“US law is largely incompatible with our GDPR. So, while we’re still working with American companies like Microsoft and others, our data will ultimately need to be hosted in the European Union.”
Making the leap from the private sector to the world of government, Roel Gloudemans has brought fresh, innovative nous to the Dutch government’s more than 15-year-old experiment with digital identity.
We speak with Roel, Chief Information and Security Officer for the Netherlands’ National Office for Identity Data (Rijksdienst voor Identiteitsgegevens, or RvIG), on the benefits of embracing a compartmentalised, rather than fully interconnected, government function, the dangers of setting bad precedent with security backdoors, and why cryptography is the next major frontier in government cybersecurity.
FST Government: Having previously served as a CISO (chief information security officer) in the private sector, what are the most glaring differences you’ve seen stepping into a government role?
Gloudemans: Certainly, since my appointment just over a year ago, those differences have really been in my face. If you look at most private companies, they tend to be well structured in terms of process and corporate responsibility, and it’s all driven by the fact that, by the end of the month or end of the year, they need to make a profit. In government, there’s no such thing as generating a profit. Of course, we try to do things as efficiently as we can for our citizens, but there’s no strong drive to keep it that way.
Keeping things efficient also means keeping things simple. Government by its nature is complicated; while responsibilities are enshrined in law, it’s sometimes fragmented to the point that there’s no clear understanding of who’s responsible for what. That’s where I see major differences.
Another thing is the trust model. Especially within large companies, this is an understood and acted upon concept. In the part of government that is within my view, the trust model appears underdeveloped.
While not necessarily the case when dealing with external parties, government agencies tend to trust each other blindly.
We’re one of the few agencies in the Netherlands that has trust modelling as a mandatory control in our policy. From a basic standpoint, it says: ‘We’re all government agencies; we trust each other. However, you can’t necessarily trust our neighbouring parties to maintain similarly functional and efficient controls. While we have a central control framework in place, at the very lowest level, can we necessarily trust each government employee to lock their desktops when they walk away from their computers?
FST Government: Of course, you cannot trust that every single employee will act in the best interests of a public agency or follow its security rules to the letter, potentially leaving the door open for a malicious actor to exploit. A year since you stepped into the role, have there been any other concerns popping up on your radar?
Gloudemans: As an agency that manages digital identity across government, we constantly receive data from neighbouring government agencies. So, we have to ask, can we actually trust this data? That’s really important, because the organisations we’re exporting our data to – those private sector companies, other local governments and sub-government authorities, like an education department – make decisions based on our data that can have a big impact on our citizen’s lives.
Data integrity is critical. As the RvIG, we have controls in place to verify the integrity of all data we receive. But it’s still easy to make mistakes. For instance, we have very stringent controls to verify those parties that may have access to our data; healthcare happens to be one of those parties. If we get a list of, say, hospitals from one of our neighbouring agencies, we have to ask ourselves, how was this list compiled? Were the controls in place during this compilation process as good as ours? If not, we need additional checks on our side.
FST Government: In terms of cross-agency and government-to-private sector data sharing, would you say you’re still in the early stages of building a regimented data quality control process?
Gloudemans: At the local government level, it’s fine. For the identity data we have, we conduct lots of checks. But that doesn’t mean we can’t make it better. From a data science point of view, we’re developing algorithms to check that our data is correct. For example, if we combine identity data with housing data and find that there are 10 people on a single square foot of land, that’s probably wrong. We’ll lodge a report to the responsible local government branch so they can follow up. It might just be an administrative error, but if not, they can go and check to see if any assistance is needed. After all, 10 people on one square foot of land could be something fraudulent, but they could also be a family or even refugees in need.
That’s one of the good things about government. Our basic standpoint is that the citizen is good.
Indeed, our starting point is, if something isn’t correct or if something went wrong, we have to help these people. In the private sector, if something goes wrong, we often assume somebody is attacking us.
FST Government: More broadly on security, looking at AI or machine learning algorithms, which are increasingly working their way into cyber defence systems, or even blockchain as an immutable ledger to protect high-value data, where you see the kind of next major steps being taken in government data security?
Gloudemans: That’s a hard one. Perhaps the next major step for government is to pool our monitoring data. We’re all seeing only part of the picture. While our National Centre for Cyber Security has threat detectors out in the field, it only oversees a sparse population; and while each country’s own cybersecurity centres work together, as far as I know, they don’t pool their log data together.
If you ask me, that could be an improvement. Find a log or reporting format that allows for more inter-country data exchange and then use artificial intelligence systems to start looking at attack or organised crime-related fraud patterns.
The other area of development is in digital identity, which has become more and more pervasive. In the Netherlands, we have what’s called ‘DigID’, which essentially encapsulates a Dutch citizen’s entire eGovernment account. As a second factor to that account, individuals can now use travel documents; there’s a digital certificate in the document and we’ve rolled out apps to interrogate them, allowing what you’d call ‘remote document authentication’ to help us determine whether people on the other side of the line are really who they say they are.
FST Government: So it appears the Netherlands has progressed fairly well in deploying its digital identity solution. What were some of the challenges in the DigiD rollout?
Gloudemans: Well, I couldn’t say definitively because I wasn’t on board with government at the time of its rollout. But I’ve had a digital identity now since around 2005 – that’s more than 15 years. And it’s progressing. It used to be a simple user ID and password; you could fill in your tax forms at the end of the year and submit them using your digital identity. Then we got a second factor, which added in an SMS service; and now we can use our identity documents. While the first use was at the taxpayer’s office, now our local government relies heavily relies on digital identity. Even the private sector – for instance, health insurance companies – are using DigID. So, we’re seeing it expand more and more.
It’s a federated authentication platform, just like you might use to access your Facebook account to access Microsoft services or vice versa. The main difference is that DigID is limited to entities that are performing tasks for the government.
FST Government: Has DigiD been expanded to every Dutch government citizen service now?
Gloudemans: As long as you’re offering a citizen service, you can use the DigiD. However, we still have people in the Netherlands who aren’t very handy in the digital world, so we’ve maintained traditional government communication methods as well: you can still send mail, you can still go to an office – the digital identity service hasn’t replaced anything.
FST Government: Do you see the DigiD evolving beyond the simple username and password, perhaps introducing a biometric capability in the near term?
Gloudemans: We are currently discussing the use of biometrics in identity documents. Within Europe, sometime around August this year, we’ll need to implement biometrics in identity documents. For DigID, however, there’s currently no biometrics capability.
If does happen anywhere, my guess is that it’ll be on the DigID smartphone app. This app authenticates the user by scanning a QR code on the DigID portal which is followed by the user entering a code. I don’t think it would be too difficult to replace the user code with the phone’s built-in face or fingerprint scanner, just like the banks are doing. The benefit of this mechanism is that we wouldn’t need to store any biometrical data on our own servers.
FST Government: It feels almost inevitable then that biometrics will feature in this process, taking advantage of smartphones’ existing functions. And if you don’t have that capability, a user can simply default back to the username/password, token or SMS passcode.
Gloudemans: One of the interesting things is that the citizen’s device is now front and centre of the authentication processes in both the public and private sectors. If you don’t want to exclude people, you have to support a lot of devices, among which include devices that no longer have manufacturer support.
My personal opinion is that we need to have a discussion if phone-based biometric authentication is really what we want. We’re still supporting the old versions of phone operating systems, and we know those phones aren’t secure.
Those who can’t afford to buy a new phone every two to four years might end up having their security compromised. They might have malware, and as soon as they log on to a government service, a session cookie might get taken over and then they might get exploited. That level of thinking has not yet arrived though.
It’s a really interesting discussion; if you have a low income, you don’t necessarily have the means to buy a new phone, but we can’t exclude those people from government services. So how are we going to solve that?
FST Government: While DigiD is a federated system, it does serve to illustrate the value of centralising government services. Are you keen to see further progress in the consolidation of digital government services?
Gloudemans: Yes, DigID is more about federation than centralisation. DigID services are provided by Logius, the Netherlands’ digital government services agency. They are the front end, we are in the backend, the one that carries the database of all Dutch citizens.
We are all separate agencies with own responsibilities and strategy. I consider this a better arrangement.
We all have our expertise; ours is building identity systems, not tax systems. And if you look at cybersecurity, it’s also a good thing to compartmentalise government. It’s hard for an attacker to move from a tax system to a healthcare system, because the connection between those two is very thin. If a nation-state actor or organised crime group gets into a government ministry, it will only affect a small part of it.
While fragmentation could also be seen as a threat, in terms of an inconsistent level of controls and the challenges of getting all agencies up to the same standard, to me it’s also a key part of defence.
Of course, we’re still looking to reduce the number of channels necessary for citizens to engage with government. For instance, we have a service where the citizens can alert us to errors in government registers across the public sector. This is a form of centralisation seen by citizens at the front-end, but in the back, we’re still quite separate entities.
FST Government: Coming back to the data piece, there is an ongoing tension between an innovator’s urge to leverage all useable data to create amazing citizen experiences and a regulator’s concern to preserve citizen privacy and protect sensitive data. How is the Dutch government negotiating this balance?
Gloudemans: Our government is very big on transparency.
When we create an algorithm, we need to be clear about what the algorithm does; a regular citizen can request this information at any time.
There are checks in place to make sure our algorithms don’t introduce bias. That all sounds fine, but I have a science background; I know how hard it is to actually prevent bias, and it’s also true for the algorithms we have.
We check them as much as possible, open them up for auditors, but the last line of defence are the citizens themselves. They can ask about our algorithms, and if they claim something is wrong, we’ll look at it. That means, in terms of the number of algorithms being deployed, we’re probably not progressing as fast as we could. But it’s deliberative progress. We only build the next step when we know the previous step was okay.
FST Government: Is it relatively easy for an individual to report potential algorithmic bias to the government?
Gloudemans: Every Dutch citizen has the right to request information from our government. We call it wet openbaarheid van bestuur (WOB), a public governance law that means all government information that isn’t classified can be requested by citizens, and that includes information about our algorithms.
Access to certain government algorithms has in fact attracted some negative press. The SyRI (system risk indication) scandal, which occurred within our Tax Authority, provided a huge learning experience for the rest of central government.
Because it was developed by the private sector, the algorithms weren’t transparent; they kept it as a trade secret. So we as a government didn’t really know what was in it the code either. That was seen as unacceptable.
FST Government: The Netherlands has long held a tradition of promoting liberal democratic values and an international rules-based global order – values that more and more have come under threat in recent years. As one of Europe’s central hubs for web traffic, what is the Dutch government doing to promote open cyber diplomacy and ensure the internet can be preserved as a neutral and free-sharing network?
Gloudemans: We have a policy of strict net neutrality in the Netherlands, which I’d argue has been effective. Following a recent election here, a new government is being formed yet again. While the make-up will be complicated, we’re likely to have a centre-right government forming once more, or perhaps even a true centre. This probably means that things like net neutrality will be kept in place – only the parties of the far-right and far-left actually question it.
When looking at encryption, however, I do wonder where it’ll all go. We have a minister from the Justice Department telling people he wants to allow a backdoor into applications like WhatsApp or other social apps. I know a lot of experts in the private sector and in government are telling us, ‘Well, if the government has a key to get in, then you know for sure others will be getting in too’. Our police and law enforcement agencies already have huge success in capturing criminals by breaking encryption controls currently in place that don’t require a backdoor.
The question then is, do we really need that backdoor? My personal opinion is we don’t. It’s dangerous.
FST Government: It is a slightly concerning development, especially seeing attempts by US law enforcement authorities to break into Apple’s encryption, which does in a sense undermine many values around personal security and liberties held dear in the West.
Gloudemans: Indeed, if the US pushes forward, I think we’ll enter a world where we cannot host our data there anymore. And, in fact, we’re almost there now, we had our “privacy shield” in place which was invalidated by European law.
US law is very different from our own GDPR. So, while we’re still working with American companies like Microsoft and others, public and private sectors alike are requiring the data to be hosted in the European Union.
FST Government: Within the EU itself, with far more heterogeneity and sovereignty between states, would there be concerns that certain jurisdictions would not have the optimal security provisions to protect your sensitive government-level data?
Gloudemans: We partner with private businesses with big data centres in Ireland, Norway and Sweden, Switzerland, the Netherlands and Germany – they’re all countries with good records, so we’re not too worried about that.
Looking at the Dutch government, everything we consider even mildly classified we keep within our own borders.
Our government currently has a couple of centralised data centres throughout the Netherlands where we keep government data. In the future, because we’re moving more and more into the cloud, we’ll have to gain further experience with cryptographic controls and cybersecurity technologies like that. If you do it in the proper way, we should be able to host services outside of our own borders.
One of my main interests right now is in building out a set of crypto services that we can use for encrypting data – not only within our central data centre, but also for key pairs on travel documents and other service chains that we are part of.
Of course, using cryptography properly is incredibly hard. You can see this through the success our law enforcement agencies have had in cracking encryption from criminals: these criminal syndicates have money, so while they might have access to good intelligence and individuals with impressive encryption knowledge, we in government are still able to crack it.
I used to work for a cybersecurity company, and our experts cracked the encryption from several crypto-lockers. I know for a fact it’s a very, very complicated field of expertise.
FST Government: So cryptography is something you’re looking to invest and expand government resources in?
Gloudemans: We’re just now looking around at what other ministries, agencies and industries have done, and it’s a relatively new field even within the tech-forward financial services industry; only now are they starting to centralise their cryptography services.
FST Government: Right on your doorstep, countries across the EU have become trailblazers in eGovernment. Who do you look to inspire eGovernment innovation in the Netherlands?
Gloudemans: It’s a hard one, because, despite some of our shortcomings, we’re among the front runners in digital government.
I don’t think we can look to any single country to innovate; we’re looking at the whole world to discover new and unique innovations. We can learn a lot from our European partners, for instance, when looking at travel documents. We have good documents, but Germany does as well.
I follow one particular adage, loosely translated from Dutch: “Better to follow somebody who knows what they’re doing than to implement something badly yourself.”
Looking to the private sector, I use Google, Apple, Microsoft and Facebook as examples to challenge people. Those big companies have long-established federated authentication platforms in the field. From a useability point of view, they are very well developed, and we cannot lag behind.
If we do, we will be replaced by the Apples, Googles and other bigtechs of the world, because the citizens make their own choices about what they use as an authentication platform – and that’s not necessarily going to be ours. If we feel that those companies are harming the interests of our citizens, we need to make sure that we have a better service ourselves.
FST Government: Convenience is certainly king today. Of course, people want the most streamlined service, but they may not necessarily think of the implications of surrendering their data to access it.
Gloudemans: It’s a core principle of security today: make sure that the way to do things securely is the easiest way. If you have accomplished that, then you don’t have to worry much about your security.
Roel Gloudemans was a featured keynote presented at this year’s FST Government Western Australia 2021 conference.