We have recently shared the United Kingdom’s methodology for addressing vulnerabilities discovered in various technological systems.
To clarify, the UK intelligence community, including the National Cyber Security Centre (NCSC), conducts vulnerability research aimed at identifying security flaws across a range of technologies, from commonly used devices to highly specialized equipment.
Upon identifying a security vulnerability, we must determine the appropriate course of action. Our standard approach involves notifying the vendor to address the issue; however, there are instances where, after careful consideration of the implications, we may choose to keep the vulnerability confidential to develop intelligence capabilities.
This approach is termed the ‘Equities Process.’ While ‘equity’ usually pertains to ownership, in this context, it refers to assessing the risks and benefits equitably, balancing the intelligence needs of the UK with the cybersecurity requirements of the nation.
We have aimed to simplify the explanation of this process, emphasizing that our primary position favors disclosure. There must be compelling reasons to refrain from disclosing a vulnerability—either due to an overriding intelligence necessity or because disclosure may compromise the security of users of the affected product. Our team includes some of the best technical experts who are involved in daily decision-making, and external advisors are available to the Equity Technical Panel and Equity Board for independent technical insights when required.
Additionally, we have sought oversight from the Investigatory Powers Commissioner’s Office (IPCO), which supervises the statutory powers utilized by GCHQ, to ensure that our process is implemented correctly and maintains high standards.
Critics may argue that such a process is unnecessary and that all vulnerabilities should be disclosed. However, I believe this perspective is overly simplistic, and separating the NCSC from GCHQ would not eliminate the need for vulnerability research within the intelligence community. In fact, being part of this structure allows us to identify and influence how vulnerabilities are managed, thereby enhancing the overall security posture of the UK.
The UK equities process is structured to prioritize disclosure at every phase. Nevertheless, revealing a vulnerability does not fundamentally alter the security status of an insecure product. In certain situations, we may use the discovery of a vulnerability to initiate a more in-depth dialogue with the company concerned, aiming to improve the overall security of its product. The Equity Technical Panel and the Equity Board, both chaired by NCSC officials, must be persuaded, in every instance, that retaining a vulnerability is justified. Cases may be escalated to the CEO of the NCSC, Ciaran Martin, for additional evaluation, where I provide insight regarding the technical implications. We take these responsibilities very seriously. This process is intricate and often nuanced, depending on specialized judgment regarding detailed technical matters, a characteristic that extends across our operations. We embrace our expertise in these fields.
It is my hope that the details shared today provide reassurance to the public that we are dedicated to safeguarding the UK, especially in areas where vulnerabilities occur.
Dr. Ian Levy
Technical Director, National Cyber Security Centre
This article was taken from ncsc.gov.uk: https://www.ncsc.gov.uk/blog-post/equities-process