German Spy Agency Wants To Buy Zero-Day Vulnerabilities In Order To Undermine SSL Security
from the is-that-really-a-good-idea? dept
The newspaper Süddeutsche Zeitung reports that the German spy agency BND will spend €28 million on what it calls its ‘Strategic Technical Initiative’ (SIT, from the German Strategische Initiative Technik) next year, and that it has asked the German government for a further €300 million (original in German). The Germany edition of the English-language news site “The Local” explains how the money will be used:
The aim of the programme is to penetrate foreign social networks and create an early warning system for cyber attacks.
Government spokesman Steffen Seibert confirmed to dpa on Monday that the BND had worked with French computer security firm Vupen, which is known to sell details of security holes to governments, in the past.
Techdirt has written about Vupen a couple of times recently, and emphasized why buying such zero-day vulnerabilities for surveillance purposes, without passing them on to be fixed, makes the Internet much less safe for everyone. According to a related story in Der Spiegel (original in German), the BND hopes to use zero-days to undermine the main encryption technology used to protect online communications, the Secure Sockets Layer (SSL) protocol (strictly, its successor TLS, though “SSL” remains the common name). As The Local writes:
The programme to penetrate SSL, codenamed Nitidezza, would also target the HTTPS protocol which is the standard for many banks, online shops, webmail providers and social networks.
“Holes in SSL need to be patched [fixed] because it is ubiquitous and everyone depends on it for their security,” said Jim Killock of London-based digital rights NGO Open Rights Group.
“There is a real risk that failing to fix problems means criminal gangs will seek to obtain the same data using the same defects.”
SIT means that not only will the privacy of millions of people be at risk, but so will their economic activities and those of all the companies that rely on SSL to carry out online transactions.
The BND’s move is particularly worrying, since it could well encourage spy agencies in other nations to follow suit, starting a bidding war for serious software flaws. That, in turn, will encourage even more people to find and sell zero-days rather than report them, reducing security online for everyone, since an unpatched flaw is just as usable by criminals as by the agency that bought it. It’s probably too much to hope that government agencies would ever agree to give up acquiring and using software bugs in this way, but they should at least be required to limit their use so as to minimize the serious harm they could wreak across the entire Internet.