Surveillance watchdog investigates security risks of GCHQ IT contractors
The investigatory powers commissioner is reviewing the security arrangements for IT contractors that have access to live computer systems at GCHQ holding highly sensitive records on the UK population
The UK’s surveillance watchdog is investigating potential security risks for highly classified intelligence records amid GCHQ disclosures that about 100 external IT contractors have privileged, systems administrator access to its most sensitive data.
GCHQ has previously denied in court hearings that external contractors from companies that supply software and computer equipment have administrator rights to live computer systems holding some of the most sensitive data gathered through electronic interception of people’s internet and phone activity.
But Computer Weekly has learned that GCHQ has submitted new evidence to a hearing in the UK’s most secretive court revealing that about 100 IT industry contractors have “privileged user” access to the surveillance agency’s live computer systems following a policy change “a few years ago”.
The Investigatory Powers Commissioner’s Office (IPCO), the UK’s overseer of surveillance laws governing the intelligence services and law enforcement, told Computer Weekly it was taking seriously claims that contractors could misuse their trusted status to access databases containing intercepted telephone, internet and email records of individuals, or other highly sensitive intelligence records.
“We recognise the importance of the need for reviewing the security arrangements for contractors which may have access to sensitive data, particularly given the recent leaks by contractors in other countries. We began work last year, and it’s going to be a focus for our inspection activity in 2018,” said an IPCO spokesman.
Privacy International, a non-government organisation (NGO) and campaigning group, is expected to argue in the UK’s most secret court today that contractors with privileged access to intelligence service computer systems pose a clear risk to sensitive data gathered by GCHQ and the intelligence services.
For example, Edward Snowden used his systems administrator rights as an external contractor to the US National Security Agency (NSA) to download “Top Secret Strap” documents originating from GCHQ.
In another case, NSA hacking tools reportedly reached the Russian antivirus software company Kaspersky Lab via a contractor who said he had taken NSA software home to work on it on his personal computer. Kaspersky’s antivirus software identified the material as malware attributed to the “Equation Group”, the code name given to the agency’s hacking team.
A senior witness from GCHQ will face cross-examination from Privacy International’s lawyers this afternoon.
Read more about Privacy International’s legal challenge
- UK intelligence agencies “unlawfully” sharing sensitive personal data, court hears.
- Intelligence commissioners did not need technical expertise or support staff to check whether GCHQ and MI5 were lawfully sharing huge databases, court told.
- UK’s intelligence services lack adequate oversight and written guidelines when sharing databases of sensitive information, Privacy International argues in secret court.
- Mass collection of data on population “illegal”, UK court told.
- New privacy concerns raised after intelligence watchdog confirms it has never audited or inspected the way intelligence services share sensitive surveillance databases with industry partners.
- UK intelligence agencies have been collecting communications data on the population without adequate oversight for over a decade, according to Investigatory Powers Tribunal.
- Judges at the UK’s most secret court were persuaded not to disclose the existence of secret intrusive data on the population after briefings and lunch with MI5’s deputy director general.
GCHQ uses contractors from the IT industry to test and maintain computer systems and software that those same contractors helped to develop; they therefore have intimate knowledge of how the agency’s systems work.
This poses particular security risks, according to Gus Hosein, an executive director of Privacy International, and a specialist in information security.
“Given the numbers of people with similar access worldwide, it would be surprising if some had not misused their access for selfish purposes,” he said in evidence presented to the Investigatory Powers Tribunal (IPT).
GCHQ’s U-turn came when a senior director responsible for mission policy gave written evidence to the IPT during a three-day court challenge by Privacy International in October 2017.
The anonymous witness claimed that IT contractors may have systems administrator rights during the design, build and testing phase of a project, but that once it was complete those rights were passed to members of GCHQ staff.
In late November, after the legal hearing had finished, the director submitted a new witness statement retracting the original evidence.
“Following a change in policy introduced a few years ago, there are contractors within GCHQ who are administrators of operational systems. This is because much of the hardware and software from these systems is provided by industry partners, and they are therefore best placed to support those systems,” the director said.
The intelligence service’s evidence on the effectiveness of the independent oversight of its work with industry partners, which include software companies and universities, has also been called into question.
One of its most important partners is the University of Bristol, where researchers were given access to GCHQ’s entire datasets, covering people’s internet use, telephone call data and websites they visited.
GCHQ’s deputy director of mission policy said, in written evidence to the IPT in June 2017, that the commissioners responsible for scrutinising GCHQ had “been briefed in general terms about GCHQ’s use of industry” during the course of their inspections at the intelligence organisation.
But in a letter to the court in September 2017, the investigatory powers commissioner confirmed that sharing of bulk personal datasets “with industry partners” was not audited, nor were there records of any inspection visits.
Until Privacy International’s legal action, commissioners were unaware that GCHQ was sharing data with industry partners. IPCO has since ordered inspections of the practice.
The intelligence community’s growing reliance on contractors
GCHQ, MI5 and MI6 have become increasingly reliant on external contractors over the past decade. Between 2011 and 2016 their combined spending on consultants and contractors grew from 20% of the overall intelligence agency budget to 30%.
The Cheltenham-based agency is expanding rapidly and, according to the latest figures available, was spending about £70m a year on contractors to fill staff vacancies. IT contractors account for a significant share of that spending.
“It gives us a reach into technology…and innovation that we couldn’t develop in-house, but also gives us flexibility so we can go up and down on headcount if we need to during the year,” GCHQ told Parliament’s Intelligence and Security Committee.
Analysis by this committee in 2015/16 showed that the intelligence services had hired more than 1,000 external contractors through one classified managed services contract alone.
- The contract added 10% to the number of people working for the security agencies.
- The cost of contractors was, on average, double that of internal employees.
- MI5 hired the majority of its hourly rated contractors, some 470 personnel, through this contract at a cost of £63m, an average of £134,000 per person.
- GCHQ hired 494 contractors at a cost of £71m, an average of £144,000 per person.
- SIS (MI6) hired 279 contractors at a cost of £40m, an average of £143,000 per person.
Source: Intelligence and Security Committee of Parliament Annual Report 2016-2017
GCHQ’s sudden reversal in its evidence has drawn criticism from Privacy International. Solicitor Millie Graham Wood told Computer Weekly it was alarming that a senior director at GCHQ appeared to be unaware that the agency had outsourced access to computers containing highly sensitive data to external contractors.
If GCHQ is giving misleading information to a court of law, she said, it must raise questions about whether the agency is giving accurate information to the regulator, IPCO.
“This case is all about safeguards of highly sensitive bulk data. The main witness for GCHQ did not give accurate information to courts. Our contention is the regulators are not being given the correct information. How can they conduct their role as an oversight body without the right information?”
The perks of privilege
GCHQ has two types of systems administrators, known as privileged users, who have the rights to bypass some or all of the controls that govern the access and activity of normal users.
Privileged user function administrators are like traditional systems administrators, and have rights to install software, manage log files, fix problems for users and manage loads on servers.
Privileged user data administrators have routine access to data, including human resources, finance, legal and commercial data, and exceptionally sensitive data known as ECI, or exceptionally controlled (or compartmentalised) information. They have to comply with tighter security procedures.
Lines of command
In its court evidence, GCHQ’s deputy director of mission policy focused almost exclusively on the security of the command line interface (CLI) used by privileged user function administrators to manage operational IT systems, presenting it as a secure line of defence against misuse of GCHQ’s Bulk Personal Datasets and Bulk Communications Datasets.
The likelihood of a contractor with access rights going into the system, downloading relevant data and then covering their tracks was low, the director said in a witness statement, submitted prior to today’s hearing. “There is system monitoring and auditing for malicious behaviour at the command line level”.
But security experts consulted by Computer Weekly have concluded that GCHQ’s arguments over the command line interface are, on the face of it, not entirely convincing (see “True or false” box below).
Ross Anderson, professor of security engineering at the Computer Laboratory at Cambridge University, said systems administrators with privileged function status could, in principle, use their authority to subvert GCHQ’s controls.
“The guys at the functional level are technical sysadmins who install software on GCHQ’s machines. These are the people who could put on tools that could enable them to snoop stuff, harvest stuff and so on, and that is, after all, what Snowden did,” Anderson told Computer Weekly.
GCHQ focuses its analysis of communications data collected under Section 94 of the Telecommunications Act 1984 on foreign nationals, while MI5, the security service, is more focused on analysis of UK data. Last year MI5 made over 27,700 applications to access data held in huge databases known as Bulk Communications Datasets (BCD), which may include phone, email, internet browsing and location records.
Security specialists have reviewed GCHQ’s evidence in the Investigatory Powers Tribunal for Computer Weekly, and have identified unanswered questions that the investigatory powers commissioner may be well placed to investigate.
GCHQ puts all of its systems administrators, contract and staff alike, through Developed Vetting, the most thorough level of security vetting. It is a requirement for individuals who have long-term, frequent and uncontrolled access to top secret information.
Developed Vetting involves checking an applicant’s criminal record, credit reference data and finances, as well as checks against MI5 files and a three-hour interview with the candidate and their friends and relations. Its aim is to build as complete a picture of their life as possible, including their family background, relationships, finances, political views, hobbies and foreign travel.
Candidates are expected to disclose anything that might make them vulnerable to blackmail, which might include sexuality, financial problems and addictions. Those who are found to have withheld information are likely to lose their Developed Vetting status.
Once privileged users have completed the vetting and appraisal processes, they may be allowed unsupervised access to functions requiring elevated IT privileges.
But this in itself is no guarantee that staff will not use their positions to leak or improperly view sensitive information on people. As one security expert told Computer Weekly, most of the intelligence leaks over the past 50 years have been from people who have passed security vetting.
The Soviet spy Kim Philby, whistleblowers such as Katharine Gun – a GCHQ translator who was threatened with prosecution under the Official Secrets Act for disclosing an illegal attempt to bug members of the UN Security Council over the war in Iraq – and more recently Edward Snowden show that vetting is no guarantee that intelligence agencies can keep sensitive data secure.
GCHQ has refused to confirm or deny whether it shares access to its intelligence databases with other members of the Five Eyes intelligence sharing group, made up of the US, New Zealand, Canada, Australia and the UK.
Few doubt that such sharing takes place, however, and that raises wider questions over what security and privacy protections, if any, would apply if GCHQ were to share sensitive data on UK citizens with its overseas partners.
Parliament’s Intelligence and Security Committee said in a public report, in March 2015, that while controls over how data is used, stored, retained and disclosed apply within the secret intelligence agencies, they “do not apply to overseas partners with whom the agencies may share datasets”.
It is also unclear what technical security and monitoring procedures GCHQ has in place to prevent Privileged User Data administrators – whose job it is to access highly sensitive data – from leaking or using the data for the wrong purposes.
A 2016 report by the intelligence services commissioner said GCHQ and the other intelligence agencies have protective monitoring systems in place, which are designed to identify and report suspicious activities.
These systems are “designed to ensure that no one person can act on their own, or access information on any of the systems holding sensitive information individually, without someone else knowing about it and without having to go to a more senior officer”.
Most large organisations record all the activities of systems administrators on a logging server that is beyond the reach of the administrators being monitored, so that a privileged user cannot edit or delete the record of their own actions. They use security information and event management (SIEM) tools to analyse the logs and look for unusual processes or activities that can be flagged up for assessment by IT security specialists.
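The kind of log review described above, reduced to a few rules, as an added illustration that is not part of the original article and does not describe GCHQ’s actual systems. The log format, the change-ticket field used to evidence that a second person sanctioned a privileged session, the command patterns and the sample lines are all constructed for the example; real deployments would feed auditd, sudo or session-recording output into a SIEM rather than a script like this.

```python
"""Added example: rule-based review of privileged-user command logs.

Constructed log format (not auditd, not a GCHQ format): ISO-8601 UTC
timestamp, host, user, change-ticket reference ("-" when none) and the
command run under elevated privileges.  In a real estate these lines
would be shipped to a log server the administrators cannot write to.
"""
import re
from collections import Counter, namedtuple
from datetime import datetime

Alert = namedtuple("Alert", "ts host user rule cmd")

# Constructed sample lines: one routine staff session, one contractor
# session out of hours with no ticket that pulls bulk data and then
# switches auditing off.
LOG_LINES = [
    '2018-01-15T09:03:12Z host=es-node07 user=ctr_jsmith ticket=CHG-4412 cmd="systemctl restart elasticsearch"',
    '2018-01-15T09:05:41Z host=es-node07 user=ctr_jsmith ticket=CHG-4412 cmd="tail -n 200 /var/log/elasticsearch/cluster.log"',
    '2018-01-15T02:14:05Z host=hdfs-edge02 user=ctr_jsmith ticket=- cmd="hdfs dfs -get /data/bcd/2017 /tmp/x"',
    '2018-01-15T02:19:30Z host=hdfs-edge02 user=ctr_jsmith ticket=- cmd="tar czf /tmp/x.tgz /tmp/x"',
    '2018-01-15T02:21:02Z host=hdfs-edge02 user=ctr_jsmith ticket=- cmd="scp /tmp/x.tgz 10.9.8.7:/home/j/"',
    '2018-01-15T02:22:48Z host=hdfs-edge02 user=ctr_jsmith ticket=- cmd="auditctl -e 0"',
    '2018-01-15T14:40:00Z host=db03 user=staff_alee ticket=CHG-4420 cmd="mysqldump --all-databases"',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'ticket=(?P<ticket>\S+) cmd="(?P<cmd>.*)"$'
)

# Commands that pull data out of a store or stage/move it off the host.
BULK_EXPORT_RE = re.compile(
    r"\b(hdfs dfs -(get|copyToLocal)|mysqldump|pg_dump|elasticdump|scp|rsync|tar )"
)
# Commands that weaken or erase the audit trail itself.
AUDIT_TAMPER_RE = re.compile(
    r"\b(auditctl -e 0|systemctl stop auditd|service auditd stop|history -c|rm .*audit)"
)
# UTC hours treated as out of hours: 22:00 and later, or before 06:00.
OUT_OF_HOURS = (22, 6)


def parse_line(line):
    """Split one log line into its fields; reject anything malformed."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparseable line: %r" % line)
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def rules_for(rec):
    """Return the names of every rule a parsed record trips (may be empty)."""
    hits = []
    if rec["ticket"] == "-":
        hits.append("no_change_ticket")        # nobody else sanctioned this session
    hour = rec["ts"].hour
    if hour >= OUT_OF_HOURS[0] or hour < OUT_OF_HOURS[1]:
        hits.append("out_of_hours")
    if AUDIT_TAMPER_RE.search(rec["cmd"]):
        hits.append("audit_tamper")
    elif BULK_EXPORT_RE.search(rec["cmd"]):
        hits.append("bulk_export")
    return hits


def review_log(lines):
    """One Alert per (line, rule) pair, in log order."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        for rule in rules_for(rec):
            alerts.append(Alert(rec["ts"], rec["host"], rec["user"], rule, rec["cmd"]))
    return alerts


def alerts_by_user(alerts):
    """Alert counts per account, the first thing a reviewer would sort by."""
    return Counter(a.user for a in alerts)


if __name__ == "__main__":
    found = review_log(LOG_LINES)
    for a in found:
        print(f"{a.ts:%Y-%m-%d %H:%M} {a.user:<12} {a.rule:<17} {a.cmd}")
    print(dict(alerts_by_user(found)))
```

The rules are deliberately crude; the point is structural: the export, the staging, the copy off-host and the `auditctl -e 0` are each unremarkable on their own and only damning together, so the review has to correlate by user and session, and the log it reads must live somewhere the administrator cannot reach.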
But GCHQ’s witness has been silent on this matter.
Another question that has gone unanswered in GCHQ’s evidence is how well GCHQ has locked down its internal computer systems to prevent systems administrators copying large amounts of sensitive data and taking it out of the building. The intelligence agency might be expected, for example, to have disabled USB mass storage so that data cannot be copied onto a memory stick.
With such lock-down systems in place, it might be possible for privileged users to download sensitive information, but removing more than a small volume of data would be challenging.
For those determined enough, there are always ways to smuggle data out, from photographing a computer screen with an iPod with a built-in camera to plugging in a device such as a Teensy, a small programmable board that can bypass USB storage blocking by presenting itself to the computer as a keyboard. A rogue employee could use it, for example, to type in and install malware.
Such controls may be irrelevant, however, if contractors are able to access GCHQ’s operational IT systems remotely from the offices of an IT supplier, or even from home. Depending on the security of the computers they are using, it could be much easier to download and remove sensitive data. On this matter, GCHQ so far appears to have said little in public.
Why GCHQ is focusing almost exclusively on the security of its command line interfaces in its evidence is difficult to understand. One explanation may be that the organisation does not feel sufficiently confident about the systems it has in place to monitor the activities of its systems administrators, one security expert, with 20 years’ experience in government and the financial sector, suggested to Computer Weekly.
“Either they may not be as sure that their controls are as robust as they should be or they may have decided that the cost of running the controls adds delay into the mission object, or the director may be poorly briefed,” he said.
The Investigatory Powers Commissioner’s Office said it would address the question of whether GCHQ may have provided regulators with inaccurate information in an annual report published after Privacy International’s legal proceedings have concluded.
“It would be inappropriate to express a view in advance of the tribunal’s decision,” a spokesman said.
“IPCO has no reason to question GCHQ’s candour or to suspect there has been a deliberate lack of transparency. Indeed, GCHQ has taken steps to bring matters to the attention of IPCO where there has been a mis-statement or if relevant material had been overlooked.
“In the course of future inspections we will ensure that the regulatory and compliance machinery is in place to ensure that there is disclosure as regards all relevant issues.”
True or false: Can sensitive data be accessed by command line interfaces?
GCHQ deputy director: Data on GCHQ’s data storage and retrieval platforms is not in a format that can be interpreted using the command line. The data is…hosted in such a way as to optimise the data for the analysis being carried out using the appropriate managed interface.
Security expert response: There are ways you can tweak data to make it quicker to search, for example GCHQ might hash phone numbers to make them quicker to search. To a degree he is probably right. You can go into a database and it could be hard to discern. But that does not stop you downloading large chunks of the database, and looking at it later in the database software.
GCHQ deputy director: A simple example would be a Microsoft Word document which, if accessed via the command line, returns a garbled set of characters because data needs to be placed through a Microsoft Office converter to present the information in a readable text format.
Security expert response: Computer Weekly witnessed demonstrations by two security specialists that showed it was possible to read the contents of a Microsoft Word file from the command line using a few simple commands. The complete text was visible, only the formatting and layout was lost.
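Why the demonstration works, as an added example that is not the specialists’ own code and not taken from the original article: a .docx file is a ZIP container holding XML parts, and the visible text sits in `w:t` elements of `word/document.xml`. Dumping the raw file to a terminal shows compressed bytes (the “garbled set of characters”), but anyone who can run `unzip` and `sed`, or a few lines of Python, can recover the text without Office. The document below is built in memory so the script runs offline; the content is constructed.

```python
"""Added example: reading the text of a .docx without Microsoft Office.

The .docx is constructed in memory (a minimal OOXML package) so that the
script is self-contained; it is not a real file from the case.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def build_docx(paragraphs):
    """Minimal OOXML package: [Content_Types].xml plus word/document.xml."""
    body = "".join(
        f'<w:p><w:r><w:t xml:space="preserve">{escape(p)}</w:t></w:r></w:p>'
        for p in paragraphs
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body>{body}</w:body></w:document>'
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.'
        'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", document)
    return buf.getvalue()


def docx_text(data):
    """Return the paragraphs of a .docx as plain-text lines.

    Only the text runs are kept; fonts, layout and styles are lost, which
    is exactly what the specialists' demonstration showed.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    lines = []
    for para in root.iter(f"{{{W_NS}}}p"):
        lines.append("".join(t.text or "" for t in para.iter(f"{{{W_NS}}}t")))
    return lines


def strip_tags_text(data):
    """The shell one-liner equivalent, done in Python:
    `unzip -p file.docx word/document.xml | sed 's/<[^>]*>//g'`.
    Cruder than docx_text(): paragraphs run together and XML entities
    such as &amp; are left as they are, but the words are all there."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        xml = z.read("word/document.xml").decode("utf-8")
    return re.sub(r"<[^>]+>", "", xml)


if __name__ == "__main__":
    doc = build_docx(["Top Secret Strap", "Subject: example & test"])
    print("raw header bytes:", doc[:4])       # b'PK\x03\x04': it is a ZIP file
    print("paragraphs:", docx_text(doc))
    print("tag-stripped:", strip_tags_text(doc))
```

The same holds for .xlsx and .pptx, which use the same container format; the only formats that genuinely need a proprietary converter are the legacy binary .doc/.xls files, and even those yield most of their text to `strings`.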
GCHQ deputy director: The data needs to be stored in such a way to allow identification of a specific desired data item, i.e. a data item may not be stored in one place, rather being distributed across a number of storage servers, which can only be reassembled using specialist software.
Security expert response: GCHQ uses commercially available and open source databases, such as Hadoop and Elasticsearch, for managing large volumes of data. These programs have their own command line interfaces (CLIs), which can be accessed from a server command line interface. Systems administrators can use the software’s command line interfaces to perform the same operations as the database software, including searching for data. If anything, the command lines give systems administrators more powerful capabilities. It is possible that GCHQ may have decided not to install the command line interfaces that are built into commercial software. But it is unlikely. They get widely used for diagnostics.
“If I have a problem with a machine and I want to diagnose it by using the CLI for the database, I can check that the database is working. So while you could disable the database, you would be hampering systems administrators’ ability to troubleshoot,” one security expert told Computer Weekly.
GCHQ deputy director: The search tools available via the command line are basic, and considering the scale of data that needs to be searched against they would time out.
Security expert response: The claim is wrong. The time-out values will be the same for a web interface – i.e. the interface seen by a GCHQ analyst – as for the command line. If anything, the command line will be faster. Although CLI tools might appear basic, compared to a graphical interface, in the hands of a systems administrator, they are extremely powerful.
GCHQ deputy director: Although the technical community would state, in theory, that it is at times possible to search for a string – a name, for example – within the data using the command line, in practice this is not how the interface is used, nor is the interface designed to enable this kind of use.
Security expert response: This is inaccurate. It is possible for systems administrators to access the command line interfaces of database software and carry out searches. Computer Weekly saw a demonstration showing how a systems administrator carried out a search of fields in a Progress database held on a remote server, and was able to display the results.
GCHQ deputy director: Typically, with GCHQ the level of complexity of the systems means the only way to access the data in a readable format is via the software application programming interfaces (APIs).
Security expert response: A lot of databases, like Elasticsearch and Hadoop, store their data in JSON format. Using the command line you could create your own record, or craft an API call from the command line. The response you get back is in JSON format. A tool called jq allows you to convert text into a JSON call.
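Two of the responses above, the remark that identifiers might be stored hashed to speed up searching and the point that the data sits in JSON that can be fetched and searched from the command line, are easiest to see in code. The following is an added example, not the specialists’ code and not a description of any GCHQ system: the records, field names, index name and host are all constructed for the illustration, and the response envelope follows the documented shape of an Elasticsearch `_search` reply.

```python
"""Added example: searching an Elasticsearch-style JSON search response
for a target identifier from a script, including a field that is stored
as a hash rather than in clear.  Records, field names, index and host
are constructed for the example; they are not GCHQ's schema.
"""
import hashlib
import json


def sha256_hex(value):
    """Unsalted SHA-256: the kind of one-way transform a store might apply
    to phone numbers so that equality lookups are fast and fixed-width."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


# Constructed call records.  The numbers are from the UK Ofcom drama range
# (+44 7700 900xxx) and belong to nobody.
RECORDS = [
    {"ts": "2017-11-02T10:01:00Z", "caller_hash": sha256_hex("+447700900123"),
     "callee_hash": sha256_hex("+447700900456"), "cell": "CHE-041", "note": "ref J Smith"},
    {"ts": "2017-11-02T11:17:30Z", "caller_hash": sha256_hex("+447700900789"),
     "callee_hash": sha256_hex("+447700900123"), "cell": "CHE-017", "note": ""},
    {"ts": "2017-11-03T08:45:10Z", "caller_hash": sha256_hex("+447700900789"),
     "callee_hash": sha256_hex("+447700900999"), "cell": "LON-203", "note": "ref A Jones"},
]


def search_response(records):
    """Wrap records in the envelope an Elasticsearch `_search` returns.

    On a live cluster this is what
        curl -s 'http://es-host:9200/calls/_search?size=10000'
    would print (host and index assumed), and what
        jq '.hits.hits[]._source'
    would unwrap.  Here it is built locally so the example runs offline.
    """
    hits = [{"_index": "calls", "_id": str(i), "_score": 1.0, "_source": r}
            for i, r in enumerate(records)]
    return json.dumps({"took": 3, "timed_out": False,
                       "hits": {"total": len(hits), "hits": hits}})


def find_identifier(response_json, target, hashed_fields=("caller_hash", "callee_hash")):
    """Return the _source records that mention `target`.

    A hashed field matches when it equals sha256(target): the number is
    not stored in clear, so the dump looks unreadable, yet a targeted
    lookup works for anyone who knows the transform.  Only a keyed hash
    (HMAC with a secret the administrator cannot read) would change that.
    Clear-text string fields are matched by case-insensitive substring.
    """
    body = json.loads(response_json)
    target_hash = sha256_hex(target)
    matches = []
    for hit in body["hits"]["hits"]:
        src = hit["_source"]
        hashed_hit = any(src.get(f) == target_hash for f in hashed_fields)
        clear_hit = any(isinstance(v, str) and target.lower() in v.lower()
                        for v in src.values())
        if hashed_hit or clear_hit:
            matches.append(src)
    return matches


if __name__ == "__main__":
    response = search_response(RECORDS)
    for who in ("+447700900123", "smith", "+447700900000"):
        print(who, "->", [m["ts"] for m in find_identifier(response, who)])
```

The search the web interface performs and the one a script performs against the same REST API differ only in who is typing; whatever timeout applies to one applies to the other, and an administrator who can reach the API, or the node’s own data directory, can also page through the whole index rather than one query at a time.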
Computer Weekly consulted an IT security expert with more than 20 years’ experience in the financial sector and government. Fabio Natali, an experienced software developer, with an interest in computer security, also participated in this project.