On January 8, 2024, the newspaper de Volkskrant published an article by Huib Modderkolk about findings related to the Stuxnet operation in Iran in 2007. In essence, the Stuxnet operation involved a digital attack on the infrastructure of an Iranian nuclear program. According to the article, a Dutch AIVD (the Dutch General Intelligence and Security Service) agent played a significant role in this operation. Following the publication of Modderkolk's article, a debate arose regarding the extent to which Dutch intelligence and security services were aware of this operation and whether they had adequately informed the responsible ministers or parliament about it. Some suspicion towards the services is quickly realized in such narratives, especially considering the secretive nature of their operations. However, this portrayal requires some nuance. Oversight of our services is comprehensive and legally grounded. Wouter Scherpenisse, PhD candidate in the field of cybersecurity at Erasmus School of Law, shares his insights on this matter.
Stuxnet
Modderkolk's article reveals that the Iranian infrastructure around the nuclear program was compromised using a digital 'virus.' More specifically, centrifuges necessary for enriching uranium were rendered unusable through malicious software (malware). The Stuxnet malware, orchestrated by intelligence agencies - the article mentions the CIA and Mossad - was strategically introduced into the digital systems of the nuclear complex. This caused certain valves of the centrifuges to close at the wrong moment, leading to accumulating gas and repeatedly damaging the centrifuges. An estimated thousand centrifuges were destroyed, causing a delay of several years in the Iranian nuclear program.
Furthermore, Modderkolk's article describes that a Dutch AIVD agent likely planted the malware in the Iranian complex's digital systems. Scherpenisse explains: "An 'AIVD agent,' according to the Intelligence and Security Services Act (Wiv 2017 in Dutch), is a natural person who performs certain tasks under the instruction of the AIVD. This can involve collecting intelligence that the services may find challenging to obtain or performing specific actions. The latter could also include the actions described in the article of de Volkskrant during the Stuxnet operation. However, this is an assumption from which the presumption follows that the AIVD actively participated in the operation, which cannot be stated with certainty."
Permission and oversight
"Firstly, it is important to note for completeness that the current Intelligence and Security Services Act of 2017 (Wiv 2017) is more specific and comprehensive than the version that was in effect during the operation in Iran. For instance, the Investigatory Powers Commission (in Dutch, the TIB) did not exist then. The additional safeguards of the current law, of course, do not negate the absence of any evidence of unlawful actions by the services in 2007 concerning the legislation in force at that time," says the researcher.
If the AIVD played an active, instructive role in the Stuxnet operation, it could be expected that permission would be obtained at the ministerial level. Scherpenisse states, "Especially since significant (political) risks are associated with the decisions that may have been taken. The Statement of Explanation of the then-existing and current laws describes it as 'evident' that the minister participates in decision-making in such risky cases." This requirement for permission also applies to deploying agents before they take certain measures. In addition to ministers, parliament can also be informed confidentially by ministers and service heads. "There is a special parliamentary committee (CIVD), also known as the 'Commissie Stiekem'," Scherpenisse adds.
In addition to political involvement in such operations, the current law provides an additional system of assessment and oversight. The researcher explains, "If the responsible minister grants permission to use certain extensive powers, the TIB assesses the legality of the granted permission. It is worth noting that this assessment probably would not have taken place in the described case, considering the relevant powers and, of course, apart from the fact that the TIB did not exist at that time. Subsequently, the Oversight Committee for the Intelligence and Security Services (CTIVD) monitors the services during and after the exercise of their tasks. The CTIVD has access to the buildings, can inspect the systems of the services, and is authorized to interview employees."
The fact that politicians and independent oversight bodies can be informed about the services' actions does not mean that this information can subsequently be leaked to journalists. Scherpenisse emphasizes, "Leaking of state secrets is, after all, a criminal offence."
Nuance on current affairs
The notion seems to be circulating that the intelligence services appeared to operate independently without involving the political sphere, whereas they should have done so. "That is a problematic perception, and I believe it is unnecessarily damaging to the trust in our services if this perception is not adjusted," notes the researcher. However, the article of de Volkskrant contains more nuance than that. It suggests that the AIVD agent himself may not have known that he was planting the virus on Iranian systems. It is also unclear to what extent his superiors within the AIVD were aware of the operation.
Scherpenisse comments on involving politics in the operation: "If we assume that the AIVD was not or not fully aware of the operation, then it would not have been reasonably possible to inform the political top. If the top was aware, it is highly unlikely that they did not have contact with the responsible ministers." As explained, ministers are frequently involved in the decision-making of the services, especially in sensitive operations with potential geopolitical consequences. Scherpenisse continues: "It is also conceivable that ministers in the CIVD seek political support beforehand or are held accountable afterwards for such delicate operations. Additionally, the watchdog (CTIVD) could monitor the services live and inform the ministers unsolicited about such operations if the services failed to do so themselves. The idea that the services operated independently, not explicitly suggested in the article of de Volkskrant, is hopefully adjusted with this perspective."
- PhD student
- More information
Read the full article of de Volkskrant.