. In addition to an analysis unit, mainly staffed by national experts from the member states, and an open source centre, a crisis room and a consular assistance unit will once again be part of INTCEN.3

  1. Europol

In Art. 88 of the Treaty on the Functioning of the European Union (TFEU; Dutch: VWEU), Europol is given the task of supporting and strengthening action by the police authorities and other law enforcement services of the member states, and their mutual cooperation, in preventing and combating organised crime, terrorism and other forms of serious crime affecting two or more member states. The mandate, powers and tasks of Europol are laid down in the Europol Council Decision.4

Europol supports member states by:

  • facilitating the exchange of information, in accordance with national law, between Europol Liaison Officers;
  • providing operational analyses in support of operations;
  • drawing up strategic reports (e.g. the EU Terrorism Situation and Trend Report, TE-SAT) and crime analyses on the basis of information and intelligence that Europol receives from member states and third countries, and;
  • providing expertise and technical support for investigations and operations of the member states within the EU.

Europol also supports the member states by promoting crime analysis and the harmonisation of investigative techniques in member states.

European Counter Terrorism Centre
The European Counter Terrorism Centre (ECTC) will be established within the existing organisational structure of Europol as of January 1st 2016. The ECTC falls within the existing mandate of Europol and is being established to support the activities of the EU member states in the fight against terrorism, without affecting the responsibility of the competent national authorities of the EU member states. The aim is to promote information exchange and maximum use of the existing instruments and systems, to tackle the financial activities of terrorists, and to monitor the internet in order to counter extremist information.

  • EU Internet Referral Unit

The EU Internet Referral Unit (EU IRU) will form part of the ECTC at Europol; it started as a pilot on July 1st 2015 and builds on the Check-the-Web initiative. The EU IRU follows from the joint statement of the informal European Council of February 12th 2015 and the decisions taken in the Justice and Home Affairs (JHA; Dutch: JBZ) Council of March 12-13th 2015 to give Europol a greater role in countering extremist information on the internet. This entails:

  • coordinating and sharing extremist information on the internet with the relevant partners;
  • carrying out and supporting the swift removal of this information from the internet in cooperation with industry, and;
  • supporting competent authorities through strategic and operational analyses.

The EU IRU falls within the mandate of Europol (Art. 3 and 4(1) of the Europol Council Decision). Art. 5(2) of the Europol Council Decision lays down that one of the tasks of Europol is to support the member states in collecting and analysing information on the internet in order to help detect criminal offences that were made possible by the internet or committed with the aid of the internet. Under Art. 25(4) of the Europol Council Decision, Europol is authorised, subject to the data protection provisions, to directly retrieve and process data, including personal data, from publicly available sources such as media and public data and commercial intelligence providers.

  • Working Group Dumas

This working group was established in 2014. Its aim is to map and resolve the problems and needs that member states have in relation to the issue of fighters (jihadist travellers) travelling to conflict zones. Europol facilitates the working groups (by means of meeting locations, funding travel expenses, supplying an adviser/moderator), but the working groups and sub-working groups are led by one or more member states (drivers, co-drivers), and the substantive work is also done by member states. The member states themselves must come up with a concrete problem, need, plan, solution or end product. Examples include improving information exchange and sharing best practices and experiences.

The working group is led by Italy and focuses on:

  • drawing up an alert list of jihadist travellers (co-driver Austria);
  • improving cooperation with third parties (co-drivers Hungary and Spain);
  • exchanging best practices (co-drivers France and the United Kingdom);
  • drawing up indicators to identify jihadist travellers (co-drivers Germany and Luxembourg), and;
  • improving the approach to persons who enable jihadist travel, so-called facilitators (drivers Spain and the United Kingdom).
  1. Eurojust

Art. 85 of the Treaty on the Functioning of the European Union (TFEU; Dutch: VWEU) sets out the task of Eurojust. It consists of supporting and strengthening coordination and cooperation between the national authorities charged with investigating and prosecuting serious crime that affects two or more member states or requires prosecution on a common basis, on the basis of operations carried out and information supplied by the authorities of the member states and Europol.

  1. Financial Intelligence Unit (FIU)

The Financial Intelligence Unit-Netherlands (FIU-Nederland) is part of the legal entity State of the Netherlands, but for management purposes it is placed with the police as an independent entity that operates autonomously and recognisably. In terms of policy it falls under the Ministry of Security and Justice (Article 12 Wwft).

The main task of the FIU is to further investigate unusual transactions and enrich them with additional information, in order to assess whether these transactions can be declared suspicious and can thus be shared with investigative and intelligence services (Article 13 Wwft).

On the basis of the Money Laundering and Terrorist Financing (Prevention) Act (Article 16 Wwft), the FIU is the sole and central reporting point to which various institutions with a reporting obligation must report unusual transactions.

The mission of the FIU is to use its financial intelligence to prevent and combat crime, especially money laundering and the financing of terrorism, with a view to safeguarding the integrity of the (Dutch) financial system.

Money laundering and the financing of terrorism can only be combated effectively through joint (inter)national efforts. The FIU therefore deliberately invests in maintaining and deepening international cooperation with partners, not only in the area of operational data exchange but also as regards the transfer and exchange of knowledge and experience.

To this end the FIU participates in international forums such as the Financial Action Task Force on money laundering (FATF), the Egmont Group, FIU.NET and the FIU Platform within the European Union. In addition, the FIU cooperates with foreign FIUs and investigative services on the basis of bilateral partnerships.

Finally, within the Kingdom, the FIU works closely with the Kingdom countries Curaçao, Aruba and Sint Maarten. Service providers established on the BES islands, known as the Caribbean Netherlands, must report unusual transactions to FIU-Nederland.

  1. FRONTEX

Frontex is the European agency tasked with supporting member states in the management of the external borders. The agency plays a crucial role in supporting member states that face a high influx of illegal migration via the external borders. This takes place mainly through the joint operations that are coordinated by Frontex and in which personnel and equipment of member states are deployed. In these joint operations the member states remain primarily responsible for border management. The role of Frontex in counter-terrorism is limited, since the agency mainly focuses on support for border management related to illegal migration. Frontex has, however, raised awareness among border guards in the field of (counter-)terrorism. The agency has also drawn on its expertise to contribute to the drafting of risk indicators that border authorities use to recognise terrorist travel movements.

  1. Atlas network

The Atlas network consists of special intervention units from European member states. The 2008 Council Decision5 provides for the possibility for these units to cooperate, for example through joint training and exercises (Art. 5).

Art. 3 provides for assistance by special intervention units to other member states in crisis situations, but only upon request (para. 1). This assistance may consist of making equipment or expertise available, or of carrying out actions, if necessary with the use of weapons (para. 2). The officers of these units act in a supporting capacity (para. 3) and under the responsibility, authority and direction of the requesting member state and in accordance with the law of the requesting member state (para. 3(a)). In addition, these officers are bound by the powers conferred on them by their national legislation (para. 3(b)).

This Council Decision was adopted to improve cooperation in crisis situations between the special intervention units of the member states of the European Union and contains general rules and conditions. As indicated to the Senate and the House of Representatives, the Council Decision only provides a general legal basis for requesting or providing assistance6, so that the Netherlands will have to make specific bilateral arrangements where the occasion arises.

  1. RAN-CoE

The Radicalisation Awareness Network (RAN) was established in 2011 by the European Commission as a network of first-line professionals (for the RAN charter, see the link below).7 The RAN is aimed at the prevention of radicalisation and violent extremism and now comprises more than 1500 first-line workers from 28 EU member states. RadarAdvies runs the RAN secretariat. In 2015, RadarAdvies won the tender for the successor to the RAN: the Radicalisation Awareness Network Centre of Excellence (RAN CoE). In addition to the network, the RAN CoE will do more in the way of policy advice and research guidance. Moreover, the RAN CoE will support third countries as well as EU member states.

The RAN CoE positions itself as a hub in connecting, developing and disseminating expertise in the field of prevention of radicalisation and violent extremism. This means promoting an inclusive dialogue between practitioners, policy makers and academics. By doing so the centre develops high-quality knowledge and expertise and thereby supports both the European Commission and the member states. Moreover, the RAN CoE assists in shaping the research agenda of the Commission, and maintains contact with preventive initiatives inside and outside the EU.

1 Council Decision 2010/427/EU, July 26th 2010.

2 http://eeas.europa.eu/fight-against-terrorism/index_en.htm

3 http://eeas.europa.eu/factsheets/docs/20150206_factsheet_eu_intcen_en.pdf

4 Council Decision 2009/371/JHA, April 6th 2009.

5 Council Decision 2008/617/JHA, June 23rd 2008.

6 Letter from the Ministers of Justice and of the Interior and Kingdom Relations (BZK) and the State Secretary of Justice to the presidents of the Senate and the House of Representatives of November 1st 2007, Parliamentary Papers 23 490, nr. 477/CD (under heading 9).

7 http://ec.europa.eu/dgs/home-affairs/what-we-do/networks/radicalisation_awareness_network/docs/ran_charter_en.pdf

EOF

[Dutch] Cabinet position on encryption: there it is

UPDATE 2016-01-20: State Secretary Dijkhoff said today during the general consultation (AO) on cybersecurity: “(…) I now come to the encryption position. It has been sent to the House. Most of the questions came down, in summary, to whether we really mean what it says. My answer is: yes, we really mean it. (…)” (source).

UPDATE 2016-01-04: and there it is: the cabinet position on encryption. TL;DR: “The cabinet is therefore of the opinion that it is currently not desirable to take restrictive legal measures concerning the development, availability and use of encryption within the Netherlands.”

UPDATE 2015-12-15: post by Bits of Freedom: Hoogwaardige encryptie essentieel voor vrijheid en economie [“High-grade encryption essential for freedom and economy”]

In the postponement letter of November 23rd about the promised submission of the cabinet position on encryption, Minister Van der Steur states that the aim is to send that position to the House of Representatives before the end of this year:

“On October 8th, during the general consultation (AO) on the Justice and Home Affairs (JHA; Dutch: JBZ) Council, I promised you a cabinet position on encryption. Completing this position turns out to require more time than the month I had anticipated. The complexity of the issue, the dilemmas, and the coordination this involves require careful treatment and weighing.

We aim to send you the cabinet position before the end of this year.

This will also fulfil the commitment made by the Minister of Economic Affairs during the general consultation on the Telecom Council on June 10th to produce a joint memorandum on the dilemmas surrounding encryption (Parliamentary Paper 21 501-33, nr. 552).”

The adoption of a cabinet position on encryption follows the subject being put on the agenda during the informal JHA Council in Riga on January 31st 2015, where EU Counter-Terrorism Coordinator Gilles de Kerchove brought it to the attention of member states. His exact words are here (.pdf) on p.10 under “f) Encryption/interception”:

Since the Snowden revelations, internet and telecommunications companies have started to use often de-centralized encryption which increasingly makes lawful interception by the relevant national authorities technically difficult or even impossible. The Commission should be invited to explore rules obliging internet and telecommunications companies operating in the EU to provide under certain conditions as set out in the relevant national laws and in full compliance with fundamental rights access of the relevant national authorities to communications (i.e. share encryption keys).

Although the annotated agenda (.pdf) for the Justice and Home Affairs (JHA; Dutch: JBZ) Council of October 8th & 9th 2015 did not refer to encryption, the accompanying letter did:

Following the report of the informal Justice and Home Affairs Council held on July 9th and 10th 2015, the standing committee on Security and Justice of your House asked to be informed further about what is meant by the problem of encryption mentioned in that report.

This concerns encryption of data, used and/or offered by industry, over the internet and in telecommunications. That encryption hampers the work of police and services in obtaining legitimate access to communications of terrorists. During the informal JHA Council in Riga on January 29th and 30th 2015, this problem was emphatically brought to the attention of the member states by the EU Counter-Terrorism Coordinator.

According to the report of the general consultation of October 7th 2015 between the standing committee on Security and Justice, the standing committee on European Affairs and Minister Van der Steur, Ms Berndsen-Jansen (D66) said the following about this:

(…) In an accompanying note to the annotated agenda, the minister writes that encryption of data, used and/or offered by industry, over the internet and in telecommunications hampers the work of police and services in obtaining legitimate access to communications of terrorists. That has caught the attention of my parliamentary group, because what does the minister actually mean to say here? Does he mean that all encryption must have a back door for police and the judiciary? Is that not a repeat of the discussion about the telecom data retention obligation? Furthermore, is it an explicit theme at the cybersecurity conference that the Netherlands will organise during its presidency?

Minister Van der Steur replied:

(…) encryption: is it part of the cyber conference or a spearhead during the Dutch presidency? The subject of encryption will not be on the agenda of the cyber conference and is not a spearhead of the cabinet or the presidency. After all, nationally we have not yet taken a position on encryption. It is clear, however, that organised crime and terrorists are increasingly using encryption. That is a current problem for the police and the intelligence and security services. We will have the debate on this shortly, but no cabinet position on it has been formulated yet.

We look forward with interest to the position of the Dutch cabinet, keeping in mind:

  1. the draft bill for the Wiv20xx, in which, among other things, the scope of existing decryption obligations is extended to (yet to be determined) “providers of a communication service” (internet providers, hosting/cloud providers, etc.), and:
  2. the yet-to-be-published draft bill for the cybercrime act [Dutch: “wet bestrijding cybercrime”], with a decryption obligation for persons suspected of a criminal offence for which pre-trial detention is possible (roughly: offences carrying a 4-year prison sentence)
  3. developments concerning European privacy legislation (in which the JHA Council is involved, incidentally).

On December 9th 2015 a general consultation of the standing committee on Security and Justice will take place on counter-terrorism. Reading tip for the meantime: Who’s right on crypto: An American prosecutor or a Lebanese coder? (el Reg, November 24th 2015).

EOF

Summary of Cyber Security Assessment Netherlands 2015 (CSAN-2015, aka CSBN-5)

On October 14th 2014, the Dutch government published (in Dutch) the fifth edition of the “Cyber Security Assessment Netherlands” trend report, aka “CSAN-2015” (in Dutch: “CSBN-5”). Its aim is “to offer insight into developments, interests, threats and resilience in the field of cyber security over the period from April 2014 to April 2015”. The publication was established using information from the following sources:

  • The various ministries
  • Military Intelligence and Security Service (MIVD)
  • Defence Computer Emergency Response Team (DefCERT)
  • General Intelligence and Security Service (AIVD)
  • National High Tech Crime Unit, Dutch National Police
  • Public Prosecution Service
  • Representatives of the critical infrastructure sectors and NCSC partner organisations
  • National Coordinator for Security and Counterterrorism (NCTV)
  • National Management Organisation for Internet Providers (NBIP)
  • Internet Standards Platform (Dutch: “Platform Internetstandaarden”)
  • Bits of Freedom
  • ICT Netherlands
  • Dutch Payments Association
  • Confederation of Netherlands Industry and Employers (VNO-NCW)
  • Scientific institutions
  • Universities
  • Experts in the field of cyber security

On November 17th, the government published an English translation. Here is the updated threat matrix table:

[Image: CSAN-2015 threat matrix]

And here is the summary (~2300 words):

Summary

The Cyber Security Assessment Netherlands (CSAN) is published annually by the National Cyber Security Centre and drawn up in close collaboration between public and private parties. The aim is to offer insight into developments, interests, threats and resilience in the field of cyber security over the period from April 2014 to April 2015.

The focus of the CSAN lies on the developments in the Netherlands, but important developments abroad have also been included. The CSAN is a factual description, with guidance based on insights and expertise from government departments, critical infrastructure sectors and the academic community. For this CSAN, the NCSC has renewed its collaboration with a large number of parties, both public parties (e.g. the police, intelligence and security services and the Public Prosecution Service), academic institutions and private parties (such as the critical infrastructure sectors).

Over the past few years, more attention has been paid to the dependence on IT. Countries attach increasing importance to the internet and IT becomes indispensable. More and more insight is gained into the number of incidents, which also allows for more targeted measures being taken to increase cyber security, for larger and smaller organisations. Phishing and cryptoware, however, continue to pose a threat to the Netherlands as a whole.

Core findings

Cryptoware and other ransomware constitute the preferred business model for cyber criminals

Criminals use cryptoware (ransomware) increasingly often in order to achieve their goals. Unlike other common malware, such as Remote Access Tools (RATs), criminals use cryptoware to block access to data using encryption. The willingness of people and organisations to pay the criminals results in high average proceeds per target for criminals. That is why they can make relatively large investments per infection. More advanced forms, for example aimed at web applications, have also been identified. The popularity of the use of ransomware and, in particular, cryptoware will further increase in the next few years.

Geopolitical tensions manifest themselves increasingly often in (impending) digital security breaches

States and other actors that seem to act in line with the interests of these states increasingly use digital attacks and cyber operations. The aim is to represent their interests and to influence geopolitical relations or developments. Digital attacks are an attractive alternative and addition to conventional military and espionage means. Their scope and impact are large and the costs and risks are low. In the past year, conflicts, attacks or political issues were often the reason for digital attacks. It is often difficult to trace back the actor who carried out the actual attack, and to determine the extent to which a state actor played a leading role in the attack.

Phishing is often used in targeted attacks and can barely be recognised by users

Phishing (‘fishing’ for login and other user data) plays a key role in carrying out targeted digital attacks. Users are hardly able to recognise phishing e-mails in targeted attacks. A successful phishing campaign gives attackers access to internal networks of organisations and the information stored on these networks. Means to make authentic e-mail recognisable as such (e.g. digital signatures, Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC)) are only used in practice to a limited extent. This ensures that phishing continues to be a low-threshold and effective method of attack for attackers.10

Availability becomes more important as alternatives to IT systems are disappearing

Important social processes come to a standstill if the corresponding IT systems and analogue alternatives are unavailable. The phasing out of analogue alternatives to IT systems therefore makes the availability of these systems even more important. This is especially true if these IT systems support important social processes such as transport, financial transactions or energy supply. The measures that banks have taken against DDoS attacks show that it is possible to take effective measures in order to increase availability of digital facilities. However, organisations often wait to take such measures until IT systems have already experienced availability problems.

Vulnerabilities in software are still the Achilles heel of digital security

Software is a crucial part of our digital infrastructure, because software opens up the possibilities of hardware and the ever growing amount of data. Software suppliers in 2014 again released thousands of updates in order to repair vulnerabilities in their software. Organisations sometimes do not install updates due to the obstacles they encounter when installing them. As long as the updates have not been installed, parts of their network will continue to be vulnerable. Such vulnerabilities allow actors penetrating networks via phishing or zero-day

Key questions

The key questions of this CSAN 2015 are:

  1. What events or what activities by which actors could affect IT interests, what tools do they use and what are the developments in this respect? (threats)
  2. To what extent is the Netherlands resilient to vulnerabilities in IT, could these lead to an impact on IT interests and what are the developments in this respect? (resilience)
  3. Which Dutch interests are being adversely affected and to what degree, by restrictions of the availability and reliability of IT, breach of the confidentiality of information stored in IT or damage to the integrity of that information, and what are the developments in this respect? (interests)

Insight into threats and actors

Table 1 provides insight into the threats that the various actors have posed over the period between April 2014 and April 2015 to the targeted ‘governments’, ‘private organisations’ and ‘citizens’.

Criminal organisations and state actors continue to pose a threat to these three target categories. This threat has become more specific. For most organisations, the manifestations of less advanced actors form a smaller part of the total than before. In some cases, the red colour conceals that a high threat level can increase as well. The paragraphs on criminals and state actors in Chapter 2 discuss this in more detail.

Manifestations

Growth in number of incidents with ransomware and cryptoware continues

The rise of ransomware and cryptoware in 2013 continued in 2014 and 2015, also in the Netherlands. Ransomware and cryptoware is malware that holds IT systems ‘hostage’ by making them unavailable and demands a ransom. Cryptoware also encrypts the data that is stored. Various cryptoware variants caused many incidents over the past period. Infections were caused by, for example, Cryptolocker, CryptoFortress, Cryptowall and CTB locker. In the Netherlands, organisations are often affected by such infections.

DDoS attacks continue to take place, but measures prevent disruptions more often

DDoS attacks remain a concern in the Netherlands. After the wave of DDoS attacks in early 2013, service providers have invested in measures to prevent these attacks. Frequent and serious DDoS attacks on websites of governments and private organisations are still being detected. The origin of the problems is therefore still in place. As a result of the increased attention to anti-DDoS measures, however, services are often not disrupted.

Espionage attacks, which become more and more frequent, start with spearphishing

In the past year, the Netherlands was dealing much more often with digital espionage attacks that posed a threat to national security and economic interests. Research conducted by the AIVD and MIVD showed that, in 2014, Dutch government institutions were often the target of advanced digital espionage attacks. Most of these attacks were carried out using spearphishing e-mails containing attachments infected with malware or links to malware websites.

Threats: actors

The biggest threat continues to be posed by professional criminals and state actors

The digital skills of criminals continue to develop. Last year saw, for example, several digital attacks by criminals which were notable for their good organisation, accurate implementation and technical sophistication. Moreover, more countries carry out digital attacks on or via the infrastructure of Dutch organisations. The biggest digital espionage threat is posed by foreign intelligence services.

Terrorists do not yet pose a serious threat, but their capabilities are, however, growing

Although the potential of terrorist actors in the digital field is growing, they do not yet pose a serious threat due to their limited technical capabilities. There are no indications of a specific threat against the Netherlands. In the context of digital attacks carried out by terrorists, the biggest threat is currently posed by jihadism. So far, digital attacks with jihadist motives in the Netherlands were limited to small-scale attacks that required little knowledge and manpower.

Conflicts, attacks and incidents provide a context for digital attacks

Various actors use national and international conflicts, attacks and incidents as a reason to carry out digital attacks. In the past year, for example, many digital attacks and cyber operations were observed which can be placed in a geopolitical context, such as the malware attacks related to the conflict in the Ukraine. It is often very difficult to link these attacks to parties. Both state actors and activist hackers with patriotic motives have the intentions and tools to carry out these attacks.

Threats: Tools

Dissemination of cryptoware is a lucrative criminal activity

The proceeds generated by criminals using cryptoware are high. Approximately 10 percent of Dutch reporting parties say they have paid criminals in order to regain access to files. The proceeds probably amount to several hundreds of euros per person per payment. The relevant criminals do their best to expand their market by looking for other means to infect (such as SD cards, USB sticks and network sources) and by using other encryption methods (for example by corrupting systems over a long period).

Phishing, or spearphishing in particular, is the most frequently used tool for targeted attacks

The parties who carried out various targeted attacks that were discovered in the past period often succeeded in their efforts by making use of spearphishing, with a phishing e-mail being sent to one person or a limited group of persons. Apart from spearphishing, actors also still use classic phishing as a tool. The Netherlands is a particularly popular target for phishers. This may have to do with the relatively good economic situation and the strong euro.

Malvertising continues to pose a danger to internet users

Advertisements have been incorporated in many websites, some of which have a high number of visitors. One malicious ad may therefore have a large impact in a short period of time. If a user opens a website that contains a malicious ad, this will often result in all kinds of vulnerabilities in the user’s system being exploited fully automatically, that is, without any further user interaction. Nowadays, cyber criminals also abuse advertisement networks to attack specific user groups. They use on-line advertising auctions to this end.

Resilience: vulnerabilities

Publicity campaigns for vulnerabilities make prioritising more difficult

The past reporting period saw much more publicity regarding technical vulnerabilities. Various sectors have reported that these publicity campaigns involve a risk: due to the great deal of attention that is paid to individual vulnerabilities, the issues of the day may divert attention from structural solutions. In that case, management will not always make decisions based on the correct information and will receive the impression that security officers are insufficiently prepared.

Raising awareness alone will not help prevent phishing

The quality of phishing texts has become even better. Individual users can hardly be blamed for falling victim to them. Technical measures to prevent phishing are, however, still used only to a limited extent. For example, less than 10 percent of government domain names are protected against phishing attacks using the open standards DKIM, SPF and DMARC.
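The SPF and DMARC side of such a measurement can be scripted; the sketch below is an added example (not part of the original text) that classifies published TXT records and computes the share of protected domains. The domain names and records are constructed, the "protected" criterion is this example's own assumption, and DKIM is left out because its selectors cannot be derived from the domain name alone.

```python
# Constructed TXT records for illustration only (reserved .test names, not real data).
SAMPLE_TXT = {
    "example-ministry.test": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.example-ministry.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-ministry.test"],
    "example-city.test": ["v=spf1 include:_spf.example-host.test ~all"],
    "_dmarc.example-city.test": ["v=DMARC1; p=none"],
    "example-agency.test": ["v=spf1 +all", "some-site-verification=abc123"],
    "example-province.test": [],
}

def spf_status(records):
    """Classify SPF posture: missing, invalid, permissive or restrictive."""
    spf = [r.lower().split() for r in records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid"  # RFC 7208: more than one SPF record is a permanent error
    # Mechanisms are evaluated left to right, so the first "all" sets the default.
    for term in spf[0][1:]:
        if term.lstrip("+-~?") == "all":
            return "restrictive" if term[0] in "-~" else "permissive"
    return "permissive"  # no "all" (redirect= is not followed here): treated as weak

def dmarc_policy(records):
    """Return the p= tag of the domain's single DMARC record, or None."""
    found = []
    for r in records:
        parts = (p.partition("=") for p in r.split(";"))
        tags = {k.strip().lower(): v.strip().lower() for k, _, v in parts}
        if tags.get("v") == "dmarc1":
            found.append(tags)
    return found[0].get("p") if len(found) == 1 else None

def assess(domain, txt=SAMPLE_TXT):
    spf = spf_status(txt.get(domain, []))
    policy = dmarc_policy(txt.get("_dmarc." + domain, []))
    # Assumption of this example: "protected" means restrictive SPF plus an
    # enforcing DMARC policy; p=none only collects reports and blocks nothing.
    return {"spf": spf, "dmarc": policy,
            "protected": spf == "restrictive" and policy in ("quarantine", "reject")}

def share_protected(txt=SAMPLE_TXT):
    domains = [d for d in txt if not d.startswith("_dmarc.")]
    return sum(assess(d, txt)["protected"] for d in domains) / len(domains)

if __name__ == "__main__":
    print(f"protected share: {share_protected():.0%}")
```

To run it against live domains, replace `SAMPLE_TXT` with TXT answers fetched by a DNS resolver of your choice, keyed the same way.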

Resilience: measures

Security of open source software comes at a price

The Heartbleed vulnerability showed that open source software is not automatically safer, even if it is used frequently. The publicity surrounding this bug resulted in large internet companies joining forces in April 2014 in the Core Infrastructure Initiative. The initiative invests in the open source basic infrastructure of the internet and improves the basic security of the internet. However, it currently only covers a small part of the open source projects responsible for the infrastructure of the internet. This kind of financing is not available for other projects.

Recruitment in cyber security: many vacancies, few people

The labour market for cyber security professionals has, for some time now, been characterised by a large difference between the supply of and demand for (technical) cyber security professionals. The number of vacancies is increasing; the government has also actively recruited staff members in this area over the past period. Organisations often experience difficulties in filling job vacancies. This applies to technical cyber security positions in particular.

Detection capacity is essential for the discovery of advanced attacks

Advanced attacks, so-called Advanced Persistent Threats (APTs), are difficult to detect. These attacks, aimed at organisations in various sectors, often circumvent existing security measures. It often takes months or years before the attacks are discovered, so the extent and impact of the damage for the organisations affected may be serious. Although an increasing number of organisations have special software to protect them against APTs, it appears that the prevention of such attacks is mostly unexplored territory for many organisations.

Interests

New areas of application result in vulnerabilities and debate

More IT is installed in cars, aircraft and other means of conveyance. This requires attention to the security of this IT, since a security problem in an entertainment system should not affect the operation of the vehicle. A lack of security may, in such a case, even have fatal consequences. Such risks may also arise if the software used contains bugs, a licence expires or a network service is no longer available. Security often has no priority in the development of such new applications.

Interests of critical infrastructure are large but stable

The interests protected by the critical infrastructure remain large but show little change. Consultations with representatives of organisations in those sectors have made this evident. Although the security of information and systems each time creates new challenges, the underlying motivations for security have hardly changed.

Alternatives to IT systems are disappearing

If IT systems that support social processes are not available, it is, in a growing number of cases, no longer possible to rely on analogue alternatives. The availability of these IT systems thus becomes more important: failure is not an option. At the same time, the underlying technology is more complex than with analogue systems. Moreover, these systems can be attacked more easily if they can be accessed via the internet.

EOF