Go to content

NAFIN, vital Defence network well-designed but weak security

News item | 07-11-2024 | 11:00

The Netherlands Armed Forces Integrated Network (NAFIN) is a technically well-designed network for secure and confidential communication between critical parts of the Dutch government. The Minister of Defence has taken many measures to mitigate NAFIN’s vulnerability wherever possible and the risk of outage is relatively small. On paper, security arrangements are good. Nevertheless, unauthorised persons can gain physical access to secure rooms and network cabinets. In a very tense geopolitical situation, this leads to the conclusion that the Netherlands is not fully alert to the risk of sabotage by state actors.

X
  • NAFIN lets the Ministry of Defence, police and other parts of government communicate securely and confidentially with each other.
  • NAFIN’s technical support and maintenance are good.
  • The risk of outage is small.
  • Physical security is weak in practice.
  • The minister relies on third parties (KPN, users, subcontractors) for NAFIN’s maintenance and integrity.
  • There is no strategic vision of NAFIN’s future.

NAFIN is a fibre optic network built by the Ministry of Defence and telecoms provider KPN for secure communication between Defence units. The police, the 112 emergency call centre, all ministries, the Senate and the House of Representatives are also connected to the network. NAFIN has become the backbone of national security. In recent years, however, critical European systems have been the target of more and more sabotage attempts. The Netherlands Court of Audit has investigated the security measures taken by the Minister of Defence to protect NAFIN.

Security good on paper, weak in practice

NAFIN is technically well designed. There is sufficient capacity and the risk of outage is small. Digital access to the network is subject to authorisation management and access procedures regulate physical access to network rooms. In practice, however, the Court of Audit found several security problems. 

Weaknesses in NAFIN’s security

Weaknesses in NAFIN security. The caption under the figure includes a full description.
This figure shows the weaknesses in the Netherlands Armed Forces Integrated Network (NAFIN). NAFIN’s cables are protected at 4 places but the Court of Audit found weaknesses at 3 of them. 1. No weakness found in underground fibre optic cables 2. Weakness found in access control at barracks 3. Weakness found in a network cabinet with router and alarm 4. Weakness found in the IT Operations Center’s monitoring of all alarms
  • Main sites may be entered only by people with valid authorisation. Our tests revealed that unauthorised persons can also access the sites and the network cabinets they house. Weak security of Defence property is a recurrent problem; for examples see our 2022 and 2023 Accountability Audits of the Ministry of Defence.
  • In practice, Defence does not make full use of the resources available to detect cyberattacks on NAFIN
     

Defence reliant on third parties for construction and maintenance

The Ministry of Defence is reliant on KPN for the construction and maintenance of the network’s cables. To contract the work out, it must share state secrets with KPN, such as the location of NAFIN cables and the precise location of network rooms. KPN in turn subcontracts the work to other companies, which in turn subcontract the activities to yet other companies. Insight into who is working on the network and the security measures agreed with them is accordingly diluted. One subcontractor, for example, worked on the network for two years without valid authorisation. NAFIN’s security is also reliant on how third parties use the network. Ministries and other third parties connected to NAFIN must agree to the Minister of Defence’s security conditions, but the ministry does not check whether they actually comply with them.

No strategic vision of NAFIN’s role and future

Many decisions concerning NAFIN have been taken for financial and technical reasons rather than for strategic reasons. The network was nearly sold to a commercial party in 2001. The Minister of Defence has not decided how big the network should be or who may or may not be connected to it. The ministry says government parties may be connected ‘as long as Defence interests are not harmed’ but specific details are lacking. There is no clear vision of the network’s future growth. A new risk analysis is long overdue, even though global unrest has grown massively in recent years. Remarkably, NAFIN does not have the status of ‘critical infrastructure’ yet several processes of extreme importance to the Netherlands rely on it.

Major disruption on 28 August 2024

An incident that occurred while the Court was carrying out its audit seriously disrupted NAFIN on 28 August 2024. Emergency services and other users throughout the country experienced major communication problems. Flights were grounded at Eindhoven Airport. The Court of Audit did not investigate this disruption. The State Secretary for Defence said the cause was a faulty software code but a definitive analysis will not be made until the end of the year. The incident illustrates just how serious the consequences for the Netherlands could be if NAFIN were to fail.

Publications