Governance of cyber warfare in the Netherlands: an exploratory investigation

ABSTRACT

This paper addresses the governance of cyber warfare capabilities in the Netherlands. A recent conceptual model of cyberspace is used, which distinguishes between a technical, socio-technical, and governance layer. The issue of cyber warfare governance is addressed through a literature review, interviews, and a partial SWOT analysis. The literature review provides first insight into existing definitions and perceptions of cyber warfare in the international and Dutch context. Second, the main stakeholders regarding cyber warfare in the Netherlands and their governance roles are identified. The interviews provide more detail and enable partial cross-check of the published narrative. A SWOT analysis allows identification of the main challenges (weaknesses) connected to the governance of cyber warfare in the Netherlands and corresponding mitigating factors (opportunities). The research findings show the infancy stage of cyber warfare capabilities and governance in the Netherlands. They testify to the problem of reconciling differing and sometimes conflicting interests, and point to the need for collaboration and unified coordination of governance efforts within the Netherlands. However, governance of national cyber warfare capabilities requires more than a concerted national effort alone. Sensitivity to the international environment is indispensable given the complexity of cyber warfare governance.

Resumen

Este artículo aborda la gobernanza de las capacidades de guerra cibernética en los Países Bajos. Se utiliza un modelo conceptual reciente de ciberespacio que distingue entre una capa técnica, sociotécnica y de gobernanza. El tema de la gobernanza de la guerra cibernética se aborda a través de una revisión de la literatura, entrevistas y un análisis SWOT. La revisión de la literatura proporciona una primera visión de las definiciones y percepciones existentes de la guerra cibernética en el contexto internacional y holandés. En segundo lugar, se identifican los principales stakeholders​​en relación con la guerra cibernética en los Países Bajos y sus roles de gobernanza. Las entrevistas proporcionan más detalles y permiten una verificación cruzada parcial de la narrativa publicada. Un análisis SWOT parcial permite la identificación de los principales desafíos (puntos débiles) relacionados con la gobernanza de la guerra cibernética en los Países Bajos y los correspondientes factores atenuantes (oportunidades). Los resultados de la investigación muestran la etapa de infancia de las capacidades y la gobernanza de la guerra cibernética en los Países Bajos. Atestiguan el problema de conciliar intereses divergentes y, en ocasiones, conflictivos, y señalan la necesidad de colaboración y coordinación unificada de los esfuerzos de gobernanza en los Países Bajos. Sin embargo, la gobernanza de las capacidades nacionales de ciberguerra requiere más que un esfuerzo nacional concertado aislado. La sensibilidad al entorno internacional es indispensable dada la complejidad de la gobernanza de la guerra cibernética.

KEYWORDS:

• Governance
• cyber warfare
• the Netherlands
• capabilities
• stakeholders

Palabras clave:

• gobernanza
• ciberguerra
• Países Bajos
• capacidades
• stakeholders

Introduction

In July 2016, the NATO Warsaw summit recognized cyberspace as the fifth domain of warfare, next to the land, sea, air, and space domain (Warsaw Summit Communiqué, 2016).¹ In September 2014, at the previous NATO summit in Wales, agreement had already been reached to consider cyber defense part and parcel of NATO’s core task of collective defense (Wales Summit Declaration, 2014).² NATO cyber defense exercises—dubbed ‘Locked Shields’—have been held annually since 2010. Even earlier, in 2008, the Cooperative Cyber Defence Centre of Excellence was established in Talinn, Estonia (Cyber Defence Exercises, 2016; Dijk, Meulendijks, & Absil, 2016, p. 67–8).

Cyberattacks on any of the NATO members can now justify invoking Article 5—the alliance’s well-known collective defense clause. But, as of yet, no one knows what kind of cyberattack might actually cause Article 5 to come into effect. And, whether or not offensive actions constitute an integral element of a defensive response (Meyer, 2015, p. 47–9; Veenendaal, Kaska, & Brangetto, 2016). With little of a cyber doctrine or cyber policy available, any such decision thus depends upon the situation and is in the end decided by the North Atlantic Council on a case-by-case basis (Limnéll & Salonius-Pasternak, 2016; Wales Summit Declaration, 2014).

This paper is an exploratory investigation into cyber warfare governance from the perspective of the Netherlands, a small and little-mentioned, but not insignificant member of the EU and of NATO. The paper aims to shed light on cyber governance issues in a country not often discussed in the wider literature. It thus offers a relatively unique new insight into the challenges and opportunities faced by similar smaller and/or medium-sized EU and NATO countries making up the numerical bulk of both organizations’ membership. Given the inherent confidentiality of the discussed topic, the lack of benchmarks, and the exploratory stage of cyber warfare activities at this point in time, the conclusions of this investigation can only be considered tentative. Future research incorporating the experience of other countries should therefore be encouraged to further progress in this interesting and relevant field of research.

Exploring the cyber warfare domain

With military activities entering the fifth domain of cyberspace, military cyber capabilities are rapidly developing. These capabilities can be used for defensive, offensive, and intelligence purposes. Cyber capabilities will certainly become part and parcel of conventional military operations and conventional warfare (Defensie cyber strategie, 2012). However, although many internationally accepted rules and regulations govern conventional warfare, there is no common international understanding as of yet of what constitutes cyber operations, or cyber warfare for that matter (Mueller, 2014).

Many countries choose to apply the laws and regulations governing conventional warfare to cyberspace as well, but the characteristics of this domain are different from the characteristics of the other domains (Mueller, 2014). Cyber activities used for malicious purposes can, for instance, remain undetected, and the effects can be less tangible than the effects of conventional military actions. As a result, the lack of clear international rules and regulations could result in miscalculation, misperception, and misunderstanding (Confidence building measures, 2014).

In the 2015 revision of its Defence Cyber Strategy, the Dutch government has stated that over the next years the Netherlands will work together with its allies to mitigate the risks of integrating digital cyber capabilities with conventional military operations (Hennis-Plasschaert, 2015, p. 1–2). In order to do so, a common understanding is needed on what constitutes cyber warfare and on what rules and regulations apply. This paper provides an overview of the governance challenges and mitigating factors with regard to cyber warfare in the Netherlands in an attempt to answer the following question:

“What are the main governance challenges regarding cyber warfare for the Netherlands, and how can these challenges be mitigated?”

A recent three-layer model by van den Berg is used in order to assess which stakeholders in the Netherlands have a governance role at the technical, socio-technical, and governance layer (van den Berg, 2014). A literature review is conducted to obtain more insight into the international definitions used to describe cyber warfare. In addition, an analysis of the weaknesses and opportunities of the Dutch system is offered to ascertain the challenges its stakeholders face in governing cyber warfare. Mitigating factors at each layer are identified as well that can assist in creating a more robust governance framework.

Conceptualizing cyberspace

To comprehend the governance challenges with regard to cyber warfare in the Netherlands, it is necessary to demarcate the notions of governance as well as cyber warfare. In this paper, governance is seen as the establishment of policies, and the continuous monitoring of their implementation, by the members of an organization’s governing body (Governance, 2016). The notion of cyber warfare is explored in more detail in Section 4.

The given explanation of governance has led to an investigation of cyber warfare stakeholders, in this case the members of the governing body of an organization. In order to create a complete picture of those governance stakeholders, and their policies in the realm of cyber warfare, the conceptualization of cyberspace offered by van den Berg (2014) is used. According to this model, cyberspace can be divided into several cyber subdomains and needs to be analyzed on three different layers. See Figure 1 below for a visualization.

Figure 1. Conceptualization of cyberspace.

Source: van den Berg (2014).

Technical, socio-technical, and governance layer

From the model, it follows that cyber warfare is positioned in the cyber subdomain of Public Order & Safety. The model also shows that looking into the technical aspects of cyberspace alone does not suffice. Socio-technical and governance aspects need to be considered as well. The technical layer concerns the more traditional notion of information security (hardware and software, including cables, satellites, routers, codes, etc.), whereas the socio-technical layer concerns the range of cyber activities that people are currently able to perform. These cyber activities consist of the interaction between people and the IT systems available to these people. The governance layer consists of a large number of human actors, organizations, and (supra-)state governing bodies that (try to) regulate cyberspace and—in doing so—influence the technical as well as the socio-technical layer (van den Berg, 2014).

Section 4 also provides the results of a literature review of the stakeholders and the policies they establish, implement, and monitor regarding cyber warfare in the Netherlands at each of the layers of the model by van den Berg (2014). The results of the literature review are complemented by interviews conducted with three cyber specialists working for the Ministry of Defence. Given the confidentiality of the subject, these sources wish to remain anonymous.

The following subquestion is addressed:

“Which stakeholders can be identified at the technical, socio-technical, and governance layer that have a role in the establishment, implementation, and monitoring of cyber warfare policy in the Netherlands?”

After determining which stakeholders and what policies apply to the notion of cyber warfare in the Netherlands, a review of the weaknesses and opportunities of the current system is conducted in order to ascertain the obstacles and possibilities that these stakeholders are faced with (see Section 5). Analyzing the results of the review can help disclose the changes and improvements to be made in order to improve the system in place. For the purpose of this paper, the weaknesses and opportunities identified at the technical, socio-technical, and governance layer are used in order to discover the main challenges and mitigating factors regarding cyber warfare. Section 6 provides an overview of the results of the literature review and analysis, providing the main challenges and mitigating factors regarding cyber warfare in the Netherlands.

The information provided in this paper is based on public sources. Three interviews have been conducted with anonymous cyber specialists of the Dutch Ministry of Defence to address some gaps in the publicly available information. Nevertheless, many questions regarding cyber warfare remain and more research in the future is necessary to help provide answers. However, given the confidential nature of cyber capabilities—especially offensive cyber capabilities—many stakeholders have a strategic interest in keeping (parts of) its governance structures and procedures confidential.

Defining cyber warfare and identifying stakeholders

This section outlines the results of the literature review regarding the governance of cyber warfare in the Netherlands. The first part offers insight into the existing definitions of cyber warfare, which serves to show that despite the existing wealth of literature no agreement yet has been reached on notions of cyberspace, cyber warfare, etc. What remains so far is a confusing amalgam of fact and opinions. The second part describes the main stakeholders with regard to cyber warfare in the Netherlands and their governance roles at each of the layers as envisaged by van den Berg (2014) in their conceptualization of cyberspace.

Defining cyber warfare

The literature review shows that there is no common international understanding of what constitutes cyber warfare (Mueller, 2014). Notions like cyber espionage, cyberattack, cyber war(fare), and even cybercrime are often conflated. To illustrate the point, in 2014 Singer and Friedman wrote that defining cyberwar need not be complicated. Discussing the key elements of war in cyberspace, they regard them as similar to warfare in other domains. There is always a political goal and mode and always an element of violence. Subsequently, they refer to the US government’s position on the use of force in which a cyberattack results in death, injury, or significant destruction, without exploring the definition issue any further (Singer & Friedman, 2014, p. 68; p. 121).

However, a cyberattack is not the equivalent of cyber warfare. In the eyes of Thomas Rid, it first has to be clear whether a cyberattack can actually be characterized as an act of war. To qualify as an act of war, a cyberattack or any offensive cyber act should, according to him, meet three distinctive criteria: (1) it must have the potential to be lethal, (2) it has to be instrumental, and (3) it has to be political. According to Rid, no known cyberattack so far has met all three criteria, and therefore he draws the conclusion that no cyber warfare has ever taken place (Rid, 2012).

Although Rid’s extreme position has sparked a fruitful scientific debate, it has not led to an internationally agreed-upon definition of cyber warfare. It could be argued whether this stage will ever be reached. According to the USA Law of War Manual (LOWM), a definition of cyber warfare “often depends on the specific legal context in which it is used” (Law of War Manual, 2015). This would preclude a commonly accepted cyber warfare definition. And indeed, a range of definitions can nowadays be found, offered by different authors and/or organizations (Denmark invests in cyber offensive capabilities, 2015; France to invest 1 billion euros to update cyber defenses, 2014; Law of War Manual, 2015; Rid, 2012). Some randomly selected cyber warfare definitions in circulation are described below in Table 1. These merely serve to illustrate the current confusion and potential misunderstanding when it comes to discussing the concept of cyber warfare.

Table 1. Some examples of cyber warfare definition attempts.

Definition
Netherlands	“Cyber warfare is defined as the conduct of military operations to disrupt, mislead, modify or destroy an opponent’s computer systems or networks by means of cyber capabilities. The key criteria that define cyber warfare are: 1) the presence of a military operation aimed at achieving a political or military advantage, 2) the causing of damage to the opponent’s cyber infrastructure; and 3) the use of cyber capabilities (since computer systems can also be destroyed using kinetic capabilities).” (Cyber Warfare, 2011)
ENISA	“Cyber warfare: activities and operations carried out in the cyber domain with the purpose of achieving an operational advantage of military significance.” (National Strategic Framework for Cyberspace Security, 2013) ENISA = European Network and Information Security Agency
Oxford Dictionary	“Cyberwar: The use of computer technology to disrupt the activities of a state or organization, especially the deliberate attacking of communication systems by another state or organization.” (Cyberwar, n.d.)
Clarke & Knake	“Cyber war: Actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption.” (Clarke & Knake, 2010)
Cartwright	“Cyber warfare: An armed conflict conducted in whole or part by cyber means, and military operations conducted to deny an opposing force the effective use of cyberspace systems and weapons in a conflict.” (Cartwright, 2010)

At this point in time, Martin Libicki probably has the most measured analysis to offer on the theme under discussion. He defines cyberspace as the agglomeration of computing devices that are networked to one another and to the outside world. Like any other domain, it is a domain of potential conflict, which can lead to a (cyber)attack, that is, a deliberate disruption or corruption by one state of a system of interest to another state. According to Libicki, cyberattacks can constitute full-scale cyberwar, defined by him as (a) deliberate attack(s) on a network with the aims of paralyzing it (Libicki, 2009, p. 6–23). He thereby distinguishes between strategic and operational cyberwars. Strategic cyberwar is made up of cyberattack(s) launched by one entity against a state and its society primarily, but not exclusively, for the purpose of affecting the target states behavior. Operational cyberwar has a more limited scope in his opinion and is defined as the use of a computer network to support physical military operations (Libicki, 2009, p. 117).

With all this in mind, the attention will now be turned to the Dutch context. Ducheine and van Haaster (2013) have provided the following hands-on definition of cyber warfare:

“Cyber warfare is the execution of military cyber operations.” (Ducheine & van Haaster, 2013, p. 369).

Since this definition speaks of cyber operations, it is necessary to find out what cyber operations entail. The Dutch Defence Cyber Strategy (DDCS) speaks of enabling military operations in the digital domain through (1) defensive, (2) offensive, and (3) intelligence cyber capabilities. The DDCS provides the following distinction of these three concepts (Hennis-Plasschaert, 2015):

1. Offensive cyber capabilities, or digital means that aim to influence or disable the actions of an opponent.

2. Defensive cyber capabilities, or digital means that aim to protect the effectiveness and deployability of the armed forces.

3. Intelligence cyber capabilities, or digital means that aim to gather information in order to strengthen the position to judge and influence opportunity, threats, and risks in cyberspace.

The definition and wording used in the DDCS fall in line with an international definition provided by the so-called Tallinn Manual process:

“Cyber operations are the employment of cyber capabilities with the primary purpose of achieving (military) objectives in or by the use of cyberspace” (Schmitt, 2013, p. 258).

The DDCS defines offensive cyber capabilities as the availability of digital means with the purpose of influencing or denying enemy action by means of infiltration of computers, networks, and weapon and sensory systems in order to influence information and systems. The Ministry of Defence uses digital means exclusively against military targets (Hennis-Plasschaert, 2015). Identifying these targets can only be done with the help of detailed and timely intelligence. Furthermore, the Dutch intelligence law provides the only legal framework so far to conduct offensive cyber activities.³

Defensive measures are considered equally important to ensure the effectiveness and deployability of the armed forces. During an operation, rapid response might be necessary in case of a cyberattack. Proven attribution through computer network exploitation (intelligence) is essential in this respect. This emphasizes once again the need for evaluated and validated intelligence that need to be provided timely to a commanding officer (Hennis-Plasschaert, 2015).

High-quality strategic and operational intelligence is conditional for the execution of military missions. These can be complemented by (locally) acquired intelligence using other means (human, signals intelligence). According to the DDCS, an integral intelligence position enables the Ministry of Defence to properly estimate and influence opportunities, threats and risks (Hennis-Plasschaert, 2015). Table 2 below offers a more detailed overview of defensive, offensive, and intelligence capabilities.

Table 2. Defensive, offensive, and intelligence capabilities from the Dutch perspective.

OFFENSIVE ACTIVITIES	Psychological operations (e.g., communicating with the public or public authorities via a hacked network) Network Attack Eliminating/disrupting the opponent’s command, control and communication functions and other defense systems (distributed denial-of-service [DDOS] attacks) Network Attack Destruction of critical infrastructure (e.g., influencing utility companies’ process management systems) Network Attack
DEFENSIVE ACTIVITIES	Securing/monitoring own networks (including weapons systems) Network Defense (passive defense) Securing defense industry network connection Network Defense (passive defense) Neutralizing counterattack to protect systems (e.g., disrupting command and control of botnets or taking control of/sabotaging an aggressor’s system using malware) Network Defense (passive defense)
INTELLIGENCE ACTIVITIES	Tapping/accessing Internet traffic (interception of IP data or underlying protocols Network Exploitation Monitoring the volume and patterns of data traffic on foreign networks Network Exploitation Clandestine penetration of systems to download data (e.g., by means of exploits) Network Exploitation Counterintelligence activities (e.g., manipulation or disruption of third-party cyber intelligence activities) Network Exploitation

Source: Cyber Warfare, Advisory Council on International Affairs (AIV, nr. 77)/Advisory Committee on Issues of Public International Law (CAVV, nr. 22) 2011, p. 15–16.

Stakeholders and governance

The following pages list the results of a literature review of the stakeholders and the policies they have established and are implementing regarding cyber warfare in the Netherlands. The three layers of the model by van den Berg (2014) are used and addressed separately with the following subquestion in mind:

“Which stakeholders can be identified at the technical, socio-technical, and governance layer that have a role in the establishment, monitoring, and implementation of cyber warfare policy in the Netherlands?”

Stakeholders and policies on the technical layer

The technical layer of the conceptualization model concerns the technology and IT (both hardware and software) that enable cyber activities at the socio-technical layer (van den Berg, 2014). The focus is on stakeholders that have a role in enabling defensive, offensive, and intelligence cyber capabilities. See Table 3 below for a description of the Dutch government’s expectations of these cyber capabilities.

Table 3. Dutch government expectations regarding cyber capabilities.

The Dutch Defence Cyber Strategy (DDCS) describes what the Dutch government expects from cyber capabilities. Cyber operations are supported by defensive, offensive, and intelligence cyber capabilities.

DEFENSIVE CAPABILITIES

Digital capabilities used for defensive cyber operations need to be able to protect the effectiveness and deployability of the army (Hennis-Plasschaert, 2015). The resources used should be able to find vulnerabilities in and monitor digital resources. They also need to provide correct information for rapid response (Hennis-Plasschaert, 2015). The Defence Security Operations Centre (SOC) has the lead in monitoring and protecting all digital assets (Hennis-Plasschaert, 2015). Monitoring digital assets means the possibility of viewing data that can be linked to persons. These privacy sensitive data are protected by law, which also applies to the Ministry of Defence (Ministerie van Defensie, 2009). DefCERT independently provides information about vulnerabilities, provides advise on mitigation, and coordinates incidents (Hennis-Plasschaert, 2014, 2015).

OFFENSIVE CAPABILITIES

Digital resources used for offensive cyber need to be able to infiltrate computers, computer networks, weapons, and sensor systems and influence the information and/or the systems. Offensive cyber is only used to target military targets (Hennis-Plasschaert, 2015). Examples of cyber weapons include “angle reflectors, malware, autonomous mobile cyber weapons, botnets, backdoors in commonly used software, key-loggers, defense shields against electronic attack, IP spoofing, electronic countermeasures, infrared decoys, false-target generators, Trojan horses, info-blockades, viruses, worms, rootkits, sniffing, spamming, spyware, and transient electromagnetic devices” (Willson & Tomhave, 2012). One can argue whether all these are cyber weapons by itself. Examples of probable cyber weapons are however composed of these items. A difference is made in strategic and tactic resources. The difference is formulated by the impact created by using the technology. Strategic impact is more likely to be created by technology with a higher complexity and quality and is expected to be designed for one goal and target such as Stuxnet. DCC is assigned to manage everything involved in creating offensive cyber (skilled personnel, available technology, processes, correct intelligence, etc.). DCC not only plays a key role in the development (creation), but also in maintaining and deploying the offensive cyber resource (Hennis-Plasschaert, 2015).

INTELLIGENCE CAPABILITIES

Digital resources used for intelligence should be able to gather information to strengthen the position of the Ministry of Defence to judge and influence opportunity, threats, and risks (Hennis-Plasschaert, 2015). With respect to cyber warfare, the emphasis is on intelligence gathering in cyberspace (Ministry of Defence, 2012). The legal framework for this activity is the recently renewed intelligence law (“Wet op de Inlichtingen- en Veiligheidsdiensten,” WIV). The MIVD is allowed under the responsibility of the Ministry of Defence to gather intelligence (Hennis-Plasschaert, 2015).

Source: (Hennis-Plasschaert, 2015)

The updated DDCS describes the strategy and requirements needed to obtain these cyber capabilities (Hennis-Plasschaert, 2015). Purchasing technology and development of capabilities for defensive and intelligence purposes is not new to the Ministry of Defence. After all, the use of defensive and intelligence capabilities is not solely restricted to cyber warfare. These capabilities contain a diversity of “ordinary” cyber activities, such as office automation.⁴ Offensive capabilities, on the other hand, can only be used for cyber warfare activities. See Figure 2 below for a visualization.

Figure 2. Visualization of cyber warfare activity and the three types of cyber capabilities (Courtesy of C. Rugers).

Of relevance here is the fact that the Ministry of Defence has made the strategic decision to obtain cyber capabilities by purchasing technologies through the private sector (Hennis-Plasschaert, 2015). The DDCS states that the current processes used to purchase these technologies need to be adapted to match the dynamic character of the digital domain (Hennis-Plasschaert, 2015). However, the required adaptation is still in progress⁵ and for obvious reasons public sources remain silent on the topic. As a result, the search for sources to identify the stakeholders and policies on the technical layer focuses on current purchasing processes for obtaining regular IT.⁶ See Tables 4 and 5 below for the search results.

Table 4. Identified stakeholders on the technical layer with a role in the purchase of resources.

STAKEHOLDER	Task	Remarks
Defence Purchase Office	Companies need to hand over information with regard to their economic and financial capacity (Ministerie van Defensie, n.d.). Depending on the inquiry, companies also need to have quality management in place (Zakendoen met Defensie, n.d.). Compliance to this is checked by the purchase office within the Ministry of Defence.	There is no public source found on the actor who is writing these rules. It can be assumed that the secretary- general of the ministry plays a role in formalizing these rules and regulations as this is the case with the so-called ABDO rules and regulations concerning the delivery of specified resources to the defense apparatus (Algemene Beveiligingseisen voor Defensieopdrachten 2006, 2006). ABDO: general security demands for Defence procurement.
NATO	Products used for military purposes should also comply with NATO standards, like the Allied Quality Assurance Publications (AQAP) (Zakendoen met Defensie, n.d.). These standards are written by the NATO Standardization Office (NSO).	No explicit standard linked to cyber exists, although it can be assumed that the existing standards apply to cyber resources to some extent. The NATO Industry Cyber Partnership (NICP) is especially founded for cyber, but will not be creating standards.
Government and Parliament	Parliament monitors the compliance of the minister of defense regarding the Security Screening law (Wet Veiligheidsonderzoeken) (Beleidsregel veiligheidsonderzoeken Defensie, 2013).	This law enables the Dutch Defence Intelligence and Security Service to investigate people who play a role in designing, developing, maintaining, or deploying technology.
Ministry of General Affairs	Regulation in “Besluit Voorschrift Informatiebeveiliging Rijksdienst Bijzondere Informatie 2013 (Besluit Voorschrift Informatiebeveiliging Rijksdienst Bijzondere Informatie 2013(VIRBI 2013), 2013)”	This regulation concerns classification issues and information security.
MIVD	Monitoring ABDO-certified companies if they comply to the policies	MIVD: Militaire Inlichtingen en Veiligheidsdienst (Defence Intelligence and Security Service)
NBV	Defensive cyber could use technology to protect information; this type of technology needs to be evaluated by the NBV (monitoring on compliance) (Informatiebeveiliging, n.d.)	NBV: Nationaal Bureau voor Verbindingsbeveiliging (National Bureau for Communication Security), part of the Ministry of Internal Affairs
MIVD, BA, SG (regarding ABDO)	The mentioned organizations all have a governance task related to the ABDO certification of companies delivering resources to the Ministry of Defence. The ABDO is enforced by the MIVD and written by the Defence Security Authority (BeveilingsAutoriteit; BA) and formalized by the secretary-general (SG) of the Ministry of Defence as part of the total security policy (Let’s make IT happen!, 2014).	If classified information is shared between the ministry and the industry partner, the ABDO regulation applies (Algemene Beveiligingseisen voor Defensieopdrachten 2006, 2006). It is recognized that the current ABDO regulation needs to be updated (Hennis-Plasschaert, 2015).

Table 5. Additional stakeholder with a governance role.

STAKEHOLDER	Task	Remarks
DCC	The Defence Cyber Command (DCC) manages everything concerning offensive cyber (Hennis-Plasschaert, 2015). The DCC not only plays a key role in the development, but also in maintaining and deploying the offensive cyber resource (Hennis-Plasschaert, 2015).	In this paper, it is assumed that the DCC, being responsible for offensive cyber management, will influence the decisions made with regard to the new cyber procurement processes. NB: This influence may be seen as a governance task.
Defence Security Operations Center (SOC)	Monitoring and protecting all digital assets within the Ministry of Defence (Hennis-Plasschaert, 2015).	This is not a straightforward governance task. However, while monitoring for cyber risks, the SOC comes across incorrectly implemented security policies, or incorrectly implemented architecture principles that need to be addressed.

The literature review identified two stakeholders operating on the socio-technical layer with a (partial) governance role on the technical layer. See Table 5 below.

Stakeholders and policies on the socio-technical layer

In order to discover the stakeholders involved in cyber warfare at the socio-technical layer, it is necessary to look at those actors that play a role in conducting cyber warfare and the cyber activity that comes with it. According to Boeke, the Dutch institutional cyber landscape in general resembles a participant-governed network connecting partners on a basis of trust and equality (Boeke, 2016, 2017, p. 6). Rather than being centralized, cyber capabilities and responsibilities are spread across different organizations—each with their own tasks, interests, and culture. This distributed nature requires much time-consuming and laborious deliberation among the participants and is especially marked within the Ministry of Defence, which is responsible for cyber warfare capabilities in the Netherlands—either for defensive, offensive, or intelligence purposes. The implementation of which, however, is covered by different organizational elements each sharing only limited data with each other (Cyber Warfare, 2011; Defensie cyber strategie, 2012; Hennis-Plasschaert, 2015; Landschapskaart cyber security, 2014).⁷

Within the Ministry of Defence, the Defence Cyber Command (DCC), which was formally established in 2014, is a key stakeholder with regard to cyber activities. This includes the development of defensive, offensive, and intelligence capabilities and activities (Hennis-Plasschaert, 2015). In 2014 DCC commander General Folmer (current DCC commander) described the DCC as the central entity within the Ministry of Defence for the development and use of military operational and offensive cyber capability. In his view, it is possible to support military operations with cyber capabilities. As a force multiplier, offensive cyber capabilities can increase the effectiveness of the armed forces and become a crucial addition to existing conventional military capabilities (Folmer, 2014; Vijver, 2017).

However, to become more than a force multiplier on paper and actually support military operations requires the development of capabilities, which in turn draws attention to the available budget. The annual budget of the DCC in 2017 was €22.5 million, divided in investments, exploitation, and personnel (in millions of Euros) (see Table 6)⁸ —a small amount in the light of a total Dutch Defense budget of about €8 billion, and a minute amount compared to US Cyber Command’s budget as stated at the website of the US Department of Defense, which is expected to rise to $650 million in 2018 out of a total US Defense cyber budget of $7 billion.

Table 6. DCC budget 2012–2018 (in millions of Euros).

DCC BUDGET	2012	2013	2014	2015	2016	2017	2018
Cyber Investments	0.1	3	5	4,1	2.9	2.4	0
Cyber Exploitation	0	1	2.5	6.5	11.9	11.9	11.9
Cyber Personnel	1.9	4	5.3	8.2	8.2	8.2	8.2
Total	2	8	12.8	18.8	23	22.5	20.1

Source: DCC Budget (2014)

The total defense investment budget for cyber (weapons) amounted to €7 million in 2016 and will rise to €9 million from 2017 onward. About 40% of this budget is assigned to the DCC, 40% to the MIVD, and the remaining 20% to Joint Information Provision Command (with the acronym JIVC), the Netherlands Defence Academy (NLDA), and the Directorate of Operations (DOPS).⁹

Within the defense organization, the DCC is embedded in the Army Operational Command, although the DCC falls under the direct responsibility of the Dutch commander in chief (Folmer, 2014). Its employees include civilian and military personnel from all four operational commands (army, navy, air force, and military police) (Folmer, 2014). Given the multilateral and joint character of the DCC, the strong organizational army connection seems peculiar. Two interviewees pointed, for instance, at the DOPS that houses the Joint Special Operations unit (JSO): a long-time cooperation of marines (navy) and commandos (army). Given the clear operational and multilateral character of the DCC right from the outset, they expressed the opinion that a DCC situated within the DOPS would have benefited the expected and required cooperation among the different actors involved.¹⁰

The DCC is obliged and clearly instructed to cooperate closely with the Military Intelligence and Security Service (MIVD) and the Joint Sigint Cyber Unit (JSCU)—which is a cooperative endeavor of the Defence Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD). These organizations perform their tasks based upon a separate intelligence and security law. The DCC is explicitly excluded from this legal regime and any offensive cyber operation thus depends upon the capabilities of the MIVD and JSCU. All three organizations are very different in procedures, operating style, tasks, and outlook. Although they find each other in a wish to establish an access position, they may differ severely in the exploitation (in time and approach) of the opportunities obtained. They need to understand each other’s needs and possibilities first, before a common understanding is within reach. However, without the input of the MIVD and JSCU, the DCC is rendered helpless. In addition, the DCC cooperates with a number of other partners inside and outside of the Ministry of Defence (Defensie cyber strategie, 2012). An overview of the DCC environment and linkages (in Dutch) is provided in Figure 3.

Figure 3. DCC environment and linkages (in Dutch; explanation provided underneath).

Source: DCC Ontwerp Organogram (2014).

To achieve its tasks and objectives, the DCC (Defensie Cyber Commando) is divided into three departments: the Technology Department, the Operations Department, and the Cyber Expertise Center (Defensie Cyber Expertise Centrum; DCEC). The development and deployment of offensive cyber capabilities (Offensief Vermogen) is placed in the Technology Department and will consist of cyber specialists with the expertise to act offensively in the cyber domain. However, this capability is currently not operational. Future deployment will be dependent on the expertise developed; the legal possibilities of DCC, MIVD, and JSCU; and the indispensable support of the other two departments within DCC. This also applies to the support of the defensive (Defensief Vermogen) and intelligence (provided by MIVD, JSCU) capabilities of the Ministry of Defence (Folmer, 2014).¹¹

The Operations Department and the Cyber Expertise Center (DCEC) are equally important for the successful execution of cyber capabilities. Within the Operations Department, a pool of cyber advisers will support operational units by advising the commander on the use of digital means, vulnerabilities, and capabilities of the enemy as well as own troops. The cyber advisers are the link between the operational unit in the area of deployment and the cyber units in the Netherlands (DCC and DEFCERT). The Defence Cyber Expertise Center (DCEC) is responsible for strengthening the knowledge position and innovative capability within the cyber domain, and thereby contributes to the strengthening of the three described cyber capabilities. The DCEC cooperates with the National Cybersecurity Centre (NCSC), other ministries (ander departementen), commercial business (bedrijfsleven), universities (universiteiten), (international) knowledge institutions (kennisinstituten), NATO, EU, and by means of bilateral contacts (Bi-lateraal) (Folmer, 2014).

The DCC—under direct supervision and control of the commander in chief—represents the proverbial spider in the web, acting as a coordination and operational hub when it comes to Dutch cyber warfare activities. However, the required expertise and (technical) infrastructure to conduct such cyber activities is not present within the DCC, nor does it fall under its span of control. Indispensable partners when it comes to operationalizing and legalizing cyber warfare activities are the MIVD, JSCU, and DMO within the Ministry of Defence (Oratie Ducheine, 2016).

The question whether the mentioned stakeholders have a cybersecurity governance responsibility is difficult to answer and depends upon the chosen point of view. In principal, the DCC answers to the commander in chief, whereas the MIVD answers to the secretary-general of the Ministry of Defence. Both in turn answer to the minister of defense. The JSCU is governed by a management board answering to the secretary-general of the Ministry of Defence and the minister of interior affairs (Organisatiestructuur Bestuursstaf, 2016; Organogram Defensie, 2016).¹²

Governance matters, aided by oversight mechanisms and legislation (national and international law), ultimately reside at these top levels. However, cyber is a relatively new and dynamic phenomenon. A mature governance mechanism with a corresponding coherent set of rules, regulations, and protocols is not in place yet. This development process is being fed and thus partly shaped by those developing, implementing, and executing cyber activities on the socio-technical layer. The proposed defense cyber warfare doctrine can serve as an example. Part of long-standing conventional practice, the formulation of a doctrine—that is, authoritative guideline incorporating theoretical considerations and (best) practice—was envisioned from the outset, although it will take at least another year to be published. DCC and MIVD, in particular, and the broader cybersecurity environment, in general, will, by means of such activities, influence the final outcome of the governance structure of Dutch cyber warfare activities (Defensie cyber strategie, 2012).

Stakeholders and policies on the governance layer

Identifying stakeholders

van den Berg (2014) describe the governance layer as the layer that governs the technical and the socio-technical layers in complex ways. The results of an investigation into the main stakeholders and policies that govern the cyber warfare activities and the technical means needed to conduct cyber warfare are given below.

As mentioned earlier, the Ministry of Defence considers cyberspace to constitute the fifth domain of military action. In the coming years, the Ministry of Defence will work on developing cyber capabilities to further support its military operations. Consequently, these cyber capabilities can, in the future, be used to support conventional military operations. As such, the legal framework that applies to the use of cyber capabilities is no different than the legal framework that applies to the use of conventional capabilities.¹³ This means that, at this point in time, the deployment of cyber capabilities is in line with the procedures for the deployment of conventional military capabilities (Ducheine & Arnold, 2015).

The rules and procedures for the deployment of military capabilities regarding conventional warfare are dealt with in constitutional law. Consequently, it is necessary to look at conventional law to find out which actors have a role with regard to the deployment of cyber capabilities. Article 97 of the Dutch constitution proclaims that the armed forces are an instrument of the democratic state. This means that the armed forces are subject to civil authority as represented by the Dutch government. Under conventional law, one of the main stakeholders involved in the decision-making process with regard to the deployment of the armed forces is the Dutch government (Ducheine & Arnold, 2015).

The second main stakeholder is the Dutch parliament. Constituting the legislature, the parliament has a number of opportunities to check the actions of the government. This also applies to governmental decision making on deploying the armed forces (Ducheine & Arnold, 2015).

Other important stakeholders with regard to military operations can be identified. These include the ministers of defense, foreign affairs, general affairs, and the commander in chief of the armed forces. These stakeholders have an important role to play in the process of agenda setting and decision making with regard to deploying the armed forces. However, due to the concept of “unity of governmental policy,” these stakeholders are not as such recognized within constitutional law (Ducheine & Arnold, 2015).

Identifying policies

In order for the above-mentioned stakeholders to make a decision on deploying a cyber operation, they need a legal base. A distinction can be made between national and international legal frameworks that might apply to the deployment of cyber capabilities (Ducheine & Voetelink, 2011).

Two national legal frameworks can be identified. First, the Intelligence and Security Services Act provides the legal provisions for the General Intelligence and Security Service and the Defence Intelligence and Security Service. Second, the Police Act 2012 mandates the Dutch military police to investigate and prevent cyberattacks (Politiewet 2012, 2012). However, these national frameworks primarily focus on defensive capabilities and law enforcement. As a matter of principle, national legislation does not contain the provisions for offensive military operations. Consequently, it is necessary to look at the international legal frameworks that apply (Ducheine & Voetelink, 2011).

International law actually prohibits the transboundary use of force, both offensive and defensive. This is included in article 2(4) of the UN Charter. However, what remains unclear is whether or not the use of offensive cyber capabilities is considered to be “armed force” and as such is prohibited under article 2(4) of the UN Charter. International law does contain three exceptions to article 2(4): assent could be provided by the applicable state, coercive measures as stated in chapter VII of the UN Charter could apply, and self-defense could be necessary (Ducheine & Voetelink, 2011).

Once an exception to article 2(4) is invoked, the international laws that regulate war apply. These laws consist of two strands: jus in bello and jus ad bellum. Jus in bello refers to international humanitarian law and includes provisions for the conduct of armed forces when they are engaged in war or armed conflict. Jus ad bellum applies to the conduct of engaging in war or armed conflict including crimes against peace and war of aggression (ICRC, 2015). However, the question that remains unanswered is whether or not the laws of war apply to cyber operations, and if so in what manner (Ducheine & Voetelink, 2011).

The present international legal frameworks to cyber operations therefore require scrutiny. One initiative that has been set up in order to address this issue is the Tallinn Manual process. This process was initiated by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). The CCDCOE tasked an international group of independent international experts to examine how international legal norms apply to the fifth domain of cyber warfare. The Tallinn Manual primarily focuses on the applicability of both the jus ad bellum and jus in bello. The original manual was published in 2013. Tallinn Manual 2.0 has provided an update and extension of the first handbook (Tallinn Manual 2.0, 2016). The Tallinn Manual is not an official document, being considered “an expression of the scholarly opinions of a group of independent experts acting solely in their personal capacity” (Schmitt, 2013). However, with no official alternative at hand, the manual fulfills current needs and is generally considered good enough to taken as a model at this point in time.

Another initiative was launched by the Organization for Security and Cooperation Europe (OSCE) in 2012. The OSCE invited an Informal Working Group to come up with so-called Confidence-Building Measures (CBMs) for reducing the risk of conflict in cyberspace. The aim of the CBMs is to “enhance interstate co-operation, transparency, predictability, and stability, and to reduce the risks of misperception, escalation, and conflict that may stem from the use of ICTs” (Arnold, 2016; OSCE, 2013).

Analyzing weaknesses and opportunities

A review of existing weaknesses and opportunities is applied here to identify the challenges and mitigating factors to cyber warfare for each of the three layers (the technical, socio-technical, and governance layer). In order to do so, the identified weaknesses are used to recognize the main challenges with regard to cyber warfare in the Netherlands. The identified opportunities are used to recognize the mitigating factors capable of addressing these challenges.

Technical layer

The results of the analysis for the technical layer are mainly based on information obtained in interviews. Below, the challenges (weaknesses) and the mitigating factors (opportunities) are described for the technical layer.

Weaknesses (challenges)

Currently, there is no legal framework for offensive cyber capabilities (except for missions). The lack of a generally accepted legal framework for the use of offensive cyber capabilities, as discussed in the governance layer, has repercussions for the technical layer. With regard to conventional offensive military operations, conventional law dictates that collateral damage of any operation should be specified before conducting any operation. Given the complex nature of cyberspace, it is, however, very difficult to precisely determine the collateral damage created by technology used for offensive cyber operations.¹⁴ Solving this problem might prove impossible but will certainly affect the full-scale use of technical capabilities and require a lot of time, energy, and innovative brainwork on the technical level.

Another challenge constitutes the Dutch Information Act that applies to purchasing procedures regarding offensive cyber technologies.¹⁵ Consequently, the Ministry of Defence is to disclose all information regarding its purchasing procedures if requested upon. By disclosing this kind of information, adversaries may be given intelligence on the technology bought and used by the Ministry of Defence. This allows adversaries to focus on exploiting weaknesses in this technology in order to obtain a military advantage.

Opportunities (mitigating factors)

The Ministry of Defence is aware of the challenges as stated above and is currently exploring options to address these challenges. The ministry collaborates with the NATO Industry Cyber Partnership and the European Defence Agency for mutual development and purchasing of cyber capabilities (Hennis-Plasschaert, 2015). The information obtained though these international partnerships could help the Dutch Ministry of Defence in optimizing its own purchasing processes.

Socio-technical layer

Weaknesses (challenges)

The description of the socio-technical layer has shown several weaknesses. The current organizational structure offers a challenge for the future and may lead to imperfect collaboration or friction given widely differing lines of communication and accountability. On a more generic level, it is clear that the combination of defense, offence, and intelligence is far from a natural partnership since interests and perspectives deviate markedly. Another challenge is posed by the absence of a coordinating body—a role the DCC does not perform—spanning the chain of cyber partners. Finally, the absence of a defense cyber doctrine or related documents such as standard operating procedures (SOPs) or Rules of Engagement (RoE) is a serious weakness. Without authoritative guidelines in place, it is difficult to set a course for the future development of cyber warfare activities.

Opportunities (mitigating factors)

These weaknesses are to some degree counteracted by developments on different stages. A clear opportunity constitutes the fact that cyber appears to be high and rising on the political agenda (Hennis: dreiging cyberspionage tegen Defensie neemt toe, 2016; Kamerbrief—Voortgangsrapportage uitvoering Defensie Cyber Strategie, 2016). Furthermore, there are concrete initiatives for national and international cooperation on the cyber stage. On the national level, scarce and expensive cyber capacity is being pooled and this trend is supposed to continue. For example, in the foreseeable future, DCC, MIVD, and AIVD will be brought under one roof (Hennis: dreiging cyberspionage tegen Defensie neemt toe, 2016). On the international level, cooperation initiatives are present as well, such as the NATO Cooperative Cyber Defence Centre of Excellence in Talinn, Estonia. Finally, the fact that a Dutch cyber warfare doctrine is currently drafted presents a clear opportunity for the deployment of cyber activities.

Governance layer

Weaknesses (challenges)

International law provides some guidelines for cyber warfare on the governance layer. However, it is unclear whether cyber operations constitute armed force and are thus prohibited under international law. What is more, the question remains whether cyber operations can amount to an armed attack, justifying a response of self-defense by states. Another question is whether a cyber operation has enough “intensity of force” to be labeled as armed conflict or as a “hostility” (Ducheine & Voetelink, 2011).

As such, it can be stated that one of the weaknesses, and thus one of the main challenges, with regard to cyber warfare is the extent to which the existing legal frameworks that currently apply to conventional warfare also apply to cyber warfare.

Opportunities (mitigating factors)

One initiative that has been set up in order to address these gaps in international law is the above-mentioned Tallinn Manual process. The Tallinn Manual process primarily focuses on determining the applicability of both the jus ad bellum and jus in bello to the fifth domain of cyber warfare (Tallinn Manual 2.0, 2016). Even though the Tallinn Manual is not a legally binding document, it certainly provides a useful framework for creating national legislation and procedures. Other examples include the work done by the United Nations Group of Governmental Experts on cybersecurity and the OSCE efforts to create an international understanding on what constitutes cyber warfare. The OSCE Informal Working Group came up with 11 CBMs for reducing the risk of conflict in cyberspace (Arnold, 2016; OSCE, 2013). Consequently, it can be stated that on the governance layer, the opportunities, and thus the mitigating factors for the identified challenges are the Tallinn Manual process, UN initiatives, and the CBMs created by the OSCE.

Concluding remarks

The following procedure was followed to answer the main question of this paper: “What are the main governance weaknesses/challenges with regard to cyber warfare for the Netherlands and how can these be mitigated?” First of all, definitions of cyber warfare have been considered. Cyber warfare in the Netherlands is considered to be the execution of military cyber operations through defensive, offensive, and intelligence cyber capabilities. Second, the main stakeholders and their policies have been identified at the technical, socio-technical, and governance layer. Third, weaknesses and opportunities have been identified at each layer in order to discover the main governance challenges and mitigating factors. This exercise resulted in the following findings at each consecutive layer:

Technical layer

The technology needed for cyber warfare will be purchased through the private sector. However, existing purchasing procedures need to be adapted to respond to the dynamic character of the digital domain. Stakeholders that have a role in purchasing regular IT for the Ministry of Defence have been identified to provide some insight into the kind of stakeholders that might play a role in purchasing technology needed for cyber operations.

One challenge on the technical layer affecting offensive cyber capabilities is the virtual impossibility to specify collateral damage of any offensive operation before conducting an operation. The Dutch Information Act is another challenge since it also applies to the purchasing procedures of the Ministry of Defence. The purchase of offensive cyber technologies might thus be disclosed to the benefit of adversaries. Mitigating factors could be the fact that the Ministry of Defence has shown itself to be aware of these challenges and is currently collaborating internationally to obtain cyber capabilities. The knowledge thus obtained could help in optimizing current purchasing processes.

Socio-technical layer

The main stakeholder on the socio-technical layer is the DCC. The DCC is the central entity within the Ministry of Defence for the development and use of military operational and offensive cyber capability. A number of organizational challenges, however, severely limit its effectiveness.

The required expertise and (technical) infrastructure to conduct cyber operations is not present within the DCC, nor does it fall under its span of control. Other challenges include a lack of a mature governance mechanism, the lack of a coordinating body, and the absence of a defense cyber doctrine for the time being. Furthermore, the combination of defensive, offensive, and intelligence capabilities is far from a natural partnership. Mitigating factors include the fact that cyber appears to be high on the political agenda. On the national level, cyber capacity is being pooled, a Dutch cyber warfare doctrine is in the making, while on the international level cooperation is building.

Governance layer

The deployment of cyber capabilities is not different from the procedures for the deployment of conventional military capabilities. As a result, Dutch government and parliament are the two main stakeholders with a role in the deployment of cyber capabilities. The national legal framework focuses exclusively on defensive capabilities. International law therefore needs to be taken into consideration when it comes to offensive capabilities, although it remains to be seen in which way international law is applicable to cyber operations .

One of the mitigating factors to counter this challenge is the Tallinn Manual Process, which examines how the international framework applies to cyber warfare. Other mitigating factors are UN initiatives, such as the United Nations Group of Governmental Experts on cybersecurity and the CBMs that have been established by the OSCE in an effort to reduce the risk of conflict in cyberspace.

In sum

This exploratory investigation has clearly demonstrated the infancy stage of cyber warfare capabilities and governance in the Netherlands. A governance model is still under construction and no doubt subject to adjustments in the foreseeable future. The research results testify to the problem of reconciling differing and sometimes conflicting interests between, for instance, the DCC and the intelligence community, or the Ministry of Defence and commercial organizations. This indicates the need for collaboration and unified coordination of governance efforts within the Netherlands. Last, the findings highlight the fact that governance of national cyber warfare capabilities need more than a concerted national effort alone. Sensitivity and awareness of developments within the international environment are required in order to address the complexity of cyber warfare governance with any confidence.

Acknowledgments

The author would like to thank L. Durand, C. Rugers, and R. de Vries for their invaluable input. The input of two anonymous reviewers has been much appreciated.

Notes

¹ The Warsaw Summit Communiqué stated: “Cyber attacks present a clear challenge to the security of the Alliance and could be as harmful to modern societies as a conventional attack. …. Now, in Warsaw, we reaffirm NATO’s defensive mandate, and recognize cyberspace as a domain of operations in which NATO must defend itself as effectively as it does in the air, on land, and at sea.”

² The Wales Summit Declaration stated: “Cyber attacks can reach a threshold that threatens national and Euro-Atlantic prosperity, security, and stability. Their impact could be as harmful to modern societies as a conventional attack. We affirm therefore that cyber defence is part of NATO’s core task of collective defence. A decision as to when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis.”

³ Based upon interviews with two anonymous cyber specialists at the Ministry of Defence, March 21 and 23, 2016.

⁴ Based upon an interview with an anonymous ICT specialist at the Ministry of Defence, March 16, 2016.

⁵ Ibid.

⁶ The development on purchased technology is called “rapid tool development” (Hennis-Plasschaert, 2015).

⁷ The cyber environment scan of Nederland ICT (Landschapskaart cyber security, 2014) lists 7 government departments with a (partial) responsibility in formulating cyber policies and 44 actors, both public and private, involved in the formulation and/or implementation of cyber activities. Only the Ministry of Defence is tasked with cyber warfare activities.

⁸ Dutch parliament: Rijksbegroting 2015 Defensie, Tweede Kamer, vergaderjaar 2014–2015, 34 000 X, nr. 1, pp. 96, 100–101. Recently, the annual defense budget was increased substantially. How this exactly will translate into the defense cyber budget remains to be seen.

⁹ https://blog.cyberwar.nl/2014/10/the-dutch-defense-cyber-command-a-new-operational-capability-colonel-hans-folmer-2014/.

¹⁰ According to two anonymous cyber specialists at the Ministry of Defence, e-mail correspondence (March 21, 2016) and interview (March 23, 2016).

¹¹ Ibid.

¹² Based upon an interview with an anonymous ICT specialist at the Ministry of Defence, March 16, 2016.

¹³ Dutch parliament: Kamerstukken Parlement II 2013–14, 33 321, nr.3, blz.3.

¹⁴ Based upon an interview with an anonymous ICT specialist at the Ministry of Defence, March 16, 2016.

¹⁵ Ibid.