CyberChef is a web app to carry out many cyber operations within a web browser. It has over 300 operations, including basic encoding with Base64, Advanced Encryption Standard (AES) decryption, or changing character encodings. The app can handle many operations at once, making it a quick way to experiment and translate data.
GCHQ made CyberChef open source under the Apache 2.0 licence as part of a push to become a more transparent organisation. The CyberChef code has provided a useful app for the wider industry and 75 open source community contributors have helped with bug fixes, new code contributions and expanded functionality.
As the anonymous app creator explained: “GCHQ has put a lot of effort into increasing transparency, so it makes sense that, where possible, we share apps like CyberChef, so everyone can use it. It helps to demystify what we’re doing a little and build trust.”
Publicly releasing a cyber security app from a world-leading intelligence agency required careful planning and execution - which included getting approvals from GCHQ, assessing the risks of opening the app and its code and agreeing how the app would be maintained and how they would manage contributions from non-GCHQ staff.
The app was created when an analyst began looking for open tools to help automate some data manipulation operations. It was too time consuming to write short scripts for every data transformation they needed such as encoding, encryption and viewing data in different formats. Seeing few open source tools available, they began to develop what would later become known as CyberChef.
After building the app for their own use, the creator began sharing CyberChef with colleagues in GCHQ and other UK agencies and partners.
CyberChef became so well-used that other analysts started asking if the app could be shared more widely with industry, students, businesses, and anyone who wanted to try translating data. So the creator began to explore the possibility of opening CyberChef to the public.
Knowing GCHQ had approved open code before, the app creator began speaking with relevant teams such as the Innovation team and the Legal and Policy team to investigate what approvals were needed.