Within the Netherlands, there’s a growing problem of sharing information and distributing who’s creating new cryptographic products. Or better said, there is a lack of ecosystems within the Dutch cryptographic landscape. Frans van Dorsselaer, Principal Architect at Fox Crypto and with over thirty years of experience in cybersecurity, has witnessed firsthand the challenges Dutch government institutions face in securing sensitive information. “There's a need for a coordinated approach to information security across ministries”, says Frans.
“It's a waste when each ministry tries to solve the same problem in isolation, especially when resources are limited and the stakes are high,” claims Frans. His insights shed light on the inefficiencies and potential risks that are present in the current fragmented approach to handling classified information within the Dutch government.
Common challenges across Ministries
Dutch ministries and related organizations, including the Ministry of Defense, the Tax Authority, the Netherlands Forensic Institute (NFI), and even the police—all handle highly classified information such as state secrets. Despite their varied functions, they share common security challenges:
- Secure storage: Ensuring sensitive data is stored safely to prevent unauthorized access or leaks.
- Proper authorization: Implementing mechanisms to control who can access specific pieces of information.
- Secure transportation: Safely transmitting data between parties without risk of interception.
- Secure sharing and reception: Exchanging information with external entities in a secure manner.
Frans emphasizes: “All these ministries face the same issues with sensitive information—storage, authorization, transport, sharing—but they don't realize it or think they need to handle it individually. Therefore, these ministries often operate in silos, unaware that their counterparts face similar issues. They don't know it from each other or feel they need to organize it themselves because it's high-grade classified information.”
The fragmented approach has led to a duplication of efforts, particularly in the development of security solutions. Despite a limited pool of suppliers capable of creating high-security products, ministries carry out similar projects independently. Frans explains: “We have a very limited supply in the Netherlands of parties that can make and deliver such products. The demand is too big for the supply. We're all being over-requested.”
The need for a coordinated approach
Frans advocates for a unified strategy where ministries collaborate to identify common needs and assign different suppliers to develop solutions in parallel. “Imagine if all the requesting parties sat together and, for each problem, defined the greatest common denominator. For example, you could say, 'Supplier 1, you make a VPN connection; Supplier 2, you make a gateway where data can be authorized and exported; supplier 3, you can put together virus scanners to create a good scrubber.’ By dividing the workload, multiple problems can be addressed simultaneously without overburdening any single supplier. You would have solved three problems in parallel.”
A significant barrier to this coordinated approach is the tendency of ministries to seek all-encompassing solutions that promise to address every need. Frans warns against this mindset: “They need to get used to the fact that it's better to solve 80% of your problems now than to set a non-existent dot on the horizon that will someday solve 100% of your problems but never materializes. It's better to tackle well-defined, manageable problems one at a time. You can always improve upon them later, but at least you have functional solutions in place.”
Proposed solution
Implementing the four-eyes principle, where at least two individuals are required to authorize sensitive actions, helps a lot to get information from one side to the other. This principle adds an extra layer of oversight and reduces the risk of unauthorized disclosures. But, there are more ways to make sure information is transferred securely:
- Gateways: serve as the selection and authorization point for data to be shared. “The sharing party must select the information to share. Someone selects the information, and another approves it—that's the four-eyes principle again.”
- DataDiodes: hardware devices that ensure one-way data flow, preventing data leaks and unauthorized access. “Behind gateways, you implement a DataDiode. DataDiodes protect the confidentiality and integrity of the network by preventing external attacks.”
- VPN boxes: provide secure communication channels over the internet. “Then you have a VPN box, which needs to encrypt the information so you can send it over the internet. This VPN box is yours and is managed by a central government body, like a shared service center ICT or DICTU.”
- Scrubbers: clean incoming data to remove potential malware or unauthorized code. “You need to scrub what you've received behind your DataDiode. This could involve virus scanning or removing macros from Word documents to ensure no malware gets in.”
Conclusion
Frans’ insights highlight a critical need for coordinated action in securing sensitive information across Dutch government institutions. By collaborating, sharing resources, and assigning specialized tasks to different suppliers, ministries can avoid duplication of efforts, and enhance overall security. A significant obstacle to implementing this coordinated approach is the lack of centralized leadership. He believes that strong leadership is crucial for overcoming bureaucratic hurdles and political barriers. “If you can bridge gaps in the ICT government landscape, you make those points. So if you have that power as a minister, state secretary, or appointed CISO, then you should be the one who clarifies these issues.”
The call to action is clear: it's time for leaders within the government to step up, break down silos, and work together to secure the nation's most sensitive information.