The Threat Is Approaching from All Sides Now

According to investigative journalist Huib Modderkolk, the Belgian and Dutch governments are taking nowhere near enough protective measures against digital hacking and sabotage. How do we avoid all of our systems going down?

The Dutch journalist Huib Modderkolk, who writes for a number of broadsheet newspapers, has spent over five years delving into the world of cyber-attacks and hacking by private individuals (often lonely young men), by criminals, by criminals on behalf of governments, and by governments themselves (police and security services). In his book There Is A War Going On But No One Can See It, Modderkolk sketches a fascinating portrait of all these characters, and of their common techniques for hacking and sabotaging, or for detecting hacks and sabotage.

But according to Modderkolk, there is far too little 'protection against hacks and sabotage', such that scandals and disasters continue to happen – including in the Netherlands and Belgium. Modderkolk calls this “the problem of the many hands”. At a policy level, everyone is pumping money into digital development, but no one is investing the same amount of money into securing that digital infrastructure – everyone just hopes that "others” will.

Modderkolk's book was published at a time when the European legislator obliged all countries to pump money into security. A European law from 2016 (The NIS Directive) obliges member states to protect network and information systems deemed 'essential for social or economic activities or public safety'. These systems must also be alarmed and potential security incidents must be reported.

Three years later, we are seeing the first results. In Belgium since July 2019, electricity companies, airlines, financial institutions, hospitals, and other 'providers of essential services in our country' are obliged to report any incident with a (potentially) significant impact on their network or information systems to authorities such as the Centre for Cybersecurity (CBB) and the Computer Security Incident Response Team (CSIRT). A similar arrangement has recently been introduced in the Netherlands as well as other neighboring countries - demonstrating how useful the European Union is to our small societies, which tend to sweep problems under the carpet rather than take them seriously.

How do we avoid all of our systems going down?

Chapter eleven of Modderkolk's book, however, casts serious doubts on the catch-up that has been set in motion by Europe. All the attention is paid to network and information systems that are deemed 'essential for social or economic activities or public safety'. But what is considered essential in a connected or joined-up society?

Modderkolk’s eleventh chapter looks at the computer systems shutdown of a Rotterdam-based container transhipment company (Maersk) in June 2017. Maersk was one of the dozens of companies worldwide that was hit by a so-called ransomware attack. The company had ensured metal gates and security cameras surrounded their shipping containers, but had forgotten to invest in computer security.

Text appeared on Maersk's computer screens demanding 300 dollars in bitcoin, but even payment didn’t help. The result: no computer traffic, a traffic jam of ships in front of the Port of Rotterdam, and monster traffic jams of empty trucks that had nowhere to go because container transport in Rotterdam had come to a standstill. The damage was significant with rotting fruit in containers serving as the most notable detail.

But what exactly is non-essential in our digital world and how do we avoid all of our systems being devasted by non-essential sloths (such as Maersk)? Are we ready to live without electricity, water and hospitals, telephones, computers, planes, and money after yet another digital attack?

Modderkolk is tough on Mark Rutte, who fails to invest enough money in security

According to Modderkolk, much more needs to be done, and because of this, he is tough on Dutch Prime Minister Mark Rutte, who fails to invest enough money in security. Is Belgium doing any better? Modderkolk's discussion of the hack of the Belgian telecommunications company Belgacom in 2013 by British and American secret services (chapter six, 'A Many-Headed Snake') leaves no doubt: Belgium too is lagging behind. It was only in late 2018 that a report from the Belgian federal prosecutor's office confirmed the facts – facts that had already been brought to light thanks to people like Modderkolk and Edward Snowden.

Modderkolk gives many other examples of governments that have no control over digital vulnerabilities within our society. With this, he emphasizes that these vulnerabilities are relished by every security service in the world, who exploit them in order to spy and sabotage. The book makes it crystal clear that, for example, the Dutch security service AIVD is one of the frontrunners in the world of what Modderkolk calls a digital arms race. 'The threat is coming from all sides now. Chinese, Iranians, Americans, Russians, British: they all spy. They steal information and use it to influence societies. […] Everybody is at it.'

Modderkolk's attitude towards the Dutch security services should also be viewed in that light. Digital skirmishes take place daily, and these services - which are by no means innocent - must therefore be given extensive powers to be able to engage in battle and attack (which is sometimes the best form of defence). He goes on to discuss the spring 2018 Dutch referendum, which posed that exact question: should the Dutch security services be given more digital powers? Modderkolk doesn’t delve too deep here. He doesn’t consider it the task of a journalist to take a position here, but as an “expert” he can’t help but notice that citizens have paid too little attention to the truly dangerous powers in the proposals, such as hacking carried out by security services. They have paid too much attention to less important things, such as the discussion about so-called dragnet surveillance, where security services tap online communication on a large scale, including that of non-suspect citizens.

The Dutch security service is one of the frontrunners in the world of the digital arms race

Two things stick with me after reading this book. Firstly, Modderkolk’s flashy style – he can write incredibly excitingly! The opening story about the hacked Dutch internet company DigiNotar is very technical, but Modderkolk has written it in such a way that it reads like a gripping thriller, which urgently needs to be made into a film. The story has so many layers that there are always new denouements to follow. Even a somewhat predictable story about a lonely Dutch boy who turns out to be the dangerous hacker behind an attack on the Dutch telecommunications company KPN (chapter four, 'Code Red’), is a page-turner thanks to Modderkolk's writing style.

Secondly, the book also reads like a long reflection on what in-depth journalism is. Huib Modderkolk has changed while writing this book. He has become more suspicious and has adopted the behaviour of the very people he is researching - the hackers and the world of intelligence and security. A router in his house that suspiciously slows down on his first foray into that world (“am I being spied on?”) continues to occupy him and serves as an anecdote to conclude the book.

Those last pages also contain many thoughtful words about a journalist's duty to expose sources in a world that thrives on secrecy. There is also a nice section on the question of whether Modderkolk's book – which exposes so many shady practices of the Dutch security services – has perhaps in fact become a propaganda book for those same services, by bringing us closer to their worldview and actions.

In a recent report, the Netherlands Scientific Council for Government Policy (WRR) – which contains in it a striking number of examples of cyber incidents that we also find in There Is A War Going On But No One Can See It - argues for 'clearly delineated legal authority for digital auxiliary forces'. Citizens are told that they had better have some cash ready at home and a paper inventory of their medicines, just in case the electronic patient records network goes down. So, it really is a bit of a war.

Huib Modderkolk, There Is A War Going On But No One Can See It, Bloomsbury Publishing, London, 2021, 288 pages.