GCHQ Doesn't Always Tell Vendors If Their Software Is Vulnerable

GCHQ has revealed that it doesn't always tell companies if their software is vulnerable to cyber-attacks.

The UK government's intelligence and security organisation has said it will sometimes withhold the information to protect "national security interests".

GCHQ has made its decision-making process public for the first time.

The service has a team of researchers who find flaws in many types of computer software and systems, from the most popular products used by millions of people to niche technical kit.

Factors that might lead to a weakness being kept secret are:

- There is no way to fix it
- The product is no longer supported
- The product is so poorly designed it can never be secure
- There is an overriding intelligence requirement that cannot be fulfilled in any other way

A statement published on the GCHQ and National Cyber Security Centre (NCSC) websites said on Thursday: "We've discovered vulnerabilities and informed the vendors of every major mobile and desktop platform for over 20 years.

"This work plays an important role in helping to secure the technology which underpins our economy and the everyday lives of millions of people in the UK and abroad.

"However, we do not disclose every vulnerability we find.

"In some cases, we judge that the UK's national security interests are better served by 'retaining' knowledge of a vulnerability."

The statement says the information can be used "to gather intelligence and disrupt the activities of those who seek to do the UK harm, including terror groups, serious and organised crime gangs, and malign states".

Where a vulnerability is retained for an intelligence purpose, that purpose must relate to a current case or one expected in the near future, and the decision is kept under review.

The practice of retaining vulnerabilities sparked controversy in the US after exploit code stolen from the National Security Agency was used to stage the massive WannaCry attack in 2017, which affected a number of organisations internationally, including the NHS.

Microsoft president Brad Smith condemned US authorities for the process of "stockpiling vulnerabilities" after the attack - something GCHQ is adamant it does not do.

Mr Smith used a blog entry in May 2017 to call for governments to be forced to report issues to vendors, and said: "Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.

"An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen.

"The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world.

"We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits."

Earlier this year the tech giant named the NCSC as one of the top five contributors to its bug bounty programme - researchers who find bugs and report them to the vendor.

Dr Ian Levy, technical director of the NCSC, said that if a vulnerability similar to the one exploited in the WannaCry attack were discovered in the future, it would "almost certainly" be disclosed under the UK system.

He said: "Because it is quite highly wormable (capable of being turned into a malicious programme that spreads itself) we would have pushed for a disclosure. If a vulnerability similar to the one exploited in the WannaCry attack was discovered it would almost certainly have been disclosed in our process."

Sky News:
