“Our default is to tell the vendor and have them fix it. But sometimes, after weighing up the implications, we decide to keep the fact of the vulnerability secret and develop intelligence capabilities with it”
GCHQ and NCSC today for the first time published the decision making process they use to decide whether to retain a technology vulnerability for intelligence purposes, or disclose it to a vendor to be patched.
Release of the so-called Equities Process is a move of striking transparency for the traditionally secretive signals intelligence organisation. It comes amid growing pressure from vendors to disclose all such finds.
Equities Process: Wait, What?
The UK’s GCHQ, like other intelligence agencies globally, conducts vulnerability research – seeking out flaws in technology that can be exploited for intelligence purposes, either by malicious actors, or UK intelligence.
Many it refers back to vendors for “repair”; indeed the NCSC was named one of the top five bounty hunters under Microsoft’s “bug bounty” programme this year.
Some it holds on to for intelligence purposes.
However, such nation-state retention of so-called 0days (previously unknown vulnerabilities) has become increasingly controversial after 0days stockpiled by governments leaked into the wild and were weaponised by “bad actors”.
As Microsoft President Brad Smith last year put it: “The WannaCrypt exploits… were drawn from the exploits stolen from the National Security Agency, or NSA, in the United States. [They] provide yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern…”
He added: “Exploits in the hands of governments have leaked into the public domain and caused widespread damage. [We are calling for] governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.”
Jaya Baloo, the CISO of the Netherlands’ KPN Telecom, speaking at an event on critical infrastructure security earlier this year, was also blunt: “There is no vulnerabilities equity process. No sharing. If we want critical infrastructure security we need law enforcement and intelligence to share the info they know. Otherwise we are just creating both a white and a black market for vulnerabilities.”
GCHQ Equities Process: Intelligence Capabilities Have Their Place…
However, in a blog published alongside a description of the decision-making process by which GCHQ and the NCSC decide whether or not to disclose such finds, Dr Ian Levy, the NCSC’s technical director, said disclosing all finds would be “naive”.
He wrote: “Our default is to tell the vendor and have them fix it. But sometimes, after weighing up the implications, we decide to keep the fact of the vulnerability secret and develop intelligence capabilities with it.”
He added: “There has to be a very good reason not to – either an overriding intelligence case, or the fact that disclosing could reduce the security of people who use the product – and we really do mean it. From an NCSC point of view, some of our best technical folk are involved in the day-to-day decision making, and a couple of us not involved in the day-to-day process are available to the Equity Technical Panel and the Equity Board to provide senior, independent technical advice if necessary.
“We’ve also asked the Investigatory Powers Commissioner, who oversees the use of statutory powers by GCHQ, to provide oversight of the process we run to make sure we’re really taking the right things into account when making a decision. We think that provides world class assurance around this bit of our work,” he noted.
So, What’s the Process?
There has to be “a clear and overriding national security benefit in retaining a vulnerability”, GCHQ said. It uses a trio of entities to help determine this (and has also adopted the ISO 29147 approach to vulnerability disclosure, it said).
1: The Equities Technical Panel (ETP), made up of a panel of subject matter experts from across the UK Intelligence Community including the NCSC.
2: The GCHQ Equity Board (EB), “which includes representation from other Government agencies and Departments as required”. This is chaired by “a senior civil servant with appropriate experience and expertise, usually drawn from the NCSC”.
3: The Equities Oversight Committee, chaired by the CEO of the NCSC, which “ensures the Equities Process is working… in accordance with specified procedures and which advises the NCSC’s CEO on equity decisions escalated from the Equity Board.”
In deciding whether to release or retain a vulnerability, GCHQ looks at these criteria:
Possible remediation. Consideration of the possible routes to mitigate the impact of the vulnerability, in particular focusing on whether there is a viable route to release, or whether releasing it would have a negative impact on national security.
Operational necessity. Consideration of the intelligence value to the UK in retaining the vulnerability, which includes the following questions:
- What operational value can be gained from this capability?
- What are the intelligence opportunities from this capability?
- How reliant are we on this vulnerability to realise intelligence?
- How likely is a disclosure to impact other operational capabilities or partners?
Defensive risk. An assessment of the impact on security of not releasing the vulnerability in the context of the UK and its allies, including Government departments, critical national infrastructure, companies and private citizens. This includes:
- How likely is it that this vulnerability is/could be discovered by someone else?
- How likely is it that this vulnerability could be exploited by someone else?
- What technology/sector is exposed if left unpatched?
- What is the potential damage if the vulnerability is exploited?
- Without a patch applied to the software, are other mitigation opportunities possible, such as configuration changes?
Ultimately, GCHQ concludes that although its starting point on discovering a vulnerability is to disclose it, retaining knowledge of the vulnerability “can be used to gather intelligence and disrupt the activities of those who seek to do the UK harm, including terror groups, serious and organised crime gangs, and malign states.”
It adds [the decision to retain a 0day] is “never taken lightly, and always involves a rigorous and objective assessment by a panel of world-leading experts from GCHQ, NCSC and the Ministry of Defence.”
Whether such publication is enough to persuade an increasingly vocal tech community of the benefits of vulnerability retention remains to be seen.