The Sunday Times reported this weekend:
GCHQ was aware that a British IT expert who stopped a cyber-attack against the NHS was under investigation by the FBI before he travelled to America and was arrested for alleged cyber-offences, The Sunday Times can reveal.
Officials at the intelligence agency knew that Marcus Hutchins, from Devon, who was hailed as a hero for helping the NHS, would be walking into a trap when he flew to the US in July for a cyber-conference.
Malware researcher Hutchins was arrested as he attempted to fly home to the UK, following the DEF CON conference in Las Vegas. He has pleaded not guilty to charges related to the Kronos banking malware, and is currently stuck in the United States awaiting trial.
It’s ironic that GCHQ knew about the US intelligence agency’s interest in Hutchins, as just a few months ago it was widely reported that he was actually helping GCHQ’s National Cyber Security Centre to combat further attacks.
Should we be stunned that GCHQ didn’t tip Hutchins (aka MalwareTech) off that the FBI considered a person of considerable interest? No, of course not. I wouldn’t expect them to act any differently.
Anyone familiar with the cases of Gary McKinnon and Lauri Love will know that the United States has had faced enormous difficulty extraditing suspected hackers from the UK in the past.
Recent history has proven that attempts to extradite suspected malicious hackers from the UK are not guaranteed to succeed, and can go on for years.
With that in mind, it may be no wonder that the FBI chose to wait until Hutchins was on American soil before arresting him.
All of which raises the question of – why did they allow him to spend a week attending security conferences in Las Vegas?
Was it because, out of the goodness of their heart, the FBI felt Marcus Hutchins deserved some party time?
Or was it because they thought it sensible to wait until most of the information security/hacking community had left Las Vegas before apprehending someone many consider a hero?
One thing is clear. The US authorities saved themselves an awful lot of paperwork and legal expense arresting their suspect on their own soil rather than trying to extradite him from the UK.
…and GCHQ's ideal is to be able to say "we complied fully with the law" while finding (indeed generating via complacent and malleable politicians) loopholes to enable them to do exactly what they want. Law is, for GCHQ, an irritating challenge to be circumvented. GCHQ have only done what their US masters require.
@IanH
It's not necessary that the US be GCHQ's "master" for these events to be accurate. Having been told that the FBI intended to nick him, they *obviously* couldn't tip him off, for reasons that a couple of seconds' thought will make obvious.
That's true – you're right
Then again, they would not have tipped off GCHQ unless they could trust GCHQ to do what was convenient for the US rather than what would have been just for an untried British citizen not afforded due UK-US extradition proceedings, farcically asymmetric as these are when it comes to protection of UK citizens.
US masters.
Or maybe the FBI thought Hutchins would be tempted to get into some cyber related mischieves or otherwise, to help their case.