German spy agency wants to buy and use 0-day bugs

The Bundesnachrichtendienst (BND) – Germany’s Federal Intelligence Service – has asked a parliamentary oversight committee for big money to buy vulnerabilities on the open market, the Sueddeutsche Zeitung reported (via Google Translate) on Monday.

This wouldn’t be a very important piece of news were it not for the fact that they are looking to acquire bugs in order to use them themselves and not to share the information with software developers and the public.

According to a confidential report seen by the newspaper’s reporters, the agency is asking for a total of €300 million to finance its Strategic Technical Initiative (SIT) over the next 5 years (€28 million in 2015).

The SIT program has been established to, among other things, find security holes in the SSL and HTTPS protocols, which are used by banks and e-commerce sites to secure transactions, and by social networks and other online services to secure access to users’ accounts.

The BND is also looking to set up an early warning system for cyber attacks and a honeypot, as well as to hire more IT professionals whose task will be to keep government networks safe by identifying software vulnerabilities themselves.

Finally, they want to set up a system for monitoring activity on social networks in real time to gain a more accurate picture of the situation abroad. The monitoring would be limited to data from non-German users – information written in the German language or coming from German locations would be discarded by specially set up filters.

These revelations have drawn criticism from various parties, including the Chaos Computer Club. “The proposed acquisition and sale of vulnerabilities by the BND would not only be legally questionable in several ways, but would also be a direct and deliberate damage to the German economy,” noted (via Google Translate) CCC spokesman Dirk Engling.

He said that the BND’s thirst for exploitable vulnerabilities is a serious encroachment on fundamental rights. Users will be unable to defend themselves not only against spying, but also against cyber criminals who will take advantage of bugs that the government knows about but chooses not to disclose publicly.

He pointed out that the money for these vulnerabilities comes from the taxpayers, and that it’s better to spend it on software audits.

Stefan Körner, the president of the German Pirate Party, noted that “if this is the strategy of the government for our security, we should fear them and their intelligence agencies more than the danger of cyber-terror that they’re always hyping.”