GCHQ has revealed for the first time how it researches vulnerabilities, claiming sometimes not to inform the vendor if a specific flaw could be used to its advantage.
The intelligence agency’s “Equities Process” involves a binary decision: disclose so a patch can be issued to improve the overall security of businesses and consumers, or hang on to it for reasons of national security.
“We say our default position is to disclose the problem and there has to be a very good reason not to — either an overriding intelligence case or the fact that disclosing could reduce the security of people who use the product — and we really do mean it,” explained Ian Levy, technical director of GCHQ’s National Cyber Security Centre (NCSC).
“Some people will say that we don’t need this process and that we should just disclose everything. In my opinion, that’s naïve — and I don’t think it’s got much to do with the NCSC being part of GCHQ and the wider UK intelligence community. If we were separate, the rest of the community would still do vulnerability research and we would be much less likely to see those vulnerabilities and have a voice in how they’re handled, so the UK would likely be at greater security risk.”
The NCSC was at pains to point out the checks and balances that exist in the process to ensure that non-disclosure is a decision taken only in exceptional circumstances. These include review by an Equities Technical Panel, an Equity Board and, finally, NCSC CEO Ciaran Martin.
Questions asked by these panels include: how likely it is that the vulnerability could be discovered and exploited by someone else; what sectors would be exposed if it is left unpatched; and what the potential damage could be if the flaw is exploited.
“This process is complex and sometimes quite nuanced, relying on expert judgement around very detailed technical issues,” said Levy. “That’s true across the range of our work, not just this process, and I make no apology for it — we’re proudly expert.”
The decision-making process is said to be similar to that of the US intelligence agencies.
Jake Moore, cybersecurity expert at ESET UK, warned that the impact of non-disclosure could be severe.
“Just look at WannaCry where [NSA exploit] EternalBlue was kept quiet prior to its fix,” he argued.
“There are inevitably many weaknesses in computer software and operating systems that are yet to be patched, some of which will be left unpatched for a considerable amount of time. Not highlighting this to the vulnerable companies at risk could give cyber-criminals many opportunities to attack.”
Russell Haworth, CEO of Nominet, argued that businesses should be more self-reliant.
“Retaining some knowledge can help GCHQ protect the nation in the future. This story underlines that businesses should be taking their own steps to protect themselves from potential threats, not relying on others,” he added.
“Responsibility for cybersecurity begins at home. There are lots of technologies that can help identify if your network has been compromised, and take action.”