Background
The Communications Security Establishment’s (CSE) Equities Management Framework is a standardized decision-making process that CSE follows when we identify information technology vulnerabilities. The framework helps CSE manage discovered vulnerabilities in a responsible way that always puts the safety and security of Canada and Canadians first.
A vulnerability is a weakness or flaw in the design, implementation, operation or management of an information technology system, device or service that could allow an unauthorized user to gain access. CSE’s mandate requires us to conduct vulnerability research and, as part of this work, our default position is to take the time to carefully assess any newly discovered vulnerability before deciding what to do with it.
In most cases, this means disclosing the information to the relevant vendor so fixes can be developed. But, in some cases, our assessment may determine that the best option is to retain a certain vulnerability if it provides a unique opportunity to gather critical foreign intelligence that can protect Canada and Canadians.
Balancing the risks in decisions around a new vulnerability is often referred to as “managing equities”. The CSE Equities Management Framework provides a sense of how these decisions are made.
The Assessment Process
The objective of CSE’s Equities Management Framework is to guide decision making in a manner that best protects the safety and security of Canada and Canadians. This framework sets out the process that CSE must use to assess a vulnerability in order to decide whether to disclose or retain it.
Managing equities is complex but important, and CSE is uniquely well placed to lead that process. Despite the importance of our foreign intelligence mission, our equities management process favours disclosure except in those cases where there is a very good justification not to disclose and relevant mitigations have been discussed.
Our experts in the Canadian Centre for Cyber Security are accountable for protecting the information systems and technology that Canadians rely on. Every day, we provide advice and guidance to keep Canadians secure online, such as our Top 10 IT Security Actions, which include the recommendation to patch operating systems and applications regularly.
Releasing vulnerabilities
Before releasing information about a vulnerability, the Cyber Centre works closely with vendors of information systems and communications technology to ensure that a fix is available. Although CSE does not request recognition, vendors sometimes publicly credit CSE, as McAfee did in May 2018, as well as Microsoft in November 2018.
Review of Decisions
Decisions to retain a specific vulnerability for intelligence purposes must be time limited. While shorter review windows may be established, every retention decision is revisited no later than 12 months from the decision date. If at any time new information about a vulnerability or the related mitigation measures becomes available, CSE will reassess the equity management decision at the earliest opportunity.
Transparency, Review and Reporting
Decisions made by CSE under this framework are subject to review by the Office of the CSE Commissioner as well as the National Security and Intelligence Committee of Parliamentarians.
Bill C-59 and the proposed CSE Act
If the proposed Bill C-59 and CSE Act are passed by Parliament, CSE will make any necessary changes to the Equities Management Framework to reflect new authorities or review by the proposed National Security and Intelligence Review Agency (NSIRA).
Read CSE’s Equities Management Framework.