Out-Law / Your Daily Need-To-Know

Suppliers of cyber incident response and clean up services will have to meet a range of standards if they wish to be endorsed under two new accreditation schemes on cyber security launched by the UK's lead intelligence agency.

GCHQ has announced that businesses that fall victim to cyber attacks will be able to call upon "a list of government assured, certified providers of response and clean up services in the event of a cyber-attack" under a new accreditation scheme led by the Council for Registered Ethical Security Testers (CREST), the professional body that represents the technical security industry.

Organisations whose networks could be considered nationally significant will be able to tap into the expertise of suppliers accredited under a "small and focused" cyber incident response scheme run by the Government where those systems are subject to "sophisticated, targeted attacks", GCHQ said. Under the scheme, GCHQ's information assurance arm CESG and the Centre for the Protection of National Infrastructure (CPNI) would be responsible for certifying suppliers of cyber incident response services as being up to the job.

The launch of the two schemes follows the previous piloting of a cyber incident response scheme run by CESG and CPNI late last year.

"The pilot concluded that the objectives of the National Cyber Security Strategy in providing greater resilience to Critical National Infrastructure (CNI) companies, as well as wider public and private sector organisations, can be best met by adopting a complementary twin track approach for certified Cyber Incident Response services," GCHQ said in a statement.

"This approach will enable all those organisations that may be victims of cyber-attack – SMEs, national and multinational industry, the CNI, the wider public sector and central government – to source an appropriate incident response service tailored to their particular needs and allow GCHQ and CPNI to focus on the most challenging attacks," it added.

Under the main CREST-led certification programme, suppliers of cyber incident response services will have to put in place measures that meet standards on protecting "client information" if they wish to obtain accreditation under the scheme.

"CREST will audit the service providers against these standards and ensure compliance through codes of conduct," GCHQ said. "This combined with professional qualifications for individuals will provide the buying community with confidence in the integrity and competence of the companies with whom they are contracting. The CREST standard for the industry-led segment will act as a foundation to establish a strong UK cyber incident response industry able to tackle the vast majority of cyber-attacks. This will enable service providers to establish a track record and, if they so choose, apply for certification under the CESG/CPNI-led scheme for the most sophisticated cyber-attacks."

GCHQ said that it was appropriate for there to be a separate cyber incident response scheme specifically dealing with networks of national significance.

"Some organisations need incident response support equipped to tackle the most sophisticated of attacks," it said. "Only a small number of industry providers are likely to achieve the necessary expertise and quality standards to successfully tackle the threats and techniques employed by highly skilled threat actors and related to networks of national significance."

Chloë Smith, Minister for Cyber Security, said: "We know that UK organisations are confronted with cyber threats that are growing in number and sophistication. The best defence for organisations is to have processes and measures in place to prevent attacks getting through, but we also have to recognise that there will be times when attacks do penetrate our systems and organisations want to know who they can reliably turn to for help."

"I am delighted to announce a unique Government-Industry partnership to tackle the effects of cyber incidents. This scheme and others like it, together with the ‘10 Steps to Cyber Security’ guidance for business launched last year, are an important part of our effort to provide assistance to industry and government in order to protect UK interests in cyberspace," she added.
