Collaboration the common thread at NBIP NEXT 2023

NBIP NEXT, NBIP’s annual event where participants, stakeholders and interested parties come together to learn with and from each other, took place for the second time on 21 November 2023. Below you can read a summary of the event.

Current developments

Octavia de Weerdt, director of NBIP, introduced the afternoon by briefly reflecting on 2023 and current developments within NBIP. The focus was on cooperation with participants and partners in the industry and government.

The importance and value of cooperation are also increasingly recognised abroad. For example, NaWas has been available for some time in the Benelux countries, the UK, Germany, Austria, Switzerland, Italy and the Nordics. In Germany, NaWas has been placed on the preferred list of the Bundesamt fur Sicherheit in der Informationstechnik (BSI). The BSI is the equivalent of the Dutch National Cyber Security Centre (NCSC). NaWas is now the only non-profit DDoS mitigation solution available in Germany and has been listed as a “Qualifizierter DDoS-Mitigation-Dienstleister”.

Another reason why cooperation is becoming increasingly important is the fact that from the EU comes more and more laws and regulations making it necessary to act. As a service provider, you have to start demonstrating that you are compliant with those laws and regulations. This is partly to stop the increasing intensity of abuse. Hosters in particular face additional effort obligations and, depending on the size of the company, additional measures to prevent abuse

Clean networks

do this effectively, it is important to know whether abuse occurs in the network and how it can be mitigated. To this end, NBIP runs the Clean Networks Platform, for which the first proof of concept was launched in 2018-2019. Through this Platform, participants receive reports on abuse in their network and action perspectives, prioritised based on urgency and impact. Organisations connected to the Platform subscribe to a code of conduct and become holders of a certificate demonstrating their active efforts to detect and combat vulnerabilities and abusive activities within their network. Thanks to the Platform, they have a concrete solution to compliance issues and can present themselves in their market as ‘good hoster’. Now that the Platform has proven its usefulness in the Netherlands, the intention is to roll it out in Europe as well.

Second point-of-presence NaWas scrubbing centre in Denmark

An important milestone was the opening of a second point-of-presence of the NaWas in Denmark, Simon Kuhn, Head of Engineering of the NaWas, told us. This offers benefits to all NaWas participants. For instance, capacity has been increased and the NaWas is more resilient. It is therefore possible to connect even more participants, which ultimately ensures that costs remain manageable for all participants. This expansion also makes it possible to further develop NaWas to keep pace with the threat landscape. There are also some additional services in the pipeline, such as DDoS Detection as a Service and a Web Application Firewall (WAF). As soon as there is news about these, we will report it via this website and elsewhere.

Lawful intercept and lawful disclosure

NBIP once originated as a service for ISPs to handle lawful interception and disclosure requests of public authorities that are authorised to do so. There are now more than 100 participants in what is called the ‘tap service’ and that number is growing steadily. Currently, the service is being further automated and additional intelligence is being built in. Again, this is not possible without partners like EVE Compliancy Solutions.

Mark Lastdrager, CEO of EVE, dwelt on the developments in the field of Lawful Interception (LI) and Lawful Disclosure (LD) during NBIP NEXT. Whereas LI involves tapping live communication (whatever form it takes), LD involves requisitioning retained information. In the Netherlands, public communication service providers are obliged to cooperate in this under Section 13 of the Telecommunications Act.

Mark also considered Mobile Virtual Network Operators (MVNOs), which are increasingly running their own network and buying only the radio access from a Mobile Network Operator. This means that they are themselves responsible for complying with the obligations arising from Section 13 of the Telecommunications Act, and thus must have the knowledge and resources to carry out tapping operations.

New obligations and compliance

We touched on it briefly, but there is a lot coming at providers when it comes to laws and regulations. NIS2, eEvidence, anti-abuse obligations and other laws and regulations: hosters, ISPs and public communication service providers will have to comply with existing and new regulations. This in itself is not a bad thing, as it helps to identify and manage risks and increase the resilience of systems and networks.

There are, however, a lot of small organisations that have to deal with these regulations, but do not have or cannot free up the knowledge and resources to be compliant. This, as Michiel Steltman of Stichting Digitale Infrastructuur Nederland (DINL), among others, explained during NBIP NEXT, was also taken into account when the legislation was drafted. But that does not alter the fact that service providers do have obligations to comply with. Where necessary and possible, the obvious thing to do here too is to organise a sectoral approach.

E-evidence regulation implementation

How such a thing could take shape in practical terms was explained by Erik Planken, senior policy advisor at the Law Enforcement and Crime Directorate of the Ministry of Justice & Security. During his presentation, he addressed the implementation of the European e-Evidence legislation.

In a nutshell, this law regulates making it easier to quickly access digital evidence during investigative investigations. Such evidence is increasingly important in investigations, but is held by private parties that may be spread across several countries. Police and the judiciary are only allowed to directly request this kind of evidence within their own national borders, but depend on mutual legal assistance requests in other countries to do so. This can take quite some time – outside Europe sometimes many months. This is not conducive to investigations and, ultimately, to law enforcement.

In short, there is a need for a standardised way to request digital evidence within Europe, whereby this evidence can be delivered smoothly. The e-Evidence regulation allows EU member states to make direct and binding claims to a service provider in another member state.

The EU is developing a system that will be made available to EU countries to facilitate this data exchange. NBIP is one of the experts participating in the European-level talks on this system. Its years of experience with the Tap Service provides fertile ground for these talks. As soon as more is known about this, we will share more information here. From the first quarter of 2026, companies covered by the legislation will have to start complying with it. They will have to designate a branch or representative who will handle claims from then on.

The role of the National Digital Infrastructure Inspection (RDI)

In the Netherlands, the RDI is (among other things) responsible for monitoring telecommunications and IT networks and ensuring their security and reliability. One of the things the RDI inspects is compliance with the Telecommunications Data Security Decree (Bbgt), which is designed to ensure that there is no unauthorised access to LI data.

The Bbgt therefore sets requirements for the security of requisitions and requests from police or security services and the information provided by providers based on the requisition or a request. These include, for example, a security plan, retention periods and confidentiality. Organisations faced with tap obligations must be able to demonstrate that they have described processes for this, that these are complied with and that these are also technically arranged according to the requirements. During an inspection by the RDI, for example, they will be asked about a security plan, logical access security and physical security.

It is explicitly the RDI’s approach to work together with the sector to achieve a compliant way of working at every organisation dealing with wiretapping claims. But it is also seen that it is quite a burden for many smaller parties to arrange this properly. It may be advisable for them to have tap claims handled by a third party: the Bbgt explicitly allows for this.

Capture the red flags – the importance of cooperation in combating illegitimate online activities

Andrew Silonero, policy advisor High Tech Investigations at the Dutch Prosecutor’s Office (OM), spoke about the issues surrounding illegality on Dutch servers at hosters. These include images of child sexual abuse, illegal content and the use of servers for ransomware attacks or phishing. Most hosters do not want to facilitate this kind of activity at all, but they do not know that their network is being abused for this purpose. The OM also sees that cooperation in this area can be more rewarding than cracking down, especially since the hoster itself often does not wilfully facilitate cybercriminals.

This is why the Public Prosecutor’s Office has developed a game in cooperation with some industry parties to promote cooperation to combat abuse: capture the red flag. The aim of this game is to practice how abuse and illegality can be spotted and fought by acting together. This takes place during an interactive afternoon in groups comprising both hosting parties and the Public Prosecution Service. In this way, participants gain an understanding of each other’s methods and approach and it becomes possible to fight online trouble much more effectively.