Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.
Dr. Sven Herpig heads international cyber security policy at the German tech think tank Stiftung Neue Verantwortung in Berlin. You can follow him @z_edian.
The German government’s approach to cybersecurity has shifted in the last two years. In the past, Berlin focused its efforts primarily on defense—protecting German networks from compromise. Now, the country has a unified cyber command in the armed forces and Ministry of Defense, an agency responsible for developing and buying hacking tools and services for law enforcement and intelligence agencies, and an open debate on the use of offensive cyber capabilities, disguised as “active cyber defense.” Just last week, the government announced the creation of a new agency devoted to funding cutting-edge research on offensive and defensive cyber tools.
The government’s new focus on the use of offensive cyber tools rests on its ability to identify and exploit vulnerabilities in hardware, software and online services. It might need to acquire and use very potent and dangerous vulnerabilities, so-called zero-days, to compromise high value targets in military or clandestine cyber operations. Some of the most valuable and most effective vulnerabilities are those that affect widely-used software (e.g. Windows, Android, iOS), but for military and intelligence operations that also includes vulnerabilities in industrial control systems and military-specific hardware and software.
This puts a government like Germany’s in a bind. The vulnerabilities it seeks to exploit for offensive purposes could also be used by state actors, criminals, and others against it, as well as against domestic companies, utilities, and citizens. Private companies, critical infrastructure operators, and the general public therefore have a vested interest in how their government handles and exploits vulnerabilities in widely-used products. Governments also require some entities to protect critical infrastructure and sensitive personal information, which can be put at risk if a government-identified vulnerability escapes into the wild. Hardware vendors, software vendors, and providers of online services have an incentive to identify and fix vulnerabilities in their products in order to provide a secure service and prevent reputational and financial harm. The private sector and the public would like to use secure devices and services to avoid falling victim to cyber espionage and crime, as well as to simply communicate freely and confidentially.
In general, the internet ecosystem benefits more from the patching of vulnerabilities than it does from their use. As a result, government policy should be to disclose them unless there is a specific, justifiable reason for retaining and using them in law enforcement, intelligence or military programs. Assessing and managing the tradeoffs and various equities of civil liberties, commerce, public safety and IT security will not be an easy task. To address this challenge, Germany needs a regulatory framework, one which is proposed in a new report supported by the Transatlantic Cyber Forum.
The report proposes that a German vulnerabilities equities process (VEP) be weighted towards immediate vulnerability disclosure, with retention authorized only under specific circumstances and only for limited periods of time. The report suggests an institutional structure, a decision-making process, and critical indicators for evaluating vulnerabilities and deciding whether they are immediately disclosed to the manufacturer or temporarily retained for their operational value. To ensure that this process improves overall public security, the German VEP should be equipped with three essential safeguards: (1) parliamentary oversight, (2) annual transparency reports, and (3) extraordinary security mechanisms to protect retained vulnerabilities from unauthorized access.
The proposal for a German VEP is modeled on a similar policy in the United States, which the White House made public last year, but differs in some critical respects. Unlike the U.S. VEP, Germany’s VEP should be enshrined in law and subject to parliamentary oversight and an annual transparency report. It also contains more detail on the individual indicators used to assess vulnerabilities, such as their operational value, their severity, and the range of affected products. Although the U.S. VEP might include those specifics, they have not been made public.
Unregulated use of vulnerabilities will likely lead to reduced overall security. With its new, slightly more offensive posture in cyberspace, it is about time for Germany to review the implications of its approach and acknowledge that setting up a governmental VEP in accordance with the principles laid out in the report is sensible and necessary to weigh the various equities at stake.