In a landmark move, the UK intelligence services unveiled on Thursday (29 November) the process by which they decide to disclose security vulnerabilities to technology firms. Not every weakness discovered in a system is always disclosed to the company in question, they revealed.
GCHQ and the National Cyber Security Centre (NCSC) follow an ‘equities process’ by which they determine if a security weakness warrants disclosure.
The metric used to determine whether the affected firm should be informed or not is whether the vulnerability could compromise national security.
The procedure states:
“Expert analysis, based on objective criteria, is undertaken to decide whether such vulnerabilities should be released to allow them to be mitigated or retained so that they can be used for intelligence purposes in the interests of the UK.”
This means that should the national security of the United Kingdom be judged to be at risk, then the equities process deems that GCHQ will not always inform the affected firm of the vulnerability.
In ‘retaining’ information concerning the vulnerability, UK authorities believe that such intelligence could be used to counter future malicious activity and cybercrime.
Need to know vs. national security
The unveiling of GCHQ’s strategy in this field comes over a year after the US published details on its own process, which is similar to the British approach in which the public’s “need to know” is weighed up against the government’s interest in keeping the information under wraps.
Sky News on Thursday drew attention to a recent essay published with national security blog Lawfare, in which the authors accused the US strategy of being a “deeply-flawed and problematic framework.”
The US government should seek to “utilize vulnerabilities for as long as possible and to disclose as infrequently as possible,” Dave Aitel and Matt Tait, the authors of the study, write.
A contrasting study, penned by Ari Schwartz and Rob Knake at the Harvard Kennedy School’s Belfer Center, calls for a greater degree of public scrutiny over the “high-level criteria that informs disclosure or retention decisions.”
UK at risk
GCHQ’s admission on Thursday comes after the UK’s joint committee on the National Security Structure published a damning report on Britain’s critical national infrastructure (CNI), in which cyber threats were identified across a number of sectors including energy, health services, transport and water.
The report stated that the UK government is not acting with the “urgency and forcefulness that the situation demands,” and that the critical national infrastructure is a “natural target for a major cyberattack.”
This study followed an earlier one produced by the World Economic Forum, which asked more than 12,500 executives around the world to select the global risks that pose the most significant concern for doing business within the next 10 years. In Europe, cyberattacks were deemed the most pressing threat.
EURACTIV spoke to the lead author of the report, Aengus Collins.
“2017 was a tipping point in the prevalence of cyberattacks in the EU,” he said. “The most significant of which was, of course, the WannaCry ransomware attack.”
Europol described the 2017 WannaCry cyberattack as “unprecedented” in scale after it had struck 200,000 computers across 150 countries.
The attack infected systems worldwide with ransomware that targeted Microsoft Windows operating systems.
The report highlights the fact that the WannaCry attack disrupted systems such as the UK’s National Health Service and German rail infrastructure, and that such targets help explain why cyberattacks were voted the most pressing issue for EU businesses.
The weaknesses exploited by WannaCry could have been patched long before the damage was done had the vulnerabilities been publicly disclosed by an intelligence agency, even though Microsoft had already issued a patch for the weakness.
A spokesperson for GCHQ informed Sky News that such an attack would be regarded as the type of vulnerability that the intelligence services would seek to inform bodies or firms about promptly. “If a similar vulnerability was discovered in the future we would disclose it,” they said.