Waiting for the big one

<originally a Webwereld column - in Dutch>

Diginotar's multiple IT failures in the public sector have been swept under the carpet. So far, nothing indicates that there will be any real change to the Dutch government's overdue IT projects. During the hearing (mp3 – in Dutch) in the Lower House it was apparent that neither the government overseer OPTA or auditor Price Waterhouse Coopers believe themselves at fault, despite the fact that for years as regulators they have rubber stamped the work of Diginotar. The decisions of the PwC auditors were obviously good because "they are executed by responsible professionals". This will be heartening for all those Iranian citizens who are suffering the consequences of this (think of an unpleasant convergence of kneecaps and power tools).

But because of the chaos at Diginotar, we may never know for certain the full horror of those consequences. It is very simple for someone to take over an entire network and manipulate all the logs. The only thing we can really say with any certainty is that so far we have no reason to believe that IT security was any better in the past than the recently discovered FoxIT mess. The PwC audits are obviously not able to detect such a mess and OPTA apparently did not even look. Possibly Diginotar has been totally hacked for many years, and nobody noticed. A really smart spy or cyber criminal does his job and leaves no traces. The many detailed discussions about the exact scale and timeline of the hack have completely ignored this fact. From his grave Socrates is smiling at the idea that we only certainly know what we certainly do not know.

The most important question is surely: "how can we prevent such a critical part of our IT infrastructure from falling into foreign hands?". But this question was apparently not even on the radar of our regulators or MPs. Recent discussions about the USA browsing through our systems without judicial oversight make this question particularly pertinent. But perhaps I am somewhat naive to expect that my government to be both capable and motivated to protect the interests of its citizens.

Teamwork: it spreads the blame
Diginotar is yet another egregious example of a public IT function going terribly wrong at every conceivable level (selection, implementation, monitoring), and yet nobody being held responsible for the consequences. It is important to recognise that we shall probably never know how serious the real consequences were - especially for that unknown number of Iranian citizens. As a direct result, we must also recognise that we need to replace the people who did this “monitoring”and the "methods" they used. To continue to do the same and yet expect different results is one of the definitions of insanity.

Know nothing, do nothing
If a key IT organisation appointed by the government fails, it is down to a lack of crucial expertise in the government. Everything is privatized and the resulting lack of expertise is an unfortunate consequence of a principle of degraded policy-making. Instead of identifying and solving this lack of substantive expertise, it is dismissed as an immutable law of nature. "It just is" that the government has no employees who have relevant expertise to evaluate, manage and oversee IT projects (or evaluate and oversee the hired vendors). Simultaneously, our citizens trust that same government to properly assess the feasibility and implications of increasingly megalomaniacal IT projects - another symptom of institutional madness.

I therefore see the debate about any special protection for hackers as whistleblowers, however well intentioned, as only a symptom. The government needs to “own” the information, at least to have the right to ask questions and to independently evaluate the answers to these questions. Or should we simply give away control of our sea dykes and hope that a few public-spirited people will report the hole in a dyke on their Sunday off?

Nothing can be leaked that could change the way the people in The Hague deal with these problems. Nobody loses their head, even after such a mega-failure as Diginotar: and in comparison the implementation of both the electronic medical records and the public transport Chipcard pales into insignificance, butno doubt these projects also continue despite faillure after faillure.

What is necessary for a real breakthrough? Like I said in a debate about the EMR in 2005: an event that is too terrible to ignore. Because that is always what it takes in the Netherlands to shift our political-administrative system down a different path. It is always susceptible to the pressures of existing commercial interests or the idea of a couple of people losing their jobs. The complexity of  Dutch society and the economy might itself bring about that change: something like a national breakdown of hospital systems, or something like an exploding refinery in the Rotterdam area. There are so many vulnerabilites to choose from.

I suspect there is a “sweet spot” in terms of deaths versus effective political impact. Somewhere between the Enschede fireworks disaster (23 dead) and the 1953 flood (1835 dead), so to speak. I share Rop Gongrijp's analysis that after Diginotar nothing will change (because there were no deaths on TV). We are waiting for the big blow that is strong enough to make real change possible. Only then will there room for other people with more technical expertise, involving a much higher level of technical requirements and transparency of all the inter-related processes such as design, selection and implementation of new systems.

Perhaps a cruel cyber attack with cute little piglets?