 |
| Photo by author |
It’s there in the distance: the car of the colleague who
would take us away. You are looking through a crack in the closed steel gate of
the parking garage of the International Criminal Tribunal for the former
Yugoslavia in The Hague.
Let’s rewind 14 hours. That's when the two-day ONE
Conference started in the World Forum, where nearly two thousand information
security professionals from the Netherlands and abroad gathered to catch up on
their field of expertise. Our team was also present with a delegation and
because we were staying overnight in The Hague, we went to a Chinese restaurant
together. After an excellent meal we wanted to take the tram or bus to our
hotel, but that one colleague, who lives nearby and was by car, offered to
drive us. Arriving at the parking garage (at 10:42 pm) his car seemed
impossible to find at first, but after some time searching – and slight doubts
about the parking memory of our colleague – we came to that steel gate where we
saw it. Unreachable.
The doorman of the associated hotel was kind enough to
walk with us. "Ah, I see. You are in the garage of the Tribunal." The
garage is used by hotel guests, conference attendees and also by employees of
the Tribunal. In the morning, our unfortunate colleague was waved into exactly
that part by a traffic controller. The gate in question was then open and there
was no indication that this was a special part of the garage. The traffic
controller might not have known that the gate would be locked at night, or he
might not have expected a conference attendee to pick up his car this late. Via
the intercom at the barrier, the doorman contacted the security guard of the
Tribunal. His card, with which he could open the gate, was missing. Finally we
were able to leave the garage at 11.16 pm. And so by attending an information
security conference, you can get caught up in physical security measures. I
couldn't have made this up. But I really need to talk about the conference.
The war in Ukraine was a fairly prominent topic there.
This is the first real war to be fought not only on land, at sea and in the
air, but also in “cyber”, as it is called in military circles. From day one they
started to attack each other not only physically but also digitally, and
probably earlier as well. One of the speakers, Cristin Flynn Goodwin of
Microsoft, told us that a fight against a state actor in your own data center
can be compared to a hand-to-hand combat: arduous and bloody. Countries that
attack you digitally are preying on the ideas and information governments need
to make decisions about important current affairs, Goodwin said. In doing so,
they mainly target think tanks, non-governmental organizations (NGOs),
diplomats, policy advisors and academics.
Goodwin's point was that as an organization you cannot
cope with all that digital violence on your own. It is therefore much better to
store your data in the cloud, where you enjoy the protection of a large service
provider (where it would have been nicer not just to mention her own company).
The idea is that these large cloud suppliers have every conceivable means to
optimally protect your crown jewels.
By nature, a country wants to keep its crown jewels close
by, on its own territory. Furthermore, the GDPR prescribes that personal data
of EU citizens must be stored in Europe (under certain conditions it may also
be stored elsewhere). But, Goodwin argued, that's not always wise. She said
that Ukraine has stored important parts of its national ICT completely outside
its own borders. Other countries should also prepare for such a scenario, and
test it. That sounds pretty scary, but I can imagine that it is one less
headache for Ukraine. At least, as long as the connections to that distant
cloud last.
The Dutch government recently adopted a new policy with
regard to the public cloud. It switched from “no, unless” to “yes, provided
that”. My biggest concern is the availability of the data. Having your own data
center simply gives you a sense of tangibility, of being able to hold onto the
data when the going gets tough. But if you think about it, that doesn't make
sense. One cruise missile, one ransomware attack and your data is gone. And yet
there is an extra dimension to that cloud: what if your country gets into a
fight with the country of the cloud supplier?
If your car is parked in your own driveway, you can
always reach it. If it is in a parking garage, the manager of that garage will
determine whether you can leave. Even external factors can play a role: years
ago a Ferris wheel on the Apeldoorn Market Square turned out to be so heavy
that the city feared that the parking garage under the square would not be able
to bear its weight. People who had parked their cars there could only get back
to their cars after the Ferris wheel had been taken down. I see difficult
choices coming our way.
And in the big bad world…
This section contains a
selection of news articles I came across in the past week. Because the original
version of this blog post is aimed at readers in the Netherlands, it contains
some links to articles in Dutch. Where no language is indicated, the article is
in English.
- lessons are being drawn from the war in Ukraine.
- Cloud suppliers also make mistakes of course, as witnessed by this major leak at Microsoft.
- Microsoft believes that the discoverer of that leak is grossly exaggerating.
- Dutch
higher education is already abundantly in the cloud. [DUTCH]
- there
is political aversion in the Netherlands to US cloud providers. [DUTCH]
- ransomware is used to prepare for physical wars.
- Not
only officials have fallen victim to the ID-ware ransomware attack. [DUTCH]
- the
police outsmarted a ransomware gang.
[DUTCH]
- we
seem to be a fairly privacy-loving people.
[DUTCH]
- attackers
used a vulnerability in a virus scanner to disable another virus scanner. [DUTCH]
- the
difference between “to” and “bcc” is a data breach. [DUTCH]
- Texas accuses Google of collecting biometric data.
