We all benefit from a secure and reliable digital infrastructure. It ensures the protection of sensitive personal data, security, business secrets and the national interest. It is essential for the protection of free communication and privacy. As a consequence, any vulnerability should be patched immediately. This is obviously only possible when unknown vulnerabilities are disclosed responsibly. Keeping a vulnerability under wraps is patently irresponsible: it may be found simultaneously by others who abuse it, for example to steal sensitive information or to attack other devices.
Unfortunately, the Dutch government takes a weaker and more dangerous approach. In a statement released on 8 November (Dutch), the government said it may keep unknown vulnerabilities in software and hardware available for use by the police and intelligence services. It seems that the statement has been drafted with the intention to leave as much room as possible for the police to hack into devices all over the internet.
Most importantly, the statement lacks a much needed vision. As society increasingly relies on the availability and security of our digital infrastructure, a clear vision on the government’s role is necessary. This is especially true now that governments regularly make proposals that can have a high impact on the trust in our digital systems.
The statement fails to address all of the relevant aspects of the security problems it raises. For example, the government focuses only on the situation where a police or intelligence service accidentally stumbles on an unknown vulnerability. It ignores the fact that such vulnerabilities may be acquired on the black market, or that they may be shared amongst intelligence services.
Another area where the statement is far from complete: the application of such vulnerabilities by the police is discussed only in the context of the proposed power to hack into computers (Dutch). The government conveniently ignores the fact that the police use technology for extracting data from confiscated mobile phones with special forensic devices. Those devices make use of unknown vulnerabilities in order to be able to access the phones. This means that the Dutch government is using unknown vulnerabilities on a daily basis and is thereby supporting the shady market for those vulnerabilities.
The Dutch government goes to great lengths to explain that it put a lot of thought into deciding whether to disclose an unknown vulnerability or to withhold it and thereby keep it for exploitation. The list of possible reasons for not disclosing a vulnerability is long, not exhaustive, and the criteria are formulated rather vaguely. For example: “Delaying the disclosure of information about an unknown vulnerability in software that is widely used is not reasonable.” Nor is it excluded.
And last but not least, the government claims there is sufficient oversight of the police and intelligence services. When the police use such an unknown vulnerability, oversight is in the hands of the public prosecutor, which cannot be called an independent party. The Review Committee for the Intelligence and Security Services (CTIVD) is responsible for the oversight of the Dutch intelligence services. Although it operates fairly independently, its oversight happens only after the vulnerability has already been used.
The government should do all that is in its power to make our digital infrastructure as secure as possible. The Dutch government is capable of doing that: earlier this year the government said no to weakening encryption. A similar approach should also apply here: all unknown vulnerabilities should be reported immediately to the manufacturer. The police should have powers that facilitate criminal investigations, but they should not be allowed to hack computers over the internet using technical vulnerabilities.