UPDATE 2012-09-05: R.V. sent me a link to this Pastebin (mirror) dated August 15th 2011 that basically states that the botnet is expected to be completed in 3.5 months (December 2011) and would be sold to 12 buyers worldwide. If sold at $8000 each, that would sum to $96000. Of course, this Pastebin could have been copied by a scammer who then put it on the deep web, (ab)using the leverage of some internet trail that makes the scam more credible. I’d love to receive more information about this. You can contact me via e-mail: koot at uva dot nl, and via Twitter: @mrkoot.

UPDATE 2012-09-03: this post caught more attention than I bargained for. Let me emphasize that the offer is IMHO probably a scam/hoax. There are a lot of vaguely used buzzwords and some claims are simply very unlikely to be true. For example, the claim that the bot is coded in assembly and has `no dependencies’ is AFAIK practically irreconcilable with the rich feature set that is claimed and that, as I interpreted it, includes some form of interoperability w/Tor and I2P. Then again, I am confident that magician-grade engineers exist that are able to create something that more or less approximates this offer. But even if the offer is a scam/hoax, it has its merits: it inspires the reader to think about behavior/features that might be observed in future malware. Which of these features are technically feasible? Which practical uses could they have? The buzzwords “GPS” and “VoIP” caught my attention. What are today’s possibilities and uses for creating malware that spreads to mobile devices and (only) runs when the device is at a certain location or, for that matter, is triggered by certain NFC/RFID communication with, say, passport/eID/driverslicense chips? Also, while I have no idea what the author meant with `VoIP logic bomb’, it *is* known that VoIP may be used as covert channel — see e.g. Covert Channels in SIP for VoIP signalling (.pdf) — and could as such be used to deliver payloads to a bot. 

====== START OF ORIGINAL BLOGPOST OF 2012-09-02 ======

The botnet offering cited below from the deep web describes many interesting technical characteristics. You need $8000 and three IP addresses you are able to use as C&C, and get a personalized copy of the bot that has a hardcoded/obfuscated max of 10k zombies. The offer has been around since July 22nd 2012, possibly earlier. If the offer is real, it sure is a feature-rich piece of crimeware. I stripped the contact name, Bitcoin # and e-mail address (I’m sure you’ll be able to find it elsewhere).

[REDACTED] botnet for sale

Run on windows clients – I need 3 C&C server IP addresses to hardcode and obfuscate 

bot coded in assembly no dependencies
Each build has maximum of 10k bots to ovoid widespread av detection.
Basic bot uses socks5.
built in ssh client
(fast-flux)
Bot is built with 30k pre generated 256 bit AES keys.
1 256 bit AES key for logs
1 256 bit AES key ssh
1 256 bit AES key socks 5
hwid it selects a pre-generated key 256 bit AES key.
Bot writes encrypted data into common file using stenography process injection
Download/Upload Socks5
Bot sends data to a collector bot via socks5 through ipv6 which makes NAT traversal a trivial matter.
Using ipv6 in ipv4 tunnel.


Collector bot assembly /tor and i2p Plug-ins C++ /Assuming 10k bots
Bots will be assigned into small groups of 25. And are assigned 400 collectors bots which is evenly 200 tor and 200 i2p.
Collector packages the encrypted logs and imports them into a .zip or rar archive and uses sftp to upload through tor to a bullet proof server Note the Ukraine is best know.

(Domain-flux .onion panel can be easily moved)
Using a Ubuntu Server on bullet proof server.  / Using tor and Privoxy. Panel can be routed through multiple cracked computers using proxychains and ssh.  / Server uses a simple .onion panel with php5 and apache2 and mysql. You might ask what happens if bullet proof server is down. The collector bots can be loaded with 5 .onion panels. If panel fails for 24 hours its removed from all Collectors and bot will go to the next one and so forth. A python Daemon runs and unzip the data and Imports it into a mysql database were it remains encrypted.

The bot master uses my Dark Umbrella.net panel to connect to the remote Bullet Proof server through a vpn and then through tor using ssh to run remote commands on server and sftp to upload and download. Running tor through a log less vpn through with a trusted exit node on the tor network. .net panel connects to mysql database database is decrypted on .NET panel (Note must real Bullet Proof hosting is not trust worthy this solves that issue) and imported into a local .mdb database. Then later the bot Master should encrypt database folder on true crypt. Commands are sent to bots individually rather then corporately like most bot nets. This allows for greater anonymity It will be possible to send commands corporately but strongly discouraged. Collector bots download and upload large files through i2p.

1.Connects remotely to rpc daemon through backconect and simplifying metasploit (Working)
2.Social network cracker. (Beta)
3.Statics. (Working)
4.Anonymity status. (Working)
5.Decrypt-er. Decryption codes in highly obfuscated.net limiting each build to 10k bots. (Working)
6.Daemon status (Working)
7.logs (Working)
8.Metasploit connects via rpc. (working)
9. GPS tracked Assets by Google maps and using net-book with a high powered external usb wifi attenas.
Starts an automatic attack if wep if wpa2 grabes handshake. If open starts basic arp spoofing attack. Common browser exploits. (alpha)
10.Teensy spread. (in development)
11.vnc back connect. (working)
12. Advanced Persistent threat. Fake Firefox, Fake Internet Explorer, Fake Chrome. Fake Windows Security Essentials. (in development allows for excellent custom Bot-master defined keyloging)
13. Dark search bot index file is downloaded allowing easy searching of hard drives. (Working)
14. voip logic bomb. bot computer is sent via a voip call file once played through voip the microphone hears mp3 file and the dormant payload is activated in bot that is the logic bomb. (Extra- Alpha)
Each Panel is hwid
1 unique build per Copy embedded into panel.

Everything is provided in English only manuals for setup: you need 3 servers for C&C and // one- BULLET proof server collector for -/ everything is working and can be setup within hours: Only serious players –  for sale $8000 -bitcoin – [REDACTED]

[REDACTED]

EOF

Reverse Deception: Organized Cyber Threat Counter-Exploitation (July 2012) was written by Sean Bodmer (@spydurw3b), Max Kilger (@digitalprofiler), Gregory Carpenter and Jade Jones. All authors either are or have been associated with the U.S. DoD and have knowledge & experience from (varying) military contexts. Below are the notes I took while reading this book. Unless mentioned otherwise, hyperlinks are mine.

I was happy to see that the authors start off by referencing Joint Publication 3-13.4 Military Deception (.pdf, 2006) and Fundamental Elements of the Counterintelligence Discipline (.pdf, 2006), the latter being a study by (or on behalf of) the U.S. Office of the National Counterintelligence Executive (NCIX). The book at times follows a structure in the form of: “cite from military/CI literature, then explain how it applies to the cyber realm”. Although not every item from non-cyber literature can be mapped to cyber in an obvious way, this text structure inspires readers to dream up possible mappings themselves. The authors reference a lot of stuff from military context that I was previously unaware of, such as the Soviet concept of Reflexive Control (.pdf, 6MB) by Vladimir and Victorina Lefebvre.

Deception is explained by and large in terms of manipulating the behavior of another to the benefit of oneself without the permission of the other. It is stated that the intent of deception is “to get the adversary to act confidently and predictably”.

Below are my notes for each chapter.

CHAPTER 1: STATE OF THE ADVANCED CYBER THREAT
On p.4, a list of criteria is provided that “should be identified as quickly as possible in order to discern between a Persistent Threat and an Advanced Persistent Threat” (these criteria are referenced throughout the book):

• Objectives
• Timeliness
• Resources
• Risk tolerance (by the adversary)
• Skills and methods
• Actions
• Attack origination points
• Numbers involved in the attack
• Knowledge source

Next, the authors map these criteria onto Moonlight Maze, Stakkato, Titan Rain, Stormworm, GhostNet, Byzantine Hades aka Foothold aka Candor aka Raptor, Operation Aurora, Stuxnet, RBN, “next generation of botnets and operators” (weird item in this list) and Operation Payback.

CHAPTER 2: WHAT IS DECEPTION
On p.25, the six principles of (military) deception are cited from JP 3-13.4:

1. Focus: The deception must target the adversary decision maker capable of taking the desired action(s);
2. Objective: The deception must cause an adversary to take (or not to take) specific actions, not just believe certain things;
3. Centralized planning: MILDEC operations should be centrally planned and directed in order to achieve unity of effort;
4. Security: Friendly forces must deny knowledge of a force’s intent to deceive and the execution of that intent to adversaries;
5. Timeliness: A deception operation requires careful timing and action;
6. Integration: Fully integrate each military deception with the operation that it is supporting.

These principles are then explained in detail.

From p.40, the authors list and explain ten deception maxims that are used by the military:

1. Magruder’s Principle (exploitation of adversary’s perception or bias)
2. Limitations to Human Information Processing
3. Multiple Forms of Surprise; following the SALUTE maxim from reconnaissance reporting:
   1. Size
   2. Activity
   3. Location
   4. Unit/Uniform
   5. Time
   6. Equipment
4. Jones’ Dilemma (i.e.: deception becomes more difficult as the number of channels of information available to the target increases. However, within limits, the greater the number of controlled channels the greater the likelihood the deception will be believed)
5. Choice of Types of Deception
6. Husbanding of Deception Assets
7. Sequencing Rule (i.e., deception activities should be sequenced so as to maximize the portrayal of the deception story for as long as possible)
8. Importance of Feedback
9. Beware of Possible Unwanted Reactions
10. Care in the Design of Planned Placement of Deceptive Material

CHAPTER 3: CYBER COUNTERINTELLIGENCE
This chapter begins by explaining the 19 items that aforementioned study by NCIX on counterintelligence (CI) identified as skills every CI-professional should have:

1. Knowledge of National CI Structure and Agency Missions
2. Knowledge of Interagency Memoranda of Understanding and Procedure
3. Knowledge of Foreign Intelligence Service or Terrorist Group Culture and Tradecraft (which the authors chose to explain by merely including the know-your-enemy quote from Sun Tzu)
4. Basic Investigative and Operational Techniques and Tools (authors reference the US-DoJ report Investigative Uses of Technology: Devices, Tools, and Techniques (.pdf, Oct 2007)
5. Asset Development and Handling (Including Difference Between Liaison and Clandestine Sources)
6. Asset Validation
7. Liaison
8. Interviewing and Debriefing Techniques
9. Surveillance and Countersurveillance
10. Principles of Collection and Analysis
11. Research and Technology Protection
12. Operational Cycle for Double Agent Operations (who, what, when, where, why, how)
13. OPSEC
    • Identification of critical information
    • Analysis of threats (Insider threats, Extremists, Foreign Intelligence Services, Terrorist groups foreign/domestic, Hackers/crackers, Organized crime groups, Criminals)
    • Analysis of Vulnerabilities
    • Assessment of Risk
    • Application of OPSEC measures
14. Legal Aspects of Investigations, Including Executive Order 12333, the Attorney General Guidelines, and the Foreign Intelligence Surveillance Act
15. Joint and Interagency Operations
16. Listening, Communication, and Writing Skills
17. Knowledge of CI Terminology
18. Reporting Procedures and Methods
19. Classification and Dissemination Rules

The authors proceed by elaborating on the nine criteria for distinguishing between PT and APT. For every criterion except “Resources” and “Knowledge source”, the authors propose that it can be assigned an escalating threat level between 1 and 10. Examples are provided of how/what event to map to which threat level. I’m not confident that such mappings will work in practice, and the provided mappings are not very convincing — but I’m willing to try. Imperfect (and probably rather subjective) quantification may help “sizing up” a threat. For the “Resources” and “Knowledge source” criteria, the authors suggest qualitative explanations.

Interesting reference in the conclusion: http://www.cyberlawclinic.org/casestudy.asp

CHAPTER 4: PROFILING FUNDAMENTALS
This chapter refers to research done on the profiling of cyber adversaries, notably:

• Kilger, Stutzman and Arkin, (2004) “Profiling.” In The Honeynet Project Know Your Enemy. Addison Wesley Professional (pp. 505-556)
• Holt and Kilger (2008), “Techcrafters and Makecrafters: A Comparison of Two Populations of Hackers” ($), 2008 WOMBAT Workshop On Information Security Threats Data Collection and Sharing (pp.67-78). Amsterdam
• Chiesa and Ducci (2009), “Profiling Hackers: The Science of Criminal Profiling Applied to the World of Hacking” (Amazon). Boca Raton: Auerbach Publishing.
• Parker, Shaw, Stroz, Devost and Sachs (2004), “Cyber Adversary Characterization: Auditing the Hacker Mind” (.pdf). Rockland, MA: Syngress.
• Bongardt (2010), “An introduction to the behavioral profiling of computer network intrusions” (.html), Forensic Examiner.

Profiling is then dissected into Retrospective vs Prospective Profiling, and Inductive vs Deductive profiling.

The following Information Vectors are discussed: time, geolocation, skill, motivation, weapons and tactics, and finally socially meaningful communications and connections. The latter is illustrated w/a social network plot of Russian hacking gangs.

The chapter contains an excellent list of references at the end.

CHAPTER 5: ACTIONABLE LEGAL KNOWLEDGE FOR THE SECURITY PROFESSIONAL
Short (15 page) chapter that references various online sources for court cases (Fastcase.com, FindLaw.com, Justia.com, Google Scholar, Nolo.com), explains a few legal concepts (Annotated codes, Bill, Bill number, Chapter, Chaptered, Citation, Code, Engrossed, Enrolled, Legislative history, Session Laws, Statutory scheme, and Title) and provides concise information on how to interprete a statute (law) and how to communicate w/lawyers.

CHAPTER 6: THREAT (ATTACKER) TRADECRAFT
Interesting collection of very recent (May 2012) information pertaining to cybercrime, including screenshots taken from underground fora and exploit kit control panels, list of recent exploit kits. list of vulnerabilities observed in recent exploit kits. Also contains a proper level of detail on the underground economy (leasing/subleasing models for pwned access, prices, etc).

CHAPTER 7: OPERATIONAL DECEPTION
Four detective-style “tall tales” about operational deception that the authors state to have taken from real life (pseudonomized), each compelling (to me anyway) and containing a proper level of detail (also but not primarily technical).

CHAPTER 8: TOOLS AND TACTICS
Good discussions on honeypots/nets/walls, including sme (101–level) honeynet architecture (centralized, distributed, federated, confederated). Also contains concise overview of tools such as Metasploit, IDA Pro, Encase, THC Hydra, FOCA and Backtrack. (Obviously, if you are seeking to learn how to -use- these tools, you want to RTFM. This book has a different focus.)

CHAPTER 9: ATTACK CHARACTERIZATION TECHNIQUES
Comprehensive analysis of (only) SpyEye (Zeus-like) trojan w/many screenshots, statistics and graphs (SpyEye by country, # of SpyEye hosts by ASN. List of ASN names + country codes of ASNs highest in use by botnet operators.

CHAPTER 10: ATTACK ATTRIBUTION
Excellent chapter on profiling. Mentions research on “sentiment-identification engines” (e.g. Saplo Sentiment Analysis, Alchemy Sentiment Analysis) and “WarmTouch” (anyone know a URL for that?) to assess the level of threat posed by a specific insider (Shaw and Stroz,2004), and that “the automation of the analysis of socially meaningful objects is still in its very early stages”.

The subchapter “Profiling Vectors” elaborates upon the vectors discussed earlier in chapter 4. It slightly overlaps / repeats statements from chapter 4 and uses slightly different words to refer to the same concepts:

• Chapter 4: time, geolocation, skill, motivation, weapons and tactics, and finally socially meaningful communications and connections
• Chapter 10: time, motivations (MEECES: Money, Ego, Entrance to Social Group, Cause, Entertainment, Status), Social Networks, Skill Level

Next, strategic applications of profiling are discussed.

The final part of the chapter focuses on “the civilian cyber warrior”, “an emerging archetype that appears to have the potential to become a very serious threat withn the cyber threat matrix”. The authors state that the power relation between the nation-state and the individual is changing to the benefit of the latter; it is pointed out that this might also hold for Chinese criminal hacking gangs vs the Chinese govt. (Be reminded that not every Chinese hacker is in cahoots w/the Chinese govt.)

This chapter has another good list of references at the end.

CHAPTER 11: THE VALUE OF APTS
This chapter discusses the economic value of APTs. It refers to Value Network Analysis (VNA). Such analysis is then (informally) applied to the RSA hack of 2011 and to Operation Aurora. For the latter, it is suggested that from the perspective of the adversary, “it’s as if they were following a typical business plan”:

• Step 1: Obtain a Financial Stream (Victim: Morgen Stanley)
• Step 2: Customer Lock-in for Recurring Revenue (Victim: Symantec)
• Step 3: Expand into New Markets (Victim: Juniper Networks)
• Step 4: Diversify Commercial Offerings (Victim: Canadian Dow Chemical)
• Step 5: Reduce Infrastructure Costs (Victim: Rackspace)
• Step 6: Repeat Steps 3-5 (Victims: Adobe and Northrop Grumman)

The final part of the chapter discusses the topic of stealing Bitcoins, using a fictional scenario of an application used by migrant workers to “easily send money to their family or anyone else in their social network”.

CHAPTER 12: WHEN AND WHEN NOT TO ACT
Common sense suggestions for deciding whether, once a threat has been identified, to block or to monitor it, and how to communicate within your organization and w/law enforcement.

CHAPTER 13: IMPLEMENTATION AND VALIDATION
Deming-style management cycle explained: Observe-Orient-Decide-Act. Discusses how to ‘vet’ deceptions, perceptual consistency and engagements.

SpyEye trojan is extensively revisited w/many additional screenshots and explanations of features.

At the end it is mentioned that “[t]o date, honeypots have been widely distributed only by a handful of private organizations and vendors. There are small groups within international governments, like the United States, United Kingdom,China, and the United Arab Emirates, who have a national-level based honeygrid (…).”

(MY) CONCLUSION
If you want to learn / be inspired to think about deception/MILDEC as means of counterintelligence (CI) in cyberspace, I recommend this book. If you already work in CI, you may find it useful to evaluate your existing beliefs. The book will not provide a ready-to-implement deception strategy, but does provide plenty (and good) information and references that will get you started. As always, RTFM; in this case the Joint Publications and referenced research.

Minor editorial comments: the pie chart on p.5 needs better explanation (what am I looking at?). On p.11 it is stated: “The method is in use today, and has been defined as phishing, spear phishing, and whaling”; the “NOTE”-box on that page then only defines “spear phishing” and leaves out “whaling”, while the latter is a far less well-known term. The book contains overly repetitive quotes (Sun Tzu ad nauseam) and, as if the authors ran out of serious sources for quotes, a quote from Men in Black and a quote from Ghostbusters. On p.64, a little bit of text was written from the “I”-perspective, but it is not clear which of the four authors wrote that text and hence unclear who “I” refers to. These are, however, nitty gritty unimportant details that are -completely- trumped by book’s overall merits.

Related links:

• 2014-xx-xx:  “The Devil Does Not Exist: The Role of Deception in Cyber” (video of Black Hat 2014 USA talk by red teaming expert Mark Mateski; Twitter: @redteamjournal)
• 2002-xx-xx: The Moral Limits of Military Deception ($, academic paper, John Mark Mattox)

EOF

UPDATE 2018-11-15: the Dutch Defense Cyber Strategy of 2015 has been revised .

UPDATE 2015-02-23: the Dutch Defense Cyber Strategy of 2012 has been revised ; seven priorities replace the six priorities set in 2012.

UPDATE 2014-10-22: The Dutch Defense Cyber Command exists as per September 25th 2014. Details here.

Here is an unofficial translation of the entire Dutch Defense Cyber Strategy document (.pdf, in Dutch) that was published by the Ministry of Defense on June 27th 2012. Don Eijndhoven already wrote a proper (English) piece about this on June 29th.

The below is an as-literal-as-possible translation of the entire Defense Cyber Strategy document. Also see here my translation of the entire speech given by the Secretary of Defense when presenting the Defense Cyber Strategy.

Dear Dutch govt, if you are reading this: please start publishing cyber-related policy documents in English (as NCTV and NCSC sometimes already do, but the MoD still doesn’t).

Hyperlinks and parts between [] are mine.

If you see spelling/grammar errors, please drop me a line at koot at uva dot nl .

Introduction
The digital domain [0] is, next to land, air, sea and space, the fifth domain for military acting. This domain and the application of digital means as weapon or means of intelligence are undeniably developing strongly. Digital means will increasingly be an integral part of military acting and lead to modernizations. The dependence on digital means, however, also leads to vulnerabilities that need urgent attention. The impact on society of a large-scale cyberattack can be huge. The effects can, like a terror attack, result in large-scale upheaval and societal disruption. In the military domain, infrastructure and weapon systems can be affected such that there no longer is an effective defense. The Dutch armed forces makes the necessary conclusions from this and inspires to act as a `sword force’ in the digital domain too.

The three main tasks of the MoD [1] are leading for the efforts of the armed forces in the digital domain too. They must therefore be able to act against a digital threat to society or to international legal order. In that, there is an increasing overlap between the first and third main task. The separation between main tasks remains of importance, however, because the principles and procedures for the use of the armed forces are different for each task. The constitutional rules apply without limitation to the digital domain. The use of the armed forces will therefore be based on a government mandate in international operations and based on a request for assistance to civil authorities (usually the Secretary of Security & Justice).

To guarantee the deployability/availability of the armed forces and increase its effectiveness, the MoD strengthens its digital defensibility and develops the capability to perform cyber operations. For the coming years, the Defense Cyber Strategy provides direction, coherence and focus for the integral approach for the development of military capability in the digital domain. Therewith, the MoD implements the cyber intensification outlined in the policy letter Defense after the credit crunch [.pdf, in Dutch] and to the defense part of the National Cyber Security Strategy (NCSS) [.pdf, in English].

The armed forces want to make optimal use of the possibilities offered by the development of digital technology. This technology is already being used by the MoD on a large scale and enables it to perform its task more effectively and more adequately. For example, nearly all weapons systems function due to the use of IT components. Command and control, and logistical support rely heavily on digital systems. In addition, the information position and situational awareness of the armed forces are significantly improved using digital means. Digital networks and systems, including both weapon systems and measurement/control systems, and the information they carry, have become of vital importance to the armed forces.

The dependence of the armed forces on digital technology, however, also makes it vulnerable. It is essential that MoD protects the reliability [3] of its own networks, systems and information, and prevents information theft. The MoD use remain vigilant and invest in high-end means and knowledge in order to keep the defense against digital attacks at the required level. The MoD also must get more insight into the threats that the MoD is exposed to in the digital domain so that it can protect itself against them effectively.

Considering that not only our own digital systems are vulnerable but also those of (potential) adversaries, the digital domain can also be used for (military) acting against an adversary or to improve one’s own intelligence position. Therefore, the MoD considers digital means specifically as operational capabilities — as weapon or means of intelligence — that must become integral part of the operational power of the armed forces. That includes the protections of one’s own networks, systems and information during military operations, the use of offensive capabilities and the gathering of intelligence related to military operations. Because all parts of the MoD use IT intensively, far-reaching joint cooperation is necessary.

Due to the broad and multiform character of the digital domain and in order to use the MoD’s scares means optimally, central control and coordination are needed of all activities associated with the military acting in the digital domain. The speed of developments in the digital domain is very demanding regarding MoD’s adaptivity and innovation. MoD must be able to implement new technology quickly and be able to cope with short cycles of innovation. The dynamics and complexity of the digital domain require continuous adjustment of (initial) needs for knowledge, expertise, skills and techniques, and way of acting.

As a result of the strong interconnectedness in the digital domain and the dependence on similar technology, an integral approach is also necessary at the national and international level. The classical separation of military and civilian, public and private and national and international actors is less clear in the digital domain. For example, national security can be threatened by a large-scale attack at a private organization. In defending against such a large-scale attack, cooperation bet ween various parties in necessary, including with the victim organization itself, the National Cyber Security Center (NCSC), the intelligence services, law enforcement and possibly also the armed forces.

Priorities
Given this background, the Defense Cyber Strategy includes six priorities that will guide the MoD to achieve its goals in the digital domain:

1. the establishment of an integral approach;
2. the strengthening of digital defensibility of the MoD (“defensive”);
3. the development of the military capability to perform cyber operations (“offensive”);
4. the strengthening of the intelligence position in the digital domain (“intelligence”);
5. the strengthening of the knowledge position and the innovative power of MoD in the digital domain, including the recruitment and retaining of qualified personnel (“adaptive and innovative”);
6. the intensification of the cooperation at the national and international level (“cooperation”);

The development of the digital threat for the MoD

Due to its intensive use of high-end (satellite) communication systems, information systems, sensory systems, navigational systems, logistical systems and weapon systems, the Dutch defense organization is dependent on reliable internal and external networks and on digital technology. It is therefore vulnerable to digital attacks.

Various countries now posses offensive cyber capabilities for military purposes, or are in the process of developing them. Non-state actors too can be a threat to the armed forces by disrupting systems and information provisioning. In modern conflict, the distinction between combatants and non-combatants becomes vague, and so does the delineation of operational terrain. The acting by “adversaries” will increasingly often be in digital form and probably extends to the “home front”.

The biggest threat to the MoD in the digital domain on the medium-to-long term is due to high-end and complex digital offensive capabilities that are targeted at a specific (military) target and can severely limit the the armed forces’ ability to act. A lack of knowledge about and lack of insight into digital possibilities to carry out attacks is a real risk to the armed forces.

Already today, armed forces and companies involved in the development and production of high-end military technology are continuously confronted with — attempts to — digital attacks and espionage activity. The strategic and economic value of the information in this sector is high. The MoD will have to be alert at an early stadium on the covert introduction of vulnerabilities (“backdoors”) in information and communication systems. The complexity of and amount of components in systems increase this risk. Intelligence services  very probably won’t hesitate to manipulate equipment prior to its delivery to potential opponents.

Priority 1: An integral approach
The MoD’s cyber capabilities are an important and real addition to existing military capabilities. The value of digital means is in the possibilities they offer to support and enhance acting across all lines and in all domains. Digital means strengthen the acting of the armed forces in all functions of military acting: logistics, command and control, intelligence, protection, maneuver and striking power. This strategy therefore assumes an integral approach both regarding supporting processes (readiness, operational support, maintenance) and operational deployment (both independent and as part of acting of other units, possibly under civil authority).

In the context of military operations, operational cyber capabilities will be used increasingly often, mainly to support conventional acting of the armed forces, but also as an independent weapon. It is necessary that operational cyber capabilities become part of the total military capabilities of the Dutch armed forces. For that, the MoD has to make significant investments in the strengthening of cyber capabilities. The MoD will not establish a separate military component of armed forces for acting in the digital domain. Eligible cyber capabilities will be brought together in 2014 as a joint unit in the Defense Cyber Command (DCC) that will become administratively part of the Royal Netherlands Army (CLAS) under `single service management’.

An operational cyber capability entails all knowledge and means required to predict, influence or disrupt adversary actions via digital means, and to defend oneself against similar cyber operations from the adversary, during operational deployment. This takes place via infiltration of computers, computer networks, weapon and sensory system software and software to gather information and intelligence and influence systems. An operational cyber capability thus entails deployable defensive, intelligence-related and offensive elements.

In the planning and preparation of operations, aspects that are relevant to the digital domain are also taken into account. The digital domain thereby is an integral part of the joint operational planning process. Here, both the potential influence of the digital domain on the ordered task and the effects that can be achieved via the use of cyber capabilities are taken into consideration. An operational commander therefore has his own capabilities and can request intelligence capabilities to gather cyber information, process it and provide it timely for the decision-making process. This entails both the threat against one’s own networks and systems as the possibilities to exploit the adversaries’ vulnerabilities. A good situational awareness in the digital domain is part of the total situational awareness of the commander.

For operation in the digital domain it is necessary that the mandate accommodates this, and that the Rules of Engagement describe how offensive cyber capabilities may be used.

Priority 2: Defensive
Networks and systems are vulnerable to attacks and disruptions, both from the inside and outside. The defense against this entails the protection of networks, the monitoring and analysis of data traffic, the identification of digital attacks and the response to them.

The MoD is evidently responsible for the security of its own networks and systems. The MoD has to be prepared to cyber threats and be able to protect itself against it in order to ensure the deployability/availability of the armed forces.  The MoD therefore has to be familiar with the potential threats in the digital domain and the vulnerability of its own networks and systems. The MoD will therefore perform a risk analysis that will be the basis for establishing which minimal security measures are required. The measures to be taken and usability will need to be balanced, and a coherent set of staff, physical and information security measures will be endeavored. Networks and systems processing and storing highly classified information will be subject to a stronger security regime. Unauthorized access to that data could, after all, result in (very) severe damage to the MoD, to the government or our allies. For networks and systems processing unclassified or lowly classified information, a smaller set of security measures suffices.

It has to be assumed that a persistent and technologically highly developed adversaries will be able to compromise (parts of) networks and systems nonetheless. Establishing an all encompassing digital defense is nearly impossible and, moreover, prohibitively expensive. Therefore, in the protection of one’s own digital infrastructure, as much flexibility as possible must be build in, both regarding the (passive) security of networks as the active response to an attack. Priority must be given to the protection of information and information exchange. In addition, systems must be defensible by being able to respond quickly to an attack and be able to adjust themselves to keep functioning.

The most important vulnerability that can result in the loss or compromise of information is usually due to improper and careless use of IT. Therefore it is necessary that every MoD-employee is aware of the risks associates with the use of digital means.  Digital security awareness shall therefore be integral part of all defense education programs. In addition, MoD-employees must be trained in working under circumstances in which they can temporarily not make use of the (full) functionality of networks and systems.

The MoD will (continuously) improve the protection of its networks and systems. This will be done by the Joint Information Provisioning Command (JIVC) that is being established and is expected to be operational in Q1/2013. The JIVC realizes adequate and high-end security and guards all networks and systems. Illegal and anomalous use will be noticed. The MoD’s Computer Emergency Response Team (DefCERT) guards the security of systems and networks, taking into account current threat levels. DefCERT, which will become part of the JIVC, must identify and analyze risks to and vulnerabilities of the most important MoD networks 24×7 and advise the MoD about security measures that need to be taken. DefCERT too has to have a proper cyber situational awareness. DefCERT therefore works together within MoD with other parts of the JIVC and the Military Intelligence Service (MIVD). Outside of the MoD, they will cooperate with the NCSC, NATO and other CERTs and with companies that have specific knowledge or means. This can entail both information exchange as (personnel) support in case of calamities.

The available defensive cyber capabilities must be used both to protect the MoD’s IT-infrastructure and to protect the MoD’s unique weapon and sensory systems. These are capabilities for the protection of both MoD’s generic networks and systems by the JIVC and the operational networks and systems during deployment by the DCC. The MoD will also improve the reliability of weapon and sensory systems by improving the insight into digital vulnerabilities and by strengthening the control over development, the supply chain and use of IT components. Specific attention is given to procurement of both software and hardware for digital defensibility. During the procurement or development of new systems, potential risks to the reliability must be taken into account from the start. These risks have to be, if possible, mitigated by security requirements or security measures.

Priority 3: Offensive
Offensive cyber capabilities are the capabilities for the purposes of influences or disrupting adversary actions. The MoD must have the knowledge and capabilities to act offensively in the digital domain, both to be able to establish an effective defense and to support operations.

This entails the development of (knowledge about) complex and high-tech means and techniques specifically aimed at enhancing one’s own military capabilities. A cyber attack on an air defense systems can, for example, increase the effectiveness of one’s own air strikes while the risk of collateral damage is decreased.

An offensive cyber capability can be a force multiplier and therewith increase the effectiveness of the armed forces. By the development of a robust cyber capability the Netherlands can be a prominent player within NATO on this area.

The development of offensive operational capabilities is at a very early stage internationally. Much remains unclear about the nature of these capabilities, the possibilities that they can offer and the effects that can be achieved with them. Offensive cyber capabilities distinguish themselves from conventional military capabilities because they are often only usable once and mostly have a short lifespan. High-end cyber capabilities are barely comparable to generally known, relatively low-threshold and widespread methods of attack. It comprises complex means for which the development is requires very specific knowledge and is therefore costly and time-consuming. It is a challenge that it is hard to guarantee the desired effects because the adversary can at any moment discover its own vulnerability and protect itself.

In the development of offensive operational capabilities, the knowledge and means available at the MIVD will be used as much as possible. Considering the scarcity of qualified personnel, the knowledge and means must be used as effectively as possible, and it must be prevented that similar means are developed at the  same time within the MoD. The knowledge, means and cooperative relations of the MIVD will therefore be used optimally in the development and use of offensive means by the Chief of Defense (CDS). The CDS can use these offensive means during military operation based on a mandate from the government. The legally required separation between the tasks and the responsibilities of the CDS and the MIVD remains intact. Offensive means can also be used to prevent or thwart a cyber attack and to ensure the freedom of one’s own ability of military action in the digital domain (`active defense’). The DCC accounts for readiness of offensive cyber capabilities for operational use. The Taskforce Cyber will develop a doctrine for acting in the digital domain, develop use case scenario’s and specify the effects and consequences of offensive means. This will by done through tests, training and practice, among others.

Priority 4: Intelligence
The rise of the digital domain and the increasing interconnectedness of systems have dramatically increased the possibilities for gathering information. The possession of a high-end intelligence position in the digital domain is a precondition both for the protection of one’s own infrastructure and for carrying out operations. The MoD must have insight into the threats in the digital domain to which it can be exposed in order to protect itself against them effectively. This requires insight both into the technical threat and into the possibilities and intentions of (potential) adversaries and attackers. The MIVD must therefore have intelligence capabilities to gather, analyze and report about this information. In addition, the MIVD has to have the capability to disrupt and put an end to intelligence activity of others. The intelligence activities of the MIVD will evidently be carried out within the legal framework.

In the next years, the MIVD will expand its capabilities for covertly collecting information within the digital domain. The activities entail the infiltration of computers and networks to obtain data, the mapping of relevant parts of the digital domain, the monitoring of vital networks and the understanding of the mechanisms and techniques behind means of attack. The gathered information will be used for early warning intelligence products, the establishment of a National Cyber Assessment (CSBN), the strengthening of the intelligence production in a broad sense and the carrying out of counter intelligence. The digital domain can not be seen separately from intelligence capabilities such as signals intelligence (SIGINT), human intelligence (HUMINT) and the MIVD’s existing counter intelligence capabilities. Decisive for the effectiveness is the combined use of scarce expertise and means. The MIVD and AIVD will therefore intensify the collaboration regarding cyber and SIGINT by establishing a common SIGINT-Cyberunit. The establishment of this unit must further increase the effectiveness of the national cyber intelligence capability. The MIVD will also contribute to the development of the CSBN that is written under the responsibility of the National Coordinator for Counterterrorism and Security (NCTV) and the Ministry of Security and Justice.

A complex challenge is the attribution of identified attacks and attempted attacks. If it cannot be determined what the source of a threat or attack is, who is carrying them out and for what purpose, the possibilities for an effective response are limited. The MIVD will increase the possibilities for attribution by the use of all possible intelligence sources and forensic research, and collaborate with, among others, the JIVC, the General Intelligence & Security Service (AIVD), the Netherlands Forensics Institute (NFI) and law enforcement (the KLPD and the Royal Netherlands Marechaussee (KMar)). In addition, intensive and confidential international cooperation is often essential in determining the identity of the attacker and taking effective protection measures.

Priority 5: Adaptive and innovative
The speed of developments in the digital domains demands adaptivity and innovation from the MoD. The MoD must be able to quickly implement new technology and cope with short cycles of innovation. The dynamics and complexity of the digital domain demand continuous adjustment of (initial) needs for knowledge, expertise, skills and techniques, and way of acting.

The MoD must have the knowledge to monitor relevant developments and adjust to them quickly and effectively. The MoD invests in people,technology, research and development to be able to acquire or develop the necessary cyber capabilities timely and deploy them. The Defense Cyber Expertise Center (DCEC) will be the central entity for the enhancement of knowledge development, assurance and dissemination. The DCEC must bring the MoD’s knowledge on the area of cyber operations to a high level and maintain it there. This is aimed both at knowledge development (among others: R&D and concept development and experimentation) and at knowledge transfer (practice, training and education) within the MoD. The DCEC will intensively cooperate with knowledge institutions such as TNO.

For sustainable improvement of security of networks and systems, the MoD must be able to respond quickly and effectively to new development, be able to test and apply new technologies at an early stage and closely cooperate with private companies and academia. Tenders and acquisition in the digital domain will be set up such that it is tuned to the variable/unstable character of this domain, and at the same time ensure the reliability of means and business processes. In the digital domain, the private sector is the motor of innovation, also regarding the security and protection of IT infrastructure. The MoD thus has to make optimal use of this innovative power. The sourcing policy of the MoD can contribute to this.

For research and development, but also for education, training and practice, the MoD will possess a `cyber laboratory’ and a test environment. This cyberlab can be used by the various MoD organizations and also be available to partners. Components can be at various physically locations and be connected remotely.

A specific challenge to MoD is the recruitment and retaining of qualified personnel that is also able to work in a military environment. The required military personnel capacity will partially be achieved by the use of cyber reserves. To acquire and retain the necessary knowledge, expertise and skills, specific attention is paid to staff policy and education. Specific career paths will be developed to anchor the knowledge and experience of MoD-employees on the cyber terrain. By cooperating with the NCSC, law enforcement and the private sector, exchange of personnel can be stimulated. This ensures proper development of experience and can offer employees an interesting career perspective.

Additional research is necessary on the impact of digital means as operational capability and the threat from it to the armed forces, both technologically, procedurally and legally. The MoD will tune to research that is being done elsewhere in the Netherlands and internationally. The MoD also carries out research by itself. In 2014, a chair in digital defensibility and cyber operations will be establish at the Netherlands Defense Academy (NLDA).

Priority 6: Cooperation
Digital security depends on the capability of countries and organizations to protect the digital domain, individually and in cooperation. The digital domain is, by nature, a domain in which public and private, civil and military and national and international actors act at the same time and are interdependent. In addition, the techniques used by attackers are largely similar and make use of generic vulnerabilities in networks and systems. A collaborative approach of digital insecurity is therefore necessary to enhance digital security in a sustainable way.

Nationally
For the MoD it is important to cooperate closely with public and private parties within the framework of the NCSS. The MoD is represented in the Cyber Security Council (CSR) and participates in the NCSC.

As operator of high-end digital networks and systems, the MoD is an important partner that possesses special knowledge and capabilities. Based on the MoD’s third main task, the MoD can, if requested, make available this knowledge and capabilities to civil authorities. After a formal request and permission conform the legal ground for support or conform the rules for providing supporting, it is possible to act under authority of the requesting party. The way in which capabilities can be made available within the context of cyber operations will be further elaborated. Besides that, there is reason to examine whether the MoD’s digital means can be involved in administrative agreements about the specifically guaranteed availability of the armed forces within the context of the Intensification Civil Military Cooperation (ICMS) program. The MoD’s capabilities will have to contribute to the improvement of security and reliability of the entire Dutch digital domain.

In organizing a collaborative approach, it is important that roles, tasks and responsibilities are clear. For this, at initiative of the NCTV it will be examined whether the current crisis management structure is adequate for making a large-scale digital disruption manageable quickly and effectively. The MoD will contribute to this.

Cooperation with public partners, universities and the private sector is also needed at the area of R&D, education and staffing. Different parties are coping with the same challenges, such as limited budgets and scarcity of qualified personnel. New possibilities for strategic cooperation must be examined. The MoD contributes to the National Cyber Security Research Agenda [.pdf, in English] and, in the context of the cabinet’s private sector policy, to the specific attention that is being paid to cyber security in the `top sector High Tech’. In this context the MoD will also work closely together with other departments, knowledge institutions and the private sector. Alliances with the private sector will be sought regarding the development of means.

Internationally
Internationally, the MoD seeks cooperation with countries that have a similar ambition and approach as the Netherlands, and that operate at a similar level. The main purpose of such cooperation is knowledge exchange. At a later stage it will be examined what the possibilities are regarding joint development of means and techniques and joint setup of capabilities.

For the MoD, NATO is the primary organization for cooperation for increasing defensibility in the digital domain. The MoD therefore contributes  to the development and execution of NATO policy. As emphasized during the Chicago summit in May 2012, the NATO will increase the defensibility of its own networks and systems, and those of allies that are essential to the functioning of NATO. The Netherlands also endorses NATO’s ambition to increase the joint capability for intelligence analysis. It is not plausible that cyber capabilities will be developed in NATO cooperation. NATO must, however, develop a vision on the use of cyber capabilities during NATO operations.

The MoD also supports the EU initiative to establish an integral internet security strategy. For the MoD it is important that the EU and NATO intensively cooperate in improving the defensibility of member states. For that, it is important that the information exchange between both organizations is intensified on this area.

Finally
The priorities outlined in this strategy must ensure that the armed forces can act effectively and adequately in the digital domain. By investing in digital defensibility and operational capabilities, the Netherlands maintains high-end and technologically advanced armed forces that is versatile and can perform its tasks in all domains. In the budget and the annual report, the Parliament will be informed about the progress of the execution of this strategy. In 2016 the policy will be reviewed.

[0] At this time, there is no internationally accepted definition of the term digital domain (cyberspace). In this strategy, the digital domain is considered to be all entities that are (or can be) digitally connected. The domain entails both permanent connections and temporary or regional connections and always concerns in some way the data (data, information, code, etc.) present in this domain.

[1] The three main tasks of the MoD are:
1. Protection of our terrain and that of our allies, including the Caribbean part of the Kingdom;
2. Promotion of international legal order and stability;
3. Assistance to civil authorities in law enforcements, disaster control and humanitarian aid, both nationally and internationally.

[2] By reliability we mean availability, integrity and confidentiality.

EOF

Here is an unauthorized (but careful!) translation of the speech (.pdf, in Dutch) given by the Dutch Secretary of Defense J.S.H. Hillen during the Netherlands Defense Academy (NLDA) Cyber Symposium that took place on June 27th 2012. The Dutch MoD released their Defense Cyber Strategy (.pdf, in Dutch) during that event.

Hyperlinks and parts between [] are mine.

If you see errors, please drop me a line at koot at uva dot nl .

The sword in the digital domain

On November 1st 1911 the first Italian pilot, Giulio Gavotti, dropped four bombs on Turkish gantries in Libya. He therewith performed the first airstrike in history. A new domain for warfare was born.

Not everyone realized this. In the same year, Frenchman Ferdinand Foch, who would later become field marshal during WWI, stated that “flying is fun as a sport but useless as means of warfare”.

Three decades later, in WWII, the deadly effect of the air weapon became clear and Foch was proven wrong. Or, as Erwin Rommel, the German general, sighed at the end of the war:

“Somebody that, even with the most modern weapons, has to fight an enemy that dominates the air, fights as a savage against European units, with the same limitations and the same chance of success.”

And now another new domain emerged for military action. A domain that has been created by man. Besides ground, air, sea and space, cyber has now become the fifth domain for military action.

This digital domain and the application of digital means as weapon or instrument of intelligence are developing strongly. Where does this development lead? And what this it mean for the Dutch armed forces?

It is right that the Dutch Defense Academy organizes a full-day conference focusing on these questions. I predict: many days such as these will follow. Because 100 years after 1911 we are standing, in my conviction, at the beginning of an important change in military action. A development that will change `the face of battle’, as the Brit John Keegan stated, in the coming decades.

The internet has turned out to be a huge enrichment to society and a motor for economic growth. Digital means make possible what seemed impossible before.

The MoD wants to use these possibilities optimally. The digital technology enables the armed forces to perform its tasks more effectively and more adequately. Almost all weapon systems function thanks to the use of IT components. Command and control and logistical support heavily rely on digital systems. The armed forces are nearly just as dependent on IT as [popular Dutch online bookstore] Bol.com. Without digital means both our society and our armed forces can barely function. The have become of vital importance.

The emergence of the digital domain has also not been appreciated by everyone. Thomas Watson, chairman of IBM, stated in 1943 that there would be a global market for, perhaps, five computers.

What is also noticed — and now I come to the other side of the digital phenomenon — is a lack of awareness about the risks associated with the explosive growth of computer networks. In the development of hardware and software, and the set up of networks, barely any attention was — and is — spend on security. Even though the first computer virus already emerged in 1971.

In other words, the attention for the protection of networks did not keep up with the growth of the digital domain.

Only in recent years we see a catching up. Cyber security is now gaining increasing attention.

And rightfully so, because the digital threat is real. This threat can disrupt a society that depends on IT in various ways. Not only technically: think of failure of the banking system. But also psychologically: think of the fear, the panic and possibly giving in to an aggressor that can act when our digital systems are sabotaged on a large scale. The consequences of an attack will not be limited to the digital domain but also have far-reaching consequences for society as a whole.

Our society has to arm itself against this threat. That also holds for the armed forces. The Stuxnet and Flame attacks made clear that conflicts can also be fought in the digital domain and that the impact of this can be big.

Many things are unclear regarding the nature of digital conflicts. How will state and non-state actors use the digital domain to achieve their political goal? What will cyber weapons of the future look like? It is speculation for now.

We can, however, not afford to wait submissively and see what others come up with. Nearly everything that someone can imagine, so history teaches us, will eventually be made. Think about the fantastical stories by Jules Verne.

So will digital weapons probably emerge faster than expected as fixed component of military arsenals. The MoD has to have imaginative power, both to make full use of the possibilities that the digital domain offers as well as to arm against what is coming.

But what does it mean to be the sword in cyberspace? How should the armed forces perform her special tasks and responsibilities in the digital domain?

The digital challenge is, so much is clear, also a frontier from a military perspective. In the physical world, boundaries are generally well-defined, and threats and adversaries can be mapped.

In the digital domain, this is far less clear.

In this domain, there is no delineated military area of operation.

Nor is there any physical violence.

And yet it is conceivable that disturbance of digital systems disrupts entire societies or eliminates military targets.

It is of great importance that the MoD be prepared for this new reality, where the virtual and real world flow into one another.

Therefore, today I will send to the Dutch Parliament the defense strategy for military operation in the digital domain. The Defense Cyber Strategy [.pdf, in Dutch] will provide guidance, coherence and focus to the development of the military power in the digital domain.

Integral approach
The first priority is the establishment of an integral approach. Due to the broad and multiform character of the digital domain, central coordination is needed of all activities that are associated with military acting in the digital domain.

Our starting point is that the MoD cyber capabilities must be fully integrated in our military acting. The power of digital capabilities lies within the possibilities they offer to support and enhance this acting in all domains.

MoD will not establish a separate department within armed force for acting in the digital domain. The operational cyber capabilities will however be placed in the Defense Cyber Command in the land forces in 2014.

Defensive
Our second priority is the strengthening of digital defensibility of MoD, i.e., the defensive side. Digital self-defense entails the protection of networks, the monitoring and analysis of data traffic, identification of digital attacks and the response to those.

The Joint Information Provisioning Command (JIVC) that is being established and DefCERT have a prominent role in this.

But there is also a responsibility for every MoD employee. The most important vulnerability that can result in loss or compromise of information is related to unintentional actions by employees, such as careless and improper use of IT. Every MoD employee must become aware of the risks associated with digital means.

Offensive
The third priority is perhaps the most striking: the development of military power to perform cyber operations.

As `sword’ the armed forces must, in my opinion, be able to act offensive in the digital domain. Eliminating an adversary remains the special task of the armed forces. Also in the digital domain. Knowledge of offensive methods and techniques is, moreover, necessary for strengthening the digital defensibility.

Many still associate the word cyber attack with the lonely hacker who is able to take down the Pentagon’s network from his  attic room. The digital domain as asymmetrical arena where David can hit Goliath right between the eyes. This appeals to our imagination but probably has little to do with future reality. Stuxnet and Flame are technologically very complex and therefore costly. Not something that an amateur enthusiast can build in an evening.

The development of offensive operational capabilities is still in a very early stage. Much remains unclear about the nature of these capabilities, the possibilities that they can offer to a commander and the effects that can be achieved with them.

In the development of offensive operational capabilities of the armed forces, the knowledge and capabilities of the Dutch Military Intelligence Service (MIVD) will be use. The Chief of Defense [currently general Tom Middendorp] can employ offensive means based on a government mandate in a military operation. The legally required separation between the tasks and responsibilities of the Chief of Defense and the MIVD remains intact. The aforementioned Defense Cyber Command accounts for readiness of offensive cyber capabilities.

Intelligence
I already mentioned the MIVD. The strengthening of the intelligence position in the digital domain is our fourth priority.

Information is of vital importance to the armed forces. Due to the rise of the digital domain and the increasing interconnectedness of systems, the possibilities for gathering information have increased dramatically. Having a full-fledged intelligence position in the digital domain is need both for protection of one’s own infrastructure as well as carrying out operations.

They must have insight both in the technical threat as well as in the attacker’s intentions. They shall also have to posses the power to disrupt and end attempts of digital espionage.

Adaptive and innovative
In order to be successful at the said territories within the digital domain — defensive, offensive -and- intelligence –, more is needed: strengthening the knowledge position and the innovative power of MoD in the digital domain. This is then the fifth priority of our approach. The establishment of a cyber chair at the Netherlands Defense Academy (NLDA) in 2014, that will among others research the aspects of international law, is part of this. But also the recruitment and retainment of qualified personnel are specifically related to this priority.

The speed of developments in the digital domain demands a lot of adaptivity and innovation from the MoD. They must be able to implement new technology quickly and have short innovation cycles.

The MoD will therefore invest in digital technology and research. The Defense Cyber Expertise Center (DCEC) will be the place where knowledge is brought together. For research and development, but also education, training and practice, the MoD will have a `cyber laboratory’ and a test environment.

A special challenge to the MoD is the recruitment and retainment of qualified personnel that is also able to function within a military environment. To gather and retain the necessary knowledge, expertise and skill, specific attention will be paid to staff policy and education. Specific careers for `digital soldiers’ are certainly conceivable.

Our armed forces explicitly opens itself to people who have digital knowledge, but from whom the government hardly makes use: the `white hat hacker’-community, or bonafide hackers. They often point out leaks to us. We must not be angry about that, but make use of it, because that is how we make each other stronger. Why would a `white hat hacker’ not want to help defend his own country? Especially when he does not even have to crawl through mud, but can remain sitting behind his computer.

Cooperation
The intensification of cooperation in national and international levels is, finally, our sixth priority.

In the digital domain public and private, civilian and military national and international actors act at the same time. A joint approach is necessary.

To the MoD it is important to work together with public and private parties within the framework of the National Cyber Security Strategy [.pdf]. As operator of first-rate digital networks and systems, the MoD is an important partner both nationally and internationally.

At the international level, the MoD will seek cooperation with countries that endorse a similar approach and that operate at the same level regarding development. The primary goal of cooperation is the exchange of knowledge. After that it can be examined whether there are possibilities for collaborative development of capabilities.

During the recent Chicago summit, the NATO stated that it will strengthen the defensibility of its own networks and systems and those of allies. It is not plausible that cyber capabilities will be developed in NATO-cooperation. The organization must however develop a vision regarding the use of cyber capabilities during collaborative operations.

Concluding
The importance of the digital domain and the speed with which it develops puts yields big challenges to us. The Dutch armed forces makes the necessary conclusions and wants to become the prominent player that fits our country.

The MoD must develop a full-fledged cyber capability. Here more than in other areas, standing still amounts to declining. The speed at which the digital domain develops will then result in falling behind very quickly.

That is the challenge that we face now. The Defense Cyber Strategy that I will send to the Parliament, will be a guidance in achieving our goals.

Today I started this talk by referring to the first airstrike by the Italian pilot Giulio Gavotti in 1911. Even before the plane had been invented the British science fiction author H.G. Wells already predicted that “when air dominance is achieved by own of the fighting armies, the war becomes a conflict between one force that can see and on force that is blind”. It won’t surprise me that when this prediction is translated to the digital domain, it will soon become reality.

And now the moment has come to make it all official by offering the strategy to Parliament. Of course I will do so digitally.

EOF

On July 6th the Dutch government stated that legislation will be established later this year that will require organizations in the following six vital sectors to notify the Dutch government about security breaches:

• electricity
• gas
• telecom
• transport (Schiphol airport, mainports Rotterdam)
• drinking water
• surface water management

The requirement will also apply to the financial sector and to the government itself. It is stated that the impact of disruption of service is large in each of these sectors, and that cascade-effects to other sectors can easily occur, making large-scale societal disruption a real risk.

The security breach notification requirement will be tuned to legislation and regulations at national and European levels. Helping prevent societal disruption will the primary concern. The National Cyber Security Center (NCSC) will offer help and advice to the organization or to the sector, intending to end the breach and limit effects of the breach that could also occur elsewhere. In case the crisis structure is scaled up,  the NCSC can account for operational response within that structure. By publishing security advisories, the impact at third parties can be limited.

In order to act quickly and prevent possible societal disruption, the government seeks public-private partnership. In case of a threat of societal disruption, the government must be able to intervene. Therefore, the government gets increasing sectoral intervention possibilities at its disposal. This includes the authority to obtain information, the authority of administrative enforcement of designations and the authority to appoint an officer on behalf of the government.

With this legislation, the Dutch cabinet implements the motion Hennis-Plasschaert  (VVD party) that emerged in the aftermath of the DigiNotar incident and asks for mandatory security breach notification for organizations involved in vital information systems.

Sources:

• Press statement by the National Coordinator for Counterterrorism (NCTb) (July 6th 2012, in Dutch)
• Letter from Ministry of Security & Justice to Parliament (.pdf, July 6th 2012, in Dutch)

UPDATE 2018-12-09: all updates moved to the bottom.

This post provides a selection of resources on Electromagnetic Pulse (EMP) threats. (Note: I’m neither a physicist nor electrical engineer and hence have nothing useful to say about EMP myself. Be wary of any person who makes claims to knowledge about EMP threats w/o citing sources and w/o having relevant authority, such as a degree in said disciplines.)

In 1990, the Engineering and Design – Electromagnetic Pulse (EMP) and Tempest Protection for Facilities document was published; it focuses on U.S. government facilities.

Between 2001 and 2010 (and still?), the U.S. had an EMP Commission — excellent resource, providing e.g. the Report of the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack (53MB .pdf, April 2008, 208 pages) + Executive Report (.pdf, 2004 (note — it’s dated four years earlier than the current version of the main report), 62 pages)

In 2006, the Washington State Department of Health published a factsheet about EMP.

In 2008, the Congressional Research Service published a report on High Altitude Electromagnetic Pulse (HEMP) and High Power Microwave (HPM) Devices: Threat Assessment” (.pdf) (recommended read).

In 2009, there was a discussion on a forum for pilots about a New Scientist article that argued that a commercial aircraft could be brought down by DIY EMP bombs. Also in 2009, the U.S. Patent Application for an Electromagnetic pulse (EMP) hardened information infrastructure was filed.

In 2010, Business Insider had an article “Gauging The Threat Of An Electro-Magnetic Pulse Attack In The US“.

In 2011, some items appeared about Newt Gingrich’s interest in EMP: this blogpost by Dick Destiny (some profanity there) and this post on decodedscience.com.

In February 2012, the U.K. Defence Committee published the report Developing Threats: Electro-Magnetic Pulses (EMP). It refers to statements made by the U.S. EMP Commission.

In April 2012, the U.K. report, or rather this Telegraph news article about it, led to Parliamentary questions (.pdf) in the Netherlands. In response to those questions, Dutch Secretary of Defense Hans Hillen stated that he sees the EMP threat as “low” for the Netherlands. Here is my (unofficial) translation of the actual questions & answers:

1. Are you aware of the article “Britain at risk from ‘GoldenEye’ electromagnetic pulse attack from space, MPs warn“?Yes.
2. Do you still support your relativistic perspective on the threat of EMP that you expressing during the debate on the policy letter “Defence after the credit crisis: a smaller force in a troubled world” on June 6th 2011, in which you suggested that EMP is a remnant of the Cold War, that the EMP instrument is not practically applicable and that the threat can be considered to be low for the Netherlands?Yes, I consider this threat to be low. Also see the answers to questions 4 and 5.
3. If so, how do you interpret the warning from the British Defence commission, which contradicts your vision, about the big risks for British national security? Are you aware that also the U.S. EMP commission and several leading U.S. politicians have warned of the great dangers of an EMP attack earlier?I have taken note of the report of the British Defence commission and the references therein to rulings of the U.S. EMP commission and U.S. politicians. The information that is available to me gives me no reason to change my position. Also see the answers to questions 4 and 5.
4. How do you assess the specific comments of the President of the British Defence committee, James Arbuthnot, about the probability of an EMP attack considering that it is a convenient way to use a small number of nuclear weapons to create a large devastating effect?An electromagnetic pulse caused by a nuclear explosion can disrupt or destroy unprotected electronic systems by burning out electronic circuits. To create a nuclear EMP attack that has the greatest possible effect, an explosion of a nuclear weapon at several hundred kilometers height is necessary. This requires a launch vehicle that is only at the disposal of States. The Dutch intelligence services assess the likelihood of a nuclear EMP attack as low.
5. Do you, like the British parliamentarians, see major risks in the possibility for terrorists to build a primitive non-nuclear EMP weapon that is devastating on a smaller scale? If not, why?It is possible to build small, improvised non-nuclear EMP-weapons using commercially available componnents. The area in which such a weapon can cause damage, however, is small. The impact of a terrorist attack using an improvised EMP-weapon is, therefore, comparable to that of an attack using a conventional explosive. The main objective of such terrorist attacks is to frighten the population, more than causing damage itself. Prevention is the appropriate protection against such attacks.
6. What do you think of the criticism of the British Defence Committee that the British Ministry of Defence is unwilling to take these threats seriously? Do you see a similar situation in the Netherlands? If not, why?
7. What do you think of the advice of the British Defence committee that the U.K. ough to immediately protect its critical infrastructure against EMP attacks?I abstain from commenting on the specific British situation. The Dutch intelligence services monitor the proliferation of nuclear weapons. In addition, the terrorist threat is monitored by the National Coordinator for Counterterrorism (NCTV). The Parliament is informed quarterly about developments about this through the Terrorist Threat Assessment Netherlands.
8. Can you support with financial data your earlier claims that protection of critical infrastructure against EMP carries “enormous costs” with it? If not, why?Given the amount of electronic systems, their applications and the scope of potential measures, the costs of protection will be very high. Considering the answers to the previous questions, I foresee that establishing a detailed estimate will require a disproportionate effort.
9. Are you willing to promote that an interdepartmental working group is formed to make inventory of the dangers of EMP for the Netherlands and advise about the possibilities to protect the Dutch critical infrastructure against the consequences of EMP? If not, why?I don’t see the need for this.

Other informative resources:

• Susceptibility of some electronic equipment to HPEM threats ($), August 2004, D. Nitsch et al. (US Armed Forces)
• Electromagnetic Pulse Threats in 2010, November 2005, Colin R. Miller (USAF)
• U.S. Rep. Roscoe Bartlett (R-Maryland) page on Electromagnetic Pulse, May 2006
• EMP: A National-Scale Threat to the U.S. Infrastructure, April 2007, George H. Baker, The Critical Infrastructure Protection Report
• Slides on Electromagnetic Pulse (EMP) (.pdf), April 2009, Joe St Sauver
• The EMP threat: fact, fiction, and response (part 1), January 2010, Yousaf M. Butt, The Space Review
• The EMP threat: fact, fiction, and response (part 2), February 2010, Yousaf M. Butt, The Space Review
• Improvised EMP Devices [Part 1]: Possibilities and Realities, October 2011, Vera Knutsdottir, Defense Media Network
• Improvised EMP Devices [Part 2]: Enabling Technologies and Skills, October 2011, Vera Knutsdottir, Defense Media Network
• Improvised EMP Devices [Part 3]: Operational Concepts and Targets, November 2011, Vera Knutsdottir, Defense Media Network
• Improvised EMP Devices [Part 4]: Weapons Effects and Countermeasures, November 2011, Vera Knutsdottir, Defense Media Network
• Risk-Based Critical Infrastructure Priorities for EMP and Solar Storms, 2011, George H. Baker, Security Analysis and Risk Management Association Newsletter

UPDATES (new to old)

UPDATE 2021-05-21: E-Bombs: The Allure and Peril of High-Power Microwave Weapons (by Christopher McFadden, at Interesting Engineering)

UPDATE 2020-06-18: Everything I’ve learned about solar storm risk and EMP attacks (Chris Said. Note: like me, Said is not an EE or physicist expert, just a person who took a non-professional interest in this theme. He states: “I read congressional testimony, think tank technical reports, a book, academic papers, insurance company assessments, several industry technical reports, and multiple reports in the trade media. What I found was at times contradictory. Somewhat troublingly, both sides of the issue accused each other of bias from financial incentives. Overall, my view is that while some of the EMP and solar storm risk is overhyped, it remains a serious issue, and one of the main tail risks we should be preparing for.”)

UPDATE 2019-08-22: The Real Threat Posed by EMPs (The Cipher Brief)

UPDATE 2019-03-26: White House issues Executive Order on Coordinating National Resilience to Electromagnetic Pulses (EMPs)

UPDATE 2018-11-xx: new report (.pdf, 69 pages; mirror) from the U.S. DoD Electromagnetic Defense Task Force, by Maj David Stuckenberg, Amb. R. James Woolsey, Col Douglas DeMaio; edited by Dr. Ernest Allan Rockwell.

UPDATE 2018-03-21: Strategic Primer on Electromagnetic Threats, by the American Foreign Policy Council (AFPC; a conservative non-profit U.S. foreign policy think tank)

UPDATE 2017-10-01: Dutch article explaining what North Korea could achieve through h-bombs (note: not related to EMP)

UPDATE 2017-09-04: Understanding North Korea’s EMP threat to the U.S. (Dennis Santiago, Huffington Post)

UPDATE 2017-05-03: A North Korean Nuclear EMP Attack? … Unlikely (blogpost by Jack Liu, U.S. Korea Institute at SAIS)

UPDATE 2016-03-19: comment from Winn Schwartau in response to a YouTube-video on EMP posted on LinkedIn: “There is actually a reasonable solution to terrestrial effects of CME that every decent EE should intuitively understand. It’s a fundamental analogue outgrowth of Time Based Security, applying the math and Just Fricking Doing It. Oy. Satellites are toast, but we CAN keep the majority of the lights on. When someone really gives an IT… let me know. (No offense… but so tired of the ignorance, apathy and arrogance that was as is still endemic to The Entire Security Industry.”

UPDATE 2015-06-10: Ex-CIA Director: We’re Not Doing Nearly Enough To Protect Against the EMP Threat (Slashdot)

UPDATE 2015-02-xx: Electromagnetic Pulses (EMPs): Myths vs. Facts (.pdf, factsheet by the Edison Electrical Institute)

UPDATE 2014-10-22: Countering Electromagnetic Pulse (EMP) Threats (.pdf, slides by US Ambassador Henry F. Cooper, Chairman of High Frontier)

UPDATE 2014-09-15: EMP, Debunked: The Jolt That Could Fry The Cloud (John Barnes, article in Information Week)

UPDATE 2014-05-08: Electromagnetic Pulse: Threat to Critical Infrastructure (.pdf, testimony by dr. Peter Vincent Pry given before the US House Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies. Pry is executive director of the Task Force on National and Homeland Security, a Congressional advisory board.)

UPDATE 2014-04-xx: Electromagnetic Pulse (EMP): An Overview of Threats and Mitigation Solutions for Operations Centers and Substations (.pdf, slides by Michael A. Caruso presented at 2014 Int’l Conference of Doble Clients)

UPDATE 2013-08-27: Protecting America Against “Permanent Continental Shutdown” From Electro-Magnetic Pulse Events (.pdf, slides by Chuck Manto of the InfraGard National Electromagnetic Pulse Special Interest Group, presented at Idaho National Laboratories)

UPDATE 2013-10-xx: Terminal Blackout: Critical Electric Infrastructure Vulnerabilities and Civil-Military Resiliency (.pdf, paper by Ayers & Chrosniak, US Army War College CSLD)

UPDATE 2012-07-30: EU FP7 project, 2012-2015: STRUCTURES, Strategies for Improvement of Critical Infrastructure Resilience to EM Attacks

UPDATE 2012-07-21: 1975 Introduction to Explosive Magnetic Flux Compression Generatos by Los Alamos (.pdf, document from the Los Alamos Scientific Laboratory. Via Cryptocomb).

UPDATE 2011-xx-xx: EMP myths (by Jerry Emanuelson, B.S.E.E.), appendix from Oak Ridge National Laboratories/Metatech EMP Report.

EOF

UPDATE 2012-11-09: and the winner is…. Dutch technology start-up BusinessForensics that submitted a solution for in-memory big data analysis (Dutch). Congrats!

The Dutch Ministry of Defense (MoD) annually issues a “Defense Innovation Competition”, a competition that is intended to get input from and foster relations with Dutch industry and SME. This year’s theme is “CYBER Operations 2.0”. The project document (.pdf, in Dutch) describes it as follows:

For operations and command, the Dutch MoD relies on radio and satellite connections and the internet. But developments such as WiFi, smartphones and tablets will eventually make their appearance in the armed forces. The difference between military radio networks and the internet is therefore becoming more diffuse. And cyber is therewith definitively added to the domain of Defense.Guided by the Dutch National Cyber Security Strategy, the government, industry and knowledge institutions join forces. Externally, the MoD closely cooperates with these other players in the cyber security chain. But internally, the MoD must guarantee the integrity of its own information provisioning, networks and IT infrastructure. Therefore, the MoD is actively pursuing enhanced digital defensibility and the development of cyber as an operation capability. Regarding cyber, the MoD is expeditious and innovative; under the motto “Cyber, more than Defense!”, the MoD must be able to operate in the same way it does in other dimensions (land, sea, air, space), in other words, the MoD must also defend, delay, maneuver, attack and gather intelligence in the cyber dimension. Cyber Security thus entails more than Cyber Defence: for the MoD, it means: Cyber Operations. To this end, the MoD founded the Taskforce Cyber in January 2012.

In order to guarantee its future military capability (power) in the cyber domain, the MoD is in need of new technologies and innovations. With the Defense Innovation Competition 2012, the MoD is challenging the SME and Dutch industry. Use your innovation, your creativity and technological ingenuity to make a tangible contribution to the future of cyber operations.

The proposals are judged by seven criteria:

1. Applicability/implementability
2. Innovation
3. Feasibility
4. Quality (in terms of language, argumentation)
5. Competence, reputation of submitting entity
6. Risk analysis of follow-up phase

The MoD has reserved EUR 200k to make the winning idea become reality. The deadline for submitting proposals is August 22nd 2012. Participation is restricted to Dutch industry and SME.