November 29, 2018 (updated 07 Jul 2022 11:14am)

Landmark GCHQ Publication Reveals Vulnerability Disclosure Process

"Our default is to tell the vendor and have them fix it. But sometimes, after weighing up the implications, we decide to keep the fact of the vulnerability secret and develop intelligence capabilities with it"

By CBR Staff Writer

GCHQ and the NCSC today for the first time published the decision-making process they use to decide whether to retain a technology vulnerability for intelligence purposes or disclose it to the vendor to be patched.

Release of the so-called Equities Process is a move of striking transparency for the traditionally secretive signals intelligence organisation. It comes amid growing pressure from vendors to disclose all such finds.

Equities Process: Wait, What?

The UK’s GCHQ, like other intelligence agencies globally, conducts vulnerability research – seeking out flaws in technology that can be exploited for intelligence purposes, either by malicious actors, or UK intelligence.

Many of these it refers back to vendors for “repair”; indeed, the NCSC was named one of the top five bounty hunters under Microsoft’s “bug bounty” programme this year.

Some it holds on to for intelligence purposes.

Such nation-state retention of so-called 0days (previously unknown vulnerabilities) has become increasingly controversial, however, after 0days stockpiled by governments leaked into the wild and were weaponised by “bad actors”.


As Microsoft President Brad Smith last year put it: “The WannaCrypt exploits… were drawn from the exploits stolen from the National Security Agency, or NSA, in the United States. [They] provide yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern…”


He added: “Exploits in the hands of governments have leaked into the public domain and caused widespread damage. [We are calling for] governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.”

Jaya Baloo, the CISO of the Netherlands’ KPN Telecom, speaking at an event on critical infrastructure security earlier this year, was also blunt: “There is no vulnerabilities equity process. No sharing. If we want critical infrastructure security we need law enforcement and intelligence to share the info they know. Otherwise we are just creating both a white and a black market for vulnerabilities.”

GCHQ Equities Process: Intelligence Capabilities Have Their Place…

However, in a blog published alongside the description of the decision-making process by which GCHQ and the NCSC decide whether or not to disclose such finds, Dr Ian Levy, the NCSC’s technical director, said disclosing all finds would be “naive”.

He wrote: “Our default is to tell the vendor and have them fix it. But sometimes, after weighing up the implications, we decide to keep the fact of the vulnerability secret and develop intelligence capabilities with it.”

He added: “There has to be a very good reason not to – either an overriding intelligence case, or the fact that disclosing could reduce the security of people who use the product – and we really do mean it. From an NCSC point of view, some of our best technical folk are involved in the day-to-day decision making, and a couple of us not involved in the day-to-day process are available to the Equity Technical Panel and the Equity Board to provide senior, independent technical advice if necessary.

“We’ve also asked the Investigatory Powers Commissioner, who oversees the use of statutory powers by GCHQ, to provide oversight of the process we run to make sure we’re really taking the right things into account when making a decision. We think that provides world class assurance around this bit of our work,” he noted.

(Image: The GCHQ Foyer)

So, What’s the Process?

There has to be “a clear and overriding national security benefit in retaining a vulnerability”, GCHQ said. It uses a trio of entities to help determine this (and has also adopted the ISO 29147 approach to vulnerability disclosure, it said).

1: The Equities Technical Panel (ETP), a panel of subject-matter experts from across the UK Intelligence Community, including the NCSC.

2: The GCHQ Equity Board (EB), “which includes representation from other Government agencies and Departments as required”. This is chaired by “a senior civil servant with appropriate experience and expertise, usually drawn from the NCSC”.

3: The Equities Oversight Committee, chaired by the CEO of the NCSC, which “ensures the Equities Process is working… in accordance with specified procedures and which advises the NCSC’s CEO on equity decisions escalated from the Equity Board.”

Decision Criteria

In deciding whether to release or retain a vulnerability, GCHQ looks at these criteria:

Possible remediation. Consideration of the possible routes to mitigate the impact of the vulnerability, in particular focusing on whether there is a viable route to release, or whether releasing it would have a negative impact on national security.

Operational necessity. Consideration of the intelligence value to the UK in retaining the vulnerability, which includes the following questions:

    • What operational value can be gained from this capability?
    • What are the intelligence opportunities from this capability?
    • How reliant are we on this vulnerability to realise intelligence?
    • How likely is a disclosure to impact other operational capabilities or partners?

Defensive risk. An assessment of the impact on security of not releasing the vulnerability in the context of the UK and its allies, including Government departments, critical national infrastructure, companies and private citizens. This includes:

    • How likely is it that this vulnerability is/could be discovered by someone else?
    • How likely is it that this vulnerability could be exploited by someone else?
    • What technology/sector is exposed if left unpatched?
    • What is the potential damage if the vulnerability is exploited?
    • Without a patch applied to the software are other mitigation opportunities possible such as configuration changes?

Ultimately, GCHQ concludes that, although its starting point on discovering a vulnerability is to disclose it, retaining knowledge of the vulnerability “can be used to gather intelligence and disrupt the activities of those who seek to do the UK harm, including terror groups, serious and organised crime gangs, and malign states.”

It adds [the decision to retain a 0day] is “never taken lightly, and always involves a rigorous and objective assessment by a panel of world-leading experts from GCHQ, NCSC and the Ministry of Defence.”

Whether such publication is enough to persuade an increasingly vocal tech community of the benefits of vulnerability retention remains to be seen.
