The Trump Administration’s National Security Council has released an unclassified set of guidelines for determining when the U.S. government will disclose – rather than retain for espionage purposes – a computer vulnerability that it discovers to the relevant private sector vendor so that a patch can be distributed. Led by cybersecurity coordinator Rob Joyce, the release of the Vulnerabilities Equities Process (VEP) Charter is designed to provide transparency into the how the deliberations take place, most notably by identifying the different government bodies that will participate in the discussion.
The Cipher Brief’s Levi Maxey spoke with Robert Hannigan, former director of GCHQ, the UK’s signals intelligence agency, who talked about how the UK’s process for deliberating the equities of vulnerability disclosure versus retention takes place as well as the impacts other U.S. intelligence programs have on UK national security.
“The fundamental dilemma for everyone is the judgment around what you release and what you don’t. In both the U.S. and the UK, the default has always been public safety and cybersecurity – because we are accountable for that first and foremost. So that means releasing over 90 percent of the vulnerabilities we find. The problem is if you don’t withhold anything at all, you have basically no tools to do the job.
So there is a public policy, political decision to be made about what you want agencies to do. If you want agencies to be able to get into a terrorist network or a nuclear proliferating country or a serious crime group, you have to have some tools to do it – you can’t ring them up and ask for their login details. That means having some vulnerabilities available, and that is a difficult judgment about how likely is it that anybody else will get there.
And I think that process has worked pretty well, but the difference is the insider threat has changed a bit. So if people are prepared to leak stuff or have stuff stolen, that changes that risk calculation a bit. But it doesn’t change the basic problem: you have to have some tools available to do the job as an intelligence gathering organization.
If you can be convinced that first of all, this is very unlikely to be discovered by anybody who is not as sophisticated as key Western governments and it isn’t going to effect wider public safety, then you can make a case for withholding it. But that is going to be less than 10 percent of cases.“
In the U.S. the VEP is run through the National Security Council at the White House and is not legislated by Congress – through there are bills in the works to do just that, such as the PATCH Act. While there are similarities between the U.S. process and that of the UK, Hannigan says there are subtle differences.
“The process is not legislated in the UK either, and it was discussed briefly in the Investigatory Powers Act but is not part of the legislation. It is run internally within GCHQ and informed by the National Cyber Security Centre, which is part of GCHQ. In that sense, the process is similar, it doesn’t have the same involvement of the executive and other parts of government. But that is a feature of our system I think. The principles of making the judgments are pretty much the same, and we work pretty closely with the NSA too, so we are not doing this in complete isolation. The people who are actually looking at the vulnerabilities are discussing this with their NSA colleagues.”
In the past, such as when the NSA reportedly disclosed a vulnerability to Microsoft a month before the WannaCry attacks, the U.S. government has not publically acknowledged that it had done so. But Hannigan says GCHQ has publically acknowledged that is was the source of disclosure before.
“We don’t insist on it at all, and there are plenty of cases where we don’t get acknowledged. It is largely up to the company, and in most cases it makes sense not to acknowledge because it draws too much attention to it. Obviously, you want to discreetly notify so that people have time to come up with a patch and then patch and then roll out the patch. So the last thing that you want to do is draw attention to these vulnerabilities before you are ready, and that argues against the whole attributing to governments or agencies. But occasionally companies want to attribute and that is fine. It is a practical judgment; I don’t think we have a policy where we must be credited in some way.”
While the discussion over the NSA’s use of cyber capabilities for espionage has come to the forefront regarding the VEP process, the authorities the NSA uses to conduct much of its intelligence collection, the Section 702 of the Foreign Intelligence Surveillance Act, is due to expire at the end of the year if Congress doesn’t renew it. But the authorities are not just important for U.S. national security, it is also crucial for U.S. allies, as Hannigan explains.
“It is a pretty big deal for us and not just the UK, but also many other U.S. allies. I think people pretend to forget that 702 is incredibly important to U.S. allies. I can’t think of a major terrorist investigation over the last few years that has not involved the use of 702 materials. We rely hugely on that. Obviously, renewal is an issue for the U.S. – this is a U.S. authority – but it is worth saying that U.S. allies rely hugely on 702 for our own safety.”
While many countries, including the UK, collect signals intelligence in a manner similar to how the NSA does under the FISA 702 authorities – namely through downstream and upstream collection – there are practical differences, says Hannigan.
“Some of the authorities are quite similar, and the Investigatory Powers Act made them more explicit than ever before. The Act replaced the regulation of the investigatory powers of 2000, which were very difficult to understand as a lay reader and even as a lawyer. What the IP Act did was to make it quite transparent. That didn’t please everybody, and there was a pretty lively political debate around it, particularly post Snowden, but it has meant that we have ended up with a very clear and transparent set of legislation.
It allows the state to do similar things, but clearly the context is different because so many of the companies in question are based in the U.S. jurisdiction, not in the UK. That is the crucial change I guess. You are not talking about telephony in the old terms, where the companies tended to be based in your own jurisdiction. That has made a big difference.“
Some former members of the U.S. intelligence community, particularly Chris Inglis, the former deputy director of the NSA, have argued that the UK’s new National Cyber Security Center (NCSC) could be a model for how the U.S. enhances its cyber defensive posture, specifically by bringing private industry directly into the fold. Hannigan explains the rationale behind the NCSC.
“We had a long discussion about how to do it and where to put the operational control of cyber advisory functions. We tried all sorts of different models before we came up with this, and I think the key point was that we decided to put them where the skills and the data were – and the truth that everybody came to at the time was the cyber skills are basically in GCHQ, which has always done assurance and security for the whole of its history, and the top secret data acquired under warrant is also there.
Now that is only part of the picture as most cyber data is out there in the private sector, and by definition, it is not classified. But the real benefit comes from washing the two together and having them in the same place accessible to the same people and to bring in industry to sit alongside security experts.
It is a new experiment, and so far we have concentrated in the NCSC on incident management. We saw a tidal wave of incidents on the way, and if anything, we underestimated that.
We wanted to put advice in one place and make it coherent. The complaint we got from everybody, including institutions like the Bank of England, was that there were too many bits of government giving advise, and it wasn’t always consistent. So the advantage of having it in one place informed by industry is that you get this single, coherent set of advice to industry on how to secure themselves.”
The difficulty in the U.S. is that it is at such a bigger scale. In the UK it is challenging to get enough of the right expertise, and it is difficult to get industry to come in on sectorial basis in enough numbers to give the advice and expertise on that sector. But it is beginning to happen, and it is an interesting model and an experiment. It has certainly clarified the way that we do it. There is some way to go before it gets to critical mass.
To listen to the rest of the interview, tune into The Cipher Brief’s 15 Minutes podcast with Robert Hannigan coming out the evening of Sunday, December 3.