GCHQ releases teen-friendly code-busting app

A privacy rights org this week lost an appeal [PDF] in a case about the sharing of Bulk Personal Datasets (BPDs) of UK residents by MI5, MI6, and GCHQ with foreign intelligence agencies.

The British agencies have never stated, in public, whether any of them have shared BPDs with foreign intelligence agencies – they have a so-called "neither confirm nor deny" (NCND) policy – but the judgment noted it "proceeds on the assumption that sharing has taken place."

The true position, as noted by Queen's Bench Division president Dame Victoria Sharp in the judgement, was revealed to the defendant in its closed hearings.

Security flaws in Log4j, Microsoft Exchange, and Atlassian's workspace collaboration software were among the bugs most frequently exploited by "malicious cyber actors" in 2021 , according to a joint advisory by the Five Eyes nations' cybersecurity and law enforcement agencies.

It's worth noting that 11 of the 15 flaws on the list were disclosed in 2021, as previous years' lists often found miscreants exploiting the older vulns for which patches had been available for years.

Of course, the US Cybersecurity and Infrastructure Security Agency (CISA) and friends note that malicious cyber actors have not stopped trying to exploit older flaws – but reckon those efforts are happening to a "lesser extent" than in the past.

The director of UK intelligence agency Government Communications Headquarters (GCHQ), Sir Jeremy Fleming, has warned that China is trying to introduce "undemocratic values as the default for vast swathes of future tech and the standards that govern it."

In a speech delivered on Thursday at the Australian National University's National Security College, Fleming said the world is experiencing "generational upheaval" of security architectures.

One sign of that upheaval is China's increasingly strident attempts to shape technology standards.

The UK's National Cyber Security Centre (NCSC) has advised users of Russian technology products to reassess the risks it presents.

In advice that builds on 2017 guidance about technology supply chains that include links to hostile states, NCSC technical director Ian Levy stated that the agency has not found evidence "that the Russian state intends to suborn Russian commercial products and services to cause damage to UK interests."

But he added that "the absence of evidence is not evidence of absence" – so "it would be prudent to plan for the possibility that this could happen."

The British government has launched a £2.6bn National Cyber Strategy, intended to steer the state's thinking on cyber attack, defence and technology for the next three years – and there's some good news if you run a tech company.

Today's strategy document runs between now and 2025. A major piece of political policy, it is big on ambition – and unlike many previous government statements, it sets out specific aims and objectives.

In-amongst the puffery are pledges to invest in technology research – including the use of AI in cybersecurity. The government already spends "millions" with Cambridge-based Darktrace, although the same could be said of governments elsewhere.

The UK's Government Communications Headquarters (GCHQ) boss Sir Jeremy Fleming has outlined a plan to pursue criminal actors who deploy ransomware as well as the state actors that are aware of their efforts.

Speaking remotely to The Cipher Brief Annual Threat Conference on Monday, Fleming discussed the increasing threat of cybercrime – in particular ransomware – and GCHQ's strategy to reduce threats.

"We have to be clear on the red lines and behaviours that we want to see. We've got to go after those links between criminal actors and state actors and impose costs," Fleming argued, in order to make ransomware and other cybercrime less profitable.

Parliamentary criticism of the National Cyber Security Centre's "image over cost" London HQ is being shrugged off by the government because of the GCHQ offshoot's successful response to the WannaCry ransomware outbreak.

George "Eleventy Jobs" Osborne, who at the time of NCSC's establishment in 2016 was the Chancellor of the Exchequer, overrode procurement processes and gave the panicking Cheltenham set at GCHQ their desired Westminster base – and not the grubby Shoreditch "tech hub" the spies feared they'd be dropped into.

Last winter Parliament's Intelligence and Security Committee (ISC) condemned the procurement of NCSC's Nova South HQ, opposite London's Victoria railway station. The Conservative-dominated committee described Osborne's pick of Nova South, which wasn't even on a shortlist prepared by the National Security Adviser (NSA), as "image over cost."

The director of the UK's signals intelligence agency has delivered a speech in which he contemplated power in the digital age, observing that "China's size and technological weight means that it has the potential to control the global operating system," and hinting at an expanded role for the agency he leads as one way to fight back.

GCHQ director Jeremy Fleming on Friday delivered the 2021 Vincent Briscoe Lecture for the Institute for Security, Science and Technology, and opened with an observation that humans love to connect to each other, that digital connectivity continues to become more pervasive and important, and that Britain is "a big animal in the digital world."

Fleming said the UK had evolved into that status thanks to the internet being largely a creation of the West.

Increasing numbers of senior ex-GCHQ people have called for laws preventing businesses using cyber insurance to buy off ransomware attackers – with the money merely perpetuating the criminals' business model.

Yet, even as industry gets used to waking up to find the entire corporate network is scrambled while user endpoints display nothing but ransom demand notes, former government hackers (and cybersecurity folk) are speaking out about the trend for meekly meeting the crooks' demands and moving on.

Ciaran Martin, former chief of the UK's National Cyber Security Centre, made headlines earlier this year after telling Parliament that insurance companies were "funding organised crime" by paying ransoms on behalf of their customers.

The National Cyber Security Centre picked its London HQ building not because it was the best or most cost-efficient location – but because the agency "prioritised image over cost", a Parliamentary committee has said.

NCSC's HQ in the English capital's Nova South development, a glitzy commercial building near Westminster, was procured in breach of GCHQ's own rules on leasing commercial buildings.

Parliament's Intelligence and Security Committee (ISC) said in a report that NCSC "ignored warnings" over the cost and suitability of its new base when it set itself in mandarin-friendly Victoria. Rather than picking "a 'tech hub' such as Shoreditch", as recommended by their own consultants, NCSC's founders threw their teddies out of the pram until they got an HQ in the altogether more refined location of Westminster.