The public underestimates the severity of the catastrophe that would occur if the IT system failed in, for example, the banking, energy or logistics sector. Admittedly, the chance of such a catastrophe is small, but government and business should make it smaller still by investing in the security of their systems. This is the view of Prof. Hans Wortmann, Professor of Information Management at the University of Groningen.
‘So many parties are now involved in the security and storage of data that we do not even know who they all are. Only one link in this long chain has to fail and the consequences can be enormous. Hackers have already caused great turmoil a few times now. We cannot avoid these attacks, but we can ensure that the hackers do not penetrate the system.’
Parallel to the rise of the internet is, of course, the growth of cyber crime. Now that almost all computers are accessible via the internet, it is worth criminals’ while to do all they can to break into computers to steal data or money or cause damage. This has already led to a number of sensational break-ins, such as when what were presumably Iranian hackers got into the system of DigiNotar, the small company in Beverwijk that provides security certificates for DigiD, which gives the public secure electronic access to government sites and the Dutch Tax and Customs Administration. Break-ins in the systems of Sony and, more recently, KPN have also attracted attention. People’s personal data is regularly found in the public sphere. That is also a big problem, but it is not the biggest threat, says Wortmann. ‘The biggest problem is linked to matters such as money transfer, the transportation of goods and the supply of energy. If these are cut off, the consequences would be disastrous.’
An important cause of the problem is what is known as ‘cloud computing’. This is when different companies buy in certain services, such as data protection, from another company, which is logical because economies of scale make it cheaper. But this company then outsources parts of that work to another company, and that one to yet another. Wortmann says, ‘The question now is: how do you protect yourself from hackers if these services call each other? Big parties outsource to smaller and smaller parties, and you do not know who they are. This verticalization makes the dependencies even greater. No one knows any more how exactly the services are linked and this, regardless of whether it is intentional or unintentional, gives hackers room to manoeuvre. Millions of people make a game of this and sometimes one of them hits the target.’
Wortmann points out that such a catastrophe does not even have to be caused by hackers. ‘It can be an accident. The iDEAL payment system has been down a number of times, for example. And DigiNotar hit the news for the first time a few years ago when, two weeks before 1 April, the deadline for tax returns, DigiD went down. That was not caused by an attack by hackers but a silly administrative error: a contract that was not extended in time. A small piece of software of maybe twenty lines was the cause then of a problem that affected five million taxpayers.’
Wortmann thinks that crucial systems should perhaps be disconnected from the internet, in the same way that a telex network still functions alongside the telephony network. ‘What you want is an intrinsically safe system, a system that can always switch back to a safe situation. This is possible, for example, with SCADA systems for factory automation, which do not have an internet connection. Another example is the Swift network for money transfers between banks, and the Ministry of Defence also has a fully separate network. The disadvantage is that you cannot always use the technology that the internet offers, but it is safe.’
Wortmann appreciates that time is needed to change the carefree mentality concerning IT systems security. He says, ‘Sometimes a catastrophe is needed before risks enter the collective consciousness. Consider the worries people now have about the danger of nuclear power stations. No one takes it lightly in Germany, in any case, since the nuclear reactor accident in Fukushima in Japan.’
As far as Wortmann is concerned we should be just as vigilant about catastrophes resulting from the failure of IT systems. ‘This problem must be placed on the social agenda. Better academic research is needed. We must stimulate those awarding contracts, from governments to businesses, to invest more in the risk management of their systems. It can certainly be made more secure than it is now. It would cost a few bob, but the Netherlands would then be taking the international lead in this field. It does not matter whether we are talking here about energy, logistics, money transfer or healthcare: there is a chance of a sizeable catastrophe. A small chance admittedly, but this could be a lot smaller.’
Prof. Wortmann (Emmen, 1950) has been Professor of Information Management at the University of Groningen since 2003. He specializes in company information systems and is also editor-in-chief of the academic journal Computers in Industry.