GCHQ Doesn't Always Tell Vendors If Their Software Is Vulnerable

GCHQ has revealed that it doesn't always tell companies if their software is vulnerable to cyber-attacks.

The UK's government's intelligence and security organisation has said it will sometimes withhold the information to protect "national security interests".

GCHQ has made its decision-making process public for the first time.

The service has a team of researchers that find flaws in different types of computer software and systems, from the most popular used by millions of people to niche technical kit.

Factors that might lead to a weakness being kept secret are:

- There is no way to fix it
- The product is no longer supported
- The product is so poorly designed it can never be secure
- There is an overriding intelligence requirement that cannot be fulfilled in any other way

A statement published on the GCHQ and National Cyber Security Centre (NCSC) websites said on Thursday: "We've discovered vulnerabilities and informed the vendors of every major mobile and desktop platform for over 20 years.

"This work plays an important role in helping to secure the technology which underpins our economy and the everyday lives of millions of people in the UK and abroad.

"However, we do not disclose every vulnerability we find.

"In some cases, we judge that the UK's national security interests are better served by 'retaining' knowledge of a vulnerability."

The statement says the information can be used "to gather intelligence and disrupt the activities of those who seek to do the UK harm, including terror groups, serious and organised crime gangs, and malign states".

If there is an intelligence purpose it has to be in a current case or one in the near future, and it is kept under review.

The practice of retaining vulnerabilities sparked controversy in the US after information stolen from the National Security Agency was used to stage the massive WannaCry attack in 2017, which affected a number of organisations internationally including the NHS.

Microsoft president Brad Smith condemned US authorities for the process of "stockpiling vulnerabilities" after the attack - something GCHQ is adamant it does not do.

Mr Smith used a blog entry in May 2017 to call for governments to be forced to report issues to vendors, and said: "Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.

"An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen.

"The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world.

"We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits."

Earlier this year the tech giant named NCSC as one of its top five bounty hunters - researchers who find bugs and flag them up to the vendor.

Dr Ian Levy, technical director of the NCSC, said that if a vulnerability similar to the one exploited in the WannaCry attack was discovered in the future, it would "almost certainly" be flagged under the UK system.

He said: "Because it is quite highly wormable (capable of being turned into a malicious programme that spreads itself) we would have pushed for a disclosure. If a vulnerability similar to the one exploited in the WannaCry attack was discovered it would almost certainly have been disclosed in our process."

Sky News:

You Might Also Read:

EC-Council Sets New Application Security Training Standards

« Russian Hackers Are Using Brexit To Leverage Cyber Attacks
Surveillance Spyware Targeted At Journalists In Mexico »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Splunk

Splunk

Splunk provide real-time Security Information & Event Management solutions for Enterprise Networks, Cloud and small-scale IT environments

Lanner Electronics

Lanner Electronics

Lanner Electronics is a leading hardware provider for advanced network appliances and industrial automation solutions including cyber security.

United Nations Office on Drugs & Crime (UNODC)

United Nations Office on Drugs & Crime (UNODC)

UNODC promotes long-term and sustainable capacity building in the fight against cybercrime through supporting national structures and action.

Pryv

Pryv

Pryv is a Swissmade software for privacy, personal data collection, usage, sharing and storage.

The Legal 500

The Legal 500

The Legal 500 Hall of Fame highlights, to clients, the law firm partners who are at the pinnacle of the profession. Practice areas covered include Data Protection, Privacy and Cybersecurity.

African Cyber Security

African Cyber Security

African Cyber Security and it's partners, have the expertise and skills to provide holistic solutions for companies, institutions and government.

Ridge Canada Cyber Solutions

Ridge Canada Cyber Solutions

Ridge Canada helps insurance brokers and insurance buyers understand, evaluate, and secure cyber coverage that is tailored to their business.

Conseal Security

Conseal Security

Mobile app security testing done well. Conseal Security are specialists in mobile app penetration testing. Our expert-led security analysis quickly finds security vulnerabilities in your apps.

Forta

Forta

Forta is a real-time detection network for security & operational monitoring of blockchain activity.

Acrisure

Acrisure

Acrisure is powered by the best of human and high-tech and offers insurance, reinsurance, real estate, cyber and more solutions to millions of clients around the world.

PointWire

PointWire

PointWire offers a range of cybersecurity solutions and services including Penetration Testing on various levels, as well as Intrusion Detection and Prevention Systems.

Solcon Capital

Solcon Capital

Solcon Capital is a forward-looking, technology-focused investment firm that is committed to identifying and investing in the most promising areas of innovation and development in the tech industry.

Teleskope

Teleskope

Teleskope are on a mission to empower businesses to protect sensitive data by default.

Mindcore Technologies

Mindcore Technologies

Mindcore provide cyber security services, managed IT services and IT consulting services to businesses in NJ, FL, and throughout the United States.

Actelis Networks

Actelis Networks

Actelis Networks is a market leader in cyber-hardened, rapid deployment networking solutions for wide-area IoT applications.

Vault Cloud

Vault Cloud

Vault Cloud, Australia's National Cloud, is an Australian owned and operated company specialising in secure, sovereign, hyperscale cloud infrastructure.