There’s a new cyberpower in the world. Last month, Dutch reporters from Nieuwsuur and de Volkskrant revealed that in mid-2014 the Dutch Joint Sigint Cyber Unit (JSCU) infiltrated the computer networks of the infamous Russian hacker group “Cozy Bear.”
Hacking by its very nature is a secretive business. Although numerous states reportedly are interested in the development of offensive cybercapabilities, we typically hear about only a small set of state actors conducting operations. The public disclosure of Dutch intelligence success — based on leaked information — has important signaling effects, both internationally and domestically. And it bumps the Netherlands high in the world pecking order of offensive cybercapability.
There’s a paradox about signaling offensive cybercapability
It is difficult for an actor to prove its offensive cybercapability without playing its hand — and losing this advantage. This is in part because cybercapabilities are difficult to showcase — other than waving your hand with a USB stick containing malicious code. As strategic studies scholar Thomas Rid notes, “You can’t parade a code on the streets of Moscow.”
My research on the transitory nature of cyberweapons also explains that once a country’s cybercapability is exposed, the adversary can often adapt its systems relatively easily to block further intrusion. Revelations about a country’s cybercapability after the fact are therefore essential to gauge an actor’s ability to conduct cyberoperations.
These factors create a number of paradoxical dynamics. The release of classified NSA documents by Edward Snowden was perhaps the most embarrassing episode in the history of the intelligence agency. Yet the Snowden disclosures also exposed the U.S. government’s impressive arsenal, including at least 231 offensive cyberoperations in 2011. As RAND Corporation scholars David Gompert and Martin Libicki point out, the leaks ironically “broadcast how deeply the NSA can supposedly burrow into the systems of others.”
After Kaspersky Lab, a Russian anti-virus company, reported in 2014 on the espionage platform “Animal Farm,” many analysts believed the French government to be behind the sophisticated intel capabilities embedded in the malware. The French government initially denied any role.
During a lecture in mid-2016, however, Bernard Barbier, the former technical head of France’s external intelligence agency, admitted his agency had developed the malware. Security blogger Bruce Schneier points out Barbier “talked about a lot of things he probably shouldn’t have.” But for France, this post-hoc confirmation of capabilities likely enhanced the government’s reputation in this new area of conflict.
A well-placed leak — or just lucky timing?
It remains unclear whether the signaling was intentional in the Dutch case. Access to the computer networks of Cozy Bear was already lost — perhaps because the Russians were alerted after earlier Washington Post revelations. And the Dutch government may see a diplomatic backlash from the Trump administration as the intelligence helps the FBI investigation — similar to what some say happened to Australia after officials passed information about Trump’s possible campaign links to Moscow, triggering the initial Russia inquiry.
There were certainly gains at home from this type of signaling. Last Friday, Dutch Prime Minister Mark Rutte didn’t go into any detail about the case but told members of the media he was “immensely proud” of the intelligence unit’s success. And Rutte used the occasion to stress the importance of a controversial Dutch intelligence law from June 2017 that would allow the government to conduct large-scale, untargeted tapping of Internet traffic. Even though it is certain the law will come into effect on May 1, critics were able to force a national “advisory referendum” on the issue this March. With the government under pressure, the achievement of the Dutch intelligence apparatus is a very welcome PR success.
What’s next for the Netherlands?
As of now, Dutch cybercapability has yet to produce a major military activity. It remains to be seen just how the JSCU, a relatively small unit, is organized within the General Intelligence and Security Service and the Military Intelligence and Security Service.
The two Dutch reporters who broke the case mistakenly wrote that JSCU has the authority to conduct computer network attacks. This is not the case; the JSCU cannot “disrupt, deny, degrade, or destroy.” It can, however, conduct computer network exploitation — that is, espionage.
Of course, network exploitation and network attacks can be quite similar. As former NSA and CIA director Michael Hayden states in his book, “Playing to the Edge”: “Reconnaissance should come first in the cyber-domain. … How else would you know what to hit, how, when — without collateral damage?”
At the moment, it remains unclear to what degree the JSCU capabilities support the maturation of the Dutch military cybercommand — which does have full authority to attack computer networks. Although organizational integration and coordination between network espionage and network attacks may be beneficial — increasing the opportunity for knowledge transfer and more efficient allocation of resources — my research on organizational integration indicates it is not a given within any government.
In the U.S. government, for instance, NSA and U.S. Cyber Command have numerous coordination problems. Not least among them is the fact that the NSA is not always willing to share capabilities with the military, as doing so increases the risk that its espionage efforts — exploiting the same vulnerabilities and following similar coding procedures — are also exposed. Dutch cybercapabilities historically reside in the intelligence community, as well. It would hardly be surprising if the Dutch government is dealing with similar organizational problems.
Finally, (cyber) power comes with a price. Russian hackers — and other actors — may now see the Dutch intelligence services as a more interesting target. Russia may retaliate accordingly — and publicly — against the Dutch to signal mutual vulnerability. At least the Dutch government seems to have taken precautions, choosing to tabulate election results by hand earlier this year.
Max Smeets (@SmeetsMWE) is a postdoctoral fellow in cybersecurity at the Center for International Security and Cooperation, Stanford University. He is also a nonresident cybersecurity policy fellow at New America.