GCHQ's Dubious Role in The 'Quantum' Hacking Spy Tactic

Thursday 12 December 2013

I've not posted here for a while, but I've got a good excuse. For the last month or so I've been out in Brazil working on a series of stories with the American journalist and former Guardian columnist Glenn Greenwald. We've been reporting a series of revelations about government surveillance based on the trove of files leaked by former NSA contractor Edward Snowden.

I've had some time to take a breather tonight and I want to draw attention to something important in one of the latest stories we worked on with a team of excellent Swedish journalists from Uppdrag Granskning — an investigative unit that operates as part of Sweden's national public broadcaster SVT.

We worked on several stories with Uppdrag Granskning in the lead up to an hour-long documentary, aired Wednesday, about Sweden's major role in the global surveillance nexus that is led by the United States, the United Kingdom, and the other members of the so-called Five Eyes group — Australia, Canada, and New Zealand.

As we reported, the documents reveal how Sweden has become a key partner for the US and the UK, and top-secret agreements have been made in the last decade that bolster Sweden's spying role like never before.

But aside from these crucial details, which are hugely important for Swedish citizens to be informed about, I'd like to highlight here one smaller piece of information that we reported that I think is highly notable.

Earlier this year, it was disclosed that UK spy agency GCHQ was involved in hacking into the Belgian telecom company Belgacom's computer systems in order to covertly gather intelligence on unknown targets. But what is interesting is that, despite being involved in using these hacking methods, GCHQ has been worrying behind the scenes about their legality.

One of the Snowden documents we revealed on the Uppdrag Granskning documentary — dated circa April 2013 — shows the NSA describing a so-called 'Quantum' hacking initiative that GCHQ was involved in at a "proof-of-concept" level. However, the document notes:
Continued GCHQ involvement may be in jeopardy due to British legal/policy restrictions, and in fact NSA’s goal all along has been to transition this effort to a bilat with the Swedish partner. [Emphasis added.]

This struck me because, last year, I uncovered a document showing something similar. In obscure technical standards meetings with telecom companies about implementing new surveillance capabilities, GCHQ representatives from a little-known unit of the agency called the National Technical Assistance Centre were voicing the same concerns about hacking techniques.

At meetings held between 2010 and 2011 in Estonia and Italy, at which a GCHQ representative was present, the UK was said to be anxious about the legality of performing a so-called 'man-in-the-middle' attack to covertly hack and eavesdrop on communications:
An additional concern in the UK is that performing an active attack, such as the Man-in-the-Middle attack proposed in the Lawful Interception solution...may be illegal. The UK Computer Misuse Act 1990 provides legislative protection against unauthorised access to and modification of computer material. The act makes specific provisions for law enforcement agencies to access computer material under powers of inspection, search or seizure. However, the act makes no such provision for modification of computer material. A Man-in-the-Middle attack causes modification to computer data and will impact the reliability of the data.

This could not be clearer. The UK's position was that it might be unlawful for authorities to hack a computer in order to monitor communications and/or exfiltrate data. That was the position in 2010/11, and I think the same concern is what is being referenced in the 2013 NSA document when UK "legal/policy restrictions" are mentioned.

Yet despite this concern — and this is perhaps the most important point — GCHQ has marched ahead with its participation in clandestine surveillance operations that involve hacking. The Belgacom case is a specific example, but the NSA documents on Sweden illustrate that Belgacom was not an isolated case. GCHQ was (and likely continues to be) involved in a program called WINTERLIGHT that explicitly involves trying to infect hundreds of targeted computers with so-called 'implants' of malware. GCHQ even operates a covert computer server that it uses to help infect targets with the malware, likely by masquerading as legitimate websites such as LinkedIn, as previous reports have suggested. These covert servers are mentioned in one of the NSA documents on Sweden, dated April 2013, revealed by Uppdrag Granskning:
Last month, we received a message from our Swedish partner that GCHQ received FRA [Swedish spy agency] QUANTUM tips that led to 100 shots, five of which were successfully redirected to the GCHQ server.

So, the question here is: how can this be legal? If GCHQ was previously concerned that performing active hacking attacks may be unlawful under the UK's Computer Misuse Act, then how has that situation been resolved? Has the agency been granted immunity to perform these operations? If so, who granted the immunity? Alternatively, has the UK government, with zero public debate and under cover of total secrecy, produced a classified interpretation of the law aimed at justifying and rendering lawful the use of this clandestine hacking technique?

Another very intriguing theory I have considered is that GCHQ lets one of the other agencies do the "dirty work" — the part of the hack that would be illegal under UK law. The NSA may deploy the malware, for instance, while GCHQ plays a lesser role by merely facilitating the attack by hosting the server — but still reaping the benefits (i.e. it gets access to the intercepted data). Having spent countless hours now looking at the Snowden documents, it certainly appears to me that this is something that occurs — that the spy agencies circumvent their domestic laws by allowing partner agencies to do things that they could not do themselves.

Either way, GCHQ's clear and undeniable role in Quantum hacking attacks raises hugely significant legal questions and it is remarkable to me — but perhaps not totally surprising — that the blundering British parliamentarians who are supposed to hold the agency to account have thus far failed to raise any of these key issues.


  1. Look at the Intelligence Services Act, section 5 (1) - doesn't that give them permission, as long as they've a Warrant? http://www.legislation.gov.uk/ukpga/1994/13/crossheading/authorisation-of-certain-actions

  2. Warrants are usually specific, I don't think a court would grant a warrant to search everyone.

  3. This comment has been removed by the author.

  4. I've had the same thoughts. Craig Murray said something along the same lines here: http://www.craigmurray.org.uk/archives/2013/06/lack-of-intelligence/ - I also remember him describing how, if you need intelligence on something illegal in the UK, you get the US to do it, and it arrives on your desk with a red back, but same format, just not the blue back. Can't find that quote now. But this theory is compelling as the standard strategy for most of these services is the "it's done outside our borders .. therefore not illegal" - the Norway Boundless Informant mess comes to mind. It would be interesting to look for patterns like this - country x collects metadata for y, y for z, all goes to the database, and no one breaks the law.

  5. As a Canadian I worry about our CSEC being involved.
    The oversight here is microscopic and, believe it or not, the oversight reports themselves have to be approved by (and are censored by) CSEC itself.

  6. Ryan, thank you for an excellent discussion of an interesting document.

    It makes better reading after unravelling the acronyms. In order of appearance, these are LI for Lawful Interception (lol limiting it to that), MIKEY-IBAKE for one of eight protocols explained at wikipedia under consideration as a layer (Media Plane) for 3GPP (third-generation) cell phone encryption, LEMF a Law Enforcement Monitoring Facility (DRTBOX, Stingray, Room 641A, exfiltrating malware), a PLMN being a govt regulated Public Land Mobile Network (rather than marine or satellite), with the target under surveillance using a cell phone (MS/UE = Mobile Station/User equipment), with the LEA (Law Enforcement Agency) seeking CC (intercepted Content of Communications) in addition to IRI (Intercept Related Information metadata).

    We have here a situation reminiscent of 'hair trigger, fail-safe' ICBM launch control -- the public is allowed to make encrypted cell phone calls, but the carrier must provide for Lawful Interception and easy decryption in the view of the US (which wishes to push the FBI's CALEA model on the rest of the world -- see http://cryptome.org/2013/08/proton-clearwater-lexis-nexis.htm). However the proliferation of new digital calling protocols has created a quandary -- real-time decryption on the fly without alerting the target or causing massive call terminations.

    Worse, the only feasible method involves a man-in-the-middle attack, yet that unacceptably alters the digital stream from the perspective of eventual prosecution in goody-goody jurisdictions like the US and UK, more subtly but similar to editing an email from 'I'm feeling a lot of pressure at work' to 'I'm bringing a pressure-cooker to work'. In the US, evidence is laundered through a contrivance called parallel construction whereby the LEA recreates data sourcing in a way that a defense attorney is unable to challenge, yet unilateral disarmers in DOJ have just halted that.

    In this September 2010 memo, the UK representative politely disses MIKEY-IBAKE in favor of another draft protocol, MIKEY-SAKKE. (There wasn't agenda time given at this meeting for balancing full take with rights to privacy because they're all true believers.) And here we are, 40 months later, not knowing how it shook out. And as you say, in view of the bilats, wondering what Lawful Interception really means for the US not restrained in foreign collection and select foreigners not restrained in US collection.

  7. Think everyone has more or less hit the nail on the head. It's interception outside Domestic Law (in theory) by getting someone else to do it. But who gives/gave "permission" Domestically?

    1. Other area to think about is of course "mass surveillance ok because we can then get the highly dangerous people" argument or the "I've done nothing wrong so not bothered" argument. We can't really accept this because the extraordinary new technological advancements and power can so easily be abused. In the end we might have to accept that "certain types of highly dangerous people" will just have to get away with it. Freedom can suck.

  8. I find it by no means irrelevant to the general discussion that Sweden's former prime minister and its current Minister of Foreign Affairs, Carl Bildt, who is among the persecutors of Assange, has long been the Consultant in International Affairs and a Board Member of the U.S. corporation Booz Allen Hamilton Holdings, Snowden's former employer. He is also, come to that, a proud old friend of Karl Rove and Condoleezza Rice (- see Wikipedia). Isn't there a journalist in Sweden disposed to follow up on all this?

  9. Fredrik Laurin and Filip Struwe would be the right people to look into that. Ryan works with Laurin.

    1. This comment has been removed by the author.

    2. Geoffrey de Galles, 15 December 2013 at 14:27

      For any journo interested enough in pursuing all this further:- Bildt is also a Senior International Advisor and Board Member of Akin Gump Solutions -- like Booz Allen Hamilton Holdings, a US data-capture corporation. Condoleezza Rice happens to be, also, a Board Member of this corp., as indeed she is of BAHH, too. She and Bildt are also Board Members of the so-called Aspen Institute (see Wikipedia); and both are Bilderberg alumni -- as in 'illuminati' (ibid.). Smells real fishy, no?

  10. Cryptome pulled together today 29 resources it carries on GSM cracking and tracking papers from the 11 Dec 13 WaPo Snowden document back to 1997.

    WaPo document highlights:
    -- This is a guide to secrecy classification of 2G GSM cell phone facts dated 20 Sept 2006
    -- NSA was already collecting and able to decrypt A5/1 GSM encryption seven years ago, even when it didn't know the 'cryptovariable'.
    -- Technical reports are called tactical reports (TACREPs) or Klieglights
    -- 6 geolocation fields available: country, city, VLR (visitor location register) Global Title (PSTN analog of internet's host name), Location Area Code, Cell ID, Latitude/Longitude
    -- SMS (short message text) could also be intercepted.
    -- cell tower location can be used to geo-reference a GSM handset to 2-3 km ellipse

  11. "spy agencies circumvent their domestic laws by allowing partner agencies to do things that they could not do themselves."

    Compare with the Chilcot Enquiry and the Detainee Inquiry's preliminary report. It seems that any party to the documents can forbid their disclosure. So any state can be protected from embarrassing disclosure by the intervention of another "trusted" state. The same circular technique is being used both to enable dodgy surveillance and to suppress the information democracies need in order to function.