Dutch MoD releases Defense Cyber Strategy

At long last, the Dutch Ministry of Defense has published a crucial piece of Cyber Doctrine by publishing its Cyber Strategy [PDF Alert – Dutch]. It was given quite a nice introduction by the Dutch Minister of Defense Hans Hillen, who introduced it during the MoD’s Cyber Symposium in Breda on the 27th of june. During this introduction it was also asserted that over 90% of all attacks to Dutch military systems and networks was of Chinese origin, which made me wonder why we haven’t heard any political outcry yet, but I digress as this is not the topic I had in mind of treating today. Let’s get to the document in question: It’s a total of 18 pages long and the introduction of the Dutch Cyber Defense Strategy is, as is often the case in such documents, very telling. The language used should be looked at as defining terms by which the rest of the document can be interpreted.

In the introduction the Dutch MoD acknowledges that they use the digital domain for (satellite-)communications, information-, sensor-, navigation-, logistical- and weapons systems, that are dependent on secure internal and external networks of digital technology and that  this makes them vulnerable to cyber attacks.

They also acknowledge that other countries are developing offensive cyber capabilities and that non-state actors are also capable of forming a threat to Defense forces by attacking digital systems and networks. What’s interesting is that this strategy also acknowledges the blur of the lines between the combatant and the non-combatant, and also the blurring of the borders of any operational areas. Both are key components of the “Fourth Generation Warfare” principle and it seems that the Dutch MoD has at least partially accepted this principle. What makes this so interesting is that they are declaring that non-combatants may also be actively targeted. In essence, they are putting the world on notice that walking around without a uniform is no longer an automatic safe haven, and that if you’re involved with any kind of cyber attack, part of a militia or a terrorist, you have a bull’s-eye on your head. No matter where you are. Plain and simple.

The last paragraph of the introduction specifically mentions that the Military Industrial complex is already a major and consistent target of cyber attacks because they develop and produce high-grade military technology. The strategic and economic value of their digital assets is high and as such these need to be very well guarded, also in the Cyber aspect. This ties in nicely with my earlier articlebased on the MIVD’s yearly report.

For those interested in what official Dutch political documents and official questions this document ties into, here’s the official answer:

The Defense Cyber Strategy was created in answer to:

  • The publication ‘Defensie na de kredietcrisis’ of April 8th, 2011 (“Kamerstuk 32 733, nr. 1”);
  • The piece to be covered by the MoD in the National Cyber Security Strategy as I covered earlier (“Kamerstuk 26643, nr. 174”);
  • The advice given on Digital Warfare by the Advisory Council on International Questions (AIV);
  • The Advice Commission’s (CAVV) answer to the questions posed in “Kamerstuk 33 000-X, nr. 79”;

 Right, so we have that covered. Now let’s get to the meat of the document. From the onset it looks pretty promising. The strategy has six driving points and they are very broad (but relevant): 

  1. Creating an integral and integrated approach;
  2. Increasing digital resillience of the entire MoD (Cyber Defense);
  3. Developing the capability to carry out cyber operations (Cyber Offense);
  4. Reinforcing intelligence gathering in the digital domain (Cyber Intelligence);
  5. Increasing knowledge and innovative power of the MoD in the digital domain, including recruiting and keeping qualified personnel (“adaptive and innovative”);
  6. Intensifying collaboration nationally and internationally. 

Integral Approach
The main point of the first pillar is that the Dutch cyber capabilities should be an important and considerable addition to the existing military capabilities of the Dutch armed forces. The strategy makes good mention of the diverse nature of Cyber and how cyber capabilities should be developed along all avenues. This means that they should be supportive of logistics, command, intelligence, force protection, maneuverability but also, of course, offensive operations. It is predicted that use of such capabilities will increase over time and this is why the MoD will need to seriously invest in this area. Another interesting point here is that it is made clear that Cyber will not become its own combatant command, but instead will be placed as a joint command called the Defense Cyber Command under the Command Landforces (CLAS). Finally, the strategy expresses that operations commanders will eventually be able to decide whether they wish to use cyber capabilities to tackle a problem or not.

As can be expected, the document details that the Dutch armed forces are vulnerable to cyber attacks and that it is of critical concern that defensive measures are taken. Military systems and networks are, naturally, to be protected by the Armed forces and to this end a risk assessment will be performed. What is somewhat surprising is that there is no concrete goal attached to the level of security the MoD wishes to attain. The document is not without a healthy dose of realism though, because it is mentioned that persistent, technically advanced adversaries will be able to breach (parts of) systems and networks despite the defensive measures. Focal points of the defensive strategy are the protection of information and information exchange, which I feel is a warranted and workable stance to take. Another important point is that they intend to have the entire military go through relevant security awareness training, which is never a bad idea.

Interestingly, the term “active response” is mentioned too, which is a clear hint towards applying Active Defense. Active Defense is generally accepted as being a term for an automated security system that automatically attacks whoever attacks a protected network or system. The idea is that for cyber defenses to have a viable chance against lightning-fast cyber attacks, the defenses need to be able to respond equally fast, and so automation is considered a necessity. You can compare the concept with, say, an automated gun turret as you see them in computer games or indeed the movie Terminator Salvation. It’s a nice concept, until you realize that its extremely simple for attackers to obfuscate their origins. Its equally simple to make an attack come from elsewhere, such as an ally or even one’s own system. Imagine this digital turret turning around and turning your internal network into a sieve because some clever attacker made your automated defense consider your internal network as hostile. Doesn’t seem like such a good idea anymore, right? So let’s hope this part of the strategy gets thought out a little more before its implemented.

The strategy outlines that all these defensive measures will be poured into the Joint Information Facility Command (JIVC – it loses a little in translation, I know) which is to be operational in 2013. JIVC will work closely with the MoD’s CERT Team (DefCERT) to protect its networks and systems. Both parties will need high-grade situational awareness, which they will obtain through working closely with Military Intelligence (MIVD).

Lastly the strategy mentions that special attention will be given to the ‘digital resilliency’ (or rather “Weerbaarheid”, a term in Dutch that also implies security) during the purchase of any hard- or software. I was also most pleased to find that they will be paying close attention to their supply chain, which indicates that they are very much aware of supply chain corruption, which is an underserved area of security that is generally considered to be available only to nation states, mostly due to having relatively deep pockets. Clearly, whoever wrote this strategy has been paying attention to what’s going on.

The Dutch MoD defines operational cyber capabilities as having the purpose of manipulating or denying the opponent’s movements. They are speaking about developing complex and high-grade means of amplifying their own military power and use it as a force multiplier. Not a bad idea for a small army such as ours, if you ask me. The strategy acknowledges that offensive cyber capabilities development is still in its infancy, and that cyber ‘weapons’ generally are a one-shot affair with a shelf-life. For people in the cyber warfare business, this is not news but I feel its still important to get such basics right in important doctrinal documents such as this one.

What is interesting is that the Strategy mentions that the MoD will lean heavily on the MIVD for developing its arsenal. I don’t quite understand how the most capable cyber weapons developers are apparently sitting at an Intelligence agency, but I’m positive this is largely attributed to the fact that I don’t work there, and is in no way part of some kind of internal powerplay. Either way, it’s the Defense Cyber Command (DCC) that will be developing and wielding the offensive capabilities. This is about all that is written about offensive capabilities, and if you are thinking that its somewhat meager, I would have to agree with you. Then again I didn’t expect them to reveal that Stuxnet was just the beginning and the major Dutch plot to take over the world (that all Dutchies worldwide know about and are working towards) is still right on track, did you? Moving on.

One of the obvious heavy points of the Dutch military cyber strategy is cyber intelligence. Having high-quality, actionable intelligence is indeed critical to all areas so this is more or less expected. The MIVD is the main focal point here, with activities including generating early warning capabilities, producing threat assessments, gathering intelligence and engaging in counterintelligence through HUMINT and SIGINT. They will also make a big contribution to the Cyber Security Assessment of the Netherlands (CSBN), which is the purview of the National Coordinator of Counterterrorism and Safety (NCTV). As I reported earlier in my article on the MIVD’s plans, this includes a strong collaboration with the Dutch national intelligence agency AIVD. Now, before anyone dies of acronym overload, its good to know that in this particular segment there really isn’t anything new to report. Attribution is still a major issue that Intelligence is there to counter, and it too is mentioned specifically. Everything else was reported in said earlier article, so if you wish to learn more, please check it here.

Adaptive and Innovative
This pillar is actually a lot more interesting than its name suggests. What they mean is research and R&D on all things Cyber. As any person with an MBA degree worth his salt will tell you, Innovation is a crucial element of any corporation’s survival in the long term. In an environment so incredibly susceptible to change, and not to mention HOSTILE, being able to adapt and innovate is absolutely paramount. This strategy document acknowledges that, and places the responsibility for research and development squarely on the shoulders of a new to-be-formed military center called the Defense Cyber Expertise Center (DCEC). Its main tasks are to develop knowledge, safeguard it and spread it around. Essentially this place is going to be the MoD’s Cyber Warfare university, with its own research department and the whole 9 yards. Somewhere in 2014 the Dutch Military Academy will also constitute a Chair for ‘Digital Resilience’ and ‘Cyber Operations’, which ties in nicely. Some parts of these are already in place, so finishing that up shouldn’t be too hard.

Natural allies include various national labs such as the TNO and the National Cyber Security Center (NCSC). Interesting bit here is also that they mention that some of the knowledge will also become accessible to cyber reservists. The mere mention of this means that cyber reservists are still on the table, and this particularly interested me. If this does indeed get picked up, I guarantee you I will be writing about it.

This last pillar, while important, really doesn’t reveal anything new. It lists the various collaborations on a national (the NCSC, the National Cyber Security Council, the High Tech Crime team of the Police, NCTV and the Intensifying Civil Military Collaboration (ICMS) project) and international level (EU, NATO), with the declaration of intent to continue on this path. The Netherlands already joined the Cooperative Cyber Defence Center of Excellence in Tallinn, Estonia and there isn’t a whole lot more going on in the area of international collaboration for the various Militaries.

Overall Assessment
I must say that I was quite pleased with this document. Sure, there is nothing really new under the sun, but then again they didn’t seem to miss a whole lot of the crucial stuff either. With the many debates going on about Cyber Warfare all over the globe, it’s easy to focus too much on some aspects, and ignore others. In all, I feel this strategy is workable. I would like to observe though that, like the National Cyber Security Strategy, this document is more of a To-Do List than an expression of strategic vision.

Strategy is about saying “I want to be at this stage in the next 10 years”. It’s supposed to be an expression of vision and not a list of things to do. I miss such underlying objectives in this document. I would have liked to have seen statements such as “By 2015, the Netherlands will be on the bleeding edge of Cyber Intelligence gathering” or “By 2020 the Netherlands will have the most comprehensive arsenal of cyber weapons in Europe”. Nevermind that you may never achieve the goals, just expressing these desires gives people a stronger sense of purpose. Strategy is what you want to achieve and Tactics is how to get there. It’s a big difference and in this light, I would sooner call this a Defense Cyber Tactical Plan. But hey: They did a fairly good job and im happy we are at least moving forward. It’s about time we did, too.