Cybersecurity agency criticized as a double agent

The security cameras are seen in the Information Technology of Security Authorities headquarters in Munich
Watch the back door. Source: Reuters

Ten months before Anis Amri killed 12 people by driving a truck through a Berlin Christmas market last December, German police confiscated the Tunisian’s cellphone, which had 12,000 photos and videos stored on it. The police used a software program to trawl through them for suspicious images. Unfortunately, the software missed several photos showing him posing with weapons.

The case highlighted how crucial it is for security services to be equipped with well-functioning digital technology. To steel Germany’s defenses, Interior Minister Thomas de Maizière earlier this year founded a new cybersecurity agency called Zitis.

Its main job initially will be digital forensics, said head Wilfried Karl, referring to the analysis of large volumes of data. It will be a kind of trend scout, informing police and intelligence agencies about the latest developments in IT and encouraging companies to respond.

Mr. Karl’s most pressing problem is to find the right staff. There’s huge competition for IT specialists in the private sector and among government agencies, and they’ve got to be vetted extensively. Past contact with Russia, for example, immediately disqualifies candidates.

But staffing isn’t the only problem for the agency still getting up to speed. Zitis has already come under fire over its plans to detect security gaps in commercial software and exploit them to monitor terrorist communications. Zitis said it won’t use its hacking tools itself — rather it will hand them to other agencies that will seek legal authority to use them.

This means the state has taken on the role of a double agent. On the one hand Mr. Maizière has stated the government’s commitment to turn Germany into a “No. 1 IT security location.” But at the same time, Zitis will attempt to detect security loopholes and secretly share them with law enforcement.

Bitkom said government authorities mustn’t be given the power to force companies to build back doors into their IT services.

Security experts and politicians have attacked this dual role and pointed to the US, where hackers accessed National Security Agency data on such a security gap. Criminals then used the loophole to launch the WannaCry worm, a ransomware attack that locked up more than 200,000 computers globally in May.

There’s another concern: that the state could in the future force companies to create so-called back doors, deliberately designed security holes that would open software to authorities. Experts suspect the Chinese government has been requiring domestic IT manufacturers to do just that.

German IT industry association Bitkom said in a statement government authorities mustn’t be given the power to force companies to build back doors into their IT services.

The government has denied considering such a measure. But even if it doesn’t go that far, the prospect that Zitis will detect gaps and not make them public is bad in itself, companies have warned. Bitkom demands that state agencies be legally required to report gaps.

But Mr. Karl defended the agency. “Zitis won’t make any security gaps,” he said. “They’re always there, and companies and consumers should assume that. They must adjust their security strategy accordingly.”

Dana Heide is a political correspondent at Handelsblatt. To contact the author:

We hope you enjoyed this article

Make sure to sign up for our free newsletters too!