Serious cyber attack hits Belgian military intelligence service
Early 2013, experts of the US Cyber Command helped the Belgian military intelligence service ADIV get on top of a serious cyber attack. In an exclusive interview with the Belgian monthly magazine MO*, general Eddy Testelmans (head of ADIV) sheds some light on the events and on Belgium’s own capability to intercept communications abroad.
According to the Belgian minister of Defense Pieter De Crem, the Belgian Army’s IT systems are regularly under attack by hackers. It is the task of the military intelligence service ADIV (= Algemene Dienst Inlichtingen & Veiligheid / General Service Intelligence & Security) to investigate and respond to these attacks. MO* magazine was informed that at the turn of the year, the ADIV itself became the victim of a serious cyber incident.
Is it correct that the ADIV communications network had to be shut down for a couple of weeks and that the American National Security Agency (NSA) had to intervene? What exactly happened?
Testelmans: The ADIV has a highly secured internal network to exchange classified information. Next to that, we also have a network to exchange non-classified information between employees and to communicate with the outside world. The latter, the QET.be network (QET refers to the ADIV motto “quaero et tego”, I investigate and protect, kc), is linked to the internet.
Every other year, we do a major cleanup of this second network: removing or updating software, adding storage capacity, removing common viruses… Since the end of the year is typically a quiet period, this is when we started the maintenance.
During this process, our technicians identified a piece of software on our network that we had not installed there ourselves. It turned out to be a highly complex virus. We started our own analysis to determine what exactly the malware could do, but it soon became clear that our limited capacity was not sufficient to do the job. And so we turned to the American Army’s Cyber Command, which, like the NSA, is led by general Keith Alexander.
Since the bilateral relationships between Belgium and the United States are very good, it only took a couple of days before we had a team of American specialists join us. They helped us analyse the virus and gave us tips to protect ourselves against similar malware in the future.
What was the purpose of the virus? What damage did it cause to your network?
Testelmans: I cannot disclose that information. Nor can I disclose the origin of the virus.
Was it the work of an individual hacker, a specialized company or the secret service of a foreign state?
Testelmans: Given the high level of complexity of the virus, it is safe to say it was the work of a professional organization.
Are you sure that the American specialists did not install back-doors into your systems during their work?
Testelmans: Yes. The question of who got access to the network was discussed and agreed upon beforehand. Our own specialists were present at all times. There have not been any irregularities.
Does the Belgian Army need the US Cyber Command and the NSA?
Testelmans: In this specific case, we were glad that we could turn to a “bigger brother”.
Why did you ask the American intelligence services for help instead of asking a European partner, the German Bundesamt für Sicherheit in der Informationstechnik (BSI) for example?
Testelmans: We work within the NATO context. And we’ve decided to ask the world’s foremost experts in the field, which happen to be the Cyber Command and the NSA. Relationships with them are very good, open and professional, and work in both directions.
These events by the way show that multinational cooperation is very important in the field of cyber security.
Visiting the NSA
Belgian Defense Minister De Crem informed the Belgian parliament in July that your service, the ADIV, ‘exchanges information with the NSA on topics that are a direct threat to Belgium or its citizens’.
Testelmans: NSA information reaches Belgium through several channels: through the CIA, the FBI and the Defense Intelligence Agency (DIA). When the Belgian army is involved in a joint military operation abroad, the information exchange happens “in the field” with the DIA. If the Belgian territory is concerned though, information is usually exchanged through the CIA.
As for topics like extremism and terrorism, it is obvious that the NSA information is of more use to the State Security (Belgium’s civil intelligence service, abbreviated VSSE, kc), unless it impacts military operations abroad, such as those in Afghanistan.
Do you ever have direct contact with the NSA?
Testelmans: Yes we do. In the SIGINT context (SIGINT is an abbreviation for SIGnals INTelligence, kc), experts meet several times a year to discuss technology and exchange information. Very high tech.
We also have contacts in the field of cyber security, notably with their Central Security Service, which is in charge of securing networks and data.
A couple of weeks ago, I visited Fort Meade, the headquarters of the US Cyber Command and the NSA in Maryland near Washington. It’s a huge complex and they’ve got a massive capacity, far beyond our reach. The Cyber Command has a staff of around 6000 employees there.
What was the purpose of your visit?
Testelmans: I wanted to find out how the United States organizes itself in the cyber security field. How does the department of Defense protect itself? How do they protect critical infrastructure in the country? These are the very topics that we ourselves are also discussing. And rather than reinventing the wheel, it is better to learn from others. Look at how the top dog does it, then translate to your own level and possibilities. For the same reason, I have also visited The Netherlands and Switzerland and we’ve studied the German approach as well.
‘The NSA has prevented three terrorist attacks in Belgium’
Have you met general Keith Alexander, the head of the NSA, while visiting Fort Meade?
Testelmans: I’ve met his “right hand” there. The general himself, I’ve recently met on another occasion.
Did you discuss Prism, the surveillance programme disclosed by Edward Snowden, on those occasions?
Testelmans: Only informally. The general’s “right hand” told me that general Alexander would brief his colleagues about Prism at the appropriate time, to avoid and clear any misunderstandings. Meanwhile this has happened. We’ve received the speaking notes of Alexander when he was questioned in June in the American House of Representatives. We also get regular updates, as they are quite open on the matter. In his speech, Alexander explained how many terrorist attacks have been prevented by the NSA. Not only in the United States, but also in allied countries like Belgium.
Is that information correct? Has the NSA indeed prevented terrorist attacks in Belgium?
Testelmans: Yes. In three cases a potential terrorist attack has been prevented on the basis of NSA information that was forwarded to us through classified channels. If the NSA had not forwarded us that information, we would not have known.
Europe should ask itself whether we Europeans are sufficiently “armed” in the battle against terrorism, transborder crime and the proliferation of weapons of mass destruction.
[Update 6.5.2015: On the basis of a report by the Standing Intelligence Agencies Review Committee, Belgian daily De Tijd reports that the information about three prevented terror attacks is false. Read more about it in the op-ed De waarheid komt uiteindelijk toch bovendrijven (in Dutch)]
Does Belgium, like Germany, have direct access to Prism?
Testelmans: No. We assume that the NSA will take the initiative to inform Belgium when they have information that is of crucial importance.
Does it also work the other way around? Does Belgium give information to the NSA?
Testelmans: That’s how it works: tit for tat. If we have crucial information at our disposal concerning facts that could harm the United States, then we pass it on.
Belgium also intercepts communications abroad
The ADIV does its own bit of SIGINT. Your service also intercepts communications abroad. Who are the targets?
Testelmans: We only intercept communications abroad and coming from abroad. The aim is to support the military operations of the Belgian army abroad.
Our SIGINT activities are under close supervision of the Belgian Standing Intelligence Agencies Review Committee. It regularly checks what we intercept, unannounced. Besides, what we intercept has been approved beforehand by the Belgian Minister of Defense.
Once a year, the Belgian Minister of Defense approves a list of SIGINT targets: countries, organizations, persons and political movements that are relevant for the support of our military operations abroad and of our national interests. The list is directly linked to the intelligence policy plan, which has to be approved annually by the Minister of Defense and is also passed on to the Standing Intelligence Agencies Review Committee. The system is flexible though: if Syria suddenly appears on the radar, there is a quick procedure with the Chief of Defense and the Minister of Defense to adapt the list. It works very well.
What do you mean by ‘relevant in the support of Belgium’s national interests’?
Testelmans: With our SIGINT capabilities, we can support the Belgian State Security, the Federal Prosecutor’s Office and the Federal Police, only abroad of course. For example, it is not because we don’t have an army on the ground in Syria that we are not interested in the events in Syria.
How do you do it? How do you intercept the communications abroad?
Testelmans: Specific SIGINT interception infrastructure is deployed for the targets that concern us. The intercepted communications are processed and then passed on to the relevant services, such as our military forces abroad and allied countries, but also to the Federal Prosecutor’s Office and the State Security. Everybody will understand that I cannot disclose the technology used or where it is located. Our methods need to be secret so that the targets do not get suspicious.
ADIV has approximately 650 employees. How many of those work on SIGINT?
Testelmans: Given the sensitivity of that information, you’ll understand that I cannot disclose it.
Since the approval of the so-called Belgian “BIM Law” in 2010, your service is, like the State Security, allowed to apply special intelligence means, such as intercepting e-mails and tapping telephones. How does this differ from the SIGINT activities that ADIV has been doing for years?
Testelmans: The BIM Law applies to the territory of Belgium itself; the SIGINT activities are aimed abroad.
How does the ADIV cooperate with the EU Satellite Centre in Torrejon near Madrid?
Testelmans: That’s a different story altogether, it’s about imagery: satellite images. It works like Google Earth, but more sophisticated. We are part of the Helios consortium, led by France, with Germany, Greece, Spain and Italy as other members. Belgium has invested money in it, and as a result of that we can claim a certain amount of bandwidth.
And the ADIV then asks for satellite images of…
Testelmans: … for example Goma, Lubumbashi, the situation in Tripoli, certain harbor infrastructures…
Lack of cyber security
Early July, the Belgian cabinet approved the acquisition of a so-called Modern IT System (MIS), totalling about 4 million euros. What purpose will it serve?
Testelmans: It will allow us to make a huge leap in the information processing field (storage, parsing, analysis…). There’s no point in our service having excellent interception means if you can’t process the amount of raw data you intercept. Since the incoming stream is always getting bigger, you need the IT means to handle it.
What was the internal reaction within the ADIV after the Snowden leaks hit the headlines?
Testelmans: There was a certain degree of disbelief. How could such an organization with such enormous means have a leak like that? Imagine such a thing happening to you… The conclusion is that it doesn’t matter how much money you put into the physical protection of your systems and data, and into logging and registration… the individual person is always the essential link in any security system. You can never stop the insider threat, although you can adapt the system. It remains a fact that Edward Snowden, despite his junior rank, had access to a huge amount of data. Same story with Bradley Manning (the American soldier who disclosed information to Wikileaks, kc).
And what was the reaction to the content of the Snowden leaks, to the fact that the NSA runs a worldwide surveillance network?
Testelmans: Reading general Alexander’s speech for the House of Representatives, one realizes that the NSA could do it. But do they? Like in Belgium, there are a lot of checks and balances in the United States on what the NSA is allowed to do. While the NSA is a big organization, I don’t think anybody is capable of intercepting and analysing all communications worldwide, every e-mail, every text message. Having the IT capacity is one thing, but you still need to process all the data, which requires people, and that capacity is limited. According to the NSA, they handle several hundred cases at a time.
During a seminar of the Belgian Intelligence Studies Centre in 2012, the security adviser of Belgian Prime Minister Elio Di Rupo announced the creation of a “Belgian cyber security coordination centre”, which should take off in 2013. How are those plans coming along?
Testelmans: In December 2012, the Belgian government approved a national cyber security strategy, without having the operational part in place though. The question remains who will run it, and who will pay for it. The Prime Minister has tasked the “Board for Information and Security” (a board including general Testelmans; the head of the State Security; and other leading officials of Belgian ministries linked to security, kc) to define the structure from which Belgium will guarantee cyber security, based on the chosen strategy. That Board is now deciding on who is to take the lead. The department of Defense was asked to do this, but I think that BELNIS (the Belgian Network on Information Security, kc) is better placed to take the lead.
One could also ask an external consultancy company to do it. The question remains though: who will pay for what? The price tag is quite significant. In the meantime, the department of Defense has started the development and implementation of its own defense cyber security strategy.
Thank you for the interview.