14 May 2014

Five Unanswered Questions on the UK’s New Computer Emergency Response Team

2 Apr 2014
By Calum Jeffray, Research Analyst

The UK’s Computer Emergency Response Team (CERT) was launched this week to universal nods of approval. Questions remain, however, over how it will achieve its aims and what value it will add in an increasingly crowded UK network of cyber security teams.

On Monday the Cabinet Office officially launched the UK’s Computer Emergency Response Team (CERT-UK), seen as a key milestone in achieving the objectives laid out in the national Cyber Security Strategy. Speaking at the launch event in central London, officials gave an overview of the CERT’s main functions; in short, providing a centralised incident management response capability in the wake of major cyber attacks, situational awareness and analysis of threats, and a main point of contact for international CERT engagement.

Perhaps most importantly, government, industry and overseas partners now know who to call (or tweet) in a crisis.

However, the very public launch of this initiative elicited few details on set-up and cost. Though it is still early to judge CERT-UK, here are five important questions that must be answered at the outset:

1. What’s New?

Although a new entity, it could be argued that CERT-UK does little more than bring together teams that existed previously – namely, the Cyber Security Incident Response Team and Cyber Security Information Sharing Partnership (CISP) – under one management structure.

In this new form, CERT-UK can be placed on the long – and often confusing – list of bodies responsible for anticipating and responding to cyberspace threats in the UK. CERT-UK joins, rather than replaces, other government CERTs such as GovCertUK (assisting public sector organisations in the response to incidents) and MODCERT (responsible for coordinating the Ministry of Defence’s response to incidents).

Indeed, CERT-UK will be the twenty-third CERT in the UK recognised by the European Union Agency for Network and Information Security (ENISA). This is in addition, of course, to bodies such as the Centre for the Protection of National Infrastructure (CPNI) and units such as the National Crime Agency’s National Cyber Crime Unit, which conduct their own situational awareness and threat analyses.

CERT-UK may indeed prove crucial in providing the sorely needed coordinating body between all these different groups, though it is open to question whether its two other functions, incident management response and situational awareness, are not already being provided elsewhere.

2. What Does it Look Like?

During the launch event, the Director of the National Cybersecurity and Communications Integration Center (NCCIC) – CERT-UK’s American counterpart – provided details of the four component units of his organisation, noting the 600 personnel that currently work there.

Beyond the vision, functions and goals of CERT-UK, few details on its set-up were made available in comparison. In particular, much about the size and organisational structure of CERT-UK remains a mystery. The need for a certain degree of confidentiality is clear, yet without such basic details it is difficult to gauge whether the resources it has been allocated are appropriate to the threat, and therefore to predict how well it is likely to perform its functions on a daily basis, let alone during a crisis.

3. How Will it Ensure Industry Collaboration?

One of the main aims of CERT-UK is to increase government information-sharing and collaboration with industry through the Cyber Security Information Sharing Partnership (CISP). CISP is designed to encourage exchanges on cyber threats and vulnerabilities, and recent figures show that it now boasts over 600 members representing over 300 corporate organisations.

Despite government claims that CISP is already ‘demonstrating value’, there is little evidence of the extent of government-industry dialogue and what the partnership has actually achieved since the first pilot was run in 2011/12. Certain organisations have also privately questioned the value of participation and the quality of the return they receive in exchange for the information provided. Even if the value of CISP could be illustrated, CERT-UK collaboration with industry appears to run solely through this channel; there is no indication of how it might engage with industry organisations that choose not to be members of CISP.

4. How Will it Ensure International Collaboration?

CERT-UK will undoubtedly provide an invaluable service in acting as the primary point of contact for international partners; the Director of NCCIC, for example, was reassured that the question of ‘Who do I talk to in the UK during a crisis?’ was now answered.

While coordination with the US and NATO partners can be assumed, this will only be of limited utility if an attack originates in or transits through the networks of uncooperative or non-friendly nations. Despite claims to the contrary, collaboration and information exchange – even between allies – are also likely to remain a challenge. Information exchange on cyber security is notoriously difficult, given that it is a relatively new area of inter-state cooperation and that the information shared is often sensitive. How CERT-UK plans to tackle these challenges is unknown.

5. When is a Crisis a Crisis?

A final point that remains unclear is what constitutes an ‘incident’ necessitating CERT-UK involvement. Given the proportion of critical national infrastructure owned and operated by private industry, it is likely to be corporate networks that will be the subject of CERT-UK operations. Figures provided during the launch suggested that there are an average of twenty-eight distributed denial of service (DDoS) attacks per hour, and that 93 per cent of the networks of major UK corporations have suffered a breach in the last financial year.

Whether the onus is on these companies to seek assistance during an attack (which may prove difficult given the speed at which an attack can occur and the reputational damage disclosure may cause), or whether the CERT has the authority to intervene (and if so, at what stage?), questions remain over what constitutes the threshold for a ‘National Cyber Security Incident’, who decides this and when. Crucially, at what point should government, industry and overseas partners pick up that phone?