GCHQ opens up about concealing cyber threats from global community

In a series of publications from GCHQ and the NCSC, security directors explain why and how it keeps security threats a secret

Aerial shot of GCHQ's building

GCHQ and NCSC have revealed that when they encounter vulnerabilities in its tech, including the technology that other government departments and some businesses use, they don't always inform the vendor.

In an impressive display in transparency, the two national security agencies said that during daily operations, analysts working at GCHQ or other areas of government sometimes encounter vulnerabilities and while its default stance on the situation is to notify the vendor as soon as practicable, "sometimes - after weighing up the implications - we decide to keep the fact of the vulnerability secret and develop intelligence capabilities with it".

Stockpiling exploits doesn't have a strong history. Most recently, the WannaCry ransomware, which cost the NHS an estimated 92 million, was so successful as a result of stolen exploit information from the NSA. While the NCSC understands that its process might not be met with everyone's approval, the logic is sound.

"We've tried to make the description of the process as simple as possible to show the important characteristics," said Ian Levy, Technical Director at the NCSC in a blog post.

"We say our default position is to disclose the problem and there has to be a very good reason not to - either an overriding intelligence case or the fact that disclosing could reduce the security of people who use the product - and we really do mean it."

Levy says that the decision not to disclose a tech vulnerability that could leave businesses open to attack is not an easy one, but a necessary one. To make the difficult decision, it has a codified process called the 'Equity Process'.

The Equity Process

There are three separate bodies by which decisions must have approval before they are made. The Equities Technical Panel (ETP), The GCHQ Equity Board (EB) and The Equities Oversight Committee all consist of industry experts and NCSC representatives are involved at all stages. All decisions are reviewed within twelve months and sooner if new evidence is acquired. The decision pathway is illustrated below.

A set of decision criteria are used and the decision on whether to retain or release known vulnerabilities must be considered on the basis of: 

1) Exploring routes to mitigate the vulnerability, would the release of it be at the detriment of national security?

2) Consideration of value to intelligence, is it worth keeping a secret?

3) Consideration of the potential risk to the UK and its allies in not releasing it

Essentially, decisions are made on the balance of potential damage. If the NCSC believes that knowledge of the vulnerability could be used to the UK's advantage, then it's retained, if not, then it's released.

"Some people will say that we don't need this process and that we should just disclose everything. In my opinion, that's nave - and I don't think it's got much to do with the NCSC being part of GCHQ and the wider UK intelligence community," Levy said.

"If we were separate, the rest of the community would still do vulnerability research and we would be much less likely to see those vulnerabilities and have a voice in how they're handled, so the UK would likely be at a greater security risk. But the NCSC is integral to the process and our job is to minimize the harm that cyber attacks can cause to the UK, and to also make the UK the safest place to live and do business online."

Benefits of non-disclosure

While it understands that businesses, hospitals, government departments and private citizens could be left vulnerable to attacks as a result of its silence, GCHQ ensures that the same vulnerabilities could be used to gain actionable intelligence. This means terrorist groups and child exploitation rings could be discovered and neutralised.

In the age where cyber intelligence is the deciding difference between having a bomb detonate in a school and the arrest of the bomber, there's an argument that it's paramount trust is placed in UK security services.

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

What is cyber warfare?
Security

What is cyber warfare?

22 Sep 2020
Lookout reveals mobile-first endpoint detection and response solution
Security

Lookout reveals mobile-first endpoint detection and response solution

21 Oct 2020
Cisco finds an increase in security concerns due to remote working
Security

Cisco finds an increase in security concerns due to remote working

21 Oct 2020
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

21 Oct 2020

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
The enemy of security is complexity
Sponsored

The enemy of security is complexity

9 Oct 2020
What is a 502 bad gateway and how do you fix it?
web hosting

What is a 502 bad gateway and how do you fix it?

5 Oct 2020