Scottish Daily Mail

Why spy chiefs won’t tell firms when they’re at risk of hacking

Security flaws hushed up in terror fight

- By Jemma Buckley Defence Reporter j.buckley@dailymail.co.uk

GCHQ yesterday admitted it does not always tell firms and the public about cyber security issues.

The spy agency says it sometimes withholds the information so it can be used to tackle terrorists, hostile states and web paedophiles.

In a post on its website, GCHQ said: ‘We’ve discovered vulnerabilities and informed the vendors of every major mobile and desktop platform for over 20 years. This work plays an important role in helping to secure the technology which underpins our economy and the everyday lives of millions of people in the UK and abroad.

‘However, we do not disclose every vulnerability we find. In some cases, we judge that the UK’s national security interests are better served by “retaining” knowledge of a vulnerability.’

It said keeping the breach secret allowed it to ‘be used to gather intelligence and disrupt the activities of those who seek to do the UK harm, including terror groups, serious and organised crime gangs, and malign states’.

The practice of stockpiling knowledge of cyber security flaws sparked controversy last year following the WannaCry attack in the US. Information used to carry out the attack had been stolen from the National Security Agency.

Microsoft president Brad Smith used a blog post to call for governments to be forced to report any security flaws to the companies involved.

He said: ‘Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.

‘The governments of the world should treat this attack as a wakeup call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.’

GCHQ insisted it did not stockpile cyber security flaws and said information on vulnerabilities was reviewed at least every year to check it still needed to be kept secret. Dr Ian Levy, of the National Cyber Security Centre, which is part of GCHQ, said that if a WannaCry-style flaw was discovered in the future it would ‘almost certainly’ be flagged up.

He said Britain would push for a disclosure because such bugs are ‘highly wormable’ – capable of being turned into a malicious program that spreads itself.

If NCSC experts cannot agree on whether to keep the flaw secret the case goes to the GCHQ equity board, which includes representatives from other government agencies and departments. If no agreement can be reached the Foreign Secretary has the final say.

The City watchdog warned on Tuesday that technology disasters at banks and finance firms have more than doubled amid an unprecedented wave of cybercrime.

Overconfident bankers are making errors in crucial computer updates which cause chaos, the Financial Conduct Authority says.

And many firms are woefully underprepared for hacking attacks – putting their customers at risk.

Lenders have suffered a wave of online failures and hacks over the past few years, from a blackout at TSB to a massive internet raid at Tesco Bank.

From yesterday’s Mail: ‘Cyber attacks on banks soar as IT meltdowns double’
