By Roel van Rijsewijk
Inspiring conversations with Boudewijn Boots
The kitchen table conversation is again not at my kitchen table. I travel to The Hague to speak at the old offices of the Ministry of Defence with Boudewijn Boots, a Vice Admiral in the Royal Navy, since March 8, 2021 Deputy Commander of the Armed Forces and thus also a member of the Cyber Security Council. Our armed forces have traditionally operated on land, at sea and in the air. With space as the fourth domain, we are going to talk about the defense of the fifth domain: cyber space.
The boy from Brabant who wanted to go to the sea
After a small delay caused by a closed Coentunnel, I arrive a few minutes late at the impressive historic Defence building where I have to pass uniformed doormen who indicate that I was already wanted. A little intimidated by this and nervous that I’m going to be late for an appointment with a military man, I walk into Admiral Boots’ office.
It’s not so bad after all; the admiral is happy to see me and I can call him by his first name: Boudewijn. And so I suggest we start with that: who is Boudewijn? And how did he end up in the Navy: “Has that always been in your blood?”
“No, not really; I’m a boy from Brabant who wanted to go to the sea.”
I myself am from Brabant as well and note that there is no sea there, just some fens.
“There is only fresh water in Brabant, so I was the black sheep of the family,” he laughs. “I wanted to go to sea to see the world and went into the merchant navy. And I have seen the wide world and at the same time it is also a small world; with a group of people for a long time on a ship performing diligent work. When we graduated from the Naval Academy, a naval man came along and tried to convince us to serve in the Navy. As a professional seafarer you received a generous salary and a bonus when you left the service. They didn’t have to tell the young 22-year-old man twice and that’s how I ended up in the Navy in 1986.”
His ‘tour of duty’ in the Navy was not love at first sight, as the sequel shows.
“In my military service I sailed on small boats in the North Sea, polyester ones,” he adds scornfully. “It was mostly practice on minesweeping during the Cold War; waiting for an enemy that won’t come, I saw no point in that.”
So Boudewijn would have been very close to returning to the merchant navy. Nevertheless, he signed up for another six months.
“With the crew I was sailing with at the time, I was asked to travel to two minehunters in Dubai. At the request of the Americans, they were looking for mines in the Strait of Hormuz and the Persian Gulf that might have been placed by Iran in the war with Iraq. An American frigate had hit one of these mines. Everything we had practiced in the North Sea was suddenly true!”, and his eyes began to sparkle. “For six months I worked as a minehunting officer defusing those spheres with spikes on them, which everyone knows from the cartoons.”
“Deadly dangerous,” he warns. “And with that experience I waved goodbye. I then spent a few years doing completely different things, the searching young fellow I was. But that experience in the Persian Gulf, for me, gave meaning to working in the Navy. In 1991, I started my career as a professional officer in the Navy and went on larger ships and did several missions. And at some point you know what your capabilities are. And the result is sitting here in front of you: an older man as deputy CDS with a lot of operational experience and some administrative sensitivity.”
The two faces of Defence
And with that, he touches on something that fascinates me: the two faces of Defence, the administrative and the operational, the organization in peacetime and on mission. “On the one hand, I know Defence as a large bureaucracy with everything that goes with it: a lot of hierarchy and rigid processes. But while on mission you suddenly see an organization that is very decisive and ‘agile’.”
“I’m glad you recognize that,” responds Boudewijn. “Of course, we are simply a big ministry and we have to abide by all the rules that are in place in the administrative-political domain and also internationally. But when the operational button is pushed, for example during the COVID-19 crisis, the floods in Limburg, a hurricane in Haiti or the international peacekeeping missions, a different defense organization starts running. And the Commander of the Armed Forces, and me next to him, are exactly on that cutting edge. Because we are members of the governing council of the group, but we are also commanders of the military executive organization.”
And with this I create a bridge to defense in the fifth domain. “I recognize that in a Computer Emergency Response Team (CERT). On the one hand, a CERT must be able to respond quickly to cyber-attacks, improvise because every attacker can think of new things, with a lot of mandate from the experts on the ground to make decisions quickly. But on the other hand, you need tight procedures, you need to comply with laws and regulations like the GDPR, and things need to be well documented and accounted for. And at the barracks, which in our case is the SOC (Security Operations Centre), routines have to be built up and practiced to perfection. For that you then also need offensive capabilities, a red team to test the defense, to practice and to be able to deploy a counterattack.”
The offensive evangelist
Boudewijn eagerly responds to this. “If you look at what you have to abide by in the cyber domain, your foundation of action and privacy, then you are operating in an environment that is legally and ethically framed as if it were peace, while there may already be a war going on or coming. The Netherlands is under attack every day. It is of course less visible in the information domain than when green vehicles cross the border, but it does happen.”
“So that’s why you are a member of the Cyber Security Council on behalf of the Ministry of Defence?”, I ask.
“The Cyber Security Council’s establishment decree states that there must be a representative on behalf of Defence on the Council to provide direct advice to the government. It’s a large body with members from the public, private and academic worlds. And I certainly feel comfortable there as a representative of Defence. Not as an expert in the field, but rather, when it comes down to it, to be able to guarantee not only the defensive but especially the offensive capabilities that we also need. As Defence, we assist civil authorities every day, for example during the corona crisis, but also in this domain we assist with our expertise, for example in tracking down cybercriminals. Incidentally, we in the Cyber Security Council have serious concerns about the digital autonomy and resilience of the Netherlands.”
“The resilience of the Netherlands does indeed seem to me to be something where Defence has a role to play, also in this domain,” I can agree. “You assist civil authorities like the police, but do you also see cyber defense as a primary task?”
“Certainly, that is our vision,” he responds resolutely. “The war of tomorrow is different from that of 80 years ago. In Afghanistan we were already dealing with satellites and drones, a combination of old and new technology. You can prevent bloodshed by using a cyberattack to take clout away from the enemy. He cannot get out of the gate, so to speak, or the drones cannot fly out. That is why it is important to also have digital weapons in your arsenal, and in our case that is the Defence Cyber Command, which can be deployed in a crisis.”
The new weapon
In military history, you see similar developments with the emergence of new technology. “Isn’t where we are today in cyber defense similar to the emergence of new technology, like airplanes in the early 20th century? That it takes a lot of time and some conflicts, but the new domain will eventually grow into a full-fledged armed forces component, like the Air Force?”
“There are certainly parallels to developments in the past: the airplane, but also, for example, missiles that allow us to take out the enemy from a great distance. Missile technology has fundamentally changed the whole doctrine of defense. There we also learned that offense is often the best defense. You have offensive capabilities for a ‘pre-emptive strike’ or in cyber to be able to hack back. And if you show the world that you have these offensive capabilities, it also has a deterrent effect. That might be a little harder to show in this domain than with missiles, but still.”
“In cyber security, you shouldn’t touch on attribution (who did it?), especially when it comes to state actors,” I begin cautiously, “but I can’t help feeling that our American allies don’t mind at all that the whole world thinks they were behind Stuxnet (the worm that sabotaged Iranian centrifuges from their nuclear program).”
“Yes, and that deters. But again, you see the immaturity of this discipline. In the maritime domain, we work together with our allies: I have this many ships and you have this many ships and together that makes our standing fleet. You don’t see that in cyber yet, unfortunately. Allies are called upon by NATO to work together to increase our cyber resilience. But it’s not a commitment, it’s a call. And with cyber there is always a sovereignty issue. That prevents some, and ourselves, from really committing to a collective defense. Yet I would strive to join forces in the cyber domain as well. Collective Defense; that’s what we’re set up for and that’s what NATO is for. But in the cyber domain, that still needs a little bit more time.”
A cold war in the fifth domain
In addition to organized crime, we increasingly have to deal with state actors who carry out cyber attacks. There is thus a complex geopolitical dimension to cyber defense. Together we will go down the list of countries that, in addition to the United States, have many capabilities in this domain and are not shy about deploying these capabilities.
First, Russia, which focuses on disrupting the government and defense of potential enemies; for example, it tried to manipulate the U.S. elections and carried out successful attacks on the electricity network in Ukraine. Then China, which, for the time being, focuses primarily on economic espionage. Iran has built up a large cyber army since Stuxnet that is active in attacks on vital infrastructure in the US, and for North Korea it seems mainly a way to bring in hard currency through state-sponsored cybercrime.
“And that list is only going to get longer,” concludes Boudewijn.
“Can you speak of a cold war in the fifth domain?” And I realize that war is a loaded term for a military person.
“The Cold War of yesteryear was not a real war but an opportunity for great conflict. I would venture to say that we have to deal with this in cyber space as well. What happens in the digital domain is less visible. You have to go on the offensive to be able to look inside the enemy. War is indeed a loaded term, but I do see parallels.”
“And then it is naive to assume that we as the Netherlands are not a target,” I respond. “So how should we increase the resilience of the Netherlands?”
Defense in the fifth domain is a public-private collaboration
“We finally have a new cabinet and defence budget, so now the task is to translate the vision and cyber strategy into concrete implementation plans,” he begins. “But of course it’s not just a task for Defence; multiple government agencies like the Ministry of Internal Affairs, Ministry of Justice and the police have an important role to play in this. I envision a kind of executive Security Council that will come from multiple angles and interests to help the cabinet increase our resilience to cyber threats. That would include representatives of the Ministry of Economic Affairs and, of course, the business community. We need to work better together and learn from each other. None of that is primarily the role of Defence, but I’m happy to contribute to it.”
“Cyber defense is a public-private collaboration, I sometimes say,” I continue on this. “Or if your factory is attacked by planes, the Air Force comes to defend. But if you’re dealing with a cyber-attack, you have to do it yourself.”
“There is something in that, but it is a tricky comparison,” he responds. “If a hostile aircraft invades Dutch airspace then we will take action, but in the cyber domain it is more difficult to determine whether the Netherlands is under attack or our sovereignty is being violated and therefore Defence must be deployed. That also makes it complicated to build a unified and powerful defense. We will need each other for that. I have sat in sessions as a soldier and then I sit next to a mayor, KPN, the police, customs. In short, eventually it won’t all fit at one table.”
“Now that’s not necessarily a problem,” I respond. “A distributed network like the one you describe here can be quite resilient in itself. As long as the information in that network can flow freely.”
The free flow of threat information
“And that’s where the current legal frameworks get in our way a bit,” he continues. “We are too limited to operate effectively in the information domain. Even the police aren’t allowed to just browse through social media to see where the next demonstration is going to be. As Boudewijn Boots, I’m allowed to google ‘Roel van Rijsewijk’, but if I do that as deputy CDS then that’s a problem.”
“That’s what you have the MIVD for, right?”, I try.
“They collect intelligence, that’s more strategic,” is his response. “What my units need is information they can act on, what in military terms we call ‘situational awareness’: where is the enemy, how are they moving, what kind of weapons have they brought, etc. In the physical world I can observe that, in the digital world we are too limited in collecting that kind of information.”
I also recognize this distinction in cyber security: there you have strategic threat information, such as who the actors and groups are that threaten me, what their motives are and how they operate. You can call that intelligence. But what you really need is more operational threat information: the so-called Indicators of Compromise (indicators that point to a particular attack), the IP addresses of the attackers, fingerprints of the malware they use, etc. “That’s where I see a lot of room for improvement; how can the public and private parties collect and share this kind of information in an effective and responsible way,” I respond.
“Yes and all parties, including private parties, have to follow the rules in doing so. And there is also room for improvement there: a legal framework that regulates the collection and sharing of this kind of information in an effective way,” he makes his point again.
Defence Cyber Command as our National Red Team
I continue on the offensive weapon of Defence. “If this kind of information is not readily available you can also develop it yourself by simulating attacks and learning from them. In my field we call this ‘red-blue teaming,’ a term that, like so many terms, we borrowed from the military (during the Cold War, the Western allies in exercises were the ‘blue team’ and the group playing the Communists was the ‘red team’). Can’t we learn a lot from the Ministry of Defence in this area?”
“Yes indeed, we are used to thinking like this, working like this and planning like this. Of course, we do nothing but practice and play ‘wargames’,” he agrees. “The Defence Cyber Command is still in development, but that’s where we look at how, in case, you can take certain cyber actions. And you want to test, validate and practice that. We still do that internally, in a closed environment. But you also have to be criticized, you have to have the ‘devil’s advocate’ in your ranks to make sure that your plan is good. So maybe Defence could help you in testing your resilience.”
“So the Defence Cyber Command can start acting as a kind of national Red Team?”, I try.
“I can’t make any commitments here, but I think in this domain you should be able to reinforce each other. To get your defense better, you could red-blue team together. With a ‘practice enemy’ as we call it.”
Regulation and Decisiveness
We get into a conversation about my experiences in working with Defence from a business perspective. Boudewijn would like to see the Ministry of Defence act more decisively in the administrative domain, just as it does on missions. That’s not easy given the sensitive nature of the subject matter, the huge sums of money that are often involved and the magnifying glass under which Defence simply lies.
“We are somewhat over-regulated for understandable reasons and that sometimes gets in our way in the defense domain as well. When it comes to the regulations around, for example, information gathering that we were talking about earlier, it does chafe a bit.”
Defence is not alone in this, I note. “I don’t know if this reassures you, but in business there is a similar tension in cyber security. On the one hand, you have to defend against cyber attacks in a decisive way against an enemy that typically doesn’t play by the rules, but on the other hand, you have to comply with all kinds of strict laws and regulations. Sometimes you see that a lot of time and resources go into compliance with all sorts of regulations on privacy and security, and that is a huge distraction from actually defending against cyber attacks. That people think more in terms of regulations and complying with all kinds of security standards and not in terms of the actual threats and what you have to do to defend yourself against them,” I sigh.
Know your enemy
“That’s the tried-and-true strategy that you have to put yourself in the enemy’s shoes; surely that must appeal to you as an amateur military historian,” he laughs. “We defeated ISIS not by sending square brigades blind into the field, but by providing small, independently operating teams with good intelligence and information and then striking with modern means. That’s how you defeat the enemy, also in the cyber domain.”
For Defence it is a new domain with sometimes other actors fighting with new means, and then it is logical that the laws and regulations are not yet fully adapted to that, we conclude. And Defence is also still developing: what exactly is their task in this domain and how can they best perform it.
“And that’s what the coalition agreement has given us room for, and that’s reflected in the Defence Vision: to keep moving forward and become better at the things we do, certainly also in the new areas of space and cyber. We need the money very badly for that. Because in war, coming in second is equal to losing.”
“That brings me to the final question: in the cyber domain, what are the three most important things you want to accomplish?”
“We spoke extensively about regulation. There definitely needs to be a proper legal framework so that we can collect and use the threat information that allows us to do our job.”
“Second important point is good collaboration in joint defense. So government, industry and science jointly able to face the hybrid threat in the cyber domain.”
“And finally, the maturing of our cyber weapon. The Defence Cyber Command is an indispensable new addition to the tribe to get our mission done. We need to rapidly develop DCC to be able to deploy cyber, with all its quirks, as an effective weapon. It is relatively easy to make an F35 take off, fly and land again. The deployment of the cyber weapon still requires a lot of preparation time; when do we deploy it and how exactly? And that partly goes back to the first point; know your enemy.”
We wrap up the conversation so that Boudewijn can get back to his administrative duties: “Thanks, this was the highlight of my day,” laughs ‘the boy from Brabant who wanted to go to sea’ to himself as we say goodbye. I understand what he means, but now also realize how essential the political-administrative foundation is for a decisive defense in the cyber domain: for a good legal framework for offensive cyber work, to get the resources for the maturing of the cyber weapon and to organize the necessary public-private cooperation. The development and deployment of an offensive cyber weapon by the Netherlands seems like a very good idea if all the collected threat information is then also widely shared and the offensive capabilities are also deployed to test our defenses. I’ll be leaving soon so Boudewijn can get on with this good work for a resilient Netherlands.
About the author
Roel van Rijsewijk is a cyber security consultant and evangelist with over 20 years of experience helping organizations become cyber resilient. He is a keynote speaker and author of ‘Cyberrisico als Kans’ (The Upside of Cyber Risk).