January 18, 2017

The 5-year anniversary of this weblog

Today is the 5-year anniversary of this weblog, so this time we will look back at the main developments and the highlights from the 108 articles that have been published here so far.

The very first posting was on January 18, 2012, and contained a video about the White House Situation Room, providing a nice look at the telecommunications equipment used at the highest level of the US government.

The first header of this weblog from January 2012, showing communications equipment
in the watch center of the US National Counterterrorism Center (NCTC)

Initially, this weblog was called Top Level Telecommunications, as it was the intention to write about the communications equipment used by high-level government and military officials.

This fills a gap, because about crypto equipment for secure communications, there were already some very good websites, like those from Jerry Proc and the Dutch Crypto Museum, while for example the White House Museum and Cryptome provided great photos of the phones used by the US president, but without a more technical description of their functions.

In this way, a range of articles were written about the various phones used by president Obama. Then in October 2012 there was an extensive piece about the most important and exclusive communications link in the world: the Washington-Moscow Hotline. For many people it was an eye-opener that there were actually no red telephones on this hotline.

Besides the phones of the US president, there were articles describing the telephone equipment used by the Israeli prime minister, by the Dutch queen, by the popes, as well as by North-Korean dictator Kim Jong-un.

Also provided were a list of highly secure mobile phones and a solution by General Dynamics to secure high-end commercial smartphones.

The second header of this weblog from October 2013, showing the NSA's National Security
Operations Center (NSOC), with the old name, but also the new domain name

Then, in June 2013, the Snowden-leaks started, which would result in the largest number of highly secret documents about NSA and GCHQ ever published. For this weblog, they provided a unique opportunity to describe the modern ways of intercepting communications as detailed as the methods to protect them and so the focus shifted from Top Level Telecommunications and Communications Security (COMSEC) to Signals Intelligence (SIGINT).

After for example new insights into the PRISM program and slides about other collection programs, it was described that the NSA tool BOUNDLESSINFORMANT only shows metadata and that the screenshots from BOUNDLESSINFORMANT can be misleading, which was eventually confirmed in February 2014 when it came out that the Dutch government tried to hide the truth about metadata collection as shown in the BOUNDLESSINFORMANT charts.

Carefully studying the original NSA documents made clear that they often did not support the stories in the press or the way they were presented by Snowden himself. The NSA presentations and reports made clear that the agency is extremely capable in intercepting communications, but they show no evidence for global mass surveillance in the sense that all our communications are continuously monitored, stored and analysed.

Other examples: in July 2014, Glenn Greenwald came with a last big story that was intended to prove that NSA was spying on ordinary American citizens, but actually the original document shows that it was not NSA, but FBI that monitored 5 Americans. In February 2015 it was reported that NSA and GCHQ had stolen SIM card keys from companies like Gemalto, but this didn't put "billions of cellphones" at risk as this was clearly an operation for tactical military purposes.

This kind of close and critical examination of the Snowden documents became an almost unique feature of this weblog as only very few other people took the time and effort for similar analysis.

Although sometimes controversial, the articles about the Snowden-revelations became highly appreciated by a very wide range of people, which led to a huge increase of readers and also of followers of the twitter-account @electrospaces.

The name Electrospaces was initially chosen for the URL of this weblog (http://electrospaces.blogspot.com) and is derived from Electrospace Systems Inc. (ESI), a former company that manufactured the sophisticated and futuristic looking telephone devices used for the Defense Red Switch Network (DRSN) and therefore also by the US president and the military leadership.

An Electrospace MLP-2 telephone from the early 1980s

With this weblog now being not only about top level telecommunications equipment anymore, and the need for a short name on twitter, the initial name was replaced by Electrospaces.net, which also became the new and easier-to-use domain name. Accordingly the new name was presented on the header of this weblog as of January 2016.

Fans of top level telecommunications equipment were not forgotten, with articles about State Department red phones, the phones of NSA director Alexander, those of US Director of National Intelligence James Clapper, and of the Dutch prime minister. A final comprehensive overview of the presidential communications equipment under Barack Obama combines the information from earlier postings about Obama's phones.

Meanwhile, this weblog provided the first description of NSA's largest cable tapping program: DANCINGOASIS and identified the DRTBOX and the DRT surveillance systems for collection of wireless signals for tactical military purposes. And there was a detailed overview of FAIRVIEW: Collecting foreign intelligence inside the US.

The Snowden documents also revealed an overwhelming number of NSA codewords, internal organizational designators and the SIGADs which denote collection facilities, for which separate lists were compiled here in order to keep track of them - and they are still the most complete ones available.

Other lists contain codewords from GCHQ, CSE and BND and explain the numerous abbreviations and acronyms found in the disclosed documents. For a better understanding of the context, an overview of the complicated US classification system, as well as of NSA's legal authorities was created.

The current header of this weblog from January 2016, still showing the NSA's National
Security Operations Center (NSOC) but now with the new name Electrospaces.net
and the three topics which are covered here.

A range of articles became dedicated to developments in Germany: starting with how secure the Merkel-Phone is and how NSA targeted her mobile phone to an extensive coverage of the hearings of the parliamentary commission that investigates spying by NSA and the cooperation between NSA and BND (twitter hashtag: #NSAUA).

These seemingly endless hearings are transcribed by volunteers of the German digital rights organization Netzpolitik.org, but as they reveal many interesting details that confirm or complement things from the Snowden-documents, it proved to be worthwhile to summarize them here in English too.

Some notable results from these hearings were many interesting details about the joint NSA-BND operation Eikonal, which was recognized as being part of NSA's RAMPART-A program here for the first time, as well as that BND didn't care much about foreign NSA selectors.

In collaboration with the French weblog about intelligence & defence Zone d'Intérêt, articles were published about what if Google was an intelligence agency, followed by analysis of the new intelligence laws in France and the Netherlands, with articles about similar laws of other countries to follow in the future.

Finally, some numbers: the most popular article on this weblog became the one about how Obama's BlackBerry was secured from April 2013 with over 100.000 pageviews. Second is a piece from July 2014 about the new phones aboard Air Force One with was read about 72.000 times. Third comes a detailed description of INCENSER, or how NSA and GCHQ are tapping internet cables which got some 65.000 pageviews. The overall total of pageviews for this weblog is currently almost 2,3 million!

- Washingtonian: 5 Questions for a Dutch Blogger Who’s Obsessed With the White House’s Phones

January 14, 2017

The presidential communications equipment under Barack Obama

(Updated: January 31, 2017)

Over the past five years, a range of articles on this weblog covered the secure and non-secure phones used by president Barack Obama, whether in the White House, at his Summer residence or aboard Air Force One.

With Donald Trump taking over the US presidency in a few days, it's a good moment to look back and provide a comprehensive overview of the communications equipment during Obama's time in office.

Additional context for this was provided by a background story from the New York Times from April last year, as well as by several other sources, which show an almost complete overhaul of the communication systems of the Obama White House.

Preparations under George W. Bush

For the communications systems used by the president of the United States it was more important to be reliable, than to be up-to-date, and so the equipment often served decades, almost until the moment that there are few officials left who know how to maintain it.

Modernization started under the presidency of George W. Bush, not directly to keep up with the rapid rise of internet communications, but because the existing system failed during the attacks on September 11, 2001. As the 9/11 Commission report says:
"The President told us he was frustrated with the poor communications that morning. He could not reach key officials, including Secretary Rumsfeld, for a period of time. The line to the White House shelter conference room and the Vice President kept cutting off."

Conference room of the Presidential Emergency Operations Center (PEOC). September 11, 2001
In the drawer there's a small version of the Integrated Services Telephone (IST)
(White House photo - click to enlarge)

These failures led to an overhaul of communications systems and the installment of new equipment. Bush' deputy chief of staff Joe Hagin ordered for example the upgrade of the Intel 486 computers, replacement of the slow and cumbersome Lotus Notes e-mail system, and White House staff members started using the first BlackBerries.

From August 2006 to May 2007 the famous Situation Room in the West Wing basement underwent the biggest renovation since this facility was created under the Kennedy administration. It was transformed from one simple conference room with a small office space into a multi-room facility with high tech communications equipment, much like we got used to from fictional movies and tv-series:

Video about the White House Situation Room. December 2009.
(White House video - click to play)

Simultaneously, a new and highly secure telephone system was established that should prevent failures like on 9/11: the Executive Voice over Secure IP-network, which connects the president with all major decision makers, like the secretaries of State, Defense and Homeland Security and the Director of National Intelligence.

For this network, common Cisco 7975 unified IP phones are used, but instead of the bezel or faceplate being standard silver, it's bright yellow, which is the color code for the highest classification level: Top Secret/SCI. The phones themselves have no encryption capability, there are separate network encryptors, probably from General Dynamics' TACLANE familiy.

Obama calls the French president Hollande using the Cisco IP phone with
yellow faceplate for secure communications. Key Largo, Florida, March 8, 2014
(White House photo by Pete Souza - click to enlarge)

Before this new IP-network was installed, the president's secure phone calls went through the Defense Red Switch Network (DRSN), which is the secure telephone network for the entire US military. In 2001, the DRSN was still circuit-switched, but its special multilevel precedence and preemption (MLPP) functionality couldn't prevent the glitches during the September 11 attacks.

The DRSN uses custom-made telephone devices, the latest model being the Integrated Services Telephone 2 (IST-2), which can be used for both secure and non-secure phone calls. Probably because of this combined functionality, president George W. Bush got an IST-2 in the Oval Office and so this was also the phone that Obama found on his desk when he took over the Presidency in January 2009:

A single IST-2 telephone on Obama's desk, March 29, 2009
(White House photo by Pete Souza)

Although it was useful to have just one phone for secure and non-secure calls, the IST-2 was probably a bit too military-looking, and also a special cover plate had to be made to cover the 50 direct line buttons, to prevent visitors from seeing who Obama's primary phone contacts were:

The IST-2 telephone with cover plate. The wooden box with the presidential
seal and the red button is an emergency call device
(click to enlarge)

In March or early April 2011, the single IST-2 on the president's desk was replaced by two more common phone sets:

- A black Avaya/Lucent 8520T, which is for the internal White House telephone network that was installed in 1996 and can be used for all non-secure phone calls.

- A dark gray Cisco 7975G Unified IP Phone with expansion module 7916, which is for the highly secure Executive Voice over Secure IP-network, but instead of the yellow faceplate, the phone in the Oval Office has the standard silver one, probably to make it not stand out too much. Although this phone came on the president's desk under Obama, the system itself was already operational since 2007.

The Cisco 7975, Lucent 8520 and iPad 2 on Obama's desk, July 31, 2011
(White House photo by Pete Souza)

In the Oval Office, this configuration would stay in use until the Summer of 2015. The same telephone sets could be found in the office of the president's personal assistent, which is right next to the Oval Office, as well as in the West Wing offices of other White House staff members who may need secure voice communications:

Obama in the office of his personal assistent, with a black Avaya/Lucent 8520T
for non-secure and the gray IST-2 for secure phone calls, May 24, 2010.
Left of the television there's a smaller Avaya/Lucent 8410D.
(White House photo by Pete Souze)

President Obama bids farewell to his personal secretary Katie Johnson. June 10, 2011.
(Cisco 7975 IP phone for secure and the Avaya/Lucent 8520T for non-secure calls)
(White House photo by Pete Souza - click to enlarge)

The office of Ben Rhodes, deputy national security adviser for strategic communications,
with a black Avaya/Lucent 8520 and the Cisco IP phone with yellow faceplate.
Also note the white file cabinet with KABA MAS high security lock.
(photo: Doug Mills/The New York Times - click to enlarge)

In March 2011, president Obama received an iPad 2 directly from Apple founder Steve Jobs ahead of the commercial release. As of January 31, 2012, this device was used to provide Obanma with portions of the President's Daily Brief (PDB), a summary of the most important intelligence assessments. This electronic way of delivery allows analysts to add video and audio clips and interactive graphics. For security reasons, the wireless connections of the president's iPad are disabled.

New equipment under Barack Obama

Immediately after becoming the 44th president of the United States in January 2009, a problem arose with the BlackBerry that Barack Obama was almost addicted to before he was elected. The president using a BlackBerry was considered a big security risk, as foreign intelligence agencies could easily track the president's movements and intercept his communications.

Secured BlackBerry

Obama definitely wanted to keep his BlackBerry, so the White House Communications Agency (WHCA) and the National Security Agency (NSA) came up with a solution: in cooperation with engineers from BlackBerry manufacturer Research In Motion (RIM) they secured a set of regular BlackBerries with the SecurVoice application.

Somewhere in May or June 2009, this highly secured BlackBerry was delivered to president Obama as well as to a group of up to twenty people with whom he liked to stay in close contact with. This because it's only possible to have secure communications if both ends are using the same encryption method or device.

President Obama using his secured BlackBerry 8900 in the limousine while
traveling to the airport in Jakarta, Indonesia. November 10, 2010.
(White House Photo by Pete Souza - click to enlarge)

As of 2009, the White House Communications Agency (WHCA) started upgrading its Washington Area System network, modernizing six network switches in Washington, transiting secure telephone units to IP-based phones, purchasing 24 secure deployable voice switches, upgrading narrow and wideband satellite systems, and conversing the radio network used for presidential travels to an IP-based system.

As part of the Senior Leadership Communication System (connecting the president, vice president, Congress, secretary of Defense, chairman of the Joint Chiefs, etc.) the WHCA established a nationwide network that would survive a high-altitude electromagnetic pulse (HEMP) from a nuclear blast. This network would consist of fiber-optic rings with redundant connections with HEMP and non-HEMP networks.

For all this, the WHCA asked an extra $ 24.7 million for its 2009 procurement budget, which also included upgrading the Head of State network to an IP-network. This system is used by the president to communicate with foreign leaders, but unfortunately we have no additional information about it, so it's not clear which heads of state are connected to it and whether and how it is secured.

A small room within the White House Situation Room where the president
"can make a head-of-state phonecall from the Situation Room itself"
(screenshot from a White House video)

Cool phones?

Even though Obama inherited a fully modernized Situation Room and a sophisticated IST-2 phone on his desk, and was also provided with a uniquely secured BlackBerry, he still expressed his disappointment of the communications equipment he found in the White House. During a meeting with fundraisers in April 2011, he said:

"I always thought I was gonna have like really cool phones and stuff," and: "We can't get our phones to work." Acting out his exasperation: "Come on, guys. I'm the president of the United States! Where's the fancy buttons and stuff and the big screen comes up? It doesn't happen."

Although this wasn't really the case for the president's own equipment, it did apply to other White House employees. The New York Times reported that West Wing aides were stuck "in a sad and stunning state of technological inferiority: desktop computers from the last decade, black-and-white printers that could not do double-sided copies, aging BlackBerries (no iPhones), weak wireless Internet" and desktop phones from the mid-1990s.

Part of this problem was that responsibility for White House technology has long been divided between four agencies, each with their own chief information officer:
- the National Security Council (NSC)
- the Executive Office of the President (EOP)
- the US Secret Service (USSS)
- the White House Communications Agency (WHCA)
That led to a series of Band-Aid solutions over the years, as one agency or another has attempted piecemeal upgrades to White House gear.

"Composite of several images of the President and his national security team during meetings
in the Situation Room discussing the mission against Osama bin Laden" - May 2011.
On the table we see the Cisco with yellow faceplate and an STE secure phone.
(White House Photo by Pete Souza - click to enlarge)

Even in March 2016, when a full IT modernization had already started (see below), Obama said that the pop-culture depiction of presidential-grade technology and the real world are far apart: movies and TV shows "make it appear as if I’m in the [Situation] room and moving things. [We] have half a finger print and a half an hour later I’m tracking a guy on streets of Istanbul. Doesn’t work that way, no. Sometimes I’m just trying to get a connection."

After all the system upgrades, trying to get a connection should not be a problem anymore. Real-time monitoring of military of intelligence operations may be different, but the White House was eager to show that at least they were capable of doing so during the moments when US Navy SEALS killed Osama bin Laden on May 1, 2011:

President Obama in one of the small conference rooms of the Situation Room,
following the operation against Osama Bin Laden. May 1, 2011.
(White House Photo by Pete Souza - click to enlarge)

In the air

With quite some improvements of the ground-based communications systems, the equipment aboard Air Force One was still lagging behind. For their modernization, an $ 81 million contract was awarded to L-3 Communications in 2009. This included replacing outdated analog systems, providing fixed bandwidth switching and integrated secure/non-secure video teleconferencing.

By August 2012, all the old phone sets from the 1980s had been replaced by the Airborne Executive Phone (AEP), which is able to make both secure and non-secure calls from a single handset. It also provides Multiple Independent Levels of Security (MILS) for digital voice and internet data access.

President Obama talks on the phone aboard Air Force One. April 10, 2014.
The Airborne Executive Phone has the red light on, which means it's a secure call.
(White House Photo by Pete Souza - Click to see the full version)

After the upgrade of the phone system, administration officials still had to sent e-mails over an air-to-ground internet connection that was often no better than dial-up modems from the mid-1990s.

Current White House deputy chief of staff for operations Anita Decker Breckenridge told The New York Times that this wasn't acceptable anymore and that she has since worked with the Air Force to upgrade the president’s plane to broadband speeds: "This is the Oval Office in the sky. Talk about a network that didn’t work."

On the road

The Airborne Executive Phone was also installed in the presidential limousine: in the next picture we can recognize a dark gray version of the device between the seats, underneath the presidential seal. President Obama seems to be using a Motorola RAZR flip-phone, for which there's a cradle right next to the side-window.

Previously, an earlier Motorola clamshell phone was used inside the limousine, which means that there must also be a picocell inside, as the heavily armored vehicle will act as a Faraday cage that blocks wireless signals. In the picture, Obama also has two BlackBerries and his iPad in a cover:

President Obama talks on the phone with Aurora Mayor Steve Hogan during the
motorcade ride to Palm Beach International Airport. July 20, 2012.
(White House Photo - Click to enlarge)

(The WHCA also provides secure and non-secure telephones at every location the president visits while traveling. These phones are slightly different and will be described in a separate article later on)

On vacation

"Presidents don't get vacations, they just get a change of scenery" - so when president Obama was on Summer vacation at the Blue Heron Farm in Chilmark on the island of Martha's Vineyard, the White House Communications Agency (WHCA) would install all the necessary equipment, especially for secure communications.

In the following picture we see Obama during his vacation in August 2011, with on the table two common white Panasonic KX-TS108W office phones, which the WHCA provides for non-secure calls. For highly secure calls, two Cisco 7975G Unified IP Phones with yellow faceplate were installed:

> Read more: Obama on vacation

President Obama monitoring Hurricane Irene with his assistant John Brennan and
some other officials. Martha's Vineyard, Massachusetts, August 26, 2011
(White House photo by Pete Souza - click to enlarge)

The New York Times reported about a situation during Obama's Summer vacation in 2014: when White House aides accompanying the president struggled with their laptops as they tried to revise a presidential statement, they could not get on-the-road tech support from the WHCA because the agency’s staff members were not authorized to log in to computers issued by the Executive Office of the President.

IT modernization

After this incident in Martha's Vineyard, White House deputy chief of staff for operations Anita Breckenridge was determined to finally fix the mess of the presidential communications systems.

By March 2015 she had hired David Recordon, who designed and maintained the office technology for Mark Zuckerberg and the other employees at Facebook, to modernize the White House IT systems. Just 28 years old, he was appointed as the first Director of White House Information Technology. "It was an interesting challenge and world for me" according to Recordon.

For this overhaul, the White House didn't need to request additional money - it was paid out of the existing technology budgets for the various agencies involved. In some cases, money was saved by eliminating duplications: the four agencies involved no longer negotiate their own contracts with cellphone companies and no longer buy duplicate copies of software licenses.

President Obama in his private study in the Treaty Room of the White House. We see two
black Avaya/Lucent 8410 phones, a computer screen and an HP laser printer. March 2009.
(Callie Shell/Aurora Photos - click to enlarge)

New IP phones

After almost 20 years, the old internal White House telephone network with the black Avaya/Lucent telephones was replaced by a new IP-based system with the latest Cisco IP phones from the 8800-series.

These phones have full-color (video)screens, WiFi and Bluetooth connectivity (although likely disabled for security reasons), and speed-dial buttons that can be configured online - for the old desktop phones only few staff members knew how to program them. Many White House aides now carry the most recent iPhones, but Obama still carries his own specially modified BlackBerry.

The new IP phone system seems to have been first rolled out in the White House staff offices in the Eisenhower Executive Office Building (EEOB) right across the street, where the new phones were first seen in this picture from November 2015:

White House staffers in the social media office of the White House
in the Eisenhower Executive Office Building. November 2015
(photo: Stephen Crowley/New York Times - click to enlarge)

Later, the new phones also made their way to the office of Obama's personal secretary, right next to the Oval Office, where they replaced the old Avaya/Lucent Lucent 8520T and now sit next to the older Cisco IP phone for the highly secure Executive Voice over Secure IP-network (here also with the standard silver instead of the yellow faceplate):

Obama presents a birthday cake to his personal secretary Ferial Govashiri,
in her office just outside the Oval Office. August 30, 2016
(White House photo/Pete Souza - click to enlarge)

Strangely enough, this new Cisco IP phone was not yet installed on the president's desk in the Oval Office. There, a much simpler telephone from a different manufacturer had replaced the old big black Lucent 8520 by May 2015. The new Avaya 9608 IP phone is a very common office phone with just an average monochrome display and only a few direct line buttons:

President Obama talks on his phone for secure calls with Secretary of State
John Kerry. In front of it there's the new Avaya 9608, July 13, 2015.
(White House photo by Pete Souza - Click to enlarge)

This Avaya IP phone was also placed underneath the side-table in the seating area of the Oval Office, as can be seen in the following picture. In the seating area there's always the same set of telephones as on the president's desk, but when the president makes a phone call, he usually uses the ones on his desk. The phones in the seating area can then be used by his aides or advisers to listen in to the call.

President Obama and FBI Director James Comey speak to members of
the media in the Oval Office of the White House, June 13, 2016.
(AP Photo/Pablo Martinez Monsivais - click to enlarge)

However, in November 2016, the Avaya phone underneath the side table had been replaced by the more futuristic looking Cisco IP phone from the 8800-series, but on the president's desk there still seems to be the simpler Avaya device.

Jann Wenner visits president Obama in the Oval Office, the day
after the 2016 presidential election, November 9, 2016.
(White House photo/Pete Souza - click to enlarge)


A close look at the high-resolution version of a photo from December 24, 2016, shows that also on the president's desk, the Avaya phone has been replaced by what can be recognized as the new Cisco from the 8800-series, with some kind of module on the back.

Meanwhile, readers of this weblog have recognized that the box on the back is because this Cisco 8841 IP Phone has been modified in order to meet Telephone Security Group (TSG) standards, including on-hook security for the headset and speakerphone, in this case by Advanced Programs, Inc. (API). The modified phones can also be recognized by the bright red secure hold button:

On the very last day of the Obama administration, just hours before Donald Trump was inaugurated, all the offices of the White House West Wing were empty, leaving just the new communications equipment:

Empty desks in the White House press offices, with a new Cisco IP phone, a new computer
screen and keyboard with integrated smartcard reader. January 20, 2017.
(photo: David Nakamura/The Washington Post - click to enlarge)

New computers

Besides the new telephone system, director of White House Information Technology David Recordon also installed a new computer network. The New York Times reported that first he tried to map the miles of Ethernet cables and phone wires inside the walls of the White House. His team of technicians eventually discovered and removed 13,000 pounds of abandoned cables that no longer served any purpose.

"They had been installed over the decades by different organizations using different standards, different techniques, from different eras" Recordon said. "They were finding these pipes that just had bundles of cable that had been cut off over the years, no longer used. So we just started pulling it out."

With the wiring fixed, Recordon started replacing the old computers by new ones with fast, solid-state drives and fast processors, as well as installing color printers. The WiFi is now made strong enough to live-stream for example an event on Facebook from the Roosevelt Room. And finally, the White House has started requiring users to log on to their computers with two-factor authentication using a smartcard and a pincode.

An Avocent KVM-switch and a smartcard-reader with a smart ID card
inserted, as seen in Ben Rhodes' White House office
(photo: Doug Mills/The New York Times)

Links and sources
- The New York Times: Obama Boosted White House Technology; Trump Sees Risk (Dec. 2016)
- The White House: How the Presidential Transition Works in the Social Media Age (Oct. 2016)
- The New York Times: Technology Upgrades Get White House Out of the 20th Century (Apr. 2016)
- Comparison of Cisco IP phones: Impressions of the 8861 (Aug. 2015)
- Many more pictures at Cryptome: Obama Phones (Jan. 2012)
- NBC News documentary: Inside the Obama White House (2009)
- See also: The White House Museum

December 29, 2016

Obama used a cybersecurity link for the first time to warn Russia

(Updated: January 7, 2017)

Shortly before the recent US presidential election, a dedicated cybersecurity hotline with Moscow was used by president Obama to warn the Russian government not to interfere with the election process through hacking operations.

Press reports compared the cybersecurity with the "Red Phone", which many people believe is used on the Hotline between Washington and Moscow. That's not true, and also Obama's message seems not to have been transmitted by phone, but through an e-mail channel which is maintained by the Nuclear Risk Reduction Center (NRRC).

The Nuclear Risk Reduction Center (NRRC) at the US State Department,
which also maintains the cybersecurity communications link
between US and Russian Computer Emergency Readiness Teams
(screenshot from a State Department video)

Obama's message

The fact that on October 31, US president Obama sent the Russians a direct message through the cyber channel was first reported on December 16. Three days later, NBC News came with some details about the content of the message. According to anonymous officials, it included phrases like "International law, including the law for armed conflict, applies to actions in cyberspace" and that the US "will hold Russia to those standards."

However, another senior intelligence official told NBC that the message was "muddled" because there was no bright line laid down and no clear warning given about the consequences. According to the official, the Russian response was non-committal. It's worrying that these government officials are leaking the content of the message, thereby undermining the necessary confidentiality of such an important hotline.

Obama's warning message was not about the hacking of the Democratic National Committee (DNC) or of it's chairman John Podesta, which director of national intelligence James Clapper had previously said was conducted with the knowledge of the Russian leadership. Instead, the warning reportedly only referred to the concerns about hacking around the election process itself.


On December 29, 2016, the White House announced actions "in response to the Russian government’s aggressive harassment of U.S. officials and cyber operations aimed at our election." As most visible action, 35 Russian intelligence operatives under diplomatic cover were expelled and two Russian compounds were closed, but although that seemed to be a response to the Russian hacking operations, it was actually a retaliation for the harassment of US diplomats over the past 2 years.
Regarding Russian hacking, only several GRU officials, two Russian hackers and a few Russian companies were named. Also some technical information was published in a Joint Analysis Report (JAR) by the FBI and the US-CERT, to identify Russian cyber attacks, but experts considered this information inconsistent and hardly useful.

US president Obama and Russian president Putin during
the G-8 summit in Northern Ireland in June 2013
(photo: Kevin Lamarque/Reuters - click to enlarge)

The cybersecurity link

On June 17, 2013, shortly after the start of the Snowden-revelations, the White House announced that during the G-8 summit in Northern Ireland, Russia and the United States had agreed upon several confidence-building measures (CBMs) to reduce the mutual danger from cyber threats. This includes the regular exchange of technical information about malware and other kinds of risks to critical systems, which appear to originate from each other’s territory and/or could be misperceived as an attack.

Such information is exchanged between the US Computer Emergency Readiness Team (US-CERT), which is part of the National Cybersecurity and Communications Integration Center (NCCIC) of the Department of Homeland Security (DHS), and its Russian counterpart. To provide secure and reliable communication lines for the formal inquiries about cybersecurity incidents, this task was delegated to the Nuclear Risk Reduction Center (NRRC - see below).

Secure voice line

Besides the information channel via the NRRC, the White House and the Kremlin also agreed to set up a direct secure voice communications line between the US Cybersecurity Coordinator at the White House and the Deputy Secretary of the Security Council of Russia, in case there should be a need to directly manage a crisis situation arising from a cybersecurity incident.

The announcement said that this direct voice line "will be seamlessly integrated into the existing Direct Secure Communication System ("hotline") that both governments already maintain" - which indicates that this line runs over the same redundant and secure satellite link as the Direct Communications Link (DCL, which is the official name of the Hotline) and the Direct Voice Link (DVL) between both heads of state.

We have no information about how this direct cybersecurity voice line is secured, but earlier, similar high-level bilateral telephone links consisted of Secure Telephone Equipment (STE), provided by the US.


As the press reports say that Obama's message was sent via the NRRC, we have to assume that it was in the form of an e-mail, and not a call through the secure voice channel. It was also reported that "the Obama administration had never used the cyber line before", but it's not really clear whether that means that the president never sent a message this way, or that the system was never used in any way.

The latter would mean that since 2013 no information about suspicious network intrusions has been exchanged between Russia en the US. The secure voice line for cybersecurity incidents has then probably also never been used - this kind of high-level direct phone lines seem rarely used in general.

Watch center of the National Cybersecurity and Communications Integration Center (NCCIC),
which includes the US-CERT. On the right there's an STE secure telephone.
(photo: Saul Loeb/AFP/Getty Images - click to enlarge)


The Nuclear Risk Reduction Center

The relay of cybersecurity messages is now one of the tasks of the Nuclear Risk Reduction Center (NRRC), which is located in the US Department of State (DoS). Its Russian equivalent is part of the Russian Ministry of Defence. The Cyber Security Protocol agreed upon in 2013 is the latest of 14 arms control treaties and agreements for which the NRRC exchanges information with more than 55 foreign governments and international organizations.

The NRRC consists of a watch center that operates 24 hours a day, 365 days a year and is staffed by Department of State Foreign Service officers, civil servants, and technical support personnel. They provide and receive inspection notifications, exchanges of data regarding strategic offensive arms, prior notifications of major exercises or unit restructurings, and other treaty-required communications.

The NRRCs were established by an agreement between the United States and the former Soviet Union from September 15, 1987 in order to build confidence through information exchange about their nuclear arsenals. The centers became operational on April 1, 1988. After the split-up of the Soviet Union in 1991 this secure data link, officially called Government-to-Government Communication Link (GGCL), was extended to Ukraine, Belarus and Kazakhstan.

Initially, these communication links consisted of facsimile devices, with (one-time pad) encryption conducted by personal computers and the random keys provided on 5¼ inch floppy disks, just like on the Washington-Moscow Hotline. As of late 1995, the NRRC communications shifted to encrypted e-mail with an additional chat channel for coordination purposes.

State Department video about the Nuclear Risk Reduction Center (2012)
(click to play)


Red Phone versus Hotline

It may be more than clear now that Obama's warning message had nothing to do with a "Red Phone", but it should be mentioned that the White House and the military did use red phones, although not for international, but for internal communications between the president and the military command centers. This was achieved through a secure military telephone network: the Defense Red Switch Network (DRSN).

Through popular culture, the image of a red telephone became projected to the direct communications link between Washington and Moscow, but this is false: the Hotline was never a phone line, as it was set up in 1963 as a teletype connection, which in 1988 was replaced by facsimile units. Since 2008 the Hotline is a highly secure computer link over which messages are exchanged by e-mail.

What the Hotline terminal at the Pentagon looks like nowadays can be seen in the following picture, which was released on the occasion of the 50th anniversary of this communications link in 2013:

The Washington-Moscow Hotline terminal room at the Pentagon (2013)
(photo: www.army.mil - click to enlarge)

Other options?

Besides the cybersecurity channels, the NRRC and the Hotline, the US government has two additional channels for direct communications with the Kremlin: the Foreign Affairs Link (FAL) between the State Department and the Russian foreign ministry, and the Defense Telephone Link (DTL) between de defense ministries of both countries. Both are secure phone lines, which also exist with a range of other countries.

This means that president Obama had several other options for transmitting his warning to Russia. It seems the NRRC cybersecurity channel was chosen because it was about the threat of cyber attacks, but still, such a warning message seems not what that channel is meant for, which is the exchange of technical information about actual intrusions that could be misinterpreted as a deliberate attack.

Therefore, the Foreign Affairs Link (FAL) would probably have been more appropriate: US secretary of state John Kerry could have called his Russian counterpart to issue the warning. But generally, for important messages in which every word counts, written communications are preferred, so that left only the NRRC or the Hotline.

Using the Hotline was probably considered too dramatic, and therefore the remaining option was the cybersecurity channel maintained by the NRRC.

Links and sources
- NextGov: Obama's cyber legacy: He did (almost) everything right and it still turned out wrong (2017)
- The Washington Post: Obama administration is close to announcing measures to punish Russia for election interference (2016)
- EmptyWheel: Now the spooks are laking criticism of Obama's sole use of the "Red Phone" (2016)
- NBC News: What Obama Said to Putin on the Red Phone About the Election Hack (2016)
- The New York Times: White House Confirms Pre-Election Warning to Russia Over Hacking
- The White House: U.S.-Russian Cooperation on Information and Communications Technology Security (2013)

December 16, 2016

A perspective on the new Dutch intelligence law

(Updated: January 17, 2017)

Since the Snowden-revelations, several countries adopted new laws governing their (signals) intelligence agencies, but instead of restricting the collection capabilities, they rather expand them. Previously we examined the new laws that have recently been implemented in France. This time we will take a look at the Netherlands, where a new law for its two secret services is now being discussed by the parliament.

The situation in the Netherlands is different in at least two major aspects from many other countries. First, there is no institutional separation between domestic security and foreign intelligence as the two secret services combine both tasks. Second, the current law restricts bulk or untargeted collection to wireless communications only, so cable access is only allowed for targeted and individualized interception.

The headquarters of the General Intelligence and Security Service AIVD
in Zoetermeer, not far from The Hague
(photo: NOS - click to enlarge)

Secret services

The two Dutch secret services, which were both created during a major reorganisation in 2002, are:

- General Intelligence and Security Service (Dutch: Algemene Inlichtingen- en Veiligheidsdienst, or AIVD), which falls under the Interior Ministry and is mainly responsible for domestic security issues, but also has a small branch that gathers intelligence information from and about foreign countries. In 2015, AIVD had over 1300 employees and a budget of 213 million euros.

- Military Intelligence and Security Service (Dutch: Militaire Inlichtingen- en Veiligheidsdienst, or MIVD), which falls under the Defence Ministry and is mainly responsible for military intelligence related to peacekeeping missions and military operations overseas. They also have to provide security for the armed forces. In 2015, MIVD had over 800 employees and a budget of approximately 85 million euros.

The Netherlands has no separate signals intelligence agency, but in 2014, the Joint Sigint Cyber Unit (JSCU) was created as a joint venture of AIVD and MIVD. The JSCU integrates the collection of signals intelligence and cyber defense operations on behalf of both agencies. The unit is located in the AIVD headquarters building in Zoetermeer and has a workforce of some 350 people. The head of JSCU is also the point-of-contact for foreign signals intelligence agencies, like NSA and GCHQ. The JSCU operates two listening stations: a relatively large satellite intercept station near the northern village of Burum, and a very capable High Frequency radio listening post in Eibergen near the German border.

The fact that the Dutch secret services combine both domestic security and foreign intelligence tasks, also means that there’s just one legal framework for both, and that authorisations are not only required for domestic operations, but also for foreign ones. Therefore, the Dutch services don’t have to separate foreign and domestic communications, which proved to be such a painful job for NSA and the German BND.

The headquarters of the Military Intelligence and Security Service MIVD
at the compound of the Frederik Barracks in The Hague

Dutch capabilities

During an interview with Dutch television in January 2015, Edward Snowden said that "the US intelligence services don't value the Dutch for their capabilities, they value them for their accesses, they value them for their geography, they value them for the fact that they have cables and satellites... a sort of vantage point that enables them to spy on their neighbours and others in the region in a unique way."

This doesn't show much familiarity with the issue, as the Dutch services have no "cables" yet and "satellites" are mainly intercepted for their foreign traffic. In reality, what makes Dutch intelligence interesting for NSA isn't spying on their neighbours, but their spying overseas: data they collect during military missions in Afghanistan and Mali, during navy missions around the Horn of Africa, by the quiet Dutch submarines, and radio traffic from the Middle East intercepted at the Eibergen listening post.

Some numbers

In 2009, the Dutch government provided the number of targeted interceptions conducted by the secret services: 1078 by AIVD and just 53 by MIVD. This number doesn’t seem very high (especially taking in account that targets often use multiple phone numbers) - but in the same year, French intelligence services were allowed to tap 5029 phone lines, although it’s not clear whether these number count in the same way.

Dutch government refuses to publish such numbers for more recent years, saying that that would give to much insight in the modus operandi of the agencies. A strange argument, because such numbers say nothing about the targets and also because countries like the US and Germany regularly publish even more detailed numbers. Like the police, the secret services also request metadata (verkeersgegevens or printgegevens) from the telecoms, but for this there are no numbers available.

Secret services vs. police force

In 2014, Dutch police conducted over 25.000 phone and internet taps, which is way more often than in other countries (it seems that Snowden had this in mind when he erroneously said that the Dutch secret services are the “surveillance kings of Europe”). The reason for this is that Dutch police rarely conducts undercover, observation and bugging operations, which are considered much more controversial and intrusive than phone taps.

Originally, targeted interception by the police was only allowed for crimes that could be sentenced with 4 years or more imprisonment and only for phone numbers used by the suspect himself, but with a new law on special criminal investigation methods from the year 2000, these restrictions were abolished.*

The Dutch police force has its own unit for targeted interceptions and in 2006 operated at least one IMSI-catcher (the AIVD two), which may be used both for finding out unknown phone numbers of known suspects, as well as for the targeted interception of phone calls. It’s also allowed to use Wifi-catchers.* Unlike in France, Dutch secret services do not work on or support police investigations under the authority of a judge.

Eavesdropping authorities of Dutch police and secret services.
Situation until new laws will probably be passed in 2017.
(click to enlarge)

Oversight bodies

The Netherlands there is a quite thorough oversight for the intelligence and security services. This is conducted by the independent commission CTIVD and the parliamentary commission CIVD:

The main oversight body is the Review Committee for the Intelligence and Security Services (Commissie van Toezicht op de Inlichtingen- en Veiligheidsdiensten, or CTIVD), which consists of three independent members, appointed by royal decree, who are supported by a secretariat of 10 people. The strength of this commission is that it has the right to access all documents and computers systems and speak to all employees: commission members can actually walk in, pull open drawers and log into the networks of both AIVD and MIVD.

The CTIVD publishes an annual report, but also conducts investigations on specific matters, like targeted interception in general or specific cases based upon press revelations. This results in a steady flow of reports, most of them public, which provide a detailed insight into the work of the Dutch services, of course without revealing specific methods or other sensitive details.

The other oversight body is the Committee for the Intelligence and Security Services (Commissie voor de Inlichtingen- en Veiligheidsdiensten, or CIVD), comprising the leaders of all political parties represented in the Second Chamber of the Dutch parliament. In this commission, which meets about 10 times a year in utmost secrecy, the party leaders are briefed by the responsible ministers and the heads of both secret services.

Within the context of the CIVD, the party leaders have the right to read classified documents, but when they make notes, even those notes are considered classified and may not leave the secure room. They can also ask, through the minister, to question employees of the secret services, but they have no powers to force them, nor to hear them under oath.


According to scholars and historians, the CIVD commission isn’t really fit to conduct thorough oversight. The party leaders are involved with way too many other political issues, and therefore they not always attend the commission meetings. A leak from this commission in February 2014 also made clear that the government can apparently rather easily report about things in such a way that the party leaders miss the actual importance of it.

Independent experts proposed that the commission should at least be extended with specialized members of parliament so intelligence issues receive full attention and better understanding, but this proposal was rejected by the party leaders. They seem not really interested in the work of AIVD and MIVD, which is especially worrying given the very secretive way the Dutch government deals with intelligence issues.

The Dutch satellite intercept station near Burum, operated by JSCU
(photo: ANP - click to enlarge)

Towards a new law

Currently, the two Dutch security and intelligence services are still governed by the Intelligence and Security Services Act from 2002 (Dutch: Wet op de inlichtingen- en veiligheidsdiensten, or Wiv). In February 2013, an evaluation commission for this law was installed, led by Stan Dessens. In its report from December of that year, the commission recommended that the intelligence services would be allowed to also conduct bulk collection on cable-bound communications. But given increased public scrutiny since the Snowden revelations earlier that year, the commission also urged for stronger oversight and more transparency.

It then took until July 2015 before the government published its proposal for a new law. This was followed by an internet consultation, in which anyone could submit an opinion about the proposal through a government website. This resulted in over 1100 reactions, 500 of them public and most of them very critical (it should be noted though that (the highly critical) digital rights organization Bits of Freedom provided an online tool for easily submitting standardized reactions).

Given this amount of critique, including from major telecommunication providers and internet companies, the government reconsidered its proposal. On April 15, 2016 the draft was discussed in the council of ministers. The new text wasn’t released, but the government announced that some changes had been made:

- A new independent review commission (Toetsingscommissie Inzet Bevoegdheden, or TIB) that has to approve all requests for both the new bulk cable access and the existing targeted interceptions. This commission will be different from the existing independent oversight commission CTIVD and will actually consist of just 1 member and two substitutes, who have to be judges with at least 6 years of experience.

- When AIVD or MIVD want to intercept the communications between lawyers and their clients or between journalists and their sources, there has to be prior approval by the district court of The Hague. This extra protection is required by the rulings of the European Court for Human Rights.

- The government will pay for the costs of the untargeted cable tapping, which are estimated at 15 million in 2017, 25 million in 2018 and 35 million in 2019. The initial plan was to let the telecommunication companies pay for the necessary equipment on their networks, something they strongly opposed. The government plans to get one access location ready for bulk interception each year, so the agencies can gradually get used to this new method. In 2020, there will be four access locations, which will be chosen according to specific information needs and in consultation with the telecoms.

On April 29, the newspaper De Volkskrant disclosed the full text of the revised proposal, including the over 400-page explanatory memorandum (Memorie van Toelichting, or MvT). Here it was read that the government had replaced the original "untargeted interception" (ongerichte interceptie) by a horrible new term meaning something like "interception according to research assignment" (onderzoeksopdrachtgerichte interceptie) - clearly meant to sound more focused and limited, in order to counter the popular image of an indiscriminate dragnet.

This revised proposal was sent to the Council of State, which must be consulted before a law is submitted to parliament. Instead of a legal review of the full proposal, the Council only addressed a few topics. The controversial bulk cable access is considered necessary enough to be in accordance with the European Convention on Human Rights (ECRM), provided that there’s strong and independent oversight.

However, the Council expressed serious doubts about the effectiveness of newly proposed TIB commissioner, which lacks the expertise and capacity of the existing CTIVD commission. The proposed approval by the TIB could therefore end up like a "rubber stamp". It would be better to give the CTIVD commission the right of non-binding prior approval and the Council advises the government to change the draft in this way, before sending it to parliament.

Another point of critique is that data collected in bulk may be kept for 3 years, which the Concil thinks is too long and has to be shortened significantly. The Council was also especially concerned about the analysis of "big data" and wants to see a more general vision on how big data analysis affects the work of the secret services, like to what extent there’s a shift from collecting data to analysing already existing data sets.

After receiving the Council of State’s consultation from September 21, some changes were made, with the most important one being that the TIB is extended from one commissioner to a commission of three, with 2 judges, one member with for example technical expertise, and its own secretariat - thereby ignoring the main point of the Council of State’s recommendation.

The final proposal was discussed by the Dutch cabinet on October 28 and subsequently submitted to parliament. In December, the responsible parliamentary commission consulted the oversight committee, secret service officials and outside experts. The Second Chamber of parliament is expected to vote on the new law in the first week of February, which is just before the Dutch general elections on March 15, 2017.


AMS-IX internet Exchange co-location at the National Institute for Subatomic Physics
Will the Dutch services select cables at this kind of locations for bulk collection?
(photo: Martin Alberts/Stadsarchief Amsterdam - click to enlarge)

Bulk cable access

The most important and most controversial new feature of the proposed intelligence law is the bulk collection of cable-bound communications. In the proposed law, the regulations for bulk collection will be made "technology independent", so they apply to both wireless communications (SHF satellite and HF radio) and fiber-optic cable traffic (internet and telephony). For this, the new law introduces a framework of 3 stages:

1. Acquisition (article 48):
Selecting specific cables and satellite channels from specific internet providers and satellites. Then conduct filtering to let through or block certain types of traffic (peer-to-peer, music and movie streams, etc.) and/or traffic from/to particular countries of interest. The remaining data may be stored for up to 3 years.
It should be noted that this means that both metadata and content are simply stored, like put in a big box, where at NSA and GCHQ content is only buffered for several days using the XKEYSCORE system, which prevents unnecessary storage of content that is not of interest.

2. Preparation (article 49):
   a. Search the communication links to determine the type of traffic and the persons or organisations it belongs to. The law mentions this as part of stage 2, suggesting that it follows upon stage 1, but actually this activity supports and therefore goes parallel to the selection of the right cables and channels during stage 1.
   b. Look for new, or verify already known selectors related to known targets, and look for new targets related to selectors already known - this is actually a kind of contact-chaining like in stage 3, but here not for the sake of analysis, but to see whether the stored bulk actually contains data or new selectors that match already approved selectors of known targets.
(This stage 2 is very artificially composed and the whole process would be much clearer and simpler when section a. would be incorporated in stage 1 and section b. in stage 3)

3. Processing (article 50):
   a. Conduct metadata analysis using the metadata from the stored bulk sets of data. These can be used for contact-chaining, creating a pattern-of-life or other kinds of analysis in which the collected metadata can also be correlated with other datasets.
   b. Selecting the content of communications by picking them out of the stored bulk data sets when there’s a match with approved selectors.

For each of these stages AIVD and MIVD need a prior authorisation from their respective minister, which is valid for up to 12 months (3 months for the content selection of stage 3). Each authorisation will then have to be approved by the TIB commission.

The government already expects that authorisations for stage 1 and 2 will often be combined. As these stages are part of a continuous process, the Council of State also noticed that it seems not very realistic to make such clear distinctions and acquire separate authorisations. This means that in practice, authorisations will likely be combined for all 3 stages, thereby largely mitigating the goal of the system.

Overview of the 3 stages for bulk access to cable-bound communications
as proposed by the new Intelligence and Security Services Act
(click to enlarge)

Just like with the sudden introduction of the TIB commissioner, this 3-stage authorisation scheme seems primarily aimed at comforting the public opinion. The government presents them as safeguards against abuses, but they actually make things unnecessarily complicated with a substantial risk that they will end up to be counterproductive.

These extra safeguards were introduced partly because the government couldn’t very well explain why the new bulk collection of cable communications is actually that necessary. The standard example used by the interior minister is about access to cables from the Netherlands to Syria, but communications related to known targets can already be covered by targeted interception, while for example Facebook and Whatsapp messages actually go through cables from the US.

Supposed purposes

On April 20, 2016, public broadcaster NOS revealed a confidential document that apparently addressed internet providers and contains some more specific examples for the proposed bulk cable access. For example when people from a fictitious city of 400.000 inhabitants communicate with a certain chat service, this should be interceptable. Also internet traffic for a maximum of 200 people has to be 'searched', but it isn’t clear whether that applies to the example of the city, or whether this is a total.

Another example from the document is about public wifi hotspots. Communications of people accessing certain hotspots and/or using these to visit certain foreign websites must also be interceptable. The document also speaks about telephone traffic between a Dutch city and a foreign country as well as about the internet traffic between someone in a Dutch city and in a foreign country in which for example bittorrent is used. All this must be interceptable.

There are no rules for "minimizing" (anonymising) the results of this kind of collection, likely because both secret services have both a domestic and a foreign intelligence task, so they are not prohibited from using domestic data, like agencies in other countries.

Overview of the safeguards for untargeted cable access (in Dutch)
Stage 2 is only mentioned where it prepares for stage 3
(source: Dutch government - click to enlarge)

The champions in cable tapping are NSA and GCHQ, but there we already see a shift towards cyber defense and hacking operations, things that got much less attention in the Dutch public opinion and (probably therefore) also not in the new law.

Cyber security monitoring

The proposed bulk cable access is not only meant for intercepting communications, but also for cyber security purposes. The strange thing is that this isn’t explicitly mentioned in the new law itself, but only, and even rather short, in the explanatory memorandum. It is said that the new articles 48 and 49 make it possible for AIVD and MIVD to scan cable-bound network traffic for malware signatures and other anomalies which may pose a threat for national security.

This cyber security monitoring may only take place after prior approval by the minister, who will specify on which particular part of the cable infrastructure and for which goal the network monitoring or network detection may take place. Where bulk cable access for intercepting and analysing communications will only be conducted on sets of data that are stored offline, the cyber security task can also take place online: traffic will then be analysed in real-time by for example a DPI (Deep Packet Inspection) system.

The explanatory memorandum mentions real-time online monitoring only for cyber security purposes. Later on, it is said that bulk collection for the purpose of intercepting communications is less intrusive than a traditional targeted interception, because the latter results in an online and real-time collection of all the target’s communications, while the bulk collection only provides the limited set of data that has been stored offline. This distinction isn’t explicitly mentioned in the proposed law itself, so it’s unclear whether real-time monitoring and filtering systems are also allowed for interception purposes.


Antennas of the HF radio intercept station in Eibergen, operated by JSCU
(photo: Peter Zandee/De Gelderlander - click to enlarge)

Third party hacking

Another important new feature in the new law is about network and computer hacking. Already under the current law from 2002, both secret services are allowed to hack into digital systems and networks, but only those being used by a particular target (Dutch police isn’t allowed to hack, but another new law is expected to change that soon). Additional to this, the proposal will also allow AIVD and MIVD (or JSCU on their behalf) to hack computer systems used by third parties, whenever that is necessary to get access to a target’s computer.

Obviously, so-called hard targets can secure their systems in a way that it is hardly possible to break in, or they can avoid online systems as much as possible, so the only option will be to get access through third parties near or in contact with such a target. But still this extension of powers is remarkable because this is one of the most controversial methods that came to light in recent years. GCHQ for example hacked the network of the Belgian telecom company Belgacom as a means to get access to still unknown targets.

Despite third party hacking is probably just as controversial as the bulk cable tapping, the government didn’t introduce separate authorisations for the various steps in the hacking process, like they did for untargeted interception. This means that hacking operations, no matter how intrusive or extensive, require only a single authorisation set (minister + TIB commission).

However, each authorisation by the minister has to make sure that the use not only of hacking methods, but also of all other special intelligence methods is in accordance with these three basic rules:

- Necessity: a method must be necessary to fulfill the intelligence or counter-intelligence mission.

- Proportionality: the consequences of a method have to be in proportion to its goal.

- Subsidiarity: a method may only be used when the goal cannot be achieved through a less intrusive method.

Contributions to this article were made by Zone d'Intérêt, a French weblog about intelligence & defence, on which this article was also published as part of an ongoing series about new laws on intelligence and security services.

On December 30, 2016, members of parliament submitted hundreds of questions about the draft Intelligence and Security Services Act, but no substantial changes were proposed. In its answers from January 18, 2017, the government stuck to its initial position. The only change worth mentioning is that when during untargeted interception data are considered not of interest, they have to be deleted immediately - the word "immediately" wasn't in the original text.

However, the government's answers also provided some clarity, as it was said that the untargeted cable access doesn't mean that the secret services will get access to a complete fiber-optic cable (through cable-splitting), but that instead the telecoms will likely only copy specific and selected channels (through port mirroring) and provide these to the government for further processing, which is a more targeted and flexible way.

Given that members of parliament were mainly focused at the untargeted interception, or "dragnet" as many call it, there was less attention for the new hacking capabilities and nothing was clarified about how the services will use the new cable access for cyber security purposes.

On february 8, the Second Chamber of the Dutch parliament discussed the proposal during a 9-hour debate in which several parties proposed over 40 amendments to the new law, but again the government wasn't willing to change anything. The vote was on February 14, 2017 and the law passed with a fairly large majority. Now the new law will be reviewed by the Senate or First Chamber of parliament, but it's expected that it will pass there too.

Links and sources
- Bits of Freedom: Moties en amendementen bij de nieuwe Wiv (Febr. 2017)
- Netkwesties.nl: Graag wat meer technische inbreng bij debat over nieuwe wetgeving (Dec. 2016)
- Tweede Kamer: Hoorzitting/rondetafelgesprek inzake de nieuwe Wiv (Dec. 2016)
- BoF protest website: www.geensleep.net (Dec. 2016)
- NRC.nl: De geheime dienst is een gemakkelijke zondebok (Nov. 2016)
- Tweede Kamer: Wetsvoorstel 34588 (Oct. 2016)
- Volkskrant.nl: 'Onschuldige burgers hebben niet zoveel te vrezen' (Apr. 2016)
- Volkskrant.nl: Kabinet houdt vast aan massaal aftappen internetverkeer (Apr. 2016)
- Bart Jacobs: Select while you collect - Over de voorgestelde interceptiebevoegdheden voor inlichtingen- en veiligheidsdiensten (Jan. 2016)
- Blog.cyberwar.nl: [Dutch] Lijstje van reacties van organisaties op de Wiv-consultatie (Sept. 2015)
- Bart Jacobs: Vluchtig en Stelselmatig. Een bespreking van interceptie door inlichtingen- en veiligheidsdiensten (Febr. 2015)