Patricia Damen, head of the Netherlands General Intelligence and Security Service (GISS) and the Netherlands Defence Intelligence and Security Service (DISS) Joint Sigint Cyber Unit (JSCU), outlined the options for gathering intelligence on a hackers’ collective in a fictitious country (X). She stated that the Dutch Intelligence and Security Services Act 2017 (Wet op de inlichtingen- en veiligheidsdiensten 2017 – Wiv 2017) provides insufficient operational scope for GISS and DISS to act with speed and agility to counter cyber-attacks. She looks forward to the temporary legislation, which provides for greater operational striking power and introduces new, binding regulatory provisions.
The JSCU head explained that GISS and DISS always first attempt to handle investigation requests in ways that will least impact civilians, for example by consulting open sources such as newspapers and social media channels. The next step is to establish whether partner services have any relevant information, and if this is not the case, special intelligence-gathering methods are employed. Since the use of human sources (spies) is rarely a viable option, it is often necessary to employ technical means such as wiretapping (signals intelligence) or cyber investigations. In these cases, too, the aim is to search for information in a targeted manner to ensure the least possible impact on those who are not the focus of an investigation.
Bulk data
Cyber investigations may involve bulk data, cable and wireless interception or hacking. Patricia Damen emphasised that such procedures are unavoidable in an increasingly digitalised world. They can be used to search for known threats such as a hackers' collective that has already been identified, but also for unknown threats such a hackers' collective that is not yet on the services’ radar. She explained that under the Wiv 2017, the services have limited or no powers to search for unknown threats. However, the temporary legislation drafted by the Minister of Defence and the Minister of the Interior and Kingdom Relations offers greater scope and introduces fitting and dynamic regulatory provisions.
For details of the temporary legislation, see Temporary legislation governing cyber operations | Dutch Intelligence and Security Services Act | GISS