ADS input to the new UK National Computer Emergency Response Team (CERT-UK)

CERT-UKLater this morning, the government will launch the Computer Emergency Response Team – UK (CERT-UK).

CERT-UK is the UK’s national CERT and will be a lead organisation in national cyber incident response and exercising.  It will also work alongside British industry, academia and international partners to coordinate activity, build trust, foster collaboration and the sharing of information to give the level of situational awareness the UK needs to stay ahead of adversaries.  CERT-UK combines a number of the roles of CPNI’s Combined Security Incident Response Team (CSIRTUK), the Cyber Security Operations Centre (CSOC) and the Cyber Security Information Sharing Partnership (CISP).

In short, CERT-UK will be a centre of excellence, providing advice and additional capacity to existing CERTs within government (such as GovCert) as well as industry.

ADS’ role in helping design CERT-UK

CERT-UK has been built over the last year.  ADS had a key role in helping design the CERT; between January and March 2013, ADS was asked by GCHQ/Cyber Security Operations Centre (CSOC) and the Cabinet Office to provide input for the government’s study about establishing a UK National CERT, from the perspectives of the aerospace, defence, security and space sectors.

Summary of ADS input to GCHQ/CSOC and the Cabinet Office (March 2013)

The key conclusions and recommendations from ADS’ study were:

  1. Prime defence, security, aerospace and space companies receive a good level of support from existing government mechanisms, though there is room for improvement with each.
  2. The use of in-house CERTs by Primes is very limited at present. Many Primes are facing an investment decision: should they set up general CERT teams? The extent to which this is done will partly depend on European legislation. However, it is important to note that in-house CERTs are unlikely to have the bandwidth to address (large) supply chains.
  3. From the perspective of Prime companies, a crucial gap in existing CERT coverage is the supply chain (which is principally composed of SMEs). Smaller companies are not benefiting from the architecture and infrastructure hardening that Tier 1 companies are having to undertake and are unlikely to have the situational awareness necessary for defending themselves. SME respondents similarly noted that they had not entered into any relationships with existing CERTs but expressed an interest in finding out more.
  4. In addition to improving overall situational awareness, respondents agreed there is a requirement for two distinct levels of information sharing: detailed threat information (including more raw material) to the ‘InfoSec savvy’ community, and simplified reporting for SMEs who need clear and simple warning of specific threats and counter measures. Response times to threats should be reduced as a result of a National CERT.
  5. A UK National CERT would add most value by being positioned in the Cyber Security Information Sharing Partnership (CISP) so as to benefit from established boundaries. Primes are well covered through the Aerospace & Defence Manufacturers’ Information Exchange (ADMIE) and GovCERT. This should continue. GovCERT does not have the resources to concentrate on the unclassified world (where industry mainly exists). A National CERT should act as a fusion centre and a clearing house on the outside of GovCERT for supply chains and those sectors that are not well covered at present. If a National CERT lacked breadth across different sectors, respondents noted that the UK would just end up perpetuating the current situation of piecemeal coverage. Ease of access would be critical.
  6. Respondents would strongly support the idea of a fusion centre that could reliably take GCHQ’s Cyber Defence Organisation-type information, combined with wider open source and raw industry reporting from across different sectors.
  7. A National CERT would need to: develop a common reporting format; be able to scrub national intelligence; have a level of maturity to allow scrubbed threat data to be shared (at different levels depending on exposure of company); develop an information release model according to a standard and timely manner; and develop a timely triage system.
  8. A National CERT should not be purely reactive. Some respondents suggested the CERT could have a role in identifying, analysing and reporting vulnerabilities quite apart from receiving and processing threat information from others, though this could pose issues of liability. There were diverging views about whether a National CERT should have a response or ‘surge’ capability, but all Prime respondents agreed that it would be important for a National CERT to have an understanding of response, even if the CERT did not itself maintain a response capability, to ensure the CERT was able to work effectively with other response teams, understand the processes surrounding incident response and share the right type of information within appropriate timescales.
  9. A National CERT could add real value if it supported a globally sourced feed of intelligence (for example, Five Eyes based).
  10. Prime respondents noted that it would be useful of a National CERT set requirements for advanced training and technology development.
  11. A National CERT should be governed jointly by industry and government and funded in the same way, possibly by a subscription for some premium services.
  12. The majority of respondents felt the profile should be high to build confidence and attract companies (acting as a catalyst) and that the CERT should not be based in GCHQ.
  13. Consideration should be given to reframing the roles of other national organisations operating in the CERT and broader cyber security space if a new UK National CERT is introduced.
  14. A number of potential challenges or risks were identified, notably:
  • A CERT’s core business comes out of it being part of an enterprise. A UK National CERT would at present be a standalone entity, so an outstanding question is what enterprise it would fit into that covers supply chains, SMEs and non-defence/aerospace/security/space sectors.
  • An obvious problem is where a UK National CERT would get practitioners from. Respondents agreed that a National CERT should seek to exploit expertise and capability within industry but no consensus about how this should be done.
  • There would need to be a level of assurance that establishing a National CERT would have no effect on commercial business/engagement.
  • GovCERT might be diluted. There would need to be clear expectations of how a UK National CERT would work with GovCERT and the respective remits would need to be deconflicted.