case, the “impact” was believed to be imperceptible to the user. The documents
indicated that there had, in recent years, been an increase in the number of
“unexpected incidents”, although the most recent figures showed a reduction.
The increase was attributed to the increase in CNE work and to greater
investigation by GCHQ of incidents involving CNE.
7.26.
Serious allegations have been made about the potential of CNE to create
security vulnerabilities or leave users vulnerable to damage: 2.68(b) above. It is
not for me to determine the truth of such allegations. But it is plain from
everything I have seen that, notwithstanding the technical shortcomings referred
to above, EI, including at scale, is capable of producing useful results.
Internal documents
7.27.
The Review team was given access to a substantial number of quarterly and
annual GCHQ reports, including GCHQ Investment Board minutes and papers
submitted to the Board. In addition, we were shown strategy and business case
documents relating to GCHQ’s present activities and future plans.
7.28.
The difficulties caused to GCHQ’s work in many fields by increasing encryption,
and the need to develop greater CNE capabilities, were recurring (and linked)
themes throughout the reports.
7.29.
Business case documents from 2012 to 2016 have consistently advocated the
need for the further development of EI, including by “CNE scaling”. A series of
documents dating from 2013 and 2014 set out the need for change in the light of
technological advances, and stated that CNE would be expected to play a
greater part, relative to bulk interception, than had previously been the case.
Two papers from 2014 referred to the aim of “shift[ing] GCHQ from a
predominantly passive access organisation to one where active and passive
approaches are in balance and mutually reinforcing”.233 The desirability was
stressed of attaining a clear legal basis for “bulk CNE”, described as “the delivery
of implants to devices not precisely identified in advance, for the purpose of
discovering targets”.
7.30.
233
The annual mission report for the 2015-16 financial year recorded significant
success in GCHQ/MI5 operations designed to protect major private businesses
(including
those
providing
essential
services
such
as
energy,
telecommunications, transport and water) from cyber-attack. CNE was described
in the mission report as being “fundamental” to GCHQ’s work to combat cyber-
Passive access refers to the ability to reach traffic because it flows past an interception point,
generally without the need to actively interfere with the communications or with any user
devices. An active approach interferes with the traffic or with a user device, in particular by
CNE / EI.
108