German spies want millions of Euros to buy zero-day code holes
Because once we own them, nobody else can ... oh, wait
Germany's spooks have come under fire for reportedly seeking funds to find bugs – not to fix them, but to hoard them.
According to The Süddeutsche Zeitung, the country's BND – its federal intelligence service – wants €300 million in funding for what it calls the Strategic Technical Initiative. The Local says €4.5 million of that will be spent seeking bugs in SSL and HTTPS.
The BND is shopping for zero-day bugs not to fix them, but to exploit them, the report claims, and that's drawn criticism from NGOs, the Pirate Party, and the Chaos Computer Club (CCC). German Pirate Party president Stefan Körner told The Local people should fear governments more than cyber-terror.
Körner is also critical of the strategy on the basis that governments shouldn't be helping fund the grey market for security vulnerabilities, a sentiment echoed by the CCC.
The CCC's Dirk Engling called the proposal legally questionable and damaging to the German economy. The SZ report also points out the serious risk that a zero-day bought on the black market will also be available for purchase by criminals for exploitation.
The BND proposal would seem to put it at odds with America's NSA, which put its hand on its heart last week and promised that it shares “most” of the bugs it finds so they can be fixed.
(The Register can't help but wonder if a partner agency hoarding bugs would be resisted by the NSA, or if it provides an escape clause to the promise to share bugs).
The BND also wants to spend €1.1 million to set up a honey-pot, and is in the early stages of conducting social network analysis, with a prototype program slated for completion by June 2015. ®