Despite its previously tough stance against encryption backdoors, the Netherlands has now given the green light for its secret services and police to exploit zero-day software vulnerabilities.
By Tina Amirtha for Benelux | December 6, 2016
Last month, the Netherlands government gave its police and central intelligence agency official approval to exploit zero-day vulnerabilities.
These hardware and software flaws, which are unknown to the public and often also to the product makers themselves, are seen by Dutch law-enforcement agencies as key tools in understanding potential cyberattacks.
But critics believe that allowing security agencies to exploit zero-days amounts to a license to conduct covert surveillance programs on the public.
Zero-day vulnerabilities can be unknown or known to manufacturers. In either case, the public is not aware of them until the manufacturer issues a software or firmware patch or update.
Manufacturers usually issue swift updates, but sometimes end users do not download them right away. The Dutch government will also allow law enforcement to exploit known vulnerabilities that users or manufacturers have left unpatched for a period.
In a memorandum to parliament, the Netherlands government called the use of hardware and software vulnerabilities by law enforcement an urgent matter of national security, as a growing number of criminals commit crimes via the internet.
As part of new guidelines, government officials are required to make any newly discovered zero-day vulnerability known to the Dutch National Cyber Security Centre, or NCSC, under a “responsible disclosure” policy. In turn, the NCSC will notify the manufacturer of the flaw.
The new zero-day ruling is a U-turn for the government’s stance on backdoors. In December last year, the Dutch voted to make the public’s digital infrastructure more secure and prevent backdoors by funding three different open-source encryption projects.