THE NETHERLANDS: NCA audit on national IT-infrastructure NAFIN
The explosion of the Nord Stream pipeline, spies caught with explosives to destroy military transports, countless cut internet cables at sea and on land and the mass disruption of the French railway system in July 2024: critical European infrastructure has increasingly been the target of sabotage in recent years. We have been auditing how the Netherlands shields its critical infrastructure from cyberthreats since 2018. We carry out these audits because the outage, failure or misuse of IT systems can disrupt society. A feature of these audits is that we dive deeper than ‘paper and policy’ and carry out digital and physical practical tests in collaboration with the auditee.
Our most recent audit concerns a communication network of vital importance to central government in general and the Ministry of Defence in particular: the Netherlands Armed Forces Integrated Network (NAFIN). NAFIN is a military fibre optic network covering the Netherlands but separate from the normal fibre optic network that people use to connect to the internet. The 3,500-kilometre network is used to transmit data for the performance of vital government tasks. We investigated the hardware underpinning this digital infrastructure: NAFIN’s physical cables and the network routers that direct data traffic.
We have analysed these components’ vulnerability to cyberthreats. This led us to the following three conclusions:
Ministry of Defence does not have a strategy for NAFIN’s role and future
The first conclusion from our audit is that the Ministry of Defence does not have a strategy for NAFIN. Ever since NAFIN’s initial launch in 1996, money has been pivotal in the ministry’s strategic decisions. As a result, the network was almost sold and the Ministry of Defence decided to substantially enlarge NAFIN to admit civil partners. Technical aspects were taken into consideration but policy documents and scenarios underlying the decisions looked no further than the technology. Furthermore, we could not find risk analyses of the changing geopolitical situation or a vision of the role NAFIN should play in Dutch society. What are the consequences of the Ministry of Defence becoming an IT provider for an airport, a large number of emergency services and many other civil partners?
NAFIN’s physical security is inadequate
Given its national importance, the network must meet the highest security standards. Our practical tests show, however, that security awareness at a number of NAFIN locations is below standard. In the tests, we were handed the keys to NAFIN’s network rooms on more than one occasion despite our lack of authorisation. In addition, detection of our unauthorised access and the response to it did not meet the ministry’s own security standards. We made comparable findings in our 2022 and 2023 Accountability Audits of the Ministry of Defence. It is a matter of concern that we came across similar weaknesses regarding NAFIN. In addition, digital tests revealed weaknesses in NAFIN that a cyberattack could exploit. This leads us to conclude that in very tense geopolitical circumstances the Netherlands is not fully alert to the risk of sabotage by state actors.
Limited military command and control of the network
Our final conclusion is that the Ministry of Defence is very reliant on its private sector partner, KPN. Without KPN the fibre optic network could not have been built or upgraded. It is not possible to switch to another party. The ministry has taken cybersecurity measures to ensure that KPN handles classified information correctly but KPN contracts work out to third parties, who in turn subcontract it to other parties. There is no insight into who is working on NAFIN and what security measures have been agreed with them. One subcontractor worked on NAFIN for 2 years without valid authorisation. The Minister of Defence does not have sufficient command or control of the network.
NAFIN’s security and operation are responsibilities of the Minister of Defence. In practice, many people within the Defence organisation have a role to play: technicians, guards, security and surveillance organisations, the IT Operations Center, etc. NAFIN’s security is a key, shared responsibility. The incident on 28 August 2024 made it crystal clear how many public organisations rely on NAFIN. Parties outside the Ministry of Defence are also responsible for NAFIN’s security, including network users in central government, the contract manager at KPN and the subcontractors who work on the network. In view of the current geopolitical tension, where sabotage of European digital infrastructure on land and at sea is a realistic threat, it is extremely concerning that the Minister of Defence has not yet put NAFIN’s security in order.
Follow up
The Minister of Defence responded seriously to our findings and promises to follow up on the vulnerabilities our audit has revealed. We would like to know if other SAIs have done similar audits on key national IT infrastructures in the light of increasing geopolitical tension and threats. Feel free to contact us if you have any questions about our article or report.