information security

<originally a column for Webwereld - in Dutch>

On July 11th 2001 the European Parliament published a report on the Echelon spy network and the implications for European citizens and businesses. Speculations about the existence of this network of Great Britain-and-her-former-colonies had been going on for years but it took until 1999 for a journalist to publish a report that moved the subject out of the tinfoil-hat- zone. The report of the EU Parliament contains very practical and sensible proposals, but because of events two months after publication, they have never been implemented. Or even discussed further.

Under the heading "Measures to encourage self-protection by citizens and enterprises" lists several concrete proposals for inproving data security and confidentiality of communications for EU citizens. The document calls on Parliament to inform citizens about the existence of Echelon and the implications for their privacy. This information must be "accompanied by practical assistance in designing and implementing comprehensive protection measures, including the security of information technology". So not just some abstract government infomercial on TV/radio but hands-on tips to get some actual work done please!

<originally a Webwereld column>

Last month the VVD and D66 political parties (the Dutch equivalent of the Conservatives and LibDems in the UK) again proposed that the Netherlands should re-adopt electronic voting. Earlier this year the Dutch Association of Mayors also called for their reintroduction (don't you just love it when non-elected officials comment on and interfere with the electoral process :-). While the use of voting computers in the Netherlands has been banned for over four years, even for water board elections, there remains a fundamental misunderstanding of the basic problem with electronic voting.

While the many clumsy security problems (video) or the absence of the source code of the software (in the case of Nedap and SDU voting computers), are excellent talking points for the media and political agenda, these issues are not the core of the problem. And although the voting computer dossier at the Ministry of Home Affairs is now labelled with a bright fluorescent sticker: 'radioactive, do not touch!", there is still a risk that local authorities or suppliers will continue to feel that voting by computer is best "if we can just iron out a few little bugs”.

The real objections are more fundamental and have little to do with security bugs or open source code. They are the fundamental principles underpinning our democracy, and are threatened by the use of voting computers. In the many discussions on mailing lists and web forums it seems that people have lost sight of these principles.

On June 1st 2012 the Dutch government's Parliamentary working group on government IT-projects held a hearing of experts. My written contribution below. Capture of videostream... (in Dutch). Dutch journalist Brenno de Winter published his thoughts here.

Introduction - IT and the Dutch national government
Universality is an assumption of astrophysics that states that all phenomena, everywhere, behave as we observe them from Earth. I'm assuming that phenomena I have observed in specific government IT projects also occur in government IT projects that I have less infromation about (this is usually caused by the poor implementation of Freedom Of Information Acts, see the notes of Mr de Winter).

IT project management is currently based on a rather naive model of reality - "smart entrepreneurs compete on a level playing field for the favours of the government, which then procures with insight and vision." However, this model does not adequately predict the observed outcome of the projects. Whence this group.

Another model would be "a corrupt swamp with the wrong incentives, populated by sharks and incompetent clowns". This model has the advantage of perfectly predicting the observed outcomes.

<originally a Webwereld column - in Dutch>

Diginotar's multiple IT failures in the public sector have been swept under the carpet. So far, nothing indicates that there will be any real change to the Dutch government's overdue IT projects. During the hearing (mp3 – in Dutch) in the Lower House it was apparent that neither the government overseer OPTA or auditor Price Waterhouse Coopers believe themselves at fault, despite the fact that for years as regulators they have rubber stamped the work of Diginotar. The decisions of the PwC auditors were obviously good because "they are executed by responsible professionals". This will be heartening for all those Iranian citizens who are suffering the consequences of this (think of an unpleasant convergence of kneecaps and power tools).

But because of the chaos at Diginotar, we may never know for certain the full horror of those consequences. It is very simple for someone to take over an entire network and manipulate all the logs. The only thing we can really say with any certainty is that so far we have no reason to believe that IT security was any better in the past than the recently discovered FoxIT mess. The PwC audits are obviously not able to detect such a mess and OPTA apparently did not even look. Possibly Diginotar has been totally hacked for many years, and nobody noticed. A really smart spy or cyber criminal does his job and leaves no traces. The many detailed discussions about the exact scale and timeline of the hack have completely ignored this fact. From his grave Socrates is smiling at the idea that we only certainly know what we certainly do not know.