GCHQ and the NCSC publish the UK Equities Process

Last Updated: 29 Nov 2018
To disclose or not to disclose, that is the question.

News article - 29 November 2018

GCHQ and the National Cyber Security Centre have a proud history of discovering and disclosing security weaknesses in all manner of technologies.

We've discovered vulnerabilities and informed the vendors of every major mobile and desktop platform for over twenty years. This work plays an important role in helping to secure the technology which underpins our economy and the everyday lives of millions of people in the UK and abroad.

However, we do not disclose every vulnerability we find. In some cases, we judge that the UK's national security interests are better served by 'retaining' knowledge of a vulnerability.

The natural question is, 'how do you decide which vulnerabilities to disclose?' This blog introduces the Equities Process, the means by which the UK intelligence community decides how to handle the vulnerabilities we discover.

Weighing the benefits

There are two ways in which we can handle a vulnerability to help protect the UK's national security.

The first is to disclose a vulnerability to the provider, so that it can be fixed and benefit global users of the technology.

The second is to retain knowledge of the vulnerability, so it can be used to gather intelligence and disrupt the activities of those who seek to do the UK harm, including terror groups, serious and organised crime gangs, and malign states.

The decision whether or not to disclose a vulnerability must balance these two courses of action. The decision is never taken lightly, and always involves a rigorous and objective assessment by a panel of world-leading experts from GCHQ, NCSC and the Ministry of Defence.

Default position

When we discover a previously unknown vulnerability, our starting position is to disclose it. We always perform a thorough review so we can understand whether there is an overwhelming national security benefit in retaining it. You can learn more about this process here.

Although the individual decisions to retain must remain secret, we are publishing the principles and processes to provide a clearer understanding of the framework within which decisions on how best to protect UK security are taken.

The Investigatory Powers Commissioner has agreed to provide oversight of how the Equities Process operates in practice, with the aim of providing public reassurance.

No credit needed

The vast majority of cyber-attacks exploit known vulnerabilities, which is why we encourage organisations and citizens to keep their systems patched. Before any vulnerability is made public, we ensure that a fix is available so that everyone can follow best practice by patching it and removing the weakness.

When this happens, the companies involved sometimes publicly credit us, as Microsoft did in the first quarter of 2018, when the NCSC was named as one of the top five bounty hunters.

Nice as it is to be recognised, we aren't here for the publicity. It's our job to make the UK the safest place to live and do business online. Even when (as in the vast majority of cases) no credit is given, these disclosures are an important element of that work.

If you want to learn more, read this blog from NCSC Technical Director Dr Ian Levy.