Netherlands says armed forces could tackle ransomware attacks


Officials and experts debate legality and diplomatic ramifications of the declaration

Prajeet Nair (@prajeetspeaks) •
October 8, 2021

The Dutch government has said it could use intelligence agencies or military services to counter cyber attacks – including ransomware attacks – that threaten the country’s national security.


“If a ransomware attack, whether financially or not, crosses the threshold of (manifesting) a threat to national security, for example due to the failure of vital sectors, then the government has other resources,” Foreign Minister Ben Knapen said in a letter responding to a parliamentary inquiry into how the country could potentially respond to ransomware attacks.

Knapen says it is important that states are held accountable and that measures such as sanctions can be imposed if their actions violate accepted standards of behavior in cyberspace, such as authorizing cross-border criminal cyber operations, including ransomware attacks.

“An example of the latter case is the taking offline (or taking offline) of an IT infrastructure that is part of the attack infrastructure or used for digital espionage or sabotage. In addition to the action of the intelligence and security services (I&V), the Netherlands can also retaliate with the armed forces,” notes Knapen (see: Netherlands Cybercrime increased by 127% in 2020).

In addition, Knapen indicates that the Defense Cyber Command may also conduct a counterattack using the armed forces to avoid enemy action or to protect an essential state interest, depending on the international legal basis and after a government decision.

Hugo van den Toorn, head of offensive security at Outpost24, told Information Security Media Group that the letter describes a structured collaborative approach to preventing and responding to ransom attacks in particular.

“According to the letter, some threat actors have reached the same level of capacity as state-sponsored actors, which is the reason for the concern and the review of collaborative action. If certain thresholds (financial) are overwhelmed, the military could be called upon to help either diplomatically, by sharing intelligence, helping with takedowns or, ultimately, carrying out counterattacks,” Toorn notes.

Legal considerations

As there is no agreed definition of digital ransomware in international law, how ransomware operations qualify for a response will need to be considered on a case-by-case basis, Knapen explains.

The international legal framework offers the possibility of taking countermeasures in certain circumstances, in particular with regard to the definition of the law of State responsibility for “countermeasures” in the cyber context, which is: “Countermeasures are acts (or omissions) which would normally constitute a breach of an obligation under international law, but are lawful because they are a response to a prior breach of an obligation under international law by another State,” Knapen notes.

Jake Williams, CTO of cybersecurity firm BreachQuest, says how the Dutch deal with the problem of non-state actors is important.

“Much of the opposition to the military response to ransomware and cybercrime has been linked to the fact that it is a response to a law enforcement problem. This paper highlights attribution issues in determining whether an operation is state sponsored, state sanctioned, or simply state ignored. It apparently indicates that military use is a legal option, as not taking action against ransomware actors operating from your borders is no different than actually sponsoring the action,” notes Williams, a former member of the United States National Security Agency’s elite hacking team.

Knapen said the Netherlands will focus on tools for the practical implementation of the standards, with priority given to the initiative for responsible state behavior in cyberspace in the context of international security within the United Nations.

“The Netherlands will pay particular attention to the implementation of relevant standards for ransomware,” Knapen notes.

Diplomatic ramifications

Countries are held accountable for their actions and inaction through diplomatic responses such as actions against cross-border cyber criminal operations and measures such as sanctions, which are more powerful if designed in a broad coalition context, said Knapen.

“Within the EU, therefore, the Netherlands took a leading role in the EU toolkit for cyber diplomacy and the adoption of the EU’s ninth cyber sanctions regime in May 2019, and the Netherlands is committed to further develop these instruments to respond faster and more vigorously to cyber incidents. Recent EU declarations and sanctions show that these instruments are delivering concrete results,” he notes.

Knapen is also pushing for diplomatic channels for bilateral cooperation between countries in judicial investigations against ransomware, which he believes can be useful if cooperation through international judicial channels is insufficient. “The Netherlands can then underline the importance attached to cooperation through diplomatic channels,” he said.

In addition, Knapen says the Netherlands will continue its efforts to promote the joint development of response options and knowledge sharing within the EU, NATO and other alliances with allies.

Toorn says the proposed non-hostile operations seem very reasonable given that the Dutch military – and in particular the Dutch Cyber Command – has extensive capabilities and intelligence to help public and private companies fight ransomware.

He adds that “the offensive operations of the Dutch army must be carefully considered” as they “could bring more diplomatic problems.” “I would hesitate to openly propose military offensive capabilities before I have defined all the requirements and all the thresholds,” Toorn said.

Williams notes that the document appears to establish the legal justification under international law for military action against countries that blatantly allow ransomware attacks to continue within their borders.

Preventive measures

The letter also describes how the Dutch government is increasing the digital resilience of the Netherlands. He said the country is taking various measures as part of the national cybersecurity program and its integrated approach to cybercrime.

“In many successful cyber attacks, including ransomware, it appears that basic cybersecurity measures have not been sufficiently taken. In addition, many entrepreneurs, especially in SMEs, do not seem to see themselves as a potential victim of ransomware,” says Knapen. “The Digital Trust Center (DTC) of the Ministry of Economic Affairs and Climate is therefore committed to providing information on ransomware, for example by sharing the stories of entrepreneurs who have been victims of ransomware.”

Knapen further warns that a number of cybercriminal groups now possess capabilities that are not inferior to state actors, and the impact of an attack could pose a threat to national security through the deployment of ransomware.

“This has not yet manifested itself in the Netherlands, [however] this threat comes on top of the already existing and growing threat in the cyber domain,” notes Knapen. “The investigation services, the intelligence and security service and the armed forces are still insufficiently equipped to take structural measures against actors threatening national security by a ransomware attack.”

And Williams notes, “While I don’t foresee ransomware-related military invasions in the near future, the document sends a strong message to countries by simply ignoring actors operating within their borders. Given the focus on setting the standard for international law, the document may also be intended to stimulate meaningful conversations internationally about the threat of ransomware.”