The History, Types & Culture of Computer Security Incident Response Teams - GPPi


CSIRT Basics for Policy-Makers
Working Paper

The History, Types & Culture of Computer Security Incident Response Teams
By Isabel Skierka, Robert Morgus, Mirko Hohmann, Tim Maurer

In this paper, we examine the history, types and culture of Computer Security Incident Response Teams (CSIRTs). Some CSIRT practitioners and policymakers have differing views of what a national CSIRT should be, how it should operate, where it should be situated and how it should relate to the rest of the computer security incident response network within its country. This brief is intended to provide a short history and overview of the culture of CSIRTs in order to help build a common understanding. This lays the foundation for subsequent publications, which will examine some of the critical issues in greater depth.

This paper is the first in a series examining the role of CSIRTs in cybersecurity and is part of a joint project of New America and the Global Public Policy Institute (GPPi), called "Transatlantic Dialogues on Security and Freedom in the Digital Age." For more information on the project, visit: www.digitaldebates.org.

May 2015

New America

The authors would like to thank the members of the Steering Committee of the project "Transatlantic Dialogues on Security and Freedom in the Digital Age" (for more information, visit www.digitaldebates.com), the participants of the workshop hosted in Washington, D.C., on February 19, 2015, and all the experts who volunteered their time to contribute to the study.

This brief is the first in a series of papers on CSIRTs. The studies to follow will shed light on recent and current trends related to CSIRTs in cybersecurity policy, situate CSIRTs in the broader cybersecurity discussion, and look at how and when the principles of the CSIRT community coincide or conflict with other policy objectives. Finally, the studies will examine ways to increase the cooperation and effectiveness of the global network of CSIRTs.

This report has been funded with the assistance of the European Union Delegation to the United States and the Ministry of Foreign Affairs of the Netherlands. The content of this report is the sole responsibility of New America and GPPi, and can in no way be taken to reflect the views of the European Union or the Ministry of Foreign Affairs of the Netherlands.

In Memory of Roger Hurwitz

In April 2015, the cybersecurity community lost one of its brightest thinkers, Dr. Roger Hurwitz. Roger was one of the most active members of the steering committee of this project, and his thoughtful insights, sharp humor, and infectious smile and enthusiasm for the subject will be missed by this team and indeed by all who knew him.

Table of Contents

Acronyms
Introduction
History and Evolution of CSIRTs
CSIRT Types
CSIRT Functions Today: Beware of the "R" in CSIRT
Maturity of National CSIRT Networks
CSIRT Culture
Conclusion
Bibliography

Acronyms

APCERT: Asia Pacific Computer Emergency Response Team
Brazilian Academic and Research Network
Computer Security Incident Response Team
CamCERT: Cambridge University Computer Emergency Response Team
CERT: Computer Emergency Response Team or Computer Emergency Readiness Team
CERT.br: Brazilian National Computer Emergency Response Team
CERT/CC: Computer Emergency Response Team Coordination Center at Carnegie Mellon University
CERTCC-KR: Computer Emergency Response Team Coordination Center Korea
European Central Bank Computer Emergency Response Team
CERT-EU: Computer Emergency Response Team for EU institutions, bodies, and agencies
CERT-GH: Ghana Computer Emergency Response Team
Israeli Government Computer Emergency Response Team
CERT-RO: Former Dutch Computer Emergency Response Team Rijksoverheid
CGI.br: Brazilian Internet Steering Committee
CIIP: Critical Information Infrastructure Protection
CIP: Critical Infrastructure Protection
CIRT: Computer (or Cyber) Incident Response Team
CSIRT: Computer (or Cyber) Security Incident Response Team
DARPA: Defense Advanced Research Projects Agency (U.S. Department of Defense)
DFN: Deutsches Forschungsnetzwerk (German Research Academy Network)
DoD-CERT: Department of Defense Computer Emergency Response Team
ENISA: European Union Agency for Network and Information Security
FIRST: Forum for Incident Response and Security Teams
FS-ISAC: Financial Services Information Sharing and Analysis Center (U.S.)
GNOSC: Global Network Operations and Security Center
GOVCERT.NL: Former Dutch Governmental Computer Emergency Response Team
ICS-CERT: Industrial Control Systems Cyber Emergency Response Team (U.S.)
ICT: Information and Communications Technology
IRT: Incident Response Team
ISAC: Information Sharing and Analysis Center
ISP: Internet Service Provider
IT: Information Technology
JPCERT/CC: Japan Computer Emergency Response Team Coordination Center
JTF-GNO: Joint Task Force-Global Network Operations
MoU: Memorandum of Understanding
NBSO: NIC.br Security Office

NCC: National Coordinating Center for Telecommunications
NCCIC: National Cybersecurity and Communications Integration Center
NCSC: National Cyber Security Centrum of the Netherlands
NDA: Non-Disclosure Agreement
NIC.br: Brazilian Network Information Center
OCERT: Oman Computer Emergency Readiness Team
SEI: Software Engineering Institute at Carnegie Mellon University
SERT: Security Emergency Response Team
SingCERT: Singapore Computer Emergency Response Team
Sri Lanka CERT|CC: Sri Lanka Computer Emergency Readiness Team
SME: Small and Medium Enterprises
SURFnet: Collaborative organization for ICT in Dutch higher education and research
TF-CSIRT: Task Force Computer Security Incident Response Team
ToS: Terms of Service
US-CERT: United States Computer Emergency Readiness Team (housed in the U.S. Department of Homeland Security)

Introduction

Computer Security Incident Response Teams (CSIRTs) are an important pillar of global cybersecurity. Some describe CSIRTs as akin to digital fire brigades, centers for disease control, or digital Emergency Medical Technicians: first responders whose mission is to put out the fire, or to assess the situation and keep the victim alive.[1] What was once a small and informal community is now composed of hundreds of CSIRTs, which are increasingly managed by national or regional coordinating bodies within more formally organized institutional networks. They have come to form a key part of the complex regime of "loosely coupled norms and institutions" that govern cyberspace today.[2] At the same time, CSIRTs are facing a tipping point. They are becoming increasingly part of the broader cybersecurity policy discussion and fa

Key term: Computer security incident. A computer security incident can be broadly defined as a real or suspected adverse event in relation to the security of computer systems or networks. Examples include attempts to gain unauthorized access to a system or its data, unwanted disruption, and unwanted system changes. See: "CSIRT