Secret Service should not decide for itself whether software vulnerabilities remain secret

Spread the love

The AIVD and MIVD are not allowed to keep to themselves previously undisclosed vulnerabilities in software that they discover. Someone else must determine whether vulnerabilities found should be reported, the Senate decided on Tuesday.

This control can, for example, concern the minister himself or a ‘sounding board group’, PvdA senator Klaas de Vries told Webwereld. His motion was passed on Tuesday in which the Senate calls for this to be done. Only the PVV voted against the motion.

A few weeks ago, Minister Ronald Plasterk said in the Senate that the secret services AIVD and MIVD themselves consider whether vulnerabilities should be shared with others. The services would in any case do that if a vulnerability threatens national security, Plasterk assured. In the new situation, vulnerabilities would still be kept secret, but it is no longer the secret service itself that decides whether a vulnerability should be shared.

Earlier, Plasterk said in the House of Representatives that vulnerabilities could be used to spy on hostile regimes. Vulnerabilities that have not yet been discovered, so-called zero days, are the most valuable: after all, those problems have not yet been patched and are therefore easier to abuse. Zero days were used, for example, in attacks on Iranian nuclear installations, probably by the United States.

You might also like