New UK law will criminalise failure to hack on demand

First published by Computer Weekly -

MPs have been given only two weeks to read 1,200 pages of documents which disclose new powers to require technology companies to install secret surveillance capabilities in software, computer equipment or networks.

Computer businesses or IT staff who fail to destroy security on their products or services on demand, or who decline a Home Office order to hack their customers in Britain or overseas by installing or operating government malware, could face bankruptcy or long jail sentences if a new law before parliament goes ahead.

The little-noticed extended powers the government now seeks can secretly compel anyone or any ICT business in the UK to carry out “equipment interference” – government language for hacking – and to make any change demanded to their products or systems to allow encryption or other security protections to be broken, or databases – called “bulk personal datasets” – to be stolen and added to integrated intelligence systems.  

Technology companies face government orders to hack on demand

The new law, if passed unchanged, would mean that no British IT product providing communications – including games, apps and services, as well as supposedly secure software systems – could truthfully and legally be marketed as “secure”.    

Revelations from former US intelligence officer Edward Snowden have shown that Britain’s communications intelligence agency GCHQ and its US counterpart National Security Agency (NSA) have both targeted computer games communications as means of getting to communications networks, as well as seeking both authorised and covert access to major social networks such as Facebook.    

Major international games companies, such as Scottish-based Rockstar Games, maker of Grand Theft Auto, now automatically provide online interplayer communications systems as part of their package. Intelligence agencies in the UK and elsewhere have said they need to have access to these systems so that their targets cannot hide by being players in Grand Theft Auto, World of Warcraft or Second Life.

MPs had only two weeks to read nearly 1,200 pages of new government documents

The new powers are contained in the 258-page Investigatory Powers Bill, which the government plans to rush through Parliament and make law before the end of 2016. The Bill was introduced as a draft in November 2015, and then permitted only a short review and two weeks of “revision” before being re-introduced, one-third longer, at the start of March. At the same time, the government published nearly 1,200 additional pages of accompanying documentation, which MPs were given two weeks to read before deciding how to vote on the bill tomorrow (15 March 2016).

Among documents which had not previously been provided to MPs was an 83-page Equipment interference code of practice, specifying how recipients of notices and warrants are required to respond. The government can require malware to be created, installed or delivered to carry out interception, acquisition or interference with computer equipment and communications or to acquire data.

The only change made to the proposals after criticism has been to a section on technical capability notices requiring “relevant operators” to remove “electronic protection”, or encryption. Section 217 of the bill now specifies that operators would normally be required only to break encryption they had applied themselves, not to attack, and potentially cryptanalyse, encryption applied by others. But other powers can still require them to subvert third-party security systems, such as by installing equipment to enable man-in-the-middle attacks.

Fake software updates may be used to create backdoors for surveillance

When warrants are issued, the code of practice may require companies to push malware code to a device by means of fake updates, or even to use malware sent to one device to infect other devices. Definitions have been expanded to include cloud-based services. Clause 215 of the proposed bill also allows GCHQ and SIS (MI6) to plan and control hacking attacks inside the UK.

Warrants for equipment interference or hacking can be “targeted” or “bulk”, meaning the government can order a malware attack on all the users of a product that provides any type of telecommunications service using “data”, even though they acknowledge that the vast majority of people using the services are of “no security or intelligence interest”. These include “signals serving either for the impartation of anything between persons, between a person and a thing, or between things”, according to the official Home Office definition published at the start of March.  

Universities, schools and businesses can be served with hacking notices

Under the new law, the range of companies and people who can be served with notices has been enlarged from public telecommunications service providers to anyone or any business which provides any type of communications services as a “telecommunications operator”.  

The new definition now includes universities and schools, Wi-Fi service operators, or app developers whose app includes a communications service that customers could use. Nothing is excluded. Previously, such notices could only be served on well-known public telecommunications operators, such as BT, Virgin and mobile phone companies.

The notices can also require companies to create and install a “permanent capability” for unsupervised and remotely controlled government interference and interception, provided they have more than 10,000 customers.

Employees face five years in jail if they reveal existence of surveillance notices

Both warranted and unwarranted illegal activity overseas can be enforced and directed by serving “national security notices” or “technical capability notices” on companies or individuals. There is no requirement that the person concerned own or control the business whose products are required to be tampered with.

According to the codes of practice Parliament is being asked to approve, “any person to whom a technical capability notice is given, or any person employed or engaged for the purposes of that person’s business, is under a duty not to disclose the existence and contents of that notice to any person”. Managers or directors of their company are not excluded. The maximum penalty for revealing to anyone that a notice has been served or its contents without the permission of the secretary of state is five years’ imprisonment.

Government has powers to require startups to install backdoors in their systems

The notices will also be able to be served on startups, requiring them to build government hacking or interception systems from the start. The government acknowledges that a reason for secrecy about the notices is because to reveal what is required may “harm the commercial interests of companies acting under a notice”.

The vulnerability of key IT personnel in Britain and overseas to official hacking has been highlighted in a stream of disclosures since 2004 about attacks on communications infrastructure.  

Vodafone suicide linked to hacking by the NSA

Vodafone systems administrator Kostas Tsalikidis was found hanged in Athens in 2005 two days after massive inserted code had been discovered in the network he had managed, causing the phone calls of key Greek ministers and others to be redirected to interception sites near to the US Embassy in Athens. The operation was later linked to US National Security Agency alterations to their networks initially carried out for claimed security reasons at the time of the Athens Olympics.

Major European targets of GCHQ operations exposed by Edward Snowden include attacks on satellite communications service companies in Germany, the major Belgian telecommunications company Belgacom, and a SIM provider in the Netherlands. In each case, staff in the companies were ruthlessly targeted for malware attacks. In each case, the company and staff were not the actual targets.

More than 60 UK companies have been hacked by NSA

An estimated 60 British computer networks and data companies have also been deliberately hacked and infected with malicious computer software, according to documents provided by former NSA analyst Edward Snowden.

IP addresses listed in the documents suggest that, using a malware tool called “Validator”, NSA hackers may have secretly sabotaged British and international networks run by prominent computer companies, including Sky Broadband, UK2group, Areti Internet, and Alentus UK, among others. Once Validator programs are “implanted” on target computers, they automatically hide their activities and prepare re-infection mechanisms to provide permanent access.

One of the codenames used to designate the attack of a UK user of Sky Broadband, Ballonknot, is American slang for the anus.

Mobile phones targeted for hacking

According to government papers published with the new bill, equipment interference “allows the security and intelligence agencies, law enforcement and the armed forces to interfere with electronic equipment such as computers and smartphones to obtain data, such as communications, from a device”. It “encompasses a wide range of activity from remote access to computers to downloading covertly the contents of a mobile phone”.

Warrants for bulk or targeted equipment interference will be required to be approved by a judicial commissioner, who is required to check that the issuing secretary of state has followed correct principles in the few minutes they will have had to read an application. In the cases of bulk warrants, no specific target will be specified.

Questions still remain unanswered

The Internet Service Providers Association has expressed concern about the speed with which the bill is being pushed through and says “there are still questions to be answered”.

In February 2016, the parliamentary review committee on the bill asked that the government define “national security” to provide clarity to the circumstances in which these warrants can be issued and orders given to companies and their staff.

The government did not accept this recommendation, and stated: “It has been the policy of successive governments not to define national security in statute. Threats to national security are constantly evolving and difficult to predict, and it is vital that legislation should not constrain the ability of the security and intelligence agencies to protect the UK from new and emerging threats.”   

New law offers no legal safeguards for technology company employees

The new law provides no safeguards for companies or IT staff who may be asked to take part in hacking, even if it is illegal overseas in the countries where they may be ordered to plant or help plant malware.

Companies or directors ordered to comply with a national security notice or similar order do not automatically incur criminal penalties for failure to carry out the orders, provided they do not reveal the details. But the law allows the government to take them to court, where they would then face unlimited sanctions for contempt.

Keeping TABs – the surveillance watchdog that never meets

Employees or companies who raise concerns will, however, be allowed to report to the government-appointed commissioner, or to appeal to the Home Office’s special “independent” Technical Advisory Board (TAB) set up by the government 15 years ago to allow telecommunications companies to challenge what they were asked to do to permit and maintain interception capabilities. TAB would continue in its present form under the new law.

TAB consists of six un-named representatives from intercepting agencies, and six staff members from companies doing interception for the government. The board’s largest ever expenditure, in 2014, was £15,000 to headhunt a replacement chairman, with a £400-a-day salary. The search found Jonathan Hoyle, formerly a GCHQ director, and now the European manager of US company Lockheed Martin, which sells bulk internet interception equipment to GCHQ.

According to its published annual reports, TAB has never met once in the past 15 years “to perform its advisory function”. Its role was reviewed and nearly abolished in 2012 under the previous coalition government as an unwanted “quango”, or non-departmental public body. 

The Home Office defended it on the grounds that it cost the public almost nothing, except paying the chairman £400 for a day to hold an annual meeting to announce that: 

“As in previous years, there have been no issues referred to the board during the year. This is due to the continuing skills of the Home Office and the intercepting agencies in their negotiations with the industry and the acceptance by the industry of the legitimate role that interception plays in safeguarding the nation.”

Duncan Campbell writing from Berlin. This is the first in a series of articles by investigative journalist Duncan Campbell on the Draft Investigatory Powers Bill.