
KIT – University of the State of Baden-Wuerttemberg and German National Research Center of the Helmholtz Association www.kit.edu

COMMUNICATIONS ENGINEERING LAB, INSTITUTE FOR TECHNOLOGY ASSESSMENT AND SYSTEMS ANALYSIS

Findings from the eProcurement study

Arnd Weber

Security of eGovernment, European Parliament, Brussels 2013

ITAS2 Arnd Weber

Public procurement in EU

19% of GDP

Prone to bid rigging, corruption

Source: Wikimedia

ITAS3 Arnd Weber

Electronic procurement

<10% is eProcurement

Confidential information, such as:

Prices

Content

Passwords

ITAS4 Arnd Weber

Case study on security of eProcurement

Will present two over-arching issues

More available in report

ITAS5 Arnd Weber

Issue 1: Vulnerability of computer systems

Attacks such as:

Zero-day attacks

Crafted attacks

We keep patching

Reuters on Commission report: Spyware in Chinese hardware

Issue also in eHealth etc.

= Not a solid foundation for eGovernment

ITAS6 Arnd Weber

Issue 1: Vulnerability of computer systems

Policy option:

Require computer systems with reliable isolation:

Isolate sensitive ones

Isolate risky applications

ITAS7 Arnd Weber

Issue 1: Vulnerability of computer systems

Use of isolation:

What security is technically feasible?

What is usable?

What is economic?

How can policy push for isolation?

Require exhaustive analysis?

Require proven systems?

Topic of session on „Protecting against attacks“ = a start of a debate on policies

ITAS8 Arnd Weber

Floris Ampe, http://de.slideshare.net/Nicolas_Loozen/golden-book-presentation-challenges-and-opportunities

Issue 2: Variety of systems & tools

ITAS9 Arnd Weber

Issue 2: Variety of systems & tools

Hundreds of platforms

Variety of tools used for authentication, encryption, non-repudiation

Reluctance to use platforms:

50% of public authorities reject the concept of mandatory eProcurement

ITAS10 Arnd Weber

Issue 2: Variety of systems & tools

Policy option: European lead

Processes not efficient, go back to the 1990s

Trans-border processes need to be identified, implemented, tested, their cost-efficiency estimated, and rolled out

Topic of afternoon session on the variety in „27 Member States“

ITAS11 Arnd Weber

Thanks!

To interviewed experts

To co-author Christian Henrich of Forschungszentrum Informatik

ITAS12 Arnd Weber

BACKUP

ITAS13 Arnd Weber

Draft eProcurement Directive 896

Key content:

Make eProcurement mandatory

Commission can impose technical standards

Comments:

Consider having the bidder submit the decryption key only after the submission deadline

Reliance on central systems may lead to risks and costs

Have an upgrade path in case signatures get hacked
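The comment on the draft Directive about handing over the decryption key only after the deadline describes a sealed-bid flow: the bidder encrypts the bid locally, the platform stores nothing but the ciphertext (and a commitment to it) while bidding is open, and the key arrives afterwards, so the platform operator cannot read prices before the deadline. The following Python sketch is an added example, not code from the slides, the study or the PEPPOL project. The cipher is a constructed HMAC-SHA256 stream cipher with an HMAC tag, used only so the example runs on the standard library; a production system would use a vetted AEAD such as AES-GCM. The deadline, bidder names, prices and simulated clock are all constructed.

```python
"""Sealed-bid eProcurement: ciphertext before the deadline, decryption key after it.

Added example (not from the slides or the PEPPOL project). The cipher is a
constructed HMAC-SHA256 keystream plus HMAC tag so that the example runs on the
standard library only; real systems would use a vetted AEAD such as AES-GCM.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

DEADLINE = 1_000  # constructed submission deadline (seconds on a simulated clock)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes as HMAC(key, nonce || counter) blocks (constructed cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_bid(bid: bytes, key: bytes) -> bytes:
    """Encrypt-then-MAC on the bidder's machine: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(bid, _keystream(key, nonce, len(bid))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_bid(sealed: bytes, key: bytes) -> bytes:
    """Check the tag in constant time, then decrypt; ValueError on a wrong key or altered ciphertext."""
    nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tag mismatch: wrong key or altered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Platform:
    """The procurement platform: stores sealed bids and commitments, never a key before the deadline."""
    sealed: dict = field(default_factory=dict)       # bidder -> sealed bid bytes
    commitments: dict = field(default_factory=dict)  # bidder -> sha256 of the sealed bid
    opened: dict = field(default_factory=dict)       # bidder -> plaintext bid after opening

    def submit_sealed(self, bidder: str, sealed: bytes, now: int) -> bool:
        if now > DEADLINE:
            return False  # late bids are rejected
        self.sealed[bidder] = sealed
        self.commitments[bidder] = hashlib.sha256(sealed).hexdigest()
        return True

    def submit_key(self, bidder: str, key: bytes, now: int) -> bool:
        if now <= DEADLINE or bidder not in self.sealed:
            return False  # no opening while bidding is still open
        sealed = self.sealed[bidder]
        # Any change to the stored ciphertext since submission breaks the commitment.
        if hashlib.sha256(sealed).hexdigest() != self.commitments[bidder]:
            return False
        try:
            self.opened[bidder] = open_bid(sealed, key)
        except ValueError:
            return False
        return True


def run_tender() -> dict:
    """Constructed tender: two bidders, one early key attempt, one tampered ciphertext.

    Returns the opened bids; both are readable only once the deadline has passed."""
    platform = Platform()
    bids = {"alpha": b"price=100000 EUR", "beta": b"price=95000 EUR"}  # constructed
    keys = {bidder: os.urandom(32) for bidder in bids}
    for bidder, bid in bids.items():
        assert platform.submit_sealed(bidder, seal_bid(bid, keys[bidder]), now=500)
    # A key offered before the deadline is refused: the operator still cannot read prices.
    assert not platform.submit_key("alpha", keys["alpha"], now=500)
    # A ciphertext altered in storage is caught by the commitment check at opening time.
    original = platform.sealed["beta"]
    platform.sealed["beta"] = original[:20] + bytes([original[20] ^ 1]) + original[21:]
    assert not platform.submit_key("beta", keys["beta"], now=DEADLINE + 1)
    platform.sealed["beta"] = original
    for bidder in bids:
        assert platform.submit_key(bidder, keys[bidder], now=DEADLINE + 1)
    return platform.opened


if __name__ == "__main__":
    print(run_tender())
```

The commitment stored alongside the ciphertext is what lets the authority later prove that the bid opened after the deadline is exactly the one received before it; the tag inside the sealed bid separately stops a bidder from "opening" to a different plaintext by supplying a different key.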

ITAS14 Arnd Weber

Source: PEPPOL project