GCHQ opens up about concealing cyber threats from global community

In a series of publications from GCHQ and the NCSC, security directors explain why and how it keeps security threats a secret

Aerial shot of GCHQ's building

GCHQ and NCSC have revealed that when they encounter vulnerabilities in its tech, including the technology that other government departments and some businesses use, they don't always inform the vendor.

In an impressive display in transparency, the two national security agencies said that during daily operations, analysts working at GCHQ or other areas of government sometimes encounter vulnerabilities and while its default stance on the situation is to notify the vendor as soon as practicable, "sometimes - after weighing up the implications - we decide to keep the fact of the vulnerability secret and develop intelligence capabilities with it".

Advertisement - Article continues below

Stockpiling exploits doesn't have a strong history. Most recently, the WannaCry ransomware, which cost the NHS an estimated 92 million, was so successful as a result of stolen exploit information from the NSA. While the NCSC understands that its process might not be met with everyone's approval, the logic is sound.

"We've tried to make the description of the process as simple as possible to show the important characteristics," said Ian Levy, Technical Director at the NCSC in a blog post.

"We say our default position is to disclose the problem and there has to be a very good reason not to - either an overriding intelligence case or the fact that disclosing could reduce the security of people who use the product - and we really do mean it."

Advertisement - Article continues below

Levy says that the decision not to disclose a tech vulnerability that could leave businesses open to attack is not an easy one, but a necessary one. To make the difficult decision, it has a codified process called the 'Equity Process'.

The Equity Process

There are three separate bodies by which decisions must have approval before they are made. The Equities Technical Panel (ETP), The GCHQ Equity Board (EB) and The Equities Oversight Committee all consist of industry experts and NCSC representatives are involved at all stages. All decisions are reviewed within twelve months and sooner if new evidence is acquired. The decision pathway is illustrated below.

A set of decision criteria are used and the decision on whether to retain or release known vulnerabilities must be considered on the basis of: 

Advertisement - Article continues below

1) Exploring routes to mitigate the vulnerability, would the release of it be at the detriment of national security?

2) Consideration of value to intelligence, is it worth keeping a secret?

3) Consideration of the potential risk to the UK and its allies in not releasing it

Essentially, decisions are made on the balance of potential damage. If the NCSC believes that knowledge of the vulnerability could be used to the UK's advantage, then it's retained, if not, then it's released.

"Some people will say that we don't need this process and that we should just disclose everything. In my opinion, that's nave - and I don't think it's got much to do with the NCSC being part of GCHQ and the wider UK intelligence community," Levy said.

"If we were separate, the rest of the community would still do vulnerability research and we would be much less likely to see those vulnerabilities and have a voice in how they're handled, so the UK would likely be at a greater security risk. But the NCSC is integral to the process and our job is to minimize the harm that cyber attacks can cause to the UK, and to also make the UK the safest place to live and do business online."

Benefits of non-disclosure

While it understands that businesses, hospitals, government departments and private citizens could be left vulnerable to attacks as a result of its silence, GCHQ ensures that the same vulnerabilities could be used to gain actionable intelligence. This means terrorist groups and child exploitation rings could be discovered and neutralised.

In the age where cyber intelligence is the deciding difference between having a bomb detonate in a school and the arrest of the bomber, there's an argument that it's paramount trust is placed in UK security services.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now



What is cyber warfare?

16 Mar 2020

10 quick tips to identifying phishing emails

16 Mar 2020
mergers and acquisitions

Panda Security to be acquired by WatchGuard

9 Mar 2020
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Most Popular

Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020
video conferencing

Zoom beams iOS user data to Facebook for targeted ads

27 Mar 2020

These are the companies offering free software during the coronavirus crisis

25 Mar 2020
Mobile Phones

Apple lifts iPhone purchase restrictions

23 Mar 2020