A Government-backed scheme to help companies recover from cyber attacks has failed to get off the ground - despite ostensibly being launched in August - because none of the suppliers bidding to provide the ‘emergency service’ has been judged good enough.
Eight vendors have so far tried and failed to secure accreditation under the Computer Incident Response (CIR) scheme to rescue businesses that have suffered a cyber attack.
CIR is part of the Government's flagship £640 million National Cyber Security Programme (NCSP), and is the second part of the NCSP to hit problems in recent weeks.
In October, SC Magazine.co.uk reported that the launch of a UK Computer Emergency Response Team (CERT) – which will pool private and public sector experts to co-ordinate a national UK response to cyber crimes and attacks – has been delayed from this year to 2014.
The CIR problem is due to the suppliers failing to meet the standards set by CREST, the not-for-profit certification body running the scheme.
CREST had hoped to have the first suppliers in place by the end of September but its president, Ian Glover, told SC Magazine: “Nobody passed the audit on the first attempt. Although it was our intention, nobody passed on the first tranche.”
He declined to name the eight bidders failing to make the grade but said they included three of the four firms involved in the year-long CIR pilot, which were BAE Systems Detica, Cassidian, Context Information Security and Mandiant.
Glover said the eight have re-applied and CREST expects the first successful bidders to qualify later this month. Glover also believes more suppliers are preparing submissions, including the remaining vendor from the CIR pilot.
He said the main problem for vendors was nailing down the policies, processes and procedures demanded by CREST.
“The temptation is, if something has gone wrong, then we need to start tomorrow,” he said. But the suppliers “need to define objectives even though it's an emergency project and recognise the legal and regulatory requirements”.
For example, Glover said: “If the objectives are that we wish to take somebody to court, then there are certain approaches that need to be done and there's certain protection of evidence that needs to go along with it.”
He added, “It's quite likely that the investigation will go beyond the organisational scope and at that point you need to be very careful how you continue the investigation. You're potentially either making the situation worse or you are looking at information you don't have a right to see.”
Companies looking for ‘qualified’ help right now with cyber attacks can go to the four CIR pilot companies, who remain “interim” providers of the service. CREST has also approved several vendors as qualified intrusion analysts, malware reverse engineers, and web application and network penetration testers.
CREST's CIR scheme is for private-sector victims of cyber attacks. It sits alongside a separate CIR for ‘networks of national significance’ run by GCHQ's information security arm, CESG, and CPNI (the Centre for the Protection of National Infrastructure). It is understood that the first suppliers for the CESG/CPNI CIR scheme will also be approved this month.
Despite CIR's teething troubles, Glover wants to encourage suppliers to apply for the scheme. But he also wants “the buyer community and the supplier community to know it is not a trivial exercise”.
He said the vendors had reacted positively to failing first time round. “It isn't - ‘I've failed my GCSEs’. It is - the industry body is assisting me to provide the services in a more consistent and professional fashion.”
CREST has published a free CIR guide, available via its website at www.crest-approved.org.