Page 1 of 4
Karim.Khan @ICC-CPI.int
Po Box: 19519, 2500 CM
The Hague, NL
Dear Karim Khan,
I have been interested in your work for a while and would like to request an open-hearted informal
conversation about various security and compliance issues at ICC itself.
Note: This isn't a commercial offer, nor a trick to gain anything. It is merely an attempt to share
specific knowledge to help ICC protect our safety and justice for all people.
Some background information:
***********************************************
***********************************************
*** mainly focused on structural prevention of espionage, sabotage and criminal infiltration.
While maintaining decent safeguard as core value to prevent corruption.
During a recent research project we noticed that there are some very serious security and law & regulations
compliance issues with how ICC is handling information flows. This concerns me.
It not only means that ICC itself is partly operating outside the boundaries of various rules, regulation and
international treaties, but also that subjects like espionage and intrusion-prevention seem to be a rather
neglected concern within the present ICC structure.
Our main findings;
~ ICC is leaking quantities of sensitive and confidential inside_information to the public internet via various
paths.
~ ICC leadership has 'allowed' 3rd party commercial companies to handle sensitive and classified ICC
information, even companies with a rather dubious reputation like criminal convictions...
By doing so, ‘allowing’ espionage profiling of the organization, which people work for/with ICC and what
operational activities are going on. While ‘tolerating’ unauthorized covert access to data handling systems.
~ ICC 'security' functionaries who are supposed to make sure that unauthorized access to ICC infrastructure
and physical locations is not possible. Are seemingly sitting within a bureaucratic Ivory Tower composition
whereby they “allow” indolent IT and operational security choices which are clearly not compliant with
essential basic security guidelines and regulations.
Various simple protection measures are not even accomplished. Which is publicly visible.
Note: By partly neglecting the core task to actually “enforce” security rules and regulations on people who
make key choices for the ICC structure. Those 'security' functionaries are allowing the ICC organization
to be insufficiently protected. Therefor ICC is in breach of various regulations.
Page 2 of 4
~ ICC 'security' functionaries do not seem to be “in control”, when it comes to preventing or detecting long
term intrusion and extraction. As they are not “in control” of the data flows and accessibility.
There seems to be a lack of a complete overview diagram/picture of which data flows there are present.
So how can they be expected to even define which classification and protection maturity level all those forms
and (sub-)layers of data/information ought to have ?
I’m concerned to see that the present security functionaries at ICC are partly neglecting to enforce all the
essential mandatory “Security” rules on themselves, their fellow employees and service-providers.
After all, those 'security' functionaries currently do not get rewarded extra for making sure that ICC is
decently protected and compliant. They do get paid for their work hours. So of course they appear to be
making things look good on paper. As it’s better for their personal career when they don’t bother considerably
with actually enforcing various rules and regulations...
Sensible rules which many within ICC can't be really bothered to adhere to, ..because they have not been
made sufficiently aware of why it is of key importance to comply.
They even go as far as using various known (Machiavellian) tricks, like putting cunningly deceptive
statements in official status reports to pretend that things are “okay” and compliant.
Even when it is publicly noticeable that things clearly are not “okay” at all.
Be that as it may, I would like to offer in-depth expertise so that you and your peers within ICC leadership
can be better informed about what's going wrong with risk management and why.
More importantly, how you can simply make sure that protection and compliance is actually done properly.
Please feel free to send an invitation, so that we may exchange key knowledge on location in Den-Haag.
Met vriendelijke groet | With kind regards | Med vennlig hilsen
* *******
eMail: ***********
Tel: +31.6.********