The trade in exploits, i.e. ways and means of exploiting known and unknown security holes, is large and extremely lucrative. Many government agencies now buy such tools from private companies, also in order to use them offensively against third parties. The industry sometimes has little hesitation in selling to authoritarian regimes. The German start-up Go Root wanted to do it differently and failed, as research by Spiegel and Bavarian Broadcasting shows. The reluctance of the German state is also said to have contributed to this.
The two media outlets evaluated internal documents and spoke to those involved, gaining an insight into the naturally rather closed world of such specialized companies. According to them, Go Root was founded in 2017 and marketed its products at military conferences, but also to German authorities and armaments companies.
Attack yes, but morally clean
According to the documents, products were offered that could paralyze the data networks of entire regions. Beyond that, the company apparently had plenty more in its quiver for a more offensive strategy. For this purpose, employees were recruited from competitors, who developed suitable tools within a few months that were then to be adapted to customer requirements. A promise that allegedly attracted some talent: to work only with reliable partners who were also legitimate under German law. This excludes authoritarian states, which often use such tools against domestic opponents.
One of the co-founders of Go Root was Sandro Gaycken, who not only published a book of the same name on the subject of cyberwar but was also a NATO advisor and advised the federal government on cybersecurity. He has often publicly advocated an offensive cybersecurity strategy. In an article on the BND scandal in 2015, he defended US espionage in German companies as “arms control” and denied any suspicion of industrial espionage.
SAP in sight
Go Root also had rather delicate projects in mind for the German economy. According to Spiegel, there were considerations to spy on SAP databases, but also to encrypt them and thereby paralyze them. In view of the numerous SAP customers worldwide, not only large companies but also numerous authorities, this would be a far-reaching attack tool.
It is unclear whether such software actually existed or was even used. According to Gaycken, the project was “never made functional” and an SAP product was “never developed, offered or sold”. However, the advanced thought experiment suggests that potential gaps were known or at least suspected. Accordingly, the question now arises of what happens to this knowledge.
Despite good contacts, Go Root’s backers soon lost interest and there was a lack of orders. The company was therefore to be either sold or made to cooperate with other companies. Interested parties from the Arab states are also said to have existed. Co-founder Gaycken warned internally of the possible legal consequences, soon thereafter resigned from management and left the company in a dispute. Many of the recruited specialists followed him. Now, Go Root is marketing itself more as a traditional security company, not without referring to the world’s best ethical hackers.
No success with high standards
Why Go Root ultimately failed with its concept, although it apparently fit into the current strategy of German security authorities, is not entirely clear. After all, even German authorities are publicly not averse to explicitly exploiting security loopholes for their own purposes. With the Central Office for Information Technology in the Security Sector (Zitis), for example, a “hacker authority” has been created which is subordinate to the Ministry of the Interior; Interior Minister Seehofer wants to “promote the responsible handling of 0-day vulnerabilities and exploits”.
According to Spiegel, the Bundeswehr’s “Cyber and Information Room Command” said that the applications were not yet fully developed or did not deliver what was promised. Go Root, on the other hand, announced that the “business model could not be successfully implemented under the high ethical and compliance guidelines it had set itself”. According to Gaycken, the German authorities were rather too slow and inflexible “for agile cooperation”.