Computer Emergency Response Teams

CYBER SECURITY NATIONAL CRITICAL INFRASTRUCTURE

I recently commented about Cyber Security National Critical Infrastructure in a posting titled This is the ultimate game of cops and robbers

http://timhjrogers.blogspot.com/2018/09/this-is-ultimate-game-of-cops-and.html

Following attendance at the meeting to discuss CERT [Computer Emergency Response Teams] I have the following observations.

Overall I think the meeting was a positive step in the right direction but my inclination would be to prioritise Government and National Critical Infrastructure before discussion with Visit Jersey, Association of Jersey Charities, Jersey Business, Digital Jersey etc.

I am sure all the SMEs and Voluntary Sector would welcome a government funded Computer Emergency Response Teams to co-ordinate advice, action, reporting for Jersey.

However perhaps Government and National Critical Infrastructure (Health, Ports, Electricity, Water ) should be the role models and help by setting the tools, templates and techniques that SMEs and Voluntary Sector can follow.

There is consensus that initiatives like Cyber Essentials CE is good. But also recognition that cost, understanding and expertise are a barrier to large-scale take-up of Cyber Essentials (see link below)

There is concern about States of Jersey suppliers certification requirements

1. From 2018, suppliers awarded any new government contract worth more than £25,000 will need to commit to adopting Cyber Essentials, or a higher standard, within 12 months.

2. From 2020, all suppliers in receipt of contracts valued at more than £25,000 will need to demonstrate adherence to Cyber Essentials or a higher standard.

This is likely to create more fear than compliance in the absence of funding or guidance.

It is noted in the UK that despite being years’ ahead with Cyber Essentials the take-up has been low.

It is noted that some Government departments or quangos don’t meet suppliers certification requirements and it seems premature to mandate this as a requirements without the training, tools, templates and techniques (ostensibly from CERTS) to make this happen.

However rather than challenge the wisdom of CERTS, this instead highlights how important they are and that perhaps the government’s ambition for CERT should be in-place to help facilitate and support Cyber Essentials.

COMPUTER EMERGENCY RESPONSE TEAMS

There was good discussion about the wide variety of approach and content for CERTs. It seems many people take many different approaches.

It its most basic level both CE and GDPR require planned responses to breaches and information security events and any toolkit (including one supplied by me) include all the tools, templates and techniques necessary to satisfy that requirement.

However at a macro level it doesn’t make sense for 100’s of small businesses duplicating effort that a central Computer Emergency Response Teams might do faster, cheaper, better and with considerably more expertise and co-ordination.

Take for example co-ordinating regulatory reporting for OIC, JFSC, Police, NIST etc.

Or another example, offering standardised advice and guidance on tools, templates and techniques

Or perhaps noticing patters of cause and effect that are not obvious in isolation, but can be managed better from “higher-up”


CONSCLUSION

The CERT [Computer Emergency Response Teams] initiative is a good one. But it needs to be co-ordinated with Cyber Essentials and States of Jersey suppliers certification requirements.


As always, feedback welcome – particularly form people who have experience and knowledge to contribute on CERTS and Cyber Essentials



LINKS

CERT [Computer Emergency Response Teams]
https://en.wikipedia.org/wiki/Computer_emergency_response_team

About Cyber Essentials
https://www.gov.je/StayingSafe/BeSafeOnline/ProtectYourBusinessOnline/pages/cyberessentials.aspx