The scheme, said GCHQ, “will be a HMG quality-assured service provided by industry that organizations can turn to for assistance when they have suffered a cyber security incident.”
Chloë Smith, the minister for cyber security, added, “The growing cyber threat makes it inevitable that some attacks will get through either where basic security is not implemented, or when an organization is targeted by a highly capable attacker. ‘Cyber Incident Response’ services provide access to organizations certified by CESG/CPNI to respond effectively to cyber incidents. It builds on the ‘10 steps to Cyber Security’ guidance on how to reduce the risk of vulnerability to attack.”
The scheme is being launched initially as a pilot aimed primarily at government departments and the national infrastructure, but is expected to widen to include business generally. Four companies have so far been certified as members of the scheme: Context Information Security, BAE Systems Detica, Cassidian and Mandiant. All four have existing close relationships with government security services.
Context Information Security has UK offices in London and Cheltenham (where GCHQ is located). “Organisations notified of attacks or those interested in getting advice about detection and mitigation will now have a clear pointer to specialist help with the level of trust and quality-assurance delivered by the scheme,” commented Alex Church, Context’s technical director.
BAE Systems Detica is part of BAE, Britain’s largest defense and aerospace manufacturer and one of the world’s largest. Detica started as Smith Associates, carrying out research on defense matters for the UK government. “Detecting and dealing with [today's] attackers is extremely difficult for most organisations, and hence this scheme should be welcome relief for those that currently don’t know who to turn to for help,” said Martin Sutherland, Detica’s managing director.
Cassidian is part of the European EADS conglomerate. Its website notes, “Cassidian, partner in Eurofighter, is a worldwide leader in state-of-the-art solutions for armed forces and civil security.”
Mandiant is a US company. It describes itself as “the ONLY information security company that can both: tell a company when it has been compromised, and tell what the material impact of the breach is.” When the US Secret Service discovered the breach at the South Carolina Department of Revenue, it was Mandiant that it recommended for forensic incident response.
GCHQ’s Cyber Incident Response scheme is not without its doubters. Professor Ross Anderson of the Cambridge University Computer Laboratory – a long-term critic of GCHQ – suggested, “you might ask yourself whether you'd trust any firm that GCHQ trusts.” He added, “we have issues with [Detica] in that they produced a report on the cost of cybercrime to the UK economy that was simply ludicrous.” Anderson is not alone in believing that governments use inflated ‘costs’ “to justify everything from increased surveillance to preparations for cyberwar.” GCHQ is a strong advocate for the UK government’s Communications Bill, generally dubbed the ‘snooper’s charter.’