May 13, 2017 | Jim Killock

NHS ransom shows GCHQ putting us at risk

The NHS ransom shows the problems with GCHQ’s approach to hacking and vulnerabilities, and this must be made clear to MPs who have given them sweeping powers in the IP Act that could result in the same problems recurring in the future.

Here are four points that stand out to us. These issues of oversight relating to hacking capabilities are barely examined in the Investigatory Powers Act, which concentrates oversight and warrantry on the balance to be struck in targeting a particular person or group, rather than on the risks surrounding the capabilities being developed.

GCHQ and the NSA knew about the problem years ago

Vulnerabilities, as we know from the Snowden documents, are shared between the NSA and GCHQ, as are the tools built to exploit them. These tools are then used to hack into computer equipment as a stepping stone to other data. The break-ins happen at all kinds of companies, sites and groups, which may be entirely innocent but are useful to the security agencies as a route to their actual targets.

In this case, the exploit, called ETERNALBLUE, was published this April after a break-in or leak from the NSA or its partners. It targets a flaw in the SMBv1 file-sharing service in Windows, in versions from XP up to those Microsoft was still supporting, not XP alone. It has now been used by criminals to ransom organisations that had not applied Microsoft's fix or were still running unsupported versions.

While GCHQ cannot be blamed for the NHS's reliance on out-of-date software, the decision the NSA and GCHQ made to keep this vulnerability secret, rather than trying to get it fixed, means they carry a significant share of the blame for the current NHS ransom.

GCHQ are in charge of hacking us and protecting us from hackers

GCHQ are normally responsible for ‘offensive’ operations, that is, hacking and breaking into other networks. They also have a ‘defensive’ role, through the National Cyber Security Centre, which is meant to help organisations like the NHS keep their systems safe from attacks of this kind.

GCHQ are therefore forced to trade off their use of secret hacking exploits against the risks these exploits pose to organisations like the NHS.

They have a tremendous conflict of interest, which in ORG’s view, ought to be resolved by moving the UK defensive role out of GCHQ’s hands.

Government also needs a robust means of assessing the risks that GCHQ’s use of vulnerabilities might pose to the rest of us. At the moment, ministers can only turn to GCHQ to ask about the risks, and we assume the same is true in practice of oversight bodies and future Surveillance Commissioners. The obvious way to improve this and get more independent advice is to split the National Cyber Security Centre from GCHQ.

GCHQ’s National Cyber Security Centre had no back up plan

We also need to condemn the lack of action from NCSC and others once the exploit was known to be “lost” this April. Some remedial action was taken in the US: Microsoft was informed and issued a patch in March for the Windows versions it still supported, but the fix for unsupported versions such as Windows XP was not published until today.

Hoarding vulnerabilities is of course inherently dangerous, but apparently having no adequate US plan, and no UK-wide plan at all, to execute when they are lost is inexcusable. This is especially true given that this vulnerability is obviously capable of being used by self-spreading malware: a flaw in a network file-sharing service lets one infected machine attack every other reachable machine with no user action at all.
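To make the "self-spreading" point concrete, here is a small model of worm propagation through an estate where some hosts expose the SMB port and some are patched. It is an illustration added to this page, not code from the original post or from any of the organisations named; the hospital segments, host names and patch states are constructed for the example, and the only assumption taken from the text is that an unpatched host reachable on TCP/445 from an infected host can be infected in turn. It shows why both patching and blocking port 445 between segments limit the blast radius, which is the kind of plan the paragraph above says was missing.

```python
"""Model of how a wormable SMB flaw spreads through a flat versus a segmented network.

Added illustration only (not the original post's code). All hosts, segments,
firewall rules and patch states are constructed for the example.
"""
from collections import deque
from dataclasses import dataclass

SMB_PORT = 445  # the port the worm needs to reach on a victim


@dataclass
class Host:
    name: str
    segment: str
    patched: bool               # fix for the SMB flaw applied (e.g. MS17-010)
    smb_listening: bool = True  # SMB service reachable on TCP/445


@dataclass
class Network:
    hosts: dict   # name -> Host
    allow_445: set  # directed pairs (src_segment, dst_segment) where TCP/445 is allowed

    def reachable(self, src: Host, dst: Host) -> bool:
        """Can src open TCP/445 to dst? Same segment is always allowed (no internal firewall)."""
        if src.name == dst.name or not dst.smb_listening:
            return False
        return src.segment == dst.segment or (src.segment, dst.segment) in self.allow_445

    def exploitable(self, dst: Host) -> bool:
        """The exploit only works against an unpatched host that exposes SMB."""
        return not dst.patched and dst.smb_listening


def spread(net: Network, seed: str) -> set:
    """Breadth-first worm propagation from the seed host (the initial victim,
    e.g. via phishing). Every reachable, exploitable host becomes infected and
    then attacks in turn. Returns the set of infected host names."""
    infected = {seed}
    queue = deque([seed])
    while queue:
        cur = net.hosts[queue.popleft()]
        for h in net.hosts.values():
            if h.name in infected:
                continue
            if net.reachable(cur, h) and net.exploitable(h):
                infected.add(h.name)
                queue.append(h.name)
    return infected


def build_hospital(flat: bool, patched=frozenset()) -> Network:
    """Constructed example estate: three segments, seven hosts. With flat=True
    every segment may reach every other on TCP/445; otherwise only workstation
    segments may reach the server segment, and nothing else crosses."""
    layout = {
        "clinical": ["ward-pc-1", "ward-pc-2", "mri-console"],
        "admin": ["hr-pc-1", "finance-pc-1"],
        "servers": ["file-srv", "pacs-srv"],
    }
    hosts = {n: Host(n, seg, patched=n in patched) for seg, names in layout.items() for n in names}
    if flat:
        allow = {(a, b) for a in layout for b in layout}
    else:
        allow = {("clinical", "servers"), ("admin", "servers")}
    return Network(hosts, allow)


if __name__ == "__main__":
    for label, net in [
        ("flat, nothing patched", build_hospital(flat=True)),
        ("segmented, nothing patched", build_hospital(flat=False)),
        ("segmented, servers patched", build_hospital(flat=False, patched={"file-srv", "pacs-srv"})),
    ]:
        print(f"{label}: {len(spread(net, 'ward-pc-1'))} of {len(net.hosts)} hosts infected")
```

In the flat estate a single infected ward PC reaches every host; segmentation alone confines the worm to the clinical segment plus the servers it is allowed to talk to, and patching the servers stops it at the segment boundary. The model ignores timing and credential reuse, so it understates real-world spread rather than overstating it.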

GCHQ are not getting the balance between offence and defence right

The bulk of GCHQ’s resources go into offensive capabilities, including hoarding data, analytics and developing hacking methods. There needs to be serious analysis of whether this is really producing the right results. This imbalance is likely to persist while GCHQ, an organisation that will always prioritise offence, is in charge of both offence and defence. Offence has also been emphasised by politicians who feel pressure to defend against terrorism, whatever the cost. Defence, such as ensuring that critical national infrastructure like the NHS is protected, is the poor relation of offensive capabilities. Perhaps the NHS ransom is the result.

Comments (8)

  1. Filipescu Mircea Alexandru:
    May 13, 2017 at 01:23 PM

    Meanwhile in the Tory government: "Hmmm... maybe blowing our cybersecurity budget on a national firewall to block porn wasn't such a good idea, and we should have used it to keep our institutions updated with the latest security tools instead. Damn you, 1st and 3rd world priorities!"

  2. Dave:
    May 13, 2017 at 10:12 PM

    How about you point the finger of blame at the people who leaked these tools/information to the entire world.

    Get your priorities in order

  3. Silly Dave:
    May 14, 2017 at 12:08 AM

    Oh? Sure, let's blame the theft. How about responsible disclosure Dave? It is naive and irresponsible for a nation state to stockpile vulnerabilities without disclosing them. At the end of the day, it isn't just nation-states that have the ability to discover these flaws within software. So, perhaps you should take a moment and get your priorities in order? Silly Dave.

  4. GeorgeH:
    May 14, 2017 at 09:52 AM

    The question of whether the vulnerability was leaked is irrelevant - vulnerabilities are discovered by hackers independently of any discovery by "Government" agencies (although I don't know whether that was the case with this exploit).

  5. Dave:
    May 14, 2017 at 03:17 PM

    No. It's intelligence agencies' job to utilise these... not to share them and get them fixed. They aren't bounty hunters, they use them as part of their job.


  6. Steven:
    May 14, 2017 at 03:42 PM

    Dave, that only makes sense if enemy powers use different software systems. What's the point of ignoring fixing security holes that a matching organization could figure out just as easily? This exploit isn't advanced or complicated, anyone can find it given the time. If their priority is not to protect their own citizens, what are they doing?

  7. Geekman:
    May 15, 2017 at 04:34 PM

    Dave: You're missing the whole point: an unfixed bug is a bug that can be exploited by anyone, not just the NSA.

    Affected systems are used by other government agencies or civilian institutions, and can be vulnerable to anyone else who has covertly discovered the bug: hostile nations, criminals, etc.

    Security is an all-or-nothing venture, and our intelligence agencies should be shoring it up, not undermining it.

  8. NickDaGeek:
    May 27, 2017 at 08:24 AM

    You are wrong. XP was not the problem.

    The Server Message Block vulnerability code-named EternalBlue affected everything that used SMB shares, which is every single MS operating system including Windows 10. The highest number of infected machines ran unpatched Windows 7 Pro x64.

    The problem is very simple, Microsoft patches very often cause as many problems as they fix. IT Managers are therefore correctly wary of deploying untested patches on a large network. This slows down rollout. Microsoft had this patch available in February. They did not release it till April and then blamed the NSA for their delay.

    The NSA did not create EternalBlue. What they did was to create a tool that exploited the Microsoft created vulnerability. The question you have to ask is: are such vulnerabilities accidents or designs?

    Who is to say that the NSA does not ask MS and others for back doors to be inserted. Check out your history regarding the Clipper encryption chip and also Lotus Notes encryption. The CIA has owned Crypto AG for years.