Dutch Minister of Defence: Cyber to get its share

Dutch Defence minister Hans HillenConfirming earlier official documents published by the Dutch government, the new Dutch Defence minister Hans Hillen re-stated that the Dutch armed forces will indeed be spending part of its budget for 2011 on Cyber Warfare related activities. This confirmation can be found in the online transcript of the debate.

The relevant paragraph containing said confirmation reads:

<…>”And then there are the technological advances. Right now we’re faced with Wikileaks. You can judge this all you like, and they do so gratuitously in America, but at the same time this acts as a severe warning about leaks in information flows. If WikiLeaks can do it, others can too. Apparently our connections are vulnerable too. This should be a warning for us to be more careful. Cyber Warfare will be a far greater point on our agenda tomorrow or the day after that. ”

<….> “I have one more topic that goes to Personnel, but also to decisionmaking. Its about the furnishing of Defence and involves Cyber. I don’t want to spend too much time on this, because I still have some decisions to make, but Cyber will receive some serious attention. It will be discussed with positive light in the upcoming policy letter.”

I don’t suppose that this would be the time to point out to Minister Hillen the finer points about Wikileaks, in that Wikileaks itself was not the perpetrator of the leak but the receiving party. Instead it was 22-year-old US Army intelligence analyst PFC Bradley Manning who leaked classified information (to which he had access without breaking in) to Wikileaks. Since this is a matter of internal security and vetting of your personnel, something I hope the Dutch Defence department already does as a matter of standard, I fail to see how this relates to Cyber spending but I digress. Any progress is progress and The Netherlands can surely need it.

Dutch Dept. of Defence CIO speaks on Cyber Warfare

Major General Koen Gijsbers(Apologies for my tardiness regarding the posting of this information, I was too engrossed in work to post this sooner. I had planned to see this talk of Major General Gijsbers myself, but I was denied access at the door due to too many people already being in the room. Therefore the information below is gleaned from an article on security.nl (in Dutch) and the (Dutch) slides he used during his presentation.)

Maj. General Koen Gijsbers spoke at the InfoSecurity convention in Utrecht on november 4th this year, and his take on Cyber Warfare confirms a lot of what I previously posted. Regardless of budget cuts, the Dutch Department of Defence still wants to invest in the development of cyber warfare capabilities. “Our citizens expect that if everything stops working in the Netherlands, the army will come in and help out. For that to be possible, our networks need to remain operational.” he said during his presentation. “However, we are not just investing in defence. If you only defend yourself, you’ll eventually lose the war too.”

Gijsbers went on to say that the most gain can be had in cyber defence, even though the Defence network is already heavily secured. Another major point they will be focusing on is Awareness. “The main point is that people need to be aware that there are consequences to their actions”.  For instance, USB sticks are strictly off-limits around confidential systems. In those rare cases where they are allowed, they use encrypted USB sticks. Gijsbers goes on to note that it doesn’t even matter what is on the sticks. “Whether there is useful information on the sticks is irrelevant. If someone finds a DoD USB stick they can read, even if it’s useless information, your image is damaged severely.”

When asked if the Netherlands possessed offensive cyber capabilities, the General noted that there are several countries that are being suspected of having offensive capabilities. None of them ever publicly admitted it, and he wasn’t about to be the first. He did add that you need knowledge of offensive capabilities to defend yourself properly, so we can safely assume that there will be some research on offensive capabilities going on.

Unlike some other countries, the Netherlands doesn’t have a specific battalion for cyber warfare. This may change in the future. Its one of the things currently being considered by the ministry, Gijsbers said. “In this day and age you have to compete with other capabilities, and the budget is getting cut. We may develop special cyber warfare units in the future.”.

When asked how the General felt about privacy and control issues currently being debated, he stated that the army has no intention to control the internet. “We’re not in charge of the Internet. Its just another theatre we operate in, and we have to accept that as it is.” He went on to say that the government shouldn’t try to solve every problem. “There’s a line between the government, citizens and corporate entities. We all have to chip in.”

He wasn’t opposed to cyber reservists; volunteers that help in securing systems. Estonia created such an organization of reservists after the cyber attacks in 2007, and the US also has a large core of such reservists. “I think its a great idea. Its a great idea because there are a large number of reservists that were actually trained by the army at some point, and have the capabilities to help us. The question is how to organize something like this? ” He added that military knowledge probably wouldn’t become a requirement to help out, if such an organization ever came into existence.

Dutch government to design Cyber Defence doctrine

Cyber WarfareIn the past I’ve always said that the Dutch government needs to do more in the area of Cyber Warfare / Cyber Security because there didn’t seem to be too much going on. Our Defence department didn’t post anything about starting up a Cyber Command, nor was there any government activity to be seen. However, though it wasn’t easy to find, there does finally appear to be some movement on the horizon.

During a meeting about the 2010 Defence budget, members Knops (CDA), Voordewind (CU) and Eijsink (PVDA) established that there was no mention of Cyber Warfare in the budget. They note that Cyber Warfare is an issue of great concern, and submitted motion 32 123x nr. 66 (in Dutch) to start interdepartemental development of a Cyber Security Strategy and urges The Netherlands to start actively participating in NATO initiatives on the subject.

In a letter by the Minister of Defence (again in Dutch), Eimert van Middelkoop acknowledges that rapid developments in technology have also led to certain threats such as cyber crime and cyber warfare. He describes what is understood by the term Cyber Warfare and how it relates to his department, along with how various other ministries also have responsibilities regarding cyber security issues.

A brief overview:

  • Interdepartmental coordination of Cyber Security in general is handled by the Ministry of the Interior through the National Security Program;
  • Cyber Crime is handled by the Ministry of Justice;
  • Cyber Terrorism falls under the National Coordinator of Counter-Terrorism (NCTb);
  • Cyber Defence is a shared responsibility between the Ministry of Defence and the Ministry of the Interior;
  • National Critical Infrastructure is handled by the Ministry of Economics

Minister van Middelkoop asserts that commercial parties also have a role to fulfill in the development and implementation of a cyber security strategy, to which I can only wholeheartedly agree. The next paragraph of this most clarifying letter confirms the existance of the Defence departments’ own CERT (DEFCERT), and its responsibilities towards defending its networks. In a separate letter he mentions that DEFCERT is growing and is expected to be fully operational in 2012.

Probably the most important information that can be obtained from this letter is in the final paragraph. It contains The Netherlands’ intentions in this area, which resemble those of Great Britain:

  • Creation of a Cyber Defence doctrine and implementation of a strategy;
  • Development of a Cyber Incident Responce strategy;
  • Investigation of Cyber Intelligence Gathering and the legal ramifications thereof;
  • Establishment of bilateral communications and best practices with NATO and the CCDCOE in Tallinn, Estonia

Compared to what has been released by the Dutch government on this topic, its a lot of information that suddenly became available. As a concerned Dutch citizen, I am very happy to see that this threat is finally addressed. With the dependency on technology growing every day, cyber security will continue to grow in importance along with it. If we do not work towards creating a safer cyberspace now, the consequences could be dire.