Until 1994, GCHQ, the British signals intelligence agency, didn’t officially exist. Now, it has emerged out of the shadows to take a very public role at the heart of British cybersecurity.
Public accountability for intelligence services is crucial to any democracy but, as the recent WannaCry ransomware attack showed, there are inevitable conflicts of interest between the role of intelligence services and network safety.
The past seven years have seen a dramatic change in profile for GCHQ. While the number of police officers has been cut by 14 per cent since 2010, GCHQ’s staff numbers – according to the Home Office – have grown by more than ten per cent in the same period.
At the same time, it has been loaded with additional responsibilities, including the fight against distribution of child-abuse images on the dark web, money laundering and financial fraud.
Rapid increase in power
This was made official when, in February 2017, it assumed responsibility for making the UK “the safest place to do business online” through the National Cyber Security Centre (NCSC).
This rapid increase in power is the result of GCHQ’s own competence. A dearth of expertise in government has led to a reliance on the intelligence service to fill gaps.
However, one of the core roles of intelligence agencies is covert operations. Weaving public-safety responsibility into a secret and secretive operation is always likely to cause conflicts of interest. WannaCry was an example of a state-developed cyber weapon turned against its creators.
The core exploit, Eternal Blue, is believed to have been created by the US National Security Agency (NSA), who presumably intended to keep it secret. Then, in April 2017, it was leaked, along with a suite of hacking tools targeting Windows PCs.
The same leak contains powerful exploits that could be weaponised by state adversaries, organised crime or by anyone possessing basic technical knowledge – as we saw with the Petya ransomware attack in Eastern Europe.
Had the NSA chosen to inform Microsoft of the vulnerability, there would have been no Eternal Blue, and no WannaCry. But intelligence agencies have a different motivation: they want to keep such “zero-day” vulnerabilities secret for potential development into a cyber weapon.
This is the challenge the National Cyber Security Centre faces. By its own description, the NCSC was set up “to help protect our critical services from cyber attacks, managing major incidents and improve the underlying security of the UK internet”.
Even the best intelligence agencies are not invulnerable
Part of that would include informing suppliers such as Microsoft of the discovery of major vulnerabilities. But the NCSC cannot do that if it’s also hoarding vulnerabilities for its boss, GCHQ.
If security services could keep their secrets safe, perhaps none of this would be a problem. But the NSA’s leaks show that even the best intelligence agencies are not invulnerable to hacking.
Eternal Blue was published online by the mysterious group of hackers known as the Shadow Brokers, which began releasing secrets in 2015. Their drop followed a release by WikiLeaks of nearly 9,000 documents exposing hacks developed by the CIA.
We do not know how these details were released, but it’s easy to see how leaks could develop. Security professionals such as those at the NCSC believe strongly in their work combating threats to the safety of the network, so the practice of hoarding zero-day vulnerabilities would be troubling to them.
Within intelligence agencies such as GCHQ, it can be difficult to raise concerns internally, increasing the potential security threat from insiders. If an employee’s legitimate worries aren’t being heard, it could lead to whistle-blowing – with a disastrous impact on national security.
Loading responsibility for public cyber-safety on to the intelligence services is bad for both public safety and national security. It also risks diverting resources and energies away from national security and covert operations.
The WannaCry attack should provide an opportunity to separate two key roles: clandestine signals intelligence and the cyber security of the UK’s critical national infrastructure.
The best way to start: make the National Cyber Security Centre independent from GCHQ.
Emily Taylor, Associate Fellow, International Security.
This article was originally published by Wired Magazine.