British spy agency GCHQ and its info-sec unit, NCSC, today outlined how they decide whether or not to tell vendors when they find security bugs during bug hunting escapades
GCHQ and NCSC today published an outline of the ‘equities process’ they use to decide whether or not to tell, say Microsoft, about a critical flaw they found in one of its products.
Last year NCSC disclosed three flaws to Microsoft, including a pair of critical bugs in Windows Defender, and a remote code execution flaw in the scripting engine used by Microsoft Edge and Internet Explorer 11.
The three bugs reported to Microsoft would have undergone the equities process detailed today, a three tier system of decision-making that the UK government uses to weigh up whether or not to report a security vulnerability to a vendor.
But why reveal the process used to disclose bugs or not today? GCHQ says that the UK Investigatory Powers Commissioner has agreed to "provide oversight into how the Equities Process operates in practice with the aim of providing public reassurance."
The explanation coincides with a requirement that came into effect today for warrants using "the most intrusive investigatory powers" under the Investigatory Powers Act to be approved by a judge.
According to GCHQ, the default stance it takes is that “disclosing a vulnerability will be in the national interest”. After all, GCHQ and NCSC know they may not have exclusive knowledge of a given flaw. Disclosing allows the vendor to supply a patch that government agencies, businesses and consumers can use to protect their computers.
The question of disclosing or not is a prickly issue between government and the tech sector. Last year’s WannaCry ransomware attack brought that into focus as it relied on leaked Windows exploits built by GCHQ’s US counterpart, the NSA.
In the wake of WannaCry, Microsoft president Brad Smith blasted the US spy agency for “hoarding” vulnerabilities and endangering consumers, calling for new rules that compel governments to report bugs to vendors. A month later the NotPetya ransomware, using the same NSA exploit, caused over a billion dollars in losses to European and US companies.
GCHQ’s equities process determines if previously unknown flaws — aka ‘zero day’ bugs — found by it or its info-sec underling do get reported.
The three tiers consist of security experts, members of the intelligence community, government agency representatives, and an equities oversight committee chaired by NCSC’s CEO Ciaran Martin. NCSC, which emerged in October 2016 to help UK organizations respond to cyber hacks, plays a vital role in the equities process.
Discovered zero-day bugs are submitted to the Equities Technical Panel. If intelligence and NSCS members on the panel agree the bug should be disclosed, the bug is reported to the vendor.
If the panel doesn’t reach a consensus, the issue is pushed up to the Equity Board, which includes government agency representatives and is chaired by a civil servant reporting to Martin. If the Equity Board doesn’t reach a consensus, it’s escalated to the Equities Oversight Committee, which is chaired by Martin. The committee aims to ensure “the Equities Process is working appropriately and in accordance with specified procedures”.
GCHQ says that all retained bugs reviewed“at least every twelve months”.
But there are cases where vulnerabilities aren’t put through the equities process. GCHQ doesn’t provide any hard rules, but notes three circumstances where it could happen, including when a partner government has already considered a bug and shared it with GCHQ, or when a product is no longer supported. The third example is where a product has been made “vulnerable-by-design”, such a well-documented but vulnerable configuration in a product.
Dr Ian Levy, NCSC’s technical director said that taking the stance it should just disclose everything found would be “naive”, arguing that NCSC can play a better protective role by being engaged in the equities process in partnership with the intelligence community.
“The UK equities process is designed to prefer disclosure at every step. However, disclosing a vulnerability won't materially change the security of a fundamentally insecure product. So, sometimes we use the vulnerability discovery to start a more strategic conversation with the company involved, to help them raise the overall security of the product,” wrote Levy.