Surveillance watchdog investigates security risks of GCHQ IT contractors

The UK’s surveillance watchdog is investigating potential security risks for highly classified intelligence records amid GCHQ disclosures that about 100 external IT contractors have privileged, systems administrator access to its most sensitive data. 

GCHQ has previously denied in court hearings that external contractors from companies that supply software and computer equipment have administrator rights to live computer systems holding some of the most sensitive data gathered through electronic interception of people’s internet and phone activity.

But Computer Weekly has learned that GCHQ has submitted new evidence to a hearing in the UK’s most secretive court revealing that about 100 IT industry contractors have “privileged user” access to the surveillance agency’s live computer systems following a policy change “a few years ago”.

The Investigatory Powers Commissioner’s Office (IPCO), the UK’s overseer of surveillance laws governing the intelligence services and law enforcement, told Computer Weekly it was taking seriously claims that contractors could misuse their trusted status to access databases containing intercepted telephone, internet and email records of individuals, or other highly sensitive intelligence records.

“We recognise the importance of the need for reviewing the security arrangements for contractors which may have access to sensitive data, particularly given the recent leaks by contractors in other countries. We began work last year, and it’s going to be a focus for our inspection activity in 2018,” said an IPCO spokesman.

Privacy International, a non-government organisation (NGO) and campaigning group, is expected to argue in the UK’s most secret court today that contractors with privileged access to intelligence service computer systems pose a clear risk to sensitive data gathered by GCHQ and the intelligence services. 

For example, Edward Snowden used his systems administrator rights as an external contractor to the US National Security Agency (NSA) to download “Top Secret Strap” documents from GCHQ.

In another case, a contractor working for the NSA reportedly leaked hacking tools to the Russian antivirus software company Kaspersky Lab. The contractor claimed to have taken NSA software home to work on, on his personal computer. Kaspersky’s software identified malware attributed to the “Equation Group”, the code name for the security agency’s hacking team.

A senior witness from GCHQ will face cross-examination from Privacy International’s lawyers this afternoon.

GCHQ uses contractors from the IT industry to test and maintain the computer systems and software they have played a role in developing, and the contractors therefore have an intimate knowledge of the way the agency’s systems work.

This poses particular security risks, according to Gus Hosein, an executive director of Privacy International, and a specialist in information security.

“Given the numbers of people with similar access worldwide, it would be surprising if some had not misused their access for selfish purposes,” he said in evidence presented to the Investigatory Powers Tribunal (IPT).

GCHQ’s U-turn

GCHQ’s U-turn came when a senior director responsible for mission policy gave written evidence to the IPT during a three-day court challenge by Privacy International in October 2017.

The anonymous witness claimed that IT contractors may have systems administrator rights during the design, build and testing phase of a project, but that once it was complete those rights were passed to members of GCHQ staff.

In late November, after the legal hearing had finished, the director submitted a new witness statement retracting the original evidence.

“Following a change in policy introduced a few years ago, there are contractors within GCHQ who are administrators of operational systems. This is because much of the hardware and software from these systems is provided by industry partners, and they are therefore best placed to support those systems,” the director said.

The intelligence service’s evidence on the effectiveness of the independent oversight of its work with industry partners, which include software companies and universities, has also been called into question.

One of its most important partners is the University of Bristol, where researchers were given access to GCHQ’s entire datasets, covering people’s internet use, telephone call data and websites they visited.

GCHQ’s deputy director of mission policy said, in written evidence to the IPT in June 2017, that the commissioners responsible for scrutinising GCHQ had “been briefed in general terms about GCHQ’s use of industry” during the course of their inspections at the intelligence organisation.

But in a letter to the court in September 2017, the investigatory powers commissioner confirmed that sharing of bulk personal datasets “with industry partners” was not audited, nor were there records of any inspection visits.

Until Privacy International’s legal action, commissioners were unaware that GCHQ was sharing data with industry partners. IPCO has since ordered inspections of the practice.

GCHQ’s sudden reversal in its evidence has drawn criticism from Privacy International. Solicitor Millie Graham Wood told Computer Weekly it was alarming that a senior director at GCHQ appeared to be unaware that the agency had outsourced access to computers containing highly sensitive data to external contractors.

If GCHQ is giving misleading information to a court of law, it must raise questions whether the agency is giving accurate information to the regulator, IPCO.

“This case is all about safeguards of highly sensitive bulk data. The main witness for GCHQ did not give accurate information to courts. Our contention is the regulators are not being given the correct information. How can they conduct their role as an oversight body without the right information?”

The perks of privilege

GCHQ has two types of systems administrators, known as privileged users, who have the rights to bypass some or all of the controls that govern the access and activity of normal users.

Privileged user function administrators are like traditional systems administrators, and have rights to install software, manage log files, fix problems for users and manage loads on servers.

Privileged user data administrators have routine access to data, including human resources, finance, legal and commercial data, and exceptionally sensitive data known as ECI, or exceptionally controlled (or compartmentalised) information. They have to comply with tighter security procedures.

Lines of command

In evidence presented in court, GCHQ’s deputy director of mission policy focused almost exclusively on the security of the command line interface (CLI) – used by privileged user function administrators to manage operational IT systems – as a secure line of defence against misuse of GCHQ’s Bulk Personal Datasets and Bulk Communications Datasets.

The likelihood of a contractor with access rights going into the system, downloading relevant data and then covering their tracks was low, the director said in a witness statement, submitted prior to today’s hearing. “There is system monitoring and auditing for malicious behaviour at the command line level”.

But security experts consulted by Computer Weekly have concluded that GCHQ’s arguments over the command line interface, on the face of it, are not entirely convincing (see “True or false” box below).

Ross Anderson, professor of security engineering at the Computer Laboratory at Cambridge University, said systems administrators with privileged function status could, in principle, use their authority to subvert GCHQ’s controls.

“The guys at the functional level are technical sysadmins who install software on GCHQ’s machines. These are the people who could put on tools that could enable them to snoop stuff, harvest stuff and so on, and that is, after all, what Snowden did,” Anderson told Computer Weekly.

GCHQ focuses its analysis of communications data, collected under Section 94 of the Telecommunications Act, on foreign nationals, while the security service is more focused on analysis of UK data. Last year MI5 made over 27,700 applications to access data, which might include phone, email, internet browsing and location data held in huge databases, known as Bulk Communications Datasets (BCD).

Unanswered questions

Security specialists have reviewed GCHQ’s evidence in the Investigatory Powers Tribunal for Computer Weekly, and have identified unanswered questions that the investigatory powers commissioner may be well placed to investigate.

GCHQ’s systems administrators, both contract and staff, go through Developed Vetting, the most thorough level of security vetting, which is a requirement for individuals who have long-term, frequent and uncontrolled access to top secret information.

But this in itself is no guarantee that staff will not use their positions to leak or improperly view sensitive information on people. As one security expert told Computer Weekly, most of the intelligence leaks over the past 50 years have been from people who have passed security vetting.

The Soviet spy Kim Philby, whistleblowers such as Katharine Gun – a GCHQ analyst who was threatened with the Official Secrets Act for disclosing an illegal attempt to bug members of the UN Security Council over the war in Iraq – and more recently Edward Snowden, show that vetting is no guarantee that intelligence agencies can keep sensitive data secure.

GCHQ has refused to confirm or deny whether it shares access to its intelligence databases with other members of the Five Eyes intelligence sharing group, made up of the US, New Zealand, Canada, Australia and the UK.

Few doubt that such sharing takes place, however, and that raises wider questions over what security and privacy protections, if any, would apply if GCHQ were to share sensitive data on UK citizens with its overseas partners.

Parliament’s Intelligence and Security Committee said in a public report, in March 2015, that while controls over how data is used, stored, retained and disclosed apply within the secret intelligence agencies, they “do not apply to overseas partners with whom the agencies may share datasets”.

It is also unclear what technical security and monitoring procedures GCHQ has in place to prevent Privileged User Data administrators – whose job it is to access highly sensitive data – from leaking or using the data for the wrong purposes.

A 2016 report by the intelligence services commissioner said GCHQ and the other intelligence agencies have protective monitoring systems in place, which are designed to identify and report suspicious activities.

These systems are “designed to ensure that no one person can act on their own, or access information on any of the systems holding sensitive information individually, without someone else knowing about it and without having to go to a more senior officer”. 

Most large organisations record all the activities of systems administrators on a server that is beyond the reach of normal systems administrators. They use security information management tools to analyse the logs, and look for unusual processes or activities that could be flagged up for assessment by IT security specialists.

But GCHQ’s witness has been silent on this matter.
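To make concrete the kind of analysis the paragraph above describes, the following is an added example, not code from the article or from any agency or vendor it mentions. It assumes a hypothetical log format in which a central log server (one the administrators themselves cannot alter) records each privileged command as `timestamp user role host command`, and it applies three checks a security team would typically run over such records: commands outside a role’s expected baseline, bulk-export tools run by function administrators who should not need to move data, and attempts to erase evidence of a session. Alerts for a user who both exported data and tampered with logs are escalated, since that combination is the pattern of most concern. The role baselines, tool lists and sample log lines are all constructed for illustration.

```python
"""Detection over centrally collected privileged-session logs (added example).

Log format (hypothetical, constructed for this example):
    <ISO timestamp> <user> <role> <host> <command line>
"""
import re
from dataclasses import dataclass

# Commands each privileged role is expected to run. Constructed baseline; a real
# deployment would derive this from weeks of known-good history, not hand-write it.
ROLE_BASELINE = {
    "func_admin": {"systemctl", "tail", "yum", "apt", "journalctl", "df", "top", "ps", "less"},
    "data_admin": {"select", "psql"},
}

# Tools whose appearance in a *function* administrator's session suggests bulk
# data movement, which that role has no routine need for.
BULK_EXPORT_TOOLS = {"pg_dump", "mysqldump", "scp", "rsync", "tar", "zip", "dd", "cp"}

# Patterns that suggest an attempt to remove the record of what was done.
LOG_TAMPER_PATTERNS = [
    re.compile(r"\bhistory\s+-c\b"),
    re.compile(r"\bunset\s+HISTFILE\b"),
    re.compile(r"/var/log/audit/"),
    re.compile(r"\bauditctl\s+-e\s*0\b"),
    re.compile(r"\bjournalctl\s+--vacuum"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<role>\S+)\s+(?P<host>\S+)\s+(?P<cmd>.+)$"
)

# Constructed sample records; "bob" is the session a reviewer should look at.
SAMPLE_LOG = """\
2018-01-10T09:01:12Z alice func_admin ops-db-01 systemctl restart postgres
2018-01-10T09:03:44Z alice func_admin ops-db-01 tail -n 200 /var/log/postgres.log
2018-01-10T10:15:02Z bob   func_admin ops-db-02 yum install -y htop
2018-01-10T11:20:31Z bob   func_admin ops-db-02 pg_dump -Fc bcd_prod -f /tmp/bcd.dump
2018-01-10T11:22:05Z bob   func_admin ops-db-02 tar czf /tmp/x.tgz /tmp/bcd.dump
2018-01-10T11:25:40Z bob   func_admin ops-db-02 history -c
2018-01-10T11:26:02Z bob   func_admin ops-db-02 rm -f /var/log/audit/audit.log
2018-01-10T13:05:10Z carol data_admin ops-db-01 select count(*) from bcd_prod.calls
"""


@dataclass
class Alert:
    ts: str
    user: str
    host: str
    cmd: str
    reasons: list
    severity: str = "medium"


def classify(role: str, cmd: str) -> list:
    """Return the list of reasons a single command line is worth a look (empty if none)."""
    reasons = []
    argv = cmd.split()
    prog = argv[0] if argv else ""
    if any(p.search(cmd) for p in LOG_TAMPER_PATTERNS):
        reasons.append("log_tampering")
    if role == "func_admin" and prog in BULK_EXPORT_TOOLS:
        reasons.append("bulk_export")
    # Only fall back to the generic baseline check if nothing more specific fired.
    if not reasons and prog not in ROLE_BASELINE.get(role, set()):
        reasons.append("unusual_process")
    return reasons


def analyse(log_text: str) -> list:
    """Parse the log, raise per-line alerts, then escalate by correlating per user."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: a real pipeline would count these separately
        reasons = classify(m["role"], m["cmd"])
        if reasons:
            alerts.append(Alert(m["ts"], m["user"], m["host"], m["cmd"], reasons))

    # Correlation: the same user both exporting data and erasing traces is the
    # combination that should reach a human reviewer first.
    seen_by_user = {}
    for a in alerts:
        seen_by_user.setdefault(a.user, set()).update(a.reasons)
    for a in alerts:
        if {"bulk_export", "log_tampering"} <= seen_by_user[a.user]:
            a.severity = "critical"
        elif "log_tampering" in a.reasons:
            a.severity = "high"
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(f"[{alert.severity:8}] {alert.ts} {alert.user}@{alert.host}: "
              f"{alert.cmd}  ({', '.join(alert.reasons)})")
```

Run on the constructed sample, only bob’s session produces alerts, and because his activity combines an export with log tampering every one of them is escalated to critical; alice’s routine maintenance and carol’s data-role query stay silent. The design point is that the rules are cheap and explainable: each alert names the reason it fired, which is what an IT security specialist picking it up for assessment needs.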

Another question that has gone unanswered in GCHQ’s evidence is how well GCHQ has locked down its internal computer systems to prevent systems administrators copying large amounts of sensitive data and taking it out of the building. The intelligence agency might be expected to have locked down USB ports so they cannot be used to download data onto a memory stick.

With such lock-down systems in place, it might be possible for privileged users to download sensitive information, but removing more than a small volume of data would be challenging.

For those determined enough, there are always ways to smuggle data out, from photographing a computer screen using an iPod with a built-in camera to inserting a device known as a Teensy, which can bypass USB blocking technology by masquerading as a computer keyboard. A rogue employee could use it, for example, to install malware.

Such controls may be irrelevant, however, if contractors are able to access GCHQ’s operational IT system remotely from the offices of an IT supplier, or even from home. Depending on the security of the computer systems they are using, it could be much easier to download and remove sensitive data. On this matter, GCHQ so far appears to have had little to say in public.

Why GCHQ is focusing almost exclusively on the security of its command line interfaces in its evidence is difficult to understand. One explanation may be that the organisation does not feel sufficiently confident about the systems it has in place to monitor the activities of its systems administrators, one security expert, with 20 years’ experience in government and the financial sector, suggested to Computer Weekly.

“Either they may not be as sure that their controls are as robust as they should be or they may have decided that the cost of running the controls adds delay into the mission object, or the director may be poorly briefed,” he said.

The Investigatory Powers Commissioner’s Office said it would address the question of whether GCHQ may have provided regulators with inaccurate information in an annual report published after Privacy International’s legal proceedings have concluded.

“It would be inappropriate to express a view in advance of the tribunal’s decision,” a spokesman said.

“IPCO has no reason to question GCHQ’s candour or to suspect there has been a deliberate lack of transparency. Indeed, GCHQ has taken steps to bring matters to the attention of IPCO where there has been a mis-statement or if relevant material had been overlooked.

“In the course of future inspections we will ensure that the regulatory and compliance machinery is in place to ensure that there is disclosure as regards all relevant issues.”