GCHQ and NCSC have revealed that when they encounter vulnerabilities in its tech, including the technology that other government departments and some businesses use, they don't always inform the vendor.
In an impressive display in transparency, the two national security agencies said that during daily operations, analysts working at GCHQ or other areas of government sometimes encounter vulnerabilities and while its default stance on the situation is to notify the vendor as soon as practicable, "sometimes - after weighing up the implications - we decide to keep the fact of the vulnerability secret and develop intelligence capabilities with it".
Stockpiling exploits doesn't have a strong history. Most recently, the WannaCry ransomware, which cost the NHS an estimated 92 million, was so successful as a result of stolen exploit information from the NSA. While the NCSC understands that its process might not be met with everyone's approval, the logic is sound.
"We've tried to make the description of the process as simple as possible to show the important characteristics," said Ian Levy, Technical Director at the NCSC in a blog post.
"We say our default position is to disclose the problem and there has to be a very good reason not to - either an overriding intelligence case or the fact that disclosing could reduce the security of people who use the product - and we really do mean it."
Levy says that the decision not to disclose a tech vulnerability that could leave businesses open to attack is not an easy one, but a necessary one. To make the difficult decision, it has a codified process called the 'Equity Process'.
The Equity Process
There are three separate bodies by which decisions must have approval before they are made. The Equities Technical Panel (ETP), The GCHQ Equity Board (EB) and The Equities Oversight Committee all consist of industry experts and NCSC representatives are involved at all stages. All decisions are reviewed within twelve months and sooner if new evidence is acquired. The decision pathway is illustrated below.
A set of decision criteria are used and the decision on whether to retain or release known vulnerabilities must be considered on the basis of:
1) Exploring routes to mitigate the vulnerability, would the release of it be at the detriment of national security?
2) Consideration of value to intelligence, is it worth keeping a secret?
3) Consideration of the potential risk to the UK and its allies in not releasing it
Essentially, decisions are made on the balance of potential damage. If the NCSC believes that knowledge of the vulnerability could be used to the UK's advantage, then it's retained, if not, then it's released.
"Some people will say that we don't need this process and that we should just disclose everything. In my opinion, that's nave - and I don't think it's got much to do with the NCSC being part of GCHQ and the wider UK intelligence community," Levy said.
"If we were separate, the rest of the community would still do vulnerability research and we would be much less likely to see those vulnerabilities and have a voice in how they're handled, so the UK would likely be at a greater security risk. But the NCSC is integral to the process and our job is to minimize the harm that cyber attacks can cause to the UK, and to also make the UK the safest place to live and do business online."
Benefits of non-disclosure
While it understands that businesses, hospitals, government departments and private citizens could be left vulnerable to attacks as a result of its silence, GCHQ ensures that the same vulnerabilities could be used to gain actionable intelligence. This means terrorist groups and child exploitation rings could be discovered and neutralised.
In the age where cyber intelligence is the deciding difference between having a bomb detonate in a school and the arrest of the bomber, there's an argument that it's paramount trust is placed in UK security services.
