US Computer Emergency Readiness Team (US-CERT)

    Summary: The United States Computer Emergency Readiness Team (US-CERT) is an organization within the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. It is a branch of the Office of Cybersecurity and Communications' (CS&C) National Cybersecurity and Communications Integration Center (NCCIC). US-CERT is tasked with protecting non-military government and civilian computers and networks from cyberattacks. Established in 2003, US-CERT reflected Congress's recognition of the growing vulnerability of the computer networks that run critical parts of the national infrastructure, such as banks, air traffic control, and public utilities. US-CERT's primary function is to build an overall picture of potential vulnerabilities by giving government agencies and private companies a place to report actual or attempted illicit use of computer networks. US-CERT issues periodic bulletins on observed problems while shielding reporting parties from the potential embarrassment of public disclosure. Reports of incidents affecting government agencies are mandatory; participation by private enterprise is voluntary. In February 2023, US-CERT and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which had provided a control-system security focus in collaboration with US-CERT, were retired and integrated into the Cybersecurity and Infrastructure Security Agency (CISA); their mission statements and information were consolidated on a new website, CISA.gov, under the US Department of Homeland Security.

    In-Depth Overview: The United States Computer Emergency Readiness Team (US-CERT) is an organization within the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. It is a branch of the Office of Cybersecurity and Communications' (CS&C) National Cybersecurity and Communications Integration Center (NCCIC). The agency customarily refers to itself as "US-CERT" to distinguish it from the approximately 350 other unrelated organizations worldwide that are focused on computer security and also use the acronym CERT.

    US-CERT describes itself as a "public-private partnership" whose mission is "providing response support and defense against cyberattacks for the Federal Civil Executive Branch (.gov) and information sharing and collaboration with state and local government, industry and international partners." US-CERT is also "the operational arm of the National Cyber Security Division (NCSD) at the Department of Homeland Security (DHS)."

    US-CERT's first level of responsibility involves non-military government computers. All federal agencies are required to report to US-CERT any violation, or "imminent threat of violation," of "computer security policies, acceptable use policies, or standard computer security practices."

    Such violations are rated on a rising scale of severity from one to six:

    Category 1: "Unauthorized Access." Cases in which an individual gains logical or physical access without permission to a federal agency network, system, application, data, or other resources.

    Category 2: "Denial of Service" (DoS). Large-scale demands for service that result in "attacks that successfully prevent or impair the normal authorized functionality" of federal government systems.

    Category 3: "Malicious Code." Any virus, worm, spyware, bot, Trojan horse, or other "code-based malicious entity that infects or affects an operating system or application."

    Category 4: "Improper Usage." Defined as cases in which "a person violates acceptable computing use policies."

    Category 5: "Scans/Probes/Attempted Access." Comprising "an activity that seeks to access or identify a federal agency computer, open ports, open protocols, service, or any combination for later exploit."

    Category 6: "Investigation." "Unconfirmed incidents that are potentially malicious or anomalous activity."

    Of these violations, unauthorized access is by far the most common.

    US-CERT categories notwithstanding, the agency's then-director, Randy Vickers, told a conference in March 2011 that the threshold for a cyber event of national significance remained vague, and that anyone who could define that threshold would "probably win the new Nobel Peace Prize for cybersecurity, because that is the toughest thing to define."

    When: US-CERT came into existence in 2003. Its mandate was included in the Federal Information Security Management Act (FISMA) of 2002.

    Who: US-CERT is part of the Department of Homeland Security, the cabinet-level department organized in the wake of the terrorist attacks of September 11, 2001. It was designed to coordinate security operations across previously independent agencies or agencies that were part of other cabinet departments. The agency works in partnership with private companies that provide computer security services, as well as academic institutions, other federal agencies, local and state governments, and international organizations.

    In its first five years, US-CERT had four directors. The fifth director, Randy Vickers, was appointed in 2009 but resigned unexpectedly on July 22, 2011, effective immediately and without providing a reason. Vickers's resignation followed a series of attacks on government computers, including those of the United States Senate, the Federal Bureau of Investigation, and the Central Intelligence Agency. In 2023, US-CERT was integrated into the Cybersecurity and Infrastructure Security Agency, of which the director was Jen Easterly.

    Why: US-CERT was established in recognition of the importance of civilian networked computing to national security - especially infrastructure deemed critical to the smooth functioning of the economy. US-CERT operates independently of similar military agencies. It predated by six years the Defense Department's Military Command for Cyberspace, established in 2009 by then-Defense Secretary Robert Gates. US Cyber Command is responsible for dealing with the threat of cyber warfare attacks and for using cyberspace as a possible weapon against enemies.

    In the wake of the 9/11 terrorist attacks, the simultaneous growth of Internet access by individuals worldwide and the opening of computers to outside access was identified as a potential threat to national security. Such attacks could be launched by individual "hackers" or by government agents posing as anonymous users and taking advantage of the Internet's anonymity. Targets could include civilian operations, such as banking, air traffic control, and infrastructure (e.g., electric utilities), which had become vulnerable to myriad tactics, including spyware or small programs planted to be launched at a later time. Such attacks have been made easier by the fact that many "secured" locations share software with independent outsiders; Web browsers, which may include email functions, are often cited as an example.

    To guard against attacks, US-CERT's primary tactic has been to share data so that computer security experts in both government and private enterprise are informed of external events and the measures used to combat them. US-CERT assures the privacy of parties reporting attacks, as many institutions (such as banks) are loath to make public successful or even attempted intrusions into private data networks. The privacy of incoming reports is provided by the Critical Infrastructure Information Act of 2002, which created the Protected Critical Infrastructure Information (PCII) Program. The PCII Program enables members of the private sector to voluntarily submit confidential information related to the cyber infrastructure with the assurance that the information will be protected from public disclosure.

    In return, US-CERT issues periodic bulletins about vulnerabilities in widely distributed software, as well as updated versions that may be downloaded automatically to computers. Despite undergoing several reorganizations since its inception, US-CERT remained committed to the nation’s cybersecurity in the 2020s and held that this was best accomplished by promoting collaboration and partnerships between the federal government and private businesses and individuals. US-CERT has maintained a secure operations center and an updated website with cybersecurity information for the public. It has worked to alert the public to issues such as malware and other malicious code. US-CERT has emphasized that collaboration is needed to be effective, and has provided an alert system and the Government Forum of Incident Response and Security Teams (GFIRST), which has responded to specific incidents.
