NCTV Director of Cyber Security: 'right balance with privacy needed'

Privacy First Foundation regularly organises networking drinks with a prominent speaker on a topical issue. In September this year, for example, we organised a Evening with the Head of the AIVD. On 22 October, it was the turn of a speaker from the world of cyber security. The speaker this time was Mr. Wil van Gemert, Director of Cyber Security of the National Coordinator for Counterterrorism and Security (NCTV, Ministry of Security and Justice). As discussion moderator, we had investigative journalist Brenno de Winter enabled. Click HERE for the invitation to our relations. Would you also like to receive an invitation from now on? Mail us! The following is an abridged account of the lecture and discussion with the audience:

Introduction Privacy First

Chairman Bas Filippini gave a brief introduction to the work of the Privacy First Foundation and introduced Wil van Gemert and Brenno de Winter. Filippini recalls that the government increasingly expects citizens to do everything digitally. This puts the elderly and people with principled objections in particular at a disadvantage. At the same time, the government is getting more and more powers to look into citizens' private digital domain. A current development in this area is Minister Opstelten's plan to allow citizens' computers to be hack. Privacy First strongly opposes this plan, partly because of the violation of letter secrecy. The government is supposed to safeguard citizens' privacy. In that sense, Privacy First and the government share the same goal, albeit from different perspectives. However, Opstelten's hacking plans threaten to erode privacy - and thus democracy. Filippini then gave the floor to Wil van Gemert.

Trends in cyber security

Mr Van Gemert thanked Privacy First for the invitation and kicked off with a comical commercial about speech confusion; click HERE. As in the movie, cyber security is about trust, knowledge and awareness. It is also about finding the right balance between tasks and responsibilities. In his lecture, Van Gemert will successively discuss current trends in cyber security, the tasks of the government, public-private cooperation, the Cyber Security Picture Netherlands, and "security vs privacy?": is there a contradiction here or does it complement each other? And what are the current challenges? Cyber security is all about the confidentiality, reliability, integrity and continuity of data in the digital information society. The first global trend Van Gemert identifies in this respect is 'Big Data': the enormous amount of data that is constantly being stored and which is increasing daily. How can we handle this properly? A second trend is hyperconnectivity: the number of digital (internet) connections is increasing exponentially. This creates an "Internet of Things". The Netherlands has the second highest Internet density in the world; this gives the Netherlands a special position in this field. A third trend is the disappearance of borders, both in time and distance and in terms of work-life. These trends require a change in both the way companies do business and the role of the government in ensuring a secure society. These trends also affect people, consumers, for example through the new capabilities of mobile phones. Big data can be used to real-time, make a very targeted commercial offer to an individual, for example travel insurance if you are at Schiphol Airport. However, when Van Gemert asked how many attendees in the room thought this was a pleasant idea, zero hands went up. Van Gemert himself does not like the idea either: it violates your privacy, you get the feeling you are being followed. Relatively many young people, however, seem fine with it.

Influence of social media

An important aspect in cyber security is mobility: companies want to be able to reach their customers anywhere and employees are less and less tied to a fixed workplace with their employer. Social media is also becoming increasingly important for companies, political parties and the government to know what is going on in a market or society. An interesting case in point is the recent incident involving Vueling Airlines, where radio contact was lost and for some time people took into account a possible hijacking. Since 2001, the procedure has been that such an aircraft ('renegade', SPF) is escorted by F16s. However, suppose all the passengers on board start tweeting that nothing is wrong, how do you deal with that as a government? These are questions currently on the government's mind. Another aspect relates to the role of the government: from a monopoly position to a more dependent role. After all, most of the cyber infrastructure is owned by companies. In addition, there is an authority issue: social media influence the extent to which a government campaign does or does not resonate with a population. A recent example is the government campaign for vaccinations against cervical cancer. The next aspect is that cyber security 'community-driven' is: the community makes itself owner of a particular problem, for example in the case of the Dorifel virus. That community consists of researchers, relevant companies, hackers etc. This 'community' can sometimes provide clarity around a particular issue, unlike, for example, classic detection where the direction lies with the government. In many companies, however, digital IQ is still low; it is therefore a challenge for the government to raise digital IQ in companies, Van Gemert said.

Lack of security concept in cyberspace

The Netherlands is a land of seas and dykes: when water seeps through, we build a dike around it. That classic way of crisis management (containment, or containment) is almost impossible in cyberspace. Companies often do not know exactly where their data is, how it is connected and what effect it will have if there is an outage somewhere. In addition to the human factor, platforms, applications and infrastructures all have their own problems, and the interaction between these four levels often makes a security problem very extensive. In the physical world, we know a safety-concept; think, for example, of safety rules on a construction site. But does a security-concept? And what roles do the government, private sector and citizens have in it? Currently, this is not sufficiently clear. Certain security requirements and traffic rules apply on the highway. But any citizen can also buy a computer and enter the digital highway unsecured.

Public-private partnerships

Since a year and a half, the Netherlands has had a National Cyber Security Strategy. Part of this was the installation of a Cyber Security Council: an independent advisory body to the government. Among other things, the National Cyber Security Strategy agreed that the Netherlands would produce an annual Cyber Security Picture Netherlands of threats and actors. Furthermore, since the beginning of 2012, there has been the operational directorate within the NCTV, which consists of two components: 1) the National Cyber Security Centre, NCSC (which, among other things, acts as an expertise centre) and 2) a policy cluster (which, among other things, supports the answering of parliamentary questions and questions from the private sector). The guiding principle here is public-private cooperation; this creates new coalitions with new forms of participation between government and industry, but also with interest groups. Both the government and private parties and experts participate in the Cyber Security Council and the NCSC. For example, one topic they are jointly working on is cloud computing. Also, the NCSC recently set up an ICT Response Board; in this public-private partnership, a group of people from the government and the private sector can be called upon for advice and assistance in incidents and crisis situations. In addition, there are ISACs in several areas: Information Sharing and Analytical Committees, e.g. for vital infrastructure in the fields of energy, water, finance, etc. This too is public-private cooperation.

Threats in cyberspace

Cyber security has been in the spotlight recently, and positive initiatives sometimes emerge from negative incidents. For instance, there was a unanimous request from the House of Representatives for a hotline security breaches set up. Van Gemert says the following in this context: "The Diginotar affair has highlighted the relevance of the following question: what can the government do in the event of a crisis? How can the government oblige a company that plays an essential role to cooperate to prevent social disruption and harm to society? Do we have those options at all? Our conclusion in July this year was yes, if we could declare a state of emergency on a cyber incident." Furthermore, investment should not only be made in the detection of data breaches, but also in the appropriate response on this, according to Van Gemert. The government's role here focuses on coordination, communication and consultation. In July this year, the second National Cyber Security Picture of threats, targets and actors was published. The biggest threat comes from foreign governments (espionage) and cybercrime. Contrary to what many people think, cyber terrorism poses a smaller threat for the time being. Furthermore, cooperation between ''hacktivists' and foreign state actors (read: secret services) raise concerns.

Privacy & security

On the relationship between privacy and security, Van Gemert argues that, as far as he is concerned, there are "no privacy without security exists. If you don't organise security, you will eventually have no privacy either. You do need to take measures to ensure that your privacy is protected. Both privacy and security have an interest in each other. So information security in that area and agreements around it are necessary. Also to protect privacy, the NCSC publishes daily advice on vulnerabilities that could affect companies and citizens. Our website www.waarschuwingsdienst.nl aims to make citizens more aware and armed against threats. However, we are not a regulator; we cannot impose anything. We can only advise and provide best practices. Between 12 and 22 November next, the government and private partners will spend 10 days focusing on 'awareness' through the Alert Online campaign. This campaign is aimed at both businesses and citizens."

Van Gemert finally stressed the importance of basic digital rights and citizens' self-reliance through knowledge and awareness. For the discussion with the audience, Van Gemert posed three topics: 1) How do security and freedom relate to each other conceptually? And can security also ensure privacy? 2) What is Privacy First's role? Is it always in opposition, or also in coalition? 3) What is the role in cyberspace of our enforcement and surveillance agencies, e.g. the police? What is their role in individual emergency response and enforcement in cyberspace?

Discussion with the audience

Although Van Gemert is not responsible for cybercrime, he is nevertheless willing to say a few words about this on behalf of the Ministry of Security and Justice as well. In response to a question from the audience about the international consequences that 'intervening' in cyberspace from the Netherlands could have, Van Gemert replied that the concept of virtuality requires a different approach from a territorial one if it is unclear where a particular server is located. Here, he makes a comparison with the earlier development of maritime law in international waters. Furthermore, perhaps the country where the damage occurs should be the starting point in terms of jurisdiction. However, unambiguous answers do not yet exist in this area; the national and international rules on this matter are not yet clear. Brenno de Winter emphasises that Dutch hacking-activities abroad could set a dangerous international precedent. What if a country like Iran appropriates the same powers? This concern is shared by others in the audience.

Another question in the audience relates to public-private partnerships as in the case of Diginotar. Reference is also made to Israeli tap centres in the Netherlands. Doesn't this make the Netherlands incredibly vulnerable? Van Gemert replied that this question had indeed become prominent for the government since the Diginotar affair. However, he does not want to discuss the issue of tap centres, as he is not involved in this in terms of policy. After this, it is noted from the audience that, in public-private partnerships in the field of cyber security, Dutch civil society organisations are structurally kept out. De Winter also notes that the NCSC is seen by many as an inaccessible fortress where you are not heard. Van Gemert replies that the NCSC does seek contact with interest groups. The question here is also what role those interest organisations want to have: opposition or coalition? "I am convinced that we need to seek new forms of cooperation between government, business, citizens and interest groups to ensure that our society becomes safer. Seeking that contact is also why I am here," said Van Gemert. Another question from the audience is about detection of hack-attempts. To what extent is this outsourced by the government to companies? Van Gemert replied that the government itself detects using traffic datavens (not on content) as far as vital (government) infrastructure is concerned; in the case of companies, such detection is up to those companies themselves. From the public, it was noted that the government could also play a role in bringing together relevant knowledge and experience per business sector. Another comment from the public relates to the previously assumed lack of international regulation: why does the Netherlands not conform to the already existing Budapest Convention on Cybercrime, and why are the possibilities of this convention insufficiently used? Further comments concern cooperation between Dutch municipalities, the banking and telecoms sectors. They also ask about the threat posed by cyber warfare is and how the Netherlands is preparing for it. On this, Van Gemert refers to cyber as the "fifth battlefield" after the four domains of land, sea, air and space. This is a real development; some 20 countries now have the capacity for it. In the Netherlands, many cuts are being made, but in the cyber domain, investments are actually being made at Defence. At cyber warfare incidentally, there is also a new attribution issue: which country causes the damage and how to respond? During the discussion, reference is also made to the US Patriot Act and the risks of storing data in the cloud. "Think carefully about what you put in the cloud put," Van Gemert advises. Following this, the question arises from the audience as to what extent the government considers the protection of personal data as vital for our infrastructure, to what extent the government is mindful of the risks of identity fraud and theft by linking personal data to BSN numbers, whether people endorse the content of the WRR report iOverheid and whether declaring a cyber-emergency is tantamount to a disaster or war situation in which regular legislation can be overridden with all the privacy risks that entails. It further notes that a police power to hack citizens' computers implies that citizens' computer data could also be altered undetected and then used against those same citizens. Van Gemert replied that personal data is essential, critical data that should be well protected. Besides companies, citizens themselves should also realise this more. As for a state of emergency, Van Gemert replied that it was not declared even in the 1953 flood disaster. In the cyber domain, no additional, new legislation for a state of emergency is necessary. The existing legislation for a state of emergency can only be applied in an extreme situation. The next point of discussion concerns the long-standing dependence of the Netherlands'se government vis-à-vis Microsoft: why does this situation (with associated privacy risks) persist forever? When asked, Van Gemert then clarifies his earlier comments about a cyber emergency: it cannot be invoked if there is an incident, but only if there is widespread social disruption. It is then asked from the audience to what extent the government has a responsibility not to make laws and policies that can be copied and abused by other countries, just as certain dual use equipment should not be supplied by companies to certain countries. Van Gemert replied that UN sanctions lists do indeed exist for certain goods; the AIVD checks them. A free internet abroad is supported in particular by the Ministry of Foreign Affairs. In general, it is also true that as a democratic society you always have a moral guideline have along which to operate. After this, the discussion in the audience returns to the issue of a possible government power to hack abroad. In that context, does permission from a magistrate judge constitute a sufficient safeguard against abuse? Elsewhere in the audience, it is noted that when tapping phone calls, the magistrate judge is now a kind of stamping machine. It is also argued that earlier Van Gemert spoke too easily of five domains of warfare. Traditionally, only three domains of war apply in international law: land, sea and air. In space, the principle of peaceful use of outer space. So why not also a similar, new principle of peaceful use of cyberspace?

In response to a question about safeguarding privacy, Van Gemert replied that he values clarity on what is and is not allowed. Investigative powers can sometimes be used to prove someone's innocence. The challenge is to find the balance between cyber security and privacy, according to Van Gemert. He then drew attention from the audience to the dangers of linking personal data and function creep. Therebesides, our democratic rule of law is not static. Does the government take this into account? To this, Van Gemert reiterates that the challenge lies in finding the right balance. Also, the call from parliament for new legislation after an incident is not always followed up by the government, for instance in the case of terrorism legislation and emergency legislation. It is then noted from the public that a search requires a search warrant, which is verifiable by citizens. That verifiability is lacking when hacking a computer. Van Gemert replied that this control for the citizen is often also lacking when tapping or observing, especially if it does not lead to a case in court. In this context, De Winter notes that existing notification obligations are also not complied with by the government. It is added from the public that all registration also puts pressure on citizens' presumption of innocence. This changes society and makes people conform to an 'all-seeing government'. To this, Van Gemert reiterates that "privacy and security cannot exist without each other". In his view, these kinds of discussions are important to gain more clarity on this and take steps forward. Finally, Van Gemert reiterates the importance of a security concept in cyberspace with sufficient attention to privacy.

Finally

De Winter gives the last word to Privacy First Foundation. Chairman Bas Filippini thanked Van Gemert for the open hand he offered to the opposition this evening. In Privacy First's view, these kinds of discussions are crucial. In recent years, there was too little dialogue with the privacy movement, there was more and more government and less and less citizen participation. Privacy First is therefore happy to accept the invitation to become part of the coalition. "We will be a louse in the fur, but you have to be able to stand that," Filippini concludes.