Computer and security company Fox-IT was established in 1999. Soon afterwards the Dutch government became a major customer for the Delft-based company. Fox-IT also plays a role in the national security. Among other things, the company provides security for Dutch state secrets, like the minutes of ministerial meetings, and is contracted by the National Police and the Foreign, Defence and Justice Departments.
The relationship between the government and Fox-IT became a topic of discussion in 2014, when the Delft-based company was taken over by the British NCC Group. Both in parliament (House of Commons) and the media questions were raised about the risks of Dutch state secrets ending up in foreign hands. However, even though questions were raised at the time, they were never really answered. Furthermore, the matter remains whether it doesn’t leave the Dutch government too dependent on the Delft-based company.
In recent years Buro Jansen & Janssen has tried through FOIA requests to uncover some information about the relationship between the Dutch government and Fox-IT. It’s not an easy process because of the long procedures, a lack of government transparancy and active obstruction from the part of Fox-IT to keep the information hidden. For example, Fox-IT advises the Ministry of Economic Affairs not to disclose certain information because it ‘could damage the interests of the State, clients, partners, relations and employees of Fox-IT and Fox-IT itself disproportionately’. The ministry sticks to Fox-IT’s suggestions.
In this research Buro Jansen en Janssen tries to map the ties between the Dutch goverment and Fox-IT. It’s a close relationship. There are personal connections and direct lines between the government and the company.
Fox-IT is commissioned to do various jobs. Besides the maintenance and security of the digital infrastructure of ministries and other government departments, the company also plays a significant role in national security.
The exceptional position Fox-IT has managed to establish for itself is also quite remarkable. Not only does it take an active role in the response to FOIA requests and which information the government discloses about the company, the company also has negotiated an exemption regarding corporate liability in the General Terms and Conditions of State for government tenders.
Decent people, ex Department of Justice
The close ties between Fox-IT and the Dutch government can’t be viewed separately from their personal connections. The two company founders, Ronald Prins and Menno van der Marel, have known each other since the 90s when they both worked at the judicial laboratory of the Department of Justice, a precursor to the NFI (Dutch Forensic Institute).
Department head of computer research at the forensic laboratory, and Prins and van der Marel’s boss in the 90s, Hans Henseler, would also go on to join Fox-IT years later (in 2010). As Fox-IT’s managing director Prins presents himself as the Netherlands’ cyber security expert. It’s not just the government that consults Prins, he’s also a regular guest in talkshows and current affairs programmes.
The links between the government and the company aren’t limited to the NFI, they also involve the AIVD (General Intelligence and Security Agency). For a short period in 1998-1999, Prins also worked at the BVD (Domestic Security Agency), the AIVD’s predecessor. After the sale of Fox-IT to the British NCC Group in 2014 Prins initially stays on as director, but in 2018 he returns to the civil service. He’s appointed a member of the TIB (Review committee Deployment Competences), the committee that oversees the Dutch Intelligence services.
Fox-IT’s current director, Inge Bryan, who joined Fox-IT at the start of 2021, also has an AIVD background. After which she became responsible for the National Police’s High Tech Crime Team (THTC) and from 2018 onwards she was cyber security Director at Deloitte Risk Advisory Netherlands.
Just like Fox-IT, Deloitte is also active in vital infrastructure security, including the government’s. The two companies are also both partners in The Hague Security Delta, a collaboration initiative in the field of IT and data security. One of the founders and treasurer of the initiative was Ronald Prins, while Inge Bryan had a seat on its advisory board.
In an interview with MTsprout of April 15, 2014, Prins states the government is the Delft-based company’s biggest client. Forty per cent of the company’s revenue is said to have come from the government. He believes two factors helped to forge relations between Fox-IT and the government. First of all, there are the obvious personal ties to the NFI. Even after 1999 employees of the NFI regularly moved to the Delft-based company and vice versa.
Secondly, Prins mentions the take over of Philips Crypto in 2003, a Philips branch that focused on the development of cryptographic products. “That meant we suddenly had the people and the technology to protect state secrets,” according to Prins.
He also said the company had no competition from other companies. “Regarding the competition in the high end segment, we still have nothing to worry about in the Netherlands,” said Prins. Fox-IT even received preferential treatment from the government due to a lack of tendering procedures.
“We hardly have to deal with tendering procedures, the government approached us directly. They still do. That’s because it’s very hard to start another Fox-IT in the Netherlands. You just try and find the hackers who can compete with us. We already got the best Europe has to offer,” according to then director Prins in 2014.
Prins is not the only one to comment on the strong bonds between Fox-IT and the government. Ton Fintelman, security authority (BVA) at the Ministry of Justice and Alfons Lammerts van Bueren, senior policy advisor at the Department of Penitentiary Institutions, summarize the relationship between the government and the company in the Fox-IT newsletter of May 2006 as follows: “Fox-IT is regarded as a reliable and capable partner, under the motto ‘decent people, ex Department of Justice’.” On top of which, Fintelman remarks “to be very glad about Fox-IT’s take over of Philips’ unique crypto technology in 2003.”
The close ties with the Dutch government combined with the knowledge of Philips Crypto have opened doors for the Delft-based company. Not just with the government, but also with companies like T-Mobile and umbrella organisations like the NVB (Dutch Society of Banks). In the MTsprout interview Prins claims Fox-IT delivers everything from “secure calling, fighting computer viruses, detecting hacks, authentication, tracing child pornography to the encryption of state secrets.”
The solid ties to the Dutch government will no doubt also have boosted the company’s international growth. From 2006 onwards Fox-IT becomes increasingly internationally active. Mainly aimed at Europe, the Middle East, Russia and India.
Fox-IT, established government supplier
Fox-IT is commissioned by the Dutch government for the most varying jobs. Among other things, they’re concerned with maintainance and security of the digital infrastructure of ministries.
From documents published under FOIA requests, it’s clear the Ministry of Economic Affairs assigned Fox-IT a wide variety of jobs in the period from 2008 to 2013. The company is asked to submit a quotation for the ‘testing of software and hardware for the auctioning of frequency space 2.6 GHz‘ in October 2008. It’s not clear whether any other companies were approached. Fox-IT gets the job.
In February 2010 the company gets a commission from Agentschap Telecom, part of the ministry, and in June of the same year the Delft-based company trains employees in ‘police investigation on the Internet’. The job is privately tendered. It’s not clear from the FOIA documents why the Ministry didn’t opt for a public tender.
In the following years Fox-IT also receives several jobs from the Ministry of Economic Affairs. In March 2011 for a security audit, in August and November 2011 for projects concerning ‘Audit auction site 2012’ and in the fall of 2012 for ‘project ER – Kestrel‘ as well as a training for employees.
On April 5, 2013 the Ministry of Economic Affairs and Fox-IT sign a confirmation order for unspecified ‘services, supplemental services, further investigation and miscelleaneous services’. Later that same month a request for a quotation for a pen test (a test to determine the vulnerability of computer systems) follows, followed by commisions for the project: ‘FoxCERT –Blue Lagoon‘ in May and June of 2013. FoxCERT is the company department that deals with security incidents, ‘Emergency Response & Investigations Service’.
The list is incomplete. Much like other government institutions the ministry hasn’t published all documents, which is clear from the inventory list that’s attached to the FOIA reply.
Fox-IT is mainly hired by the Ministry of Economic Affairs for maintainance work concerning the ministry’s digital structure. This is also true for other ministries and government departments. Though in most cases the co-operation goes much further.
Over the years Fox-IT has become an increasingly important player in national security, for which it works together with several different government departments. Ton Fintelman of the Justice Department already talks about the co-operation between the prosecution and Fox-IT in May 2006, which even entails the department ‘outsourcing detective work to Fox-IT’.
This close working relationship between the government and the Delft-based company in national security matters isn’t exclusively revealed in the Justice Department, it’s also clear from the development of the relationship between Fox-IT and the National Police.
External Police unit
Fox-IT has been working with the Dutch police since the start of the century. It’s obvious the ties with the NFI played an important role in the development of the relationship. Then director Ronald Prins commented on this in MTsprout of April 2014: “What also worked in our favour was the fact we already established warm bonds with the police through our work for the NFI. Where, among other things, we assisted in the forensic research of Etienne Urka during our start up years. We also provided security for police team laptops a number of times.”
Co-operation between police and Fox-IT started modestly in September 2001 when Fox-IT was present at the Politievak, a trade fair for police and security. In the following years the company becomes involved in confidential police information, interception and eventually detective work. In 2003 Fox-IT Group receives a POB (Private Investigation Agency) number from the Justice Department: POB 824. Private security firms or detective agencies have to apply for such a permit.
In June 2004 the company writes in its newsletter ‘Fox-IT Nieuws’ about its Forensic IT department: “Fox-IT’s forensic department has grown into a fully private investigative branch, in which special attention will always be given to digital traces, while traditional investigative tasks won’t be forgotten.”
The relationship between Fox-IT and the police moves onto the next level in September 2005. The Delft-based company supplies a system with which police information can be unlocked securely nation-wide. “Fox-IT has linked the relevant police registers for all police regions, the national CID and the special police services for this purpose,” according to Fox-IT in its newsletter of December 2005. The company said that “particularly high security demands were set for this link, seeing as it involves highly confidential information, some of it provided by police informants.”
It’s a small step for the company from having secured information provided by police informants to gathering information themselves. Fox-IT takes this step in 2010. “The Dutch police have recently purchased FoxReplay Analyst”, writes the company in its newsletter in November 2010. FoxReplay is interception equipment to analyse internet traffic, whether or not in ‘real time’. According to the company the police already has software in use and agents are being trained in its use.
Then director Ronald Prins said in an interview in MTsprout on April 15, 2014: “The choice of developing tapping software was a very good one. One day an acquaintance came knocking on my door with the idea and we just went ahead and did it. It has delivered us a lot of revenue.”
After the Dutch police purchased FoxReplay in 2010, Fox-IT played a part in dismantling the so-called Bredolab network that same year. It was said that millions of computers in the whole world were infected with malware from this network of computer servers in the Netherlands.
In co-operation with the national police’s THTC (Team High Tech Crime, the NFI, Govcert (Dutch government’s computer support network), the public prosecutor’s office and hosting provider Leaseweb, Fox-IT cut off 143 computer servers from internet access. According to reports in the media Fox-IT played a major part in the operation.
Though some researchers question the success of the collaboration. Michel van Eeten, professor of public administration at the TU Delft’s faculty of Technology, Administration & Management claims in Computable on November 2, 2010 that “the Bredolab network was never dismantled“.
According to the scientist even though it was true that ‘on Monday October 25th the servers, on which the command and control software of the botnet ran, were switched off” it didn’t stop “the network bots from staying active”. Van Eeten goes even further to state that “the KLPD has exaggerated the number of machines infected by the bot network by a factor of ten”.
Successful or not, it does solidify Fox-IT’s position in the realm of investigative work. Only a year later, in 2011, the company leads an investigation into a hack at the company DigiNotar. DigiNotar gives out digital certificates that should offer guarantee of origin. Among its clients are the Inland Revenue, but also companies like Google and Microsoft.
Fox-IT is hired by DigiNotar to investigate the hack. It’s remarkable DigiNotar chooses to hire a private company like Fox-IT and they don’t turn to the police (THTC) or the NCSC (National Cyber Security Centre), which resides under the NCTV (National Co-ordinator Terrorism and Security) and acts like a national emergency response service in the Netherlands.
State Secrets Incorporated: Fox Crypto Inc.
The take over of part of Philips Crypto in 2003 is an important step in Fox-IT’s development. It opens doors to the Dutch government, specifically concerning national security issues. The Delft-based company itself announces as much during the take over.
In its press release of November 6, 2003 titled “Fox-IT now also providing state secret security” the company claims to have entered the market for ‘protecting state secrets‘ and to have started developing products for ‘securing storage and communication of state secrets‘.
This increases the Dutch government’s dependence on Fox-IT. According to the company itself “the Ministry of Defence and the Foreign office particularly use this type of advanced cryptographic solutions“.
It concerns, for example, the protection of the minutes of cabinet meetings and – in co-operation with Swedish company Sectra – the security of phones for members of the cabinet and high-level civil servants.
The co-operation with Sectra has everything to do with the take over of Philips Crypto, for which the Delft-based company signs a deal with the Swedes in 2003. In its fifth newsletter of October 2003 Fox-IT writes: “Fox-IT has signed a unique agreement with Swedish company Sectra. This company was the only one in the world capable of developing a GSM approved by NATO up to the level of NATO Secret.”
Fox-IT also elaborates in the article how this agreement will benefit them commercially: “Sectra’s latest innovation is a separate bluetooth crypto module. With this small device and an ordinary mobile telephone that supports bluetooth you will be able to hold conversations that no-one can tap into.” Fox-IT will be selling the bluetooth crypto module.
The company creates an independent company to deal with work pertaining to state secrets: Fox Crypto Inc. This company remains 100% fully owned by Fox-IT.
Some years later, in late 2007, Fox-IT starts providing secure telephones, in co-operation with Sectra, to cabinet members and high-level civil servants. Website electrospaces.net remarks on the partnership: “The partnership between Fox-IT for the management and Sectra as the supplier of the hardware was established in 2007 by the VECOM (Safe Communication) contract. Under this contract all Dutch cabinet members and high-level officials of their departments are provided with secure phones.”
An analysis of a photo of PM Rutte’s phones from 2012 by the same website indicates the use of a Sectra Tiger XS Office. After the deal with Sectra, in 2003 Fox-IT already advertised the Tiger XS on its website. Nearly ten years later the Dutch PM still uses the phone from the Fox-IT advert.
Hack tests for the Foreign Office
The take over of Philips Crypto and the deal with Sectra IT in 2003 give Fox-IT a unique position regarding the Dutch government, specifically in matters of national security. Fox-IT already mentioned in its press release for the take over of Fox Crypto in 2003 that “particularly the ministries of Defence and Foreign Affairs were users of this sort of advanced cryptographic solutions”.
The Delft-based company is frequently commissioned by the Foreign Office over the years. One of these jobs is to perform smartphone hack tests for the ministry. On March 5, 2009 Fox-IT accepts the ‘Commission to Hack test Iphone’. The ministry requires Fox-IT to: “This Iphone needs to be hack tested. This hack test should specifically focus on the DME (Dynamic Mobile Exchange).” In June 2010 the Foreign Office requests a “re-test DME Iphone“.
A year later, at the end of 2011, it’s the BlackBerry’s turn. “At the moment the user has very little freedom to make use of the Blackberry device’s functionalities. The ministry aims to change the situation by switching to Blackberry Balance; Balance provides the option to separate ‘private’ and ‘professional’ matters on its device. More concretely this means that a BlackBerry device will have a ‘container’ on it with Foreign Office Outlook information”, according to a Foreign Office employee.
Their work for the Foreign Office, however, entails more than just communication security. Fox-IT is frequently commissioned to do jobs concerning the entire digital infrastructure, such as encryption, security, investigating systems and data recovery.
On September 8, 2010 the support contract between the ministry and Fox-IT changes from “the old support contract to the ‘strippenkaart’ contract”, as shown in published documents. (a strippenkaart is a former Dutch public transport card whereby you bought a paper strip of 15 spaces at once, which were stamped when used). Included in the contract change are, amongst other things “the ‘Support Fox Fort File Encryptor (FFFE)’ and ‘Support Fox Random Card (FRC)’, which will be switched to phone support in case of … problems. Repairs and reloading of the cards will also fall under the strippenkaart contract, as well as data retrieval from defective hard drives and support for the annual key change’.
On top of the encryption work the ministry also requests Fox-IT to investigate ‘Remote Access Services’ in 2011. The ministry wants the security of the Citrix Access Gateway investigated. In 2012 the Foreign Office wants the security of all internet access investigated: “The standard IT services consist of the following generic services: Email, office IT package, intranet, internet at the Workspace, network storage capacity, other standard applications, print facilities, back up and recovery of saved data.”
The relationship between the Foreign Office and Fox-IT is such that the ministry also turns to the Delft-based company for their acquisition and workshops. In 2013 the AIVD’s (Dutch Intelligence services) NBV (National Bureau for Communication Security), which supports the national government in matters of securing special information like state secrets, can’t deliver any Fort Fox File Encryptor (FFFE) cards. The ministry decides to make a hasty purchase of 150 FFFE Cards from Fox-IT directly.
The same thing happens with counter espionage and information security. Also in 2013 Fox-IT is commissioned to assess the ministry with regards to vulnerability to spying, ‘Assessment Spying vulnerability’ and to give a workshop on information security.
Secret and confidential Defence business
Apart from the Foreign Office, in its press release of 2003 Fox-IT also mentions the Ministry of Defence as a potential user of their cryptographic products. This ministry also commissions the Delft-based company for several jobs from 2006 onwards. Defence, however, doesn’t disclose which type of work it concerns. Much in the documents has been rendered illegible, some of it marked as classified, some as confidential.
What does become clear from the FOIA documents is that Fox-IT has many dealings with the MIVD (Military Intelligence). In connection to its responsibilities concerning the security of Dutch state secrets, Fox-IT is required to take several additional measures, like tightened screening, extra security and incident reports for the MIVD.
For example, the MIVD’s department head of Counter Intelligence and Security is responsible for the screening and appointment of security officials at Fox-IT and Fox Crypto Inc. There’s frequent contact between the director of the Delft-based company and the MIVD, such as this in July 2007: “As I’ve understood talks have taken place on July 18, 2007 between you and … to discuss the hand over and introduce … . During this conversation no objections were raised from either party regarding … taking up the position of (sub)security official.”
Apart from this screening, Fox-IT reports incidents involving burglary attempts, the triggering of the alarm at the MIVD’s Bureau of Industrial Safety and any indications of suspicious activities. Fox-IT reports attempted break-ins on January 15 and May 17, 2006, for example. On Sunday September 24, 2006 there’s a ”notification from the alarm system of the business unit Fox Crypto”. Three days later a Fox-IT employee mentions he’s seen a middle-aged man taking photos of the Fox-IT property.
Part of the national security structure
Since 2003 Fox-IT has grown into an integral part of national security. This not only shows from its work for the police and the ministries of Foreign Affairs and Defence, but also from their intimate relationship with the NCTV (National Co-ordinator Terrorism and Security), which is part of the Ministry of Justice and Security.
The NCTV hires Fox-IT, among other things, for maintainance and security of its digital infrastructure, such as hardware, storage capacity, back-ups, web space, migration and trainings, including accompanying service contracts.
In 2009 there’s mention of ‘the delivery (and installation) of goods/services as per the accompanying order list’. Fox-IT also provides several trainings for NCTV employees in 2009. In April 2012 it concerns rental of hardware for ‘CC-NCTV Proposal Traffic Assessment’. In the summer of 2012, the terrorism co-ordinator commisisons Fox-IT to ‘deliver the goods and services … with regards to the back-up and evasion location of the NCTV’. At the end of 2012 for ‘two brand new … for FTP and SMTP’ and ‘analysis number of devices linked to internet‘.
The NCTV doesn’t just hire the Delft-based company for the maintainance of its digital infrastructure, it also collaborates with Fox-IT for international exercises and the security of international events.
In March 2013 the company is asked to deliver programming equipment to the NCSC (National Cyber Security Centre), which is part of the NCTV. The equipment is to be used during the worldwide exercise Cyber Storm IV. The exercise is part of the Cyber Storm exercises of the American Department of Homeland Security, during which they test the vulnerability of governments to internet attacks.
One year later the NCTV even requests Fox-IT to ‘perform an additional cyber vulnerability inventarisation’ for the NSS 2014 (Nuclear Security Summit). During the NSS 2014 on March 24 and 25, large parts of The Hague and surroundings are inaccessible to the public due to the presence of many world leaders, including the US president. Far-reaching curtailments on freedom of speech and the right to protest were implemented during this period. The Delft-based company is also asked to perform ‘an emergency investigation into the network data of the online accreditation environment of the NSS‘.
The Foreign Office also turns to Fox-IT for help during the NSS 2014 concerning a commission called ‘NSS red teaming’. The company is asked to test the ministry’s vulnerability against physical and digital threats, both from the inside and the outside. On February 17, 2014, Fox-IT requests “the availability of a number of accounts for the website” for this job.
The Delft-based company also mentions they will “start targeting FO employees directly from this evening. …We want to start testing internally with you this Friday. On the one hand from the system of a regular FO employee (not an IT manager), on the other from a system we will bring ourselves, which we will attach to your network.” The exercise lasts till March. On March 14, 2014, Fox-IT reports that ‘the relevant logging on our C&C server has crashed unfortunately. We have done a remote uninstall this weekend, however, so the machine should be clean.” What the crashing of the server means for the results and the quality of Fox-IT’s work has not been disclosed by the Foreign Office.
Sort of standard deviation of General Terms & Conditions of State for Fox-IT
Fox-IT’s commission for the NSS 2014 contains a remarkable paragraph. In its plan of approach the NCTV writes about the work of the Delft-based company: “Even though Fox-IT will take the lead in this commission, the possibility exists for government third parties to be involved in the planning and possibly the execution of the work.”
So, Fox-IT has a leading role in the work. This is quite remarkable in and of itself, but it goes even further. The Delft-based company stipulates special conditions in the acceptance of government commissions.
The government applies the General Terms & Conditions of State (ARVODI) to any tendering of jobs to external companies. These conditions were periodically changed in 2008, 2011 and 2014. Published documents show that Fox-IT regularly stipulates exemptions to the General Terms & Conditions of State. This is the case, for example, in a tender from Fox-IT Crypto (date not disclosed) for a job with the police.
The general conditions of ARIV 2008 and ARVODI 2008 should in principle apply to this tender. Fox-IT, however, stipulates limited liability. The company provides a service for the Service Operational Support (Registration centre Cyber crime), possibly a VPN application, but it doesn’t want to be liable for the provided service.
Again, it’s quite remarkable enough that a company would refuse to accept liability for a service provided by said company, but it doesn’t stop there. Fox-IT rejects the General Terms & Conditions of State and applies its own conditions to their offer. The Delft-based company writes to the police: “KLPD (National corps police services) terms & conditions, as well as any other standard conditions that apply to the KLPD branche, are not applicable and are explicitly rejected by Fox-IT, unless Fox-IT has provided written conformation to accept the conditions. Any such acceptance cannot be infered from a lack of response to KLPD claims that it doesn’t accept the ICT Office conditions and declares its own conditions relevant” (date not disclosed).
The position taken by Fox-IT is no exception. The company takes a similar stance in other jobs for the police. In another approved quotation (date not disclosed) the company also rejects any liability. “Fox-IT accepts no liability in regards to any damage as a result, directly or indirectly, of the work executed by Fox-Crypto Inc at the orders of the client.”
The Delft-based company doesn’t stipulate exemptions for the police alone. Equally with jobs for the NCTV, Fox-IT has stipulated “a sort of standard deviation from ARVODI” during negotiations for commissions in 2014, according to a civil servant in an email dated May 15, 2014.
On June 11, 2014, a NCTV official sends a mail with the subject ARVODI 2014: “Could you take this up with … ?” He indicates we normally agree to Fox-IT’s conditions.” Even earlier, in an email from Fox-IT of September 19, 2012, Fox-IT had stated to “have a couple of concerns about the liability and intellectual property”. The Ministry of Justice and Security has not disclosed what kind of concerns the company specifically had.
Direct lines to government and cabinet
Fox-IT holds a special position with regards to the government. It not only shows in its exemption status regarding the General Terms & Conditions of State, but it’s also revealed in the direct lines it has to civil servants, embassies, the cabinet and ministers. During previous research by Buro Jansen & Janssen into Fox-IT this only came up indirectly.
For example, Matthijs van der Wel, the then manager Business Development EMEA (Europe, Middle East and Africa), tells Fox-IT’s German business partner AGT during a business trip to Dubai in 2007 that he ‘has an urgent meeting with the Dutch government’. At first he needs to return to the Netherlands for it, but later he decides to stay and conduct the meeting by phone. What Fox-IT’s sales manager in the Middle East can have to discuss with the Dutch cabinet remains undisclosed. It seems strange Van der Wel should share this information with a dubious business partner like AGT.
Dutch embassies abroad tend to lend a willing ear to Fox-IT. When the company in 2007, for its sales activities in the Middle East, delivers exclusive workshops for government departments, military and intelligence services in countries including Egypt, Syria, Saudi Arabia and the United Arab Emirates, Fox-IT has engagements with the Dutch embassies in Saudi Arabia and Syria. In Syria it concerns a lunch appointment, a day before a workshop to representatives of the Syrian government and intelligence services.
The Delft-based company even joins forces with two Dutch institutions, the NFI and TNO (Dutch organisation for Applied Physics), during the preparations for a Surveillance Lab in Saudi Arabia. The Surveillance Lab amounts to the implementation of a national network of phone and internet surveillance at the behest of the Saudi Home Office.
In an MTsprout interview in April 2014, the former Fox-IT director offers another example of a direct line to the very top of the Dutch government. He claims to have sounded out the then Minister of Defence, Jeanine Hennis-Plaschaert, about investments into the cyber security branch, to which his own company Fox-IT belongs. In the interview Prins claims the minister ‘appears to think along the same lines as us‘ (Fox-IT).
As an example of those lines Prins mentions The Hague Security Delta (HSD) that was established in that period. According to Prins ‘it could grow into a kind of Silicon Valley’. Over the years, however, the success of this HSD has been called into question in the media. Though the initiative was supposed to have received a lot of subsidy, it didn’t produce much result. The Hague city council also posed questions about The Hague Security Delta.
The government follows Fox-IT’s lead with FOIA requests
Due to the personal ties and the variety of commissions for which the Delft-based company is hired, they have direct lines of access to the government. Something that particularly stands out in the close relationship between Fox-IT and the government, is the company’s active involvement with regards to the response to FOIA requests with different government departments.
Throughout the years Buro Jansen & Janssen has made many FOIA requests to the government concerning its ties to Fox-IT. Though the government does publish some documents in response to these requests, many remain undisclosed and much information has been rendered illegible. This isn’t anything out of the ordinary in response to FOIA requests, but those concerning Fox-IT are a bit special in a different way. The company plays an active role in the response of these FOIA requests and thus makes sure even less information is made public than usual.
Requests on the basis of FOIA can be subjected to third parties who are allowed to give their view about the publication of government documents to be disclosed. However, Fox-IT doesn’t just give their views on the matter, the company actively interferes in the response and gets involved in legal procedures.
In regards to our FOIA requests in 2014, then director Ronald Prins approaches Buro Jansen & Janssen directly. The Delft-based company has been appraised of the FOIA requests made. It’s not unusual for companies to submit their view, however, what is quite astonishing is the fact the government has disclosed the identity of the submitter of the request, because according to Article 8 of the Act on the Protection of Personal Data, the government is dutybound to protect the privacy of those who submit FOIA requests.
After having been approached, Buro Jansen & Janssen decided to submit FOIA requests to several ministries regarding the manner in which FOIA requests concerning Fox-IT were handled. In response to these the Ministry for Economic Affairs published documents that show the company has a considerable influence in the response to FOIA requests submitted to the ministry regarding Fox-IT and which information the ministry can or can’t disclose.
On July 15, 2014, Fox-IT writes: “Fox-IT is of the opinion that disclosing certain documents or parts of them will or can harm the interests of the State, clients, partners, relations and employees of Fox-IT and Fox-IT itself disproportionately.”
Subsequently, Fox-IT itself reviews the documents and tells the ministry which information can’t be disclosed: “In the attached documents we have highlighted which parts of the concerning documents can not be published according to Fox-IT Inc. Therefore, these parts should be removed adequately or rendered unrecognisable.”
In an accompanying letter to the redacted documents by Fox-IT, the company concludes satisfactorily: “It’s Fox-IT’s understanding, any way, the documents are to be amended in the appropriate fashion?”
Furthermore, Fox-IT doesn’t only play an active role during the primary and the objection phase of FOIA requests, it also gets involved in the appeal phase. For example, in 2017 Fox-IT is approved by the court as an interested party during the consideration of a FOIA request submitted by Buro Jansen & Janssen to the National Police in 2014. The company is allowed as a third party, besides the police, to act as defendant.
The developments regarding this FOIA request are extraordinary. In 2014 Buro Jansen & Janssen requested the publication of all documents pertaining to the relationship between the police and Fox-IT. As per usual the police wanted to publish as little as possible, a stance shared by Fox-IT.
In March 2018, after the appeal stage, finally some documents were disclosed. In one of these documents even the letterhead is partially obscured. Over an assignment of ‘Hardware support … Equipment March 2013 – June 2013’ it says ‘Fox …, a Wholly-Owned Subsidiary of NetScout Systems, Inc’.
After Fox it should say Replay, as Fox-IT sold the FoxReplay to the American company NetScout on September 26, 2015, which was still marketed as the FoxReplay by NetScout for quite some time. In the General terms of the agreement between the national unit of the police and NetScout the name of the American company doesn’t appear, though there’s mention of the FoxReplay, albeit with Replay blacked out.
In 2010 Fox-IT proudly announced in its newsletter: “The Dutch police have recently purchased FoxReplay Analyst.” Ten years later the company is trying to prevent its name being associated with the tapping software.
Replies to parliamentary questions by Fox-IT
It’s clear Fox-IT has a lot of influence on what information about the company the Dutch government reveals. This doesn’t just show in the response to the FOIA requests, it was previously apparent in the responses to parliamentary questions in October 2011.
On October 17, 2011, MP El-Fassed submitted questions to the Ministry of Economic Affairs about the export of internet filters and tapping technology by Dutch companies. From published documents it’s clear that Fox-IT dictates the ministerial responses.
Further to the parliamentary questions, a meeting takes place on October 27, between the ministry and a number of companies, including Fox-IT. The ministry runs the concept answers past Fox-IT on November 21, 2011: “I would like to ask you to confirm your agreement to the inclusion of your answers as worded in reply 3. I’ve taken the liberty to edit a little bit here and there, but tried to leave your answers as intact as possible. Fox-IT is content the ministry has used its text and answers with a smiley: “No objections. Insofar that message wasn’t already clear.”
Fox-IT gets its way. In a letter to the House of Commons on January 18, 2012, the companies who were present at the talks are cited. The letter refers to Fox-IT very sparingly in one sentence, which has come straight from an email of October 26, from the company to the ministry: “Fox-IT is no longer active in the field of Lawful Interception. All activities in this field have been taken over by the American company NetScout.”
Imbalanced relationship between Fox-IT and the government?
The relationship between the Dutch government and the relatively small company of Fox-IT can be called extraordinary. In the course of a decade, former employees of police, the Justice Department and intelligence services have set up a company that works with the government on many levels.
Fox-IT collaborates with ministries and other government institutions in a variety of jobs. It’s involved, for example, with investigations, with disconnecting servers used for criminal purposes, securing state secrets, providing encrypted communication, performing hack tests, it’s commissioned to acquire equipment, gives workshops, joins in exercises with NATO partners, and is involved in the accreditation of an international cyber conference where the US president was present.
The list of goverment jobs is without a doubt very impressive. However, it’s also a list that raises questions.
First of all, the question whether the Dutch government isn’t overly dependent on Fox-IT. It’s a question that gained another dimension after the take over by the British NCC group in 2014. This not only raises the question of how safe Dutch state secrets are with a company that’s come under foreign ownership, but also about the security of every other service provided by Fox-IT, such as encrypted communications and hack tests.
The second question concerns Fox-IT’s negotiating position in the tendering of government jobs. The company has such a close relationship with the government it gets jobs without a tendering procedure, has stipulated exemptions with regards to the General Terms & Conditions of State and plays a major part in disclosing documents and answering parliamentary questions.
Do the negotiating position and its accompanying perks of making demands of the government, getting the many and diverse jobs it executes, the direct lines and personal ties to the government in other words their close relationship, stem from an overly dependent governmental position or does the Delft-based company simply employ clever negotiators?
The third question concerns the amount of control and oversight Fox-IT holds over the government. This question follows from both the matter of dependency as well as the negotiating position. Is the Dutch government even capable of checking the jobs a company like Fox-IT does for it, as well as being able to issue the permits the company needs?
About one of these permits, export permits, Buro Jansen & Janssen already conducted research in February 2020, as outlined in ‘Fox-IT and the Dutch export policy for dual use goods‘. This research showed that in practice no risk analyses were done to prevent undesirable uses, because the Department Export Control gave priority to facilitating the Delft-based company’s export. Fox-IT provides the Department of Export Control with hardly any information about the end users of its products for export and the government asks the company barely any additional information.
The relationship between the Dutch government and Fox-IT can therefore be considered imbalanced in more than one way. This jars even more considering the government as well as Fox-IT give the impression, specifically in the response to FOIA requests, of wanting to hide something.
– Onderzoek: Fox-IT in Rusland (pdf)