Today’s report from Parliament’s Intelligence and Security Committee has suggested that GCHQ has broken computer encryption systems and is able to read messages that ought to be secure.
The admission is made at the bottom of page 67 of the report.
Under the headline, “Reading Encrypted Communications”, it states: “Terrorists, criminals and hostile states increasingly use encryption to protect their communications. The ability to decrypt these communications is core to GCHQ’s work, and therefore they have designed a programme of work – [redacted] – to enable them to read encrypted communications.”
The report states that there are three main strands to GCHQ’s work, two of which are redacted in the report, but the third simply reads “developing decryption capabilities”. The wording of the report, though, suggests that GCHQ has already achieved this, although how efficiently and quickly it is able to do so, and what encryption systems it refers to, remain open to question.
The report claims that such encryption-cracking is legal under section three of the Intelligence Services Act, which empowers the security services to “monitor or interfere with electromagnetic, acoustic and other emissions and any equipment producing such emissions and to obtain and provide information derived from or related to such emissions or equipment and from encrypted material”.
No additional ministerial or judicial authorisation is required for these activities, claims the report, although there is an internal procedure that the committee redacted from the report.
“Many people believe, based on the Snowden leaks, that GCHQ systematically undermine and weaken common internet encryption products,” claims the committee. But under questioning, representatives of GCHQ claimed that they “have increasingly taken into account the interests of members of the public who will use relevant products”.
One of the early claims arising from the disclosures by US National Security Agency (NSA) whistleblower Edward Snowden was that the NSA had “circumvented or cracked” internet encryption.
One of the ways in which it did this was by nobbling an encryption standards-setting committee to incorporate technology it knew to be flawed. It could then exploit those flaws when the technology was commercially deployed.
It also paid RSA Security, one of the best-known security software companies, $10m to incorporate flawed technology in its products, and NSA-compromised technology was later found in a second security tool, the Bsafe security suite, sold by RSA.