What needs to be done after a cyber-attack has occurred? This is the question which two new cyber-security schemes will answer. On 13 August 2013, GCHQ’s Communications-Electronics Security Group (“CESG”) announced a scheme whereby it will provide expertise to industries in the wake of sophisticated and nationally significant cyber-attacks. This will run alongside a complementary scheme operated by the Centre for the Protection of National Infrastructure (“CPNI”) and the Council of Registered Ethical Security Testers (“CREST”) aimed at establishing standards and certification for private sector cyber-security response providers.
The schemes will complement one another and will involve the non-governmental not-for-profit body CREST establishing suitable standards for general incident responses. These standards will be endorsed by the CESG and CPNI, and the latter two organisations shall also establish a more focused incident response scheme for attacks on networks of “national significance”.
CREST, which presently certifies the expertise of cyber-security providers, will work alongside industry to develop appropriate standards, audit the service providers against these standards and ensure compliance through codes of conduct. Given the technical expertise required to deal with sophisticated cyber-attacks, it is envisaged that only a small number of providers will be certified to offer cyber-attack response services. More details of how to become, select and find a certified provider can be found on the CESG website.
The new schemes follow the introduction of a pilot programme in October 2012. Companies within the pilot helped private and public sector bodies resolve cyber-security incidents. The pilot concluded that effective solutions were needed to deal with the varied types and requirements of incidents, allowing the intelligence authorities to concentrate on serious national attacks whilst being confident that private service providers are able to deal with the remainder of incidents.
Further information on the schemes can be found on GCHQ’s website. In addition, businesses wanting more information about cyber-security may wish to examine the UK Government’s “10 Steps to Cyber Security” guidance published last year.