Director Chris Gibson spoke about the launch of CERT-UK, the UK's first Computer Emergency Response Team.
I’d like to add my welcome to you all and thank you for attending this launch. As I’m sure you’ll understand, today is a very important day for me.
I joined CERT-UK from private industry (with some apprehension I have to say). I’ve been very involved in incident response for a number of years – both in my previous role at Citi but also within the volunteer community in FIRST – a global Forum of Incident Response & Security Teams. In both groups I dealt with a number of International CERTs and had often seen the potential for the UK in this space.
As we have built the CERT I have been constantly impressed with what the men and women in the team are capable of and have done – my earlier apprehensions were very wide of the mark.
The National Cyber Security Strategy, published in November 2011, sets out how the UK will support economic prosperity, protect national security and safeguard the public’s way of life by building a more trusted and resilient digital environment. The launch of CERT-UK is a key milestone in the development of the UK’s cyber security capabilities in line with the UK Cyber Security Programme.
So, what will we do?
CERT-UK will work with partners across government, industry and academia to enhance the UK’s cyber resilience. We will build trust, foster collaboration and both encourage and lead on sharing of information to develop the level of situational awareness we need to stay ahead of our adversaries.
Our main constituency will be critical national infrastructure (CNI) companies though we will work more broadly across industry through the Cyber-Security Information Sharing Partnership (CISP) platform – now an integral part of CERT-UK.
We will work with other national CERTs when the UK is being affected by activity originating in other countries and will assist other national CERTs (including through working with our National Crime Agency) when activity is tracked back to the UK.
To expand on this – I (and CERT-UK) have 3 primary objectives:
1. Cyber Situational Awareness
Situational awareness will lie at the heart of CERT-UK operations. This has been recognised and enhanced by moving the CISP into the CERT-UK Situational Awareness team. Also, using the CISP Fusion Cell (a partnership where industry colleagues work with CERT-UK to analyse information flowing across the CISP), we will be able to utilise specialist skills, tools and technical expertise to provide deeper analysis. This facility is available to our customers who report an incident to us, where the CERT-UK team judge it appropriate.
Our ambition for situational awareness is greater than our remit for incident handling – we want to help businesses help themselves and each other by expanding membership throughout the UK. CISP has proved valuable to members already – we are going to push for more sectors to join, enhancing their ability to improve their cyber security. In fact, to use this opportunity as a marketing moment, if you’re not a member I’d very much recommend you join.
We will use the information we gather from CISP and other providers to produce timely, actionable and usable information to businesses to allow them to defend themselves.
2. We will be an international point-of-contact
Cyber is a global issue and international co-operation is essential to the UK’s cyber security. The UK has established itself as a leading player on the international stage following the London Cyber Conference in 2011, the Budapest conference in 2012 and then, more recently, the Seoul Conference on Cyberspace in October last year, where the international dialogue continued.
Relationships with international partners are crucial. I am very happy to stand here with Larry Zelvin. Larry heads up the US NCCIC (the National Cybersecurity & Communications Integration Center) and we have already started working closely together.
CERT-UK will be the front door for international partners to contact the UK (predominately CERT to CERT), focusing on building relationships with other national CERTs to ensure the UK is represented in an increasingly important group - leading the dialogue and action.
3. We have responsibility for national incident management
As the National Security Strategy document noted, cyber-attacks are considered one of the top 4 threats to the UK’s national security. While, thankfully, national incidents are not a regular event, we will both continue to operate the plan and, also, work with the various areas of CNI to plan, exercise and raise awareness of incident management. Many of you will be aware of the “Waking Shark” exercises in the financial sector – we plan to run similar exercises across other sectors of the CNI. Through this we aspire to improve the ability of the UK to respond to incidents.
CERT-UK is not responsible for any infrastructure beyond our own network but will work closely with those that are, for instance:
- GovCERT for the government networks
- MoDCERT for defence networks
- JANET for academia etc
- industry CERTs etc
As with Larry, I am happy to have Steve Collins from National Grid here.
So, that’s the mechanics of how CERT-UK is set up. What it doesn’t highlight is how each of these parts, each powerful and extremely competent in its own right, combines to make a whole much, much greater than the sum of its parts.
As I’ve already highlighted, situational awareness is absolutely critical. What better way to enhance this than by taking the existing CISP – which is performing extremely well – and putting, right next to it, the incident management teams? That way the situational awareness team are getting information right from the horse’s mouth.
What better way to improve incident response than by combining the existing teams? National Incident Management is improved as we see incidents from the beginning rather than only once they’ve become National. CNI incident handling is improved as they see the whole picture. Incident coordination overall is improved as we bring the 2 groups together with all their knowledge, expertise and many, many years of experience.
And what better way to also improve incident handling overall than to put, right next to it, the existing situational awareness teams? This means that analysts working an incident can call on information from the wider picture.
Some of these teams existed previously but in completely separate locations. They did extremely good work but the synergies and benefits to be gained by co-locating under one roof and under one management structure cannot be denied.
As we now publicly launch we can add to this the benefits of enhanced UK and international collaboration right across CERT-UK and we get truly joined up benefits.
But, while I talk about CERT-UK as a team I am conscious that that team also needs a number of extremely important connections. Those connections are from industry, academia and other parts of government. We will do what we can to increase cyber resilience in the UK but I am acutely aware that the government owns very little of the CNI and certainly is not able to resolve all the problems. Without you we are not going to make this work and I plan on working with you. The UK Engagement team will be leading in strengthening the partnerships we already have and building those that the CERT will require as it goes forward. Some partnerships will be operational and some will be purely information sharing - we will ensure that these are bilateral and we share as much as we possibly can with each other.
Today is the official launch of CERT-UK. In truth all that means is we are going public. You may have noticed that in many of the examples I’ve used I’ve talked about current capabilities. This team has been working together, operationally, for a number of months. What has taken time is taking the various processes, systems and procedures and melding them into a single, cohesive whole.
Today is, though, the launch of Phase 1 of CERT-UK. We have plans to increase our interaction with business through exercising, products, reports and analysis. This is not a finished piece of work, it is a work in progress.
Today marks the culmination of a great deal of work. That work has been carried by numerous groups – the National Cyber Security Programme team led by James Quinault. Natalie Black has run point from the start in incubating CERT-UK. Numerous government departments (such as the Government Digital Service who built our website and other technology) have assisted us with staffing, equipment and knowledge and, finally, industry who have helped with equipment but primarily in building the CISP into the powerhouse it is now as well as staffing the fusion cell.
I am proud to stand in front of you and front that up – but make no mistake, this is a team effort. CERT-UK is a team, it will work as a team and it stands or falls on its ability to be a team. I have no doubt it will pass inspection.