GCHQ’s hacking operations are conducted with little to no oversight and risk “undermining the security of the internet”, leading online privacy experts have warned. Even when oversight is required, GCHQ has revealed that ministers don’t have the technical knowledge to understand what it is doing. Privacy campaigners today described the issue as “a major scandal”.
Details of GCHQ’s hacking operations and attempts to weaken encryption were revealed in a parliamentary committee report into the UK’s surveillance capabilities. The Intelligence and Security Committee (ISC) review, published last week, revealed GCHQ makes the majority of decisions about hacking, and its operations to weaken encryption, internally and without telling ministers exactly what it is doing.
GCHQ’s hacking operations, which it defines as “computer network exploitation”, are part of a “general power” afforded to the spy agency with “no additional ministerial authorisation”, according to the ISC’s report. While a warrant is required for hacking operations inside the UK, outside the UK the spy agency uses five broad “Section 7 class-based Authorisations”, which allow it to carry out hacking without specific oversight.
Ministers are only asked to judge GCHQ’s hacking operations when they may cause serious economic or political risk. Even in these instances the report revealed the Foreign and Commonwealth Office (FCO), whose remit GCHQ falls under, doesn’t have the technical knowledge to understand what GCHQ is doing. The lack of oversight could also lead to internet security being weakened, privacy experts told WIRED.co.uk.
“This is not oversight: it is a policy of ‘trust us, we know what we’re doing’,” said Jim Killock, executive director of civil liberties organisation Open Rights Group. “It is shocking that ministers and the ISC aren’t checking their risk analysis and admit the FCO lacks the skills to do so.”
In its report, the ISC expressed concern that GCHQ’s decisions about hacking were taken internally. It said such operations “may expose the public to greater risk and could have potentially serious ramifications”. The ISC added that ministers “must be kept fully informed of all such work”. The ISC also makes a distinction between GCHQ’s hacking operations and its efforts to weaken encryption. In relation to hacking, the ISC notes there is inadequate oversight, with attacks on encryption apparently subject to no oversight whatsoever.
Following publication of the ISC’s report, foreign secretary Philip Hammond praised the “independent scrutiny and oversight” that it provides. Hammond also said that the actions of the UK’s intelligence agencies, including GCHQ, were subject to “detailed ministerial oversight”, despite GCHQ’s admission that decisions about its hacking activities involve no oversight.
Killock slammed the committee’s “inadequate” response, arguing that the “scandalous lack of oversight” looks set to continue. Even if the ISC’s recommendations are adopted by government, no changes will be made to increase oversight of GCHQ’s hacking operations, according to the report.
GCHQ admitted the FCO was “not well placed to assess the complex technical risk” of its hacking operations. In evidence given to the ISC, Sir Iain Lobban, then director of GCHQ, dismissed the idea that its operations caused “large scale damage to the internet” as “misplaced”. Killock, an expert witness called on by the ISC for its report, claimed that “technical expertise seems to be absent from all levels of oversight”.
Caroline Wilson Palow, legal officer at rights group Privacy International, described the revelations as “very troubling”, adding that GCHQ’s hacking operations and efforts to weaken encryption were “undermining the security of the internet”.
“State-sponsored hacking into phones, computers, and networks weakens the communications systems we rely on every day, making us less secure in the process and more vulnerable to malicious actors online.
“The oversight of GCHQ’s hacking activities is minimal, and when it comes to weakening encryption, it appears to be nonexistent. As the ISC report reveals, to the extent that ministers oversee GCHQ’s overseas hacking activity at all, it is only to grant broad authorisations that essentially give GCHQ carte blanche to hack.”
She said that GCHQ should only be allowed to engage in such activities with strong safeguards and oversight in place. “The fact that the agency seems to have taken powers unto itself without parliamentary oversight, or even effective ministerial authorisation, should worry us all,” she said.
GCHQ’s alleged hacking abilities form a major part of its cybersecurity arsenal. The spy agency was linked to the attack on Sim card maker Gemalto, from which billions of mobile device encryption keys were reportedly stolen — although the firm has claimed the attack was ineffective. GCHQ has also been linked to a 2012 attack on Belgium’s largest telecommunications provider, Belgacom.
In July 2014 a leaked GCHQ document detailed more than 100 tools it apparently used to launch attacks on everything from Twitter and BlackBerry to Facebook and Second Life. Leaked documents also revealed GCHQ’s use of a malware toolkit named after characters in TV series The Smurfs. An ability codenamed Nosey Smurf turns on Android and iPhone microphones to spy on conversations, while Tracker Smurf and Dreamy Smurf handle device geolocation tracking and the covert switching on of phones respectively. Online rights charity Privacy International has accused GCHQ of “unlawfully” spying on people using such malware.
The spy agency’s range of tools relies on a number of exploits — known bugs, bugs found by GCHQ, information shared by the NSA and bugs placed into software by agents. Weaknesses exploited by GCHQ, or that it creates, could fundamentally damage online security. Security engineers have argued that they need to be made aware of rare bugs, many of which GCHQ reportedly relies on to gather information. Such information would allow engineers to better secure online infrastructure, making the internet safer for all users.
In evidence given to the ISC, GCHQ said that the “lion’s share” of the vulnerabilities it used were “publicly known”. However, leaked documents have revealed its use of both zero-day exploits — which use previously unknown weaknesses to attack software — and exploits it has found or created.