Dutch govt response to Parliamentary questions concerning U.S. spying / AMS-IX expansion to U.S.

Posted on by mrkoot

UPDATE 2013-11-27: here (.pdf, Nov 27) is the EU Report on the Findings by the EU Co-chairs of the ad hoc EU-US Working Group on Data Protection — i.e., the EU-US expert group established in response to the revelations about NSA-related activities on European territory that is referred to in the post below.

UPDATE 2013-11-07: Automatisering Gids reports (in Dutch) that AMS-IX evades the PATRIOT Act in its expansion to the U.S.:

“AMS-IX has found a legal structure to operate in the U.S. without having to deal with the PATRIOT Act in the Netherlands.

AMS-IX is setting up a fully independent company in Delaware which will manage the exchange nodes in the United States. This also means that employees and directors cannot be exchanged between the two organizations. The U.S. company is a subsidiary of AMS-IX BV, that acts as the sole shareholder. The U.S.-based entity will be granted access to the necessary intellectual property through licensing.

This structure is devised with the international law firm Jones Day and aims to protect the Dutch AMS-IX BV and the AMS-IX Association against U.S. laws such as the USA PATRIOT Act.

Earlier the plans of AMS-IX for expansion into the United States were opposed because of the possible interference of the U.S. justice and security services in the Dutch establishment of AMS-IX.

AMS-IX takes into account a possible extension of the PATRIOT Act that would allow the construction to still become subject to U.S. jurisdiction. In that case, an independent Dutch foundation can be set up within a week to further separate the activities. AMS-IX chooses the current structure because the benefits from economy of scale.”

This is the provisional end of the story.

UPDATE 2013-11-06: AMS-IX USA Inc. to Deploy an Open-IX Internet Exchange in New York  

 

On October 15th, the Dutch cabinet responded (.pdf, in Dutch) to Parliamentary questions concerning planned AMS-IX expansion to U.S. in the light of U.S. spying. The response is only available in Dutch; here is my English translation. Hyperlinks are mine.

WARNING: this is an unofficial translation.

Answers to Parliamentary questions by Members of Parliament Van Raak (SP party) and Oosenbrug (PvdA party)Questions by Van Raak (SP party) to the Secretary of the Interior and Kingdom Relations concerning the danger of the Amsterdam internet exchange AMS-IX being required to hand over data to the U.S. National Security Agency (NSA) (submitted September 24th 2013).
Original Dutch: “Vragen van het lid Van Raak (SP) aan de minister van Binnenlandse Zaken en Koninkrijksrelaties over het gevaar dat het Amsterdamse internetknooppunt AMS-IX gegevens moet afstaan aan de Amerikaanse National Security Agency (NSA) (ingezonden 24 september 2013)”

Do you remember your remark that the Amsterdam Information [sic] Exchange (AMS-IX) is `the most important internet-exchange of the Netherlands and the second-biggest exchange in the world’?Yes
Original Dutch: “1 Herinnert u zich nog uw opmerking dat de Amsterdam Information Exchange (AMS-IX) ‘het belangrijkste internet-knooppunt van Nederland en het op één na grootste ter wereld’ is? [0]
Ja.”

Is it true that AMS-IX is considering expanding its activities to the U.S.?
That is known from media reports. Meanwhile it has become clear that on September 27th, the majority of members of the AMS-IX association voted in favor of the establishment of a legal entity in the U.S., during an extraordinary general meeting. The Board of Directors of the AMS-IX association will further examine the formation of a legal entity in the U.S.
Original Dutch: “2 Klopt het dat deze AMS-IX overweegt haar activiteiten uit te breiden naar de Verenigde Staten?
Dit is bekend uit de mediaberichten. Inmiddels is ook bekend dat op 27 september jongstleden in een buitengewone algemene ledenvergadering van de vereniging AMS-IX een meerderheid van de leden voor de opzet van een juridische entiteit in de VS heeft gestemd. De Raad van Bestuur van de vereniging AMS-IX zal de formatie van een juridische entiteit in de VS verder onderzoeken.”

Do you share our concern that the AMS-IX, by expanding to the U.S., risks becoming subject to U.S. legislation and can be forced to hand over information to the NSA?
If a company conducts activities on U.S. territory, these activities are subject to U.S. legislation, such as the Patriot Act and the Foreign Intelligence and Surveillance Act. Under this U.S. legislation, the provider can be forced, if mandated so by a U.S. court, to comply with requests of the U.S. authorities. The scope of the U.S. legislation and the possible violations of privacy are discussed in the joint EU-US expert group that was established following the revelations by Mr. Snowden. This group discusses the protection of privacy and electronic data of citizens, with the aim of understanding each other’s programs and how they are anchored in the rule of law.
The operating company of AMS-IX, AMS-IX B.V., has reported on its website that it explores the legal possibilities and the risks of expansion to the U.S. AMS-IX B.V. has sought legal advice from various parties on the applicability of U.S. law.
Original Dutch: “3 Deelt u de vrees dat de AMS-IX door deze uitbreiding de kans loopt onder de Amerikaanse wetgeving te vallen en gedwongen kan worden informatie af te staan aan de NSA?
Indien een bedrijf activiteiten op het grondgebied van de VS uitvoert, dan vallen deze activiteiten onder de Amerikaanse wetgeving, waaronder de Patriot Act en de Foreign Intelligence and Surveillance Act. Op basis van deze Amerikaanse wetgeving kan de aanbieder, na tussenkomst van een Amerikaanse rechter, verplicht worden mee te werken aan verzoeken van de Amerikaanse autoriteiten. De reikwijdte van de Amerikaanse wetgeving en de mogelijke schendingen van de persoonlijke levenssfeer zijn onderwerp van gesprek van de gezamenlijke EU-VS-expertgroep, die naar aanleiding van de onthullingen van de heer Snowden is ingesteld. Deze groep bespreekt de bescherming van de persoonlijke levenssfeer en elektronische gegevens van burgers, met als doel inzicht in elkaars programma’s en de wijze waarop deze zijn verankerd in de rechtsstaat.
De werkmaatschappij van AMS-IX, AMS-IX BV, heeft op haar website gemeld de juridische mogelijkheden en de risico’s van de uitbreiding naar de VS te verkennen. AMS-IX B.V. heeft bij diverse partijen juridisch advies ingewonnen over de toepasselijkheid van de Amerikaanse wetgeving.”

Are you willing to request advice on this from the Dutch National Cyber Security Center (NCSC)?
No. The NCSC is the knowledge and expertise center on cyber security, implemented the so-called computer emergency response task, and is responsible for crisis coordination in the event of a cyber crisis. Advising on the expansion of a Dutch legal entity to the U.S. is not a task of the NCSC.
Original Dutch: “4 Bent u bereid het Nationaal Cyber Security Centrum advies te vragen over deze kwestie?
Nee. Het Nationaal Cyber Security Centrum is het kennis- en expertisecentrum op het gebied van cyber security, geeft invulling aan de zogeheten computer emergency response-taak en is verantwoordelijk voor de crisiscoördinatie in het geval van een cybercrisis. Adviseren over de uitbreiding van een Nederlandse rechtspersoon in de VS behoort niet tot de taken van het Nationaal Cyber Security Centrum.”

Can you ensure that the AMS-IX will not conduct activities in the U.S. before the Parliament has full certainty that the data of Dutch citizens are safe at all times?
No. Dutch companies are free to expand abroad. Dutch companies that conduct activities in the U.S., must be aware that in the case of seizing or provisioning of data, the requirements of the Dutch Data Protection Act (DPA) must be met regarding the provision of data to third countries that lack adequate data protection. Under the DPA, the responsibility for assessing the circumstances in which data can be passes to such countries firstly lies on the company that is responsible for the data processing (Article 76 DPA).
Original Dutch: “5 Kunt u verzekeren dat de AMS-IX geen activiteiten in de Verenigde Staten gaat ontplooien voordat de Kamer volledige zekerheid heeft dat gegevens van Nederlandse burgers te allen tijde veilig zijn?
Nee. Het staat Nederlandse bedrijven vrij om zich in het buitenland te vestigen. Nederlandse bedrijven die ook in de Verenigde Staten actief zijn, dienen er op bedacht te zijn dat in het geval van vordering van gegevens of doorgifte van gegevens, de verstrekking daarvan dient te voldoen aan de eisen die de Nederlandse Wet bescherming persoonsgegevens (Wbp) stelt aan de verstrekking van gegevens aan derde landen waar naar Europees recht geen passend niveau van gegevensbescherming bestaat. De Wbp legt de verantwoordelijkheid voor het beoordelen van de omstandigheden waaronder gegevens naar een derde land kunnen worden doorgegeven in de eerste plaats bij het bedrijf dat voor de verwerking verantwoordelijk is (art. 76 Wbp).”

[0] Aanhangsel Handelingen, vergaderjaar 2012-2013, nr. 2649

Questions by Van Raak (SP party) to the secretaries of Economic Affairs, and Security and Justice concerning the possible expansion of the AMS-IX to the U.S. (submitted September 30th 2013)
Original Dutch: “Vragen van het lid Oosenbrug (PvdA) aan de ministers van Economische Zaken en van Veiligheid en Justitie over een mogelijke uitbreiding van de AMS-IX naar de Verenigde Staten (ingezonden 30 september 2013)”

Are you aware of the intention of the AMS-IX to set up shop in the U.S.?
Yes.
Original Dutch: “1 Heeft u kennisgenomen van het voornemen van de Amsterdam Internet Exchange (AMS-IX) om een filiaal in de Verenigde Staten te openen? [2]
Ja.”

Can you give us insight in the risks of expansion the the U.S. for the protection of data exchanged over the AMS-IX? How can the U.S. government use its Patriot Act and FISA in this?
[Same answer given to first question by Van Raak. See above.]
Original Dutch: “2 Kunt u inzicht geven in de risico’s van uitbreiding naar de Verenigde Staten voor de bescherming van gegevens die over de AMS-IX uitgewisseld worden? Op welke wijze kan de Amerikaanse overheid haar Patriot en FISA wetgeving hierbij gebruiken?
Indien een bedrijf activiteiten op het grondgebied van de VS uitvoert, dan vallen deze activiteiten onder de Amerikaanse wetgeving, waaronder de Patriot Act en de Foreign Intelligence and Surveillance Act. Op basis van deze Amerikaanse wetgeving kan de aanbieder, na tussenkomst van een Amerikaanse rechter, verplicht worden mee te werken aan verzoeken van de Amerikaanse autoriteiten. De reikwijdte van de Amerikaanse wetgeving en de mogelijke schendingen van de persoonlijke levenssfeer zijn onderwerp van gesprek van de gezamenlijke EU-VS-expertgroep, die naar aanleiding van de onthullingen van de heer Snowden is ingesteld. Deze groep bespreekt de bescherming van de persoonlijke levenssfeer en elektronische gegevens van burgers, met als doel inzicht in elkaars programma’s en de wijze waarop deze zijn verankerd in de rechtsstaat.
De werkmaatschappij van AMS-IX, AMS-IX BV, heeft op haar website gemeld de juridische mogelijkheden en de risico’s van de uitbreiding naar de VS te verkennen. AMS-IX B.V. heeft bij diverse partijen juridisch advies ingewonnen over de toepasselijkheid van de Amerikaanse wetgeving.”

Do you see a difference between the protection of personal data in the U.S. concerning U.S. citizens and others? If so, do you see it as a reason to restrict the full provisioning of data to U.S. authorities?
Yes. The U.S. Constition, particularly the Fourth Amendment, only applies to U.S. citizens. The Fourth Amendment requires judicial review in order to permit search and seizure.

Under Article 76 of the Dutch DPA,personal data may only be transferred to countries outside the EU that provide a so-called adequate level of protection. In other cases, transmission is only possible under a legal exception or a license from the Dutch Ministry of Security and Justice. Dutch companies operating in the U.S. must be aware that in the case of seizing or provisioning of data, the requirements of the Dutch Data Protection Act (DPA) must be met regarding the provision of data to third countries that lack adequate data protection. Under the DPA, the responsibility for assessing the circumstances in which data can be passes to such countries firstly lies on the company that is responsible for the data processing (Article 76 DPA).
Original Dutch: “3 Ziet u ook een verschil in bescherming van persoonsgegevens in Amerika, tussen de gegevens van Amerikaanse ingezetenen en anderen? Zo ja, ziet u daarin reden om het volledig ter beschikking stellen van gegevens aan de Amerikaanse overheden te beperken?
Ja. De Amerikaanse grondwet, in het bijzonder het Vierde Amendement, is alleen van toepassing op Amerikaanse burgers. Het Vierde Amendement vereist een rechterlijke toets bij bevelen tot doorzoeking en inbeslagneming.
Op grond van artikel 76 van de Nederlandse Wet bescherming persoonsgegevens mogen persoonsgegevens alleen worden doorgegeven aan landen buiten de EU die een zogeheten passend beschermingsniveau bieden. In de overige gevallen is doorgifte alleen mogelijk op grond van een wettelijke uitzondering of een vergunning van de Minister van Veiligheid en Justitie. Nederlandse bedrijven die ook in de Verenigde Staten actief zijn, dienen er op bedacht te zijn dat in het geval van vordering van gegevens of doorgifte van gegevens, de verstrekking daarvan dient te voldoen aan de eisen die de Nederlandse Wet bescherming persoonsgegevens (Wbp) stelt aan de verstrekking van gegevens aan derde landen waar naar Europees recht geen passend niveau van gegevensbescherming bestaat. De Wbp legt de verantwoordelijkheid voor het beoordelen van de omstandigheden waaronder gegevens naar een derde land kunnen worden doorgegeven in de eerste plaats bij het bedrijf dat voor de verwerking verantwoordelijk is (art. 76 Wbp).”

To what extent do you see an increase in the risk of people being prosecuted by U.S. companies, such as information law professor Van Eijk expected?
At present, there only is consensus on the establishment of a legal in the U.S. It is not yet clear what legal form that entity will get. The Board of Directors of the AMS-IX association is doing further research into the possible structure.
Original Dutch: “4 In hoeverre ziet u een vergroting van het risico dat mensen vervolgd worden door Amerikaanse bedrijven, zoals hoogleraar informatierecht Van Eijk verwacht?
Op dit moment is er alleen sprake van instemming met de opzet van een juridische entiteit in de VS waarbij het nog niet duidelijk welke juridische vorm die entiteit zal krijgen. De Raad van Bestuur van de AMS-IX Vereniging doet nader onderzoek naar de mogelijke structuur.”

Is it true that on September 27th, members of the AMS-IX association decided on the desirability of expanding into the U.S.? If so, what is the next stage that the AMS-IX will follow in the development of the expansion to America?
Yes. AMS-IX has consulted its members on September 27th (also see the website www.ams-ix.net). A majority approved of the expansion to the U.S. AMS-IX states the following: “With the approval of our members, the Board of Directors of the AMS-IX association will further examine the formation of a legal entity in the U.S. The best possible structures for the establishment of a legal entity will be further examined and shared with our members. The structure should protect the current operational activities of the AMS-IX, and the customers and members, against commercial, legal, financial and technical risks, and most specifically interception activities by U.S. authorities.” The options for this legal entity are now being developed and the members will be informed about this by the AMS-IX.
Original Dutch: “5 Is het correct dat de leden van de AMS-IX op 27 september beslissen over de wenselijkheid van uitbreiding naar de Verenigde Staten? Zo ja, wat is het vervolgtraject dat de AMS-IX zal volgen in de ontplooiing van de uitbreiding naar Amerika?
Ja. AMS-IX heeft haar leden op 27 september geraadpleegd. (zie ook de website www.ams-ix.net) Daarbij heeft een meerderheid ingestemd met de uitbreiding naar de VS. AMS-IX meldt daarbij het volgende: “Met de goedkeuring van onze leden, zal de Raad van Bestuur van de AMS-IX vereniging de formatie van een juridische entiteit in de VS verder onderzoeken. De best mogelijke structuren voor het opzetten van deze juridische entiteit zullen worden bekeken en met onze leden worden gedeeld. De structuur dient de huidige operationele activiteiten van de AMS-IX BV en de klanten en leden van de AMS-IX vereniging te beschermen tegen commerciële, juridische, financiële en technische risico’s en meest specifiek tegen interceptie- activiteiten door de overheidsinstanties in de VS.” De opties voor deze juridische entiteit worden nu uitgewerkt en de leden worden hierover door AMS-IX nader geïnformeerd.”

Do you agree that the AMS-IX is vital infrastructure that is of national importance? How is the public interest in the AMS-IX guaranteed, and do you see reasons to reinforce this assurance?
AMS-IX is an important link in the Dutch ICT infrastructure. As the largest internet exchange in the world [sic] and more than 600 connected networks, AMS-IX contributes to a more attractive business climate for ICT companies in the Netherlands. AMS-IX is of economic importance to the Netherlands as Digital Gateway to Europe. This is recognized in the Digital Agenda [2] of the Dutch administration. AMS-IX is currently not considered to be vital infrastructure. Sufficient built-in guarantees exist concerning continuity. Currently we are working on an interdepartmental review of the vital sectors, including a review the position of AMS-IX.
Original Dutch: “6 Deelt u de mening dat de AMS-IX vitale infrastructuur vormt, die van nationaal belang is? Hoe is het publieke belang dat de AMS-IX dient op dit moment geborgd en ziet u reden om deze borging te versterken?
AMS-IX vormt een belangrijke schakel in de Nederlandse ICT-infrastructuur. Als grootste internetknooppunt (internet exchange) ter wereld met meer dan 600 aangesloten netwerken draagt AMS-IX bij aan een aantrekkelijker vestigingsklimaat van ICT-bedrijven in Nederland. AMS-IX van economisch belang voor Nederland als Digital Gateway to Europe. Dit wordt onderkend in de Digitale Agenda [1] van het kabinet. AMS-IX is op dit moment niet aangemerkt als vitale infrastructuur. Er zijn overigens voldoende waarborgen ingebouwd ten behoeve van de continuïteit. Momenteel wordt gewerkt aan een interdepartementale herijking van de vitale sectoren, waarbij ook de positie van AMS-IX wordt bezien.”

Does the AMS-IX currently conduct activities abroad, or does it have plans to do so? How are these activities legally and technically organized?
Yes. AMS-IX is a private company of which the AMS-IX association is sole shareholder. The voting rights rest with the members. These are various providers of Internet traffic [sic]. AMS-IX is involved in three internet exchanges abroad. These activities are managed directly by AMS-IX B.V., that has contracts with local partners.

1) AMS-IX Caribbean (Curacao). This internet exchange is organizationally and legally placed directly under AMS-IX B.V., which is registered in the local chamber of commerce. Parties that exchange Internet traffic at this point have a contract with AMS-IX B.V. and are not members of the AMS-IX association.

2) AMS-IX Hong Kong. This internet Exchange is a collaboration between AMS-IX B.V. and Hutchison Global Communications (HGC). AMS-IX B.V. designs, builds and manages the technical platform. HGC carries out customer relations. Customers enter into a contract with HGC and are not members of AMS-IX association. AMS-IX B.V. receives a fee per connection.

3) AMS-IX East Africa (Mombasa, Kenya) . This internet exchange is under construction. It is a collaboration between AMS-IX B.V., the Kenya Internet Exchange Point (KIXP) and the company Seacom. AMS-IX redesigns and rebuilds an existing exchange and will manage it. KIXP provides technical personnel. Seacom provides the data center and acts as a seller. Parties that connect directly to the exchange are customer of AMS-IX B.V..
Original Dutch: “7 Ontplooit de AMS-IX op dit moment al andere buitenlandse activiteiten, of zijn hier plannen voor? Op welke wijze zijn deze activiteiten juridisch en technisch georganiseerd?
Ja. AMS-IX is een besloten vennootschap waarvan de vereniging AMS-IX enig aandeelhouder is. Het stemrecht binnen de vereniging berust bij de leden. Dit zijn diverse aanbieders van internetverkeer. AMS-IX is betrokken bij drie buitenlandse internet exchanges. Deze activiteiten vallen rechtsreeks onder AMS-IX BV die contracten heeft met lokale partners.
1) AMS-IX Caribbean (Curaçao). Deze internet exchange valt organisatorisch en juridisch rechtstreeks onder AMS-IX BV, die plaatselijk ingeschreven staat in de kamer van koophandel. Partijen die op dit punt internetverkeer uitwisselen hebben een contract met AMS-IX BV en zijn geen lid van de vereniging AMS-IX.
2) AMS-IX Hong Kong. Deze internet exchange is een samenwerking tussen AMS-IX BV en Hutchison Global Communication (HGC). AMS-IX BV ontwerpt, bouwt en beheert het technisch platform. HGC behandelt het klantcontact. Klanten gaan een contract aan met HGC en zijn geen lid van de vereniging AMS-IX. AMS-IX BV ontvangt een vergoeding per aansluiting.
3) AMS-IX East Africa (Mombasa, Kenia). Deze internet exchange is in opbouw. Het is een samenwerking tussen AMS-IX BV, het Kenya Internet Exchange Point (KIXP) en het bedrijf Seacom. AMS-IX herontwerpt en herbouwt een reeds bestaande exchange en zal deze beheren. KIXP levert technisch personeel. Seacom levert het datacentrum en treedt op als verkoper. Partijen die direct aansluiten op de exchange worden klant van AMS-IX BV.”

Are you willing to advise the AMS-IX Board of Directors on how to Dutch interests can be best served through a robust legal and technical construction between the Dutch and foreign branches?
Dutch companies are free to expand abroad. It is not reasonable that the government advises in this. AMS-IX stated that it examines the further legal development abroad with the aim of establishes a robust legal and technical construction. Moreover, the Ministry of Economic Affairs immediately contacted the AMS-IX after publication of the intention to expand to the U.S. and concerns about that.
Original Dutch: “8 Bent u bereid om het bestuur van de AMS-IX te adviseren over de manier waarop de Nederlandse belangen optimaal gediend kunnen worden door een robuuste juridische en technische constructie tussen de Nederlandse en buitenlandse vestigingen? Zo ja, op welke wijze wilt u dit doen?
Het staat Nederlandse bedrijven vrij om in het buitenland te ondernemen. Het ligt niet in de rede dat de overheid daarin adviseert. AMS-IX heeft overigens aangegeven de verdere juridische uitwerking in het buitenland verder te verkennen om te komen tot een robuuste juridische en technische constructie. Overigens heeft het ministerie van Economische Zaken direct na bekendmaking van het voornemen en de zorgen daarover contact gelegd met AMS-IX.”

[2] http://nos.nl/artikel/553680-nederland-opent-deur-voor-nsa.html

[3] Zie voor de meest recente actualisatie d.d. 4 februari 2013 Kamerstukken 29515, nr 346

Related:

EOF

Dutch govt response to Parliamentary questions about NSA wiretapping international phone traffic

Posted on by mrkoot

UPDATE 2013-11-27: here (.pdf, Nov 27) is the EU Report on the Findings by the EU Co-chairs of the ad hoc EU-US Working Group on Data Protection — i.e., the EU-US expert group established in response to the revelations about NSA-related activities on European territory that is referred to in the post below.

UPDATE 2013-11-01: also see Dutch govt position concerning U.S. spying for economic purposes + answers to Parliamentary questions re: Snowden/Le Monde 

 

On October 11th, the Dutch cabinet responded (.pdf, in Dutch) to Parliamentary questions about the NSA intercepting international phone traffic via telecom providers. The response is only available in Dutch; here is my English translation. Hyperlinks are mine.

WARNING: this is an unofficial translation.

Answers by the Dutch Ministry of the Interior and Kingdom Relations, the Ministry of Economic Affairs, and the Ministry of Security and Justice to questions by Dutch ParliamentQuestions by Members of Parliament Schouw and Verhoeven (D66 party) to the secretaries of the Ministry of the Interior and Kingdom Relations, the Ministry of Economic Affairs, and the Ministry of Security and Justice about the U.S. National Security Agency (NSA) wiretapping telephone communications via telecom providers (submitted September 18th 2013).
Original Dutch: “Vragen van de leden Schouw en Verhoeven (beiden D66) aan de ministers van Binnenlandse Zaken en Koninkrijksrelaties, van Economische Zaken en van Veiligheid en Justitie over het bericht dat de Amerikaanse National Security Agency (NSA) via telecomaanbieders het internationaal telefoonverkeer afluistert (ingezonden 18 september 2013)”

Are you aware of the news that the U.S. intelligence service NSA has been eavesdropping since 2011 on telephone traffic that is routed via the Belgian telecom provider Belgacom? [0]
Yes.
Original Dutch: “1 Heeft u kennisgenomen van het bericht dat de Amerikaanse inlichtingendienst NSA zich sinds 2011 toegang verschaft tot telefoonverkeer dat via de Belgische telecomprovider Belgacom verloopt? [0]”
Ja.
What is your response to the fact that the U.S. intelligence service NSA has gained access to one of the largest telecom companies in a direct neighbor country of the Netherlands?
The article in De Standaard (English translation) states, among others, that no certainty exists about who is responsible for the compromise of the infrastructure of the Belgian company Belgacom. Covert activities of state actors can not be ruled out, in principal.
Original Dutch: “2 Wat is uw reactie op het gegeven dat de Amerikaanse inlichtingendienst NSA zich toegang heeft verschaft tot een van de grootste telecombedrijven in een direct buurland?
Het bericht in De Standaard meldt onder meer dat niet zeker is wie verantwoordelijk is voor de inbreuk op de infrastructuur van het Belgische bedrijf Belgacom. Heimelijke activiteiten van statelijke actoren zijn in beginsel niet uit te sluiten.”

Did similar security breaches on communication infrastructure of Dutch telecom providers occur in the last two years? If so, what was the nature of the breach, how often did it occur and did it involve placement of malware by a foreign intelligence service?There are no indications for a similar breach of the infrastructure of Dutch providers of telecommunication services. The General Intelligence and Security Service (AIVD) is running an investigation as a result of the news. There are no indication yet that the Netherlands is a direct target of the attack. The breach of KPN in early 2012 was, by the way, no activity of an state actor. KPN has taken additional security measures as a result of that breach.
The AIVD has repeatedly highlighted the vulnerabilities of the Dutch IT infrastructure and the threat of digital espionage. The Dutch society and economy is highly dependent on IT, and the IT infrastructure is highly vulnerable. In addition, digital attacks are increasingly complex and advanced. The impact of digital attacks on the national security and the economic well-being of society can be particularly strong.
Original Dutch: “3 Zijn er afgelopen twee jaar vergelijkbare veiligheidsinbreuken geweest op de communicatieinfrastructuur van Nederlandse telecomaanbieders? Zo ja, wat was de aard van de inbreuk, hoe vaak heeft het zich voorgedaan en was er sprake van malware geplaatst door een buitenlandse inlichtingendienst?
Er zijn geen aanwijzingen voor een vergelijkbare inbreuk op de infrastructuur van Nederlandse aanbieders van telecommunicatiediensten. De AIVD doet onderzoek naar aanleiding van de berichten. Er zijn vooralsnog geen aanwijzingen dat Nederland een direct doelwit is van de aanval.
De inbreuk bij KPN in het voorjaar van 2012 was overigens geen activiteit van een statelijke actor. KPN heeft naar aanleiding van die inbreuk aanvullende veiligheidsmaatregelen genomen.
De AIVD heeft herhaaldelijk gewezen op de kwetsbaarheden van de Nederlandse ICT- infrastructuur en de dreiging van digitale spionage. De afhankelijkheid van de Nederlandse samenleving en de economie van ICT is aanzienlijk, en de kwetsbaarheid van de ICT is hoog. Digitale aanvallen worden daarnaast steeds complexer en geavanceerder. De impact van digitale aanvallen op de nationale veiligheid en het economisch welzijn van de samenleving kan bijzonder groot zijn.”

Do you know whether Dutch telecom providers commissioned an examination for very advanced malware on their communications infrastructure in the last three years? If so, what is the outcome? If not, do you intend to insist that these companies commission such an investigation, considering the U.S. practice and possible hacks by other nations?
Private parties, including the providers of public electronic communication services, are responsible for the security of their own infrastructure. The Telecommunications Act obliges the providers to ensure the integrity and security of their networks and services, and the confidentiality and availability of services. This involves technical and organizational measures. The major provides structurally use their own capacity. If they deem it necessary, they involve expertise of third parties. Recent media reports underline the importance of these measures. If necessary, the government can require the provider to take certain technical or organizational measures or to commission a security examination by an independent party (fifth and sixth paragraph of section 11a of the Telecommunications Act). Following the news reports, KPN commenced additional investigations.
The AIVD and National Cyber Security Center (NCSC) support vital sectors in securing IT infrastructure. The AIVD has, among others, developed a method for the analysis of vulnerability to espionage. Digital espionage is one of the areas of interest. This method has been brought to the attention of vital sectors to support them in eliciting vulnerabilities.
Original Dutch: “4 Is u bekend of Nederlandse telecomaanbieders afgelopen drie jaar een veiligheidsonderzoek hebben laten uitvoeren naar zeer geavanceerde malware op hun communicatie-infrastructuur? Zo ja, wat is daarvan de uitkomst? Zo nee, bent u in het licht van de Amerikaanse praktijken en mogelijke hacks door andere landen, voornemens om bij telecomaanbieders aan te dringen op een dergelijk onderzoek?
Private partijen, waaronder aanbieders van openbare elektronische communicatiediensten, zijn zelf verantwoordelijk voor de veiligheid van hun infrastructuur. De Telecommunicatiewet (Tw) bevat voor deze aanbieders verplichtingen voor de borging van de integriteit en de veiligheid van hun netwerken en diensten, waaronder het waarborgen van de vertrouwelijkheid van de telecommunicatie en de beschikbaarheid van de dienstverlening. Het gaat daarbij om technische en organisatorische maatregelen. De grote aanbieders zetten hiervoor structureel eigen capaciteit in. Indien zij dat nodig achten, zetten zij hiervoor expertise van derden in. De recente berichten in de media onderstrepen het belang van deze maatregelen. Indien daar aanleiding voor is, kan de aanbieder worden verplicht bepaalde technische of organisatorische maatregelen te nemen of een veiligheidscontrole door een onafhankelijke deskundige te laten uitvoeren (art. 11a vijfde resp. zesde lid van de Telecommunicatiewet).
Naar aanleiding van de berichtgeving is KPN gestart met het uitvoeren van aanvullende onderzoeken.
De AIVD en het NCSC ondersteunen de vitale sectoren bij het beveiligen van hun ICT- infrastructuur. De AIVD heeft onder meer een methodiek ontwikkeld voor de analyse van kwetsbaarheden voor spionage. Digitale spionage is daarbij één van de aandachtspunten. Deze methodiek is bij de vitale sectoren onder de aandacht gebracht om hen te ondersteunen de eigen kwetsbaarheden inzichtelijk te maken.”

Have you, or have the Dutch telecom providers, in recent years received requests from the U.S. intelligence service NSA or other foreign intelligence services to provide access to international phone traffic? If so, how did you respond?
The government does not know whether foreign powers approached Dutch telecom providers. No public statements are made about contacts between the Dutch intelligence and security services and foreign services.
Original Dutch: “5 Heeft u of Nederlandse telecomaanbieders afgelopen jaren verzoeken ontvangen van de Amerikaanse inlichtingendienst NSA dan wel andere buitenlandse inlichtingendiensten, om toegang te verschaffen tot internationaal telefoonverkeer? Zo ja, wat was daarop de reactie?
Het is de regering niet bekend of buitenlandse mogendheden Nederlandse aanbieders van telecommunicatie hebben benaderd. Over contacten tussen de Nederlandse inlichtingen- en veiligheidsdiensten en buitenlandse diensten worden in het openbaar geen mededelingen gedaan.”

Did you bring up the topic of hacks on European, and Dutch communication systems in particular, with the U.S. government? If so, what was the outcome of those conversations? If not, do you intend to bring up the privacy violation of Dutch citizens with the U.S. government?
Are you willing to actively put the infringements by the U.S. and possibly other countries on the agenda of the next Council of Justice and Home Affairs (JHA Council) and to plead for a joint European stand against these violations of the privacy of European citizens?
The European Commissioners of Justice and Home Affairs have consulted the U.S. Attorney General on June 14th following the media reports. An EU-US expert group is currently addressing the protection of privacy and of electronic data of citizens, with the aim of mutual understanding of each other’s programs and how those are anchored in the rule of law. The Dutch government supports this initiative. It is expected that the expert group will complete its final report this fall. PRISM was discussed in the margins of the JHA Council of October 7th.
Original Dutch: “6 Heeft u de hacks op Europese, en Nederlandse communicatiesystemen in het bijzonder, aan de orde gesteld bij de Amerikaanse regering? Zo ja, was de uitkomst van die gesprekken? Zo nee, bent u voornemens de privacyschending van Nederlandse burgers aan de orde te stellen bij de Amerikaanse regering?
7 Bent u bereid de inbreuken door de VS en mogelijk ook andere landen, actief te agenderen in de eerstvolgende Raad van Justitie en Binnenlandse Zaken (JBZ-Raad) en te pleiten voor gezamenlijk Europees optreden tegen deze schendingen van privacy van Europese burgers?
6 & 7: De Eurocommissarissen van Justitie en van Binnenlandse Zaken hebben naar aanleiding van mediaberichten op 14 juni jl. overleg gevoerd met de Amerikaanse minister van Justitie. Inmiddels buigt een EU-VS expertgroep zich over de bescherming van de persoonlijke levenssfeer en van elektronische gegevens van burgers, met als doel wederzijds inzicht in elkaars programma’s en de wijze waarop deze zijn verankerd in de rechtsstaat. De Nederlandse regering steunt dit initiatief. Naar verwachting voltooit de expertgroep dit najaar zijn eindrapport. Het onderwerp PRISM is besproken en marge van de JBZ-raad van 7 oktober jl.”

[0] http://www.standaard.be/cnt/dmf20130915_00743233 (English translation)

Related:

EOF

SURFnet: ‘AMS-IX should not set up shop in U.S.; we ought to deliberate on U.S. spying capabilities’

Posted on by mrkoot

UPDATE 2013-11-07: Automatisering Gids reports (in Dutch) that AMS-IX evades the PATRIOT Act in its expansion to the U.S.:

“AMS-IX has found a legal structure to operate in the U.S. without having to deal with the PATRIOT Act in the Netherlands.

AMS-IX is setting up a fully independent company in Delaware which will manage the exchange nodes in the United States. This also means that employees and directors cannot be exchanged between the two organizations. The U.S. company is a subsidiary of AMS-IX BV, that acts as the sole shareholder. The U.S.-based entity will be granted access to the necessary intellectual property through licensing.

This structure is devised with the international law firm Jones Day and aims to protect the Dutch AMS-IX BV and the AMS-IX Association against U.S. laws such as the USA PATRIOT Act.

Earlier the plans of AMS-IX for expansion into the United States were opposed because of the possible interference of the U.S. justice and security services in the Dutch establishment of AMS-IX.

AMS-IX takes into account a possible extension of the PATRIOT Act that would allow the construction to still become subject to U.S. jurisdiction. In that case, an independent Dutch foundation can be set up within a week to further separate the activities. AMS-IX chooses the current structure because the benefits from economy of scale.”

This is the provisional end of the story.
 
UPDATE 2013-11-06: AMS-IX USA Inc. to Deploy an Open-IX Internet Exchange in New York 
UPDATE 2013-10-02: here is a blogpost (in Dutch) about how some of the AMS-IX members voted. 
UPDATE 2013-09-30: AMS-IX is expanding to the U.S.: 123 out of some 600 members voted in favor of expanding, 102 opposed, 14 abstained. The U.S. branch of AMS-IX will obviously be subject to FISA and the Patriot Act. One possible outcome is that the U.S. will get more / easier access to EU internet traffic that travels via AMS-IX. The AMS-IX management will examine how the Dutch/European AMS-IX can be legally protected. @sigwinch adds: “Internal AMS-IX post claims ‘INC’ would not expose ‘BV’ directly to US law but org/ops firewall needed to complete pic.

 

AMS-IX, the Amsterdam Internet Exchange, is one of the largest internet exchanges in the world. On September 23rd, AMS-IX issued a press release about a proposal to set up shop in the U.S. for possible expansion. On September 27th, the Dutch NOS brought the news that one of the biggest AMS-IX members, SURFnet, is against the proposal, citing concerns about U.S. spying capabilities.

Below I my translation of the NOS news report of September 27th. After reading it, go read Considerations on the expansion of AMS-IX to the US, posted by Bits of Freedom on September 25th. Do NOT forget to read the comments there.

SURFnet against establishment AMS-IX internet hub in U.S.

The proposal of the Amsterdam Internet Exchange (AMS-IX, the most important internet exchange of the Netherlands) to set up shop in the United States is not supported by SURFnet, one of its most important users.

Today, members of the AMS-IX will vote on the directors’ proposal to set up shop in the United States. Some are concerned that it will invite activities of American secret services such as the NSA.

Wiretapping capabilities
SURFnet provides for internet communication between universities, academic hospitals and other scientific institutions. In an email message addressed to other members, SURFnet explains that is against the proposal, among other because of concerns about the wiretapping capabilities of the Americans.

“If data are collected under U.S. law, foreign users only have very limited protection, because U.S. constitutional guarantees do not apply to them,” states SURFnet.

Legal extremism
More and more experts are speaking out against the plan of the AMS-IX. Professor Bart Jacobs (Radboud University) states that it is incomprehensible “that our own critical Internet Exchange AMS-IX” wants to open a branch in the U.S.

According to Jacobs, the AMS-IX thereby voluntarily subjects itself to the Patriot Act, meaning that U.S. authorities can compel access to our internet traffic. “Snowden will ask himself: do they still not understand things in the Netherlands?”

XS4ALL-cofounder Rop Gonggrijp states that “considering the growing legal extremism in the U.S., and recent revelations”, the potential consequences of the AMS-IX proposal should be thoroughly investigated first.

I commend SURFnet for acting prudent, cautious, diligent, in this serious matter.

Related:

EOF

Project Symbolon completed: the Dutch Joint SIGINT Cyber Unit (JSCU) is born

Posted on by mrkoot

UPDATE 2014-07-03: June 15th 2014: Dutch Joint Sigint Cyber Unit (JSCU) officially started
UPDATE 2014-03-07: the JSCU will officially start on May 1st 2014
UPDATE 2013-12-12: according to the Dessens report, there is an `Executive Board JSCU’ (Dutch: “de `Bestuursraad’ JSCU”) that consists of the three Secretary-Generals of General Affairs (chair), the Interior, and Defense. Plans exist to extend the `Executive Board’ for other issues than just the JSCU. In the opinion of the Dessens Committee these developments `fit well with the recommendation to give these three persons a joint coordinating role of the intelligence and security services’.

 

Here’s an English translation of an article in Dutch news paper NRC Handelsblad of September 24th 2013. Hyperlinks are mine.

MIVD and AIVD carry out operations in cyberspace under a new nameThe Dutch General Intelligence and Security Service (AIVD) and Military Intelligence and Security Service (MIVD) join forces in a new unit, the Joint SIGINT Cyber Unit (JSCU), focused on cyber operations and eavesdropping of radio traffic. The JSCU was previously known under the working title Project Symbolon.

This was confirmed by a spokesperson of the services. The unit must be operational at the beginning of 2014. Some 350 people will be working there.

The JSCU head quarters will be located in the AIVD building in Zoetermeer. Other departments will be located in The Hague, where the MIVD is located. The existing joint AIVD/MIVD organization that intercepts and analyzes satellite traffic, the National SIGINT Organization (NSO), will be merged into the new unit. The NSO operates at two locations: dish antennas to receive signals are located in Burum, and the analysis is carried out in Eibergen. These two locations will remain operational.

The JSCU is tasked with, among others, developing instruments to counter “advanced” threats such as cyber attacks. The security of many Dutch government services was endangered as a result of the hijacking of electronic signatures issued by certificate authority DigiNotar. Cooperation with intelligence services of allies to recognize threats and developing responses are crucial, according to the AIVD and MIVD.

The quartermaster appointed by the AIVD and MIVD completed the blueprint for the new organization. The legal framework within which the JSCU should operate is not yet complete, however. The current Dutch Intelligence and Security Act 2002 (Wiv 2002) does not permit the services to wiretap “cable-bound communications” under all circumstances. When it was drafted in 2002, this clause was not significant as all international voice, text and data communication was carried, at some point among the path, via a wireless connection. Today, this is different.

The so-called commission-Dessens is now investigating if and how the Dutch law needs to be changed. The conclusions of the commission’s inquiry are expected to appear in 2013.

The establishment of this joint AIVD/MIVD unit was planned in the Dutch MoD Cyber Strategy (.pdf, September 2012, in English):

In the coming years, the [MIVD] will expand its capability for the covert gathering of information in cyberspace. This includes infiltration of computers and networks to acquire data, mapping out relevant sections of cyberspace, monitoring vital networks, and gaining a profound understanding of the functioning of and technology behind offensive cyber assets. The gathered information will be used for early-warning intelligence products, the composition of a cyber threat picture, enhancing the intelligence production in general, and conducting counterintelligence activities. Cyber intelligence capabilities cannot be regarded in isolation from intelligence capabilities such as signals intelligence (SIGINT), human intelligence (HUMINT) and the [MIVD]’s existing counterintelligence capability. A decisive factor for the effectiveness of operations is the combined deployment of scarce expertise and assets. With that in mind, the [MIVD] and the [AIVD] are intensifying their cooperation in the areas of cyber and SIGINT by establishing a joint SIGINT-Cyber Unit. The establishment of this unit should further improve the effectiveness of the national cyber intelligence capability. The [MIVD] will also contribute to the further development of the National Cyber Security Assessment which is being formulated under the responsibility of the National Coordinator for Counterterrorism and Security of the Ministry of Security and Justice.

EOF

Belgacom — “On the brink of catastrophe” (translation)

Posted on by mrkoot

UPDATE 2018-09-20: according to Belgian news paper De Tijd, a new confidential report by the Belgian public prosecutor delivered to the Belgian government contains new clues pointing to GCHQ’s involvement in the Belgacom hack. The public prosecutor investigated a link to a computer in Indonesia, and when asking for information about its IP address, had learned that the British government had also asked questions about it. Furthermore, computers traced to other countries could be linked to the U.K., because some had been paid using anonymous prepaid payment cards that had been bought in the U.K. And lastly, when computer specialists were able to secure a copy of the malware back in 2013, it was found to contain names like `Daredevil’ and `Warriorpride’; from documents leaked via Snowden it is apparent that these names can be linked to CNE activities by GCHQ and the NSA.
UPDATE 2014-12-13: 10 new documents released. Three new stories. latter two in Dutch. 1)  The Inside Story of How British Spies Hacked Belgium’s Largest Telco (The Intercept), 2) Lees hier hoe de Britse geheime dienst GCHQ Belgacom aanviel (in Dutch, NRC Handelsblad), 3) Britse spionage bij Belgacom ging veel verder dan bekend (in Dutch, NRC Handelsblad)
UPDATE 2014-11-24: Secret Malware in European Union Attack Linked to U.S. and British Intelligence (The Intercept)
UPDATE 2014-10-26: GCHQ cyber-attack cost €15m, says Belgacom security head Fabrice Clement (Computing.co.uk)
UPDATE 2014-05-30: Slides from Hack in the Box 2014 Amsterdam: HITB2014AMS – Day 2 – On Her Majesty’s Secret Service: GRX & A Spy Agency
UPDATE 2013-12-04: Flemish newspaper De Tijd reports (in Dutch) that Belgacom is still struggling to control the remains of the malicious spyware at BICS. The remaining malware is said to be “so complex” that it baffles experts.
UPDATE 2013-11-10: here are a few Snowden-slides from GCHQ that mention Belgacom (click to enlarge). Der Spiegel reported (in English) that GCHQ used fake, malicious LinkedIn and Slashdot sites to lure Belgacom engineers and get malware on their computers to obtain access to a GPRS roaming exchange (GRX) router system operated by Belgacom-subsidiary BICS. 

 
UPDATE 2013-09-27: The Belgacom compromise reinforces the correctness of the “Two Axioms for the Information Age” (I don’t know who first coined these): 1) Any device with software-defined behaviour can be tricked into doing things its creators did not intend; 2) Any device connected to a network of any sort, in any way, can be compromised by an external party.

 

Here is a careful English translation of this original article by Peter De Lobel and Nikolas Vanhecke in Belgian news paper De Standaard. Hyperlinks and parts in [] are mine.

On the brink of catastrophe (2013-09-21)

Ping. It’s Friday the 13th. Around 11 o’clock in the morning, the IT consultants that Belgacom employs at its largest customers in the private and public sector receive a message. The message doesn’t say much, except for an urgent request to cancel all appointments of that forenoon. An “emergency conference call” will take place instead.

The news that is brought in that call makes the IT consultants gasp for breath.  A piece of malicious software has been found on the network of BICS, a daughter company of Belgacom. It is hard to grasp even for well-informed insiders. The BICS network is so wide and deep that it is promptly clear to everybody that this is not just a Belgian problem. This problem is at least of European proportions. Because whoever controls BICS, controls the communication of a large part of the world. “This could have been larger than 9/11”, says one source who closely followed the case. Without a grain of irony.

The pressure on the teams of the Dutch digital defender Fox-IT, that started cleaning up together with an army of Belgacom employees last weekend, was enormous.

It was their second attempt, various sources confirm. A first attempt to remove the villainous software from the infected computers at Belgacom in the last weekend of August was cancelled. “At the time, not all conditions were met required to remove everything at once”, it was said. Some computers turned out to run the alternative operating system Linux, known of the penguin logo, not Windows. “The risk was too big that we could not remove everything at once.  In that case you should not touch it. Or the adversary will know that the virus has been found”, states someone politically involved.

Strict conditions

The investigation of the hacking started on July 19th, when Belgacom went to court. During their work, investigators at the intelligence services, police and justice were very wary of a leak about the entire operation. In early September they informed the Belgian cabinet on strict conditions: the list of attendees of that meeting was kept closely. If a politician would have wanted to reveal the news before the malware was dealt with, the investigators would press charges for breach of confidentiality of the investigation. “We could not risk everything going wrong due to someone talking”, it is said.

Belgacom was not infected with some common viruses, but with very professional malware that costed lots of money to develop. “We had to re-invent ourselves to do this”, an investigator said. “In other investigations there is a fixed idea of where you’re going, but in in this case it was continuously starting over because it was so difficult to get a grasp of the malware”.

Gradually it became clear that the hackers are not only interested in the communications in the Middle-East, where BICS holds a solid position via South-African minority shareholder MTN. “They have been looking around and took what they could”, state sources involved in the investigation. They are clear about one thing: the attack originated from the United States. “We determine that by the signature of the malware, but especially by where the trails lead.  They partially run through the UK. We think the US is the main destination. And the past weeks at the US Embassy, you notice some embarrassment when you request exchange of information.” Yesterday, the German weekly magazine Der Spiegel reported that the UK intelligence service GCHQ (Government Communications Headquartes) are responsible for the attacks. It based that claim on slides disclosed by whistleblower Edward Snowden. The news that GCHQ is behind the Belgacom attack is a surprise to at least the services working on the affair.

The malware could do anything

The malware at Belgacom actually consists of a complex system of complementary viruses. They are all connected. If a problem is imminent or if they are detected, they can signal each other. “It is somewhat like a human virus, which also mutates continuously”, states someone involved who monitors the situation for his service.  “For example, one part is responsible for searching and storing information, while another part is continuously looks for pathways to the internet to transfer information. Other pieces of code are responsible for circumventing firewalls, or carry out surveillance.  If someone detects the hacking or attempts to remove a part of it, the virus that is acting as a guard promptly signals the other parts. Because you don’t know what the malware is capable of, everything can go horribly wrong at the last step.”

The cost of the entire detection and cleaning operation is correspondingly high. Fox-IT, the Dutch cyber security/defence company that is commissioned by Belgacom to first make inventory of the problems and then solve them, is a familiar name. “For the first two weeks they estimated the costs to be one million euro”, states a well-placed source. And then adds that the entire operation lasted ten weeks. Moreover, Fox-IT did not expect that, at a certain point, it had to allocate all of its employees to this case. A price tag of over five million euro, then? “It won’t be far off.”

But what was so terrifying about this cyber attack? And why the panic that something would go wrong? Telephone data about conversations with countries such as Afghanistan, Yemen and Syria that disappear, how could that have such an impact? They are ‘just’ stolen phone data, right? The involved expert sitting opposite us, looks dead serious.  There is drama in his voice, but considering the contents of what he says, that is not unjustified. “This was highly performing malware and it was present in the nerve centre of communications.  Anything that a highly privileged network operator of Belgacom could do, this system could do as well. I don’t have to make a drawing of it? It had all the keys, all the passwords and full control. We must dare to classify this as a big crisis. This could have been a catastrophe. And people don’t seem to realize.”

Sensitive customers

Perhaps it wouldn’t hurt to make that drawing. BICS calls itself a “wholesale carrier”. Two words, four syllables, but behind it is a network that spans the entire globe and the beating heart of which is located in our capital, Brussels. BICS provides the hardware infrastructure that carries internet traffic, phone conversations, text messages and mobile data of telecom companies and government institutions. And the more sensitive the customer, the more likely he is the end up at BICS. The daughter company of Belgacom markets itself with the argument that they never ever look at what travels over its cables. “We provide the cables for you, and you just send whatever you want over them”, is what it basically boils down to.

A glance at the list of BICS’ customers makes one dizzy. The financial transport center Swift, Electrabel, bpost, Belgocontrol, they are all connected to BICS.  The NATO in Evere, the European Commission and Parliament, SHAPE, the Supreme Headquerters Allied Powers Europe, in Bergen; BICS, BICS, BICS. Even the headquarters of the NATO Allied Air Command, in Ramstein, Germany, from where the 2011 air attacks on Libya where coordinated, depends on BICS. Among the military, it is pointed out that military communications has an extra layer of security; but that pointing-out happens with a degree of humility that is very unusual to the military.  “Every organisation, not just the government, must now begin to wonder whether it is dependent of one single provider, of one single network. And specially how well it is secured itself”, states someone who was at the front row of the affair. “Belgacom, that is critical infrastructure. How can Belgium keep running without it? Those are the questions that we must ask now.  Because the organisation responsible for the attack has in fact the capability to completely disrupt Belgacom and BICS.” A different source confirms, reluctantly, the doom scenarios: “You can’t think of it. It would be larger than 9/11. The planes would pretty much fall out of the sky.” As a figure of speech?  “Hm, yeah.”

Lifeline

A governmental source points out the consequences of even a limited disruption of phone communications and internet. “If a crisis occurs, what is the first thing a human does? Grasp their phone. Imagine that that lifeline is lost.  Not just for you, but also for the emergency services, hospital, the fire department…? And for the police? At first glance it isn’t, because they use the Astrid network [a Belgian national radio communications network intended for emergency services].  But that network only works apart from BICS for local communications.  For interregional communications it is just as dependent on BICS as the rest. Hence, it is no coincidence that police chief Catherine De Bolle started looking for a backup for the communications system of the federal police on that Friday the 13th, just before the big cleaning operation would have started.

How long would it take before Belgacom was up and running again after a destructive cyber attack, is unclear. “But it is clear that we are not prepared to counter this type of attacks right now”, states a high-ranking source. “That awareness must finally start to grow. I am very apprehensive for the feeling of relief that I already observe in some people. ‘Ah well, that has been nicely dealt with. It’s over.’ It’s not, mind you. Whoever doesn’t realise, this week, that it is urgent, will never get it. Playing things down now is dangerous.”

After De Standaard brought the news of large-scale hacking at Belgacom, it turned out that the Ministry of Foreign Affairs and the cabinet of the prime minister had been hacked. “And this is merely the top of the iceberg”, states a source who was involved in the problems at Belgacom.  Because telecom is one thing, but there are many other critical sectors that are the fundament of a country. Transportation, for example. Trains, trams, busses, highways, airplanes, everything involves computer networks and everywhere one should be cautious for cyber attacks. The energy supply is another critical fundament. And last but not least: the banking sector of a country. Luxembourg has already contacted the Belgian cyberservices [?] to obtain more information about the malware that hit Belgacom.

Awareness

Besides budgets and well-paid IT personnel, the remedy against the growing cyberthreat will be found in improved awareness. “Belgium wants to invest in knowledge and innovation, but if one sector is vulnerable to espionage, it is that one. Just as many computers of the global diplomatic network of Foreign Affairs have post-its one them with the passwords, many small companies are slacking in their security”, a cyber specialist states. “And if you dare ask whether their Chinese interns are thoroughly screened, they look at you as if you’re from another planet.” Whether the gravity of the situation is apparent to everyone, is doubtful. In official communications, Belgacom states that it currently has no evidence of impact on its customers or their data.  Understandly, the company does not want to trigger hysteria, but it sounds like down-playing nonetheless. “What should we write then?”, states spokesman Jan Margot in his response. “The infection was at dozens of computers in our own system. They have been cleaned together with the entire network.”

BICS too doesn’t say much about it. “There are no indications of an impact on the telecomnetwork of BICS”, it states in a press release.  “A number of our IT systems are integrated in the infrastructure of Belgacom and are affected in that way, but that remained outside the network that carries customer traffic.”

“That’s all put rather euphemistically”, according to the investigators involved.  “But you cannot accuse them of lying. A lot of thought went into every comma of the communication.”

Joke

Did Belgium become the joke of de European mainland as a result of the compromise of Belgacom? Intelligence services are continuously in contact with each other and exchange information. For the image of our country, the past week has been anything but stellar, but it is emphasised nonetheless that in such contacts it is often also about personal relations between people. “Moreover, all countries have problems and everyone tries to rise above them.”

What about ethics? Isn’t it schizophrenic that our country, Belgium, receives information about threats that the US or others have stolen from us? “That is the eternal paradox”, a recipient of such information states. Diplomatically it is the hardest. But if you receive information about a serious threat such as terrorism, you cannot ignore it. Then you have different things on your mind.

EOF