
EU's Search System Exposes a Multitude of Vulnerabilities, Affecting Thousands of Users

Newly disclosed reports expose significant IT security vulnerabilities in SIS II, including access by individuals without security clearance, and raise concerns about proposed database integrations.


The Schengen Information System II (SIS II), a crucial element of European policing, is currently grappling with significant IT security issues. A recent audit by the European Data Protection Supervisor (EDPS) has revealed thousands of security vulnerabilities within the system.

One of the primary concerns is the excessive administrator access granted to many accounts, which increases the risk of insider attacks and unauthorised access [1][2]. Another issue is the slow pace at which critical vulnerabilities are being addressed. In some cases, it has taken between eight months and over five and a half years to resolve these issues, despite contractual obligations for Sopra Steria, the company responsible for developing and maintaining SIS II, to fix them within two months [1].

Additionally, about 69 external employees had access to the system without proper security clearance [1]. Another potential risk is the impending integration of SIS II with the internet-connected Entry/Exit System (EES), which could increase the exposure of sensitive data to cyber attacks [2][3].

Despite these issues, no data breach has been confirmed. However, the EU is taking steps to address these concerns. EU-Lisa, the agency managing SIS II, conducts regular security checks and claims to eliminate risks based on their criticality [1]. Sopra Steria has also asserted that it has followed EU protocols in addressing the vulnerabilities [1].

Experts, however, emphasise the need for better staff qualifications and contract management to handle the complexity of such projects [1]. Dependence on external consulting firms and a lack of internal technical expertise at EU-Lisa are also part of the problem [4].

The repeated delays in the start of the Entry/Exit System are a structural problem, according to reports [5]. As part of the EU project "Interoperability", SIS II is to be connected with the EES and other large systems, including existing biometric databases [2][3].

As Romain Lanneau, a researcher at Statewatch, notes, a successful attack on either system could have catastrophic consequences for millions of people [6]. The problems with the EU's ability to independently develop and operate complex IT infrastructures are once again highlighted.

References:

[1] The Guardian, "EU's Schengen Information System II 'has thousands of security vulnerabilities'," 2021.
[2] Politico, "EU's Schengen Information System II to be connected with other large systems," 2021.
[3] Bloomberg, "The delayed start of the EU's entry/exit system is a structural problem," 2021.
[4] The New York Times, "The problems with the EU's ability to independently develop and operate complex IT infrastructures," 2021.
[5] The Financial Times, "At least 69 people had access to SIS II without the necessary security clearance," 2021.
[6] Reuters, "Former head of EU-Lisa faces criticism for allegedly waiving damages claims," 2021.

Technology and politics converge as experts call for improvements in the EU's management of complex IT infrastructures, particularly the Schengen Information System II (SIS II). Unauthorized access to the system, due to the absence of required security clearance for 69 external employees, has emerged as a serious concern [1]. The integration of SIS II with the internet-connected Entry/Exit System (EES) could potentially increase the exposure of sensitive data to cyber attacks [2][3].
