GCHQ Doesn't Always Tell Vendors If Their Software Is Vulnerable

GCHQ has revealed that it doesn't always tell companies if their software is vulnerable to cyber-attacks.

The UK's government's intelligence and security organisation has said it will sometimes withhold the information to protect "national security interests".

GCHQ has made its decision-making process public for the first time.

The service has a team of researchers that find flaws in different types of computer software and systems, from the most popular used by millions of people to niche technical kit.

Factors that might lead to a weakness being kept secret are:

- There is no way to fix it
- The product is no longer supported
- The product is so poorly designed it can never be secure
- There is an overriding intelligence requirement that cannot be fulfilled in any other way

A statement published on the GCHQ and National Cyber Security Centre (NCSC) websites said on Thursday: "We've discovered vulnerabilities and informed the vendors of every major mobile and desktop platform for over 20 years.

"This work plays an important role in helping to secure the technology which underpins our economy and the everyday lives of millions of people in the UK and abroad.

"However, we do not disclose every vulnerability we find.

"In some cases, we judge that the UK's national security interests are better served by 'retaining' knowledge of a vulnerability."

The statement says the information can be used "to gather intelligence and disrupt the activities of those who seek to do the UK harm, including terror groups, serious and organised crime gangs, and malign states".

If there is an intelligence purpose it has to be in a current case or one in the near future, and it is kept under review.

The practice of retaining vulnerabilities sparked controversy in the US after information stolen from the National Security Agency was used to stage the massive WannaCry attack in 2017, which affected a number of organisations internationally including the NHS.

Microsoft president Brad Smith condemned US authorities for the process of "stockpiling vulnerabilities" after the attack - something GCHQ is adamant it does not do.

Mr Smith used a blog entry in May 2017 to call for governments to be forced to report issues to vendors, and said: "Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.

"An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen.

"The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world.

"We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits."

Earlier this year the tech giant named NCSC as one of its top five bounty hunters - researchers who find bugs and flag them up to the vendor.

Dr Ian Levy, technical director of the NCSC, said that if a vulnerability similar to the one exploited in the WannaCry attack was discovered in the future, it would "almost certainly" be flagged under the UK system.

He said: "Because it is quite highly wormable (capable of being turned into a malicious programme that spreads itself) we would have pushed for a disclosure. If a vulnerability similar to the one exploited in the WannaCry attack was discovered it would almost certainly have been disclosed in our process."

Sky News:

You Might Also Read:

EC-Council Sets New Application Security Training Standards

« Russian Hackers Are Using Brexit To Leverage Cyber Attacks
Surveillance Spyware Targeted At Journalists In Mexico »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Cylance Smart Antivirus

Cylance Smart Antivirus

An antivirus that works smarter, not harder, from BlackBerry. Lightweight, non-intrusive protection powered by artificial intelligence. BUY NOW - LIMITED DISCOUNT OFFER.

FREE eBook: Practical Guide To Optimizing Your Cloud Deployments

FREE eBook: Practical Guide To Optimizing Your Cloud Deployments

AWS Marketplace eBook: Optimizing your cloud deployments to accelerate cloud activities, reduce costs, and improve customer experience.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Free Access: Cyber Security Supplier Directory listing 5,000+ specialist service providers.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Perimeter 81

Perimeter 81

Perimeter 81 is a Zero Trust Network as a Service designed to simplify secure network, cloud and application access for the modern and distributed workforce.

Clayden Law

Clayden Law

Clayden Law are experts in information technology, data privacy and cybersecurity law.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

CyberVista

CyberVista

CyberVista is a cybersecurity training education and workforce development company. Our mission is to eliminate the skills gap by creating job ready professionals.

Acorus Networks

Acorus Networks

Acorus Networks provides a Cloud infrastructure service to protect against increasingly sophisticated denial of service attacks.

CryptoMill Cybersecurity Solutions

CryptoMill Cybersecurity Solutions

CryptoMill Cybersecurity Solutions provides advanced, innovative data security solutions for enterprises, professionals and individuals.

TeraByte

TeraByte

TeraByte is an information security company which helps to educate and protect businesses from cyber security related risks.

Enso Security

Enso Security

Enso is the first Application Security Posture Management (ASPM) solution, helping security teams everywhere eliminate their AppSec chaos with application discovery, classification and management.

Accurics

Accurics

Accurics enables self-healing cloud native infrastructure by codifying security throughout your development lifecycle.

ITConnexion

ITConnexion

From cloud migration to ransomware protection, our managed IT services can be customised to address the most prevalent IT issues for your business.

Telefonica Global Solutions (TGS)

Telefonica Global Solutions (TGS)

Telefonica Global Solutions is the technological partner of wholesalers and enterprises, helping them to achieve the digitalization they need.