UK Cyber Response: Getting it Right Matters
There currently exists an alphabet soup of organisations tasked with upholding the UK’s cyber-defences. Proposals for a national UK Cyber Response Team will therefore need to set out clear responsibilities, differentiating it from other cyber-response initiatives.
The UK faces a wide variety of cyber threats, with the potential to impact broad swathes of society. These range from criminal activity targeting individuals and small businesses, through organised groups of activists plotting large-scale disruption of websites, to state-sponsored campaigns of industrial espionage.
How the government responds to a cyber attack, including the co-ordination of departments, agencies and assets, has been of particular concern to policymakers. Until recently, both the public and private sectors were without a national centre to coordinate the response to a cyber attack. The first version of the National Cyber Security Strategy, published in 2009, tasked the Cyber Security Operations Centre (CSOC) with improving ‘the technical response co-ordination to cyber incidents’. The 2012 Olympic Games also posed a challenge to UK cyber response organisations, and resulted in the establishment of an Olympic Cyber Coordination Team to ensure that any cyber incidents that could affect the continuity of the Games were managed appropriately. It was only at the beginning of this year that the Cabinet Office announced the next stage of improvements to the UK's cyber response machinery – the establishment of a national Cyber Emergency Response Team (CERT).
The State of the Nation
Currently the UK has two primary government CERTs that cater to different organisational groups: CSIRTUK, part of the Centre for the Protection of National Infrastructure (CPNI), which primarily provides services to the companies that make up the critical national infrastructure, and GovCERTUK, which provides response services primarily to government and wider public sector organisations. Additionally, the Ministry of Defence (MoD) has a dedicated CERT responsible for MoD networks.
Cyber incident response is not just a government activity. The European Network and Information Security Agency (ENISA), an EU body based in Greece that promotes cyber security initiatives and supports EU member states' cyber response programmes, publishes an annual report on CERT activity in the EU member states. The 2013 report lists a total of twenty-one cyber incident response groups operational in the UK; aside from the three government-run response teams there are a number of industry and academic response groups, as well as companies providing response services. ENISA has encouraged each member state to have a single government-backed national CERT, and has set out minimum capability requirements that such an organisation should meet.
Currently the majority of companies in the UK have no government-backed central body for incident reporting, and no means of receiving bulletins and alerts of the type made available to critical infrastructure companies and government departments. Companies suffering a malicious cyber incident are able to report to law enforcement or to Action Fraud (which acts as the national point for reporting online fraud and other criminal activity), but the response to high-tech crime varies significantly from police force to police force, and for many it is not a high priority. Even with improvements such as the proposed National Cyber Crime Unit, a police response will necessarily focus on prosecuting criminality rather than providing a reporting and information-sharing service.
Until 2007 the roles of CSIRTUK and GovCERTUK were combined in what was effectively a national UK CERT, forming part of the National Infrastructure Security Coordination Centre (NISCC), the predecessor to CPNI. The Unified Incident Reporting and Alert Scheme (UNIRAS), as it was named, was responsible for providing a central point for reporting incidents from both the public and private sector (though with an emphasis on critical infrastructure), and for producing bulletins and alerts on cyber threats.
With the formation of CPNI, responsibility for incident response and alerting for government and public sector networks was passed to the newly formed GovCERTUK, while CPNI took on the CERT role for the critical national infrastructure. Whilst both CSIRTUK and GovCERTUK continued to provide the same response and alerting services to their respective customer bases, the end of NISCC and UNIRAS resulted in a less cohesive overall response picture in the UK.
In the intervening years the push for government departments to outsource has continued to blur the boundaries between the public and private sector. Additionally, the unprecedented growth in the use of the internet and internet-based services has significantly expanded the number of services that could be considered critical to the continued economic well-being of the UK. This increased complexity has raised the potential impact of cyber incidents, and made a cohesive national response to a large-scale cyber incident all the more important.
Whilst the government began to recognise these issues in the 2009 Cyber Security Strategy, with the elevation of cyber to the top tier of threats to the UK, the cyber response machinery in the UK has remained fragmented. The lack of a lead in this space has caused confusion – the loss of the single reporting point that was NISCC, alongside the sudden government-generated publicity for all things cyber, meant that there was interest in cyber security but no obvious point of contact for private sector organisations. Additionally, whilst there has been no publicly declared significant cyber incident, it is clear that a co-ordinated response to cyber security threats would be most effective with a single lead organisation.
In the most recent iteration of the cyber security strategy, a number of strands have emerged which are pertinent to cyber incident response. The first of these was the Cyber Information Sharing Partnership (CISP). The aim of this initiative was the development of an online forum for the sharing of information on threats and security incidents. The goal is to enable participating organisations to rapidly disseminate important information which may affect others (such as details of a specific kind of cyber attack), and to allow the community to provide assistance and advice to its members.
The Ministry of Defence has launched a supply-chain-specific equivalent of the CISP, named the Defence Cyber Protection Partnership (DCPP). Its goals are similar to those of CISP – improved cooperation between government and industry, and the ability of the private sector participants to help each other through information sharing.
Next is the Cyber Incident Response (CIR) scheme. It aims to certify security companies that can provide an effective incident response service to those in need. Applicant organisations are assessed by government against a number of criteria pertinent to responding to sophisticated cyber attacks before they are able to offer services under the CIR banner. Currently only four companies are listed as meeting these criteria, though the initiative only moved out of its pilot phase in August 2013.
Other government programmes include Action Fraud and the cyber crime function of the new National Crime Agency.
The UK CERT
The final, and potentially the most significant, piece of the jigsaw is the proposed national UK CERT. So far little detail has been made public about the capabilities of the UK CERT beyond the initial announcement. ENISA provides some recommended baseline capability guidance for a national CERT but does not require, though it is implied, that these functions be vested in a single organisation. The baseline requirements include working to reduce the threat to critical networks, providing a framework for effective incident response, and building working relationships with the national CERTs of other countries. All of these activities already take place in the UK, spread across, and sometimes duplicated by, the existing CERTs.
To be truly successful the UK CERT should assume the functions of the existing CERTs. This would include acting as the single point of contact for organisations in the UK to report significant cyber incidents, and publishing advisories and briefings on topical and timely security threats. It also includes co-ordinating the government response to significant cyber incidents and, for nationally significant organisations that suffer a significant incident, providing a level of on-the-ground support from government experts. For companies that have suffered a cyber incident and need further assistance, the CERT can signpost the way to cyber security companies that can provide further technical response services. The UK CERT should also give national CERTs in other countries a single point of contact in the UK. This will provide greater clarity to the UK's partners in cyber security, facilitate the co-ordination of a response to a major incident, and make other initiatives, such as multinational cyber exercises, far simpler for the UK to engage in.
The new CERT also needs to have a clear purpose amongst the array of other cyber response initiatives, either absorbing them or forming part of a broader cohesive response framework in which each component operates with a well-defined remit and purpose. Careful thought needs to be given to communicating this to industry and the wider private sector, with clarity provided on responsibility and remit, and clear guidance on the services and response that can be expected from the CERT.
Poor communication would render the new CERT little more than another acronym amongst the current initiatives, with industry still lacking clarity on the government response to cyber incidents. Additionally, it is clearly not practical, or desirable, for government experts to attend every organisation that reports an issue – the CERT's messaging must be clear on the response and service that will be provided.
Done well, the UK CERT can stand as the clear cyber lead in government. However, if it is set up alongside the existing CERTs with no clear remit, and lacking support from the departments which have the relevant expertise, it runs the risk of being another little-used and ineffective government initiative. With the National Cyber Security Programme, and the associated £650 million, coming to a close in 2014, it is crucial that the national UK CERT, potentially the centrepiece of the future of cyber response in the UK, is implemented effectively.
Associate Fellow, Cyber