GCHQ, the UK’s cyber-intelligence agency, has substantially increased its ability to hack into devices, but its project to crack encryption has so far failed, according to a report by the Intelligence and Security Committee (ISC).
The committee, which oversees the work of all the UK intelligence agencies, has snuck out its annual report just as Parliament breaks up for Christmas. But amongst the various revelations it contains is the news that GCHQ has “over-achieved” in its programme to enhance its own cyber-attack capabilities.
The National Offensive Cyber Programme (NOCP) was launched in 2015 and is a joint-project by GCHQ and the Ministry of Defence. It was intended to give UK intelligence the tool it needs to conduct cyber-attacks on “on a different scale” and provide them with “high-end” offensive capabilities.
It appears that the programme has been a huge success. According to the ISC Report, they have doubled the number of offensive cyber-capabilities available to British intelligence in just two years.
Details of exactly what GCHQ is now capable of have not been revealed, for obvious reasons, but in 2015, the Government defined the aims of the programme as being to “disrupt, deny, degrade or destroy computer networks and internet-connected devices”.
Then last year, it was claimed they were aiming to give intelligence and armed forces the ability to “deploy offensive cyber capabilities as an integrated part of operations” and “maintain political control over cryptography.”
It is likely that GCHQ now has the capability to retaliate against any country which targets key British industries or infrastructure with cyber-attacks.
An example of this could be the WannaCry ransomware attacks earlier this year, which North Korea has been blamed for. But other nations like China and Russia frequently user cyber-attacks to disrupt other countries and steal information.
But it should also be noted that once GCHQ has these tools, there is little to stop them being used against individual internet users as well as state actors.
However, while GCHQ is naturally pleased with the progress it has made, its success has not been universal. Several projects they have attempted have not been successful, including one, known as Foxtrot, which was targeting encryption.
Details are sketchy again, but Foxtrot is described in the report as an “equipment interference programme to increase GCHQ’s ability to operate in an environment of ubiquitous encryption.”
In evidence provided by GCHQ to the Committee, Foxtrot is described as their “number one priority and number one worry”. This makes it abundantly clear that British intelligence is working hard to undermine encrypted communications. This is something that will affect not just hostile overseas regimes, but individual internet users too.
Fortunately, the project is not going to plan thus far. The report states that its objectives have become much more difficult and competition from the private sector has created a skills shortage within GCHQ.
By their own admittance, GCHQ cannot compete with private sector wages, which are often four or five times higher. They claim to offer more interesting work, but it will come as no surprise that the best employees always end up in the private sector eventually.
UK Government targeting encryption
That is undoubtedly good news for all internet users that value their online privacy. But while the project may be struggling, it nonetheless continues. And with GCHQ confirming it as their “number one priority”, people should be in no doubt that their efforts will continue.
Foxtrot may benefit from a planned recruitment spree at GCHQ over the next couple of years. They plan to increase staffing numbers by 14% before 2020, which is the equivalent of an additional 800 people. Whether those new faces will be skilled enough to present a real threat to encryption remains to be seen.
But the report does confirm that UK intelligence is still attempting to give itself the power to access all encrypted internet data and communications. Some of their efforts are targeted at state threats, but the geopolitical situation right now means that individuals are viewed as every bit as much of a threat too.
If and when they do develop the ability to crack encryption, the online privacy and security of everybody will be threatened. It would again be naïve to suggest that only state actors will be targeted.
But, for now at least, this report confirms that they don’t yet possess that capability. And that means UK internet users who value their privacy can still rely on a VPN such as IPVanish or ExpressVPN to keep their online activities secure and private this Christmas and into 2018.