GCHQ opens kimono to the infosec world to explain its vuln disclosure process • The Register




On the very day that some types of state-backed hacking in Britain now require a judge-issued warrant, GCHQ has lifted the veil and given the infosec world an overview of its vulnerability-hoarding policy.

The spy agency's internal equities process is the means by which it decides whether or not to tell technology vendors that its snoopers have discovered a hardware or software vulnerability.

A hot topic for many years, vuln disclosure (and patching) is a double-edged sword for spy agencies. If they keep what they have found to themselves, they can exploit it for their own purposes, the publicly stated reason being to disrupt "the activities of those who seek to harm the United Kingdom" – which apparently includes Belgian telephone operators.

If GCHQ discloses what it has found to the relevant vendor, it may "benefit global technology users", in the agency's words, while helping to create a climate of trust, something the Peeping Tom agency is keen on following the international damage done to its reputation by the Snowden revelations.

However, in a briefing note released today, the agency revealed that it could keep vulns in unsupported software to itself. "If the software in question was no longer supported by the provider," it said, "if a vulnerability were to be discovered in such software, there would be no way to repair it."

Only last year, Microsoft president Brad Smith was raging against GCHQ's US cousins, the NSA, for "government vulnerability stockpiling" – although, as we revealed, Microsoft was sitting on a pile of patches that were provided only to certain customers, not the public, so nobody in this debate is immaculately clean.

Beautiful bureaucracy

When deciding whether or not to drop a vuln, GCHQ said three internal bodies are involved: a technical panel, composed of spies who are "experts in the field"; the GCHQ Equity Board, chaired by an official from GCHQ's public-facing arm, the National Cyber Security Centre (NCSC), and made up of people from other government departments; and the Equities Oversight Committee, chaired by NCSC chief executive Ciaran Martin.

Broadly, Martin decides whether a vuln is "released" to be fixed. These decisions are "regularly reviewed at a time appropriate to the security risk" and, regardless of the risk, "at least every 12 months".

What are they reviewing? Operational necessity ("do we depend on this vulnerability for intelligence?") is one of the criteria, as is the impact on the activities of other UK government departments. Whether a vulnerability could be independently identified by third parties and used to harm businesses and citizens is considered to fall under the general category of "defensive risk", but seems less of a priority than whether the state will find its wings clipped as a result of disclosure.

Even then, the agency would prefer to encourage industry to apply "configuration changes" to mitigate vulnerabilities rather than see a patch deployed after disclosure. The reason is obvious: not everyone implements configuration changes, which means some GCHQ targets may remain vulnerable to "network exploitation".

"The assessment against a number of these factors is based on standardised criteria and experience gained, including by applying, where appropriate, the Common Vulnerability Scoring System," said GCHQ.

Good stuff, now go and get a proper warrant

Today a post-Snowden legal tweak comes into effect: state employees wishing to hack into networks and targets' devices must now obtain a judge-issued warrant under section 106 of the Investigatory Powers Act.

"Such warrants may then be issued from December 5. However, except in cases of urgency, the warrant will have to be reviewed and approved by a Judicial Commissioner," said the Society for Computers and Law in an update on the new law. It added that starting in January, law enforcement agencies will have to use this process to insert probes into the gear of suspected hackers.

The use of hacking tools to investigate suspected crimes under sections 1 to 3 of the Computer Misuse Act 1990 is now subject to the "equipment interference warrant" procedure rather than the Police Act 1997 "interference with property" process.

The difference lies in the fact that state hackers are looking for "communications, private information, or equipment data", which therefore requires a different set of legal safeguards from the Police Act process, which was designed for slightly different scenarios, such as planting tracking bugs on cars. ®

Bootnote

"In exceptional cases, the NCSC CEO may decide to invoke a further escalation via submissions to the Director of GCHQ and, where appropriate, to the Foreign Secretary," said GCHQ's press release, conjuring up images of spies running in circles around a smoking server, chanting the name of Jeremy Hunt and falling to their knees in gratitude when the mysterious Foreign Secretary himself appears in a flash, ready to dispense some very rough justice.

We encourage readers at GCHQ to send us videos of this process if it ever actually happens.
