UK Government Information (In)Security Organisations
by Brian Gladman, Worcester, 4th January 1998
The Government Communications Headquarters (GCHQ)GCHQ is the UK's electronic intelligence collection agency - the jargon term for this is SIGINT - short for Signals Intelligence. It has its HQ in Cheltenham and its collection facilities are located at many sites both in the UK and overseas. It undertakes collection, decryption, language translation and, for some traffic, interpretation as well. For other types of traffic it acts as a primary collection and code breaking agency but passes the resulting information to expert cells in other government departments for interpretation (for example, the Defence Intelligence Staffs in MOD).
It has enormous collection resources, shared with NSA, and a wide range of general purpose and custom designed computer systems for code breaking. GCHQ is a part of the Foreign and Commonwealth Office and some details of its functions and the statutory basis for them are set out on its web site. Historically its role has been the collection of intelligence information but its statutory duties (set out on its web site) include:
"to monitor or interfere with electromagnetic, acoustic and other emissions and any equipment producing such emissions and to obtain and provide information derived from or related to such emissions or equipment and from encrypted material"This shows that it is allowed to interfere and disrupt communications systems and services if it chooses to do so. There are some within government who believe that the above description gives GCHQ a mandate to penetrate computer systems both for information collection and for active disruption and deception attacks. However others dispute this and believe that there are immense legal probelms in this area of operation. So far these uncertainties appear to have limited the extent to which GCHQ has deployed operational capabilities in this area (called Offensive Information Warfare).
The Communications Electronic Security Group (CESG) CESG is the part of GCHQ that is responsible for protecting UK government communications. In the jargon this is COMSEC - communications security. It also has responsibility for computer security - COMPUSEC - and for protective information security - INFOSEC. It likes to be called the 'UK National Authority' for such matters although its mandate in respect of other government departments is advisory.
Its main responsibility is for designing and approving cryptographic algorithms for UK government use and for implementing them in prototype form. For some government departments it also builds complete communications systems but for others it simply supplies cryptographic algorithms or hardware. It is located on the GCHQ Benhall site in Cheltenham.
CESG has responsibilities in information security and is involved in computer systems security and in the design of secure networks and protocols. However it has traditionally been involved in building electronic cryptographic equipments and this has meant that it lacks the culture needed to be effective in the computer systems field. Moreover it has never had sufficient staff or financial resources to tackle this area of R&D effectively.
This has led to policy advice to other government departments that has been unrealistic and this in turn has had a damaging impact on the cost and performance of their operational computer systems. MOD has suffered especially badly here.
CESG used to be funded centrally but they have now moved onto a repayment basis in which a significant part of their income has to be obtained from their customers for the services they provide. This should in time bring about a change in culture and may overcome the difficulties that they have had in developing effective policies in the computer systems area.
However CESG remains a part of GCHQ and its primary function in respect of the use of cryptography outside of its control is that of ensuring that it is ineffective for its intended purpose. The CESG interest in respect of preventing information warfare attacks on the UK as a whole, government assets aside, is hence highly suspect.
The Ministry of Defence (MOD) A major MOD responsibility is that of collecting and analysing military intelligence data. The staff involved are highly professional and very careful to ensure that their work does not stray over the boundary into activities not soundly based within the the statutory responsibilities of the MOD. I am obviously biased but I consider them a national asset and not a threat to the privacy of UK citizens. MOD has its own collection assets buts also relies heavily on GCHQ.
The MOD is a major client for GCHQ intelligence data and a major user of secure communications and information systems. As such it is a major client of both GCHQ and CESG. In respect of cryptographic products MOD has been CESG's major customer and has in the past taken as much as 90% of their output.
MOD relies on CESG for the design of cryptographic algorithms and prototype designs but does most of its own development and production work through its Procurement Executive in Bristol. Except for cryptographic algorithms MOD has an independent mandate to undertake its own programme of research and development in respect of communications and information systems security.
In principle MOD does not have to apply CESG rules, or take their advice, but in practice it almost always does, even when it is aware that it is flawed. This is engineered through a careful 'conspiracy' between CESG and GCHQ - if MOD does not accept what CESG tells them to do GCHQ then threatens to cut off MOD's intelligence data feed on the pretext that MOD computer systems are not secure enough to handle it.
The only area of MOD to avoid this 'blackmail' is the MOD Procurement Executive in Bristol which, because it does not need GCHQ intelligence, has been able to implement reasonably effective and reasonably secure computer systems to support its operations.
MOD staff at all levels are well aware that GCHQ advice (and that is what CESG advice is) is wasting large sums of taxpayers money but they don't do anything about it for fear of upsetting GCHQ.
The Defence Evaluation and Research Agency (DERA) DERA is the research arm of the MOD, now running as a semi-autonomous agency reporting direct to the Minister of Defence. Its has a large number of sites in the UK (and some overseas) but information security work is largely concentrated at Malvern in Worcestershire. It is tasked by the MOD to conduct research into information security issues and undertakes work in both offensive and defensive techniques. Until the mid-1980s it was the only government organisation with a significant information security research programme and its work on computer and network security predates that at GCHQ by at least 10 years.
DERA at Malvern (then the Royal Radar Establishment and the Royal Signals and Radar Establishment) was an early participant in ARPANET and a leader of UK research and development in the defence packet switching field. In the 1980s it sought to design and develop secure computer systems for defence use but none of these achieved any significant success. It was more successful in designing packet switching encryption products and these eventually went into MOD service.
In the mid 1980s GCHQ sought to take over and remove the DERA mandate for research in the computer and information security fields. The DERA success in designing a packet switching encryption product before the US almost certainly prompted NSA to encourage GCHQ to make this move in order to retain control over the technology.
After a considerable period of infighting GCHQ succeeded in getting CESG nominated as the 'UK National Authority' for information security but DERA secured an agreement in which they retained a full and unconstrained right to conduct independent R&D in the computer and information security fields.
DERA has undertaken work under contract for GCHQ and CESG in the computer, network and software security fields.
In my biased view DERA remains the most competent organisation within government in the secure computing and networking fields. However it appears to be losing this expertise as defence budget cuts bite into its research programme.
The Department of Trade and Industry (DTI) The DTI's role in cryptography and information security is to manage the industrial and economic aspects of the topic and to co-ordinate the 'public facing' aspects of cryptography and information security policy such as, for example, export licensing. They therefore have the unenviable task of bringing UK government departments together in order to set a coherent UK government policy on cryptography and information security matters.
They represent the UK on the EU bodies dealing with these subjects and also attend activities such as the Wassenaar Arrangement where cryptography controls are agreed.
They used to rely on the National Physical Laboratory and on DERA Malvern for technical expertise but shifted to employing commercial resources in the 1980s. They now have no intramural technical expertise of any magnitude in the field (although some of their staff are individually competent).
The Cabinet Office The Cabinet Office manages the central intelligence machinery and runs a number of committees that have a role in considering cryptography and information security issues. It has a major role in deciding departmental responsibilities where new issues arise or where the departments are unable to agree on how things should be handled. The departmental responsibility for protecting the UK in the face of electronic attack on our information infrastructure is a hot topic at the moment. There is some evidence to suggest that they see the term 'electronic attack' as covering much less than 'information warfare' and, if true, this leaves the issue of the responsibility of protecting the UK in the face of an information warfare attack unresolved.
The Cabinet Office is also responsible for the Central Information Technology Unit:
The Central Information Technology Unit (CITU) CITU is responsible for Information Technology policy and strategy spanning government departments and for the promoting the use of IT in the delivery of government services to the public. They are taking the security and privacy aspects of their tasks seriously.
GCHQ have been trying very hard to interest CITU in their insecurity products but senior CITU staff are very well aware that public trust and GCHQ involvement are mutually exclusive. CITU are relying heavily on industry involvement to obtain an effective strategy for secure service delivery but the extent to which their proposals have been subject to scrutiny by independent security experts is unknown to the author at the moment.
The Central Computer and Telecommunications Agency (CCTA) The CCTA also handles pan-government matters in Information Technology and Telecommunications and provides resources to support those government departments that do not employ their own expert IT staff. Until the early 1990s the CCTA had responsibility for setting policy on the security and privacy protection required for all government information designated as 'sensitive but unclassified' . In outline classified information is information which, if revealed, would damage the UK - this was handled by CESG with CCTA handled the rest. However when they became interested in cryptographic protection in the early 1990s, CESG moved immediately to take over their duties in setting protection policy for this class of information (see the trend here!). Although a number of staff in CCTA were acutely aware of the damage this would do, CCTA was no match for the political power of GCHQ and these responsibilities were eventually transferred. So GCHQ insecurity policies now apply on a pan-government basis!
The Security Services The Security Services are responsible for assessing the threat to the UK in respect of information warfare (and some other) forms of attack. As a part of this they have taken over the sponsorship of CRAMM, an approach to risk analysis. They are also responsible for approving individuals and companies to handle government classified information.
Acknowledgement This summary was first published on the ukcrypto mailing list and I would like to acknowledge the inputs made by Peter Somner and other list members in providing additional aspects included in this version.
Brian Gladman, Worcester, 4th January 1998