December 29, 2016

Obama used a cybersecurity link for the first time to warn Russia

(Updated: January 7, 2017)

Shortly before the recent US presidential election, a dedicated cybersecurity hotline with Moscow was used by president Obama to warn the Russian government not to interfere with the election process through hacking operations.

Press reports compared the cybersecurity with the "Red Phone", which many people believe is used on the Hotline between Washington and Moscow. That's not true, and also Obama's message seems not to have been transmitted by phone, but through an e-mail channel which is maintained by the Nuclear Risk Reduction Center (NRRC).

The Nuclear Risk Reduction Center (NRRC) at the US State Department,
which also maintains the cybersecurity communications link
between US and Russian Computer Emergency Readiness Teams
(screenshot from a State Department video)

Obama's message

The fact that on October 31, US president Obama sent the Russians a direct message through the cyber channel was first reported on December 16. Three days later, NBC News came with some details about the content of the message. According to anonymous officials, it included phrases like "International law, including the law for armed conflict, applies to actions in cyberspace" and that the US "will hold Russia to those standards."

However, another senior intelligence official told NBC that the message was "muddled" because there was no bright line laid down and no clear warning given about the consequences. According to the official, the Russian response was non-committal. It's worrying that these government officials are leaking the content of the message, thereby undermining the necessary confidentiality of such an important hotline.

Obama's warning message was not about the hacking of the Democratic National Committee (DNC) or of it's chairman John Podesta, which director of national intelligence James Clapper had previously said was conducted with the knowledge of the Russian leadership. Instead, the warning reportedly only referred to the concerns about hacking around the election process itself.


On December 29, 2016, the White House announced actions "in response to the Russian government’s aggressive harassment of U.S. officials and cyber operations aimed at our election." As most visible action, 35 Russian intelligence operatives under diplomatic cover were expelled and two Russian compounds were closed, but although that seemed to be a response to the Russian hacking operations, it was actually a retaliation for the harassment of US diplomats over the past 2 years.
Regarding Russian hacking, only several GRU officials, two Russian hackers and a few Russian companies were named. Also some technical information was published in a Joint Analysis Report (JAR) by the FBI and the US-CERT, to identify Russian cyber attacks, but experts considered this information inconsistent and hardly useful.

US president Obama and Russian president Putin during
the G-8 summit in Northern Ireland in June 2013
(photo: Kevin Lamarque/Reuters - click to enlarge)

The cybersecurity link

On June 17, 2013, shortly after the start of the Snowden-revelations, the White House announced that during the G-8 summit in Northern Ireland, Russia and the United States had agreed upon several confidence-building measures (CBMs) to reduce the mutual danger from cyber threats. This includes the regular exchange of technical information about malware and other kinds of risks to critical systems, which appear to originate from each other’s territory and/or could be misperceived as an attack.

Such information is exchanged between the US Computer Emergency Readiness Team (US-CERT), which is part of the National Cybersecurity and Communications Integration Center (NCCIC) of the Department of Homeland Security (DHS), and its Russian counterpart. To provide secure and reliable communication lines for the formal inquiries about cybersecurity incidents, this task was delegated to the Nuclear Risk Reduction Center (NRRC - see below).

Secure voice line

Besides the information channel via the NRRC, the White House and the Kremlin also agreed to set up a direct secure voice communications line between the US Cybersecurity Coordinator at the White House and the Deputy Secretary of the Security Council of Russia, in case there should be a need to directly manage a crisis situation arising from a cybersecurity incident.

The announcement said that this direct voice line "will be seamlessly integrated into the existing Direct Secure Communication System ("hotline") that both governments already maintain" - which indicates that this line runs over the same redundant and secure satellite link as the Direct Communications Link (DCL, which is the official name of the Hotline) and the Direct Voice Link (DVL) between both heads of state.

We have no information about how this direct cybersecurity voice line is secured, but earlier, similar high-level bilateral telephone links consisted of Secure Telephone Equipment (STE), provided by the US.


As the press reports say that Obama's message was sent via the NRRC, we have to assume that it was in the form of an e-mail, and not a call through the secure voice channel. It was also reported that "the Obama administration had never used the cyber line before", but it's not really clear whether that means that the president never sent a message this way, or that the system was never used in any way.

The latter would mean that since 2013 no information about suspicious network intrusions has been exchanged between Russia en the US. The secure voice line for cybersecurity incidents has then probably also never been used - this kind of high-level direct phone lines seem rarely used in general.

Watch center of the National Cybersecurity and Communications Integration Center (NCCIC),
which includes the US-CERT. On the right there's an STE secure telephone.
(photo: Saul Loeb/AFP/Getty Images - click to enlarge)


The Nuclear Risk Reduction Center

The relay of cybersecurity messages is now one of the tasks of the Nuclear Risk Reduction Center (NRRC), which is located in the US Department of State (DoS). Its Russian equivalent is part of the Russian Ministry of Defence. The Cyber Security Protocol agreed upon in 2013 is the latest of 14 arms control treaties and agreements for which the NRRC exchanges information with more than 55 foreign governments and international organizations.

The NRRC consists of a watch center that operates 24 hours a day, 365 days a year and is staffed by Department of State Foreign Service officers, civil servants, and technical support personnel. They provide and receive inspection notifications, exchanges of data regarding strategic offensive arms, prior notifications of major exercises or unit restructurings, and other treaty-required communications.

The NRRCs were established by an agreement between the United States and the former Soviet Union from September 15, 1987 in order to build confidence through information exchange about their nuclear arsenals. The centers became operational on April 1, 1988. After the split-up of the Soviet Union in 1991 this secure data link, officially called Government-to-Government Communication Link (GGCL), was extended to Ukraine, Belarus and Kazakhstan.

Initially, these communication links consisted of facsimile devices, with (one-time pad) encryption conducted by personal computers and the random keys provided on 5¼ inch floppy disks, just like on the Washington-Moscow Hotline. As of late 1995, the NRRC communications shifted to encrypted e-mail with an additional chat channel for coordination purposes.

State Department video about the Nuclear Risk Reduction Center (2012)
(click to play)


Red Phone versus Hotline

It may be more than clear now that Obama's warning message had nothing to do with a "Red Phone", but it should be mentioned that the White House and the military did use red phones, although not for international, but for internal communications between the president and the military command centers. This was achieved through a secure military telephone network: the Defense Red Switch Network (DRSN).

Through popular culture, the image of a red telephone became projected to the direct communications link between Washington and Moscow, but this is false: the Hotline was never a phone line, as it was set up in 1963 as a teletype connection, which in 1988 was replaced by facsimile units. Since 2008 the Hotline is a highly secure computer link over which messages are exchanged by e-mail.

What the Hotline terminal at the Pentagon looks like nowadays can be seen in the following picture, which was released on the occasion of the 50th anniversary of this communications link in 2013:

The Washington-Moscow Hotline terminal room at the Pentagon (2013)
(photo: - click to enlarge)

Other options?

Besides the cybersecurity channels, the NRRC and the Hotline, the US government has two additional channels for direct communications with the Kremlin: the Foreign Affairs Link (FAL) between the State Department and the Russian foreign ministry, and the Defense Telephone Link (DTL) between de defense ministries of both countries. Both are secure phone lines, which also exist with a range of other countries.

This means that president Obama had several other options for transmitting his warning to Russia. It seems the NRRC cybersecurity channel was chosen because it was about the threat of cyber attacks, but still, such a warning message seems not what that channel is meant for, which is the exchange of technical information about actual intrusions that could be misinterpreted as a deliberate attack.

Therefore, the Foreign Affairs Link (FAL) would probably have been more appropriate: US secretary of state John Kerry could have called his Russian counterpart to issue the warning. But generally, for important messages in which every word counts, written communications are preferred, so that left only the NRRC or the Hotline.

Using the Hotline was probably considered too dramatic, and therefore the remaining option was the cybersecurity channel maintained by the NRRC.

Links and sources
- NextGov: Obama's cyber legacy: He did (almost) everything right and it still turned out wrong (2017)
- The Washington Post: Obama administration is close to announcing measures to punish Russia for election interference (2016)
- EmptyWheel: Now the spooks are laking criticism of Obama's sole use of the "Red Phone" (2016)
- NBC News: What Obama Said to Putin on the Red Phone About the Election Hack (2016)
- The New York Times: White House Confirms Pre-Election Warning to Russia Over Hacking
- The White House: U.S.-Russian Cooperation on Information and Communications Technology Security (2013)

December 16, 2016

A perspective on the new Dutch intelligence law

(Updated: January 17, 2017)

Since the Snowden-revelations, several countries adopted new laws governing their (signals) intelligence agencies, but instead of restricting the collection capabilities, they rather expand them. Previously we examined the new laws that have recently been implemented in France. This time we will take a look at the Netherlands, where a new law for its two secret services is now being discussed by the parliament.

The situation in the Netherlands is different in at least two major aspects from many other countries. First, there is no institutional separation between domestic security and foreign intelligence as the two secret services combine both tasks. Second, the current law restricts bulk or untargeted collection to wireless communications only, so cable access is only allowed for targeted and individualized interception.

The headquarters of the General Intelligence and Security Service AIVD
in Zoetermeer, not far from The Hague
(photo: NOS - click to enlarge)

Secret services

The two Dutch secret services, which were both created during a major reorganisation in 2002, are:

- General Intelligence and Security Service (Dutch: Algemene Inlichtingen- en Veiligheidsdienst, or AIVD), which falls under the Interior Ministry and is mainly responsible for domestic security issues, but also has a small branch that gathers intelligence information from and about foreign countries. In 2015, AIVD had over 1300 employees and a budget of 213 million euros.

- Military Intelligence and Security Service (Dutch: Militaire Inlichtingen- en Veiligheidsdienst, or MIVD), which falls under the Defence Ministry and is mainly responsible for military intelligence related to peacekeeping missions and military operations overseas. They also have to provide security for the armed forces. In 2015, MIVD had over 800 employees and a budget of approximately 85 million euros.

The Netherlands has no separate signals intelligence agency, but in 2014, the Joint Sigint Cyber Unit (JSCU) was created as a joint venture of AIVD and MIVD. The JSCU integrates the collection of signals intelligence and cyber defense operations on behalf of both agencies. The unit is located in the AIVD headquarters building in Zoetermeer and has a workforce of some 350 people. The head of JSCU is also the point-of-contact for foreign signals intelligence agencies, like NSA and GCHQ. The JSCU operates two listening stations: a relatively large satellite intercept station near the northern village of Burum, and a very capable High Frequency radio listening post in Eibergen near the German border.

The fact that the Dutch secret services combine both domestic security and foreign intelligence tasks, also means that there’s just one legal framework for both, and that authorisations are not only required for domestic operations, but also for foreign ones. Therefore, the Dutch services don’t have to separate foreign and domestic communications, which proved to be such a painful job for NSA and the German BND.

The headquarters of the Military Intelligence and Security Service MIVD
at the compound of the Frederik Barracks in The Hague

Dutch capabilities

During an interview with Dutch television in January 2015, Edward Snowden said that "the US intelligence services don't value the Dutch for their capabilities, they value them for their accesses, they value them for their geography, they value them for the fact that they have cables and satellites... a sort of vantage point that enables them to spy on their neighbours and others in the region in a unique way."

This doesn't show much familiarity with the issue, as the Dutch services have no "cables" yet and "satellites" are mainly intercepted for their foreign traffic. In reality, what makes Dutch intelligence interesting for NSA isn't spying on their neighbours, but their spying overseas: data they collect during military missions in Afghanistan and Mali, during navy missions around the Horn of Africa, by the quiet Dutch submarines, and radio traffic from the Middle East intercepted at the Eibergen listening post.

Some numbers

In 2009, the Dutch government provided the number of targeted interceptions conducted by the secret services: 1078 by AIVD and just 53 by MIVD. This number doesn’t seem very high (especially taking in account that targets often use multiple phone numbers) - but in the same year, French intelligence services were allowed to tap 5029 phone lines, although it’s not clear whether these number count in the same way.

Dutch government refuses to publish such numbers for more recent years, saying that that would give to much insight in the modus operandi of the agencies. A strange argument, because such numbers say nothing about the targets and also because countries like the US and Germany regularly publish even more detailed numbers. Like the police, the secret services also request metadata (verkeersgegevens or printgegevens) from the telecoms, but for this there are no numbers available.

Secret services vs. police force

In 2014, Dutch police conducted over 25.000 phone and internet taps, which is way more often than in other countries (it seems that Snowden had this in mind when he erroneously said that the Dutch secret services are the “surveillance kings of Europe”). The reason for this is that Dutch police rarely conducts undercover, observation and bugging operations, which are considered much more controversial and intrusive than phone taps.

Originally, targeted interception by the police was only allowed for crimes that could be sentenced with 4 years or more imprisonment and only for phone numbers used by the suspect himself, but with a new law on special criminal investigation methods from the year 2000, these restrictions were abolished.*

The Dutch police force has its own unit for targeted interceptions and in 2006 operated at least one IMSI-catcher (the AIVD two), which may be used both for finding out unknown phone numbers of known suspects, as well as for the targeted interception of phone calls. It’s also allowed to use Wifi-catchers.* Unlike in France, Dutch secret services do not work on or support police investigations under the authority of a judge.

Eavesdropping authorities of Dutch police and secret services.
Situation until new laws will probably be passed in 2017.
(click to enlarge)

Oversight bodies

The Netherlands there is a quite thorough oversight for the intelligence and security services. This is conducted by the independent commission CTIVD and the parliamentary commission CIVD:

The main oversight body is the Review Committee for the Intelligence and Security Services (Commissie van Toezicht op de Inlichtingen- en Veiligheidsdiensten, or CTIVD), which consists of three independent members, appointed by royal decree, who are supported by a secretariat of 10 people. The strength of this commission is that it has the right to access all documents and computers systems and speak to all employees: commission members can actually walk in, pull open drawers and log into the networks of both AIVD and MIVD.

The CTIVD publishes an annual report, but also conducts investigations on specific matters, like targeted interception in general or specific cases based upon press revelations. This results in a steady flow of reports, most of them public, which provide a detailed insight into the work of the Dutch services, of course without revealing specific methods or other sensitive details.

The other oversight body is the Committee for the Intelligence and Security Services (Commissie voor de Inlichtingen- en Veiligheidsdiensten, or CIVD), comprising the leaders of all political parties represented in the Second Chamber of the Dutch parliament. In this commission, which meets about 10 times a year in utmost secrecy, the party leaders are briefed by the responsible ministers and the heads of both secret services.

Within the context of the CIVD, the party leaders have the right to read classified documents, but when they make notes, even those notes are considered classified and may not leave the secure room. They can also ask, through the minister, to question employees of the secret services, but they have no powers to force them, nor to hear them under oath.


According to scholars and historians, the CIVD commission isn’t really fit to conduct thorough oversight. The party leaders are involved with way too many other political issues, and therefore they not always attend the commission meetings. A leak from this commission in February 2014 also made clear that the government can apparently rather easily report about things in such a way that the party leaders miss the actual importance of it.

Independent experts proposed that the commission should at least be extended with specialized members of parliament so intelligence issues receive full attention and better understanding, but this proposal was rejected by the party leaders. They seem not really interested in the work of AIVD and MIVD, which is especially worrying given the very secretive way the Dutch government deals with intelligence issues.

The Dutch satellite intercept station near Burum, operated by JSCU
(photo: ANP - click to enlarge)

Towards a new law

Currently, the two Dutch security and intelligence services are still governed by the Intelligence and Security Services Act from 2002 (Dutch: Wet op de inlichtingen- en veiligheidsdiensten, or Wiv). In February 2013, an evaluation commission for this law was installed, led by Stan Dessens. In its report from December of that year, the commission recommended that the intelligence services would be allowed to also conduct bulk collection on cable-bound communications. But given increased public scrutiny since the Snowden revelations earlier that year, the commission also urged for stronger oversight and more transparency.

It then took until July 2015 before the government published its proposal for a new law. This was followed by an internet consultation, in which anyone could submit an opinion about the proposal through a government website. This resulted in over 1100 reactions, 500 of them public and most of them very critical (it should be noted though that (the highly critical) digital rights organization Bits of Freedom provided an online tool for easily submitting standardized reactions).

Given this amount of critique, including from major telecommunication providers and internet companies, the government reconsidered its proposal. On April 15, 2016 the draft was discussed in the council of ministers. The new text wasn’t released, but the government announced that some changes had been made:

- A new independent review commission (Toetsingscommissie Inzet Bevoegdheden, or TIB) that has to approve all requests for both the new bulk cable access and the existing targeted interceptions. This commission will be different from the existing independent oversight commission CTIVD and will actually consist of just 1 member and two substitutes, who have to be judges with at least 6 years of experience.

- When AIVD or MIVD want to intercept the communications between lawyers and their clients or between journalists and their sources, there has to be prior approval by the district court of The Hague. This extra protection is required by the rulings of the European Court for Human Rights.

- The government will pay for the costs of the untargeted cable tapping, which are estimated at 15 million in 2017, 25 million in 2018 and 35 million in 2019. The initial plan was to let the telecommunication companies pay for the necessary equipment on their networks, something they strongly opposed. The government plans to get one access location ready for bulk interception each year, so the agencies can gradually get used to this new method. In 2020, there will be four access locations, which will be chosen according to specific information needs and in consultation with the telecoms.

On April 29, the newspaper De Volkskrant disclosed the full text of the revised proposal, including the over 400-page explanatory memorandum (Memorie van Toelichting, or MvT). Here it was read that the government had replaced the original "untargeted interception" (ongerichte interceptie) by a horrible new term meaning something like "interception according to research assignment" (onderzoeksopdrachtgerichte interceptie) - clearly meant to sound more focused and limited, in order to counter the popular image of an indiscriminate dragnet.

This revised proposal was sent to the Council of State, which must be consulted before a law is submitted to parliament. Instead of a legal review of the full proposal, the Council only addressed a few topics. The controversial bulk cable access is considered necessary enough to be in accordance with the European Convention on Human Rights (ECRM), provided that there’s strong and independent oversight.

However, the Council expressed serious doubts about the effectiveness of newly proposed TIB commissioner, which lacks the expertise and capacity of the existing CTIVD commission. The proposed approval by the TIB could therefore end up like a "rubber stamp". It would be better to give the CTIVD commission the right of non-binding prior approval and the Council advises the government to change the draft in this way, before sending it to parliament.

Another point of critique is that data collected in bulk may be kept for 3 years, which the Concil thinks is too long and has to be shortened significantly. The Council was also especially concerned about the analysis of "big data" and wants to see a more general vision on how big data analysis affects the work of the secret services, like to what extent there’s a shift from collecting data to analysing already existing data sets.

After receiving the Council of State’s consultation from September 21, some changes were made, with the most important one being that the TIB is extended from one commissioner to a commission of three, with 2 judges, one member with for example technical expertise, and its own secretariat - thereby ignoring the main point of the Council of State’s recommendation.

The final proposal was discussed by the Dutch cabinet on October 28 and subsequently submitted to parliament. In December, the responsible parliamentary commission consulted the oversight committee, secret service officials and outside experts. The Second Chamber of parliament is expected to vote on the new law in the first week of February, which is just before the Dutch general elections on March 15, 2017.


AMS-IX internet Exchange co-location at the National Institute for Subatomic Physics
Will the Dutch services select cables at this kind of locations for bulk collection?
(photo: Martin Alberts/Stadsarchief Amsterdam - click to enlarge)

Bulk cable access

The most important and most controversial new feature of the proposed intelligence law is the bulk collection of cable-bound communications. In the proposed law, the regulations for bulk collection will be made "technology independent", so they apply to both wireless communications (SHF satellite and HF radio) and fiber-optic cable traffic (internet and telephony). For this, the new law introduces a framework of 3 stages:

1. Acquisition (article 48):
Selecting specific cables and satellite channels from specific internet providers and satellites. Then conduct filtering to let through or block certain types of traffic (peer-to-peer, music and movie streams, etc.) and/or traffic from/to particular countries of interest. The remaining data may be stored for up to 3 years.
It should be noted that this means that both metadata and content are simply stored, like put in a big box, where at NSA and GCHQ content is only buffered for several days using the XKEYSCORE system, which prevents unnecessary storage of content that is not of interest.

2. Preparation (article 49):
   a. Search the communication links to determine the type of traffic and the persons or organisations it belongs to. The law mentions this as part of stage 2, suggesting that it follows upon stage 1, but actually this activity supports and therefore goes parallel to the selection of the right cables and channels during stage 1.
   b. Look for new, or verify already known selectors related to known targets, and look for new targets related to selectors already known - this is actually a kind of contact-chaining like in stage 3, but here not for the sake of analysis, but to see whether the stored bulk actually contains data or new selectors that match already approved selectors of known targets.
(This stage 2 is very artificially composed and the whole process would be much clearer and simpler when section a. would be incorporated in stage 1 and section b. in stage 3)

3. Processing (article 50):
   a. Conduct metadata analysis using the metadata from the stored bulk sets of data. These can be used for contact-chaining, creating a pattern-of-life or other kinds of analysis in which the collected metadata can also be correlated with other datasets.
   b. Selecting the content of communications by picking them out of the stored bulk data sets when there’s a match with approved selectors.

For each of these stages AIVD and MIVD need a prior authorisation from their respective minister, which is valid for up to 12 months (3 months for the content selection of stage 3). Each authorisation will then have to be approved by the TIB commission.

The government already expects that authorisations for stage 1 and 2 will often be combined. As these stages are part of a continuous process, the Council of State also noticed that it seems not very realistic to make such clear distinctions and acquire separate authorisations. This means that in practice, authorisations will likely be combined for all 3 stages, thereby largely mitigating the goal of the system.

Overview of the 3 stages for bulk access to cable-bound communications
as proposed by the new Intelligence and Security Services Act
(click to enlarge)

Just like with the sudden introduction of the TIB commissioner, this 3-stage authorisation scheme seems primarily aimed at comforting the public opinion. The government presents them as safeguards against abuses, but they actually make things unnecessarily complicated with a substantial risk that they will end up to be counterproductive.

These extra safeguards were introduced partly because the government couldn’t very well explain why the new bulk collection of cable communications is actually that necessary. The standard example used by the interior minister is about access to cables from the Netherlands to Syria, but communications related to known targets can already be covered by targeted interception, while for example Facebook and Whatsapp messages actually go through cables from the US.

Supposed purposes

On April 20, 2016, public broadcaster NOS revealed a confidential document that apparently addressed internet providers and contains some more specific examples for the proposed bulk cable access. For example when people from a fictitious city of 400.000 inhabitants communicate with a certain chat service, this should be interceptable. Also internet traffic for a maximum of 200 people has to be 'searched', but it isn’t clear whether that applies to the example of the city, or whether this is a total.

Another example from the document is about public wifi hotspots. Communications of people accessing certain hotspots and/or using these to visit certain foreign websites must also be interceptable. The document also speaks about telephone traffic between a Dutch city and a foreign country as well as about the internet traffic between someone in a Dutch city and in a foreign country in which for example bittorrent is used. All this must be interceptable.

There are no rules for "minimizing" (anonymising) the results of this kind of collection, likely because both secret services have both a domestic and a foreign intelligence task, so they are not prohibited from using domestic data, like agencies in other countries.

Overview of the safeguards for untargeted cable access (in Dutch)
Stage 2 is only mentioned where it prepares for stage 3
(source: Dutch government - click to enlarge)

The champions in cable tapping are NSA and GCHQ, but there we already see a shift towards cyber defense and hacking operations, things that got much less attention in the Dutch public opinion and (probably therefore) also not in the new law.

Cyber security monitoring

The proposed bulk cable access is not only meant for intercepting communications, but also for cyber security purposes. The strange thing is that this isn’t explicitly mentioned in the new law itself, but only, and even rather short, in the explanatory memorandum. It is said that the new articles 48 and 49 make it possible for AIVD and MIVD to scan cable-bound network traffic for malware signatures and other anomalies which may pose a threat for national security.

This cyber security monitoring may only take place after prior approval by the minister, who will specify on which particular part of the cable infrastructure and for which goal the network monitoring or network detection may take place. Where bulk cable access for intercepting and analysing communications will only be conducted on sets of data that are stored offline, the cyber security task can also take place online: traffic will then be analysed in real-time by for example a DPI (Deep Packet Inspection) system.

The explanatory memorandum mentions real-time online monitoring only for cyber security purposes. Later on, it is said that bulk collection for the purpose of intercepting communications is less intrusive than a traditional targeted interception, because the latter results in an online and real-time collection of all the target’s communications, while the bulk collection only provides the limited set of data that has been stored offline. This distinction isn’t explicitly mentioned in the proposed law itself, so it’s unclear whether real-time monitoring and filtering systems are also allowed for interception purposes.


Antennas of the HF radio intercept station in Eibergen, operated by JSCU
(photo: Peter Zandee/De Gelderlander - click to enlarge)

Third party hacking

Another important new feature in the new law is about network and computer hacking. Already under the current law from 2002, both secret services are allowed to hack into digital systems and networks, but only those being used by a particular target (Dutch police isn’t allowed to hack, but another new law is expected to change that soon). Additional to this, the proposal will also allow AIVD and MIVD (or JSCU on their behalf) to hack computer systems used by third parties, whenever that is necessary to get access to a target’s computer.

Obviously, so-called hard targets can secure their systems in a way that it is hardly possible to break in, or they can avoid online systems as much as possible, so the only option will be to get access through third parties near or in contact with such a target. But still this extension of powers is remarkable because this is one of the most controversial methods that came to light in recent years. GCHQ for example hacked the network of the Belgian telecom company Belgacom as a means to get access to still unknown targets.

Despite third party hacking is probably just as controversial as the bulk cable tapping, the government didn’t introduce separate authorisations for the various steps in the hacking process, like they did for untargeted interception. This means that hacking operations, no matter how intrusive or extensive, require only a single authorisation set (minister + TIB commission).

However, each authorisation by the minister has to make sure that the use not only of hacking methods, but also of all other special intelligence methods is in accordance with these three basic rules:

- Necessity: a method must be necessary to fulfill the intelligence or counter-intelligence mission.

- Proportionality: the consequences of a method have to be in proportion to its goal.

- Subsidiarity: a method may only be used when the goal cannot be achieved through a less intrusive method.

Contributions to this article were made by Zone d'Intérêt, a French weblog about intelligence & defence, on which this article was also published as part of an ongoing series about new laws on intelligence and security services.

On December 30, 2016, members of parliament submitted hundreds of questions about the draft Intelligence and Security Services Act, but no substantial changes were proposed. In its answers from January 18, 2017, the government stuck to its initial position. The only change worth mentioning is that when during untargeted interception data are considered not of interest, they have to be deleted immediately - the word "immediately" wasn't in the original text.

However, the government's answers also provided some clarity, as it was said that the untargeted cable access doesn't mean that the secret services will get access to a complete fiber-optic cable (through cable-splitting), but that instead the telecoms will likely only copy specific and selected channels (through port mirroring) and provide these to the government for further processing, which is a more targeted and flexible way.

Given that members of parliament were mainly focused at the untargeted interception, or "dragnet" as many call it, there was less attention for the new hacking capabilities and nothing was clarified about how the services will use the new cable access for cyber security purposes.

On february 8, the Second Chamber of the Dutch parliament discussed the proposal during a 9-hour debate in which several parties proposed over 40 amendments to the new law, but again the government wasn't willing to change anything. The vote was on February 14, 2017 and the law passed with a fairly large majority. Now the new law will be reviewed by the Senate or First Chamber of parliament, but it's expected that it will pass there too.

Links and sources
- Bits of Freedom: Moties en amendementen bij de nieuwe Wiv (Febr. 2017)
- Graag wat meer technische inbreng bij debat over nieuwe wetgeving (Dec. 2016)
- Tweede Kamer: Hoorzitting/rondetafelgesprek inzake de nieuwe Wiv (Dec. 2016)
- BoF protest website: (Dec. 2016)
- De geheime dienst is een gemakkelijke zondebok (Nov. 2016)
- Tweede Kamer: Wetsvoorstel 34588 (Oct. 2016)
- 'Onschuldige burgers hebben niet zoveel te vrezen' (Apr. 2016)
- Kabinet houdt vast aan massaal aftappen internetverkeer (Apr. 2016)
- Bart Jacobs: Select while you collect - Over de voorgestelde interceptiebevoegdheden voor inlichtingen- en veiligheidsdiensten (Jan. 2016)
- [Dutch] Lijstje van reacties van organisaties op de Wiv-consultatie (Sept. 2015)
- Bart Jacobs: Vluchtig en Stelselmatig. Een bespreking van interceptie door inlichtingen- en veiligheidsdiensten (Febr. 2015)

December 8, 2016

Wikileaks publishes classified documents from inside German NSA inquiry commission

(UPDATED: January 23, 2017)

On December 1, Wikileaks published 90 gigabytes of classified documents from the German parliamentary commission that investigates NSA spying and the cooperation between NSA and the German foreign intelligence service BND. The documents include 125 files from BND, 33 from the security service BfV and 72 from the information security agency BSI.

It should be noted though that all documents are from the lowest classification level and lots of them are just formal letters, copies of press reports and duplications within e-mail threads. Nonetheless, the files also provide interesting new details, for example about the German classification system, BND's internal structure, the way they handled the Snowden-revelations and the use of XKEYSCORE.

These topics will be updated or topics will be added when new information is found in the documents published by Wikileaks

The German parliamentary investigation commission just before a hearing
(photo: DPA)


Some background information was provided in an article from the newspaper Die Zeit, which says that only documents with the lowest classification level (VS NfD or RESTRICTED) are scanned and made available to the investigation commission on a government server. They are also available at the federal Chancellery.

Documents with a higher classification level are not digitalized and have to be read in a secure room (German: Geheimschutzstelle) in the parliament building. Most of the documents classified Top Secret can only be viewed at the Chancellery or the new Berlin headquarters of BND.

Classified documents provided to the investigation commission
(still from the ARD documentary Schattenwelt BND)

Regarding the source of this leak, IT experts of the German parliament said that they found no indications of a hack. Der Spiegel suggests that the source might be a member of the parliamentary commission for foreign affairs or for the affairs of the European Union, because one document published by Wikileaks (meanwhile removed) was only available to members of those two commissions.


On December 11, 2016, German press reported that according to a high-level security officer, there's a high plausibility that the commission documents published by Wikileaks were stolen during a large hacking attack on the German parliament's internal network late 2014/early 2015.
This attack was discovered in May 2015 and showed patterns similar to APT28 a.k.a. Operation Pawn Storm, the Sofacy Group, or Fancy Bear - a hacker collective which is probably sponsored by the Russian government. The timeframe of this hacking attack could explain why Wikileaks has no commission documents dated after January 2015.

It seems also possible that the secret documents about the joint NSA-BND operation Eikonal, which were published last year by the Austrian member of parliament Peter Pilz, came from this cyber attack on the German parliament servers.

Wikileaks hasn't redacted anything. Almost everything that is redacted is in blue, which is apparently the way BND is redacting its documents. Therefore, the files still contain all the internal organizational designators as well as the e-mail aliasses or addresses of many German government units and employees.

Internal BND e-mail from the EAD branch for the relationships with western countries &
cooperation partners, and the EADD unit for relationships with North America & Oceania
(click to enlarge)


BND classifications

Documents from BND are classified according to the official German classification system, which has four levels, corresponding to those used in many other countries:

color code: blue or black; equivalent: RESTRICTED

color code: blue or black; equivalent: CONFIDENTIAL

- GEHEIM (Geh. / Stufe I)
color code: red; equivalent: SECRET

- STRENG GEHEIM (Str. Geh. / Stufe II)
color code: red; equivalent: TOP SECRET

Besides these common classification levels, it was suspected that there would be at least one higher or more restrictive category to protect highly sensitive information. This has now been confirmed by various letters from the Wikileaks trove, which mention the following two classification markings:


color code: ?; equivalent: TOP SECRET/SCI

The use of these markings is apparently a secret itself, because also members of the parliamentary commission puzzled about their exact meaning and usage. It seems though that these categories are rather similar to the US Classification System, which was explained here earlier.

The German marking ANRECHT apparently means that certain information is classified Secret or Top Secret, but that within that particular level, it's only meant for those people who have a need-to-know (German: Anrecht), apparently especially when it comes to signals intelligence. In the United States this is realized through a range of different dissemination markings.

The marking SCHUTZWORT is also meant to restrict access, but in this case, the originator of a particular document determines a codeword (German: Schutzwort) which he provides only to those people who are allowed access to that document. This is similar to the system of Sensitive Compartmented Information (SCI) used in the US, where meanwhile several formerly secret codewords have been declassified.

A security manual from the German armed forces from 1988 also mentions special classification categories, like for example SCHUTZWORT and KRYPTO, the latter apparently for classified cryptographic information.

Letter from the Chancellery which was classified STRENG GEHEIM-ANRECHT,
which was marked as cancelled (UNGÜLTIG) after the attached
documents at that classification level were removed
(click to enlarge)

Internal markings

From the commission files we also learn that BND uses te following internal markings. When disseminated outside BND, such information was meant to be classified GEHEIM.

- Meldedienstliche Verschlusssache - amtlich geheimgehalten

- Ausgewertete Verschlusssache - amtlich geheimgehalten

- Operative Verschlusssache - amtlich geheimgehalten

- FmA Auswertesache - amtlich geheimgehalten


BND organization

The files published by Wikileaks also contain a set of charts showing the organizational structure of BND between the year 2000 and 2014. There are some changes in the agency's divisions, with a reorganization in 2009, as can be seen in the following charts:

BND organization chart, situation until 2009
(click to enlarge)

BND organization chart, situation since 2009
(click to enlarge)

A more detailed BND organization chart was among the Snowden documents and was published earlier by Der Spiegel.

Internal designators

The BND's divisions, branches and units are designated by codes that consist of letters, written in capitals. In the current situation the main divisions have a two-letter designator which is more or less an abbreviation of their full name. The SIGINT division is for example TA, which stands for Technische Aufklärung.

From the e-mails published by Wikileaks we learn that lower units are designated by adding additional letters or words to the division designator. It seems that these addtional letters can be the first letter of a full name, a more or less random letter, or A for the first unit, B for the second unit, etc.

For example, "PLSA-HH-Recht-SI" is the first branch (A) of PLS, which is the BND president's staff. The term "Recht" indicates that this is apparently a unit for legal issues. A simpler designator is "GLAAY", which is a unit of the division GL (Gesamtlage)

By combining several documents related to XKEYSCORE, the following list of designators for BND's field stations could be reconstructed:
- 3D10: Schöningen or Rheinhausen (satellite interception)
- 3D20: Schöningen or Rheinhausen (satellite interception)
- 3D30: Bad Aibling (satellite interception)
- 3D40: Gablingen (HF radio interception)*
Similar designators are used for BND liaison offices:
- 2D01: London (with contacts to 7 British partner agencies, denoted as GBR01, GBR02, GBRMD, GBRND, GBRSD, GBRPS, and GBRTF)
- 2D02: Paris
- 2D03: Brussels/NATO
- 2D30: Washington
- 2D33: Canberra

Some divisions

The organization charts for BND's structure since 2009 shows that there are four divisions for analysis and production, which is where analysts prepare intelligence reports:
- Two divisions are for topical missions: TE for international terrorism and organized crime, and TW for proliferation of weapon systems and ABC weapons.
- The other two divisions, LA and LB, are responsible for a geographical area. From their logos in the signature block in internal e-mails we learn that LB is responsible for Africa, the Middle East and Afghanistan, while LA has the rest of the world:

Secure communications

A letter from BND from July 2013 says that BND's wide-area networks (WANs) which are classified Secret (Geheim) are secured by SINA encryption devices certified by the BSI. Communications between foreign and domestic BND facilities are transmitted through MPLS (Multiprotocol Label Switching) networks.

The letter also says that BND-unit SICD for eavesdropping techniques domestically checks only whether BND facilites may have been bugged, but found nothing over the past several years. Outside Germany, the embassies and consulates of the German foreign ministry were checked in regular turns.



According to Wikileaks, one of the more interesting documents from their release is one that allegedly proofs that "a BND employee will be tasked to use and write software for XKeyscore." However, the German tech website Golem says that this seems to be based on a text section that only refers to BND employee A.S. who helped install XKEYSCORE at the Berlin headquarters of the domestic security service BfV, which uses this system only for analysing terrorism-related data sets.

More interesting are several other documents about XKEYSCORE. For example In a list of answers prepared for the meeting of the parliamentary oversight commission on November 6, 2013 it is said that XKEYSCORE is used since 2007 in Bad Aibling and that this system is being tested since February 2013 at the satellite intercept stations Schöningen and Rheinhausen. It was planned to use XKEYSCORE on a regular basis at the latter two locations too.

According to another document, BND uses XKEYSCORE for the following purposes:
- Check whether satellite links with internet traffic (only foreign-to-foreign and especially crisis regions, so no links to or from Germany or cables inside Germany) could contain data relevant for BND's mission
- Search for new relevant targets
- Make communications traffic from already known and selected targets readable to transfer them to analysts for preparing reports
XKEYSCORE processes data streams in real time, but for analysis purposes it can also buffer both metadata and content for a certain time, which depends on the available storage space of the buffer. Because XKEYSCORE is used for regular processing purposes, BND deemed it not necessary to inform the federal chancellery or the parliamentary oversight commission (PKGr) about this system specifically.

An internal BND e-mail from November 5, 2013, explains that at Schöningen and Rheinhausen, XKEYSCORE is used for intercepting foreign satellite communications. The specific purpose for the system is determining which satellite links are most useful and subsequently checking whether the traffic contains the communications of people the BND is looking for (so-called survey):

Internal BND e-mail about the use of XKEYSCORE at BND's satellite stations
(source: Wikileaks, pdf-page 248 - click to enlarge)

This is a rather unexpected use of XKEYSCORE, because for NSA and GCHQ the strength of the system lies in its capability to reassemble internet packets, filter them and allow analysts to search buffered content. It is still not fully clear whether BND uses XKEYSCORE also in this way.

In November 2014, W.K. from BND's SIGINT division testified that XKEYSCORE was used for decoding and demodulating IP traffic. Decoding for making things readable happens both online and on stored data, while (demodulating for) selecting the proper satellite links only happens on online data streams.

At Schöningen and Rheinhausen XKEYSCORE was only used for the latter purposes, in the pre-analysis stage. This also came forward from some testimonies before the investigation commission. For example E.B., head of the Schöningen station, said that XKEYSCORE was only used for looking at a few days of satellite traffic to determine which communication links where in it.

An earlier presentation about satellite interception at Menwith Hill Station in the UK shows that NSA and GCHQ have other systems, like DARKQUEST, for surveying satellite links, after which XKEYSCORE is used for processing and analysing the data.

Another file that was sent to the parliamentary commission contains two diagrams about how BND uses the XKEYSCORE system:

In the first diagram we see that what comes in through the satellite antenna first goes to an actual collection system (Erfassungssystem) which has some kind of database attached that says which satellite links have to be selected (Streckenauswahl). The result then goes to XKEYSCORE, which is fed by a database with rules (Regeln), which apparently determine which data to select and forward for further analysis (Weiterverarbeitung):

Another diagram shows the difference between XKEYSCORE and traditional collection processing systems: in the traditional set-up, it seems that first, IP packets from a data stream were reassembled (sessionized) and then went through a filter to select only those of interest (the green one), which were forwarded for further analysis. XKEYSCORE could do all that at once:

IBM servers

The Wikileaks files also contain an internal BND order form from February 25, 2014, used for ordering six servers for field station 3D20: two IBM X3650 M4 and four IBM X3550 M4 servers, with a total cost of 58.000,- euros. A separate text explains that these servers were needed for both PDBD and XKEYSCORE:

- PDBD was the new centralized BND tasking database, which would replace the proprietary tasking databases used at the various field stations.

- XKEYSCORE is described as a system that decodes packet-switched telecommunicatiosn traffic like e-mail, messenger, chat, geolocation information, etc. and is used for analysing telecommuncations traffic. At BND the system was needed because it became increasingly difficult to extract relevant information from the ever growing amount of data. The servers were needed to move XKEYSCORE from test to operational status.

Internal BND order form for several IBM servers to be used for XKEYSCORE and PBDB
(source: Wikileaks, pdf-page 72 - click to enlarge)



A large file from the commission documents is about the reaction on the revelation of PRISM. In August 2013, members of the Bundestag asked so many questions about this NSA program, that one BND employee complained that it was unreasonable to expect that his agency could provide all the answers.

At that time, many details about PRISM weren't clear yet and statements from the US government and from internet companies seemed to contradict eachother. Among the documents that BND forwarded to the parliamentary commission was also one report from July 2013, which summarizes what was known about PRISM at that time.

This report was made by civil servants from unit ÖS I 3 of the Public Safety division of the German Interior Ministry (BMI). After summarizing what was known from the press reports, the report also describes a second tool that is named PRISM - based upon an earlier article on this weblog:

Summary of a second PRISM program as described on this weblog
(source: Wikileaks, pdf-page 104 - click to enlarge)

Shortly after the existance of PRISM was revealed early June 2013, much was unclear, so I did some open source research and found that the US military uses a program named PRISM, which in this case is an acronym for "Planning tool for Resource Integration, Synchronization and Management".

Shortly afterwards, in July 2013, German press published an NSA letter saying that there are actually three different programs with the name PRISM: one that collects data from the big internet companies, one that is used as a military tasking and planning tool, and finally one that is used for internal data sharing in NSA's Information Assurance Directorate (IAD).



On July 29, 2013, the German magazine Der Spiegel published a chart from the NSA tool BOUNDLESSINFORMANT. The chart was related to Germany and it was thought that it showed that NSA had intercepted over 550 million pieces of communications traffic.

But within just a few days, BND contacted Der Spiegel, saying that they collected those data, and shared them with NSA. The SIGADs US-987LA and US-987LB designated collection at the BND satellite station in Bad Aibling and interception of phone calls in Afghanistan, respectively. This was confirmed by NSA and published by Der Spiegel on August 5, 2013.

A document published by Wikileaks explains that in Afghanistan, BND had a satellite interception facility (for downlinks to complement the uplinks intercepted at Bad Aibling) and also intercepted point-to-point microwave links (generally used for (mobile) telephony backbones).

BOUNDLESSINFORMANT screenshot showing metadata related to Germany
as being published by Der Spiegel on July 29, 2013
(click to enlarge)

An e-mail published by Wikileaks shows that meanwhile, M.J. from unit 3D3D of the Bad Aibling station was comparing the numbers from the BOUNDLESSINFORMANT chart with those from his logfiles and Nagios Checks. In the e-mail, from August 12, 2013 to his boss R.U., he concluded that at the beginning of the month there was a relatively clear similarity with the chart from Der Spiegel:

The chart that seems to be prepared by BND employee M.J. to compare
with the one from BOUNDLESSINFORMANT (note the different scale)
(click to enlarge)

It should be noted that BND didn't count the numbers of metadata they provided to NSA, they did so only for content, so the numbers from M.J.'s chart may not be fully accurate. Even more puzzling is a table that was also with the e-mail from M.J. and contains the daily numbers for the metadata during this period:

The chart that seems to be prepared by BND employee M.J. to compare
with the one from BOUNDLESSINFORMANT (note the different scale)
(click to enlarge)

The strange thing here is that on the right side, the table has daily numbers broken down for several processing systems - strange because the chart from Der Spiegel only provided aggregated numbers, and because three codenames weren't seen in the published BOUNDLESSINFORMANT charts: POPTOP, CRON and SNOWHAZE. Did NSA provide these more detailed numbers so BND could compare them?

In a letter from August 13, 2013, BND president Schindler asks NSA director Alexander to confirm that the metadata collected through 987LA and US-987LB came solely from BND. This would help to make the public debate more rational.

During a hearing of the German parliamentary investigation commission on January 19, 2017, former BND president Schindler said that the BOUNDLESSINFORMANT charts that Snowden took, were from training course material. This was said here for the first time and given the problems these charts caused for BND, it's possible that they asked NSA for more details after which this explanation came up.


Cooperation in Afghanistan

In answers to questions from parliament, BND wrote that in Afghanistan, NSA operates a collection network, in which 14 countries participate (the Afghanistan SIGINT Coalition, or AFSC). Partner agencies enter the data they collect into a database (similar or identical to SIGDASYS) managed by NSA and they can request from the database those data that are relevant for their mission task.

Between 2011 and 2013, BND requested and received 216.423 data sets from this syetem. For the Afghanistan "burden sharing", BND was working on some 5000 targets, which resulted in ca. 1 million data sets each day. These were shared with the AFSC group and therefore also with NSA and GCHQ. Most of this is about localisation.

Furthermore, NSA provided BND with several thousand selectors of targets to collect the related data from satellite links from or to Afghanistan and other crisis regions. BND does this through its satellite intercept station in Bad Aibling, which results in ca. 3 million data sets each month. After passing the G-10 filter (to block communications related to Germans), these data are provided to NSA.


Cyber security

Some insights about the cooperation between BND and NSA on the field of cyber defense can be read in a report about the visit of NSA director Keith Alexander to Berlin, on June 6 and 7, 2013 (which were the second and third days of the Snowden revelations!).

When it came to cyber issues, Alexander compared the internet to a "fibre ring" operated by internet service providers (ISPs), with "pipes" leading to the networks of industry, finance and government. Any malware, whether for destroying things or stealing data, should be stopped in the "fibre ring" before it reaches the "pipes" - "you need to see it first".

A German government official said that Germany has good cyber specialists, but they work only in a defensive way. When it comes to offensive cyber attacks, Germany is inactive. Also, contacts to industry should be revived. The general opinion was that German industry should protect itself, but small and medium businesses are very naiv and without obligations, companies will not spend money for cyber defense.

The report says that for cyber issues, a small group of "trusted states" could be created, because international regulations like the Budapest Convention seem hardly effective. According to general Alexander, the US is building partnerships, but sharing information depends on trust, which is not always given.

General Alexander also told BND that NSA had 27 teams of 56 persons each, which support the US Combatant Commands and that additional 6000 new cyber specialists will follow. NSA also supports the US Cyber Command with a detachment of 407 cyber experts. According to Alexander, NSA identified about 50 Chinese "intrusion sets" and gained access to Chinese networks to find out who the victims were of these massive and global cyber attacks.

In an answer to questions by member of parliament Oppermann from July 23, 2013, BND says that they support domestic security service BfV and information security agency BSI in recognizing foreign cyber attacks, which is called "SIGINT Support to Cyber Defence" (SSCD). Only BND is able to build technical systems to detect cyber attacks in(!) foreign countries.

The answer also says that "within the SSCD-working group of a international SIGINT coalition, BND exchanges information about the international detection of cyber attacks" - this international SIGINT coalition is most likely the SIGINT Seniors Europe (SSEUR or 14-Eyes) group. And apparently it's this working group that that BND director Schindler referred to when he talked about international cybersecurity cooperation in May 2014.



Finally, a list of some of the most interesting files found so far (would have been useful when Wikileaks provided this kind of index though):

- MAT_A_BND-1-3a_2 (employees of US military and intelligence contractors in Germany)

- MAT_A_BND-1-5 (NSA's bulk metadata collection, PRISM and XKEYSCORE)


- MAT_A_BND-1-11c (pdf-page 315: options how NSA could have intercepted Merkel's cell phone)

- MAT_A_BND-1-11j (pdf-page 145 ff.: cyber security cooperation between NSA and BND; page 155: short history of Bad Aibling Station; page 280: NSA letter about 3 different PRISMs)

- MAT_A_BND-1-11k (letter of BND president Schindler to NSA director Alexander)

- MAT_A_BND-1-13a (pdf-page 61 and 88: initially, BND assumed that PRISM was about collecting metadata; page 99: since 2012, NSA sent BND ca. 450 reports about terrorist threats)

- MAT_A_BND-1-13b (pdf-page 84 and 85: XKEYSCORE diagrams; page 227: targeted interception requires a "sessionizer" similar to XKS; page 277: SSCD working group of the SSEUR)

- MAT_A_BND-1-13c (pdf-page 127: data sharing in Afghanistan)

- MAT_A_BND-1-13h (pdf-page 108 ff.: report about the VERAS metadata system)

- MAT_A_BND-3a (very extensive index of topics used by BND)

- MAT_A_BND-3-1a (BND organization charts from 2000-2014)

- MAT_A_BND-8a (contacts with GCHQ, cooperation between BND and NSA, reports about the refugee interview unit, internal G10 manual)

More to follow...