The Equities Process
Whilst carrying out operational activity, analysts working at GCHQ or elsewhere within Government may identify vulnerabilities in technology. These vulnerabilities may represent a risk to the security of systems in the UK and of our allies. These include Government departments, critical national infrastructure, companies and private citizens. In some cases, the same vulnerabilities might provide a means by which the UK intelligence community could obtain vital intelligence that could be used to protect the UK and its interests. Examples might include disrupting terrorist attacks, identifying those involved in the sexual exploitation of children or protecting the UK from actions taken by malign states.
The Equities Process provides a mechanism through which decisions about disclosure are taken. Expert analysis, based on objective criteria, is undertaken to decide whether such vulnerabilities should be released to allow them to be mitigated or retained so that they can be used for intelligence purposes in the interests of the UK. The starting position is always that disclosing a vulnerability will be in the national interest.
The following entities are involved in the decision-making process:
- The Equities Technical Panel (ETP), made up of a panel of subject matter experts from across the UK Intelligence Community including the NCSC.
- The GCHQ Equity Board (EB), which includes representation from other Government agencies and Departments as required. The Chair of the Equity Board is a senior civil servant with appropriate experience and expertise, usually drawn from the NCSC, and answerable in this role to the Chief Executive Officer (CEO) of the NCSC.
- The Equities Oversight Committee, chaired by the CEO of the NCSC, which ensures the Equities Process is working appropriately and in accordance with specified procedures. This Committee also advises the CEO of the NCSC on equity decisions escalated from the Equity Board.
The decision-making process is summarised in the flow chart in figure one.
The process provides senior oversight, which helps ensure criteria have been applied effectively; novel or contentious issues are escalated appropriately; and recommendations to retain require ratification at a senior level.
To ensure that cyber security considerations are at the centre of this process, there are representatives from the NCSC involved in all stages and a dispute resolution role for the CEO of the NCSC. In exceptional cases, the CEO of the NCSC may decide that further escalation via submissions to Director GCHQ and, if required, the Foreign Secretary should be invoked.
Equity Process Diagram
In all cases when a vulnerability is retained, this decision is regularly reviewed at a period appropriate to the security risk and at least every twelve months. An earlier review can be instigated if significant information comes to light.
In reaching a decision on whether to release or retain a vulnerability, the following broad criteria are considered:
- Possible remediation. Consideration of the possible routes to mitigate the impact of the vulnerability, in particular focusing on whether there is a viable route to release, or whether releasing it would have a negative impact on national security.
- Operational necessity. Consideration of the intelligence value to the UK in retaining the vulnerability, which includes the following questions:
- What operational value can be gained from this capability?
- What are the intelligence opportunities from this capability?
- How reliant are we on this vulnerability to realise intelligence?
- How likely is a disclosure to impact other operational capabilities or partners?
- Defensive risk. An assessment of the impact on security of not releasing the vulnerability in the context of the UK and its allies, including Government departments, critical national infrastructure, companies and private citizens. This includes:
- How likely is it that this vulnerability is/could be discovered by someone else?
- How likely is it that this vulnerability could be exploited by someone else?
- What technology/sector is exposed if left unpatched?
- What is the potential damage if the vulnerability is exploited?
- Without a patch applied to the software are other mitigation opportunities possible such as configuration changes?
The criteria above will be applied to determine whether there is a clear and overriding national security benefit in retaining a vulnerability. These are broad criteria and they are not all relevant in every case. Equally, individual vulnerabilities may give rise to particular considerations which are relevant to the decision. Assessment in relation to a number of these factors is based on standardised criteria and past experience, including applying the use of the Common Vulnerability Scoring System where appropriate.
There are certain limited circumstances where vulnerabilities may not be subject to the Equities Process. These include vulnerabilities that have already been subjected to similar considerations by a partner and shared with us.
A second example, is where the software in question is no longer supported by the vendor: were a vulnerability to be discovered in such software, there would be no route by which it could be patched.
Another circumstance is where a software vendor has made a design choice which is inherently vulnerable, but which they have clearly documented, or alternatively where a system owner has made a similarly vulnerable configuration or architectural choice. These vulnerabilities can be categorised as "vulnerable-by-design", and there is no security benefit in fixing a single vulnerability in inherently vulnerable software.
GCHQ has adopted the ISO 29147 approach to vulnerability disclosure, and as such follows a co-ordinated disclosure approach with affected parties. GCHQ will not publicly disclose a vulnerability prior to a mitigation being made available.
GCHQ recognises that vendors need a reasonable amount of time to mitigate a vulnerability, which will vary based on the exact situation. GCHQ does not define a set time frame in which a fix must be made available and GCHQ will be ready to discuss the circumstances of any particular disclosure with the vendor.
If a vendor is unable or unwilling to resolve a vulnerability, GCHQ may, after discussion with the vendor, choose to share the details appropriately (for example, with service providers and customers) to ensure that appropriate mitigation is provided in relation to the threat to UK interests.