Citing unnamed sources, The Guardian newspaper reports that the group is set to go live on 31 March, some 15 months after being announced by Cabinet Office minister Francis Maude in December 2012. At the time, the group was seen as a pivotal part of the government's £650 million cyber security strategy.
Much work has gone on behind the scenes over the last year between the government, law enforcement bodies and industry-specific CERTs, including those based out of GCHQ, CPNI and the recently-introduced National Cyber Crime Unit (NCCU – part of the National Crime Agency). The Janet Computer Security Incident Response Team (Janet CSIRT) has also been involved and has been sharing data on incident response.
According to the Cabinet Office, CERT-UK will develop the UK's cyber resilience to protect critical systems – such as power and water stations – from criminal and state-sponsored attacks.
The group was initially delayed because of a shortage of technology and personnel, but the latter, in particular, has been rectified in recent months.
Chris Gibson, the former director of e-crime at Citigroup and on the leadership team at the Forum of Incident Response Security Teams (First), joined as director, with Neil Cassidy, former cyber defence lead at government supplier Qinetiq, becoming deputy director of operations. The Guardian reports that Andrew Whittaker, formerly a crisis management expert at the Foreign Office, was given the role of overall deputy director.
Gibson did not immediately respond to our request for comment.
Some other details on CERT-UK are still to be decided, although the group is likely to be London-based.
The government has faced plenty of criticism over the delay, but a Home Office spokesperson told SCMagazineUK.com back in October that it wouldn't be pressured into launching the group ahead of time: “We're not going to be rushed into doing it, because this is the first UK national CERT and we want to do it properly.”
On learning that the group is now ready to become operational, Tim Holman, CEO of 2-Sec and president of ISSA UK, told SCMagazineUK.com that CERT-UK will, however, only work if clear communication lines are established between the various CERT teams, as well as the NCC.
“CERT-UK in essence is a good idea – there are already multiple CERTs within the UK that have grown from the public, education and private sectors to fulfil the urgent need for information sharing, and bringing it under one roof should help ensure information sharing can be carried out much faster and ensure a rapid response to cyber threats,” he said.
“Next day recovery is no longer acceptable for entities that are damaged by cyber attacks, and getting certain entities back online within hours or even minutes has to be a priority.
“It's only going to work if the fragmented CERTs that exist in the UK today start talking together and share information, both within the UK and the rest of the world.” Holman added that effective CERTs are also needed for the private sector, and expressed concern that these groups may not protect SMEs, even though attackers are increasingly edging that way.
“Criminals are just going to turn their attention to easier targets. Us,” said Holman via email.
Information security researcher – and industry veteran – Graham Cluley is more positive about the announcement, although he too noted the importance of different groups being able to work together.
"Good luck to them. Let's hope that they bring together the different teams effectively, and can provide helpful leadership to the various organisations defending the UK against cybercrime attacks," he told SCMagazineUK.com.
Bob Tarzey, analyst and director at Quocirca, added that he has mixed feelings on the new group, especially as so few of the supposed attacks against CNI are reported in the mainstream media.
"Mixed feelings on this. On the one hand, if CNI is so vulnerable, how come there have been no significant attacks reported to date? On the other hand, if the threat is so ominous how come it has taken the government so long to put protection in place?" he said.
"Anyway, it is good to see the government is looking at the potential scale of the problem and the defences that might be required."
The UK is late to developing such a team, although it does have a CERT focused on government-run systems, critical infrastructure and defence forces (CESG). The Home Office says that “the new national CERT will build on and enhance these existing mechanisms”. The US has had a CERT team since 2003, while there are various teams across the EU (CERT-EU) and its member states.