Dutch central government entered the cloud ill-prepared
The Dutch central government started using cloud services without thoroughly considering the implications and risks. The Netherlands Court of Audit concludes in a report published today, Dark clouds are looming, that the government has limited insight into the cloud. It has not made mandatory risk assessments of two-thirds of the main cloud services it uses. The Court of Audit is concerned that the public services it delivers to citizens and businesses are exposed to too much risk. This could potentially disrupt society.
Working in the cloud can increase government efficiency and improve service delivery. The audit found that the government is making avid use of the cloud. All Dutch ministries are working with it. However, they do not know what type of cloud they are using in more than a quarter (26%) of the 1,588 cloud services they reported for the audit. This is a matter of concern: the type of cloud is of fundamental importance.
It is not known whether a quarter of the cloud services reported by the ministries are public, private or hybrid
Risks often not assessed, difficult management
As part of the audit, the Court of Audit investigated the most important public cloud services government organisations use to perform their primary tasks. The services related to office automation at ministries, weather data at the Royal Netherlands Meteorological Institute and customer care data. More than half of these important public cloud services are procured from the American companies Amazon, Microsoft and Google. Their use is not without risk to the government itself and to citizens and businesses. For instance, foreign governments can request data from the cloud service provider or the provider could collapse or be hacked.
Ministries must understand how they use the cloud and make risk assessments before they decide to use it. The Court of Audit found that they did not make sufficient strategic risk assessments before using a public cloud. Risk assessments were not made of 84 (67%) of the 126 material public cloud services. As a result, there is a risk that data are poorly protected and services can be disrupted without notice. Furthermore, it is difficult for the State Secretary for Digitalisation to manage overarching cloud-related risks.
Central government has not assessed the risks of two-thirds of its most important public cloud services
Policy differs from one ministry to another
Cloud strategies and policies differ from one ministry to another. The diversity makes it difficult for all stakeholders (ministries themselves, central government data centres, cloud providers) to make consistent agreements. The Court of Audit’s main recommendation to the government is therefore that it should present itself to the major cloud providers as a single, unified organisation. By setting frameworks, enforcing rules and controlling risks as a unified organisation, the government would strengthen its position in relation to cloud suppliers and other users. The government must consider the opportunities, risks and alternatives far more effectively.
The Court of Audit’s Vice-President Ewout Irrgang is concerned about the findings: ‘To put it bluntly, there is a risk that foreign governments, particularly the US government, can access and even modify information on the Dutch government and citizens. Whether they do or not is secondary but if they want to, they can.’ Mr Irrgang is also worried about service delivery to citizens and businesses: ‘Service delivery cannot be guaranteed if office automation is no longer working. The ministries have to work together as a unified government to strengthen their grip on their cloud use. Fortunately, Zsolt Szabó, the State Secretary for Kingdom Relations and Digitalisation, endorses our report and is eager to get to work. I call on the government as a whole to have the ministries work together more formally.’