from Net Politics and Digital and Cyberspace Policy Program

The Challenges Facing Computer Security Incident Response Teams

NCCIC US-CERT CSIRT Net Politics Cyber CFR

July 20, 2015

Blog Post

Tim Maurer is the director of the Global Cybersecurity Norms and Resilience Project and Head of Research of New America’s Cybersecurity Initiative. Isabel Skierka is a research associate at the Global Public Policy Institute.

In mid-June, the German parliament scrambled to repel the worst cyberattack in its history. Meanwhile, 800 IT security experts and members of Computer Security Incident Response Teams (CSIRTs) from around the world met just a few blocks away at the annual meeting of the Forum for Incident Response and Security Teams (FIRST). Responding to attacks like the one against the Bundestag is at the core of a CSIRT’s daily tasks. As cybersecurity has become a core strategic interest for companies and governments alike, there is a growing need to safeguard CSIRTs’ operational independence from other political objectives and to strengthen them as a neutral pillar of global cybersecurity.

CSIRTs have been a cornerstone of cyber incident response for decades. Also known as Computer Emergency Response Teams (CERTs), CSIRTs are teams of technical experts whose mission is to maintain and protect the security of their customers’ computer networks and the systems that rely on them. For example, when the OpenSSL Heartbleed vulnerability was discovered last year, which security expert Bruce Schneier called a “catastrophic bug,” US-CERT issued an alert and a white paper containing an overview of the systems affected, a description of the threat, and recommendations for solutions and mitigation. US-CERT worked with private sector partners, the FBI, the Financial Services Information Sharing and Analysis Center, and the Canadian Cyber Incident Response Center to prepare and disseminate alerts. CSIRTs can be based at private companies, governments, universities, or other organizations.

While their primary mission is technical in nature, they are under growing pressure to accommodate various policy and political objectives of the countries in which they are located.

A growing number of governments have been setting up national CSIRTs to coordinate CSIRT activity within their borders. Additionally, CSIRTs are increasingly referenced in cyber norm discussions at the United Nations and the Organization for American States. Cybersecurity capacity building efforts now routinely include programming aimed at creating national CSIRTs and strengthening cooperation between existing ones.

All of these activities raise a number of important policy questions: What constitutes a national CSIRT? How is it institutionalized? How should it function in countries with existing CSIRTs? Should it coordinate a national response to a major cyber incident and if so, how?

These are some of the questions we put to the CSIRT representatives at the FIRST conference as part of our CSIRT project. During the discussion, we explored ways to improve the policy and technical communities’ understanding of the role of CSIRTs. It became clear that cooperation between national CSIRTs can serve as a communication channel for countries with otherwise strained diplomatic relations and can help build confidence between them to improve network security. An example of such collaboration is APCERT, a coalition of CSIRTs from thirteen economies across the Asia Pacific region, including the Japanese, Korean, and Chinese national CSIRTs.

At the same time, as more and more governments establish national CSIRTs, there is a need to mitigate the risk of unintended consequences. For example, existing trust relationships among practitioners could be undermined if CSIRTs are perceived as being an agent of the government or company they work for. This makes it all the more important to enshrine operational principles that ensure CSIRTs can operate independently from other actors’ vested political and commercial interests. CSIRTs need to assess reported vulnerabilities and threats as a neutral party without a hidden or specific political agenda.

A major challenge that the CSIRT community faces is ensuring that existing relationships among its practitioners will continue to scale as more and more users and devices connect to the global network. Another challenge is to manage and integrate the growing number of government-driven CSIRTs into the existing governance system. We need more such opportunities to discuss these thoughts and build bridges across communities. Therefore, we were delighted to have the chance to also present these thoughts along with our research at the annual meeting of national CSIRTs that took place right after the FIRST conference.

It is only a matter of time until news breaks of the next big cyber incident. In recent years, the steady drumbeat of incidents has shown that cyberspace has become an environment rife with competition and conflict. But many cybersecurity threats, such as common viruses or botnets, affect just about everyone. The work of CSIRTs is an effective reminder that we should leverage common interests in keeping cyberspace safe and create a strong foundation for cooperative structures to emerge.
