United States Computer Emergency Readiness Team

Overview

The United States Computer Emergency Readiness Team (US-CERT) has played an important role in public sector data security. US-CERT is a partnership between the Department of Homeland Security (DHS) and the public and private sectors. It is currently positioned within the National Cyber Security Division (NCSD) of DHS's Office of Cybersecurity and Communications.^[1]

Established in 2003 to protect the nation's Internet infrastructure, US-CERT coordinates the nation’s efforts to prepare for, prevent, and respond to cyber threats to systems and communication networks. The organization interacts with federal agencies, state and local governments, industry professionals, and others to improve information sharing and incident response coordination and to reduce cyber threats and vulnerabilities. It serve as a focal point for the government’s interaction with federal and non-federal entities on a 24-hour-a-day, 7-day-a-week basis.

US-CERT is identified by the Office of Management and Budget (OMB) to serve under FISMA as the Federal information security incident center to:

• Provide timely technical assistance to operators of agency information systems regarding security incidents, including guidance on detecting and handling information security incidents;
• Compile and analyze data about incidents that threaten information security; and
• Inform operators of agency information systems about current and potential information security threats and vulnerabilities.

US-CERT also provides a method for citizens, businesses, and other important institutions to communicate and coordinate directly with the federal government on matters of cybersecurity. The private sector can use the protections afforded by the Critical Infrastructure Information Act to electronically submit proprietary data to US-CERT.

In the event of a security issue or disruption affecting data and applications, US-CERT facilitates coordination of recovery activities with the network and security operations centers of owners and operators of these networks and with government officials (e.g., incident response teams) responsible for protecting government networks. NCSD is the government lead on a public/private partnership supporting US-CERT and serves as the lead for the federal government’s cyber incident response through the National Cyber Response Coordination Group.

US-CERT provides the following support: (1) cyber security event monitoring; (2) advanced warning on emerging threats; (3) incident response capabilities for federal and state agencies; (4) malware analysis and recovery support; (5) trends and analysis reporting tools; and (6) other support services in the area of cyber security. US-CERT also provides consumer and business education on Internet and information security.

On November 2, 2012, US-CERT was merged into the National Cybersecurity and Communications Integration Center (NCCIC).

Branches

US-CERT is composed of several branches: Operations, Situational Awareness, Future Operations, and Mission Support. Each branch has specific responsibilities:

• The Operations branch is to receive and respond to incidents, disseminate reasoned and actionable cybersecurity information, and analyze various types of data to improve overall understanding of current or emerging cyber threats affecting the nation’s critical infrastructure.
• The Situational Awareness branch is to identify, analyze, and comprehend broad network activity and to support incident handling and analysis of cybersecurity trends for federal agencies so that they may increase their own situational awareness and reduce cyber threats and vulnerabilities. As part of its responsibilities, the branch is responsible for managing the information garnered from the US-CERT Einstein program, which obtains network flow data from federal agencies, and analyzing the traffic patterns and behavior. This information is then combined with other relevant data to (1) detect potential deviations and identify how Internet activities are likely to affect federal agencies and (2) provide insight into the health of the Internet and into suspicious activities.
• The Future Operations branch was established in January 2007 to lead or participate in the development of related policies, protocols, procedures, and plans to support US-CERT’s coordination of national response to cyber incidents.
• The Mission Support branch is to manage US-CERT’s communications mechanisms, including reports, alerts, notices, and its public and classified website content.

Incident reports

US-CERT receives reports on the following:

• attempts to gain unauthorized access to a system or its data
• unwanted disruption or denial of service
• the unauthorized use of a system for the processing or storage of data, and
• changes to system hardware, firmware, or software characteristics without the owners' knowledge, instruction, or consent.^[2]

Over the past 5 years, the number of incidents reported by federal agencies to US-CERT has increased dramatically, from 5,503 incidents reported in fiscal year 2006 to about 41,776 incidents in fiscal year 2010 (a more than 650% increase). The three most prevalent types of incidents and events reported to US-CERT during fiscal year 2010 were: (1) malicious code (software that infects an operating system or application), (2) improper usage (a violation of acceptable use policies), and (3) unauthorized access (where an individual gains logical or physical access to a system without permission). Additionally, according to Department of Homeland Security (DHS) officials, US-CERT detects incidents and events through its intrusion detection system, supplemented by agency reports, for investigation (unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review).

Publications

US-CERT disseminates cybersecurity information through a website and through mailing lists. Among the products that it provides are:

• Cybersecurity Bulletins: Weekly bulletins written for system administrators and other technical users that summarize published information concerning new security issues and vulnerabilities.
• Technical Cybersecurity Alerts: Written for system administrators and experienced users, technical alerts provide timely information on current security issues, vulnerabilities, and exploits.
• Cybersecurity Alerts: Written in a language for home, corporate, and new users, these alerts are published in conjunction with technical alerts when there are security issues that affect the general public.
• Cybersecurity Tips: Tips provide information and advice on a variety of common security topics. They are published biweekly and are primarily intended for home, corporate, and new users.
• National Web Cast Initiative: DHS, through US-CERT and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has initiated a joint partnership to develop a series of national webcasts that will examine critical and timely cybersecurity issues. The purpose of the initiative is to strengthen the Nation’s cyber readiness and resilience.

In addition, the US-CERT Portal provides a secure, web-based, collaborative system to share sensitive, cyber-related information and news with participants in the public and private sector, including Government Forum of Incident Response and Security Teams (GFIRST), the Chief Information Security Officer Forum, ISAC members, and various other working groups. Authorized users can visit the US-CERT Portal. Similarly, the NCCIC's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) publicly shares a series of unclassified alerts and advisories to provide timely notification to critical infrastructure owners and operators concerning threats to critical infrastructure networks, as well as information about current security issues, vulnerabilities, and exploits.

References

1. The responsibilities of US-CERT are outlined in 44 U.S.C. §3546. Its complete set of operating procedures may be found on the US-CERT website. Separate procedures are in place for the Department of Defense as identified in Directive O-8530-1 and all components report incidents to the Joint Task Force Global Network Operations (JTF-GNO), which, in turn, coordinates directly with the US-CERT.
2. Telecommunications Outage and Intrusion Information Sharing Report, at 6.

Source

• "Publications" section: Encryption and Evolving Technology: Implications for U.S. Law Enforcement Investigations, at 12.

See also

• Air Force Computer Emergency Response Team
• APCERT (Asia-Pacific)
• AusCERT (Australia)
• CanCERT (Canada)
• CERT.at (Austria)
• CERT.Brazil
• CERTA (France)
• CERT-Bund (Germany)
• CERT-CNN (Spain)
• CERT-Difesa (Italy)
• CERT-FI (Finland)
• CERT GOV PL (Poland)
• CERT-Hungary
• CERT-In (India)
• CERT-IST (France)
• CERT-IT (Italy)
• CERT-NL (Netherlands)
• CERT-PA (Italy)
• CERT Polska (Poland)
• CERT-RENATER (France)
• CERT-RO (The Netherlands)
• CERT Coordination Center
• GARR-CERT (Italy)
• GCERT (Malaysia)
• GovCERT.au (Australia)
• GovCERT.ch (Switzerland)
• GovCERT.it (Italy)
• GOVCERT.NL (The Netherlands)
• GovCertUK
• ICS-CERT (Industrial Control Systems Cyber Emergency Response Team)
• Irish Reporting & Information Security Service (IRISS-CERT)
• JPCERT Coordination Center
• Korean CERT
• KrCERT/CC
• MODCERT (U.K.)
• MyCERT (Malaysia)
• NorCERT
• Organisation of the Islamic Conference-CERT (OIC-CERT)
• RU-CERT (Russia)
• SingCERT (Singapore)
• UKCERT
• US-CERT National Cyber Alert System