The Federal Criminal Police Office of Germany, also known as the BKA, is looking to hire software engineers who can develop remote computer surveillance technologies for use in criminal investigations.
According to a recruitment announcement posted last Thursday on the BKA website, the job involves developing software that meets the technical requirements to allow “covert police access to remote computer systems.”
Candidates are expected to have very good knowledge of C++, low-level programming, system driver development, networking and Internet protocols, object-oriented software development and software modelling standards.
However, the BKA wants more than just a good developer. As well as programming skills, they want someone who knows the security mechanisms of Windows and other operating systems and who has experience with finding software vulnerabilities.
Law enforcement and intelligence agencies from around the world are increasingly using computer surveillance or monitoring software in their investigations. However, such tools are usually licensed from private companies that specialize in their development.
“An in-house hacking capability that could create custom cyber-surveillance tools for the BKA has potential advantages in the area of secrecy,” Stephen Cobb, a security evangelist at antivirus vendor ESET, said Tuesday via email. “Commercial tools are typically sold to more than one client and become known if the vendor is not careful.”
“Licensing a commercial tool also creates a paper trail that may come to light while the origins of an internally developed tool may be easier to hide,” Cobb said.
The security of such software could be another reason why a law enforcement agency like the BKA might want to handle its development internally.
A computer Trojan believed to have been developed by a German company called DigiTask for use by the BKA in criminal investigations was discovered in Germany last year.
According to the Chaos Computer Club, a well-known European hacker club, the Trojan had security holes that could have allowed attackers to take control of the monitored systems or submit fake data to the authorities.
Law enforcement, military and defense people are incapable of grasping that digital tools or weapons are inherently harder to control and contain than physical ones, Cobb said. “The risk of blow-back is exponentially greater when dealing with a weapon of which a million perfect copies can be created and shipped to anywhere on the planet, in seconds, at zero cost,” he said.
Following the discovery of the German Trojan program last year, many antivirus vendors added detection for it in their products, which most likely impacted the ability of law enforcement agencies to use it.
“If AV companies aren’t in the loop on specific tools, they’re going to detect them as some form of spyware (if they detect them at all),” David Harley, a senior research fellow at ESET, said Tuesday via email. “If law enforcement agencies do approach the security industry, the precise response will vary according to circumstances, but ignoring policeware by request is both ethically and technically problematic, because a security company can’t usually tell whether a specific instance of the software is legitimate or not.”
Harley believes the use of such tools is justified if done in a lawful manner. “It’s analogous to wiretapping done in accordance with due legal process (e.g. where an appropriate warrant has been issued), and it’s perfectly logical to employ people who are familiar – or can be trained to be familiar – with the technology,” he said.
A spokeswoman from the BKA Press and Information Office declined to comment about the job posting.
(Loek Essers in Amsterdam contributed to this story.)