The Communications Security Establishment’s (CSE) Equities Management Framework (“Framework” hereafter) provides a standardized decision-making process in which CSE experts consider all available information to responsibly manage equities associated with an identified vulnerability in an information system or technology in a way that puts the security interests of Canada and Canadians first.
In support of CSE’s operational mandates, analysts may identify vulnerabilities in information systems or technologies that could increase risk to Canadian networks and information. In some cases, those same vulnerabilities could also be used to gather intelligence that protects Canada and Canadians.
This Framework recognizes that protecting information systems and technologies, as well as leveraging unique insights for intelligence gathering, are different but complementary parts of CSE’s mandate. Any retention of vulnerabilities will take into account the risk to the security of information systems and technologies relied on by Canadians. The determination of whether to disclose or retain a vulnerability is based exclusively on the objective to best protect the security of Canada and Canadians.
Assessments conducted under the Framework are objective and guided by the following principles:
- Vulnerabilities discovered by CSE through operational research, or otherwise obtained, will be subject to the process outlined in this Framework.
- Vulnerabilities that are public knowledge will not be subject to an equity assessment under this Framework.
- When a decision is made to disclose a vulnerability, CSE will do so responsibly with impacted vendors to ensure that system owners and operators are able to apply mitigation measures prior to public notification.
- Vulnerabilities retained must be linked to the highest-priority intelligence requirements of the Government of Canada.
- Vulnerabilities unique to information systems and technology used exclusively by a foreign entity are not subject to this Equities Management Framework as they present no risk to Canada or Canadians.
Decisions to retain individual vulnerabilities shall be reviewed at minimum every twelve (12) months from the date the original equity management decision was approved under the Framework. If significant new information about a vulnerability or mitigation measures becomes available, CSE will reassess the decision at the earliest opportunity.
The Assessment Process
Technical Panel, designated experts from the Canadian Centre for Cyber Security (CCCS) and Signals Intelligence (SIGINT) branches
- Brings forward identified vulnerabilities as soon as possible.
- Performs an expert assessment of identified vulnerabilities for threat, impact and mitigation (identified below).
- Documents completed assessments with recommendations provided to the Equities Review Board.
Equities Review Board, jointly chaired by Directors Generals (DGs) from CCCS and SIGINT
- Reviews assessments and recommendations from the Technical Panel and, if needed, seeks further clarification.
- Reaches a consensus decision on the equity or, where a decision cannot be reached, refers the decision to Head CCCS and Deputy Chief (DC) SIGINT.
- Reports regularly to Head CCCS and DC SIGINT on equity decisions made by the Equities Review Board.
Head CCCS and DC SIGINT
- Consider all relevant information and reach consensus decisions on an equity where the Equities Review Board was unable.
- Should a case arise where consensus on the equity’s management cannot be reached, refer the decision to the Chief CSE.
- Receive and review regular reporting from the Equities Review Board.
- Reviews equity decisions as presented by the Head CCCS and DC SIGINT.
- All CSE activities, including equities management decisions made under the Framework, are subject to CSE’s robust system of independent oversight, including the Intelligence Commissioner (IC), National Security and Intelligence Review Agency (NSIRA), and National Security and Intelligence Committee of Parliamentarians (NSICOP).
Factors to be Considered in an Equity Assessment
The following factors—at a minimum—will be considered when conducting an equity assessment:
- Whether the vulnerability relates to an information system or technology relied on by the Government of Canada or Canada’s critical infrastructures;
- Whether the vulnerability, though not relied upon by the Government of Canada or Canada’s critical infrastructures, is found on information systems or technology in widespread use in Canada;
- Whether and which adversaries have the capability to use the vulnerability against Canadian networks;
- The level of technical expertise or complexity required to use the vulnerability against Canadian networks; and
- The severity of damage that could be caused should the vulnerability be successfully exploited by a threat actor.
- An assessment of the expected intelligence value from retaining a vulnerability in the context of the security of Canada and Canadians; and
- Whether any other comparable capability is available to CSE that could be employed to achieve the same outcome as expected from using a retained vulnerability.
- Whether there are any mitigation measures that would reduce the impact of the vulnerability on the information systems and technology relied on by the Government of Canada, Canada’s critical infrastructures and, to the extent the required information is available, information systems and technology in widespread use in Canada;
- An assessment of the private sector entity’s capacity and willingness to responsibly mitigate the identified vulnerability in its products, the extent to which CSE’s assistance may be required to enable this mitigation and CSE’s capacity and authority to do so; and
- Whether the vulnerability was provided by an allied partner and already assessed under a similar equities process.
In this Framework, the following terms mean:
- Equity assessment refers to the determination of the security risk presented by the protection concerns associated with an identified vulnerability, and the intelligence value associated with that vulnerability.
- Protection concerns refer to the characteristics of the identified vulnerability that place information systems and technology relied on by the Government of Canada and critical infrastructures at risk of compromise by an unauthorized user. The greater the impact of the compromise caused to these systems and networks by the vulnerability, the more significant the protection concerns associated with that vulnerability and the greater the interest CSE has in mitigating the security risks presented by that vulnerability.
- Protection concern mitigation measures refer to one or more measures used by CSE to reduce concerns associated with retaining a vulnerability for intelligence or other operational purposes. These can include the development of a mitigation capability deployed on information systems and technology of the Government of Canada and of Canada’s critical infrastructures.
- Vulnerability refers to a weakness or flaw in the design, implementation, operation or management of an information system or technology that allows an unauthorized user to access the system in a way that impacts confidentiality, integrity, or availability of information.