So, people from within Iran have hacked the Dutch company DigiNotar, allowing them to issue fake certificates so they could listen in on Iranian dissidents and other organisation within Iran. This is a very simplified version of the story, since it’s all quite complicated and I honestly don’t even understand all of it. In any case, DigiNotar detected the intrusion July 19, but didn’t really do anything with it until it all blew up in their face this past week. Now, the Dutch government has taken over operational management of DigiNotar… But as a Dutch citizen, that doesn’t really fill me with confidence, because, well – whenever the Dutch government does anything even remotely related to IT technology, they mess it up. And mess it up bad.
It’s almost a commonly known fact in Dutch society that whenever our government – regardless of which coalition is in power – does anything even remotely related to IT technology, they will mess it up. It will be insecure, it won’t work as intended, it will break down, and it will go over budget at least 56 times.
At some point, our government decided, in all its wisdom, that out existing method of buying train and bus tickets was no longer adequate. The system worked just fine; for trains, you walked up to a machine or a service desk, handed over some money, and you got a (return) ticket of your choosing. For the bus, you bought a ticket which had several ‘zones’ on it; each zone corresponded to a certain area. So, between Alkmaar and my hometown, there were four zones. You always pay at least one zone, so in total, the bus driver stamped five zones off my ticket. These tickets came in various sizes (15 zones, 30 zones, etc.). If you traveled by bus/train more often, you bought a pass which you only had to show to the driver, and that was it.
This worked just fine, but the government decided that this should all be done electronically. So, they let a private company come up with a plastic card with a chip in it, which had a certain amount of money on it. Using NFC, you tap it against a turnstile, which would then register your starting location. Tap again at the exit location.
Sounds simple enough, but the system was hacked quickly, making it very easy to hack more money onto the cards, or to duplicate them. To make matters worse, travel information is stored by a private company, which has raised red flags regarding privacy issues. The system also doesn’t work properly, causing wrong amounts to be deducted from cards, and it has also increased costs of public transport. A supposedly safer version of the system has been planned, but the roll-out will take six years, and the costs of this roll-out will be transferred to travelers. The system is also not particularly friendly towards the elderly. The list of complaints is long.
In short, the system has been an unmitigated disaster.
Another example: crisis.nl. This website is supposed to provide citizens with information in the case of a disaster. However, the website cannot handle larger loads, and during a few recent disasters, the website was knocked offline very easily. The website cost a whopping â‚¬500,000 to build, and now that it has proven not to work, the government is throwing even more money at the project.
In the meantime, a smaller company has built crisis2.nl, which delivers the exact same information, and can actually handle lots and lots of traffic which would’ve already killed crisis.nl – and at only 75% of the costs. The reason this company doesn’t get to handle this project is because the company is considered too small. The rules for government projects like this state that only large companies are allowed to accept them.
Then there’s the Dutch police. The problems with the Dutch police go far beyond just the computer systems backing them, but it is still a major problem. The plan was to invest â‚¬46 million in modern computer systems for the police, but the new systems did not work, were hated by police officers, and have horrible usability. To make matters worse, local police stations did not adapt their workflow, and kept existing systems side-by-side. The end result is a major cluster*&*$. Costs have already risen to â‚¬70 million – but this excludes costs for implementation at local police stations. Everything put together, police computer systems in 2009 cost â‚¬770 million – and it still doesn’t work.
According to comprehensive studies among police officers and personnel, this has a direct and negative effect on the police’s ability to do its job. In other words, crimes aren’t solved, and criminals aren’t caught. Police offers tell stories of them still struggling with entering information of a crime into the computer system, while the perpetrator walks by – he’s already been set free. It’s… A disgrace.
And these are just a few examples. So, when the Dutch government sends out a press release stating they have taken over operation management of an IT-related company… Well, while this might inspire confidence abroad, it doesn’t inspire me with any. This story is far from over, and I wouldn’t be surprised if it goes even deeper than we know today.
Well, considering how incredibly bad the private company screwed up it’s not like it can get much worse.