Slashdot Mirror


UK's GCHQ Admits To Using Vulnerabilities To Hack Target Systems

Bismillah (993337) writes "Lawyers for the GCHQ have told the Investigatory Powers Tribunal in the UK that the agency carries out the same illegal Computer Network Exploitation (CNE) operations that criminals and hackers do. Except they do it legally. GCHQ is currently being taken to court by Privacy International and five ISPs from the UK, Germany, the Netherlands, Zimbabwe and South Korea for CNE operations that the agency will neither confirm nor deny as per praxis."

1 of 57 comments

  1. You're not going to get anywhere with this crowd by Anonymous Coward · Score: 0, Flamebait

    There are also laws against killing people, yet law enforcement and the military may lawfully do so in certain situations.

    The summary would be accurate if it simply struck the word illegal:

    "the agency carries out the same Computer Network Exploitation (CNE) operations that criminals and hackers do. Except they do it legally."

    Is anyone surprised by this? NSA and CYBERCOM do it, too, under US Title 50 and Title 10 authorities, respectively.

    And there is no equivalence between the actions of criminals and democratic governments, nor between repressive governments and democratic governments, without an ugly morass of moral relativism.

    GCHQ is an intelligence component of a free and democratic society operating with clear and specific legal authorities, even though some may disagree with them, utterly misunderstand them, or incorrectly believe that is not the case. Intelligence activities also require secrecy in order to be effective, even in free societies.

    There appears to be a fundamental misunderstanding even in the tech companies of what GCHQ and NSA are actually doing and why. Gone are the days where the US or UK targeted foreign communications on distant shores, or cracked codes used only by our enemies. No one would have questioned the legitimacy of breaking the German or Japanese codes during WWII. The difference today is that our adversaries -- from terrorists to nation-states -- use the same systems, services, networks, operating systems, devices, software, hardware, cloud services, encryption standards, and so on, as our citizens and much of the rest of the world. The distinction is no longer the technology or the place, but the person(s) using a capability: the target. In a free society based on the rule of law, it is not the capability to do a thing, but the law which defines how we behave, that is paramount.

    An important thing to remember here is that because adversaries use the same systems we're using, the fact that Americans or Britons or others also use them does not suddenly or magically mean that no element of US or UK intelligence should ever target them. When a terrorist in Somalia is using Hotmail -- or an iPhone -- instead of a walkie-talkie, that does not mean we pack our bags and go home. That means that, within legal authorities and duly authorized missions, we aggressively pursue any and all possible avenues, within the law, that may allow us to intercept and exploit the communications of foreign intelligence targets.

    If they are using hand couriers, we target them. If they are using walkie-talkies, we target them. If they are using their own custom methods for protecting their communications, we target them. If they are using HF radios, VSATs, satellite phones, or smoke signals, we target them. If they are using GMail, Facebook, iPhones, Android, SSL, web forums running on Amazon Web Services, etc., we target them -- within clear and specific legal frameworks that govern the way our intelligence agencies operate, including with regard to our own citizens.

    That doesn't mean it's always perfect; that doesn't mean things are not up for debate; that doesn't mean everyone will agree with every possible legal interpretation; that doesn't mean that some may fundamentally disagree with the approach to, e.g., counterterrorism. But the intelligence agencies do not make the rules, and while they may inform these, they do not define national policy or priorities.

    "We're pretty aggressive within the law. As a professional, I'm troubled if I'm not using the full authority allowed by law." - General Michael Hayden, Director, National Security Agency (DIRNSA), November 2007

    "Gone were the days when signals of interest [...] went along some dedicated microwave link between strategic rocket forces headquarters in Moscow and some ICBM in western Siberia. By the late '90s, what NSA calls targeted communications -- things like al Qaeda communications -- coexisted out there in a great global web with your phone calls and my e-mails. NSA needed the