GCHQ explains how it decides whether to hoard or disclose zero-day vulnerabilities

GCHQ has published a series of documents shedding light for the first time on how it decides whether to retain or disclose zero-day vulnerabilities.

The publication of the “Equities Process” marks an attempt by the intelligence agency to increase transparency around the controversial practice of stockpiling exploits.

The move comes after the US government published a similar set of documents last year, having faced criticism for developing vulnerabilities which were subsequently leaked and used by hackers to build the WannaCry and EternalBlue ransomware viruses.

The key article outlining the Equities Process, which has been published on GCHQ’s website, reveals that the government’s default position is to disclose the vulnerability to the company behind the software in question.

But the government weighs three issues before deciding whether to disclose, the document reveals. The first is “possible remediation”, which involves assessing whether there is a “viable route to release, or whether releasing it would have a negative impact on national security”.

The second is “operational necessity”, an assessment of the “intelligence value” in retaining the vulnerability. This entails an evaluation of not just how useful the vulnerability could be to the UK, but also how likely a disclosure is to “impact other operational capabilities or partners”.

Finally, the government accounts for defensive risk, which involves examining “the impact on security of not releasing the vulnerability in the context of the UK and its allies, including Government departments, critical national infrastructure, companies and private citizens”. Those involved in the process ask how likely it is the vulnerability would be discovered and exploited, and what the potential damage would be if it was.

These decisions are made by three panels which follow a series of protocols detailed in the chart below. The Equities Technical Panel makes the first call on any vulnerability and features “subject matter experts from across the UK Intelligence Community including the NCSC”.

Equity Process Diagram

Two other boards, which are either chaired by or report to Ciaran Martin, chief executive of NCSC, are tasked with ruling on a vulnerability if the first panel does not reach a consensus on releasing it.

“To ensure that cyber security considerations are at the centre of this process, there are representatives from the NCSC involved in all stages and a dispute resolution role for the CEO of the NCSC,” GCHQ said. “In exceptional cases, the CEO of the NCSC may decide that further escalation via submissions to Director GCHQ and, if required, the Foreign Secretary should be invoked.”

In a blogpost, Ian Levy – the technical director of NCSC – acknowledged that “some people will say that we don’t need this process and that we should just disclose everything”. “In my opinion, that’s naïve – and I don’t think it’s got much to do with the NCSC being part of GCHQ and the wider UK intelligence community. If we were separate, the rest of the community would still do vulnerability research and we would be much less likely to see those vulnerabilities and have a voice in how they’re handled, so the UK would likely be at greater security risk.”

Speaking to NS Tech, Alan Woodward, a professor of cyber security at Surrey University, acknowledged that there has “always been a tension” between the desire to hoard vulnerabilities for espionage and ensuring people’s devices are secure.

“There has to be a process to decide what you’ve got to do,” he added. “It’s been very opaque in the past about how they decide what to do and when. This is a good first step in trying to make this as transparent a process as possible.”