Britain launches CERT-UK — but forgets the user
Yesterday, with great fanfare, the UK launched its first national CERT: CERT-UK. Its function, according to the new website: “Working with partners across industry, government and academia to enhance the UK’s cyber resilience.”
Isn’t there someone missing? What about the user? We are always told that security is only as strong as its weakest link — and that is likely, especially in an age of BYOD and remote working, to be the user with his Android, or XP laptop at home.
But the UK government has only ever been interested in protecting big business. That includes the national infrastructure because the national infrastructure comprises the biggest of big business. The UK government has never been interested in nor concerned about the people.
Indeed, the user is specifically excluded from the CERT.
Members of the public experiencing cyber issues should contact websites such as:
If they suspect a cyber related crime they should contact Action Fraud.
UK launches first national CERT
In other words, anyone other than the national CERT.
It doesn’t need to be like this. Back in 2002 a visionary member of the Centre for the Protection of the National Infrastructure (CPNI, comprising representation from the Cabinet Office, MI5 and CESG) founded Warning Alerts and Reporting Points (WARPs).
WARPs can be viewed as small, discrete CERTs — sharing security information among each WARP’s membership. The vision was to develop a network of WARPs that could then also share information between each other; helping, advising and supporting.
At that time I still owned ITsecurity.com. I approached the founder with an idea to develop an ‘end-user’ WARP via the website. To be fair, he foresaw problems, but ran with it. There were problems — intense distrust from the local government and bureaucratic WARPs towards the private sector, for one.
But the end for me came when I saw that CESG had circulated a new malware warning to the ‘government’ WARPs, but refused to allow the ‘private sector’ WARPs to see it. The reasoning was that CESG’s brief was to support government, but not private industry. I shut down all of the WARPs I was operating. What was the point?
The reality is that the British security services (CERT-UK’s first two named partners are CESG and CPNI) have secrecy ingrained in their DNA. They will gather data into the CERT but find great difficulty in handing it out. And, as we have seen, they will do nothing for the end-user.
And yet it is the end-user that is potentially the primary weakness in defending the national infrastructure. Remote working is now a way of life, either with mobile devices on the move or laptops and desktops at home. In just the last two days we have seen a new variant of Android malware that steals data. And the Philips SmartTV has a vulnerability that could allow access back into attached PCs. The credentials that could be stolen from the end-user could provide the access that could cripple the national infrastructure.
Postscript on WARPs
When that visionary founder retired, CPNI left the WARP project to die. The website still exists; but the last mentioned Annual Forum was in 2009. It is always a tragedy when a revolutionary and worthwhile idea is just abandoned.