

How to dry up the market for IT security vulnerabilities

2022-11-26 10:49:31, erdgeist

The EU Parliament’s committee of enquiry into the state Trojan scandals has invited the Chaos Computer Club to help explain how private and state actors worldwide buy information about entry points for computer sabotage and hacking. The CCC makes four recommendations on how to finally dry up this dangerous black market.

On 24 November 2022, the EU Parliament’s PEGA committee of enquiry, which is investigating the scandals surrounding the use of state Trojans in Europe, looked into the black markets specializing in software and systems vulnerabilities. The Parliament itself is affected, as smartphones of MEPs have also been hacked and spied on with state Trojans.

Thorsten Schröder appeared as the expert witness for the Chaos Computer Club (CCC) at the committee hearing. We publish his statement to the PEGA committee (German, PDF).

If the EU Parliament wants to draw conclusions from the state Trojan scandals and finally curb the market for IT security vulnerabilities, the EU could take an important pioneering role. We propose the following measures:

Demands for sustainably safer computer systems for everyone

1) No illegalisation of security research

In order to curb the ongoing threat posed by a small and unscrupulous clique at the hubs of zero-day commerce, the criminalisation of security research through the so-called German „Hackerparagraph“ and comparable regulations in other countries must first be ended. Researchers who are branded as criminals for doing their IT security work are far more vulnerable to being recruited by real criminals.

2) End purchases by intelligence agencies and police institutions

The hoarding of unpatched IT security problems by various authorities makes the net and our computers an unsafe place for all of us. The illusion of being in sole possession of acquired information about vulnerabilities seems childish considering the real and widely documented damage done to journalists, lawyers and opposition figures in dictatorships around the world by the very same vulnerabilities.

The only real winners in this useless and counterproductive subsidisation of a shadow market in vulnerabilities are a bunch of morally jaded digital mercenaries. They provide zero-days to enemies of democracy around the world, but in the process they also supply common cybercriminals, for whom the crumbs falling from zero-day haggling are enough to instigate regular worldwide waves of blackmail Trojans.

3) Mandatory processes to immediately fix known vulnerabilities

All security vulnerabilities, regardless of how or to which government agency they became known, must be remedied immediately and in urgent cooperation with the manufacturer. In addition, all users of the affected projects and products must be required to apply the corrections quickly. This is the only way to ensure that the black market, which depends on the novelty of zero-days, is effectively left sitting on its rotten exploits from yesterday.

4) Set up a state-sponsored purchasing office to buy security vulnerabilities at market value

The EU must buy new zero-day exploits before they reach the black market, so that they can be closed immediately and without detours via intelligence services or police forces. As long as our authorities and the government agencies of other countries fuel the black market, there will always be hackers who put aside their moral concerns and sell their findings to the shady middlemen. Vulnerability information must be rewarded in a more financially attractive way than the zero-day black market can afford to pay.

Here, the EU can put up a protective shield with comparatively modest financial resources and buy the zero-days directly from researchers before they can even be developed into attack tools. Companies that specialise in so-called „weaponising“, i.e. developing knowledge about a security vulnerability into a ready-to-use infiltration tool, can be cut off in this way. Such a protective shield is certainly cheaper than the economic and political damage caused by unregulated or even subsidised zero-day exchanges.

Such bug bounty programmes are not new, but when used in a concerted manner, they can sustainably prevent the shady service providers from supplying dictators and cybercriminals with fresh sabotage tools.