The UK's signals intelligence agency GCHQ is facing calls to reveal whether it had advance notice of the security vulnerability used by hackers last week to spread a cyberattack across NHS systems that led to cancelled operations, diverted ambulances, and major incident protocols being declared.
The attack, named WannaCry, used an exploit first built by the USA's National Security Agency that was leaked online by a hacker group called Shadow Brokers earlier this year. The attack spread automatically once on the NHS network, locking up systems and making their files inaccessible – while demanding a $300 per computer ransom to unlock the systems.
GCHQ, the agency with ultimate responsibility for the UK's cybersecurity, also works with the NSA on hacking software and creating backdoors and other exploits as part of its surveillance mission. As GCHQ and NSA routinely share their tools and methods, this raises the significant possibility that the agency was aware of the vulnerability used to attack the NHS.
In a statement earlier this week, Microsoft levelled the blame at the NSA for losing control of vulnerabilities it had uncovered but kept secret.
"This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem," the company said in a blogpost. "This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world.
"Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen."
Brian Paddick, the former deputy assistant commissioner of the Metropolitan police and the Liberal Democrats' home affairs spokesman, told BuzzFeed News the statement showed GCHQ too had serious questions to answer.
"The allegations by Microsoft that spy agencies are hoarding software vulnerabilities begs the question whether GCHQ were aware of the vulnerability in the NHS’s systems and did nothing about it and whether, thanks to Theresa May and her policies, other public systems are exposed," he said.
"If GCHQ develop malware to exploit weaknesses in operating systems, they should also develop an antidote that can be administered immediately if it gets into the wrong hands."
Jim Killock, the director of the digital rights campaigning group ORG, said the latest attack was a sign GCHQ should be split so it no longer has responsibility for cybersecurity as well as producing attacks.
"US and UK security agencies kept a widespread vulnerability secret rather than telling the companies so they could fix it," he said. "When the US leaked the vulnerability, it seems GCHQ had no plan to deal with the mess.
"GCHQ have a lot of questions to answer about their very dangerous strategy of hoarding knowledge of security problems. The National Cyber Security Centre should be made independent of GCHQ so these risks can be balanced without bias."
BuzzFeed News asked the Home Office and GCHQ whether the agency was aware of the exploit before its public release, whether it took any specific steps to warn the NHS of its potential and whether it saw any tensions between its dual surveillance and cybersecurity roles.
The agency did not address these specific questions, but issued the following statement:
"Vulnerabilities always exist in software. Whoever finds the underlying software defect, it's incumbent on everyone – individual users, enterprises and government departments, the vendors of the software – to work together to mitigate that harm.
"This was a global attack and rates of patching and security preparedness across the world can be improved. The NCSC [National Cyber Security Centre] is working with NHS Digital and other critical sectors to help them prepare for these sort of attacks, and guidance has been available on this and other cyber security issues.
"The NCSC has been working round the clock with numerous partners, including the National Crime Agency, NHS Digital UK and international partners, to respond to this cyber attack."
James Ball is a special correspondent for BuzzFeed News and is based in London.
Contact James Ball at James.Ball@buzzfeed.com.