Since the corona crisis, civil servants working from home have often used insecure means of communication and private e-mail accounts to exchange sensitive information. Ministers also do this, because the secured means are too complicated.
Senior officials and ministers make little use of the special security equipment they receive, says a report by the Court of Audit. Ministers, for example, have Sectra Tiger telephones that automatically encrypt messages, but in practice they appear to be little used. They would “not be easy to use.” The officials therefore use apps such as Zoom and WhatsApp, on regular tablets and smartphones. In the spring of this year, CIO-Rijk set up an online method for extra secure video meetings, but it turned out that “there was no need for cabinet members.”
The Court of Audit also notes that ministers such as ministers and state secretaries can hardly be held accountable for the conduct. “They are not formally civil servants and are not the responsibility of the secretary general or chief information security officer,” the report said.
Risks for information security and privacy
The problems came to light in particular in recent months. The regulator investigated the use of ICT by civil servants at ministries and other government institutions. The Court of Audit concludes that there are risks to information security and privacy. Civil servants use many different tools to communicate, even if not prescribed by the technical service. For example, sensitive information is sometimes sent via WhatsApp or private e-mail addresses, and documents are stored in, for example, Dropbox or Google Drive. The Court looked specifically at the period from July to October. Most civil servants worked from home during that period because of the corona crisis.
In most cases, civil servants use Webex for video calling, but Skype for Business and Microsoft Teams are also popular. WhatsApp is used in most cases for ‘informal communication’. According to the Court of Auditors, seven percent of the officials surveyed were found to have sent confidential information via WhatsApp. Also, private email would often be used to send such information.
Lots of different applications
The report sees a problem with ways to collaborate online. There are said to be dozens of programs to work with, for example to save documents, share files or manage schedules. “An explanation for this large number of used applications is that there are few collaboration platforms in the central government on which organizations can safely collaborate with each other.”
An additional problem of using the different apps is that of archiving. For example, agreements made are not recorded centrally, but in Dropbox or Google Drive. According to the Court of Audit, this leads to ‘a lack of insight’ about decision-making. In addition, the situation may pose problems in the future if an audit takes place.
Dissatisfaction with obligations
An important cause of the problem is that ministries and departments can determine themselves which tools employees are allowed to use. Despite this, there appears to be a lack of clarity among many civil servants about the agreements that are made about which tools may be used, and a large number are ‘not satisfied with this’. Such rules would, for example, be difficult to implement in practice.
The Court cites the example of the mandatory use of Citrix to work safely remotely, but video calling often does not work in that environment. It would also be a problem that the agreements differ per department. WhatsApp is permitted under certain conditions at some government organizations, but not at others.
State Secretary Raymond Knops of the Interior acknowledges in a response that ‘the situation created by Covid-19 requires a great deal of adaptability from the national government’. He says that since this spring, various measures have been taken, which are now being considered whether they could be improved. An information campaign has also been launched for civil servants.