Discussion Prompt: The Dutch Temporary Cyber Act: Necessary measure or disproportionate expansion of power?

See all contributions to this question.

The Dutch secret services want more legal leeway to fight Russian and Chinese cyber attacks and therefore a new temporary Cyber Operations Act has been proposed. Because the bill sticks to the existing provisions for traditional intelligence gathering, it doesn’t fit the specific methods used for cyber defence.

Currently, a government proposal for the Temporary Cyber Operations Act is pending before the Lower Chamber of the Dutch parliament. This act, among other things, relaxes the rules on hacking and cable tapping from the Intelligence and Security Services Act (Wiv), which came into effect in 2018.

The new bill is particularly criticised for the provision which allows the two Dutch secret services, the AIVD and the MIVD, to store data streams from Internet cables in bulk for six months without having to be “as targeted as possible,” as required by the law as it is to date. However, this relaxation only applies to the exploratory phase, in which it’s determined what kind of data runs over which cables. The following phases of the untargeted interception effort still have to be “as targeted as possible”.

A peculiarity of the bill is that it only applies to investigations into “countries with an offensive cyber program directed against the Netherlands or Dutch interests”, in other words: Russia, China, Iran and North Korea. Therefore, it’s not so much about traditional intelligence gathering about those countries, but about cyber defence: countering digital espionage and manipulation of digital infrastructure. Cyber defence is of great importance to our modern society, but during the discussions surrounding the 2018 advisory referendum on the introduction of the Wiv, this aspect remained undiscussed.

Yet the official explanatory memorandum of the Wiv from 2016 already stated that untargeted cable interception is important not only for intelligence gathering, but also for detecting and monitoring cyber attacks. For the latter, however, the Wiv provides no specific rules, despite the fact that both functions have a different methodology: for intelligence, you zoom in further and further by applying successive filters and selection methods to the data stream that has been intercepted. This also allows you to discover signatures of malware and characteristics of hacker devices that may pose a threat. For effective cyber defence, however, you must then zoom out in order to detect as many of those threats as soon as possible.

This zooming out requires not only monitoring data streams as broadly as possible, but also combining the results with information from databases that have been obtained from hacks or commercial parties. Another difference is that intelligence about, for example, terrorism or arms trafficking can be extracted from foreign data streams, whereas cyber defence also requires a view of domestic cables, since cyber attacks often make use of the Dutch digital infrastructure, either to directly attack targets in the Netherlands, or as a steppingstone for attacks against other countries.

So while effective cyber defence requires a wider aperture than traditional intelligence gathering, it doesn’t have to go as deep, because it only needs certain technical identifiers, not personal information that would pose greater risks for privacy. This distinction is currently missing, both in the Wiv and in the proposed Cyber Operations Act.

From classified documents that came out via Edward Snowden, we know that the NSA was already engaged in large-scale cyber defence a decade ago. In the US, cyber security replaced terrorism as top priority for the intelligence community as early as 2013, and just as the Americans fought terrorism in close cooperation with European partners, they are undoubtedly doing the same now in the area of cyber defence.

By sharing threat information with each other, the intelligence services involved can create the widest possible field of vision, similar to websites where private parties exchange data about malware worldwide. This may explain why data already collected during the exploratory phase of the untargeted cable interception will also be allowed to be shared with foreign partners. Because the bill doesn’t limit this to technical data for cyber defence purposes, the Council of State had no choice but to strongly disapprove such sharing.

Cyber attacks, especially from Russia and China, are only expected to increase in the coming years. It is therefore important to combat them as effectively as possible, but like the Wiv, the proposed Temporary Cyber Operations Act remains stuck in the framework of traditional intelligence gathering. As a result, the existing frictions between law and practice and between the secret services and the oversight bodies are unlikely to be resolved.

It would be better to create a separate legal framework for cyber defence, with procedures, safeguards and criteria tailored to the specific methods and needs of this field. Explicit regulations for cyber defence would also raise awareness among the general public for this important effort of the Dutch intelligence and security services.