GCHQ opens up about concealing cyber threats from global community

In a series of publications from GCHQ and the NCSC, security directors explain why and how it keeps security threats a secret

Aerial shot of GCHQ's building

GCHQ and NCSC have revealed that when they encounter vulnerabilities in its tech, including the technology that other government departments and some businesses use, they don't always inform the vendor.

In an impressive display in transparency, the two national security agencies said that during daily operations, analysts working at GCHQ or other areas of government sometimes encounter vulnerabilities and while its default stance on the situation is to notify the vendor as soon as practicable, "sometimes - after weighing up the implications - we decide to keep the fact of the vulnerability secret and develop intelligence capabilities with it".

Stockpiling exploits doesn't have a strong history. Most recently, the WannaCry ransomware, which cost the NHS an estimated 92 million, was so successful as a result of stolen exploit information from the NSA. While the NCSC understands that its process might not be met with everyone's approval, the logic is sound.

"We've tried to make the description of the process as simple as possible to show the important characteristics," said Ian Levy, Technical Director at the NCSC in a blog post.

Advertisement - Article continues below
Advertisement - Article continues below

"We say our default position is to disclose the problem and there has to be a very good reason not to - either an overriding intelligence case or the fact that disclosing could reduce the security of people who use the product - and we really do mean it."

Levy says that the decision not to disclose a tech vulnerability that could leave businesses open to attack is not an easy one, but a necessary one. To make the difficult decision, it has a codified process called the 'Equity Process'.

The Equity Process

There are three separate bodies by which decisions must have approval before they are made. The Equities Technical Panel (ETP), The GCHQ Equity Board (EB) and The Equities Oversight Committee all consist of industry experts and NCSC representatives are involved at all stages. All decisions are reviewed within twelve months and sooner if new evidence is acquired. The decision pathway is illustrated below.

A set of decision criteria are used and the decision on whether to retain or release known vulnerabilities must be considered on the basis of: 

1) Exploring routes to mitigate the vulnerability, would the release of it be at the detriment of national security?

2) Consideration of value to intelligence, is it worth keeping a secret?

Advertisement - Article continues below

3) Consideration of the potential risk to the UK and its allies in not releasing it

Essentially, decisions are made on the balance of potential damage. If the NCSC believes that knowledge of the vulnerability could be used to the UK's advantage, then it's retained, if not, then it's released.

"Some people will say that we don't need this process and that we should just disclose everything. In my opinion, that's nave - and I don't think it's got much to do with the NCSC being part of GCHQ and the wider UK intelligence community," Levy said.

"If we were separate, the rest of the community would still do vulnerability research and we would be much less likely to see those vulnerabilities and have a voice in how they're handled, so the UK would likely be at a greater security risk. But the NCSC is integral to the process and our job is to minimize the harm that cyber attacks can cause to the UK, and to also make the UK the safest place to live and do business online."

Benefits of non-disclosure

While it understands that businesses, hospitals, government departments and private citizens could be left vulnerable to attacks as a result of its silence, GCHQ ensures that the same vulnerabilities could be used to gain actionable intelligence. This means terrorist groups and child exploitation rings could be discovered and neutralised.

In the age where cyber intelligence is the deciding difference between having a bomb detonate in a school and the arrest of the bomber, there's an argument that it's paramount trust is placed in UK security services.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now



What is cyber warfare?

20 Sep 2019
cyber security

GCHQ boss says UK must be vigilant againt Chinese tech firms

25 Feb 2019
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020
mergers and acquisitions

Xerox to nominate directors to HP's board – reports

22 Jan 2020