Netherlands Says Armed Forces May Combat Ransomware AttacksOfficials and Experts Debate Legality, Diplomatic Ramifications of the Statement
The Dutch government says it may use intelligence agencies or military services to counter cyberattacks - including ransomware attacks - that threaten the country's national security.
"If a ransomware attack, whether or not with a financial purpose, crosses the threshold of (manifesting) a threat to national security, for example due to the failure of vital sectors, then the government also has other resources at its disposal," Dutch Minister of Foreign Affairs Ben Knapen said in a letter answering a parliamentary inquiry into how the country might potentially respond to ransomware attacks.
Knapen says it is important that states are held accountable, and measures such as sanctions can be issued if their actions violate accepted standards of behavior in cyberspace, such as enabling cross-border criminal cyber-operations, including against ransomware attacks.
"An example of the latter is taking IT infrastructure offline (or having it taken offline) that is part of the attack infrastructure or that is misused for digital espionage or sabotage. In addition to action by the Intelligence and Security Service (I&V) services, the Netherlands can also respond with the armed forces," Knapen notes (see: Netherlands Cybercrime Increased by 127% in 2020).
In addition, Knapen says the Defense Cyber Command can also carry out a counterattack using the armed forces to avert enemy action or to protect an essential interest of the state, depending on the international legal basis and after a government decision.
Hugo van den Toorn, manager of offensive security at Outpost24, tells Information Security Media Group that the letter describes a structured collaborative approach to the prevention and response to ransom attacks specifically.
"According to the letter, some threat actors have reached the same level of capabilities as state-sponsored actors, which is the reason for the worry and revision of collaborative action. If certain (financial) thresholds are surpassed, the military could be invoked to help from either a diplomatic point of view, by sharing intelligence, helping in performing takedowns or ultimately perform counterattacks," Toorn notes.
Since there is no agreed definition of digital ransomware in international law, the way in which ransomware operations are qualified for response will have to be considered on a case-by-case basis, Knapen says.
The international legal framework does offer the option of taking countermeasures under certain circumstances, especially regarding the definition of state liability law for countermeasures' in the cyber context, which is: "Countermeasures are acts (or omissions) that would normally constitute a violation of an international law obligation, but are lawful because they are a response to a previous violation of an international law obligation by another state," Knapen notes.
Jake Williams, CTO of cybersecurity firm BreachQuest, says the way in which the Dutch are handling the nonstate actor problem is significant.
"Most opposition to military response for ransomware and cybercrime is the issue that it's a response to a law enforcement problem. This document highlights the issues of attribution in determining whether an operation is state sponsored, state sanctioned, or simply state ignored. Effectively, this seemingly indicates that military use is a legal option because a failure to take action on ransomware actors operating from your borders is no different than actually sponsoring the action," notes Williams, a former member of the U.S. National Security Agency's elite hacking team.
Knapen says that the Netherlands will focus on tools for concrete implementation of standards, with priority being given to the initiative for a advancing responsible state behavior in cyberspace in the context of international security within the United Nations.
"The Netherlands will pay particular attention to the implementation of standards that are relevant to ransomware," Knapen notes.
Countries are being held accountable for their actions and inaction via diplomatic responses such as actions against cross-border criminal cyber operations and measures such as sanctions, which are more powerful if they are designed in a broad coalition context, Knapen says.
"Within the EU, the Netherlands has therefore been a driving force behind the EU Cyber Diplomacy Toolbox and the adoption of the ninth EU cyber sanctions regime in May 2019, and the Netherlands is committed to further developing these instruments. This provides the EU with good tools to respond faster and more vigorously to cyber incidents. Recent EU statements and sanctions show that these instruments are delivering concrete results," he notes.
Knapen is also pushing for diplomatic channels for bilateral cooperation between countries in judicial investigations against ransomware, which he says can be useful if cooperation through international judicial channels is insufficient. "The Netherlands can then emphasize the importance attached to cooperation through diplomatic channels," he says.
In addition, Knapen states that the Netherlands will continue its efforts to promote joint development of response options and knowledge sharing within the EU, NATO and other alliances with allies.
Toorn states that proposed nonhostile operations sound very reasonable given that the Dutch military - and specifically the Dutch Cyber Command - has extensive capabilities and intelligence available to assist both public and private companies in combating ransomware.
He adds that "offensive operations by Dutch military should be carefully considered" as they "may bring more diplomatic issues," "I would be hesitant to openly offer military offensive capabilities before having defined all requirements and thresholds," Toorn says.
Williams notes that the document seems to establish the legal justification under international law for military action against countries that blatantly allow ransomware attacks to continue from within their borders.
The letter also describes how the Dutch government is increasing the digital resilience of the Netherlands. It states that the country is taking various measures within the framework of the National Cyber Security Agenda and its integrated approach to cybercrime.
"In many successful cyberattacks, including ransomware, it appears that basic cybersecurity measures have not been taken sufficiently. In addition, many entrepreneurs, especially in SMEs, do not seem to see themselves as a potential victim of ransomware," Knapen states. "The Digital Trust Center (DTC) of the Ministry of Economic Affairs and Climate is therefore committed to providing information about ransomware, for example by sharing the stories of entrepreneurs who have become victims of ransomware."
Knapen further warns that a number of cybercriminal groups now possess capabilities that are not inferior to the level of state actors, and the impact of an attack could pose a threat to national security through the deployment of ransomware.
"It has not yet manifested itself in the Netherlands, [however] this threat comes on top of the already existing, continuously increasing threat in the cyber domain," Knapen notes. "The investigative services, the Intelligence and Security Service and the armed forces are as yet insufficiently equipped to take structural action against actors who pose a threat to national security through a ransomware attack.”
And Williams notes, "While I don’t foresee ransomware-related military invasions in the near future, the document sends a strong message for countries simply ignoring actors operating inside their borders. Given the focus on establishing the international law standard, the document may also be intended to spur meaningful conversations at an international level about the ransomware threat."