Keep CSIRTs out of the lines of fire

by Serge Droz on behalf of the FIRST board
Thursday, February 24th, 2022

As the ongoing conflict in the Ukraine keeps escalating, we continue receiving reports about an increase of cyberattacks.

FIRST has members from nearly 100 countries, among them teams from the conflict region. Together with all FIRST members these teams have helped fight cyber crime and protect their users from malicious cyber operations. This will not change during this crisis. CSIRTs are often dubbed the fire fighters of the internet; with good reason: Incident responders are usually the first to mitigate an attack and help victims recover. This is particularly true for teams with a national responsibility, that protect critical infrastructures, which enjoy special protection during conflicts.

States have recognized this by agreeing to the 11 norms proposed in the UN GGE 2015 consensus report.

FIRST encourages states and all its members to respect these norms, in particular norms
k: States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cybersecurity incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity.

and
f: A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public;

FIRST aspires to bring together incident response and security teams from every country across the world to ensure a safe internet for all..

In the spirit of the mission of FIRST, our intention is to point members to the cyber norms as a reminder of the purpose of national response teams.

2022-02-26: This blog has been reviewed and edited on items that detracted from its intended message.