CASE 8: Procurement of public key infrastructure

Transcription

1 CASE 8: Procurement of public key infrastructure Uni. Athens / CERES Country / region Netherlands Short description This is the case of an integrated central e-government infrastructure for issuing and using Public Key Certificates (PKC). These certificates allow any type of electronic transaction between citizens and public services or among the services of the public sector validated by electronic signature. The procurement involved the development, installation and maintenance of a top level system aiming at servicing the entire public administration. The innovative aspect of the procurement was that an integrated infrastructure was set up, allowing each public employee and each citizen to be e-authenticated in order to access this infrastructure using public key certificates. Another innovative aspect is that the infrastructure was consistent with both the European (developed by EESSI) and international standards (mostly developed by IETF). This condition allows the generalised use of the service, while it assures full compatibility, meaning that any authorised certificate service provider (CSP) can join the system. The technology existed by the time of the procurement, but the standardisation process was still evolving and it was the first time that a system like that had to be developed to serve applications of such a large scale. The company selected to implement the project is the PinkRoccade. The budget allocated was Euro (excluding VAT) including: the initial investment for the creation of the PKI root infrastructure and operational costs for a 6 year period. Procuring agency and policy background The procurement was part of the actions of the Dutch government for the modernisation of the public sector. A task force, PKIoverheid, was set up in 1999 to develop the requirements (Programma van Eisen) for the public key infrastructure (PKI). The introduction of such an infrastructure was mandatory according to the Directive 1999/93/EU for the application of electronic signatures in the public sector. The standards were developed by the ICT Standards Board (ICTSB) in the context of the European Electronic Signature Standardisation Initiative (EESSI). The PKIoverheid was later incorporated into a broader organisation created in 2001 by the Dutch Ministry of the Interior named ICTU (Information and Communications 3

2 Technology Unit). The ICTU was entrusted with the structural development of e- government. Its main aim is to advise the public sector on ICT applications and to implement large scale ICT projects on behalf of the Dutch government. Each one of its programmes focuses in the interaction between government and citizens enabled by ICTs. In this context, ICTU is responsible for the organisation and implementation of ICT public procurement, complying with the European Directives and the national legal framework. The success and impact The project succeeded in technological terms and the diffusion of the system in the entire public sector is now taking place: The PKI is increasingly being used in securing websites of the municipalities, government agencies and other public sector sites. PKI government certificates are currently being used by the healthcare personnel (400,000 people) and all Defence Department personnel (100,000 people), while by 2006 PKI certificates will be included in the electronic citizen ID card and a rollout of several million people is expected. An additional indication of success (leading to higher utilisation) was the inclusion of the certificate of the Dutch government PKI in the most recent versions of the most popular web-browsers (MS Internet Explorer, Mozilla Firefox) as a trusted certificate.1 The management skills and the expertise of the ICTU have been well recognised and ICTU experts are frequently invited to speak in seminars and expert groups on PKI and e-authentication. Procurement cycle Identification of requirements The Taskforce PKIoverheid during conducted a demand analysis in the public sector. This information was utilised for the establishment of the technological requirements, along with the list of requirements set up by careful analysis of the European standards of EESSI (where members of the Taskforce participated actively). The final description of the technological requirements was prepared by the Taskforce PKIoverheid in cooperation with external experts. Market intelligence (market research etc.) Taskforce PKIoverheid during made the necessary market and product research. The Taskforce cooperated with the TTP.NL project, which constituted a 1 Not all public key certificates are supported by the web browsers, which means that they don t allow the encryption to take place in the corresponding computer. Including the Dutch certificate demonstrates both its potential and the determination of the Dutch government to make it as user friendly as possible.

3 voluntary accreditation scheme for electronic signature service providers in the Netherlands and also performed trial audits in several organisations. Through the TTP.NL project, the Taskforce PKIoverheid was kept informed on market developments. The authentication mechanisms of the new infrastructure constituted at that time an untested technology. Despite the technological risks associated with the early stage of the standards, ICTU supported the procurement based on the assessment that the full exploitation of the potential of the new technology would lead to the minimisation of bureaucratic processes and the effective transaction within and with the public sector. The establishment of a secure system allowing for the electronic exchange of official public documents and their verification with electronic signature was considered as an integral part of this effort. This assessment was based on a demand level analysis. A working group composed of legal and technical experts was set up in order to tackle all technical issues concerning the establishment of the infrastructure and to secure the feasibility of the project in terms of compliance with the legal and institutional framework (governing public sector operations and data protection etc). Tendering process The tendering process was implemented by Taskforce PKIoverheid in cooperation with the Ministry of Interior (BZK). The Taskforce first determined whether the installation, maintenance and operation of the PKI could be assigned to an existing government organisation, but eventually it was decided to proceed with a public tender. Potential suppliers were asked to provide a plan for implementing a secure PKI root infrastructure. In cooperation with internal and external experts employed in the project for nine months, the Taskforce organised the tendering material and process. The set of technical requirements was already prepared, so, more effort was placed upon the preparation of a model agreement that was describing all legal requirements, including security guarantees and liability qualities of the tenderer. The degree of compliance of this model agreement was part of the selection criteria (see below). An international call for tenders was published in the Journal of Official Publications of the European Union at the end of December Assessing/awarding For the assessment of the contract the Taskforce PKIoverheid in cooperation with the Ministry of Interior employed a number of internal and external evaluators. The set of the evaluation criteria was divided into three sections: 1. Accomplishment of the technical requirements: The tenderer should prove his experience and provide a coherent proposal on how he was going to fulfil the 5

4 technical and operational requirements of the project. 2. Financial issues: For the financial evaluation two separate cost drivers were considered: (a) costs related to the initial provision and overall technical support on PKI and (b) variable costs depending on to the amount of certificates issued. 3. Compliance with the model agreement: The tenderer should prove how he could accomplish the requirements of the articles of the agreement, especially as far as liability and security guarantees are concerned. The security guarantees by the service provider (rather than cost effectiveness) was the most significant criterion for the selection of the supplier. Contracting and management of the contract From the received tenders the company of PinkRoccade Infrastructure services was selected to host the root infrastructure, due to their proven track record of secure and reliable e-government services and PKI technology. The contract (in the form of a Service Level Agreement) was signed in August 2002 between the PinkRoccade and the Ministry of Interior. PinkRoccade had to supply the root certificate (a kind of electronic authentication seal attached to each new key certificate produced) and the central infrastructure. The duration of the contract was 6 years. A few months later, in December 2002, the root certificate for the Dutch government PKI was generated at PinkRoccade and used to sign the domain certificates of the Government, Business and Citizen domains. The monitoring mechanism includes the following: The submission to the PKIoverheid of monthly reports by PinkRoccade in which the company provides detailed evidence on its compliance with the Service Level Agreement. There are periodic meetings (about 2-3 times per year) between PKIoverheid and PinkRoccade representatives to discuss the status of the infrastructure. During these meetings PKIoverheid also checks the log files (track record of log-ins and certificates issued) kept by PinkRoccade. Independent auditors conduct annual WebTrust audits of the root infrastructure. Since the PKIoverheid infrastructure is also used for confidential electronic communication within the government, the Dutch Intelligence Service (AIVD) periodically audits the root infrastructure to ensure its security. Major reason for success 1. The system conformed to the requirements set by the 'Programma van Eisen' aiming at wide scale applications. This had not been done before elsewhere since most other national PKI's were based on a single, government owned monolithic certificate service provider, issuing certificates to the public.

5 2. The root certificate of the Dutch government PKI was recognisable and operational over web browsers such as Microsoft Internet Explorer and Mozilla, allowing for the wide diffusion of the technology among users. It is the first time that a national government root has been granted this feature. This is proved to be a very user-friendly characteristic in order to make the Dutch government PKI a widely used and trusted infrastructure. 3. The fact that the Ministry was prepared to finance the maintenance of the PKI for several years until the technology matures and a market emerges. Major impediments overcome For the procurement, the ICTU and the PKIoverheid had to work with standards and specifications which were still under development and not yet finalised by the European standardization institutes. The internal assessment helped overcome this impediment. It took time for the PKI to become a technology that was actually considered useful and necessary. At earlier stages PKIoverheid taskforce accepted significant negative publicity; it was not until very recently that the policy authorities and the wider public endorsed this innovative public spending. Major lessons to be learned 1. When implementing a large project involving the procurement of a nascent or unproven technology, government sponsoring and political support is of great importance. In this case the Ministry of Interior was prepared to finance and promote the project long enough, until the technology matured. A crucial question is how patient the procurer should be. Although there is no general optimum level of time-to-performance for a technology involving public spending, some guidelines are needed as to how patient clients could and should be. This is a major trade off that innovative procurement is required to look at. 2. When implementing an e-government tool for (in this case) e-authentication, it is very important for the success of the project that there are also practical business-cases in which the tool can be used. If there are no previous applications of the tool before its roll out, there is a very large likelihood of failure. PKIoverheid faced this problem until in recent years a stronger focus on user authentication and security has created viable business cases. 3. In the case of projects aiming at the development of tools or standards for digital security, it is very important that government bodies at a higher level stimulate the use of these tools / standards or (preferably) that their use is mandated in laws or regulations as a means to create a market. Otherwise government organisations will be very slow to adopt new security measures for which they see little usefulness and which they consider as expensive and restrictive. 7

6