Today, we’ve published the UK’s process for how we handle vulnerabilities that we find in various bits of technology.
We should be clear what we’re talking about here. The UK intelligence community (including the NCSC) do vulnerability research - effectively looking for security problems in all sorts of technology, from commodity stuff we all use through to very specialised kit used only in a few places.
When we find a security problem, we need to decide what to do. Our default is to tell the vendor and have them fix it, but sometimes - after weighing up the implications - we decide to keep the fact of the vulnerability secret and develop intelligence capabilities with it.
Our process is called the 'Equities Process'. 'Equity' can mean something about ownership, but here we're using it in the equitable sense - the risks and benefits to both the UK's intelligence requirements and the cyber security of the UK must be considered fairly.
We’ve tried to make the description of the process as simple as possible to show the important characteristics. We say our default position is to disclose the problem and there has to be a very good reason not to - either an overriding intelligence case or the fact that disclosing could reduce the security of people who use the product - and we really do mean it. From an NCSC point of view, some of our best technical folk are involved in the day-to-day decision making and a couple of us not involved in the day-to-day process are available to the Equity Technical Panel and the Equity Board to provide senior, independent technical advice if necessary.
We've also asked the Investigatory Powers Commissioner's Office (IPCO), which oversees the use of statutory powers by GCHQ, to provide oversight of the Equities Process, to make sure we're running it properly. We think that provides world-class assurance around this bit of our work.
Some people will say that we don’t need this process and that we should just disclose everything. In my opinion, that’s naïve - and I don’t think it’s got much to do with the NCSC being part of GCHQ and the wider UK intelligence community. If we were separate, the rest of the community would still do vulnerability research and we would be much less likely to see those vulnerabilities and have a voice in how they’re handled, so the UK would likely be at greater security risk. But the NCSC is integral to the process and our job is to minimize the harm that cyber attacks can cause to the UK, and to also make the UK the safest place to live and do business online.
The UK Equities Process is designed to prefer disclosure at every step. However, disclosing a vulnerability won't materially change the security of a fundamentally insecure product. So, sometimes we use the vulnerability discovery to start a more strategic conversation with the company involved, to help them raise the overall security of the product. The Equity Technical Panel and the Equity Board are both chaired by NCSC people and in every single case where we wish to retain a vulnerability, both those chairs have to be convinced. Some cases are escalated from the Equity Board to the CEO of the NCSC, Ciaran Martin. He has to be convinced of the case, and I have to give him a view on the technical ramifications. We all take those responsibilities seriously. This process is complex and sometimes quite nuanced, relying on expert judgement around very detailed technical issues. That's true across the range of our work, not just this process, and I make no apology for it - we're proudly expert.
I hope the detail we’ve published today helps reassure people that we’re doing our best in protecting the UK, including where vulnerabilities are found.