The UK’s surveillance watchdog is investigating potential security risks for highly classified intelligence records amid GCHQ disclosures that about 100 external IT contractors have privileged, systems administrator access to its most sensitive data.

GCHQ has previously denied in court hearings that external contractors from companies that supply software and computer equipment have administrator rights to live computer systems holding some of the most sensitive data gathered through electronic interception of people’s internet and phone activity.

But Computer Weekly has learned that GCHQ has submitted new evidence to a hearing in the UK’s most secretive court revealing that about 100 IT industry contractors have “privileged user” access to the surveillance agency’s live computer systems following a policy change “a few years ago”.

The Investigatory Powers Commissioner’s Office (IPCO), the UK’s overseer of surveillance laws governing the intelligence services and law enforcement, told Computer Weekly it was taking seriously claims that contractors could misuse their trusted status to access databases containing intercepted telephone, internet and email records of individuals, or other highly sensitive intelligence records.

“We recognise the importance of the need for reviewing the security arrangements for contractors which may have access to sensitive data, particularly given the recent leaks by contractors in other countries. We began work last year, and it’s going to be a focus for our inspection activity in 2018,” said an IPCO spokesman.

Privacy International, a non-government organisation (NGO) and campaigning group, is expected to argue in the UK’s most secret court today that contractors with privileged access to intelligence service computer systems pose a clear risk to sensitive data gathered by GCHQ and the intelligence services.

For example, Edward Snowden used his systems administrator rights as an external contractor to the US National Security Agency (NSA) to download “Top Secret Strap” documents from GCHQ.

In another case, a contractor working for the NSA reportedly leaked hacking tools to the Russian antivirus software company Kaspersky Lab. The contractor claimed to have taken NSA software home to work on, on his personal computer. Kaspersky’s software identified malware attributed to the “Equation Group”, the code name for the security agency’s hacking team.

A senior witness from GCHQ will face cross-examination from Privacy International’s lawyers this afternoon.

GCHQ uses contractors from the IT industry to test and maintain the computer systems and software they have played a role in developing, and therefore have an intimate knowledge of the way the agency’s systems work.

This poses particular security risks, according to Gus Hosein, an executive director of Privacy International, and a specialist in information security.

“Given the numbers of people with similar access worldwide, it would be surprising if some had not misused their access for selfish purposes,” he said in evidence presented to the Investigatory Powers Tribunal (IPT).

GCHQ’s U-turn

GCHQ’s U-turn came when a senior director responsible for mission policy gave written evidence to the IPT during a three-day court challenge by Privacy International in October 2017. The anonymous witness claimed that IT contractors may have systems administrator rights during the design, build and testing phase of a project, but that once it was complete those rights were passed to members of GCHQ staff.

In late November, after the legal hearing had finished, the director submitted a new witness statement retracting the original evidence. “Following a change in policy introduced a few years ago, there are contractors within GCHQ who are administrators of operational systems. This is because much of the hardware and software from these systems is provided by industry partners, and they are therefore best placed to support those systems,” the director said.

The intelligence service’s evidence on the effectiveness of the independent oversight of its work with industry partners, which include software companies and universities, has also been called into question. One of its most important partners is the University of Bristol, where researchers were given access to GCHQ’s entire datasets, covering people’s internet use, telephone call data and websites they visited.

GCHQ’s deputy director of mission policy said, in written evidence to the IPT in June 2017, that the commissioners responsible for scrutinising GCHQ had “been briefed in general terms about GCHQ’s use of industry” during the course of their inspections at the intelligence organisation. But in a letter to the court in September 2017, the investigatory powers commissioner confirmed that sharing of bulk personal datasets “with industry partners” was not audited, nor were there records of any inspection visits.

Until Privacy International’s legal action, commissioners were unaware that GCHQ was sharing data with industry partners. IPCO has since ordered inspections of the practice.

The intelligence community’s growing reliance on contractors

GCHQ, MI5 and MI6 have become increasingly reliant on external contractors over the past decade. Between 2011 and 2016 their combined spending on consultants and contractors grew from 20% of the overall intelligence agency budget to 30%.

The Cheltenham-based agency is expanding rapidly and, according to the latest figures available, in 2016/16 was spending £70m a year on contractors to fill staff vacancies. IT contractors played a significant role. “It gives us a reach into technology…and innovation that we couldn’t develop in-house, but also gives us flexibility so we can go up and down on headcount if we need to during the year,” GCHQ told Parliament’s Intelligence and Security Committee.

Analysis by this committee in 2015/16 showed that the intelligence services had hired more than 1,000 external contractors through one classified managed services contract alone. The contract added 10% to the number of people working for the security agencies.

The cost of contractors was, on average, double that of internal employees.

MI5 hired the majority of its hourly rated contractors, some 470 personnel, through this contract at a cost of £63m, an average of £134,000 per person.

GCHQ hired 494 contractors at a cost of £71m, an average of £144,000 per person.

SIS (MI6) hired 279 contractors at a cost of £40m, an average of £143,000 per person.

Source: Intelligence and Security Committee of Parliament Annual Report 2016-2017

GCHQ’s sudden reversal in its evidence has drawn criticism from Privacy International. Solicitor Millie Graham Wood told Computer Weekly it was alarming that a senior director at GCHQ appeared to be unaware that the agency had outsourced access to computers containing highly sensitive data to external contractors.

If GCHQ is giving misleading information to a court of law, it must raise questions about whether the agency is giving accurate information to the regulator, IPCO.

“This case is all about safeguards of highly sensitive bulk data. The main witness for GCHQ did not give accurate information to courts. Our contention is the regulators are not being given the correct information. How can they conduct their role as an oversight body without the right information?”

The perks of privilege

GCHQ has two types of systems administrators, known as privileged users, who have the rights to bypass some or all of the controls that govern the access and activity of normal users.

Privileged user function administrators are like traditional systems administrators, and have rights to install software, manage log files, fix problems for users and manage loads on servers.

Privileged user data administrators have routine access to data, including human resources, finance, legal and commercial data, and exceptionally sensitive data known as ECI, or exceptionally controlled (or compartmentalised) information. They have to comply with tighter security procedures.

Lines of command

In evidence presented in court, GCHQ’s deputy director of mission policy focused almost exclusively on the security of the command line interface (CLI), which privileged user function administrators use to manage operational IT systems, as a secure line of defence against misuse of GCHQ’s Bulk Personal Datasets and Bulk Communications Datasets.

The likelihood of a contractor with access rights going into the system, downloading relevant data and then covering their tracks was low, the director said in a witness statement, submitted prior to today’s hearing. “There is system monitoring and auditing for malicious behaviour at the command line level.”

But security experts consulted by Computer Weekly have concluded that GCHQ’s arguments over the command line interface, on the face of it, are not entirely convincing (see “True or false” box below).

Ross Anderson, professor of security engineering at the Computer Laboratory at Cambridge University, said systems administrators with privileged function status could, in principle, use their authority to subvert GCHQ’s controls.

“The guys at the functional level are technical sysadmins who install software on GCHQ’s machines. These are the people who could put on tools that could enable them to snoop stuff, harvest stuff and so on, and that is, after all, what Snowden did,” Anderson told Computer Weekly.

GCHQ focuses its analysis of communications data, collected under Section 94 of the Telecommunications Act, on foreign nationals, while the security service is more focused on analysis of UK data. Last year MI5 made over 27,700 applications to access data, which might include phone, email, internet browsing, and location data held in huge databases, known as Bulk Communications Datasets (BCD).