Report Dutch Safety Board on ‘DigiNotar incident’: Why Digital Safety Failed in Government Agencies
On 28 June 2012 the Dutch Safety Board published a report on the ‘DigiNotar incident’, in which it concludes that the public executives of many government agencies in the Netherlands do not exercise sufficient control to ensure proper digital security.
On 28 June 2012 the Dutch Safety Board published a report on the ‘DigiNotar incident’. In this report, The DigiNotar Incident: why digital safety fails to attract enough attention from public administrators, the Dutch Safety Board presents the findings of its investigation into a major hacking incident in the Netherlands in the summer of 2011.
In June and July of that year, a hacker gained access to the computer systems of DigiNotar B.V. This company provided digital certificate services and hosted a number of Certificate Authorities (CAs). The certificates it issued included default SSL certificates, Qualified Certificates and ‘PKIoverheid’ (government-accredited) certificates. On 29 August 2011 it became public knowledge that a false certificate had been presented to a number of Internet users in Iran. This certificate had been issued by DigiNotar B.V. and was revoked on that same day.
A first investigation performed by the company Fox-IT in September 2011 (Interim Report: DigiNotar Certificate Authority breach “Operation Black Tulip”) revealed that the hacker had succeeded in generating and issuing fraudulent certificates. As a result, the data of private individuals and companies was at risk of being intercepted, which could lead to misuse of data, privacy breaches and identity fraud. In January 2012, the Dutch Minister of Internal Affairs asked the Dutch Safety Board to carry out an investigation, which led to the report published on 28 June.
In its report, the Dutch Safety Board concludes that the public executives of many administrative organisations in the Netherlands do not exercise sufficient control to ensure proper digital security, among other reasons because they are insufficiently aware of the threats to digital security and of the potential consequences of digital security breaches. The Safety Board warns: “Risks are the rule with respect to digital security, not the exception”.
The Dutch Safety Board recommends that public executives of administrative organisations exercise active control with respect to digital security. A public obligation to render account similar to the obligations that apply in the field of finance could contribute to achieving such control. Administrative supervision must be tightened and the government must ensure that public executives become better informed about exercising control and providing guidance with respect to digital security. Furthermore, the Safety Board recommends that the risks associated with data processing be explicitly weighed against the benefits of such processing at the highest level of the administrative organisation. In addition, public authorities must systematically identify risks to digital security and take the appropriate measures to counter these risks.
Since September 2011, several investigations into the DigiNotar incident have been performed by Dutch public authorities and supervisors (for an overview, see the letters of 9 July and 14 March 2012 from the Dutch Minister of Kingdom Relations to Parliament, Kamerstukken 26643).
The DigiNotar incident is a major wake-up call for Dutch government agencies, as well as for citizens, companies and politicians. It illustrates the vulnerability of information systems used by government agencies and private companies alike. The fundamental right to respect for private life, as laid down in article 8 of the European Convention on Human Rights and article 17 of the International Covenant on Civil and Political Rights, is at stake. Additionally, the Dutch General Administrative Law Act prescribes (in art. 2:14-2:16) that government agencies adhere to the principles of integrity and confidentiality in their electronic communications with citizens. There has so far been little case law on how to interpret these norms of administrative law. The DigiNotar incident has shown that adherence to these norms is crucial. The Dutch Standardisation Board recently published guidelines for the implementation of these norms: ‘Assurance levels for authentication for electronic government services’. These guidelines can contribute to creating awareness among jurists of the importance of internet security. Furthermore, they offer practical guidance to jurists on how to secure respect for private life in digital communication between government agencies and citizens.