The security cameras ordered by Netherlands Railways (NS) are not connected to the Internet. They are located in a closed and secured internal network, so no one from the outside can access the images. It is one of the measures taken by NS to keep (state) actors out.

So writes State Secretary for Infrastructure and Water Management Vivianne Heijnen on behalf of Minister of Justice and Security Dilan Yeşilgöz-Zegerius in a letter to the House of Representatives (1). In it she answers written questions submitted last month by Queeny Rajkowski and Fahid Minhas (both VVD).
The VVD members had questions after Follow The Money wrote that there are some 10,000 cameras on trains, at train stations and at bicycle shelters. Most of the cameras come from Western companies such as Bosch and Siemens. Some of them -- estimated to be some 1,500 cameras -- are supplied by Hikvision and Dahua.
This poses a danger to both our privacy and national security, according to experts. There is a risk that the images recorded by these cameras could end up in the hands of the Chinese government, the People's Liberation Army or the Chinese secret service. This would allow them to remotely monitor which dignitaries are where at what time. Dutch intelligence and security services have also warned about cyber espionage in the past.
For ProRail, which is responsible for maintenance of the Dutch railroads, that was reason to remove all Hikvision cameras before the end of the year. NS left them in place because there is "no negative government advice" on the table and the National Cyber Security Center (NCSC) has not recommended replacing the cameras. Indeed, NS ordered 5,000 new security cameras from Chinese technology companies in September.
Following this news, Rajkowski and Minhas decided to submit a number of written questions to Minister Yeşilgöz-Zegerius. In them, they stated that they find it "highly undesirable" that NS is purchasing cameras from Chinese tech companies. "Do you agree that it is unacceptable that millions of Dutch people are being filmed by controversial Chinese cameras of which it is not clear what will be done with these images?" the VVD members asked the minister, among other things.
State Secretary Heijnen, also on behalf of Minister Yeşilgöz-Zegerius, has answered the questions of the VVD. In a letter, the State Secretary writes that the cameras are part of a European tender to modernize train equipment. European train manufacturers, in turn, do business with Chinese suppliers.
NS says it has taken a variety of measures to ensure that China cannot watch the images recorded by the cameras. "One of the measures is that these cameras are located in a closed and secured (internal) network that is not connected to the Internet. According to NS, this means that no one from outside can access the content or control of the cameras," the letter to the Lower House reads. State Secretary Heijnen writes that there are no security cameras from Chinese companies at stations. These are currently used in "a number of types of trains."
The State Secretary does not share the VVD's view that it is highly undesirable to purchase Chinese security cameras. Heijnen emphasizes that a risk analysis is made when purchasing services and products. National security considerations are taken into account, as well as any risks to the supplier and potential risks if such systems are used.
NS has been designated as an essential service provider (AED) by the Ministry of Infrastructure and Water Management. As such, the railroad company falls under the regime of the Network and Information Systems Protection Act (Wbni). This means that NS is obliged to take appropriate security measures to protect its systems from malicious parties. "In this regard, vital providers are themselves responsible for taking the appropriate measures. Sectoral regulators monitor how vital providers fulfill this duty of care," the state secretary said.
Furthermore, State Secretary Heijnen writes that the NCSC does not give advice on individual products or services. "The NCSC advises organizations to implement risk management in their organization and to apply it when purchasing products and services," the letter to the House of Representatives states. Providers of vital services are responsible for this themselves.
Finally, the State Secretary for Infrastructure and Water Management reports that the Netherlands is discussing data security with China in various contexts. These talks include the protection of privacy, compliance with the General Data Protection Regulation (AVG), protection of human rights and inappropriate government access to data.
The cabinet favors strict enforcement and strong promotion of European standards and norms in the areas of data protection, privacy and product safety.
(1) https://www.tweedekamer.nl/kamerstukken/kamervragen/detail?id=2022Z16709&did=2022D43602
