GCHQ opens up about concealing cyber threats from global community

In a series of publications from GCHQ and the NCSC, security directors explain why and how it keeps security threats a secret

Aerial shot of GCHQ's building

GCHQ and NCSC have revealed that when they encounter vulnerabilities in its tech, including the technology that other government departments and some businesses use, they don't always inform the vendor.

In an impressive display in transparency, the two national security agencies said that during daily operations, analysts working at GCHQ or other areas of government sometimes encounter vulnerabilities and while its default stance on the situation is to notify the vendor as soon as practicable, "sometimes - after weighing up the implications - we decide to keep the fact of the vulnerability secret and develop intelligence capabilities with it".

Advertisement - Article continues below

Stockpiling exploits doesn't have a strong history. Most recently, the WannaCry ransomware, which cost the NHS an estimated 92 million, was so successful as a result of stolen exploit information from the NSA. While the NCSC understands that its process might not be met with everyone's approval, the logic is sound.

"We've tried to make the description of the process as simple as possible to show the important characteristics," said Ian Levy, Technical Director at the NCSC in a blog post.

"We say our default position is to disclose the problem and there has to be a very good reason not to - either an overriding intelligence case or the fact that disclosing could reduce the security of people who use the product - and we really do mean it."

Advertisement - Article continues below

Levy says that the decision not to disclose a tech vulnerability that could leave businesses open to attack is not an easy one, but a necessary one. To make the difficult decision, it has a codified process called the 'Equity Process'.

The Equity Process

There are three separate bodies by which decisions must have approval before they are made. The Equities Technical Panel (ETP), The GCHQ Equity Board (EB) and The Equities Oversight Committee all consist of industry experts and NCSC representatives are involved at all stages. All decisions are reviewed within twelve months and sooner if new evidence is acquired. The decision pathway is illustrated below.

A set of decision criteria are used and the decision on whether to retain or release known vulnerabilities must be considered on the basis of: 

Advertisement - Article continues below

1) Exploring routes to mitigate the vulnerability, would the release of it be at the detriment of national security?

2) Consideration of value to intelligence, is it worth keeping a secret?

3) Consideration of the potential risk to the UK and its allies in not releasing it

Essentially, decisions are made on the balance of potential damage. If the NCSC believes that knowledge of the vulnerability could be used to the UK's advantage, then it's retained, if not, then it's released.

"Some people will say that we don't need this process and that we should just disclose everything. In my opinion, that's nave - and I don't think it's got much to do with the NCSC being part of GCHQ and the wider UK intelligence community," Levy said.

"If we were separate, the rest of the community would still do vulnerability research and we would be much less likely to see those vulnerabilities and have a voice in how they're handled, so the UK would likely be at a greater security risk. But the NCSC is integral to the process and our job is to minimize the harm that cyber attacks can cause to the UK, and to also make the UK the safest place to live and do business online."

Benefits of non-disclosure

While it understands that businesses, hospitals, government departments and private citizens could be left vulnerable to attacks as a result of its silence, GCHQ ensures that the same vulnerabilities could be used to gain actionable intelligence. This means terrorist groups and child exploitation rings could be discovered and neutralised.

In the age where cyber intelligence is the deciding difference between having a bomb detonate in a school and the arrest of the bomber, there's an argument that it's paramount trust is placed in UK security services.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now



What is cyber warfare?

16 Mar 2020
video conferencing

Zoom 5.0 adds 256-bit encryption to address security concerns

23 Apr 2020

WhatsApp flaw leaves users open to 'shoulder surfing' attacks

21 Apr 2020
cyber security

Microsoft AI can detect security flaws with 99% accuracy

20 Apr 2020

Most Popular


Nokia breaks 5G record with speeds nearing 5Gbps

20 May 2020
cloud computing

Microsoft launches public cloud service for health care

21 May 2020
video conferencing

House of Commons to ditch Zoom in favour of British alternative

11 May 2020