

4 December 1998. Add message.


From: "Brian Gladman" <gladman@seven77.demon.co.uk>
To: "UK Crypto List" <ukcrypto@maillist.ox.ac.uk>
Subject: UK Government Information (In)Security Organisations
Date: Fri, 4 Dec 1998 13:27:10 -0000

Here is my first effort to set out, and comment on, some of the UK
government organisations involved in information security issues.

Please bear in mind that it is my first attempt and is likely to contain
errors. It will certainly not be liked in a number of the organisations
which I mention!

If people in the organisations mentioned (or elsewhere) would like changes
to remove errors, to add details that I have omitted, or to put their own
interpretation on the issues I comment on, then I will happily consider
these for inclusion in a future update.  If it is seen as a useful
contribution I will see if we can put it up on the Cyber-Rights and Civil
Liberties web site as a permanent contribution.

If people think this is worth doing I will add web links and other details
so that we have a resource for dealing with the issues involved.

     Brian

PS apologies to any government departments who I have left out of this note -
though maybe it should be the other way round.

----------------------------------------------------------------------------


*The Government Communications Headquarters (GCHQ)

GCHQ is the UK's electronic intelligence collection agency - the jargon term
for this is SIGINT - short for Signals Intelligence. It has its HQ in
Cheltenham and its collection facilities are located at many sites both in
the UK and overseas.  It undertakes collection, decryption, language
translation and, for some traffic, interpretation as well.  For other types
of traffic it acts as a primary collection and code breaking agency but
passes the resulting information collected to expert cells in other
government departments for interpretation (for example, the Defence
Intelligence Staffs in MOD).  It has enormous collection resources, shared
with NSA, and a wide range of general purpose and custom designed computer
systems for code breaking.

GCHQ is a part of the Foreign and Commonwealth Office and some details of
its functions and the statutory basis for them are set out on its web site.
Historically its role has been the collection of intelligence information
but its statutory duties (set out on its web site) include:

"to monitor or interfere with electromagnetic, acoustic and other emissions
and any equipment producing such emissions and to obtain and provide
information derived from or related to such emissions or equipment and from
encrypted material"

This shows that it is allowed to interfere and disrupt communications
systems and services if it chooses to do so.

There are some within government who believe that the above description
gives GCHQ a mandate to penetrate computer systems both for information
collection and for active disruption and deception attacks.  However others
dispute this and believe that there are immense legal problems in this area
of operation. So far these uncertainties appear to have limited the extent
to which GCHQ has deployed operational capabilities in this area (called
Offensive Information Warfare).

*The Communications Electronic Security Group (CESG)

CESG is the part of GCHQ that is responsible for protecting UK government
communications - in the jargon this is COMSEC - communications security.  It
also has responsibility for computer security - COMPUSEC and for protective
information security - INFOSEC.  It likes to be called the 'UK National
Authority' for such matters although its mandate in respect of other
government departments is only advisory.

Its main responsibility is for designing and approving cryptographic
algorithms for UK government use and for implementing them in prototype
form. For some government departments it also builds complete communications
systems but for others it simply supplies cryptographic algorithms or
hardware. It is located on the GCHQ Benhall site in Cheltenham.

It also has responsibilities in information security and is involved in
computer systems security and in the design of secure networks and
protocols.  However it lacks systems expertise in these areas and has never
had sufficient resources to cover these areas effectively.  This has led to
policy advice to other government departments that has been unrealistic and
this in turn has had a damaging impact on the cost and performance of their
operational computer systems.  MOD has suffered especially badly here.

CESG used to be funded centrally but they have now moved onto a repayment
basis in which a significant part of their income has to be obtained from
their customers for the services they provide.  This should in time bring
about a change in culture and may overcome the difficulties that they have
had in developing effective policies in the computer systems area.

However CESG remains a part of GCHQ and its primary function in respect of
uses of cryptography outside of its control is that of ensuring that they
are ineffective.  Its interest in respect of preventing information warfare
attacks on the UK as a whole, government assets aside, is hence highly
suspect.

*The Ministry of Defence (MOD)

A major MOD responsibility is that of collecting and analysing military
intelligence data.  The staff involved are highly professional and very
careful to ensure that their work does not stray over the boundary into
activities not soundly based within the statutory responsibilities of
the MOD.  I am obviously biased but I consider them a national asset and not
a threat to the privacy of UK citizens.  MOD has its own collection assets
but also relies heavily on GCHQ.

The MOD is a major client for GCHQ intelligence data and a major user of
secure communications and information systems. As such it is a major client
of both GCHQ and CESG.  In respect of cryptographic products MOD has been
CESG's major customer and has in the past taken as much as 90% of their
output.

MOD relies on CESG for the design of cryptographic algorithms and prototype
designs but does most of its own development and production work through its
Procurement Executive in Bristol.  Except for cryptographic algorithms MOD
has an independent mandate to undertake its own programme of research and
development in respect of communications and information systems security.

In principle MOD does not have to apply CESG rules, or take their advice,
but in practice it almost always does (even when it is aware that it is
flawed).  This is engineered through a careful conspiracy between CESG and
GCHQ - if MOD does not accept what CESG tells them to do then GCHQ threatens
to cut off MOD's intelligence feed on the pretext that MOD systems are not
secure enough to handle it.

The only area of MOD to avoid this 'blackmail' is the MOD Procurement
Executive in Bristol which, because it does not need GCHQ intelligence, has
been able to implement reasonably effective and reasonably secure computer
systems to support its operations.

MOD staff at all levels are well aware that GCHQ advice (and that is what
CESG advice is) is wasting large sums of taxpayers money but they don't do
anything about it for fear of upsetting GCHQ.   This makes them culpable and
will mean that when the National Audit Office eventually finds out about the
magnitude of the waste involved it will be MOD's 'head on the block' as much
as GCHQ's.

I am not exactly popular in GCHQ (or MOD) for discussing this in public but
I was one of the few people in MOD who did NOT accept the GCHQ line and GCHQ
attempted to crucify me for this.  I will continue pointing this out until I
get a personal apology from GCHQ for their action!

*The Defence Evaluation and Research Agency (DERA)

DERA is the research arm of the MOD, now running as a semi-autonomous agency
reporting direct to the Minister of Defence.  It has a large number of
sites in the UK (and some overseas) but information security work is largely
concentrated at Malvern in Worcestershire.  It is tasked by the MOD to
conduct research into information security issues and undertakes work in
both offensive and defensive techniques.    Until the mid-1980s it was the
only government organisation with a significant information security
research programme and its work on computer and network security predates
that at GCHQ by at least 10 years.

DERA at Malvern (then the Royal Radar Establishment and the Royal Signals
and Radar Establishment) was an early participant in ARPANET and a leader of
UK research and development in the defence packet switching field.   In the
1980s it sought to design and develop secure computer systems for defence
use but none of these achieved any significant success.  It was more
successful in designing packet switching encryption products and these
eventually went into MOD service.

In the mid 1980s GCHQ sought to take over and remove the DERA mandate for
research in the computer and information security fields.  The DERA success
in designing a packet switching encryption product before the US almost
certainly prompted NSA to encourage GCHQ to make this move in order to
retain control over the technology.

After a considerable period of infighting GCHQ succeeded in getting CESG
nominated as the 'UK National Authority' for information security but DERA
secured an agreement in which they retained a full and unconstrained right
to conduct independent R&D in the computer and information security fields.

DERA has undertaken work under contract for GCHQ and CESG in the computer,
network and software security fields.

DERA remains the most competent organisation within government in the secure
computing and networking fields.  However it appears to be losing this
expertise as defence budget cuts bite into its research programme.

*The Department of Trade and Industry (DTI)

The DTI's role in cryptography and information security is to manage the
industrial and economic aspects of the topic and to co-ordinate the 'public
facing' aspects of cryptography and information security policy such as, for
example, export licensing.  They therefore have the unenviable task of
bringing UK government departments together in order to set a coherent UK
government policy on cryptography and information security matters.

They represent the UK on the EU bodies dealing with these subjects and also
attend activities such as the Wassenaar Arrangement where cryptography
controls are agreed.

They used to rely on the National Physical Laboratory and on DERA Malvern
for technical expertise but shifted to employing commercial resources in the
1980s.  They now have no intramural technical expertise of any magnitude in
the field (although some of their staff are individually competent).

*The Cabinet Office

The Cabinet Office manages the central intelligence machinery and runs a
number of committees that have a role in considering cryptography and
information security issues.   It has a major role in deciding departmental
responsibilities where new issues arise or where the departments are unable
to agree on how things should be handled.  The departmental responsibility
for protecting the UK in the face of an information warfare attack on our
information infrastructure is a hot topic at the moment.

The Cabinet Office is also responsible for the Central Information
Technology Unit:

*The Central Information Technology Unit (CITU)

CITU is responsible for Information Technology policy and strategy spanning
government departments and for promoting the use of IT in the delivery
of government services to the public.  They are taking the security and
privacy aspects of their tasks seriously.

GCHQ have been trying very hard to interest CITU in their insecurity
products but senior CITU staff are very well aware that public trust and
GCHQ involvement are mutually exclusive.   CITU are relying heavily on
industry involvement to obtain an effective strategy for secure service
delivery but the extent to which their proposals have been subject to
scrutiny by independent security experts is unknown to the author at the
moment.

*The Central Computer and Telecommunications Agency (CCTA)

The CCTA also handles pan-government matters in Information Technology and
Telecommunications and provides resources to support those government
departments that do not employ their own expert IT staff.

Until the early 1990s the CCTA had responsibility for setting policy on the
security and privacy protection required for all government information
designated as 'sensitive but unclassified' (in outline classified
information is information which, if revealed, would damage the UK - this
was handled by CESG and CCTA handled the rest).  However when they became
interested in cryptographic protection in the early 1990s, CESG moved
immediately to take over their duties in setting protection policy for this
class of information (see the trend here!).   Although a number of staff in
CCTA were acutely aware of the damage this would do (I attended meetings to
support them in expressing their concerns), CCTA was no match for the
political power of GCHQ and these responsibilities were eventually
transferred.   So GCHQ insecurity policies now apply on a pan-government
basis!


----------------------------------------------------------------------------

Date: Fri, 4 Dec 1998 16:25 +0000 (GMT Standard Time)
From: hcorn@cix.co.uk (Peter Sommer)
Subject: Re: UK Government Information (In)Security Organisations
To: ukcrypto@maillist.ox.ac.uk

A few additions to Brian's contribution:

1 http://www.open.gov.uk/co/cim/cimrep1.htm takes you to the Cabinet Office
and then on to the Central Intelligence Machinery.

2 CITU have recently lost their oversight role for PFI contracts to the
Treasury; the Treasury are presumably considered very good at negotiating
contracts, but it isn't clear who now does specification, security risk
analysis and project management.

3 There is a Cabinet Office Security section and as Brian says one part of
their remit is to look at threats to the UK National Information
Infrastructure - they tend to prefer "electronic attack" to "information
warfare" believing that the latter term encompasses far too much; within the
next few weeks there will be some sort of formal announcement about its
pre-occupations. (There has been a PNQ in the Commons in the last few days
about this.)

4 Some of CCTA's computer security remit also went to the Security Service -
they are the sponsors of CRAMM, the risk analysis methodology, and they also
have responsibility for Operation Security in Government Departments and
Line-X companies (those that hold sensitive contracts). The Security Service
also does personnel vetting in Line-X companies as well as contributing an
overall threat assessment.

Obviously not all of these functions relate simply to crypto.....

Two problems of mapping out these bodies and their functions are that many
have more than one name and re-organisation / re-assignments of remit occur
quite frequently.

Peter Sommer
hcorn@cix.co.uk   P.M.Sommer@lse.ac.uk
Academic URL:  http://csrc.lse.ac.uk/csrc/pmscv.htm
Commercial URL:  http://www.virtualcity.co.uk