Toespraak minister Grapperhaus over digitale veiligheid en cybercriminaliteit

Toespraak van minister Grapperhaus over de uitdagingen van digitale veiligheid en de strijd tegen cybercriminaliteit in Washington D.C. (VS). De toespraak is alleen in het Engels beschikbaar.

Ladies and gentlemen,

Less than a mile from here, in the Library of Congress, you can find a unique treasure: the first map of the world to use the name America. It was made by the German cartographer Martin Waldseemüller and first published in 1507. To be honest: the name America is placed on what is now known as Latin-America, but it was proof that the Roman poet Virgil was right. That there was a land “that lies beyond the stars, beyond the paths of the year and the sun, where Atlas the heaven-bearer turns on his shoulder the axis of the world set with blazing stars". Waldseemüller based his map on the travels and discoveries of Ptolemy, Amerigo Vespucci and – no surprise – Christopher Columbus.

Explorers who sailed the 7 seas in order to discover new trade routes, new products, new trade partners.  Yes, money made the world go round. These men – yes, all men, sorry -, these explorers and cartographers, made the unknown into the known. Because in the unknown, there were dragons.

Their world was a world of land, sea and air. Dangerous, but visible, definable, finite. But in the last 70 years, we expanded that known world in 2 directions: up and everywhere.

We went up in space in the '60s, in the words of president John F. Kennedy: “we choose to go to the moon in this decade and do the other things. Not because they are easy, but because they are hard.”

And then we went beyond what is there, into an new – this time manmade ‘everywhere’: which is cyberspace. Invisible, indefinable, infinite. And just as dangerous – or even more so - than the old world. Because cyberspace is not a place on a map. Cyberspace, digitalisation is everywhere.

Over the course of just a few decades, the world has entered a digital age in which people from all over the world are connected online. In 1996, only 36 million people used the internet, less than a per cent of the world population. In 2017, that figure had risen to 3.7 billion, nearly half the world’s population. Individuals and businesses, governments and NGO’s, financial institutions and think tanks: they – we - are all connected. We all use the endless resources, the endless possibilities of cyber space. And I think that is a good thing.

Because digitalisation brought us e-learning, e-health, unlimited information and shared knowledge, social media and the internet of things. And the possibilities seem endless: talking refrigerators, self-driving cars and robots that dream. But digitalisation also brought us ransomware and fake news, the dark web and cyberstalking, digital espionage and cyberattacks. And maybe even some Manchurian candidates we don’t know about yet. Killers, instructed through the internet, somewhere out there. Yes, cyberspace brought us cybercrime and the need for cybersecurity.

And to be honest, our society has become totally dependent on digital resources. Critical processes like telecoms, water supplies and financial transactions are now completely reliant on digital systems and processes.  If 1 link in the digital chain breaks, it soon may have a domino effect. It will have direct consequences on critical processes in business and government, the earning power of companies and the daily lives of our citizens. Not to mention indirect consequences.

So the chain can break, and there are threats that will happen on purpose. Such purpose comes mainly from 2 categories of perpetrators: state actors and criminals. Their influence and deviousness of these 2 sorts is growing and continues to develop.  State actors who try to digitally influence elections, but also reputations and public views. State actors who may even want to influence essential processes in society or sabotage vital infrastructure. Thereby undermining free society.

Criminals present other threats; let us first take a closer look at those. They continue to develop revenue models, such as ransomware.  Like in 2017 when organisations across the globe fell victim to a ransomware attack. In the Netherlands one of the largest container terminals in the Port of Rotterdam was attacked, among others. Processes were halted and delayed for days, with severe societal and economical damages. In the United Kingdom in a likewise manner with two large hospitals. And, criminal organizations who have no technological expertise, can orchestrate a ransom attack: they just hire experts to develop and distribute the ransomware. Easy money, but big social and economic consequences.

They also find those people who can develop and distribute ransomware on the dark web: dark nets where one can find markets for weapons and drugs, assassins and - for me personally one of the worst - child exploitation.

And this is why our governments must put money and means in the investigation and persecution of those Internet criminal organization. As was done in the cooperation between the Dutch, US and German law enforcement to get a hold on Hansa. Hansa was once the largest dark-web market in Europe. There were more than 24,000 drug products on offer, from cocaine to specific sorts of MDMA to heroin, as well as a smaller trade in fraud tools and counterfeit documents. The Dutch investigators started an undercover operation. With fake accounts the Dutch police was able to take full control of the site itself. From that moment they could keep digital eye on Hansa's buyers and sellers. Learn everything about them so they could be identified and even tricked dozens of sellers in revealing their locations.

It was a game-changing police intervention, that packed a real punch against the dark web: millions of dollars worth of confiscated bitcoins, more than a dozen arrests - and counting - of top drug dealers, and a vast database of user information.

And that type of interventions must continue. As must close cooperation. Because to stand up to the increasing threats, we must work with others. With other governments, other agencies, other countries. At political, policy-making and technical but also operational level. Cyberspace knows no borders, so does cybercrime: we have to think global to pack our punches.

For instance, to do that against international networks that distribute child abuse images. That is an important issue for me, for the Netherlands. Because a huge amount of online child sexual abuse is stored on servers in or attributed to locations in the Netherlands. Because we are a digital hub; we have a high-end infrastructure that criminals misuse. And it is my aim to break this spiral; victims deserve no less.

So I started to organise a round table with the large digital companies NGO’s and science. The sector itself has developed a self-regulating policy with a notice and takedown-procedure: they will themselves see to remove unlawful content is removed within 24 hours. Secondly we also built a hash-check-service that allows companies to clean their servers.  Thirdly a technical University makes a monitoring instrument that provides insight into which company hosts how much child abuse images. Last but not least I started a legislative process to directly impose penalties on companies that do not remove the content in 24 hours after a report of child pornography including everything that goes with it. And certainly also the naming and shaming that will go with it.

To make sure that actually happens they will be supervised by a new independent national authority that will have sufficient enforcement resources at its disposal. Companies or directors who do not defer to this authority will be prosecuted. All actions that will – must - help to slay the dragon of online child sexual abuse.

Slaying these dragons, to be cyber secure, is an integral part of protection against threats in the digital domain, essential for safeguarding national security as well. However. Challenges to effectively combat cybercrime remain.  Especially, the challenge of going dark. In other words how do we maintain access to information and critical tools that our law enforcement needs to find these criminals.

In the Europe and the U.S. we have the same discussion on the use of end-to-end encryption by platforms such as Facebook, Instagram or Whatsapp and others. Everyone agrees that victims of online child abuse should have our societal protection. Everyone agrees that we should do everything to find the heinous criminals and prosecute them. But everyone also agrees that we have a right to privacy and data protection. Everyone agrees that we need to be cyber secure. End-to-end encryption is both a blessing and a curse in prosecuting criminals.

Many of the tech platforms have moved to use end-to-end encryption or are about to. And although I agree with people that end-to-end encryption is an important feature on privacy protection. But I also see how our law enforcements agencies are struggling with how criminals benefit from this shield of privacy. We need to find a balances approach, to protect the victims and respect ones privacy. And I wish to stress; only to protect victims of those heinous crimes as child abuse en pornography. I propose to continue the dialogue with the tech platforms. And I agree with your attorney General Barr that we need to call upon them, to take their responsibility, to keep the Internet a safe place.

Until now, I’ve addressed primarily cybercrime, but of course the issue is much broader. We also have to talk about cybersecurity, state actors. Because everything is connected. That is why 2 small cities in the Netherlands are on a United States list. Not because they are on the Lonely Planet’s list of places you must visit, but because they are crucial security targets.

But because at Beverwijk and Katwijk, undersea telecommunications cables land on the shore. Fiber optic cables that are used for telephones, internet and television, that connect Europe with America through the Amsterdam internet exchange. An attack on those cables can have serious consequences for international Internet and telephone traffic. In November 2003, for example, a relatively modest defect of 1 of the cables caused major Internet disruptions in the United Kingdom. A coordinated attack on multiple cables might paralyze half the world. And as we see state actors of various geographical and political background have been willing to try to influence our cyber-dependant systems to destabilize, or as I have pointed out before, to even sabotage our society. It makes us realise how vulnerable we are. How vulnerable we all are.

For this reason I presented a national Cyber Security Agenda in the Netherlands. A free society needs a basic level of cybersecurity to increase our resilience against cybercrime and cyberattacks.

We have to ensure that our capabilities and resources to address threats are working. As the question is no longer if a disruption will take place but when. We have to be prepared for that. Always.

We have to make sure that cybersecurity is a basic consideration in the further development of our digital processes. Against those criminals but also against state actors. We have to make sure that citizens, businesses and public authorities improve their digital security and that the government fulfils its protective duty in the digital domain.

I can ensure you, I will raise the awareness to the public. It is one of my more difficult tasks as a minister. That means that we have to work together, that we need public and private cooperation, national and international. Current practice in this cooperation shows that there is a need for a clear division of responsibilities.

We cannot just rely on existing laws and regulations on security. Cyber has its own dimensions, one could even say that cyber in itself adds a new dimension in our universe. That does not mean that we need a whole new set of rules and regulations. Absolutely not. But as a society we must reconcile the specific aspects of cyber with existing rights and regulations we have.

In that respect: new does not automatically mean ‘different’; cyberspace is not automatically the exception, does not have special status. So we do not need to reinvent everything, we must explore what isn’t there yet. We must take upon us the challenge to become the cartographers of cyberspace. We, that is society, involving everyone who has an interest or involvement in cyber.

It is clear that – although we cannot be a 100% responsible – the government has to take the lead.  We have to commit to a secure and stable country by recognizing threats to critical interests and increase the resilience of those interests. We have to be prepared for attacks and crimes, crises and incidents that threaten our society. We also have to take the lead in gathering and sharing information and knowledge. For instance by stimulating fundamental and applied research into cybersecurity. Not only to strengthen our own security, but also to enhance our national and international knowledge position and our digital autonomy. And the government has to take the lead in public-private cooperation. In the Netherlands, that cooperation has already led to many great initiatives and results.

We have  created the Digital Trust Center, in order to help businesses increase their cybersecurity. And we have developed a national system to facilitate the exchange of cybersecurity information. There is now a Cybersecurity Council and a Cybersecurity Alliance where public bodies, private organisations and the research community work together to make strategic and practical improvements to cybersecurity in our country.

But public-private partnerships alone won’t be enough to respond to the ever mounting threats. When it comes to addressing security concerns, we are finding a new balance. Because security can no longer be an afterthought. Remember that I said; it is not if it is gonna happen, but when. As a government we must act earlier and more assertively. And, maybe even more importantly: we have to work together. Cybersecurity is not restricted to national borders.

As I said earlier, the Netherlands has internationally crucial digital infrastructure, that means whatever we do, cannot only be seen at a national level. We need international cooperation. Together with several partners such as the EU, we have taken a number of steps to keep up and become more resilient. However, due to rapid technological developments and on the other hand, the transboundary risks and threats, it is necessary to take the next step in international cooperation. To increase security in the international, digital domain. The Netherlands and the US shoudl work even more together, we are natural partners in this respect.

As a Dutchman I admire the American approach. Your approach to cybersecurity can lead as an example on how we can develop even further. For example the way the Americans handle critical infrastructure and supply chain risk management illustrates the possibilities and necessity of a common approach and cooperation. 

On the other hand, you are also the land of the free and the home of the brave. Freedom of fundamental rights are your DNA. In my youth I was much inspired by Steve Miller. His song - Fly Like an Eagle - was about hope for the future. "There's a solution", was the reoccurring line. And you know what? They call him the Space Cowboy: always positive searching for answers. I certainly would hope the USA would be willing to take up the role as the future Cyberspace Cowboy.

We need the USA if we want fruitful international progress on cyber. As I said it will only be possible to enhance cybersecurity through international cooperation and international legislation.

You all know that the Netherlands are a relatively small country – although we are 13 times bigger that your smallest state: Rhode Island. On Waldseemüller’s map of the world we were not even named, as we were then just a collection of low counties by the sea. But that sea, the threats and possibilities of all that water, learned us to cooperate. With public and private partners, nationally and internationally.  With an especially strong reputation in ensuring maritime cyber security.

Maritime cyber security sets a good example of the cooperation between our two countries. In this area the US and the Netherlands took the first step in creating a partnership. We have many shared interests when it comes to maritime cyber security. Creating a synergy in this sector, by sharing information and best practices, is the only way to keep our ships and ports digitally safe. And I’m very pleased to see that now other countries joining the two us in the cooperation such as Denmark, Germany, France and the UK.

So finally, whether on land or sea, cyberspace is a world we are still exploring. A world we have to map out, define, regulate. But there are still plenty of dragons at the edges of the map. We have the tradition in slaying those dragons: we have lots of explorers, adventurers and cartographers in our history to be proud of.

We just missed out on discovering America, but we were the first to discover Australia, long before James Cook sailed along. A Dutch cartographer, Adriaen Block, was – in 1614 - the first European to draw a map of your East Coast, with the island Manhattan, or New Netherland as it became known then. And ok, we should never have sold New York, but what can you do? People make mistakes right?

But as they say, failures achieved in the past offer no guarantees for future lessons learned. Of course, results achieved in the past offer no guarantee for the future. So we should consider cyberspace as a whole new challenge. A challenge that is difficult to know, difficult to grasp, difficult to map. A challenge we have to face together, working together, talking together. Like we are doing during my visit here. That is the role we all have to play. Together we will take the next steps.

Thank you.