On 28 August 2024, an IT failure occurred at Defence, which had quite an impact on the functioning of systems inside and outside Defence.

The Minister of Defence wrote a letter about the failure to the House of Representatives on the same day, but the cause and solutions were not known at the time

According to the letter, the cause of the problem lay in the provision of access to the so-called Netherlands Armed Forces Integrated Network (NAFIN). An error in the software code would have caused a problem in time synchronisation on the network. As yet, there was no indication that the malfunction was caused by a malicious party. Once more is known about the cause, the minister would inform the House.

Most of the external outage was said to have been resolved the same day. Internally Defence, however, seems to have taken a bit longer.

An "error in the software code" is, in our working group's opinion, a rather general interpretation of the cause. After all, in almost all modern systems, software determines how it functions. An error doesn't just happen either. A failed update such as had global effects a few weeks earlier might be possible, but a well-designed combination of systems should be able to withstand it. Apparently, for the system, which caused the wrong time synchronisation, there was no monitoring, hot-standby or other solution, which could intervene if something like that went wrong.
It is also common for software to be tested before going live. Didn't that happen here? Did speed win out over security?

In an IT system crucial for the functioning of several vital (government) services, such a "single point of failure" should not occur. Not for failures caused by technical errors, but neither for intentional failures caused by adversaries.

The working group suggested to the Standing Committee on Defence to hold the minister to his promise of further information, addressing in particular whether there are any other single points of failure in Defence systems and how they can be prevented in the future.

_____________________________
The Hague, 30 September 2024
More information on the Politics and Defence Technology Working Group can be found via this link.
Do you have any questions? If so, please contact the working group via E : dv@kivi.nl
If you would like to receive the working group's comments and opinions by email, please sign up via this link.

Are you an engineer and would like to contribute to our opinions? Get in touch via dv@kivi.nl
Disclaimer: The facts and opinions given are based on open sources and on the knowledge and experience of working group members.
This is not an official position of KIVI. The association accepts no liability for anything put forward by the working group or its members.

Image: Creative Commons CC0 1.0