A Simple Guide to GCHQ's Hacking Powers


We now know a lot more about GCHQ's hacking operations, and the details haven't come from Edward Snowden. New documents released by the government and privacy advocates have given us the first official glimpse of how GCHQ operates, with its hacking and encryption-weakening operations confirmed for the first time.

The details come from three new documents:

1. The Intelligence and Security Committee's (ISC) Report into the UK's security services.

2. The government's open response to the ISC report.

3. Documents from secret court proceedings released by Privacy International.

But what does all this new information mean? Below we answer the key questions, beginning with: what hacking powers does GCHQ have?

The spy agency has the power to hack into phones, computers and communications networks and is legally justified to hack anyone, according to privacy experts. GCHQ can also hack anyone, anywhere in the world, even if they are not suspected of any crime. Court documents released by Privacy International show GCHQ can carry out hacking on "individuals who are not intelligence targets in their own right". The privacy charity, which has launched legal action against the UK government and GCHQ, claims this allows GCHQ to hack people who are not targets.

The ISC report also shows for the first time that GCHQ uses security vulnerabilities, including zero-days, which use previously unknown weaknesses to attack software, for its operations. And what does GCHQ have to say about this? The spy agency says Privacy International's claims that its operations are unregulated are "simply untrue". 

A spokesperson for the spy agency said its operations were subject to "rigorous oversight", adding that its "operational processes rigorously support this position". GCHQ was unable to respond to individual issues raised due to its policy of not commenting on intelligence matters.

The agency's Edgehill decryption program, disclosed in documents released by Edward Snowden, revealed ambitions to crack encryption used by 15 major Internet companies and 300 virtual private networks (VPNs) by 2015. Cryptography experts have warned that such operations risk weakening online security for everyone.
 
Wired:
