Discussion Prompt: The Dutch Temporary Cyber Act: Necessary measure or disproportionate expansion of power?

See all contributions to this question.

Growing cyber threats to Dutch national security reveal an urgent need to amend current  powers of intelligence and security services. The proposed “Cyber Act” aims to address these challenges by granting bulk interception and hacking capabilities, and by allowing for greater flexibility in the oversight process. However, further clarification is needed on the scope of the Act.

In my opinion, there is an urgent need for a new bill that amends the bulk interception and hacking powers of Dutch intelligence and security services. In this blog post, I share the essential points that I presented during a ‘round table hearing‘ at the Dutch parliament on 5 April 2023. 

The (cyber)threat

The cyberthreat the proposed legislation aims to address should be completely clear. The Dutch General Intelligence and Security Service (AIVD) first reported about ‘digital infringements on Dutch vital ICT infrastructures’ in 2007. This message highlighting the risks of digital espionage to our national security has been reiterated in every annual report since 2013. These reports explicitly mention various victims of digital espionage, including Dutch ministries, telecom providers, universities, educational institutions, think tanks, and biotechnology companies.

Our Military Intelligence and Security Services (MIVD), as well as the National Cyber Security Centre (NCSC), have echoed these concerns. In fact, the NCSC considers the threat posed by ‘state actors’ to cybersecurity as the most significant among all threats, surpassing even the threats posed by criminal actors. 

The problem

In 2021, the Dutch intelligence and security services raised concerns regarding challenges they encountered in their cyber operations. These issues primarily stem from the “legality review” process conducted by the newly established Investigatory Powers Commission (TIB). The TIB is responsible for granting or denying warrants for investigatory powers, including bulk interception and hacking.

The proposed Cyber Act  

To address these challenges, a bill has been introduced, which I refer to as the ‘Cyber Act’. This proposed legislation specifically addresses bulk interception and hacking capabilities and proposes significant changes to the oversight system in the Netherlands. It is crucial to emphasise that the scope of the bill is limited to operations conducted by Dutch intelligence and security services that target the gathering of intelligence related to “offensive cyber operations of foreign states”. 

The aim of the proposed bill is to amend and partially shift the oversight of bulk interception and hacking as investigatory powers from the Investigatory Powers Commission (TIB) to the Dutch Review Committee on Intelligence and Security Services, allowing for greater flexibility for intelligence and security services. It seeks to establish a more dynamic oversight process that aligns with the technical realities of these powers. 

It is also noteworthy that the proposal grants the Dutch Review Committee on Intelligence and Security Services the (binding) power to halt an operation and (ultimately) order the deletion of unlawfully processed data when specific investigatory powers are employed. Currently, this oversight body lacks any binding authority in its task of overseeing intelligence and security services. Additionally, the proposed legislation introduces an appeals procedure for decisions made by the Dutch oversight bodies, enabling a judge to make the final determination regarding the legality of actions and decisions. 

Bulk interception 

Bulk interception serves as a notable example that illustrates how investigatory powers are amended in the Cyber Act. One significant challenge in the current application of bulk interception as an investigatory power is the disagreement between the intelligence and security services (and their responsible ministers who authorise these powers) and the Investigatory Powers Commission (TIB) regarding the level of focus that should be applied to bulk interception.

It is important to clarify that bulk interception is inherently non-targeted in nature. It involves the interception of large volumes of data (bulk) after it is collected at a specific location. This process differs from, for instance, wiretapping. With wiretapping, data associated with a particular identifying number, such as a telephone number or IP address is intercepted. Bulk interception captures a greater volume of data, including unidentified numbers that may be connected to potential national security threats. In a cybersecurity context, bulk interception can be used to collect intelligence about the IT infrastructure utilised by foreign actors engaging in covert activities on Dutch infrastructure.

The Cyber Act aims to do more justice to the untargeted nature of bulk interception, but solely within the context of gathering intelligence related to the threat of offensive cyber operations conducted by state actors that pose a risk to national security. While the bill includes numerous detailed provisions, which I will not delve into here, I believe the arguments put forth in support of the proposals are compelling. Therefore, it is in my view necessary to amend the law. In fact, I think we should consider an even more substantial role for intelligence and security services in combating cybersecurity threats.

Addressing the threat of cybercrime to national security

The issue of cybercrime posing a threat to national security deserves attention. I emphasised that the Dutch National Security Centre identified ransomware as a national security threat. I agree with this assessment, insofar ransomware attacks have severe economic consequences or disrupt vital infrastructures. Regrettably, we have already witnessed ransomware incidents targeting the Port of Rotterdam, hospitals, and municipalities in the Netherlands.

In the Netherlands, there is a strict separation between the investigation of criminal activities and the investigation of national security threats. It is evident to me that the Dutch Intelligence and Security Services should investigate ransomware attacks that pose a risk to national security. However, it remains unclear whether such investigations are currently being carried out. While the Dutch Cyber Act appears to primarily focus on state actors, I would appreciate clarification on whether it also encompasses ransomware activities conducted by criminal organisations.