GCHQ says national security interests determine vulnerability disclosure
29 November 2018
GCHQ, the UK’s premier intelligence agency, today revealed that even though its experts carry out detailed vulnerability research all the time, not all vulnerabilities are revealed and disclosing them depends upon the UK’s national security interests.
It disclosed that the UK intelligence community takes a decision on disclosing a vulnerability or retaining the knowledge of a vulnerability based on an Equities Process, which basically means that the intelligence community assesses the risks and benefits to both the UK’s intelligence requirements and the cyber security of the UK before deciding on disclosing or keeping a vulnerability secret.
Not all vulnerabilities can be disclosed
Dr Ian Levy, Technical Director of the NCSC, said in a blog post that even though the default position of GCHQ and its arms is to disclose a vulnerability to a company as it allows the company to fix the vulnerability before it is exploited, it may not disclose a vulnerability if there is either an overriding intelligence case or the fact that a disclosure could reduce the security of people who use the product.
“When we find a security problem, we need to decide what to do. Our default is to tell the vendor and have them fix it, but sometimes – after weighing up the implications – we decide to keep the fact of the vulnerability secret and develop intelligence capabilities with it.
“Some people will say that we don’t need this process and that we should just disclose everything. In my opinion, that’s naïve – and I don’t think it’s got much to do with the NCSC being part of GCHQ and the wider UK intelligence community.
“If we were separate, the rest of the community would still do vulnerability research and we would be much less likely to see those vulnerabilities and have a voice in how they’re handled, so the UK would likely be at greater security risk. But the NCSC is integral to the process and our job is to minimize the harm that cyber attacks can cause to the UK, and to also make the UK the safest place to live and do business online,” he wrote.
Strict vulnerability disclosure process in place
He added that since the disclosure of a vulnerability may not necessarily or materially change the security of a fundamentally insecure product, the intelligence community uses the vulnerability discovery to start a more strategic conversation with the company responsible for developing the product.
Also, whenever a decision needs to be made on not disclosing a particular vulnerability, it can only be put into effect if the Equity Technical Panel and the Equity Board are taken into confidence. In some cases, the decision-making is escalated from the Equity Board to Ciaran Martin, the chief of NCSC, who then decides on the matter after receiving inputs from the technical director on the technical ramifications of individual cases.
“This process is complex and sometimes quite nuanced, relying on expert judgement around very detailed technical issues. That’s true across the range of our work, not just this process, and I make no apology for it – we’re proudly expert,” Dr Levy added.