The challenges of military adaptation to the cyber domain: a case study of the Netherlands

ABSTRACT Whilst NATO speaks increasingly publicly about the military use of cyber operations, adaptation to the cyber domain has reportedly been challenging for most militaries. Little research has sought to understand the nature of these challenges. This study seeks to address this gap through a case study of the Netherlands. By utilizing a range of primary and secondary sources, this article reveals that the Dutch Defense Cyber Command has faced significant constraints in its adaptation to the cyber domain, primarily due to issues related to organizational structure, operational mandate, and the availability of skills and resources. A cyber command that lacks regular opportunities for day-to-day operations and where personnel may not have continuous learning opportunities to acquire and refine their skills will encounter difficulties in recruiting, training, and retaining a proficient workforce. These findings highlight the tendency of observers to mistakenly equate the mere establishment of a cyber command with the existence of a robust military cyber capability – namely, the ability to effectively carry out and sustain a range of cyber operations for tactical or strategic purposes.

The establishment of military cyber commands has become increasingly prevalent among NATO countries. By 2018, there were 61 countries worldwide with active-duty military organizations (often referred to as 'cyber forces' in this context) possessing the capability and authority to conduct cyberspace operations, influencing diplomatic and military interactions. 1 Among them, 23 were NATO members. This represents a significant surge compared to 2007 when only ten countries, including three NATO nations, had military cyber forces. Additionally, numerous countries have expressed their willingness to contribute sovereign cyber effects to NATO missions if the need arises.
However, it is important to exercise caution when assessing the extent of this advancement. While the establishment of cyber commands is widespread, many NATO-allied militaries have encountered challenges in adapting to the complexities of the cyber domain. Only a few NATO allies have been recognized for conducting cyber effect operations, which involve disruptive, denying, degrading, and potentially destructive actions. 2 Several states continue to grapple with the integration of cyber operations into their strategic outlook and legal framework. Notably, scholars Matthias Schulze and Sven Herpig highlight Germany's efforts to build offensive cyber capabilities without a clearly defined strategic purpose, reflecting a recurring problem in German national security policy. 3 Despite the significance of developing a military cyber capacity, there has been a dearth of research dedicated to examining the challenges associated with this endeavor. Gaining a deeper understanding of these challenges is important, however, as it directly impacts our understanding of the militarization of cyberspace and shapes the trajectory of cyber conflict in the future.
The lack of critical attention towards understanding the challenges of developing a military cyber capacity can be attributed to two potential reasons. Firstly, scholarly research has primarily focused on studying the United States and a limited set of other prominent actors, such as Russia, China, North Korea, and Iran, who are extensively engaged in cyberspace activities. Not as much attention is paid to less active militaries. Secondly, investigating the military adaptation of states to the cyber domain necessitates delving into the internal workings of these states, which presents inherent difficulties due to the sensitive nature of such information. This requirement to 'open the black box' and gain insights into internal processes often poses significant challenges.
This study helps to address this gap through an exploratory case study of the Dutch Defence Cyber Command (DCC), established in June 2015. 4 Exploratory case studies as a qualitative method are useful as a form of analysis in fields where data collection is challenging and there is no single set of (predetermined) outcomes. 5 For this case study, I rely on various publicly available sources, such as reports of parliamentary debates, official government statements and publications, the academic literature, and media reports. I complement these sources with my own anonymized interview data with key individuals from the intelligence services, defence forces, private sector, think tanks and academia, and non-anonymized interview data from existing research and journalistic reporting.
The analysis of the case study highlights the challenges faced by the Dutch Defense Cyber Command (DCC) in developing an operational capacity. These challenges stem from the interaction between its strategic outlook, operational mandate, and the availability of skills and resources. As Rosen points out, '[a]lmost every government bureaucracy has a function it executes on a day-to-day basis. Military organizations, in contrast, exist in order to fight a foreign enemy, and do not execute this function every day. Most of the time, the countries they serve are at peace. Military organizations plan and prepare for war, but they do not fight'. 6 Similarly, the Dutch cyber command operates with a wartime mission and does not engage in day-to-day combat. However, its ability to effectively plan and prepare for war during peacetime is limited. One of the key challenges arises from the fact that the DCC lacks a mandate to conduct reconnaissance, making it difficult to identify potential targets and adequately prepare operations well in advance.
Moreover, the case study underscores the interplay between strategy development and the development of cyber capabilities. At its core, building a cyber capability hinges on the skills and knowledge of individuals involved. The strategic approach adopted by countries has profound implications for their capacity to cultivate a skilled and capable cyber force. A cyber command that lacks regular opportunities for day-to-day operations and where personnel may not have continuous learning opportunities to acquire and refine their skills will encounter difficulties in recruiting, training, and retaining a proficient workforce.
These findings indicate that there is a tendency among observers to mistakenly equate the mere establishment of a cyber command with the presence of a robust military cyber capability. In reality, a meaningful military cyber capability refers to the ability to effectively execute and sustain a range of cyber operations that serve tactical or strategic purposes. This misconception often leads to exaggerated media reports regarding advancements in cyber warfare, highlighting the need for caution when referencing indices that measure states' cyber power. Moreover, the results of this study underscore the limited extent to which allies are adopting the proactive approach of US Cyber Command in cyberspace, commonly referred to as persistent engagement. 7 This article is outlined as follows. The next section puts the DCC's establishment in historical context and provides a budget overview of the organization. Section two subsequently discusses the strategic role of the DCC. In Section three, I then look at the organizational and legal mandate of the military command vis-à-vis the intelligence agencies. Section four brings the insights from the previous sections together to show the challenges for the DCC to develop a capability considering its limited (peacetime) mandate. The final section summarizes the main arguments and discusses the several implications of this study.

A modern military force on the cheap
In 2012, the Dutch Ministry of Defence established a 'Taskforce Cyber' with the objective of strengthening the digital capabilities of the Ministry. As a result, the Defence Cyber Command (DCC) was established in June 2015. 8 Initially, the DCC was organizationally situated within the Royal Netherlands Army. However, in July 2018, it was elevated to a command component directly reporting to the Chief of Defence of the Armed Forces.
During a period characterized by a significant decline in Dutch defense spending, the institutional establishment and development of the Defense Cyber Command (DCC) unfolded. The Dutch government had been steadily reducing the defense budget since the early 1990s, 9 resulting in a critical juncture in 2013-2014 when the budget reached an unprecedented low. At that time, the Netherlands allocated just slightly above one percent of its gross national product towards defense expenditure. 10 However, despite the downsizing of the military forces, there was still room for investment in cyber operations. 11 In fact, this investment can be viewed as a significant factor since the relatively modest allocation of resources towards cyber operations allowed the Dutch government to showcase the modernization of their armed forces during a period marked by extensive austerity measures and reductions in the defense budget. A letter dated 8 April 2011, from the Dutch Minister of Defence to the House of Representatives effectively captures this sentiment. 12 The opening statement of the letter reads as follows: 'The state of the national budget forces the government to take drastic measures. The Ministry of Defence is not exempt from this and is faced with the tough task of structurally cutting € 635 million within the next few years, approximately 9% of the part of the defence budget that can be affected'. 13 The letter then continuous providing a long list of required budget cuts for the armed forces. But, the Minister of Defence notes '[a] military that does not prepare for the future is vulnerable. That is why it is important to create room for intensifications and innovation in the coming years'. 14 For this reason, the Minister further writes 'Cyber is for the military a weapon system in development. To ensure the deployability of the Dutch armed forces and to increase its effectiveness, Defence will strengthen its digital resilience in the coming years and develop the capacity to carry out cyber operations'. 15 Figure 1 provides the budget overview of the cyber command and taskforce 'cyber'. 16 The presented data illustrates that the annual expenditure of the DCC on the development of their cyber force has not exceeded 25 million euros, with particularly limited structural investments. While drawing definitive conclusions solely based on budget figures is challenging, the available data implies that the Dutch cyber command lacks the necessary resources to sustain a comprehensive range of complex operations. However, it is plausible that the DCC could potentially carry out smaller-scale cyber effect operations effectively, given efficient resource allocation. The allocated budget for personnel should be adequate for recruiting and retaining skilled operators, developers, analysts, and other essential personnel. 17 Furthermore, a shift in the perception of the necessary resources and level of sophistication for operations has occurred. Initially, earlier reports, such as the 2012 defense cyber strategy, emphasized the requirement for complex operations. However, DCC officials have subsequently highlighted the potential effectiveness of less advanced activities that can still achieve the desired objectives. This change in perspective acknowledges the value of more streamlined approaches in accomplishing the mission. As brigadier-general Paul Ducheine notes after the cyber command was launched, '[the DCC commander] does for sure have a toolbox with cyber weapons. However, it does not necessarily have to be an advanced, tailor-made tool à la Stuxnet. With a standard DDoS you can also shut down a website. Sometimes a bow and arrow can be enough'. 18

Operating during conflict and beyond?
The primary role of the DCC has consistently been to offer military assistance to other forces during times of armed conflict. The initial Defense Cyber Strategy, released in 2012, asserts that it is imperative for the Defense organization to possess adequate knowledge and capabilities to engage in offensive operations in cyberspace. This capability is crucial not only for mounting a robust defense but also for supporting military operations effectively. The strategy emphasizes the need to develop sophisticated and technologically advanced assets, methodologies, and expertise that are specifically designed to enhance the military capability of the Netherlands. 19 The strategy furthermore states that "[a] cyber attack on an air defence system may thus increase the effectiveness of an air attack while reducing the risk of collateral damage. An offensive cyber capability can be a force multiplier and thus increase the armed forces' effectiveness. By developing a robust cyber capability, the Netherlands can play an important role within NATO in this respect". 20 In 2015, the Dutch Ministry of Defence published their second strategy. It followed the same line of thinking about the need to 'strengthen the use of cyber in military missions'. 21 The concept of employing cyber operations as a valuable asset during armed conflict was reiterated frequently in media interviews with military commanders. This highlights the recognition and emphasis placed on the strategic significance of cyber operations in the context of military engagements. For example, general Hans Folmer, the first Commander of the Dutch cyber command rhetorically asks a news reporter: 'Why would you throw a bomb on a power plant if it can also be disabled with a computer attack? This damage is temporary and therefore the population suffers much less'. 22 The publication of the third cyber defense strategy in 2018 reaffirms the significant role of cyber operations as an integral component of military operational planning. According to the strategy 'The digital aspect is considered at an early stage of the planning phase of each (potential) mission. This is expressed in (military) advice and analyzes by the Operations Directorate and in subsequent (operations) plans'. 23 To this extent, the Dutch government is one of the first countries that has signed on to offer their 'sovereign cyber effect' to the NATO alliance if the need arises. 24 A notable shift in the latest strategy is its increased emphasis on the role of deterrence. 25 According to the 2018 Cyber Defence Strategy: 'The operational capabilities of the Defence cyber command contribute to the total arsenal of deterrent means available to the government. Deterrence makes the Netherlands less attractive as a target for (cyber) attacks and is therefore above all a tool for conflict prevention'. 26 As stated by one of the principal authors of the strategy, 'Good deterrence is about visible, credible and offensive capacity. Defence in itself is not a deterrent. It is not without reason that there are military parades on the Red Square or the Champs-Élysées. Something like that should also be done in the field of cyber '. 27 This implies that the Dutch government's approach to cybersecurity deviates from the emerging perspectives in the United States regarding the role of US Cyber Command. In 2018, the US Cyber Command unveiled its vision of Persistent Engagement, along with the Department of Defense's introduction of the Defend Forward strategy. 28 Jason Healey described the release of these documents as the most significant expression of cyber policy in the last two decades. 29 The US Cyber Command vision offers 'a roadmap for USCYBERCOM to achieve and maintain superiority in cyberspace as we direct, synchronize, and coordinate cyberspace planning and operations to defend and advance national interests in collaboration with domestic and foreign partners'. 30 The vision emphasizes continual and persistent engagement against malicious cyberspace actors. According to Fischerkeller and Harknett, 'persistent engagement recognizes that cyberspace's structural feature of interconnectedness and its core condition of constant contact creates a strategic necessity to operate continuously in cyberspace'. 31 Cyber Command's transition towards persistent engagement stems from an alternative perception of the threat landscape. Departing from the conventional notion that cyber operations primarily involve tactical espionage, subversion, or sporadic instances of theft and crime, this perspective recognizes these operations as significant tools within the realm of great power competition. By linking a series of cyber operations below the threshold of an armed attack, cohesive campaigns can yield strategic outcomes of strategic importance. 32 The Dutch government increasingly recognizes the strategic importance of below the threshold activity. 33 The 2018 Defense Strategy also states: 'State actors and criminal groups are operating less and less cautiously in the digital domain. Cyber attacks and incidents are the order of the day. They can no longer be seen as stand-alone, isolated incidents. More and more often these are interrelated incidents, which together form a campaign of state actors and their proxies, intended to undermine the economic revenue model, the vital infrastructure, the military capabilities or the democratic order of countries'. 34 Furthermore, there is a recognition that deterring this specific form of activity presents inherent difficulties. Nevertheless, the government shows reluctance in embracing the approach employed by the United States, which entails granting the DCC a more proactive role in persistently disrupting adversarial behavior in cyberspace. 35

Organizational and legal mandate
An effective operation in cyberspace hinges on having superior knowledge of your adversary's networks. While it is sometimes assumed that cyber activity occurs instantaneously, the truth is that cyber operations require time. As these operations must be customized to the specific computer systems and networks involved, advanced actors often invest significant time in establishing the foundation for future attacks, a process known as operational preparation of the environment (OPE). 36 Hence, if the DCC would like to generate 'effects' in conflicts, it has to anticipate this well in advance to ensure it has the right level of access to the systems it would like to target. However, the DCC lacks the authority to carry out such preparatory activities. Instead, this authority rests with the Dutch intelligence services, which are organizationally distinct from the DCC. 37 While the Dutch Defense Cyber Command (DCC) operates within the jurisdiction of the Armed Forces, the Military Intelligence and Security Service (MIVD) operates under the purview of the Secretary-General. This distinction has implications for the working methodology and legal framework of the DCC. 38 The Dutch armed forces operate under the authority and guidance of the Chief of Defence (Commandant der Strijdkrachten), as specified by Article 97 of the Dutch constitution. 39 The deployment of military assets within the Netherlands necessitates a decision by the government. Alternatively, a more discreet process can be followed through the Article 100 procedure, whereby the Ministerial Core Group Special Operations (Ministeriële Kerngroep voor Speciale Operaties) assumes responsibility for making deployment decisions. 40 The mandate of the MIVD is derived from the Intelligence and Security Services Act (Wet op de Inlichtingen en Veiligheidsdiensten, WIV). 41 The Chief of Defense does not possess authority over the MIVD. In cases where it is deemed necessary for national security, the MIVD may engage in hacking activities targeting systems or networks. However, DCC is prohibited from gathering information during times of peace. 42 This authority lies with the MIVD.
In 2014, the MIVD collaborated with the civilian General Intelligence and Security Service (AIVD) to create the Joint SIGINT Cyber Unit (JSCU) as part of the collaborative initiative known as 'Project Symbolon'. 43 The JSCU is responsible for conducting cyber operations involving signals interception and intelligence collection, as mentioned earlier. It was also the unit that successfully infiltrated the computer networks of Russian hacker group(s) in mid-2014. However, it is important to note that carrying out specific effects on target systems falls within the jurisdiction of the Ministry of Defence and is not covered by the provisions of the Intelligence and Security Services Act. 44 The organizational structure and mandates in place create challenges for the operations of the DCC. As Pijpers notes, 'in principle, the roles and tasks are clear, but the problem lies in the preparation. How will the DCC ever fulfill its role (cyber [operations] during armed conflict) if it is not allowed to do anything in peacetime?' 45 Transferring relevant access from the intelligence services to the DCC is not a straightforward process. As highlighted by two anonymous employees from the MIVD, explicit information regarding access positions, such as login credentials and command-and-control server (C2 server) operations, is often only effective when combined with extensive implicit knowledge about the target and its environment. 46

The strategy-capability linkage: recruiting, training, and retaining talent
The preceding discussion unveils that the establishment of the Dutch cyber command primarily aimed at conducting operations during wartime. However, the DCC is not permitted to carry out cyber effects or even engage in reconnaissance during peacetime. This absence of a peacetime mission and operational activity consequently hampers their capacity to cultivate an effective cyber force. 47 The fundamental aspect in building a military cyber force lies not in the acquisition of material resources, but in the recruitment, training, and retention of skilled individuals. 48 One often hears that a compelling aspect of working at a cyber command, which attracts capable personnel, is the opportunity to engage in activities that are typically prohibited in the private sector. 49 However, due to the limitations imposed on the DCC, this notion is hardly applicable. Moreover, it becomes challenging to cultivate and enhance skills among personnel if the cyber command operators are prohibited from engaging in actual operations. As Boekholt-O'Sullivan also states "The young and highly motivated cyber experts within the DCC are having problems with the current mandate and its legal framework. Lawyers are blocking the cyber experts' imagination, improvisation, and creativity which are necessary for future cyber scenarios". 50 In order to facilitate the development of its workforce, the DCC has pursued three approaches. Firstly, it has established a cyber range and actively participates in cyber exercises. In 2016, Thales constructed a cybersecurity training and testing facility, known as a 'cyber range', specifically for the DCC's use. 51 As general Folmer, then commander of the DCC notes, 'It is a facility at which many forms of cyber operations can be simulated. This is essential for training our staff and testing our systems'. 52 The Dutch DCC officers (together with personnel from other departments such as the CERT) are also participating in international cyber security exercises. The largest international cyber defence exercise offering 'the most complex technical live-fire challenge in the world' is Locked Shields, organized by the NATO Cooperative Cyber Defence Centre of Excellence. 53 The Dutch participated for the first time in 2013. During the exercise, defending 'blue' teams had to defend a pre-built network consisting of roughly 35 virtual machines against the attacking 'red' teams. 54 In 2014 and 2015, the Dutch participated with a combined team together with Germany (the first multinational team to join the exercise in history). 55 In the years that followed, the Dutch has always participated with at least one blue team. 56 Second, the DCC decided early on to rely on reservists: these are civilian cyber specialists the cyber command can call upon in case they require their assistance. 57 In 2016, the DCC had appointed thirteen cyber reservists, while another ten people were going through the appointment procedure. 58 In November 2018, the number of reservists had increased to 30, but was still far below the initial target of 150. 59 The Ministry of Defense therefore set up a pilot project to recruit more cyber reserves in late 2018. 60 The government regularly organized 'matching days' throughout the year to identify potential cyber reservists who would be suitable for the role. Unlike other military personnel, these candidates could be exempted from certain physical and medical requirements. By October 2019, the number of reservists had reached 72, indicating an increase in their ranks. 61 Furthermore, there are an additional 48 aspiring cyber reservists who have been selected, with nine of them undergoing a modified procedure that exempts them from the usual physical tests required to join the armed forces. These individuals are currently awaiting their official appointments. 62 Third, the Dutch government has established joint cyber mission teams. The joint cyber mission teams, as the name suggests, are mission-focused and consist of operators from both the cyber command and the JSCU. The 2018 cyber strategy explains the rationale behind these teams: 'With a view to making military capability possible in the cyber domain, in-depth knowledge about vulnerabilities in the systems of potential opponents must be acquired at an early stage. By virtue of its constitutional tasks, the MIVD supports the DCC with intelligence that is necessary for effective military deployment in the cyber domain. The knowledge and skills necessary for intelligence operations and military operations in the cyber domain are similar. Following the example given by other countries, cyber mission teams will therefore be formed from MIVD personnel and personnel from the armed forces. The designated personnel will operate within the regulatory framework of the Intelligence and Security Services Act. When the armed forces are deployed, they will be placed under the command of the Chief of Defence within the relevant mandate'. 63

Conclusion
An increasing number of NATO members have established military cyber commands to address the challenges of the cyber domain. This study focused on the Netherlands as a case study to highlight the key challenges faced by militaries in establishing their cyber warfighting structures. The analysis revealed that the Dutch Defence Cyber Command encounters a range of interconnected challenges, impeding the development of an operational capacity. These challenges include strategic outlook and organizational mandates that restrict the organization's ability to execute operations efficiently, hinder organizational and individual learning, and pose difficulties in talent retention.
The capacity of cyber commands to recruit, train, and retain skilled individuals is likely to vary based on their specific mandate. When comparing similar factors, a cyber command that focuses on deterring adversarial activity and operates exclusively within adversary networks during wartime will face greater challenges in maintaining the skills and knowledge of their cyber warriors. It becomes more difficult for such a command to ensure continuous development and up-to-date expertise.
The Dutch cyber command, as an exploratory case study, has outlined three options to reduce the (negative) linkages between strategy development and capability generation. This thus leads to a set of questions for further research: how effective are each of these policies? An early assessment suggests that there are significant limits to each policy. Firstly, cyber exercises can only provide a partial simulation of real cyber operations, making it challenging for cyber commands to establish comprehensive standard operating procedures based solely on these activities. 64 Secondly, while input from the private sector is valuable, it introduces additional complexities and obstacles of its own. 65 Effective defense or offense in cyberspace necessitates a deep understanding of the target system. This renders a 'plug and play' approach with reserves less than ideal. 66 Additionally, national security clearances pose a challenge. The thorough screening of reservists to ensure their compatibility with the intelligence services and their integration into DCC teams is both time-consuming and costly. 67 Ultimately, the cyber mission teams emerge as the most hopeful initiative, although the Dutch Ministry of Defense did not deem it necessary to test the concept through the Article 100 procedure during missions in Mali or Iraq. However, as Boeke points out, even if cyber mission teams are deployed, it would only result in a DCC with restricted capabilities for minor interventions -a sort of miniature cyber staffing agency. In reality, the majority of expertise remains within the JSCU. 68