Ministerie van Justitie

Speech by NCTb, Erik Akerboom at the World Congress on Information Technology (WCIT), 25 May 2010, Amsterdam

Breaking Down the Walls: public-private partnerships in counterterrorism

Good afternoon, ladies and gentlemen. I am honoured to be speaking to such a distinguished audience of IT experts, business leaders and policymakers.

IT has changed our politics, our business and our social lives. It has changed our very culture. My children will never fully understand what a life-changing influence the internet has been on our society. Because they have never known life without it. Six-year-old children who can barely read now google for information, use digital blackboards at school and use PowerPoint to give class presentations. IT has become an integral part of our lives and so it has also become an essential part of my business, which is counterterrorism.

All the wonderful opportunities that IT offers us are also available to terrorists and other criminals. Imagine, for example, that the daughter of a politician under police protection takes a smartphone photo of the family pet and puts it online. Metadata on that photo can give away the politician’s location. We need to know what IT can do so that we can use it to our advantage and take measures against misuse.

My organisation is working constantly to use IT to the full and balance the opportunities and threats that come with it. So I am very familiar with the theme of this conference: Challenges of Change.

We know that we can’t do this alone. IT expertise and R&D are the domain of the private sector. The government does not have a complete picture of all the threats and opportunities. At the same time, recent research shows that in the Netherlands, 83% of business activities depend heavily on IT.

The previous speaker offered a great insight into the way terrorists use the internet. May I share with you the results of a study performed by my office. And on a more positive note I will also share some of the innovative ways in which we are using IT for counterterrorism – or CT ­– purposes. Finally, and most importantly, I want to touch on how we can join forces to minimise the terrorist threat and seize the opportunities that IT can offer society. That's my personal challenge for change.

Threats
Make no mistake: no matter how diverse the backgrounds and motives of terrorists may be, they are still criminals and murderers. The study I mentioned focuses specifically on how jihadists use the internet. The study was first published in 2006 and was updated recently in order to track the development of the threat. I can report that there has been no substantial change in the threat posed by this group.

Even back in 2006, the researchers concluded that jihadists were making significant use of the internet: for propaganda, recruiting,  planning, financing, communication and training.

But mostly it’s being used for propaganda purposes. Take Anwar al-Awlaki, the prominent US-born internet ideologue. He preaches in English using interactive websites and email. He inspired both the Fort Hood gunman and the detroit bomber.

The updated study adds that small-scale attacks against or via the internet by jihadists are a possibility. Large-scale attacks, however,  are still unlikely. The two main factors here are capability and intent. To perform a large-scale internet attack you would need the kind of expert computer skills that we have not yet seen in jihadist circles. Nor have we seen any serious intent in this area. However, we have also found that the internet’s vulnerabilities have increased in the same period. And that more and more people are discovering them. What’s more, both tests and real incidents have shown how these weaknesses can be exploited. So it is possible that over time jihadists will develop both the capability and intent required. Or even that other types of terrorists will. Even small-scale attacks could have a serious impact in vital sectors and create major social disruption. The IT systems we rely on for controlling processes in the vital sectors (also known as SCADA systems) are vulnerable to disruption or takeover by outside elements.

As I have said, it is not only jihadists who use the internet for terrorist purposes. Single-issue extremists and terrorists are internet savvy too. Al-Qaida seems committed to bomb attacks and has a fairly closed network which might make it harder to develop new skill sets. But single-issue extremists may have organisational structures that are more open to learning ‘new’ skills, such as how to launch cyber attacks.

You may think that terrorist or extremist attacks only happen to others, but it’s useful to understand what the risks are for your company. For example, we’ve seen that companies and employees involved in building a detention centre for asylum seekers have been placed on ‘name and shame’ websites. The same goes for suppliers to cosmetic or medical companies involved in animal testing. The entire supply chain is a target. Perhaps an IT firm like yours could be the next victim.

All in all, there is good reason to make sure that we are always anticipating new weak spots and responding accordingly. To do this successfully it is vital that both government and business learn to be more open about the risks involved and work together in countering them.

Public-private partnerships
New trends in IT are having a great impact on counterterrorism. At the same time, the patterns for generating new knowledge are changing too. More flexible cross-border and cross-cultural R&D networks are arising and replacing traditional innovation systems.

Having worked for many years in the police and intelligence communities, I know how unaccustomed we are to these new ‘informal’ structures. We deal with sensitive information and we find it hard to trust people outside our organisations. And, in my dealings with CEOs I have noticed that there is lack of trust in government. Business leaders are only too willing to help develop CT tools and improve overall security. But they also fear that government will over-regulate if companies are too open about their vulnerabilities.

None of us is perfect. Counterterrorism organisations have access to a lot of data, scanning tools and lists of suspected terrorists. And yet someone still managed to take explosives on a flight to Detroit last Christmas – and he was on such a list. More data is not always a good thing. On the other hand, I continue to be surprised by the leaks and weaknesses that exist in hard and software. How is that possible? Aren’t there ways to make better software that doesn’t need as much patching? Maybe you can explain how it could be done! Secure software would be a real breakthrough for SCADA systems. I believe that if CT and IT experts would trust each other more and share more insights into threats and vulnerabilities – as well as ways of countering them – we would all benefit.

Opportunities
Trust can grow, only if we first get to know and understand each other. There are already some initiatives in which government bodies like mine, the NCTb, are working with IT companies. To make the most of what IT can offer, we need a greater understanding of what it can do to support all aspects of counterterrorism.

Counterterrorism aims to prevent, protect, detect and pursue. Intelligence and information are essential in each of these areas. IT can play a crucial role. As I said earlier, simply obtaining more data is not always helpful. We need smarter, faster and more efficient search and analysis tools. And we want to encourage innovative techniques to achieve this.

My office runs a programme on fingerprinting and digital recognition techniques in which we work closely with IT companies. We’re looking for tools that can improve object recognition, the detection of suspicious behaviour, video fingerprinting techniques and the use of hashing.

Trusted community
In these projects we’re learning that innovation comes from the bottom up, so a top-down government steering model is bound to fail. We need to understand each other’s interests, which sometimes might conflict. If government, NGOs and the business community want to benefit from cooperation, they need to work together at a more strategic level.

We cannot afford to waste resources, particularly in times of economic difficulty. Companies need to know that the technologies they develop can actually be used effectively by governments. Or at least that they facilitate or promote the use of other technologies. Governments owe it to taxpayers to use research budgets efficiently and show common sense when buying IT applications.

A productive exchange of views between innovative researchers, software developers, entrepreneurs and counterterrorism experts will help us understand the risks that come with technological progress and the opportunities that IT can offer CT.

I just had a meeting with CT coordinators from various countries and international organisations, plus the CEOs of several IT multinationals. We all share the same sense of urgency and have agreed to set up an ‘IT for CT Trusted Community’. I’m delighted that Privacy International has agreed to take part in discussions on human rights and privacy issues to ensure that our approach is both balanced and proportional.

Everyone involved has an interest in IT security. Our goal is that out of this trusted community will emerge a new, potentially richer agenda for the study of CT and information technology, and also a better mutual understanding and a trust-based environment in which we can share expertise. We have decided to hold the first meeting on this project in the autumn. It is high time that we broke down some walls.

And in the interests of striking the first blow, I want to share our perception of the threat that comes from terrorists’ use of the internet. You may remember the study of jihadists and the internet that I mentioned at the beginning of my speech. There are hard copies available in this room and you are welcome to help yourself, but it can also be downloaded from our website.

Thank you.