back to article Cyber arm of UK spy agency left without PGP for four months

UK spy agency GCHQ’s cyber security arm, CESG, was left without PGP encryption for more than four months, according to a government report. This "prevent[ed] direct electronic receipt of evaluation reports", it emerged in the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board (PDF) annual report. “Internal …

  1. Lee D Silver badge

    Surely, if we have people smart enough to analyse the source code and tell us whether its safe, we could just have written that software ourselves, no?

    1. Anonymous Coward
      Anonymous Coward

      To quote the internet - 'Ain't nobody got time for that'

      It's a nice thing to going and roll your own all the time but it takes time, in this case it's much quicker and easier for a competent developer to read over source code and figure out how it works than write it, bug check it, system test, acceptance test, merge and then release (before then having to patch it because you missed something).

      Though, yes if you do have the time and money then by all means roll your own (but remember Rome was neither built in a single day nor by a single pair of hands).

  2. Nick Kew Silver badge

    Source

    Is it uniquely Huawei whose kit they are using without source? Or might they also use other Usual Suspects like Apple, MS, Samsung, etc on the same basis?

    The mind boggles about being "without PGP". I expect individuals continued to use it, just not in their auditable Processes.

    1. Chris Miller

      Re: "without PGP"

      Yes. I'm probably just missing something obvious, but I can see how you can mess up PGP (accidentally deleting your private key, for example), but not why it would take 4.5 months to correct the error.

      1. Yet Another Anonymous coward Silver badge

        Re: "without PGP"

        They obviously they all use the same private key, which is kept secret - only the boss's secretary knows the combination and she was visiting her sister in Moscow

    2. Smooth Newt
      WTF?

      Re: Source

      Is it uniquely Huawei whose kit they are using without source? Or might they also use other Usual Suspects like Apple, MS, Samsung, etc on the same basis?

      Which makes one seriously wonder why they bother with this HCSEC nonsense? Why don't they just buy critical networking kit from strategic allies like the US?

      After all, virtually every personal computer in the country runs closed source operating systems produced by American corporations and even our nuclear warheads are mounted on American missiles. Buying American network kit for critical national infrastructure wouldn't make us any more vulnerable than we are now. Is Huawei kit really so much cheaper/better than Western stuff?

      1. Anonymous Coward
        Anonymous Coward

        Re: Source

        "Why don't they just buy critical kit from strategic allies like the US?"

        Because allies are not friends. Do not put all your eggs in one basket.

        1. Smooth Newt
          Happy

          Re: Source

          "Why don't they just buy critical kit from strategic allies like the US?"

          Because allies are not friends. Do not put all your eggs in one basket.

          I don't think the "eggs in one basket" analogy works here. The proper analogy is about how many people have "keys to the kingdom". Minimising the number of people who can potentially damage your infrastructure is surely the good thing to do, not maximising it.

      2. AmenFromMars
        Joke

        Re: Source

        If they're looking for the Huawei source code why don't they just ask Cisco for it?

      3. Anonymous Coward
        Anonymous Coward

        Re: Source

        >Which makes one seriously wonder why they bother with this HCSEC nonsense? Why don't they just buy >critical networking kit from strategic allies like the US?

        Because that wouldnt be backdoored at all eh?

  3. Anonymous Coward
    Anonymous Coward

    Yes Minister rules yet again.

    “Internal processes were updated to ensure this issue does not recur,” said the report.

    It's one of Sir Humphrey's 5 standard excuses that work in all circumstances!

    "Even for wars?"

    "Small wars, yes".

    1. Martin Summers Silver badge

      Re: Yes Minister rules yet again.

      Currently binge watching Yes Minister, never realised just how good it was. It's a paradox whether to laugh at it as you know just how near the mark it probably is even today or be frightened and pissed at how near the mark it probably is even today.

      I'm also geeking out at the moment as I'm right next to GCHQ Bude and have an excuse to mention it.

  4. Anonymous Coward
    Anonymous Coward

    Hmmm, where did they buy it from

    Doesn't Symantec own PGP now? Could they not issue a PO to the yellow & black?

    1. Anonymous Coward
      Anonymous Coward

      Re: Hmmm, where did they buy it from

      Issue a PO in only 4.5 months? Doesn't sound very likely to me.

  5. Philip Hands

    GPG? on Debian say?

    If one were paying attention at all to these matters (and I think they do so in parts of GCHQ), you'd know that things like Debian come with full source, and that includes GPG which can deal with OpenPGP messages just as well as PGP.

    I guess that sort of special knowledge is only shared on a need to know basis (or perhaps it took whoever it was who failed to get the licenses paid for four months to pluck up the courage to ask anyone what they could do about it).

  6. Jamie Jones Silver badge

    Out of interest...

    In cases where source code is audited, does this mean that the government etc. deploy all the hardware themselves, with firmware compiled by themselves with the original audited source code, where the entire build and tool chain has also been audited?

    1. Yet Another Anonymous coward Silver badge

      Re: Out of interest...

      No need, as long as the contract says "source code is available" you are covered.

      It's like backups, so long as they are in the requirements you don't need to check them, test recovery or even perform them

  7. Anonymous Coward
    Anonymous Coward

    Without PGP....for what?

    Without PGP for hacking into messages from PRIVATE CITIZENS?

    Or for internal messaging?

    I think we should be told.

  8. cantankerous swineherd

    “The incomplete delivery of source code obviously means that HCSEC cannot provide assurance or risk management artefacts for the additional code.

    "While this is a matter of significant concern, the [National Cyber Security Centre] does not believe this process is in any way malicious, but is based solely on Huawei supplying source code for the features procured and used by UK operators."

    these people are simpletons.

  9. B0rg

    I don't geddit. We suspect the Chinese are spying on us because they are heavily embedded in our infrastructure, so instead of ditching them we just ask for reassurance that they're not spying on us?

    http://news.sky.com/story/gchq-to-monitor-huawei-amid-cyber-spying-fears-10424292

    Yes minister; the Chinese were doing such a good job of spying on our population already we asked if we could be let in on the intel too. It's much cheaper than re-inventing the wheel and compromising the networks ourselves!

  10. Severus

    Ever heard of the precautionary principle?

    Of course the Chinese are spying on us, they are our enemies! Why don't GCHQ start with the precautionary principle? The principle implies that there is a social responsibility to protect the public from exposure to harm, when there is insufficient evidence to show that something is safe. These protections can be relaxed only if further scientific findings emerge that provide sound evidence that no harm will result.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019