GCHQ reveals why it keeps some software vulnerabilities secret
GCHQ has revealed how it makes decisions over which software vulnerabilities to keep secret.
According to the agency’s defensive arm, the National Cyber Security Centre (NCSC), the default position when a vulnerability is discovered is to try to get the flaw fixed – but this isn’t always in the UK’s interest.
It was previously known that flaws might be kept secret to use the information to hack back into the computers of those responsible – but the agency has now explained the checks and balances behind this.
The process for how the UK handles vulnerabilities has been made public more than a year after the US published its own. The British document is considerably shorter than the 14-page one published by the Americans.
It aims to ensure that achieving national security objectives is not hindered by the default position of disclosing the vulnerabilities.
But some security researchers and former members of the intelligence community say the disclosures may put too much of a burden on democratic governments and give an advantage to hostile states.
Vulnerabilities are flaws in computer systems which can be exploited by an attacker to make a system perform an action it would not otherwise do.
GCHQ said that “vulnerabilities may represent a risk to the security of systems in the UK and of our allies” but the same vulnerabilities “might provide a means by which the UK intelligence community could obtain vital intelligence”.
When a vulnerability is discovered, it is considered by a group of experts from across the UK’s intelligence community known as the Equities Technical Panel.
These experts consider if it would be in the national interest to retain the vulnerability and potentially exploit it – or to release it with the aim of getting it fixed.
If the members of the panel don’t agree about whether the vulnerability should be retained or not, the issue is escalated to the GCHQ Equity Board, and if this board doesn’t agree then the decision falls to the CEO of the National Cyber Security Centre.
The British process is similar to that of the US.
In an essay published with national security blog Lawfare, cyber security experts Dave Aitel and Matt Tait accused the US equities process of failing to protect the public and providing “thin public relations cover when the US government is questioned on its strategy around vulnerabilities”.
The pair noted that most security breaches don’t use the rare kinds of vulnerabilities being discovered by government researchers, but instead exploit software which was known to be flawed but had not been updated.
Even in the WannaCry and NotPetya attacks, a patch for the weakness exploited by the hackers had been available for weeks before the damage began to be done.
“If collectively we decide that the intelligence community should do more to help defend America online, they should be charged with helping companies develop systemic improvements against phishing or research anti-exploit techniques for major software.
“Insisting the government disclose zero-days one at a time, following some painstaking process, helps no one and hurts us all,” the pair argued.
One of the most damaging vulnerabilities to have been held by an intelligence agency in recent years affected something called SMBv1, a communications protocol widely used in Windows systems.
The vulnerability and a tool to exploit it called EternalBlue were kept secret by the US National Security Agency, but were stolen and released by a group calling itself the Shadow Brokers, which is suspected of connections to the Russian state.
The NSA has not said whether it disclosed the SMBv1 vulnerability to Microsoft, but after the Shadow Brokers’ action, the company issued an update patching the software flaw.
Despite this, it was exploited in two of the largest and most damaging cyber attacks in history – the WannaCry attack which crippled the NHS, and the NotPetya attack which wreaked havoc in Ukraine and elsewhere.
A spokesperson for GCHQ told Sky News: “If a similar vulnerability was discovered in the future we would disclose it. Worth remembering that Microsoft issued a patch for this back in March 2017 – the WannaCry attack happened in May 2017.”
Although the process only references vulnerabilities discovered internally by researchers working for the government, GCHQ acknowledged to Sky News that it does buy vulnerabilities from the market.
“If we do buy a vulnerability, it will go through the equities process,” a spokesperson said, adding: “Purchasing vulnerabilities provides us with a better understanding of the threats they pose.”