Following a spate of high-profile cyberattacks on Dutch websites and services, the Netherlands is looking to give its police new tools to track down cybercriminals. Key among them? The power to investigate and take over any suspect's computer – even if it is not located in the Netherlands.
Last week, Dutch Minister for Security and Justice Ivo Opstelten proposed a new law that would allow law-enforcement officials to search suspects' computers – or even seize control of or disable them – even if these computers are outside of the Netherlands' territory.
“The existing legislation is out of date,” the ministry wrote in a press release. Mr. Opstelten said the police need broader powers to disable botnets – collections of "zombie computers" from all over the world that are being used by cybercriminals to send spam or overload websites. Ordinary citizens might be part of a botnet without noticing anything other than their computers are running slower than normal.
A key difference with cybercrime, as opposed to the regular variety, is the sense that a criminal's physical presence is no longer necessary, explains Troels Oerting, head of the European Cybercrime Centre in The Hague. The center supports the police forces of the European Union's 27 member states.
“We are so used to the geographical link,” says Mr. Oerting. “The perpetrators always had to be there. There will be a robber, a murderer, a drug dealer in the country. And if he escapes, we'll find him and extradite him.” But a cybercriminal, he notes, might be operating from a remote country or a failed state where he cannot be found by local police forces.
A pressing concern
Although Dutch police had been asking for broader powers in cyberspace for more than a year, the general public only recently became aware of the problems when the Netherlands came under a severe digital attack. Last month, several banks like ING and Rabobank, companies like KLM, and the governmental system for digital identification DigiD, suffered distributed denial-of-service (DDoS) attacks. DDoS attacks make a website unavailable by bombarding it with so many data requests that it becomes unable to respond.
Due to the attacks, many people were unable to pay digitally or access their accounts, sometimes for hours on end. Prospective students who wanted to enroll were unable to use DigiD for several days, as were other people who wanted to access government websites like the tax office with the digital passport.
The attacks were particularly concerning because the Dutch are one of the frontrunners in digital communication and using online services. Last year, 80 percent of Dutch citizens arranged their bank affairs online. Of the 27 EU member states, only Finland has a slightly higher percentage, at 82. The EU average is 40 percent, according to Eurostat.
As for overall Internet access, Eurostat places the Netherlands as highest in the EU: 94 percent of its citizens are online, compared to the European average of 76.
So are the Dutch too dependent on the Internet? No, says Michel van Eeten, a cybersecurity expert at the University of Delft. “You would only answer yes to that question if the Internet gave us more damage than benefit. And it doesn't. Nobody is forcing us to do online banking on our mobile phones. The fact that many people vote with their feet, shows trust is high.”
Going too far?
But Mr. van Eeten says he has “mixed feelings” about the government's plan, which has been sent to several government organizations with requests for advice before it can be legislated further.
“In itself, it presents a straightforward argument. The procedure to get help from local police [in the territory where the cybercriminal is operating from] can sometimes be very time-consuming”, he says.
“But in practice it means that the police will take over computers of people who have nothing to do with cyber attacks," van Eeten warns. "Snooping around in innocent people's computers in other countries, that's far-reaching. I'm not against law enforcement entering other computers, but there have to be procedures that guarantee honest use and accountability.”
Also, he adds that it's a myth that most cyberattacks are carried out through servers in faraway places. “You'd think that cybercriminals only use computers in China or Russia, but in practice it's been proved that they use many servers in the West.” He notes that last month's attacks in the Netherlands “originated mostly from the West.” And a suspect in a large cyberattack on the antispam organization Spamhaus was recently arrested in Spain, another EU member.
And even countries with a bad reputation when it comes to allowing cybercrime, like Russia, have agreements with the Netherlands regarding legal assistance procedures. Van Eeten adds, “The Russian will not be amused with this proposal, which would allow Dutch police to violate Russia's sovereignty.”
The Dutch lobby organization Bits of Freedom, which advocates online civil rights, is against the plan because the methods are “a breach of privacy,” says Tim Toornvliet, spokesperson of the organization. Also, he thinks if the law is passed, it will give other countries the legitimization to also start cross-border hacking.
Van Eeten also warns of the precedent the law might set. “This law would legitimize any state using national security as an excuse for digital trespassing," he says. "The Netherlands will no longer have the right to lecture China on digital trespassing, because China's reason is also protection of national security.”