GCHQ launches new regime for the certification of providers of cyber-attack response services

CESG, the Information Security arm of GCHQ, has launched a new scheme for the certification of providers of Cyber Incident Response services in order to offer access to government and industry approved tailored response expertise following cyber-attacks on businesses or public bodies.

The initiative, announced on 13 August in collaboration with the Centre for the Protection of National Infrastructure (CPNI) and the Council of Registered Ethical Security Testers (CREST), involves a two-tier approach to the certification of Cyber Incident Response services. It will take into account the varying degrees of assistance required by different industry sectors, government bodies and academic institutions through industry-led certification on the one hand and allows CESG and CPNI to focus on sophisticated, targeted attacks against networks of national significance on the other.

The first-tier, industry-led certification scheme, will be administered by CREST and will focus on the appropriate requirements for each industry sector and public body. CREST has worked to define the standards that companies providing cyber security incident response services should have in place to protect client information. The body will audit the service providers against these standards and will also enforce them via codes of conduct. This process will provide companies and the public sector with a list of assured providers from whom they can choose and CESG hopes that it will lead to the foundation of a "strong UK cyber incident response industry able to tackle the vast majority of cyber-attacks".

The second tier, CESG/CPNI-led certification scheme, will focus on responding to challenging attacks or those targeted against national infrastructure. The scheme will seek to identify a small number of providers with the necessary expertise and quality standards required to tackle sophisticated attacks by "highly skilled threat actors".

Chloe Smith, the Minister for Cyber Security explains that while, "The best defence for organisations is to have processes and measures in place to prevent attacks getting through," despite best efforts cyber-attacks cannot always be avoided and when such attacks do penetrate systems, "Organisations want to know who they can reliably turn to for help." It is hoped that this initiative will allow all of those organisations which may be victims of cyber-attacks, including SME's, national and multinational industry, the wider public sector and central government to source an appropriate incident response service tailored to their particular needs, while allowing CESG and CPNI to focus on the most challenging attacks.