Category: government & IT
Over the last 10-15 years public IT in Europe has not developed in line with public interests, nor does it guarantee the fundamental rights of citizens such as privacy and freedom of expression. Tremendous opportunities in the field of economic development and employment have also been missed. Europe effectively outsources much of its information processing (software & services) to foreign parties at the direct cost of hundreds of billions of Euros (typically around 1% of GNP). The opportunity-cost to local economic growth and employment opportunities are much greater than that. Even more costly than either of these is the de-facto handing over of control of data of governments, businesses and individual citizens to foreign spies who use it for political manipulation, repression of citizens’ freedoms and industrial espionage. Although the warnings about the negative consequences of current policies date back at least 15 years, these aspects have been documented in irrefutable detail over the last year by the revelations of Edward Snowden. 12 months later there has not even been the beginning of a policy response.
It could all have been so different …
In the first 21 months of the 21st century, the dot-com bubble burst and then three skyscrapers in New York collapsed. Between these two events a largely forgotten report to the European Parliament appeared in the summer of 2001. This report described the scale and impact of electronic espionage in Europe by the U.S. and its ‘Echelon’ partners (Canada, UK, Australia and New Zealand). Besides a detailed problem analysis, the report also gave concrete examples of IT policies that governments could take to significantly limit foreign intelligence spying on Europe.
In the same period was U.S. government won one of the largest anti-trust cases its history, against Microsoft, and the EU followed this victory by launching a similar case that would also be won leading to the highest fine to a company for economic crimes in the history of the EU.
It was against this background that thinking about strategic versus operational aspects of IT in the public sector changed. The report on Echelon made it clear that reducing IT into a merely operational exercise had disastrous consequences on the sovereignty of European states with respect to, in particular, the United States (and perhaps in the near future, China, other technically capable countries or non-state organizations). The economic consequences of industrial espionage against many high-tech and R&D-intensive companies became a major concern for the government.
The IT policy of governments would from 2002 onwards be based first on the political principles of a democratic and sovereign state. This not only meant a very different policy in the field of technology selection and procurement, but also the balance between outsourcing versus in-house expertise and required an extreme degree of transparency from all suppliers. Open data standards for public information were required, and non-compliance resulted in severe penalties (although public ridicule from 2009 onward was generally the most effective). These new frameworks for public IT created a new market for service providers who based solutions on so-called ‘Free Software’ (previously better known as ‘opensource’). The high degree of transparency both in project implementation as the technology itself made for a well functioning market and made recycling of (parts-of) systems the norm. Spending on software fell sharply and the freed up budget was used for the recruitment of highly qualified IT workers under conditions that could compete with the offerings of market.
The full transparency with respect to both the IT projects and the tech itself, combined with a depth of expertise within the government, changed the market for public software and IT services. Quality rose steadily while prices remained permanently under pressure. Since all service providers had full access to all software used in government (with only a few exceptions in defense, justice and home affairs), there was a very open playing field where all providers were expendable (and those who performed below par were replaced regularly).
In addition, computer and IT education from kindergarten to university studies was fundamentally revised. Basic understanding of the operation of computers and information networks became as normal as reading and writing. From 2006 every 14 year-old was taught in school how to encrypt email and what the disadvantages were of using software whose source codes are not published. Through this awareness among young people in Europe the adoption of social media occurred very differently than in the U.S.. Young people not only had end-user skills but real understanding about what was happening to their information when sending a message or upload a photo to websites. Being careful with your private information was considered cool. The social media landscape was not dominated by a handful of U.S. companies, instead there was a landscape of federated services such as Diaspora who competed among themselves but were compatible in the same way as is the case with email. These services were sometimes somewhat centralized but, just as often, completely decentralized and run on micro-servers in many people’s homes (such as the UK-invented 35 Euro RaspberryPi).
Due to the high privacy and safety awareness online crime did not have much grip on most European countries. Hardly anyone was naive enough to log on to strange domains or websites in response to a fake email that appears to come from their bank. And the use of customized secure USB drives created by various banks was accepted as obvious for any major online financial transactions. At the level of organisations high levels of expertise and a high degree of diversity in technology implementations made for robust security that was only seldom breached. The large demand for experts in well-paid jobs also kept many would-be criminals from selling their skills for more destructive applications.
This is the IT that Europe could have had if other choices were made over the last 12 years. All the knowledge and technology for these choices were available in the first months of this century. Because these choices were not made Europe has spent hundreds of billions on software licenses and services from American companies, while there were cheaper (often free), more flexible and safer alternatives available that would not operate as a foreign espionage platform. All these hundreds of billions were not not invested in European service, training, education and R&D. The economic impact may be a multiple of the roughly $1 trillion in foreign software licenses spent by Europe this century, while the social cost resulting from manipulated politicians during transatlantic negotiations on trade or environmental matters will probably never be known.
Europe still has everything it needs to develop and implement such policies. It is not too late to turn, no matter how regrettable the policy failures of the last decade and no matter how many wasted billions. Today could be the first day of such a new course. Concrete examples in the Netherlands, Germany, France, Spain the UK and many other places show that this is not only possible, but almost immediately leads to huge savings, improved safety and independence from foreign parties in future IT choices.
It’s not often that regaining national sovereignty and the restoration of civil rights can spur national innovation and employment programs simultaneously. The only thing missing is the political will to stop rewarding businesses and governments that use their technological dominance to spy on the entire world. We have nothing to lose but our chains to the NSA.
Dear Members of the Committee on ICT ,
On June 1st, 2012 I was invited by your predecessors to contribute to the expert meeting of the Parliamentary Working Group on ICT projects in government. The written submission that I made at that time is here, including a video of those hearings (in Dutch).
As an IT architect but also as a concerned citizen, I have been actively involved with the IT policy of the government since 2002, focusing on the areas of electronic health records, security and open standards / open source software. On the latter issue I was the initiator of the 2002 Parliamentary ‘Motion Vendrik’ that advocated greater independence from dominant software suppliers. Last year I also served as a technical expert on the Committee of Minister Plasterk who advised on the (im)possibilities of electronic support for the electoral process.
Although this motion Vendrik from 2002 was translated into the Heemskerk Action Plan in 2007, this policy was quietly killed in 2010/11 by the lobbying power of large software vendors and the U.S. government. Even the Court-of-Audit was pressured to *not* ask certain questions in its 2011 report on the policy. Since 2002, the Netherlands has spent about 60-90 billion on foreign software, for which in many cases free, equally good or better alternatives are available. Their use is, however, actively hindered by both the Ministries of Education and Interior, as well as the VNG supported by the lobbying apparatus of major suppliers and the U.S. government.
This despite Justice Minister Donner’s 2004 letter to Parliament in response to the Motion Vendrik where he admitted that:
- the government’s dependence on Microsoft was very great;
- that this was a problem ;
- and that by introducing open standards and the use of open source that could be solved.
This dependence has since become much greater and more than one billion Euro was spent on Microsoft licenses over the last decade. That money would have paid for 10,000 man-years of expertise to migrate away from Microsoft products. A large part of the money spent would have remained in the Dutch economy and returned to the state through tax and VAT. Not that 10,000 man-years would have been needed. The Municipality of Ede did it against the odds for a fraction of the cost and now saves 92 % on software expenses (and 25% on overall budget). The rest of the government has yet to take steps. Why is an important question.
In addition to the huge amounts of money involved (the VAT ends up mostly in the Irish exchequer due to inter-EU trade to Irish headquarters of IT companies), it has also become clear in recent months thanks to Edward Snowden in particular that U.S. software is deployed as espionage infrastructure . This has practical implications. For example, the current semi-privatised infrastructure of the national Electronic Health Records system has been put under technical management of an American company and therefore falls under the Patriot Act. But the Windows PCs ( which are de facto mandatory in secondary schools) and Gmail accounts (which are necessary to follow a University course) are part of the global spy network. Similarly with the iPhones that some of you might use, about which NSA internal documents boast of the 100% success rate in automated monitoring at zero dollars cost per device.
All this means that even if IT projects according to any definition ‘succeed operationally’ these often still violate the basic rights of millions of Dutch citizens (article 12 NL – Constitution, Art 8 ECHR , Art 12 UNDHR). Examples include electronic heatth records, transportation smart cards and many information processing systems of governments that have been outsourced on foreign soil and/or to foreign companies (such as the database of fingerprints that for many years has been linked to the issue of passports).
Both the EU and the Dutch government have been aware of this problem since the summer of 2001, yet nothing has since been done in the Netherlands to ensure the privacy of citizens or the data security of Dutch public and private institutions. Indeed, much has been done by the government which has greatly exacerbated this problem.
The above points, in my view, mean that a purely ‘operational ‘ approach to project success simply does not cover all the obligations of a democratic government in its role as guardian of the rights of its citizens.
This past weekend, I have viewed the first five videos of hearings and was most impressed by the contribution of Mr. Swier Jan Miedema. He seemed to be the only person genuinely committed to getting to the heart of the problems and saying out loud what he thought (although Prof . Verhoef also make quite a few wise points). The most compelling aspect of his testimony was the obvious fear of specifically naming a commercial party. This seems to confirm what many in the Dutch IT world know: companies like Centric abuse their dominant position in local government for short-term gain including the exclusion of anyone who is a threat to those gains (here another example).
That an IT professional of such seniority has to beat around the bush with a trembling voice is typical of the situation in the ‘market’ for public ICT. Institutionalized corruption and abuse of power is more associated with a developing country than a democracy.
In the conversations with both Mr. Miedema and other experts several members of the committee asked several times if these people could not suggest what would ‘solve’ all this. As if the problem was something that could be fixed with some trick. It is worryingly obvious that (two years and 8-12 billion after the start of the Commission) there is still the idea these problems can be solved by changing project-management methodology. Based on my experience, I believe that the problem is much more fundamental. I strongly urge you to look much more widely and more deeply at the problem and to not exclude your own role as parliamentarians in this. No questions or solutions should be taboo. Even if thereby the significant economic interests of above mentioned suppliers or the job security of groups of officials/civil servants must be called into question.
Both Mr. Miedema and Prof. Verhoef expressed the view that everything that happens can be broadly explained by the incompetence that exists in both the government and its suppliers. There are however, limits to the incompetence theory. Somewhere in the process the prolonged and appalling scale of wasting money, endangering the cyber security of the Netherlands and violating the privacy of millions of Dutch citizens has been allowed (or at least not considered an important subject). The fact that the Commission itself over the last 2 + years can spend a couple of hours a week on a problem that costs hundreds of millions of Euros monthly might also be an indication of some inexplicable non-priority. There are many officials, businesses, cybercriminals and intelligence services abroad that greatly benefit from the status quo. Look especially at those who do not come to your hearings.
In the 21st century laws are made reality by software. So it no longer befits a democracy to hand over control of that software to (often foreign) commercial parties. Executive parts of government must be accountable to you ultimately and without control over the technology that underpins their work this accountability is simply not possible.
Obviously I am willing to explain myself further as to above matters.
With kind Regards,
June 9th 2014: In The other IT of another Europe I commemorate one year of the Snowden/NSA scandal by describing a scenario in wich other choices were made, choices that are still open to us today…
Friday a week ago I, along with other "experts", attended a Parliamentary Working Group to answer questions about government IT projects. This was a Parliamentary group of MPs investigating the many IT failures of the government. After the summer (and the sept 12th elections), the investigation should begin with a sharp set of research questions. The invited experts were there to help formulate the right questions.
Here are my blog links to some of the available online advice written by the working group and the video stream (all in Dutch). It was striking how unanimous was the message presented by all the IT experts, given the variety of backgrounds.
Like other columnists and opinion writers, I also emphasised the failings of government and egregious damage to national security, privacy and general public funds. From available data, in terms of the government, the cost to the Dutch has moved from millions to billions of euros annually.
With such a government it is like shooting fish in a barrel for columnists. Therefore it was refreshing on this occasion to make a more constructive contribution. Although it was a pity that such meetings do not occur more frequently and are not better attended by the officials and suppliers who are responsible for all these projects. As 6 billion euros pour down the drain every year (and that is only the out-of-pocket costs – the social impact may be much higher) it might be a good idea to hold consultations more often. While I doubt that the gathering last week has any ready-made solutions for all the problems, I think there is a reasonable degree of consensus about their root causes:
1. Wrong incentives for both government and suppliers; who actually has an interest in completing projects within the agreed time frame and under budget? Nobody. Not the supplier, who could just add many more billable hours, and therefore finds added complexity much more lucrative. Not the responsible bureaucrats, because when a project runs they have a job and a growing staff to do things – the larger your group, the more important you are. And because projects quickly become a political matter, and then a 1000% overspend becomes perfectly acceptable in order to save the neck of some senior official. There are never any penalties for any of the involved parties, no matter what the scale and comsequences of the failures. The same officials continue to hire the same 10 major suppliers.
2. Too little substantive knowledge; allows suppliers to drive the process; because most government departments lack the expertise they allow suppliers to drive virtually all substantive activities. This allows vendors to interfere in advisory roles about the the delivery of products and the implementation of services. This is very profitable for the suppliers, but not so great for the cost or technology choices that are supposed to work in the interest of the government and the citizens.
3. Total lack of oversight and transparency; there is so little transparency that the government does not know what it has, what it buys and how much it costs. Previous attempts by Parliament to get an insight into all this failed. The consequence is that most so-called "business cases" are mostly hot air. If it is impossible to assess what something currently costs and the expense of replacing it, we are sailing blind. Probably on the ‘advice’ of the vendors mentioned in Point 1.
4. Dangerously naive attitude to security risks; the recent incidents involving SCADA systems and many, many other broken online government services show that the security risks are not incidental but structural in nature. Add Stuxnet to the mix, and it is clear that public systems can be easily manipulated. The social consequences of a targeted attack are difficult to predict, and the government has no contingency plan whatsoever. It is not even clear who is responsible for picking up the pieces when certain services fail.
5. There is no discernable ambition to rectify any of the above points; the government remains quite content to define them as an immutable law of nature or fate and therefore outside its ability to influence.
That all sounds terrible. The question remains – is there anything we can do? Yes we. Because if you have read this, you will probably be concerned about government, your hospital that you might need some day, the school where your children go, the pumping station that keeps your feet dry.
The solution starts with recognizing the five points above. It is not good enough to dismiss the scale of the problem with statements like "but it is not always wrong …". A car which sometimes does not explode is not good enough. After recognising the problem, there must be a real will to improve (perhaps spurred on by a penalty imposed by Parliament). The government must have the ambition to seriously revise its traditional modus operandi. In addition, there must be the will to have a real, effective government, not some call centre for a corporation. The government is not a business, so it should stop pretending. This goal should be the visible core of all subsequent behaviour. Greater transparency will sharply expose any lack of expertise and the wrong incentives; as a result targeted action can be taken. Transparency also makes it much easier for other experts to advise government (for example about that naïve attitude to security).
How large, complex and important all these questions may seem to be. Yet the more important questions were asked last month by Professor Eben Moglen in a masterly speech in Berlin: "Why Freedom of Thought Requires Free Media and Why Free Media Requires Free Technology". Under the speech there are now discussions that ‘I Have a Dream‘ meets ‘Band of Brothers‘ (a vision combined with a call to action). That is how this speech should look to anyone involved in IT, and triply so to bureaucrats. I hope that our MPs can also spare an hour to watch it this summer. To waste 6 billion Euros a year is bad, but to throw away the hard-won freedoms of the past 1000 years – that’s really bad.
On June 1st 2012 the Dutch government’s Parliamentary working group on government IT-projects held a hearing of experts. My written contribution below. Capture of videostream… (in Dutch). Dutch journalist Brenno de Winter published his thoughts here. Column on this published the week after here.
Introduction – IT and the Dutch national government
Universality is an assumption of astrophysics that states that all phenomena, everywhere, behave as we observe them from Earth. I’m assuming that phenomena I have observed in specific government IT projects also occur in government IT projects that I have less infromation about (this is usually caused by the poor implementation of Freedom Of Information Acts, see the notes of Mr de Winter).
IT project management is currently based on a rather naive model of reality – "smart entrepreneurs compete on a level playing field for the favours of the government, which then procures with insight and vision." However, this model does not adequately predict the observed outcome of the projects. Whence this group.
Another model would be "a corrupt swamp with the wrong incentives, populated by sharks and incompetent clowns". This model has the advantage of perfectly predicting the observed outcomes.
The price of outsourcing everything
No vision, no vigour, no knowledge, and especially no ambition to do anything to improve on any of these. This is the overarching theme of all government IT projects I have experienced both on the inside and externally. And I believe is the fundamental cause of the vast majority of practical problems the group wishes to understand.
From Knowledgenet to the National EHR, the Whale project, voting computers, the public transport card, and the failed attempt to break the monopoly of large software vendors – NOiV … the knee-jerk response remains the same: to reduce a social problem to a technical project that can then be quickly outsourced to IT suppliers and/or advisors. The societal aspects are quickly lost once the train of political promises, commercial interests and project logic leaves the station and becomes unstoppable. Even the parliamentary group on IT projects aims to outsource part of its work to an external company. The chances are that the selected external company will already have as its main selling-point an umbrella contract with the national government. Probably this company will already have been advisors on one or more of the projects that may be under investigation.
In my experience as an advisor of a large government project (from the list of projects provided by the work group), I had to advise another consultant on how to hire yet other outside consultants to perform a security audit. The argument that the government has difficulty in hiring and retaining specialised expertise may be true in specific cases, but in reality, most of the hired ”IT workers” have no specialist expertise. Often they are generalists and/or project managers without much substantive technical knowledge. The inability of government to attract competent personnel should be seen as a problem that needs to be solved and not as an immutable law of nature. If we truly want something to change, we really need to be willing to change anything/everything.
Focus of the research proposal: look at the forest, not at the trees
By focusing on individual projects it is likely that the working group will only look at operational issues within these projects. The broader, underlying causes remain hidden, yet that is precisely where many failures begin. Moreover, it is especially important to look at such overarching issues as potential factors in future projects.
If anything has become clear since the Diginotar case, it is the total lack of accountability or sanctions subsequent to the failure of both executive and supervisory organisations and officials. Suppliers and officials who have endangered the security of citizens and the functioning of the state have largely remained in position, free to repeat their mistakes in a few more years. Evaluation, in this context, is therefore only useful if lessons learned from them can be used to prevent a repetition of similar birth defects in new projects in the future.
Analyse context: causes and societal consequences of failure
When the EHR project was cancelled by the Senate, there was great indignation about the "wasted" 300 million Euros that had been spent. In my view, the 300 million is not the issue we should be focusing on. If the figures used by the Health Ministry and Nictiz concerning the need for the EHR system were correct, the real costs of the failure of the EHR system over the past 12 years are more than 20,000 lives and 16 billion Euros.
Therefore the real question is why Nictiz on the one hand did not have either the budget or the required mandate to deal with the problem, and on the other hand why this national disaster was not the most important issue for the Health Ministry to address. Why did the leadership of the Ministry not have its hand on the wheel, with weekly reports to the Cabinet and parliament?
If the publicly-stated figures are incorrect, Parliament has been misinformed for more than 12 years and the project should never have been started. Either way, something went very wrong and it had very little to do with the technical aspects of the project (although there was enough to criticise there as well).
The above example is just one of many cases where the formal administrative motivation for a project and subsequently allocated funds and mandates bear no logical relationship.
Also the projects concerning the introduction of voting computers and the public transport card, had logical holes of Alice-in-Wonderland-like proportions. A very high level of public transparency about new projects here would probably have enabled citizens to provide both solicited and unsolicited assistance to the government in finding these holes.
It would also help to restore some confidence amongst citizens, whose faith has been repeatedly dented. On the one hand the government uses its own incompetence as an excuse for failure, while on the other hand two weeks later it will ask its citizens to rely on its ability to finish a new megalomaniac techno-fix for a complex social issue. The current deep lack of credibility ultimately becomes a question of legitimacy.
Selection criteria for examining IT projects:
- Extent to which the original official motivations and assumptions were not investigated or found not to be substantiated. What was the problem? How would the proposed IT project fix this? Why was the gap between policy and reality not foreseen?
- Social costs of not solving a problem (by the failure of the project); these are often multiples of the cost of the IT project itself.
- Damage to citizens and their rights because of the failure of project or because of incorrect technical and organisational choices made during implementation.
IT projects the working group hould include in the investigation:
- The EHR
- The public transport card
- The NOiV & the NCA investigation into the failure of this policy.
- GOLD / DWR – introduction of the ‘standardised’ workplace for the national government between 2004 and today.
My Court of Audit questions for investigation into national openstandards and opensource policy 2010
Doublethink is a concept that was introduced by George Orwell in his famous novel ‘1984 ‘. It is a mental mechanism that allows people to believe sincerely and simultaneously two completely opposing ideas without a problem.
In the ten years that I have been involved with open source and open standards in the Dutch public sector, I have encountered many double thinkers. So for years I have endured “experts” and insiders patiently explaining that the migration to open source desktops within that community would be impossible, because civil servants could not work with other platforms. Asking non-techies to use anything but the Windows + Office desktop they were taught at Dutch schools would lead to disaster. It Just Could Not Happen.
The certainty with which this (to this day) is mouthed as an aphorism everywhere has always amazed me. Previously, the Netherlands had migrated from WP5.2 in DOS to Windows Word 6, yet the Earth kept turning, children went to school and there was water from the tap.
Multiple migrations, mostly outside the Netherlands, have also demonstrated that ordinary users can do their work well with alternative platforms, provided they are given some training and support (something, indeed, that is perfectly normal when migrating to new releases of the usual proprietary systems).
The same people who for years have claimed with great certainty that "It Just Could Not Happen” have been busily rolling out iPads to the many managers and directors, who for many and varied reasons discover they need one. Apparently the adoption of an entirely different platform with a totally different interface is not as problematic as was asserted for all those years. Huh?
The classic “civil service desktop” tribe, led by IT heads of ministries and municipalities and supported by Microsoft, Pinkroccade and Centric, have had many happy years of “standardising” the Netherlands on proprietary tools, the management of which would then be done by the Dutch business partners of Microsoft. When asked why such a vulnerable and expensive monoculture was necessary, the standard reply is "working together!". For “working together”, according to these people, can only occur if everyone works with exactly the same stuff (never mind that millions of people on the internet are working together with very different tools). And that stuff should be consistent with what people already know, because learning something new is ultimately ‘not realistic’.
The Web 2.0 tribe wants everything on "the cloud" so that with iPads they can “work together” from Starbucks with colleagues and consumer-citizens-entrepreneurs. That this places control of state information in the hands of uncontrolled private and foreign parties is not part of the discussion. "We must work with the most modern tools!" When asked what they do in concrete terms, the answer is almost always shifty or there is some muttering about experiments and the importance of “working together”.
Both of the above tribes mix at “e-government” conferences and other such events and hear both perspectives, one after the other, with nobody apparently perceiving these contradictions. It is Doublethink in its ultimate form: simultaneously believing two contradictory ideas without experiencing a conflict: from 11:00 to 11:30 they can believe that a Microsoft monoculture is a necessary requirement for civil servants to “work together”, and then from 13:30 until 14:00 just as happily accept that all hip 2.0 workers, with their privately-bought iPads authorised via LinkedIn, must have access to the State-intranet so that they are finally able to “work together” with other officials. And nobody is pointing to the naked emperor and saying that at least ONE of these two stories has to be nonsense (and probably both).
Despite all this focus on collaboration between government organizations are regularly at odds, working against each other, re-inventing wheels 300 times, or point to each other when things go wrong. Even Caligula or G W Bush could still learn a thing or two from such levels of surrealism.
Proprietary vs. open source in government is just ONE of the examples where sly salesmen from dubious companies appear to be much more attractive than people with demonstrated expertise. Also in the cases of Electronic Health Records, voting computers, the public transport chip card and the security of its own systems, the government actively chose lying, cheating vendors and/or incompetent bureaucrats over its own citizens and academics with a proven expertise.
After last year’s ‘Leaktober month’ and the Diginotar drama, it appeared that some light might finally break in, but now it is clear that one deals with problems by treating them as an immutable fact of reality. With the logic of “as it is now, so shall it remain”, the years-long impetus towards greater vendor independence and diversity of systems ground to a halt. Now the same logic is used as an excuse to defend failure everywhere. It’s a bit like claiming to achieve fire safety by shouting that not every building is on fire, and anyway the fire engines can drive with 130km/hr away – "We react so quickly!". Prevention is seen as difficult and, moreover, "as it is now, so shall it remain – you will never be safe."
Despite this latest capitulation to foreign intelligence services and criminals, yet more megalomaniac IT projects are underway. Citizens continue to entrust the government with all their personal information, despite the fact that the government itself admits to being unable to protect them adequately. When working on such projects, you’d need to remain in a permanent state of Doublethink to avoid a serious moral dilemma.
Once the Netherlands had a government that built the Delta Works to keep the sea out and ensured that the country was ranked in the global top 2 or 3 in the fields of health, education, social security, security, democracy and transparency of governance. Only Sweden and Denmark sometimes did better.
Today feels like the Dutch government is abolishing itself. It knows nothing, wants nothing, does nothing. Perhaps we the citizens should do the same. Give them nothing, ask for nothing, expect nothing. The Zen of the citizen-government relationship. Happiness is low expectations!
<originally a Webwereld column – in Dutch>
Diginotar’s multiple IT failures in the public sector have been swept under the carpet. So far, nothing indicates that there will be any real change to the Dutch government’s overdue IT projects. During the hearing (mp3 – in Dutch) in the Lower House it was apparent that neither the government overseer OPTA or auditor Price Waterhouse Coopers believe themselves at fault, despite the fact that for years as regulators they have rubber stamped the work of Diginotar. The decisions of the PwC auditors were obviously good because "they are executed by responsible professionals". This will be heartening for all those Iranian citizens who are suffering the consequences of this (think of an unpleasant convergence of kneecaps and power tools).
But because of the chaos at Diginotar, we may never know for certain the full horror of those consequences. It is very simple for someone to take over an entire network and manipulate all the logs. The only thing we can really say with any certainty is that so far we have no reason to believe that IT security was any better in the past than the recently discovered FoxIT mess. The PwC audits are obviously not able to detect such a mess and OPTA apparently did not even look. Possibly Diginotar has been totally hacked for many years, and nobody noticed. A really smart spy or cyber criminal does his job and leaves no traces. The many detailed discussions about the exact scale and timeline of the hack have completely ignored this fact. From his grave Socrates is smiling at the idea that we only certainly know what we certainly do not know.
The most important question is surely: "how can we prevent such a critical part of our IT infrastructure from falling into foreign hands?". But this question was apparently not even on the radar of our regulators or MPs. Recent discussions about the USA browsing through our systems without judicial oversight make this question particularly pertinent. But perhaps I am somewhat naive to expect that my government to be both capable and motivated to protect the interests of its citizens.
Teamwork: it spreads the blame
Diginotar is yet another egregious example of a public IT function going terribly wrong at every conceivable level (selection, implementation, monitoring), and yet nobody being held responsible for the consequences. It is important to recognise that we shall probably never know how serious the real consequences were – especially for that unknown number of Iranian citizens. As a direct result, we must also recognise that we need to replace the people who did this “monitoring”and the "methods" they used. To continue to do the same and yet expect different results is one of the definitions of insanity.
Know nothing, do nothing
If a key IT organisation appointed by the government fails, it is down to a lack of crucial expertise in the government. Everything is privatized and the resulting lack of expertise is an unfortunate consequence of a principle of degraded policy-making. Instead of identifying and solving this lack of substantive expertise, it is dismissed as an immutable law of nature. "It just is" that the government has no employees who have relevant expertise to evaluate, manage and oversee IT projects (or evaluate and oversee the hired vendors). Simultaneously, our citizens trust that same government to properly assess the feasibility and implications of increasingly megalomaniacal IT projects – another symptom of institutional madness.
I therefore see the debate about any special protection for hackers as whistleblowers, however well intentioned, as only a symptom. The government needs to “own” the information, at least to have the right to ask questions and to independently evaluate the answers to these questions. Or should we simply give away control of our sea dykes and hope that a few public-spirited people will report the hole in a dyke on their Sunday off?
Nothing can be leaked that could change the way the people in The Hague deal with these problems. Nobody loses their head, even after such a mega-failure as Diginotar: and in comparison the implementation of both the electronic medical records and the public transport Chipcard pales into insignificance, butno doubt these projects also continue despite faillure after faillure.
What is necessary for a real breakthrough? Like I said in a debate about the EMR in 2005: an event that is too terrible to ignore. Because that is always what it takes in the Netherlands to shift our political-administrative system down a different path. It is always susceptible to the pressures of existing commercial interests or the idea of a couple of people losing their jobs. The complexity of Dutch society and the economy might itself bring about that change: something like a national breakdown of hospital systems, or something like an exploding refinery in the Rotterdam area. There are so many vulnerabilites to choose from.
I suspect there is a “sweet spot” in terms of deaths versus effective political impact. Somewhere between the Enschede fireworks disaster (23 dead) and the 1953 flood (1835 dead), so to speak. I share Rop Gongrijp’s analysis that after Diginotar nothing will change (because there were no deaths on TV). We are waiting for the big blow that is strong enough to make real change possible. Only then will there room for other people with more technical expertise, involving a much higher level of technical requirements and transparency of all the inter-related processes such as design, selection and implementation of new systems.
Perhaps a cruel cyber attack with cute little piglets?
A MP stumbles, coughing, into the doctor’s surgery. There is blood pouring from the ears and nose and left eye. “Doctor, doctor, I’ve just had a bad fall and I think I’ve broken my wrist” gasps the MP. The doctor has a look and briefly feels the pulse. “Does that hurt?” “A little bit” mumbles the MP. “I don’t think it’s that bad” says the doctor. Unfortunately I can’t check it today as the digital X-ray machine is broken”. The MP is swaying back and forth. “It’s probably just a bruise, the nurse will give you a sling. Take it easy for a couple of days and come back if it’s still painful.” The MP staggers out of the surgery, still bleeding from the ears, nose and eye. The doctor is already focused on the file of the next patient, because doctors are very busy.
The process described above resembles the way the Court of Audit went about answering MPs questions about our national IT strategy. The MPs asking those questions were not experts and the Court provided simplistic answers without providing any context or stopping to consider whether the symptoms might be part of a broader problem. The newly-published report failed to respond even to the superficial questions and, moreover, based its answers on minimal data. Which is a disgrace, as it is precisely the role of the Court to delve into the deeper issues.
Instead of focusing on the 88 million euros spent on licence fees (less than 1% of the total annual licence expenditure), the Court could and should have explored why a different approach can work in other European countries, but fails in the Netherlands. Is this country really so different from Finland, Germany, France or Spain? As their colleagues in the Central Planning Bureau had done in 2009, the Court could have produced its own qualitative analysis of the macro-economic effects of large-scale, open source implementations. This as a viable alternative to annual imports totalling of more than 8 billion, primarily from the USA. The macro-economic demand alone is relevant since the VAT and profit tax of this trade ends up predominantly in the Irish treasury, because of inter-EU trade regulations. (I ‘m not necessarily against bailing out Ireland but this can surely be done more efficiently). Also the figures of the 2004 SEO study are still current enough to be indicative for order of magnitude estimates.
As one of the ‘experts’ consulted by the Court, I am very disappointed by the minimalist approach it took. But perhaps I shouldn’t have been surprised – after all, in a previous report, the Court had also dithered, even after they had determined the government really had no insight whatsoever into its own IT spending. It is beyond me why a subject such as IT, where so many aspects can go so terribly wrong, is not more thoroughly and strategically overseen. In my written input to the Court last year I proposed several clear ways to frame the fundamental questions. For those who, like doctors, are very busy here is a summary:
Dear MPs, the Netherlands is a modern western country with access to the same knowledge, technology and IT budgets as Germany, France, Spain and Finland. Today all these countries have already achieved widespread adoption of open source and open standards in government. The work of the Dutch government is also very similar to these countries – certainly generic aspects such as office automation. So, eight years after the original and unanimous vote by parliament, surely the only reason that the Netherlands cannot implement this policy is our administrative culture and our Atlanticist political orientation. There is certainly no fundamental reason why the results of the other countries I mentioned cannot be replicated in the Netherlands, particularly because those same countries have already done all the preliminary research for us. But in recent years potential obstacles for migration have been elevated to norms, rather than being correctly identified merely as part of a problem to be solved.
Parliament should no longer accept high dependence on a supplier being invoked as an excuse for not making progress towards becoming less dependent on that supplier (as the government did in response to parliamentary questions in in 2004, 2006 and 2008). The high dependency is the problem that must be solved, not an immutable law of nature where IT departments are the powerless victims.
Parliament should no longer accept the acknowledged lack of technical and organisational expertise of the 60,000 government IT professionals (and its suppliers) as a valid excuse for the lack of progress. It is implausible that the Dutch state cannot find the requisite skills to replicate the results of its European neighbours. Any IT staff and management found lacking in the necessary skills to carry out the very reasonable requests from parliament should be retrained or replaced. Incompetence is grounds for dismissal, not a valid excuse to refuse to do the work.
Of course there will be problems in unravelling this gigantic Gordian knot, created by decades of accumulated proprietary software. But the most frequently cited excuses for not making a start with OSS and OS are similar to those used by asbestos manufacturers: "yes, but it is handy", "we have been using it for so long", "we are comfortable with it", "we know nothing else". All factually correct statements, of course, but certainly not valid excuses to prevent us from finding an alternative solution.
If the government had started making these changes way back in 2002, as parliament voted to do, the cutbacks we’re now suffering in education and health care would have been more than covered.
On this issue, the Netherlands seems to have been reduced to providing the frightening role for the rest of Europe on “how not to do it….”. Too bad.