Nederlands
English
Category: security
Parliamentary hearing on IT-projects, security & privacy
On June 1st 2012 the Dutch government’s Parliamentary working group on government IT-projects held a hearing of experts. My written contribution below. Capture of videostream… (in Dutch). Dutch journalist Brenno de Winter published his thoughts here. Column on this published the week after here.
Introduction – IT and the Dutch national government
Universality is an assumption of astrophysics that states that all phenomena, everywhere, behave as we observe them from Earth. I’m assuming that phenomena I have observed in specific government IT projects also occur in government IT projects that I have less infromation about (this is usually caused by the poor implementation of Freedom Of Information Acts, see the notes of Mr de Winter).
IT project management is currently based on a rather naive model of reality – "smart entrepreneurs compete on a level playing field for the favours of the government, which then procures with insight and vision." However, this model does not adequately predict the observed outcome of the projects. Whence this group.
Another model would be "a corrupt swamp with the wrong incentives, populated by sharks and incompetent clowns". This model has the advantage of perfectly predicting the observed outcomes.
The price of outsourcing everything
No vision, no vigour, no knowledge, and especially no ambition to do anything to improve on any of these. This is the overarching theme of all government IT projects I have experienced both on the inside and externally. And I believe is the fundamental cause of the vast majority of practical problems the group wishes to understand.
From Knowledgenet to the National EHR, the Whale project, voting computers, the public transport card, and the failed attempt to break the monopoly of large software vendors – NOiV … the knee-jerk response remains the same: to reduce a social problem to a technical project that can then be quickly outsourced to IT suppliers and/or advisors. The societal aspects are quickly lost once the train of political promises, commercial interests and project logic leaves the station and becomes unstoppable. Even the parliamentary group on IT projects aims to outsource part of its work to an external company. The chances are that the selected external company will already have as its main selling-point an umbrella contract with the national government. Probably this company will already have been advisors on one or more of the projects that may be under investigation.
In my experience as an advisor of a large government project (from the list of projects provided by the work group), I had to advise another consultant on how to hire yet other outside consultants to perform a security audit. The argument that the government has difficulty in hiring and retaining specialised expertise may be true in specific cases, but in reality, most of the hired ”IT workers” have no specialist expertise. Often they are generalists and/or project managers without much substantive technical knowledge. The inability of government to attract competent personnel should be seen as a problem that needs to be solved and not as an immutable law of nature. If we truly want something to change, we really need to be willing to change anything/everything.
Focus of the research proposal: look at the forest, not at the trees
By focusing on individual projects it is likely that the working group will only look at operational issues within these projects. The broader, underlying causes remain hidden, yet that is precisely where many failures begin. Moreover, it is especially important to look at such overarching issues as potential factors in future projects.
If anything has become clear since the Diginotar case, it is the total lack of accountability or sanctions subsequent to the failure of both executive and supervisory organisations and officials. Suppliers and officials who have endangered the security of citizens and the functioning of the state have largely remained in position, free to repeat their mistakes in a few more years. Evaluation, in this context, is therefore only useful if lessons learned from them can be used to prevent a repetition of similar birth defects in new projects in the future.
Analyse context: causes and societal consequences of failure
When the EHR project was cancelled by the Senate, there was great indignation about the "wasted" 300 million Euros that had been spent. In my view, the 300 million is not the issue we should be focusing on. If the figures used by the Health Ministry and Nictiz concerning the need for the EHR system were correct, the real costs of the failure of the EHR system over the past 12 years are more than 20,000 lives and 16 billion Euros.
Therefore the real question is why Nictiz on the one hand did not have either the budget or the required mandate to deal with the problem, and on the other hand why this national disaster was not the most important issue for the Health Ministry to address. Why did the leadership of the Ministry not have its hand on the wheel, with weekly reports to the Cabinet and parliament?
If the publicly-stated figures are incorrect, Parliament has been misinformed for more than 12 years and the project should never have been started. Either way, something went very wrong and it had very little to do with the technical aspects of the project (although there was enough to criticise there as well).
The above example is just one of many cases where the formal administrative motivation for a project and subsequently allocated funds and mandates bear no logical relationship.
Also the projects concerning the introduction of voting computers and the public transport card, had logical holes of Alice-in-Wonderland-like proportions. A very high level of public transparency about new projects here would probably have enabled citizens to provide both solicited and unsolicited assistance to the government in finding these holes.
It would also help to restore some confidence amongst citizens, whose faith has been repeatedly dented. On the one hand the government uses its own incompetence as an excuse for failure, while on the other hand two weeks later it will ask its citizens to rely on its ability to finish a new megalomaniac techno-fix for a complex social issue. The current deep lack of credibility ultimately becomes a question of legitimacy.
Selection criteria for examining IT projects:
- Extent to which the original official motivations and assumptions were not investigated or found not to be substantiated. What was the problem? How would the proposed IT project fix this? Why was the gap between policy and reality not foreseen?
- Social costs of not solving a problem (by the failure of the project); these are often multiples of the cost of the IT project itself.
- Damage to citizens and their rights because of the failure of project or because of incorrect technical and organisational choices made during implementation.
IT projects the working group hould include in the investigation:
- The EHR
- The public transport card
- The NOiV & the NCA investigation into the failure of this policy.
- GOLD / DWR – introduction of the ‘standardised’ workplace for the national government between 2004 and today.
Doublethink, Waiting for the Big One, Doctor doctor, Asbestos, Gran knows why, (my columns)
My Court of Audit questions for investigation into national openstandards and opensource policy 2010
Prof. Eben Moglen explains the big societal picture (45 min speech) – must watch!
Unsuitable
<originally a webwereld column in Dutch>, <also on HuffPo UK>
Over nine years ago, I was talking to Kees Vendrik <Dutch MP) about the broken Dutch software market. Not only was it impossible to buy a top brand laptop without buying a Microsoft Windows licence, it was also impossible to visit many websites (municipalities, Dutch railways and many others) without using Internet Explorer. The latter area has greatly improved and I can lead my life using my OS and browser of choice. Only occasionally do I have to just swallow a Windows licence when buying a new laptop. Not much has improved in that area. Our national dependence on products such as MS Office has not really diminished either, despite all the wishes of our Parliament and its related governments policies.
Meanwhile, the technological seismic shift that frightened Bill Gates so much back in ’95 (the web makes the operating system irrelevant) is fast becoming reality. Almost all new developments discussed by IT power players and specialists are web-based or based on open specifications and the most commonly used applications are running quite well as service in a browser.
So while the 15-20 year old problem of software dependency is not yet solved (our government, with its tens of thousands of IT workers, is still unable to wean itself off the familiar Microsoft technology stack) its impact is becoming less relevant. Meanwhile, new dependencies based on cloud providers are promising to be even more detrimental.
While excessive use of proprietary software creates the risk of foreign manipulation and potential attacks on critical infrastructure (eg Stuxnet). But at least if your systems are attacked in this way, there are some ways to track this. If you are working on the computer that does not belong to you, that is based in a foreign country and is managed in ways you cannot know, it will be very difficult to have any control over what happens to your data.
The old assumption, that using local servers could be part of the solution, seems unfortunately to be an illusion. All cloud services offered by companies based in the US are subject to US legislation, even if the servers are physically in another country. And US law is now somewhat, shall we say, problematic. With no evidence, but with an allegation of involvement in "terrorism", systems can be closed down or taken over – without any warning, or the possibility of adversarial judicial review. The term ‘terrorism’ has been stretched so far in that anyone who allegedly breaks US law, even if they’re not a US citizen and even if they’re not in the US can still a deemed "terrorist", just on the word of one of the many three-letter services (FBI, CIA, NSA, DIA, DHS, TSA, etc.). The EU is not happy about this but does not want to go so far as reccomending its citizens and other governments to no longer use such services.
The long arm of the US Patriot Act goes even further than merely the servers of US companies on European soil. Thus domains can be "seized" and labelled: "this site was involved in handling child pornography". Try explaining that as a business or non-profit organisation to your clients and (business)partners. Just using one .com, .org or .net extension as your domain name now makes you liable under US law. All Europeans can now be seized from their homes for breaking US law. So a .com domain name makes your server effectively US territory.
We were already aware that proprietary platforms like Windows and Google Docs were not suitable systems for important things such as running public or critical infrastructure. However, now it turns out, that every service delivered through a .com / .org / .net domain places you under de facto foreign control.
Solution? As much as possible, change to open source software on local servers. Fortunately there quite a few competent hosting companies and businesses in the Netherlands and Europe. Use local country domains like .nl/.de./.fr or, if you really want to be bullet proof, take a .ch domain. These are managed by a Swiss foundation and these people take their independence seriously. Wikileaks today is running on wikileaks.ch after its domains such as .org got a one-way ticket to Guantanamo Bay.
If you still want to use Google Docs, Facebook, Evernote, Mind Meister, Ning.com, Hotmail or Office 365 – please do so with the awareness that you no longer have any expectation of privacy or any other form of civil rights. Good for the administration of the tennis club but completely unsuitable for anything that really matters.
Gran knows why
My grandmother was born in 1920 and left school at the age of 12 to work in her father’s shop. She has never used a computer (but has tried an iPod for audio books). She is now 90 and is still interested in what I do.
Usually I just quickly skip over the technical aspects, because it’s difficult for her to understand. The “why” is much more relevant. Privacy, civil rights and the control of your own details/information. She understands this easily, without having to follow all the technical details of open source codes and cryptography.
Last Sunday, Bits of Freedom in Amsterdam organized a lecture and discussion with Prof. Eben Moglen, a former programmer who is now a law professor and advocate for the use of free software. Part of his lecture was about the risks of cloud computing (see a previous lecture in New York on the same theme).
Besides his new plans for a technical project (the Freedom Box) , Moglen spoke mainly about the principles of digital freedom. Explaining this concept in The Netherlands remains difficult.
A video that Bits of Freedom tweeted about shows this problem. It’s a short list of recent privacy breaches but does not explain why these are problematic. For many viewers there is still a pervasive feeling of "so what?”.
In The Netherlands, the problem explaining this issue is that we have no recent experience of a government that has seriously gone off the rails (unlike Spain and Eastern Europe). The use of a good recent example can be seen in an employee of the German T-Mobile explaining why the British government’s Stasi-style tapping of all mobile phone traffic might not be a good idea. Churchill must be turning in his grave.
As we have only experienced two real disasters in The Netherlands in the last 100 years (the German occupation and the 1953 flood), we as a people fall back on WW2 to explain the importance of civil rights. And then the Godwin-accusations fly. For the post-baby boom generations the war is a (his)story that we read about, but which is not quite real. And the possibility that such a thing could happen again is inconceivable, and therefore unmentionable.
My grandmother has no such problem because she lived through it. A real war – where the previous government was suddenly replaced by a new administration that energetically started using data collected in previous decades, and which found the accurate ethnic records extremely useful: an administration which could put your neighbours on a train to Westerbork concetrationcamp, and would shoot you for owning a radio.
Eben Moglen suggested that we all ask our grandparents why privacy and other civil rights are important. People who have lived through an oppressive state are largely immune to Godwin’s rules. They can speak out from a personal, rather than an abstract, historical perspective. My grandmother is not well enough to speak out, but hopefully there are some grandparents out there who can explain to the younger, Facebooking and tweeting generation in The Netherlands the vital importance of privacy and other civil liberties.
When I’m done explaining things Gran always grabs my hand and whispers "just you be careful!". Because you never know what could happen when you are critisizing governments. She knows this, so take a bit of time to listen to your gran.
Dedicated to my grandmother, Tet de Boer – Olij,
Kollum 1920 – Leidschendam 2010
Article in Surgeon’s journal
The Dutch Journal for Surgeons, publishes an article written by my collegue Younass and myself. We wrote this article to further explain some of the points we made during our keynote at the natinal Convention of Surgeons last month. The entire article here in English and Dutch, the PDF of the journal here. Background links and articles here (mostly Dutch).
When surgeons and IT architects work together…
Younass Aboulghit and Arjen Kamphuis
We live at a time when information technology is drastically changing our lives. We can see the digital process all around us in information systems and the change in our working procedures. People always expect to be able to get information quickly and share it with each other if it’s important. In healthcare there are opportunities and a new generation of patients has high expectations. The question is: how do we embrace the potential of information technology while maintaining quality and professionalism? How do we prevent the indiscriminate use of IT making the work of the specialist more difficult, rather than easier? That things can go badly wrong with healthcare projects has been demonstrated with the case of the Electronic Health Records (EHR).
EHR and related IT projects in healthcare often confuse medical and logistical functions. Different groups within a health institution experience different problems that they want to see solved through IT. Non-medical planning and logistics work is often an important way to improve the efficient use of manpower and resources. However, from the perspective of front-line healthcare providers, this can mean that they feel treated like a cog in a machine, and this does not fit with their sense of professional autonomy. Certain lessons of the logistics of care can be drawn from the tailor-made principles of 20th century industry. However, a hospital is not a widget factory and a patient is certainly not a widget. The factory metaphor is useful, but also has its limitations. And, by not recognising these distinctions, software vendors and corporate buyers over the last 20 years have often gone wrong.
The fundamental problem began with the introduction of the national EHR. Since the mandatory imposition of a national administrative system was considered unfeasible, the decision was taken to centralise and maintain the existing IT systems from 9,000 health care institutions as efficiently as possible. Merging all these systems into one structure was a political and administrative nightmare. Unfortunately, the quality, speed and reliability of the overall national EHR relied on the standards used by each of the individual 9,000 institutions. A critical care professional cannot make decisions based on medical data of questionable reliability. Since no one knows how all these institutions store potentially relevant data about a specific patient, nor how reliable the information is, care professionals are reluctant to use the system. Gendo raised this fundamental problem back in 2005 after a test hack of two hospitals initiated by writer and privacy campaigner Karin Spaink.
Now the First Chamber has quashed the idea of a national EHR, the field is clear for local and regional initiatives to apply lessons learned.
A mistake often made in healthcare is the implementation of large-scale IT systems basically not designed for healthcare. These systems compel hospitals and care institutions to align their processes to the IT rather than vice versa. This ultimately leads to a lot of frustration among service providers. We need to listen to the medical professionals who rely on IT systems in order to perform their job. A successful system should be based on a clear answer to the problems it solves. What are the needs of different stakeholders? Besides a clear definition of the problems, it is very important that stakeholders agree on the way forward. In other words, a shared IT strategy.
A clearly defined strategy can be learned from the experiences of the St Anthony Hospital, which in 2008 began to build its own EHR based on open standards and open source software. The St Anthony consciously chose a longer route where the problem was not fixed by an external supplier, but developed its own solution. One of the steps the hospital took was to establish a steering committee consisting of different types of caregivers. Together they defined the vision and controlled the implementation. The principal reason for choosing open standards was the guarantee of future interconnectivity with other systems and organisations. The choice of open source makes it possible in future to develop new systems jointly with other institutions,without one party having all the control.
The healthcare professionals most closely involved in developing the system need to be assured that they are actually helping their business. Both IT workers and health professionals need to be interested in each area and have the patience to learn. IT professionals are not surgeons, but can understand the problems of surgeons; good surgeons can grasp the basics of IT architecture, learning how to use it without the IT worker having to be present. Only through cross-pollination of knowledge is it possible to create solutions appropriate to both the medical and IT technical reality.
Medical information is complex, and careful handling of patient information is a legal and moral obligation. The IT systems that process such information must be reliable. To ensure reliability, the IT architecture has to meet certain requirements, such as: modular, secure, transparent and easy to audit, scalable, reliable and interoperable. To make these architectural requirements a reality, proven methods and components must be used. Transparency is achieved by using open source and providing proper documentation. IT systems need to be scalable and have built-in redundancy to allow for a comprehensive back-up, recovery, and restoration strategy. To ensure that different IT systems can communicate with each other, they should be based on open standards like DICOM and HL7 messaging for information processing and image sharing. In addition to the above, it is also important that the architecture complies with the laws and regulations laid down for health care institutions, such as NEN7510.
One of the goals of an IT strategy is a vision of the method of software development. An important part of the development philosophy is always to start small and modular. The basis for this is discrete units – ‘blocks’ – performing one very simple function, that are interoperable with other blocks. By such a process of small steps we can clearly prevent out-of-control monster projects costing many millions. A system that has modularity as a design principle will always remain future-proof: new or individual modules can be added to adapt to new medical insights or changing legislation. Another important philosophy is to maximize the use of proven technologies and methodologies: in other words, use technological components where a consensus exists that they are reliable and future-resistant. The Unix OS is a common example of what can be achieved with this method of development. The UNIX family of operating systems currently runs TomTom, super computers, phones and all Apples (including the iPhone and iPad). For those willing to to use it, the modular philosophy has proven to be flexible, scalable, secure and free.
Building an EHR should involve close collaboration between medical professionals and IT architects, and result in compliance with key framework policies. The main challenge is for these two groups of professionals to explain clearly to each other their needs and expertise, and build an EHR structure, block by block, that will encompass everything.
(The authors gave a keynote at the Dutch Surgeons’ Day 2010. We are looking forward to talk with health care professionals who are interested in the above vision to work towards building an EHR)
Autoimmune disease in the pig pen
Computer viruses and palliatives against them are a growing threat to high-tech care. There is a classic solution for the old problem of a vulnerable mono-culture: diversity.
Last Monday alarm bells went off in many IT departments. A viral infection on Windows XP computers was initially caused by an anti-virus update from McAfee. The update made part of the system appear to be a threat and system file protection software made the system unusable, a type of auto-immune disease.
In hospitals and care institutions XP is still widely used, as specialised medical applications are often not ready for the new Windows version (and as often purely because of under-investment). This time it was McAfee, but almost all anti-virus products from time to time cause such problems. Anti-virus updates are a real-time arms race and sometimes in the rush things goes wrong.
From agriculture and ecology, we know that monocultures are efficient but also very vulnerable. It is no different in the pig pen of IT. The management of 4500 identical systems seems simpler than a more varied infrastructure – until a virus or autoimmune disease outbreak. Then the overtime starts. The scale of many of these incidents shows that even large health care institutions do not have proper internal firewalling and compartmentalisation. Nevertheless, the situation is better than five years ago.
Security issues caused by monocultures are not a new story. In 2003 Daniel Greer and Bruce Schneier wrote a report about the security implications of the dominant OS monopoly. Since that time neither the market nor the government has succeeded in effectively breaking this monopoly. In health care applications with medical or laboratory equipment included, many are Windows-only. Vendors often set additional conditions on the PCs, for example no firewall, before guaranteeing proper functionality for of their own applications. Thus a computer virus (or an autoimmune disease) is not only annoying for the admin department, but can also make scanners unusable. The MRI scanner can still take images, but the PC is crucial to the operation and viewing the results. So a Philips or Siemens unit worth a cool million is effectively scrap metal and patients cannot be treated. Sooner or later, this is a real time problem and then way more people than just the help desk are affected. In England, more than 1100 National Health Service computers were infected with a data-thieving worm. And there goes your medical confidentiality.
From the many conversations I have had in recent years with IT workers, I conclude that the difference between a product monoculture (a ‘standard’ desktop) and the application of standards to achieve interoperability is still not understood. Some years ago I spoke to a ministry official who enthusiastically told me that a ‘standard’ desktop was going to be implemented for the entire government. When I asked what standards would be applied, he launched into a list of products, "this version of an OS, this version of a word processor" and so on. The perception is prevalent amongst many IT managers that systems can only work and be properly managed if they are all from the same vendor and version. But this is much more a symptom of market failures and the immaturity of the IT industry. It is a problem to be solved, not a law of nature to which we have to adapt.
That there is another way to do things can be seen from the work over the past 10 years in the Antonius Hospital in Nieuwegein. There they have consistently, in small steps, consciously worked to minimize dependence on a particular vendor, platform or application. What most IT managers of health institutions describe as ‘impossible’ has been done in Nieuwegein. Fortunately this hospital is in the centre of the Netherlands so when a really big crash occurs all critical patients can be sent there. In 2010 we can avoid succumbing to the first virus or software-update-gone-wrong by using virtualisation, web-enabling and open standards environments to build greater diversity and interoperability.
Security workshop – Cascadis Webmasterclass
On 17th September Gendo held a workshop for the Cascadis Webmasterclass meeting. Arjen Kamphuis and Menso Heus gave attendees a broad overview of what the security landscape is like, what are the common threats and what participants could do about it.
The workshop participants worked for local governments, police and other government agencies and used a wide range of systems. By focusing on the theoretical principles of security instead of very specific system information, Gendo managed to keep everyone interested.
The reactions from participants was positive and the workshop was an ‘eye opener’ for many. At Gendo we were very happy about that. Next month we’re training another Webmaster Class, and on 18th November we shall be contributing to the Cascadis Congress – we look forward to it! Here are the slides in ODF and PDF.
Learn more about our vision of information security – an integral part of IT strategy.
