GCHQ’s hacking technologies go unregulated and unsupervised

This is detailed in last week’s Privacy and Security report from the Intelligence and Security Committee in paragraphs 179–183.

However, the report does not recommend any serious fix to this area of oversight. GCHQ’s hacking technologies, the circumstances in which specific methods are employed, and the risks GCHQ considers would continue to be a matter for their judgement alone except in extreme circumstances, even if the ISC’s changes are accepted by government.

The ISC examined GCHQ’s attempts to get around encryption and engage in ‘equipment interference’. They noted that developing these technologies is not subject to any ministerial warrant or external permission (my emphasis):

180. The legal basis for this work is the general power afforded to GCHQ under Section 3(1)(a) of the Intelligence Services Act to:

… monitor or interfere with electromagnetic, acoustic and other emissions and any equipment producing such emissions and to obtain and provide information derived from or related to such emissions or equipment and from encrypted material.

No additional Ministerial Authorisation is required for these activities. There are internal procedures: ***. There is no legal requirement to inform Ministers: however, GCHQ have said that they would ask the Foreign Secretary to approve a specific operation of this kind “where the political or economic risks were sufficiently high” (although, in practice, they manage their operations to avoid this level of risk). GCHQ told the Committee that:

The FCO is aware of the activity and the possible political risk, but individual legal authorisations are not required for each operation. The FCO could assess the political risk of a compromise, it is not well‐placed to assess the complex technical risk. Whilst not formally overseen by a Commissioner, the Intelligence Services Commissioner has been briefed on this type of activity where it relates to individual approved operations.

This is a very frank admission that GCHQ’s hacking techniques are not subject to oversight, and that the political masters at the FCO lack the ability to assess the technical risks. Implicitly, the ISC and Intelligence Services Commissioner also fail to look at the risk assessments and technical implications.

Only days ago, Philip Hammond, the Foreign Secretary and the man in charge, claimed:

[The agencies’] actions are subject to detailed Ministerial oversight: between the Prime Minister, the Home Secretary and me, we spend hours every week with the agencies, ensuring that this Government is doing everything it can to keep the British people safe. … 

I regard the independent scrutiny and oversight that the ISC provides as a particular and significant strength of the British system.

However, in relation to hacking technology, oversight is absent: the FCO have a policy of “we trust them, they say they know what they are doing, and we wouldn’t understand anyway”. The ISC concludes (my emphasis):

DD. GCHQ need to be able to read the encrypted communications of those who might pose a threat to the UK. We recognise concerns that this work may expose the public to greater risk and could have potentially serious ramifications (both political and economic). We have questioned GCHQ about the risks of their work in this area. They emphasised that much of their work is focused on improving security online. In the limited circumstances where they do *** they would only do so where they are confident that it could not be ***. However, we are concerned that such decisions are only taken internally: Ministers must be kept fully informed of all such work and specifically consulted where it involves potential political and economic risks.

In other words, GCHQ should choose when to inform ministers, but there is an absence of any plan to introduce oversight and assessment of the technical risks. The new policy would amount to: “we trust them, they will tell us if there is a problem. But we don’t want to be bothered with the technical details”.

What should the FCO and ISC be weighing up?

Assessing the appropriateness of GCHQ’s technologies does indeed rest on some very tricky calculations. Hacking tools depend on using problems in software. These can be known bugs; bugs that GCHQ finds, is given by the NSA, or that are otherwise presumed to be unknown beyond the agencies; or problems that are placed into software. Sometimes encryption may be weakened, for instance by simplifying the protocols.

All of these strategies are problematic from one point of view or another. It is very hard to know that if software is broken, the problem will not be discovered and used by someone else. The damage might be felt through action from other agencies or criminal gangs. The people affected could be individuals, banks, or businesses, in any country, not just the UK. The damage could include any kind of financial or data theft, or even acts of sabotage.

Where rare bugs are found or used, security engineers argue that these are the ones they need to know about most, so they can learn from them and anticipate new solutions. So even when GCHQ thinks their exploits are the least likely to be found, they are potentially denying security engineers the opportunity to solve security’s most important new problems. This is the principle of ‘full disclosure’, which has been a foundation stone of security research for decades.

Government should also assume that for every Snowden there are several other people giving secrets quietly to other parties. That will range from organised crime, to foreign agencies, to third parties in order to cause embarrassment and loss of contracts. This of course makes the use of undeclared exploits an even more risky proposition.

Even where well-known bugs are used, GCHQ are creating an incentive not to inform them of specific exploits or press companies into action. And yet GCHQ also has a role, in CESG, in “Information Assurance”, that is to say, improving general security of computer systems in the UK.

Breadth of GCHQ hacking technologies

The hacking operations from GCHQ are enormous. We have reviewed the public information in Chapter two of our report on GCHQ’s activities.

It’s important to note that they have huge resource and technology sharing with the NSA (and their equivalents in Canada, Australia and New Zealand) so that their operations are virtually inseparable in many aspects.

The Snowden documents detail very sophisticated operations, where GCHQ use their access to cables to ‘inject’ malware into normal online communications. The documents show they build malware, have created fake LinkedIn pages and emails, and have hacked into major companies including Belgacom and Gemalto. Belgacom’s clean-up operation has cost them at least £12 million.

There is evidence that GCHQ and NSA share ‘zero day’ (unpublished) bugs. GCHQ specialises in mobile phone hacking (see NOSEYSMURF for instance). Recent allegations also include a CIA programme to break into Apple phones and tablets.

It may be that their decisions are entirely well judged, but they have an incentive to break into many, many computer systems, and create as much access as possible. The risk calculations are very complicated and yet politicians and oversight are, it appears, not involved in these calculations at all.

Consultation on GCHQ hacking

The government is running a consultation on “Equipment Interference” and a proposed Code of Practice. They are doing this because it is one of several areas where the law is highly unclear about what kinds of activity may be taking place, which is likely to fall foul of ECHR requirements for clear surveillance laws. We believe that primary legislation is needed to meet these concerns. While the Code of Practice is an attempt to regulate these actions, it does not focus on the methods and the oversight needed to control risks associated with these tools, so fails to address our concerns. 

Oversight’s task: legality and effectiveness

This lack of attention goes to the heart of what is wrong with current oversight. For a start, oversight is far more reliant on the agencies’ political masters than independent overseers. Ministers have far more chance of forming an accurate view than the ISC, but may also not feel any desire to get into levels of detail. Independent oversight concentrates on the low barrier of ensuring the agencies comply with current laws rather than examining whether their activities are justifiable.

ORG and civil society tend to concentrate on the basic human rights question: are you targeting your response to what is necessary to deal with specific suspects?

On the other hand, ministers and oversight appear to approach GCHQ’s surveillance as a simplistic question of whether they are reducing the risk of terrorist activity to as close to zero as possible. Cameron claimed that he doesn’t want to be the Prime Minister who failed to give the agencies the tools they needed to prevent a murder. Or, as Malcolm Rifkind put it to campaigners at the hearings: is a terrorist atrocity a price worth paying for privacy?

The problem with Cameron and Rifkind’s approach is that their judgements about GCHQ’s work could be placing us at greater risk of a terrorist threat, or other very serious criminal threats, but they have no real idea if they are doing so.

On a broad level, the ISC is failing to assess the relative cost effectiveness of different strategies, for instance of human intelligence versus automated bulk surveillance.

Given that recent terrorist atrocities have all involved people known to the authorities, we might speculate that traditional intelligence may not have been given sufficient resources. GCHQ is extremely costly, and eats up a great proportion of the intelligence budget. How do the Prime Minister and the ISC know whether they are placing resources into the right strategy? How do they establish if they are not in fact being the ISC and Prime Minister that placed people in danger by failing to know what really works?

While these calculations are hard, ways to achieve them are the subject of intense investigation, including in academia, where it is known as security economics.

No real oversight of GCHQ hacking technologies

In relation to hacking technologies, the FCO and ISC are failing to examine GCHQ’s underlying risk models, the risks GCHQ takes into account and the values they give to different negative outcomes.

Oversight needs a step change. Sometimes we spell this out by saying to them that they need technical advice to understand the problems. To be completely clear, the ISC, Commissioners and political masters such as the FCO need to understand the risk modelling and make their own cost-benefits analysis. Without technical understanding of their own, they cannot make the calculations. Without making the calculations, they are blindly trusting GCHQ.

While Foreign Secretary Philip Hammond claims that “independent scrutiny and oversight of the ISC provides … a particular and significant strength of the British system”, the ISC has in fact admitted that it and the FCO lack the necessary knowledge to understand the risks they are undoubtedly running.