IT-experts: ‘How can the ministry know that information was not stolen?

The Hague – For years the cyber-security protecting government information systems on Bonaire, Saba, and Statia was substandard. These information systems also contained information about citizens and companies. IT-experts are questioning whether or not any information was stolen.

Up until April, individuals with bad intentions could ‘easily access’ the network of Rijksdienst Caribisch Nederland (RCN). The login method used was not secure, and since 2014 it was known that the firewall was quite porous. This created new security risks for the other networks of the Government of the Netherlands.

Could citizens private information be on the streets? A spokesperson for the Ministry of the Interior and Kingdom Relations (BZK) states that this is not the case. “An investigation has not given us any hints that unauthorized individuals have accessed information relating to citizens or companies.”

IT-experts Brenno de Winter, and Astrid Oosenburg are questioning how the BZK reached those conclusions. “A lot of digital footprints are erased automatically. Logs are designed to be cleared periodically”, according to De Winter. “Additionally, you don’t have to log in to do damage.”

‘Reasons to doubt’
“Using forensic methods, you can conclude whether someone logged in to the system, but you have to do this quickly”, according to Oosenburg an IT-expert, and former member of parliament for the PvdA. “How did they investigate this, and when did they investigate this? And why was it not done in 2014?”

Both experts looked at the recent statements released by the BZK. “There are reasons to doubt the statements” says De Winter. “It was not immediately evident what was investigated. The ministry is not showing that something was investigated.”

BZK has been aware of the poor cyber-security in place in the Caribbean municipalities since 2014, but only took emergency measures  in April after the Netherlands Court of Audit (Algemene Rekenkamer) pressured them to do so. According to De Winter this ‘shows that there was no policy in place to monitor breaches’.

What if data was stolen?
At the moment a two-step verification method has been implemented. “In the past you could log in with just a username, and password. Imagine if you had used my credentials to log in, they would not be able to tell it was someone else”, says Oosenburg. “The moment someone enters the system, you can assume that data has been copied.”

“This means that the possibility exists that citizens can get into trouble. How will you be able to help the citizens and companies if in a year or two they discover that they are victims of identity fraud?”

“The minister has to take proper steps, and show that the government is there to serve its citizens, and not the other way around”,  according to the former member of parliament, and IT-expert. “Set-up a point of contact on the islands.”

Persistent problem
De Winter notes that it is not clear how the government plans to structurally tackle the issue of cyber-security. “We don’t know if the risks have been properly identified. Where’s the roadmap, and the vision that shows that it will change for the better? The impression that is being created is that they are ‘doing something’ with security.”