4 December 1998. Add message.
From: "Brian Gladman" <firstname.lastname@example.org> To: "UK Crypto List" <email@example.com> Subject: UK Government Information (In)Security Organisations Date: Fri, 4 Dec 1998 13:27:10 -0000 Here is my first effort to set out, and comment on, some of the UK government organisations involved in information security issues. Please bear in mind that it is my first attempt and is likely to contain errors. It will certainly not be liked in a number of the organisations which I mention! If people in the organisations mentioned (or elsewhere) would like changes to remove errors, to add details that I have omitted, or to put their own interpretation on the issues I comment on, then I will happily consider these for inclusion in a future update. If it is seen as a useful contribution I will see if we can put it up on the Cyber-Rights and Civil Liberties web site as a permanent contribution. If people think this is worth doing I will add web links and other details so that we have a resource for dealing with the issues involved. Brian PS apologies to any government departments who I have left out of this note - though maybe it should be the other way round. ---------------------------------------------------------------------------- *The Government Communications Headquarters (GCHQ) GCHQ is the UK's electronic intelligence collection agency - the jargon term for this is SIGINT - short for Signals Intelligence. It has its HQ in Cheltenham and its collection facilities are located at many sites both in the UK and overseas. It undertakes collection, decryption, language translation and, for some traffic, interpretation as well. For other types of traffic it acts as a primary collection and code breaking agency but passes the resulting information collected to expert cells in other government departments for interpretation (for example, the Defence Intelligence Staffs in MOD). It has enormous collection resources, shared with NSA, and a wide range of general purpose and custom designed computer systems for code breaking. GCHQ is a part of the Foreign and Commonwealth Office and some details of its functions and the statutory basis for them are set out on its web site. Historically its role has been the collection of intelligence information but its statutory duties (set out on its web site) include: "to monitor or interfere with electromagnetic, acoustic and other emissions and any equipment producing such emissions and to obtain and provide information derived from or related to such emissions or equipment and from encrypted material" This shows that it is allowed to interfere and disrupt communications systems and services if it chooses to do so. There are some within government who believe that the above description gives GCHQ a mandate to penetrate computer systems both for information collection and for active disruption and deception attacks. However others dispute this and believe that there are immense legal probelms in this area of operation. So far these uncertainties appear to have limited the extent to which GCHQ has deployed operational capabilities in this area (called Offensive Information Warfare) *The Communications Electronic Security Group (CESG) CESG is the part of GCHQ that is responsible for protecting UK government communications - in the jargon this is COMSEC - communications security. It also has responsibility for computer security - COMPUSEC and for protective information security - INFOSEC. It likes to be called the 'UK National Authority' for such matters although its mandate in respect of other government departments is only advisory. Its main responsibility is for designing and approving cryptographic algorithms for UK government use and for implementing them in prototype form. For some government departments it also builds complete communications systems but for others it simply supplies cryptographic algorithms or hardware. It is located on the GCHQ Benhall site in Cheltenham. It also has responsibilities in information security and is involved in computer systems security and in the design of secure networks and protocols. However it lacks systems expertise in these areas and has never had sufficient resources to cover these areas effectively. This has led to policy advice to other government departments that has been unrealistic and this in turn has had a damaging impact on the cost and performance of their operational computer systems. MOD has suffered especially badly here. CESG used to be funded centrally but they have now moved onto a repayment basis in which a significant part of their income has to be obtained from their customers for the services they provide. This should in time bring about a change in culture and may overcome the difficulties that they have had in developing effective policies in the computer systems area. However CESG remains a part of GCHQ and its primary function in respect of uses of cryptography outside of its control is that of ensuring that they are ineffective. Its interest in respect of preventing information warfare attacks on the UK as a whole, government assets aside, is hence highly suspect. *The Ministry of Defence (MOD) A major MOD responsibility is that of collecting and analysing military intelligence data. The staff involved are highly professional and very careful to ensure that their work does not stray over the boundary into activities not soundly based within the the statutory responsibilities of the MOD. I am obviously biased but I consider them a national asset and not a threat to the privacy of UK citizens. MOD has its own collection assets buts also relies heavily on GCHQ. The MOD is a major client for GCHQ intelligence data and a major user of secure communications and information systems. As such it is a major client of both GCHQ and CESG. In respect of cryptographic products MOD has been CESG's major customer and has in the past taken as much as 90% of their output. MOD relies on CESG for the design of cryptographic algorithms and prototype designs but does most of its own development and production work through its Procurement Executive in Bristol. Except for cryptographic algorithms MOD has an independent mandate to undertake its own programme of research and development in respect of communications and information systems security. In principle MOD does not have to apply CESG rules, or take their advice, but in practice it almost always does (even when it is aware that it is flawed). This is engineered through a careful conspiracy between CESG and GCHQ - if MOD does not accept what CESG tells them to do then GCHQ threatens to cut off MOD's intelligence feed on the pretext that MOD systems are not secure enough to handle it. The only area of MOD to avoid this 'blackmail' is the MOD Procurement Executive in Bristol which, because it does not need GCHQ intelligence, has been able to implement reasonably effective and reasonably secure computer systems to support its operations. MOD staff at all levels are well aware that GCHQ advice (and that is what CESG advice is) is wasting large sums of taxpayers money but they don't do anything about it for fear of upsetting GCHQ. This makes them culpable and will mean that when the National Audit Office eventually finds out about the magnitude of the waste involved it will be MOD's 'head on the block' as much as GCHQ's. I am not exactly popular in GCHQ (or MOD) for discussing this in public but I was one of the few people in MOD who did NOT accept the GCHQ line and GCHQ attempted to crucify me for this. I will continue pointing this out until I get a personal apology from GCHQ for their action! *The Defence Evaluation and Research Agency (DERA) DERA is the research arm of the MOD, now running as a semi-autonomous agency reporting direct to the Minister of Defence. Its has a large number of sites in the UK (and some overseas) but information security work is largely concentrated at Malvern in Worcestershire. It is tasked by the MOD to conduct research into information security issues and undertakes work in both offensive and defensive techniques. Until the mid-1980s it was the only government organisation with a significant information security research programme and its work on computer and network security predates that at GCHQ by at least 10 years. DERA at Malvern (then the Royal Radar Establishment and the Royal Signals and Radar Establishment) was an early participant in ARPANET and a leader of UK research and development in the defence packet switching field. In the 1980s it sought to design and develop secure computer systems for defence use but none of these achieved any significant success. It was more successful in designing packet switching encryption products and these eventually went into MOD service. In the mid 1980s GCHQ sought to take over and remove the DERA mandate for research in the computer and information security fields. The DERA success in designing a packet switching encryption product before the US almost certainly prompted NSA to encourage GCHQ to make this move in order to retain control over the technology. After a considerable period of infighting GCHQ succeeded in getting CESG nominated as the 'UK National Authority' for information security but DERA secured an agreement in which they retained a full and unconstrained right to conduct independent R&D in the computer and information security fields. DERA has undertaken work under contract for GCHQ and CESG in the computer, network and software security fields. DERA remains the most competent organisation within government in the secure computing and networking fields. However it appears to be losing this expertise as defence budget cuts bite into its research programme. *The Department of Trade and Industry (DTI) The DTI's role in cryptography and information security is to manage the industrial and economic aspects of the topic and to co-ordinate the 'public facing' aspects of cryptography and information security policy such as, for example, export licensing. They therefore have the unenviable task of bringing UK government departments together in order to set a coherent UK government policy on cryptography and information security matters. They represent the UK on the EU bodies dealing with these subjects and also attend activities such as the Wassenaar Arrangement where cryptography controls are agreed. They used to rely on the National Physical Laboratory and on DERA Malvern for technical expertise but shifted to employing commercial resources in the 1980s. They now have no intramural technical expertise of any magnitude in the field (although some of their staff are individually competent). *The Cabinet Office The Cabinet Office manages the central intelligence machinery and runs a number of committees that have a role in considering cryptography and information security issues. It has a major role in deciding departmental responsibilities where new issues arise or where the departments are unable to agree on how things should be handled. The departmental responsibility for protecting the UK in the face of an information warfare attack on our information infrastructure is a hot topic at the moment. The Cabinet Office is also responsible for the Central Information Technology Unit: *The Central Information Technology Unit (CITU) CITU is responsible for Information Technology policy and strategy spanning government departments and for the promoting the use of IT in the delivery of government services to the public. They are taking the security and privacy aspects of their tasks seriously. GCHQ have been trying very hard to interest CITU in their insecurity products but senior CITU staff are very well aware that public trust and GCHQ involvement are mutually exclusive. CITU are relying heavily on industry involvement to obtain an effective strategy for secure service delivery but the extent to which their proposals have been subject to scrutiny by independent security experts is unknown to the author at the moment. *The Central Computer and Telecommunications Agency (CCTA) The CCTA also handles pan-government matters in Information Technology and Telecommunications and provides resources to support those government departments that do not employ their own expert IT staff. Until the early 1990s the CCTA had responsibility for setting policy on the security and privacy protection required for all government information designated as 'sensitive but unclassified' (in outline classified information is information which, if revealed, would damage the UK - this was handled by CESG and CCTA handled the rest) However when they became interested in cryptographic protection in the early 1990s, CESG moved immediately to take over their duties in setting protection policy for this class of information (see the trend here!). Although a number of staff in CCTA were acutely aware of the damage this would do (I attended meetings to support them in expressing their concerns) , CCTA was no match for the political power of GCHQ and these responsibilities were eventually transferred. So GCHQ insecurity policies now apply on a pan-government basis!
Date: Fri, 4 Dec 1998 16:25 +0000 (GMT Standard Time) From: firstname.lastname@example.org (Peter Sommer) Subject: Re: UK Government Information (In)Security Organisations To: email@example.com A few additions to Brian's contribution : 1 http://www.open.gov.uk/co/cim/cimrep1.htm takes you to the Cabinet Office and then on to the Central Intelligence Machinery. 2 CITU have recently lost their oversight role for PFI contracts to the Treasury; the Treasury are presumably considered very good at negotiating contracts, but it isn't clear who now does specification, security risk analysis and project management 3 There is a Cabinet Office Security section and as Brian says one part of their remit is to look at threats to the UK National Information Infrastructure - they tend to prefer "electronic attack" to "information warfare" believing that the latter term encompasses far too much; within the next few weeks there will be some sort of formal announcement about its pre-occupations. (there has been a PNQ in the Commons in the last few days about this) 4 Some of CCTA's computer security remit also went to the Security Service - they are the sponsors of CRAMM, the risk analysis methodology, and they also have responsibility for Operation Security in Government Departments and Line-X companies (those that hold sensitive contracts). The Security Service also does personnel vetting in Line-X companies as well as contributing an overall threat assessment Obviously not all of these functions relate simply to crypto..... Two problems of mapping out these bodies and their functions are that many have more than one name and re-organisation / re-assignments of remit occur quite frequently. |----> Peter Sommer ------------------------------------------->| |----> firstname.lastname@example.org P.M.Sommer@lse.ac.uk ------------------>| |----> Academic URL: http://csrc.lse.ac.uk/csrc/pmscv.htm ----->| |----> Commercial URL: http://www.virtualcity.co.uk ----------->|