CSE's Equities Management Framework

Purpose

The Communications Security Establishment’s (CSE) Equities Management Framework (“Framework” hereafter) provides a standardized decision-making process in which CSE experts consider all available information to responsibly manage equities associated with an identified vulnerability in an information system or technology in a way that puts the security interests of Canada and Canadians first.

Background

In support of CSE’s operational mandates, analysts may identify vulnerabilities in information systems or technologies that could increase risk to Canadian networks and information. In some cases, those same vulnerabilities could also be used to gather intelligence that protects Canada and Canadians or to conduct foreign cyber operations critical to Canada’s international affairs, defence or security interests.

This Framework recognizes that protecting information systems and technologies, as well as leveraging unique insights for intelligence gathering, are different but complementary parts of CSE’s mandate. Any retention of vulnerabilities will consider the risk to the security of information systems and technologies relied on by Canadians. The determination of whether to disclose or retain a vulnerability is based exclusively on the objective to best protect the security of Canada and Canadians.

Principles

Assessments conducted under the Framework are objective and guided by the following principles:

• Vulnerabilities discovered by CSE through operational research, or otherwise obtained, will be subject to the process outlined in this Framework.
• Vulnerabilities that are public knowledge will not be subject to an equity assessment under this Framework.
• When a decision is made to disclose a vulnerability, CSE will do so responsibly with impacted vendors to ensure that system owners and operators are able to apply mitigation measures prior to public notification. In select cases, CSE may choose to postpone acting on the disclosure of a vulnerability if an environmental scan assesses an elevated risk to Canada and Canadians if released. Postponed disclosures will resume once the risk is reduced or mitigated.
• Decisions must be linked to CSE’s mandate outlined in the CSE Act.

Decisions to retain individual vulnerabilities shall be reviewed at minimum every twelve (12) months from the date the original equity management decision was approved under the Framework. If significant new information about a vulnerability or mitigation measures becomes available, CSE will reassess the decision at the earliest opportunity.

Assessment process

The Framework clearly defines the roles of those involved in the assessment process.

Technical Panel

The panel, made up of designated experts from the Canadian Centre for Cyber Security (Cyber Centre) and the Signals Intelligence (SIGINT) and Innovative Business Strategy and Research Development (IBSRD) branches:

• brings forward identified vulnerabilities as soon as possible
• performs an expert assessment of identified vulnerabilities for threat, impact and mitigation (identified below)
• documents completed assessments with recommendations provided to the Equities Review Board

Equities Review Board

The board, jointly chaired by two Directors General (DGs), with one representing the Cyber Centre and the other, SIGINT:

• reviews assessments and recommendations from the Technical Panel and, if needed, seeks further clarification
• reaches a consensus decision on the equity or, where a decision cannot be reached, refers the decision to Head or Associate Head of the Cyber Centre and Deputy Chief (DC) SIGINT
• reports regularly to the Head or Associate Head of the Cyber Centre and DC SIGINT on equity decisions made by the Equities Review Board

Membership is comprised of Directors and DGs representing the Cyber Centre, SIGINT, IBSRD, the Royal Canadian Mounted Police (RCMP) and the Canadian Security Intelligence Service (CSIS).

Head or Associate Head of the Cyber Centre and DC SIGINT

• Consider all relevant information and reach consensus decisions on an equity where the Equities Review Board couldn’t
• Refer the decision to the Chief CSE should a case arise where consensus on the equity’s management cannot be reached
• Receive and review regular reporting from the Equities Review Board

Chief of CSE

The Chief reviews equity decisions as presented by the Head or Associate Head of the Cyber Centre and DC SIGINT.

Review

All CSE activities, including equities management decisions made under the Framework, are subject to CSE’s robust system of independent oversight, including the National Security and Intelligence Review Agency (NSIRA) and the National Security and Intelligence Committee of Parliamentarians (NSICOP).

Factors to be considered in an equity assessment

The following factors (at a minimum) will be considered when conducting an equity assessment:

• Whether the vulnerability relates to an information system or technology relied on by the Government of Canada or Canada’s critical infrastructures
• Whether the vulnerability, though not relied upon by the Government of Canada or Canada’s critical infrastructures, is found on information systems or technology in widespread use in Canada
• Whether and which adversaries have the capability to use the vulnerability against Canadian networks
• The level of technical expertise or complexity required to use the vulnerability against Canadian networks
• The severity of damage that could be caused should the vulnerability be successfully exploited by a threat actor
• An assessment of the value derived from retaining the vulnerability to CSE mandated activities in the context of Canada’s national security and prosperity interests
• Whether any other comparable capability is available to CSE that could be employed to achieve the same outcome as expected from using a retained vulnerability
• Whether there are any mitigation measures that would reduce the impact of the vulnerability on the information systems and technology relied on by the Government of Canada, Canada’s critical infrastructures and, to the extent the required information is available, information systems and technology in widespread use in Canada
• An assessment of the private sector entity’s capacity and willingness to responsibly mitigate the identified vulnerability in its products, the extent to which CSE’s assistance may be required to enable this mitigation and CSE’s capacity and authority to do so
• Whether the vulnerability was provided by an allied partner and already assessed under a similar equities process

Definitions

• Vulnerability: A weakness or flaw in the design, implementation, operation or management of an information system or technology that allows an unauthorized user to access the system in a way that impacts confidentiality, integrity or availability of information.
• Protection concerns: Characteristics of the identified vulnerability that place information systems and technology relied on by the Government of Canada and critical infrastructures at risk of compromise by an unauthorized user. The greater the impact of the compromise caused to these systems and networks by the vulnerability, the more significant the protection concerns associated with that vulnerability and the greater the interest CSE has in mitigating the security risks presented by that vulnerability.
• Protection concern mitigation measures: One or more measures used by CSE to reduce concerns associated with retaining a vulnerability for intelligence or other operational purposes. These can include the development of a mitigation capability deployed on information systems and technology of the Government of Canada and of Canada’s critical infrastructures.
• Equity assessment: The determination of the security risk presented by the protection concerns associated with an identified vulnerability, and the intelligence value associated with that vulnerability.
• Environmental scan: CSE’s determination of whether a vendor is able to responsibly act on the disclosure of a vulnerability.