Algemene Rekenkamer

Netherlands Court of Audits (NCA)
Cyber attacks vs border control - Background

"As more and more use is made of IT in operating border controls, so the cyber security risks will rise. In the light of all the technological advances that are set to take place in the coming years, we believe that the current level of cyber security in relation to the border controls operated by the border guards at Amsterdam Schiphol Airport is not adequate and hence is not future-proof."

"Cyber attacks, for example in the shape of digital sabotage, espionage and cyber crime, threaten the continuity of border controls and the confidentiality of the data processed. If IT systems fail, the Dutch border guards can no longer carry out border checks. Another risk is that foreign intelligence services may use cyber espionage as a means of gaining access to personal information, either on passengers in general or on individuals. However, cyber attacks could also be used in order to manipulate information, for example, to make it easier for people on wanted lists to cross the border."

Three basic threats

"The first possibility is that of a cyber attack aimed at disrupting border controls. The border guards cannot carry out border controls if the IT systems supporting the controls are disabled. The result would be long queues forming at Amsterdam Schiphol Airport and flights being delayed or cancelled, resulting in damage to the economy and the disruption of society. In the event of an IT failure, the border guards might have to relax border controls for a time, due to circumstances beyond their control. This is the point at which a cyber attack could raise the risk of illegal immigration, for example. In June 2019, a technical problem (not a cyber attack) forced the border guards to relax border controls for over an hour."

"Another scenario involves an attack mounted against the confidentiality of the IT systems. According to the National Cyber Security Centre (NCSC), there is a permanent and growing threat of cyber espionage perpetrated by foreign intelligence services (National Coordinator for Security and Counterterrorism and National Cyber Security Centre, 2019). The latter may be interested in tracking the movements of diplomats, members of repressed minorities or political opponents, and they may attempt to penetrate systems in order to gain access to such information. The Dutch Military Intelligence and Security Service confirmed that foreign intelligence services may indeed be interested in obtaining passenger data processed during border controls at Amsterdam Schiphol Airport. Its status as an international hub makes Amsterdam Schiphol Airport an attractive target."

"A third risk is of a sophisticated cyber attack aimed at manipulating information. The fact is that border controls depend on the reliability, or ‘integrity’, of the data used. If an attacker succeeds, for example, in manipulating the contents of lists of wanted persons, this could make it easier for wanted persons to get past the border undetected. The potential risks associated with cyber attacks will intensify in the future. The plans announced by Schiphol N.V. for performing biometric border checks and the EU’s development of an entry-exit system for recording border crossings by travellers with permission to reside temporarily in the Schengen Area will generate new data sets, including biometric data sets, and new interlinkages. Not only will this create a higher risk of cyber attacks, it will also ensure that they will have a more powerful impact if they materialise."

Strategy in place

"4.2.1 Cyber security policy adopted and responsibilities allocated. It is clear from the Ministry of Defence’s IT and cyber security strategy that the Ministry is aware of the nascent threat of cyber attacks. The cyber security strategy refers specifically to the growing digital risks associated with border controls. The strategy has been translated into the Ministry of Defence’s security policy, i.e. a systematic set of procedures and guidelines that together describe how cyber security is to be achieved and who is responsible for what."

Incomplete approval procedure

"Two IT systems used for border controls have not been approved. We found that two IT systems used for border controls had not fully completed the approval procedure. The IT system used for the manned passport-control desks needs to be approved in accordance with the Ministry of Defence’s security policy. The IT system used for the self-service passport gates is owned by the Ministry of Justice and Security and is therefore not subject to the Ministry of Defence’s security policy. However, it has been agreed that this system must pass the approval procedure in accordance with the Ministry of Defence’s security policy. As it is not clear whether the necessary security procedures have been adopted, it is equally unclear whether the systems used for the manned passport-control desks and the self-service passport gates are adequately protected against cyber attacks."

1a Ensure that the requisite security procedures are adopted as swiftly as possible in relation to the IT system used for the manned passport-control desks, so that the approval procedure can be completed in accordance with the Ministry's security policy.

Missing tests

"Security is one of the aspects of an IT system that need to be tested in order to ensure that it meets the requisite quality standard. A security test involves examining how vulnerable the IT system is to misuse and/or how effective the security procedures are. Broadly speaking, security tests fall into two categories:"

"- vulnerability scans, the idea of which is to identify vulnerabilities that are inherent to the system and which an attacker might be able to exploit; and"

"- pen tests (i.e. penetration tests), in which testers try and exploit vulnerabilities in order to undermine the availability, integrity (i.e. reliability) or confidentiality of the IT system."

"Any vulnerabilities identified in security tests are assigned a risk category, depending on the risk of the vulnerability being misused and the potential impact of such misuse. The categories used by the Ministry of Defence are ‘low’, ‘average’, ‘high’ and ‘critical’. A vulnerability is classified as ‘critical’ if it is open to easy misuse that could have a massive impact."

"The IT system used for the pre-assessments has completed the approval procedure and the majority of the relevant security procedures have been implemented. However, even though the system was given the go-ahead to be taken into use, no security tests were carried out"

3a Subjecting the three IT systems used for border controls as swiftly as possible to annual security testing in accordance with the Ministry of Defence's security policy, and in ensuring that recommendations are implemented

Detection capacity not linked

"Both the Ministry of Defence and Schiphol N.V. have the necessary detection capacity in the form of a Security Operations Centre (SOC). The IT systems used for the border controls are not connected to the detection capacity of these SOCs. As a result, there is a risk of cyber attacks directed against these IT systems either not being detected or not being detected in time."

1b Connect the two IT systems used for the border controls for which the Ministry of Defence is responsible as swiftly as possible to the detection capacity of the Ministry's SOC, and to give priority to the pre-assessment system (classified as 'critical') in this respect

Ownership change is also about security

"The idea is for the ownership of the self-service system to be transferred to Schiphol N.V. Schiphol N.V. is currently responsible for cyber security matters, with the Minister of Justice and Security involved only in a policy-making role, for example in setting standards for the reliability of biometric checks. We found that there are no legal restrictions on transferring IT ownership in relation to critical government tasks such as border controls to commercial parties. The presence of the Network and Data System Security Act and its enforcement should ensure that the IT systems underlying essential services are sufficiently capable of resisting any cyber security threats. In the light of the number of parties involved and the wide range of interests at play in a changing technical environment, we believe it is important for cyber security to be guaranteed in relation to the planned transfer of ownership to Schiphol N.V."

2b Reconsider whether the planned transfer of ownership of the self-service system to Schiphol is accompanied by adequate cyber security safeguards

Lack of practical exercises

"The border controls operated by the border guards at Amsterdam Schiphol Airport form part of a chain of public-sector and private-sector parties in which decisions constantly need to be made based on an assessment of the relative interests of security and mobility. Any disruption of border controls can affect the entire airport. A cyber attack is a realistic risk that will most probably pose new challenges to both the border guards and Schiphol N.V. For this reason, we believe that the failure to hold any practical exercises with this scenario to date constitutes a risk. Moreover, procedures cannot be evaluated and improved without being tested."

3b Ensuring that the Ministry of Defence and the Ministry of Justice and Security work together with all relevant partners in the supply chain in conducting exercises in managing crises caused by a cyber attack directed against the three IT systems used for the border controls at Amsterdam Schiphol Airport

The items above were selected and named by the e-Government Subgroup of the EUROSAI IT Working Group on the basis of publicly available reports of the author Supreme Audit Institutions (SAIs). In the same way, the Subgroup prepared the analytical assumptions and headings. All readers are encouraged to consult the original texts by the author SAIs (linked).