GCHQ Doesn't Always Tell Vendors If Their Software Is Vulnerable

GCHQ has revealed that it doesn't always tell companies if their software is vulnerable to cyber-attacks.

The UK's government's intelligence and security organisation has said it will sometimes withhold the information to protect "national security interests".

GCHQ has made its decision-making process public for the first time.

The service has a team of researchers that find flaws in different types of computer software and systems, from the most popular used by millions of people to niche technical kit.

Factors that might lead to a weakness being kept secret are:

- There is no way to fix it
- The product is no longer supported
- The product is so poorly designed it can never be secure
- There is an overriding intelligence requirement that cannot be fulfilled in any other way

A statement published on the GCHQ and National Cyber Security Centre (NCSC) websites said on Thursday: "We've discovered vulnerabilities and informed the vendors of every major mobile and desktop platform for over 20 years.

"This work plays an important role in helping to secure the technology which underpins our economy and the everyday lives of millions of people in the UK and abroad.

"However, we do not disclose every vulnerability we find.

"In some cases, we judge that the UK's national security interests are better served by 'retaining' knowledge of a vulnerability."

The statement says the information can be used "to gather intelligence and disrupt the activities of those who seek to do the UK harm, including terror groups, serious and organised crime gangs, and malign states".

If there is an intelligence purpose it has to be in a current case or one in the near future, and it is kept under review.

The practice of retaining vulnerabilities sparked controversy in the US after information stolen from the National Security Agency was used to stage the massive WannaCry attack in 2017, which affected a number of organisations internationally including the NHS.

Microsoft president Brad Smith condemned US authorities for the process of "stockpiling vulnerabilities" after the attack - something GCHQ is adamant it does not do.

Mr Smith used a blog entry in May 2017 to call for governments to be forced to report issues to vendors, and said: "Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.

"An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen.

"The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world.

"We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits."

Earlier this year the tech giant named NCSC as one of its top five bounty hunters - researchers who find bugs and flag them up to the vendor.

Dr Ian Levy, technical director of the NCSC, said that if a vulnerability similar to the one exploited in the WannaCry attack was discovered in the future, it would "almost certainly" be flagged under the UK system.

He said: "Because it is quite highly wormable (capable of being turned into a malicious programme that spreads itself) we would have pushed for a disclosure. If a vulnerability similar to the one exploited in the WannaCry attack was discovered it would almost certainly have been disclosed in our process."

Sky News:

You Might Also Read:

EC-Council Sets New Application Security Training Standards

« Russian Hackers Are Using Brexit To Leverage Cyber Attacks
Surveillance Spyware Targeted At Journalists In Mexico »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

IPVanish

IPVanish

IPVanish has its roots in over 15 years of network management, IP services, and content delivery services. Now we're bringing these finely honed skills to VPN.

Cyberwatch

Cyberwatch

Cyberwatch is a Vulnerability Scanner & Fixer software that helps you to detect and fix the vulnerabilities of your Information System.

National Cyber Security Centre (NCSC) - Switzerland

National Cyber Security Centre (NCSC) - Switzerland

The National Cyber Security Centre is Swizerland's competence centre for cybersecurity and the first contact point for businesses, public administrations, and the public for cyber issues.

Secura

Secura

The Secura Cyber Security and Intelligence system predicts and prevents security threats by discovering hidden patterns through the meticulous analysis of large amounts of data.

ACPL Systems

ACPL Systems

We offer leading-edge technology solutions, expert professional and managed services and proven methodologies to ensure your data is protected and business risks are reduced.

CNA Insurance

CNA Insurance

CNA offers a market-leading suite of cyber liability insurance products and risk control resources for businesses of all sizes.

Altipeak Security

Altipeak Security

Altipeak Security provide Safewalk - a flexible and robust authentication platform through which we offer improved security to SMBs, corporates, banks, insurance companies, healthcare and more.

Accelerator Frankfurt

Accelerator Frankfurt

Accelerator Frankfurt is an independent go-to-market program focused on Fintech, Cybersecurity and Digital B2B startups.

Intechtel

Intechtel

Intechtel is a cyber security company, in addition to providing other internet, technology and telephone services.

LoughTec

LoughTec

LoughTec secure, manage and connect IT infrastructure for businesses and organisations throughout the UK and Republic of Ireland.

Sourcepass

Sourcepass

Sourcepass is an IT consulting company that focuses on providing expert IT services, cloud computing solutions, cybersecurity services, website, and application development.

Cyera

Cyera

Cyera is the data security company that gives businesses context and control over their most valuable asset: data.

Obscure Technologies

Obscure Technologies

Obscure Technologies is a firm of experts, specialised in brokering the best security solutions to market.

ThreatNix

ThreatNix

ThreatNix is a tight knit group of experienced security professionals who are committed to providing competent cybersecurity solutions that adhere to international standards.

Zeta Sky

Zeta Sky

Zeta Sky offers a full range of IT and cyber-security services for your business.

Glasstrail

Glasstrail

Glasstrail are single-minded about helping organisations gather intelligence and manage vulnerabilities in their attack surface before adversaries exploit them.

Proaxiom

Proaxiom

Proaxiom are focused on erasing cyber driven panic paralysis for Small and Medium Enterprises through brilliant cyber technologies which drive productivity and support growth.