IT security gaps: how far can the state go?



Exclusive

Status: 07.09.2021 6:00 p.m.

Can the state take advantage of IT security gaps? The Federal Constitutional Court demands clarification. According to research by WDR, NDR and “Süddeutsche Zeitung”, there are already plans.

By Florian Flade, WDR, and Georg Mascolo, NDR / WDR

They are in great demand, and some of them cost millions: security gaps in IT systems, known in English as “exploits”. These programming errors allow hackers to penetrate computers or smartphones unnoticed. Anyone who knows about such a gap can secretly install spy software and monitor encrypted communication. Knowledge of the weak points is therefore valuable, for criminals as well as for secret services and the police.

Not only has a lucrative market developed around the security gaps – but also a heated debate: Should the state report such vulnerabilities to software manufacturers and ensure that they are closed as soon as possible? Or should authorities be allowed to take advantage of the “zero days” themselves in order to be able to carry out surveillance measures secretly? The state should protect its citizens – and at the same time ensure a secure network.

Pressure by decision from Karlsruhe

A decision by the Federal Constitutional Court now forces the federal government to act. The case concerned a complaint against the police law in Baden-Württemberg. The Chaos Computer Club Stuttgart was one of the plaintiffs who, with the constitutional complaint, wanted to overturn so-called source telecommunications surveillance, in which government agencies exploit weaknesses in software to carry out surveillance measures.

In June, the Karlsruhe judges finally rejected the complaint, finding that it was not adequately substantiated. However, they also made it clear that there could be no “business as usual” when exploiting IT weaknesses. “The fundamental legal duty to protect” requires a regulation as to how the “conflict of aims between protecting information technology systems from third-party attacks by means of unknown IT security gaps on the one hand and keeping such gaps open to enable a source TKÜ serving to avert danger on the other hand is to be resolved in accordance with fundamental rights”, says the decision of the court with the file number 1 BvR 2771/18.

The Greens and the FDP want clarity

Now a regulation has to be found, a “weak point management”. The next federal government must establish such a process at the latest. The topic may also become relevant for upcoming coalition negotiations, because the Greens and FDP have been pushing for a clear guideline for some time.

“The issue must be at the top of the agenda at the beginning of the next electoral term,” says Konstantin von Notz, the Greens parliamentary deputy in the Bundestag. “With all understanding for the wishes of the security authorities, from an IT security point of view, there can only be one opinion” – namely the fastest possible repair of gaps, “which often endanger the IT security of millions of users worldwide”.

Decision postponed again and again

So far, however, the grand coalition had repeatedly avoided making decisions about IT security gaps. According to research by WDR, NDR and “Süddeutsche Zeitung”, plans for this have nevertheless existed for some time. They were developed in the Federal Ministry of the Interior and stipulate that the security authorities who want to hack computers and smartphones should reach a decision in a secret meeting with the Federal Office for Information Security (BSI), which is responsible for IT security.

Which IT weaknesses should be used “responsibly” for surveillance measures – and which should be closed as quickly as possible because they pose a threat to the general public? If the experts cannot agree, the political level should decide, according to the previous plans, which are also known to the Chancellery, the Ministry of Foreign Affairs, the Ministry of Defense and the Ministry of Justice.

Already hackers in the service of the BND

A similar process with regard to the use of security holes already exists in Germany in a somewhat slimmed-down format. The Federal Intelligence Service (BND) employs hackers who work on cyber tools and also use them. For some time now, the service has been telling the Federal Chancellery which weaknesses it is exploiting. It is not known whether the spies have ever been banned from using such a loophole.

In the past few weeks, the Federal Ministry of the Interior has contacted the federal states, above all Baden-Württemberg. It is said to have asked that the states not rush to introduce regulations of their own at the state level, but that a common approach be agreed. The topic will soon also be brought up at the Conference of Interior Ministers.

USA as a possible model

The model of the German “weak point management” is supposed to be a procedure from the USA, where the secret services and police authorities have had to present to a committee since 2008 which IT security gap they would like to exploit and why. These weaknesses should only be allowed to be exploited after approval has been granted. How effective the procedure actually is, however, can hardly be verified. Everything takes place in secret.
