GCHQ: We don't tell tech companies about every software flaw

UK intelligence service details when it won't tell vendors that their software is vulnerable to attack and why that is.

The UK intelligence services have revealed how they choose which security vulnerabilities to reveal to technology vendors -- and which aren't disclosed because the UK's national interest is better served by what GCHQ describes as 'retaining' the knowledge.

For the first time ever, GCHQ and its cyber arm, the National Cyber Security Centre (NCSC), have revealed the equities process used to determine whether a newly discovered vulnerability is disclosed or not.

It ultimately means that sometimes GCHQ won't tell a company if their software is vulnerable to cyber attacks and hacking if it's deemed to be the better option for national security.

When a previously unknown vulnerability is discovered, the default position is to disclose it -- but if it serves the national interest, knowledge of the vulnerability may not be disclosed. GCHQ states that the decision to withhold vulnerabilities is not taken lightly and always involves 'rigorous assessment' by a panel of experts from GCHQ, the NCSC and the Ministry of Defence.

By 'retaining' knowledge of the vulnerability, GCHQ claims it can be used to gather intelligence and disrupt activities of those who seek to harm the UK, such as crime groups, hacking gangs and hostile nation-states. It's a controversial move; not alerting a vendor to a bug means leaving a serious software vulnerability unpatched, potentially putting users at risk if other hackers discover it as well.

Decisions are made on whether to release or retain vulnerabilities based on three broad criteria: possible remediation, operational necessity, and defensive risk.

Possible remediation examines what action can be taken to mitigate the impact of the vulnerability and whether releasing it would have a negative impact on national security -- for example, by providing information that attackers could use to conduct campaigns.

Operational necessity considers the intelligence value of the UK retaining information about the vulnerability, by examining the operational value and intelligence opportunities provided by retaining it, as well as questioning how vital retaining the vulnerability would be to aiding intelligence services and if disclosing it will impact the operational capabilities of partners.

GCHQ and the NCSC also examine the defensive risk of not releasing information about the vulnerability -- this applies to the security of everything, from government departments to critical national infrastructure, to private citizens, companies and other nations that could be impacted by retaining the vulnerability.

Questions asked when examining this include:

  • How likely is it that this vulnerability is/could be discovered by someone else?
  • How likely is it that this vulnerability could be exploited by someone else?
  • What technology/sector is exposed if left unpatched?
  • What is the potential damage if the vulnerability is exploited?
  • Without a patch applied to the software, are other mitigation opportunities possible, such as configuration changes?

"I hope the detail we've published today helps reassure people that we're doing our best in protecting the UK, including where vulnerabilities are found," said Ian Levy, technical director at the NCSC.

The status of a retained vulnerability is said to be regularly reviewed to ensure that withholding it is still the best course of action -- especially if new information comes to light.

However, GCHQ also admits there are exceptions that mean some vulnerabilities aren't subjected to the equities process, including when vulnerabilities have been subjected to a similar process by other nations then shared with the UK.

A vulnerability can also be retained if the software is no longer supported by the vendor, because if the vulnerability was made public, there'd be no means of patching systems to stop it from being exploited. GCHQ will also choose not to make vulnerabilities public if a device is deemed to be so insecure, it can't possibly be fixed -- something which the equities process refers to as 'secure by design'.

In the cases where vulnerabilities are disclosed, GCHQ will work alongside the vendor and won't publicly reveal it prior to mitigation being made available.

While GCHQ argues that some vulnerabilities need to be retained in order to aid the UK's national interests, the world has already seen the negative effects of what can happen when an undisclosed vulnerability finds its way into the wild.

The global WannaCry ransomware attack was powered by EternalBlue, a vulnerability used by US cyber intelligence. However, the vulnerability was leaked by hackers and, despite Microsoft releasing a patch to combat it, North Korea used EternalBlue to distribute WannaCry ransomware.

The leaked vulnerability was also exploited by Russian Military Intelligence to distribute NotPetya -- a second global cyber attack that also did significant amounts of damage.

EternalBlue is still used to power cyber attacks to this day, as despite the publicity around the vulnerability, there are still plenty of systems that haven't been patched. Therefore, it's entirely possible that by withholding vulnerabilities, governments could be putting people at risk from attackers.