Militaries around the world spend countless hours training, developing policies, and implementing best operational security practices, so imagine the size of the egg on the face of the Dutch navy when journalists managed to track one of its warships for less than the cost of some hagelslag and a coffee.
The security snafu was reported by Dutch regional broadcaster Omroep Gelderland. In a Thursday report, Omroep Gelderland journalist Just Vervaart said the broadcaster was able to track HNLMS Evertsen, a Dutch air-defense frigate deployed to help protect France’s aircraft carrier Charles de Gaulle against missile threats, by mailing a Bluetooth tracker concealed in a postcard to the ship.
Per Vervaart, the Dutch Ministry of Defence makes it easy to send mail and packages to soldiers and sailors in the Dutch armed forces and posts full instructions online. It's that freely available open-source intelligence data that Vervaart was able to use to send the tracker to the Evertsen.
The report says the tracker remained active for about 24 hours, showing HNLMS Evertsen leaving port in Heraklion, Crete, and sailing first west along the island’s coast before turning east toward Cyprus. The tracker finally went offline a day later when the ship was near Cyprus, and hasn't come back online.
According to Dutch defence officials Vervaart spoke to for his story, the tracker was found during mail sorting and was disabled. Still, the Ministry is reportedly changing its mail policies in response to the incident and will now ban greeting cards containing batteries along with further reviewing mail guidelines.
The ban on greeting cards containing batteries appears to be a direct response to Vervaart's test, as he chose to conceal the Bluetooth tracker in a postcard after ministry videos and mailing guidance indicated envelopes were not X-rayed, unlike packages, making that route more likely to pass through undetected.
An opsec lesson for civvies, too
As a military veteran myself, I understand the delicate balance to be made between letting troops stay in touch with their families and protecting them from accidentally spilling crucial secrets.
Social media, for example, has been an absolute opsec disaster for militaries, as even the most innocuous seeming post can accidentally include information that's incredibly valuable to the right person. Limits obviously have to be put in place to that end.
- Lovestruck US Air Force worker admits leaking secrets on dating app
- Tile trackers are a stalker's dream, say Georgia Tech researchers
- Top Trump officials text secret Yemen airstrike plans to journo in Signal SNAFU
- Google, Apple gear to raise tracking tag stalker alarm
Cut soldiers and sailors off from physical mail while on deployment, though, and you're likely to have a mutiny on your hands. Technology has changed, though, and something once as innocuous as posting instructions on how to send mail to military members has to be weighed in a new light.
"Nowadays, you can eliminate targets remotely and with great precision, but you do need to know where they are," retired Dutch lieutenant general Mart de Kruif told Omroep Gelderland in the original story. "So, as a frigate, you never want to reveal your location to other people."
This isn't just a military lesson, either: Technological evolution means things that were totally acceptable in the enterprise world before may now be critical security risks that have yet to enter into your OPSEC equation. ®