11^th FIRST Conference on Computer Security Incident Handling and Response

Stream 1: 19:00
Title: FIRST's role in the International Infrastructure Issues for Global Incident Response

We are working on a project involving the SEI and the US State Department. The project stems from the US State Department's interest in encouraging cooperation with other governments on protecting critical infrastructure assets.

The work we are undertaking involves the development of a white paper discussing the International Infrastructure Issues for Global Incident Response. In it's current form the paper outlines a vision consisting of the following four interdependent key elements:

1. An infrastructure to enable and coordinate global incident response efforts
2. A forum to facilitate the discussion and development of international standards, policies and agreements that support global security incident response
3. A capability to participate in the improvement of technology through the collection, analysis and dissemination of practical experiences, data and lessons learned in the global incident response community
4. A professional organization to enhance the recognition and education of incident response and security personnel and teams

This vision cannot be achieved without international participation, commitment and cooperation among governments, law enforcement, commercial organizations, researchers, and practitioners such as FIRST members who have experience in responding to current incidents.

The US State Department is interested in getting feedbackfrom the FIRST membership on the white paper and ideas expressed within it.

From FIRST's perspective, this is a opportunity to build on the work of previous task forces and consider what role FIRST can play in this vision. The first draft of the white paper will be distributed at or prior to theFIRST conference in Brisbane and we are planning to hold a BoF at the conference to obtain verbal feedback.

Many organizations, including Telcordia Technologies (formerly Bellcore/Bell Communications Research) have been assisting several domestic (USA) and international tradition telecommunication organizations in recent years in responding to the telephony convergence. These large carriers have a structured topology, a structured methodology, and a very predictable operation. On the contrary smaller unrestricted organizations have emerged throughout the world in the past decade providing niche data services to local markets.

Now these nontraditional carriers are merging domestically and globally. UUnet, ANS, BBN, and CompuServe are now one, under a not so traditional carrier MCIWorldcom. Digex is now under Intermedia. MCI and BT form Concert. DialUp Points of Presence (POP) are growing like mushrooms all over the world; Africa, Asia, South Pacific, Carribean, South America, and hundreds more each day. The explosion of dedicated circuits to not just academic and research institutions is bring millions of new hosts onto the Internet monthly.

And what will the future be for the EU carriers? Asia? What was non-traditional is now the norm. We cannot expect traditional actions or reactions to tomarrows incidents and threats.

This BOF will openly discuss how we as incident handlers will respond to these new carriers. We will explore whats happening in the industry and discuss options for handling incident response with these ever changing organizations.

The goal of this BOF will be provide the participants with the tools and information to collect and maintain data concerning the global telephony carriers in order to assist in the incident response process.

This will be a Q&A session where people can ask Jeff Carpenter, the parliamentarian for the FIRST AGM, any questions about Robert's Rules of order or parliamentary procedure that they wish. Topics that can be covered are the reasons why certain things are done they way are, explanations on how to accomplish specific things in a meeting, or, if nothing else, perhaps try to stump the parliamentarian with complex questions.

Many FIRST teams issue advisory notices about security vulnerabilities. The preparation for issue of such notice typically involves a number of parties, possibly including one or more discoverers of a vulnerability, one or more vendors of vulnerable products, and one or more coordinating entities.

A set of informal norms have arisen for this process. However, these norms don't seem to be written down anywhere, and are being tested both by cultural changes within the security community, and by structural changes, such as the increasing number of teams and the advent of the "security company" as a real force.

There is significant disagreement about how such advisories should be timed, and about what responses should be expected from the various parties. Public announcements by outside parties threaten the relevance of advisories issued under the traditional "wait for the vendor" regime. Simultaneous issuance of advisories by multiple organizations is becoming more frequent. Furthermore, the issue of credit for discovering security vulnerabilities has begun to become important.

This session will be centered around issues of advisory timing and credit in advisories, but may extend to discussion of other norms of the advisory process, and of other processes for disclosure of security bugs. The goal is to start a discussion which may eventually result in better-defined, better-accepted, and more appropriate norms.

The FIRST Steering Committee will be conducting a pre-conference meeting on Sunday 13 June 1999. Attendance and participation at the pre-conference meeting is limited to FIRST team members and their invited guests, subject to approval by the Steering Committee. This BoF session has been scheduled to permit further discussion of topics that are not resolved during the Sunday meeting.

This session may also be used or extended as necessary to prepare and discuss motions to be put during the FIRST AGM at 16:30 on Thursday 17 June.

Last modified: Mon Jun 7 10:06:08 EST 1999