The strengths and weaknesses of NAFIN, the digital armed forces network
The Netherlands Armed Forces Integrated Network (NAFIN) is a technically well-designed network for secure and confidential communication between critical parts of the Dutch government. The Minister of Defence has taken many measures to mitigate NAFIN’s vulnerability wherever possible and the risk of outage is relatively small. On paper, security arrangements are good. Nevertheless, unauthorised persons can gain physical access to secure rooms and network cabinets. In a very tense geopolitical situation, this leads to the conclusion that the Netherlands is not fully alert to the risk of sabotage by state actors.
NAFIN is a fibre optic network built by the Ministry of Defence and telecoms provider KPN for secure communication between Defence units. The police, the 112 emergency call centre, all ministries, the Senate and the House of Representatives are also connected to the network. NAFIN has become the backbone of national security. In recent years, however, critical European systems have been the target of more and more sabotage attempts. The Netherlands Court of Audit has investigated the security measures taken by the Minister of Defence to protect NAFIN.
Security good on paper, weak in practice
NAFIN is technically well designed. There is sufficient capacity and the risk of outage is small. Digital access to the network is subject to authorisation management and access procedures regulate physical access to network rooms. In practice, however, the Court of Audit found several security problems.
Weaknesses in NAFIN’s security
- Main sites may be entered only by people with valid authorisation. Our tests revealed that unauthorised persons can also access the sites and the network cabinets they house. Weak security of Defence property is a recurrent problem; for examples see our 2022 and 2023 Accountability Audits of the Ministry of Defence.
- In practice, Defence does not make full use of the resources available to detect cyberattacks on NAFIN.
Defence reliant on third parties for construction and maintenance
The Ministry of Defence is reliant on KPN for the construction and maintenance of the network’s cables. To contract the work out, it must share state secrets with KPN, such as the location of NAFIN cables and the precise location of network rooms. KPN in turn subcontracts the work to other companies, which in turn subcontract the activities to yet other companies. Insight into who is working on the network and the security measures agreed with them is accordingly diluted. One subcontractor, for example, worked on the network for two years without valid authorisation. NAFIN’s security is also reliant on how third parties use the network. Ministries and other third parties connected to NAFIN must agree to the Minister of Defence’s security conditions, but the ministry does not check whether they actually comply with them.
No strategic vision of NAFIN’s role and future
Many decisions concerning NAFIN have been taken for financial and technical reasons rather than for strategic reasons. The network was nearly sold to a commercial party in 2001. The Minister of Defence has not decided how big the network should be or who may or may not be connected to it. The ministry says government parties may be connected ‘as long as Defence interests are not harmed’ but specific details are lacking. There is no clear vision of the network’s future growth. A new risk analysis is long overdue, even though global unrest has grown massively in recent years. Remarkably, NAFIN does not have the status of ‘critical infrastructure’ yet several processes of extreme importance to the Netherlands rely on it.
Major disruption on 28 August 2024
An incident that occurred while the Court was carrying out its audit seriously disrupted NAFIN on 28 August 2024. Emergency services and other users throughout the country experienced major communication problems. Flights were grounded at Eindhoven Airport. The Court of Audit did not investigate this disruption. The State Secretary for Defence said the cause was a faulty software code but a definitive analysis will not be made until the end of the year. The incident illustrates just how serious the consequences for the Netherlands could be if NAFIN were to fail.
Our audit questions
- What are the objectives of the NAFIN armed forces network and who uses it?
- Does the public-private partnership function effectively with regard to the cybersecurity of the NAFIN armed forces network?
a) Is there a clear allocation of responsibilities between the Minister of Defence and the private parties?
b) Are the private parties authorised to work on the network and is their work supervised correctly?
c) What cybersecurity agreements have been made with the public parties and are the agreements supervised correctly? - Are effective detection measures in place for the NAFIN armed forces network? (design and existence)
- Are clear scenarios in place to respond to incidents on the NAFIN armed forces network and are response measures effective? (design and existence)
- Are detection and response measures in place for the NAFIN armed forces network effective in practice? (operation)
Do you have any feedback on this investigation?
We welcome all feedback on our audits and investigations. What do you think about our report? If you have any questions or need further information, mail us at feedback@rekenkamer.nl. We read all emails carefully and treat them in confidence.