Balancing privacy and security requires highly developed information security policies and, of the UK intelligence agencies, GCHQ has taken the lead
In a perfect world there would be no need for security and intelligence agencies. But in an imperfect world, where such agencies are required, arguably the best way to balance security and privacy is to minimise their ability to abuse their powers without stopping them from doing their jobs.
Doing so requires agencies, regulators and politicians to create highly developed information security policies and practices. The UK has a relatively high tolerance of state surveillance, partly based on the agencies’ Second World War reputations, but also on the public’s assumption that they use their present-day powers properly. Maintaining this is in the interest of the agencies as well as the public, as support for legislation such as the Investigatory Powers Bill would be severely threatened by evidence of corruption or sloppy practice.
Of the three agencies, GCHQ has to take the lead on information security. It has the most staff – 5,564 at March 2015, compared with 4,047 at the security service MI5 and 2,479 at the secret intelligence service MI6. It probably spends the biggest part of the £2.6bn intelligence account, although the budgets for each agency are secret. It certainly has the greatest powers to gather information, being the only one of the three agencies that can wield all four kinds of ‘bulk power’, the controversial surveillance abilities that gather data on large numbers of mostly innocent people.
In his recent report on such powers, the independent reviewer of terrorism legislation David Anderson wrote: “Bulk powers, by definition, involve potential access by the state to the data of large numbers of people whom there is not the slightest reason to suspect of threatening national security or engaging in serious crime. Any abuse of those powers could thus have particularly wide-ranging effects on the innocent.”
Safest pair of hands
Also, the other agencies outsource some of their work in this area to GCHQ. MI6 relies on GCHQ’s bulk interception of communications to provide targeted information, while both MI5 and MI6 analysts use GCHQ’s system for bulk personal data on travel.
Fortunately, there is some evidence that GCHQ is the safest pair of hands among the agencies on information security. In his most recent annual report, the intelligence services commissioner Sir Mark Waller said that GCHQ had reported three errors during 2015, compared with 11 at MI6 and 67 at MI5. In its defence, Waller said that MI5 obtains significantly more warrants than the other agencies, “and their error rate is in fact low as a proportion of authorisations”.
Other external checks have called MI5’s information security into question, including its staff contravening rules for accessing communications data on 210 occasions over five years. David Anderson’s review said that GCHQ had reported no errors over bulk communications data during the same period, while on bulk personal datasets the investigatory powers tribunal has heard that between June 2014 and February 2016 there were six “instances of non-compliance” at MI5, with two members of staff disciplined, and five instances at MI6, with three staff disciplined. There were just two such incidents at GCHQ, neither involving individual non-compliance.
UK IT security role
GCHQ has another advantage: it is responsible for strengthening the information security of UK organisations through its CESG arm. It has started publishing advice such as on passwords, and is in the process of expanding its work through the establishment of a new National Cyber Security Centre.
Apart from this, it has previously been difficult for organisations to learn from GCHQ’s own information security experience. But documents from Privacy International’s investigatory powers tribunal case against the intelligence and security agencies, as well as David Anderson’s review, have included details on how GCHQ secures its own information.
Much of its work focuses on individual users. All employees go through a three-month vetting as part of recruitment, but the tribunal documents show this is just the start of the process. This people-centric approach is outlined in Boiling Frogs, a research paper released by GCHQ in May 2016. Writers Russ B, Mike M and Steve H argue against a model of security that prevents people doing their jobs – not least because it may lead to a growth in shadow IT workarounds – preferring one that offers permission and enables staff. “People-centric security is a strategic approach to information security that emphasises individual accountability and trust, and that de-emphasises restrictive, preventative security controls,” they wrote.
In a witness statement to the investigatory powers tribunal, the unnamed deputy director for mission policy at GCHQ revealed some of the ways in which the agency attempts to put this model into practice:
- A business case for access: Unless they have an up-to-date qualifying skill – generally gained only by using the system in question – GCHQ staff have to prepare a business case to access its bulk telephony and internet data tool. This includes demonstrating a requirement for the data and confirming there are colleagues who will support the person in using the system. Applications have to be approved by a local manager and the system’s senior user community. If approved, the new user has to read a “defensive brief” for the system which covers the proportionality of the tool’s use and the policy requirements, along with advice and contacts for support. Only then can the user apply for an account.
- Compulsory training: An account does not lead directly to access. New users have to undergo online training courses and tests, including a legal overview course and, for staff who have access to operational data, an advanced mission legalities course. Both must be re-taken every two years to retain access. The agency also runs an hour-long e-learning training course in using bulk personal datasets with an additional module for travel data, both of which have to be completed before access is granted to that system.
- Multiple levels of access: For GCHQ’s bulk telephony and internet data tool there are three levels of access: level 1, 1+ and 2, with the last allowing access to communications content. Some bulk personal datasets are limited to a handful of people, at least initially: in June 2013, one financial dataset acquired from MI6 was accessible only by two people, while in April 2015 a dataset acquired for a time-limited trial was used only by about 10 analysts.
- A written reason for access: Use of systems is tracked, but, along with MI5 and MI6, GCHQ also requires staff to confirm that they require access each time, selecting one of three legal justifications: national security, economic well-being or to support the prevention or detection of serious crime. GCHQ aims to stop this from being purely a menu choice exercise by requiring a free text justification for the search.
- Use it or lose it: As well as requiring users to jump through hoops to get access, staff with access to the bulk telephony and internet data tool have to use it at least once every six weeks, “or it will expire and a new application will be needed”. In addition to person-centric security, GCHQ uses a range of auditing techniques, both internal and external. These include measures that hold data and datasets for limited periods, with the latter needing reauthorisation if they are to be kept.
- Limited retention periods: GCHQ holds bulk communications data for a year, as does MI5, after which the information is deleted automatically. On bulk personal datasets, since 2010 an internal GCHQ panel has reviewed their use twice a year. The panel authorises retention for a limited period and owners must request extensions, with the usefulness of each dataset tracked through technical data sheets that analysts fill in stating sources while drafting reports. If the owner does not request retention or the panel does not grant this, the owner has to provide evidence that the dataset has been deleted.
- External auditing: As well as internal reviews, since December 2010 the intelligence services commissioner has carried out twice-yearly checks on GCHQ’s use of bulk personal datasets, on the orders of then-prime minister David Cameron. Sir Mark Waller, in his October 2015 inspection, spotted incomplete paperwork for retaining one bulk personal dataset, where the original authorising document was unsigned. As a result, GCHQ’s mission policy department checked the paperwork for all such datasets.
- Admit errors: The agency has raised its own errors with the commissioner, such as when a dataset containing the names and photos of several thousand alleged intelligence agency officers was released online, which GCHQ downloaded to check for its own staff. The file was then deleted, so the agency helped MI5, MI6 and an overseas Five-Eyes partner agency (from the US, Canada, Australia or New Zealand) check against their own employee lists. Permission had not been sought for external sharing, but Waller decided it was justifiable as it aimed to defend employees.
There is always more that GCHQ and the other agencies could do. In his report on bulk powers, David Anderson recommended that the government appoints a technical advisory panel, partly to help the agencies “reduce the privacy footprint of their activities”. But on the basis of the recently published documents, other organisations could benefit from considering GCHQ’s practices on information security.
First published by ComputerWeekly.com, 29 September 2016