The term “Computer Emergency Response Team”, or CERT as it is better known, has been bandied around recently.
Not only with the announcement of Chris Gibson as the head of the UK-CERT, which is expected to be fully functional in the New Year, but also after ENISA called on CERTs to work together and called them the “fire brigade” of security. Earlier this year, a BBC story said that each country would have to appoint a CERT and create an authority to which companies would report breaches, with these bodies deciding whether to make the breaches public and whether to fine companies.
The concept of a CERT follows the lead of Carnegie Mellon University, which trademarked the term for a team that responds to computer incidents. “In order to call yourself a CERT or to use the name CERT in your title, you need to get permission from CERT/CC to do so,” said Brian Honan, head of the Irish CERT IRISSCERT.
David Harley, senior research fellow at ESET, questioned how the EU can insist that each country has a CERT when it is a trademarked term; however, he did say that a similar CSIRT (Computer Security Incident Response Team) can apply for CERT status.
“In fact, a load of countries do have a CERT or CERT-equivalent, if not more than one (for instance, we also have the JANET CSIRT). CPNI (back when it was UNIRAS and then NISCC) did facilitate meetings between such teams, and security companies were represented there.
“CPNI (Centre for the Protection of National Infrastructure) was also pushing hard on an initiative to generate WARPs (Warning, Advice, and Reporting Points) a few years ago: in fact, the NHS was in the process of replacing the Threat Assessment Centre, which I used to manage, with a WARP network, when I left in 2006. The WARP initiative seems to have lost some steam since then, but there are still WARPs out there.”
Honan said he felt that CSIRT better explains what teams do, in terms of responding to security incidents as opposed to computer emergencies. Looking at the EU’s announcement from earlier this year, Honan believed that the EU is looking for each member state to have a National CERT which would represent each member state at the national level.
“National CERTs are CERTs that have been given a mandate by their Governments to deal with computer security incidents. So a country can have many CERTs, as the UK does, but only one of them can be the National CERT,” he said.
“Where there are no national CERTs the role often falls unofficially to another CERT in that jurisdiction and this was the case with IRISSCERT. In most cases national CERTs would deal with computer security incidents and also on matters relating to national security or issues impacting governments. In many cases National CERTs would be privy to more sensitive information/issues than other CERTs.
“In Ireland’s situation the new national CERT has been set up to look after critical network infrastructure and Government departments and IRISSCERT will continue to support the business community. Where needed we will work with the national CERT.”
I spoke with Bob Ayers, former cyber intelligence officer for the US Army and the Defense Intelligence Agency (DIA) and now commercial director of Glasswall Solutions. He claimed that incident response groups have been collaborating since they began 20 years ago with ‘FIRST’, which now boasts over 200 active members, but he said that in Europe it depends on trust between members.
He said: “A few years ago the Ministry of Defence CERT had someone share a zero-day vulnerability before a patch was available, and since then there has not been any requests for information. They can have the best people in the world but if they are not working together then they don’t recognise national boundaries. FIRST advises you to cross boundaries.”
Asked on what level CERTs collaborate and share information, Honan said that in his network they do share and work with others, but one of the challenges new CERTs face is being able to work with other established CERTs.
“This is not a form of elitism, but more a case of trust. CERTs work with very sensitive information about security incidents and criminal activity so they need to ensure whomever they are sharing information with will not breach that trust.
“To facilitate this there are a number of networks that a CERT can join to establish and gain trust. In Europe there is the TF-CSIRT, which supports CERTs and CSIRTs within Europe, and globally there is FIRST. To join these groups you have to go through a vetting process whereby your integrity as a CERT, your ability to contribute at a useful level and the security of your processes and procedures are determined, and you also pay a membership fee.
“You are also required to attend regular meetings to help establish relationships, build trust and share information that may be too sensitive to do so over email etc. IRISSCERT is a member of TF-CSIRT and a member of FIRST.”
Honan said that this is a complex landscape and a CERT is not something that can be set up quickly due to it being vetted by Carnegie Mellon and also gaining trust and cooperation of existing CERTs, although this should not be as big an issue for national CERTs.
The UK CERT may be in its infancy with its head only having been in the seat since the 11th November, but as Honan said, gaining trust of other national CERTs should not be the issue. Getting the UK’s existing localised CERTs and private industry to play ball may take more effort.