Diederick Perk of The Holland Bureau looks at what the Dutch intelligence service AIVD is up to with its public relations drive.

Espionage is thought to thrive in organisations steeped in secrecy. The modus operandi of secret agents has since long captured popular imagination, resulting in countless novels and Hollywood movies.
Nonetheless, spy craft is at best a minor share of the information intake of the intelligence agency. Turning raw data into a legitimate intelligence product requires several stages of analysis, and the end result still remains likely to be comfortably ignored or misjudged by policy makers. Ironically, the politicians in cabinet have now moved to put down standards for information security in the business sector and public administration against foreign espionage.
Leaving aside these reports and standards for the moment, the work of countering espionage and surveillance is where the profession becomes a complex configuration of smokescreens and mirrors.
Part of the job for any intelligence agency is to keep its nation’s secrets secret, while at the same time gaining advantages by uncovering their opponent’s classified information. Enter a world where reality is stranger than fiction. A world in which any document may be designed to deceive. A world in which code and cryptography aren’t for fun, but a realistic survival strategy somewhere in between peace and war.
The former paragraph is what a text on espionage could have said during the Cold War. At that time, clandestine intelligence operations were at the forefront of a geopolitical struggle for world hegemony, and would often turn hostile.
Surely, regional animosity will still have its covert component nowadays, potentially even leading to explosive situations, such as between Israel and its regional rivals like Hamas and Iran. Also, It could be argued that drone attacks conducted by the CIA are an extension of Cold War tactics, meaning, targeted killings authorized by the U.S. President. Explosive, yes, but no longer a direct threat of escalation.
The break with the past is then that the game has shifted its focus, and that a creeping demand for vital information comes from all sides, even from your allies. The increased digitalization of key resources, command and control functions, or communication flows allows for a distant, intangible threat to information security. Many of the threat assessments publicised by western intelligence agencies and alike now concentrate on cyber infrastructure and its vulnerabilities.
Simultaneously, observers estimate that 80% of any agency’s intake of information comes from open-source intelligence (OSINT), such as newspapers, journals and otherwise publicly available resources. No hacking skills or secret agents necessary there, save one perhaps, to get a fully functioning translation tool.
Indeed, the capabilities of any given intelligence outfit are generally overrated. The existence of an information overload within such bureaus does not come from frantic shadowing of possible perpetrators, but stems from difficulties in separating facts from fodder. An informed audience would not be led into the illusionary belief that any secret service can be either all-knowing, or free from failure.
Intelligence agencies themselves have become more active participants in the public debate during the 1990s. The Dutch intelligence- and security agency (AIVD) has made a remarkable shift to increasing openness, publishing its first yearly report in 1992, although in some respects still leaving opportunities for informing the public unheeded. Nevertheless, in contrast to the past and to its foreign counterparts, the AIVD has proved to be a frontrunner in its public communications.
We can trust its attempts to be genuine, but does it reap any benefits for its public standing? Unfortunately, no opinion polls have been done on this topic thus far.
Seemingly in contrast to this progression towards greater openness are the joint publications by the AIVD with the home affairs ministry’s security directive: Kwetsbaarheidsanalyse Spionage and Handleiding Kwetsbaarheidsonderzoek Spionage. Both review information security vulnerabilities while urging organisations and private businesses to increase information security.
The fact that foreign intelligence is actively gathering information within the Netherlands, in sectors related to finance, research & technology and public administration, is very commonsensical, to the point that it would be strange if they didn’t make any such attempts. Innovation never really is fully indigenous. Coupled with the stresses of economic downturns and growing domestic unemployment rates, industrial espionage is steadily gaining ground.
The response that the home affairs ministry, and, as of now, the entire cabinet, are requesting does point in interesting directions.
For one, the admittance that its research has found that intricacy and interconnectivity of databases make the sensitive fragments more vulnerable to unwanted clientele (“maakt deze data bestanden ook kwetsbaarder voor inzage door onbevoegden” p. 33) is a boon to privacy activists, such as Bits of Freedom.
In reality the whole report is an attempt to further security awareness in the private sector, but reads in effect like a preventive measure to cover various backsides should things go pear-shaped, like before. Much of the provided information is superfluous, overshadowing the essential criteria that are brought forward. Moreover, when intelligence agencies get into bed with private businesses, liberal democracies shouldn’t refrain from asking a two-fold question: who profits? And who’s accountable?
To their credit, the AIVD report offers methods for corporate security to be improved outside of direct involvement from the agency itself. The ten-step manual has all the qualitative input to analyse and operationalise a robust walling of informational leaks, red teaming included.
Will companies invest in these practices, to the extent of hiring outside experts to vet its processes? Or will the typical company trust in the loyalty of their employees and perceive ‘going that extra mile’ to be applicable only for companies closer to the line of fire than themselves?
That question, and how far this report and the ‘awareness presentations for a targeted audience’ by the AIVD influences a change in daily operations with regard to security practices, must be left open for now, but ought to be reviewed periodically.
A trade-off between allocated budget and full-fledged information security seems inevitable. In a competitive business environment, overseen by the agencies’ undisclosed monitors, and, if possible, an informed public, a proper balance between security and openness can be struck.