On 13 August 2013, the UK’s CESG, the Information Security arm of GCHQ, formally launched two schemes aimed at providing access to industry expertise on effective response to cybersecurity attacks. The schemes were prepared in collaboration with the Council of Registered Ethical Security Testers (CREST), the professional body representing the technical security industry. The Minister for Cyber Security, Chloë Smith, said she was delighted to announce “a unique Government-Industry partnership to tackle the effects of cyber incidents.”
The initiative follows on from the successful pilot that began in November 2012. The pilot programme aimed to assist organisations hit by cyberattacks by connecting them with companies with established expertise in responding to such incidents. The conclusion drawn from it was that the objectives of the National Cyber Security Strategy will be best met by a two-tier certification programme for Cyber Incident Response services. The two-tier approach takes account of the varying degrees of assistance required by private sector companies, government organisations and universities by tailoring incident response to industry needs, and allowing GCHQ and CPNI to focus on the most significant attacks.
The first tier, or industry-led certification, will focus on appropriate standards for incident response for all industry sectors, the general public sector and academia. As part of this scheme, CREST, together with industry and government, will prepare standards for ‘Cyber Security Incident Response (CSIR)’ services. CREST will use the standards to audit security incident providers and will enforce the standards via codes of conduct. GCHQ hopes that this will provide a “foundation to establish a strong UK cyber incident response industry able to tackle the vast majority of cyber-attacks.”
The second tier, known as CESG/CPNI-led certification, will focus on responding to sophisticated or targeted attacks against important national infrastructure. This scheme will be run by GCHQ and CPNI, and will seek to identify a small number of industry providers with sufficient expertise and quality standards to respond to attacks perpetrated by the most skilled “threat actors” or those aimed at “networks of national significance”.
The scheme recognises that despite best efforts, cyberattacks cannot always be avoided, but that the manner of response is often crucial to how much damage results from them. Smith said, “The best defence for organisations is to have processes and measures in place to prevent attacks getting through, but we also have to recognise that there will be times when attacks do penetrate our systems and organisations want to know who they can reliably turn to for help.”