Last night, on TV, I saw an announcement that there might be something wrong with the security of the emailing systems of the House of Representatives (Second Chamber). It was supposed to be so serious that there could be far-reaching consequences! The TV program RTL Late Night would shed some light on the matter for us. My interest was sparked and I checked out the item.
Humberto Tan, the presenter of the show, made it exciting. The journalist from Follow The Money who had investigated this problem, supposedly hacked the mailing servers of the Lower House and had logged on. During the item, however, they explained that it was merely a missing SPF record. Not really great, but not really a problem either. And definitely not something that would have political consequences. The implementation rate of SPF is around 50% worldwide.
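To make concrete what a "missing SPF record" means to a receiving mail server, here is a small, added example that is not part of the original post. It is a simplified SPF evaluator (the ip4, ip6, include, redirect and all terms of RFC 7208; a, mx, ptr and exists are treated as no-match because they need live DNS) run against a constructed, offline table of TXT records for hypothetical domains. A domain with no SPF record yields the result "none": the receiver learns nothing and cannot reject mail forged in that domain's name.

```python
import ipaddress

# Constructed, offline stand-in for DNS TXT lookups (hypothetical domains;
# addresses are from the RFC 5737 / RFC 3849 documentation ranges).
FAKE_DNS_TXT = {
    "example.gov": ["v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all"],
    "mail.example.net": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "nospf.example": ["some unrelated txt record"],  # TXT exists, but no SPF
}

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the domain's SPF record, or None when the domain has none."""
    records = [r for r in dns.get(domain, []) if r.lower().startswith("v=spf1")]
    if not records:
        return None
    if len(records) > 1:
        raise ValueError("multiple SPF records is a permerror")
    return records[0]


def check_spf(sender_ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate sender_ip against domain's SPF policy.

    Returns one of: none, pass, fail, softfail, neutral, permerror.
    """
    if depth > 10:  # RFC 7208 limits DNS-causing terms; guard include loops
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"  # no policy published: the receiver cannot decide
    ip = ipaddress.ip_address(sender_ip)
    redirect = None
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            sub = check_spf(sender_ip, arg, dns, depth + 1)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"  # included domain must publish a record
            # fail/softfail/neutral inside an include is simply "no match"
        # a/mx/ptr/exists: would need live DNS, treated as no-match here
    if redirect:
        return check_spf(sender_ip, redirect, dns, depth + 1)
    return "neutral"  # no term matched and no "all" term present


if __name__ == "__main__":
    for ip, dom in [("192.0.2.10", "example.gov"),
                    ("198.51.100.5", "example.gov"),
                    ("198.51.100.5", "nospf.example")]:
        print(f"{ip} sending as {dom}: {check_spf(ip, dom)}")
```

The interesting line for the story above is the "none" result: without a record, a receiver that wants to refuse forged mail from the domain has no basis to do so, whereas with the constructed record a sender outside the listed ranges gets "fail" and can be rejected.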
A storm in a teacup. But when I started to think about it a little more, I realised that the government had to operate by the ‘apply-or-explain’ list. That list contains internet standards that need to ensure a safer and future-proof internet. And SPF is on that list as well. But that list only applies to products/services of € 50.000,- or more. The majority of the email uses in governments will not exceed this value. The government does think digital security is important, but not when it concerns cheap systems. That seems weird. The smaller/cheaper systems also process data streams that represent a large social or economic interest or affect citizens’ privacy.
But we see this often. Tenders, RFIs, RFPs and RFQs of the government make no mention of the apply-or-explain list. Sometimes they are not obliged to because the € 50.000,- minimum is not met, but sometimes that minimum is met and it is simply not included as a requirement. Luckily, even more often than that we do see requests for the protocols/standards on the list.
Job well done. Not. There seems to be a lot of wiggle room in the ‘explain’ part of the policy. Much too often we see that the tenders are awarded to the party that does not deliver in accordance with the list. These parties use the room to explain by saying that it is not a standard service, but that it can be provided upon request. In practice that means that protocols like IPv6 or DNSSEC are not used at all. Or worse: the awarded party gets away with ‘this protocol is in a trial phase here and will be a part of the service at some point in the future’. This means that the required protocol cannot be provided and it might even be 10 years before it is available.
I get really annoyed with practices like the ones mentioned above. Businesses that are willing to invest in a safer and more modern internet have to pay for that investment, which shows in the prices for the product/service that is required. Governments opt for the cheapest supplier, even if this supplier gives unfair reasons for not living up to the safe and modern standards. Do you not think it is time that the Forum Standardisation gets enough resources to really make a stand for a better internet?
By: Wido Potters