
Context: DigiD is the Dutch national infrastructure for authenticating to government (and semi-government) services. It's used for anything from doing taxes to checking the status of your pension.

The company that basically runs it for the government is being sold to an American investment company, which brings with it obvious national security risks.



Oh, the joys of public infrastructure privatization...

There's a lesson to be learnt here, extending beyond digital infrastructures.

The Dutch government should have outsourced DigiD hosting to SURF [1] which already had extensive experience with cloud services and is virtually immune to foreign influence.

[1] https://www.surf.nl/


Yes but our government was deeply neoliberal, pushed for by the VVD party and obsessed with privatisation and markets. This is what caused this mess and many others.

They also adore the US (as an example Mark Rutte, the current NATO boss was their foreman and prime minister for a decade) so dependency on the US was never a problem for them until 2025 when Trump turned against his allies.


Are there not already risks that exist from it relying on US run devices?


Obviously (Example: Zivver [1]). But that doesn't mean we have to make it worse. It means we need to tackle those risks.

[1] https://news.ycombinator.com/item?id=46262524


Yes, but I like to think the hacker community is persistent enough that if there were backdoors embedded in US or Chinese made hardware, it would have been found already.

Then again, they never found out about the Crypto AG communications backdoor (https://en.wikipedia.org/wiki/Crypto_AG) until 2018 as far as I know. Or they did know but since it's CIA they allowed it.


A backdoor could be introduced at any time by a software update.

Cutting off updates would leave devices insecure.

Do some devices not have remote disabling as a security feature?

A lot of devices and software store or backup to cloud servers.


Well, it took Juniper only 2 years to find, in 2015, the likely NSA-implanted backdoors in their firewalls. Then the weakened Dual EC DRBG was found.

Now (2023/2025) another two have been found.

Cisco equipment has been intercepted and implanted in the past.

So definitely "the community" can find things, sometimes it just takes ages.

And to add to your Crypto AG, Anom was also a nice example of a sting like this.


The company that runs it for the government, or the company who owns it for the government?

If the government owns the infrastructure, but outsources the day-to-day running to a company that's one thing. But if the infrastructure is owned by the third party then that's a lot harder to deal with.


> If the government owns the infrastructure, but outsources the day-to-day running to a company that's one thing

This is still very problematic. To be honest, even using foreign hardware or proprietary software is problematic. But you should reduce dependence as much as possible because it is a huge vector that, should the foreign government decide to turn on you openly or secretly, could bring you down before you have a chance to detect what is happening. I believe wars between developed countries will operate at this level (i.e. by targeting foreign dependency chains, whether it be national systems for ID or simply cutting undersea cables).


I agree that it's still problematic. But you can recover from that by hiring your own staff and slowly taking over the running of the system. No doubt there would be issues, but it would be doable.

Recovering from "Your critical national infrastructure is physically owned by someone else" is much trickier.


It is kind of a sticky situation for the country that is debating data sovereignty.


The key issue here and in many similar cases is for governments to define what they mean by sovereignty. Because if it means not only ownership but also keeping it out of outsiders' control, then it means that governments will by necessity have to get involved in the data ownership and data sharing arrangements of the companies that run and manage their systems. Trust is eroding quickly.


