The CERT, part of the Government's £650 million National Cyber Security Strategy, will bring together private and public sector experts to co-ordinate response to cyber crimes and online attacks on a national level, and work with other countries' CERTs to share technical information on cyber security.
“We are still in process of recruiting professionals for our CERT-UK team and we expect it to be functional by the end of the year,” Cabinet Office Minister Francis Maude was reported as saying just last month. But the Government has now admitted the scheme has been delayed to early 2014, when it will be introduced only in a phased approach.
The Cabinet Office has not given a reason for the setback but is red-faced at the delay to a scheme that was originally promised for this year when the Government gave an update on its national strategy in December 2012.
A Cabinet Office spokesman said: “It was written in black and white that we hoped to do it within 12 months and I understand the criticism.” But he defended the delay, saying: “We're not going to be rushed into doing it, because this is the first UK national CERT and we want to do it properly.”
He said that the Government hopes to make an announcement on the scheme “in the next month or so”.
The difficulty of recruiting cyber security specialists could be one reason for the hold-up. But industry observer Steve Durbin, head of the independent Information Security Forum (ISF) user group, said such delays are always on the cards with government-led schemes.
He told SC Magazine: “It does point to one of the challenges that government has in terms of trying to set up these sorts of things. Cyber space is an incredibly fast-moving environment and you need to be very fleet of foot. So responsiveness is key. The question is always going to be whether or not governments are best placed to be able to respond in an effective fashion.”
Durbin said the UK Government “is doing a pretty good job” but “it's always going to be slightly behind the game - necessarily so because of the nature of the beast”.
The US has had a CERT in place since 2003. The UK currently has a CERT focused on government-run systems, but the new body will be the first to co-ordinate cyber incident response across all public and private sectors.
A government spokesman said: “In our discussions with industry and across the board we've seen the importance of having a UK national CERT - and it's important that we get it right. Our priority has been in making sure we have something that is credible with our partners in industry, academia, across the board.”