The GCHQ’s Vulnerabilities Equities Process

By Nicholas Weaver
Monday, June 3, 2019, 2:53 PM

In the U.S. there has been a long debate about “vulnerability equities”—that is, whether the government should disclose a vulnerability it discovers to the vendor, which will then allow users to apply a patch and be defended against exploitation, or keep the vulnerability secret to enable the government’s exploitation of targets. There is little data on how the process works. But the U.S. has the potential to learn how the British handle the same problem.

Recently, the U.K.’s National Cyber Security Centre (NCSC)—which is a division of the GCHQ, the British equivalent of the National Security Agency (NSA)—disclosed a major vulnerability to Microsoft. The company regards this vulnerability, colloquially known as “BlueKeep” but really just CVE-2019-0708, as serious enough to justify providing patches for out-of-support Windows XP and 2003. Although it does not affect Windows 8 and 10, this vulnerability is otherwise reportedly very powerful, enabling an unauthenticated attacker to gain complete control of the remote system. This is the sort of “god mode” exploit that intelligence agencies prize, because it allows them to break into otherwise highly secure targets.

There are several possible stories here, all of which would do credit to the GCHQ. It could be that the organization simply discovered this vulnerability and disclosed it. It could be that the GCHQ discovered the vulnerability and used it and then an opponent captured it for the opponent’s own use. Or the GCHQ might have discovered someone else using it. All three possibilities speak well of the GCHQ’s internal processes, but I hope the organization will formally disclose which one is true: This information would help shape policy discussions around vulnerability disclosure.

The first possibility is that the GCHQ discovered this vulnerability and decided, after an internal process, to notify Microsoft. This would suggest an equities process highly deferential to the defensive side—the sort of process desired by so many critics of intelligence agencies. If this is the case, the GCHQ would deserve a huge amount of credit for discovering such a powerful exploit and responding by ensuring that nobody could use it. This decision would also indicate to policy makers and others that the current equities process, at least for the British, is more than sufficiently biased toward defense.

The second possibility is that the GCHQ discovered this vulnerability, weaponized it and then used it. Given the power of this exploit, I would expect any intelligence agency would want to use it to attack particularly hard targets. Sometime later, perhaps, the GCHQ then had reason to believe that an adversary discovered the exploit, probably by reverse-engineering an attack. A NOBUS (Nobody But Us) vulnerability of this nature is one thing, but if others know about it, then the danger is vastly increased. It therefore becomes critical to “burn” the exploit, rendering it unusable to everyone by notifying Microsoft.

This case would also show a highly responsible GCHQ. In this scenario, the organization developed an exploit, used it (after all, the GCHQ’s job is to break into other computers), and then, when the danger increased, the GCHQ decided to render it inoperable. In doing so, the organization implicitly notified whoever obtained the exploit that the GCHQ knows the exploit got caught. If this is the case, the GCHQ would gain credit for behaving responsibly—and a decision on the organization’s part to acknowledge how things played out would not reveal any knowledge that the adversary in question hasn’t already gained.

It also suggests that the GCHQ is following an equities process that, although biased toward offense, does monitor for changing conditions. Just as the NSA clearly disclosed “EternalBlue” to Microsoft when it became clear that the Shadow Brokers had a copy (their “auction” told the name of the tools and the NSA responded by notifying Microsoft and Microsoft provided a patch before the Shadow Brokers released the tools themselves), this would be the British doing the same.

In this case, the GCHQ would be following a philosophy of “no unilateral disarmament, but mutual disarmament”: When a vulnerability is NOBUS, it stays in the offense. But as soon as there is a suggestion otherwise, it is then something to be eliminated. If I were in charge of the NSA or the GCHQ, this would be the position I’d probably take.

The final possibility is that the GCHQ noticed an adversary using this exploit, captured it and then disclosed to Microsoft. This would speak highly of the GCHQ’s defensive (rather than offensive) mission. A defensive win like this would be huge and should be lauded. If this is the case, the adversary already knows that the GCHQ discovered the attack—so revealing this publicly would not notify the adversary of anything new but would allow policy makers and the public to understand how the GCHQ’s defensive mission operates. It would also allow the organization to take a well-deserved victory lap.

All three possibilities speak well of the GCHQ, and revealing which one is the case would not tell adversaries anything they don’t already know. There is no adversary in the first case, while an adversary in the second or third case already knows what happened. But disclosure would tell the rest of the world something about how a responsible intelligence agency behaves. Here is hoping that the GCHQ understands that its instinct for secrecy would be best set aside in this situation.