As part of achieving our mission of enabling incident response teams to more effectively respond to incidents, FIRST often contributes technical expertise to Internet Governance stakeholders by providing context, best practices and information around the role of security teams.
As an outcome of the World Summit on the Information Society in Tunis in 2005, the United Nations Secretary-General announced in July of 2006 the creation of an internet governance body called the Internet Governance Forum (IGF). The IGF is a forum for multi-stakeholder dialogue on public policy issues related to internet governance.
Rather than a formal body of negotiation, the IGF is the United Nations forum which creates an opportunity for open and inclusive dialogue and the exchange of ideas around internet governance. Participants in the IGF hail from all major stakeholder communities: private sector, intergovernmental organizations and government, civil society, academia and the technical community.
FIRST and its experts, as members of the Technical Community, regularly participate in the Internet Governance Forum as part of technical panel sessions and through more structured working groups. This enables the FIRST community to share its expertise and best practices with other technology community stakeholders, and to create awareness of the mission of incident response and security teams among policymakers.
In 2013, the IGF Multistakeholder Advisory Group (MAG) decided to increase its intersessional work, including the development of a Best Practices Forum on Establishing Computer Security Incident Response teams for Internet Security. Maarten Van Horenbeeck, Christine Hoepers, Adli Wahid, Yurie Ito and Jean-Robert Hountomey participated as lead experts to the forum. Various other FIRST members contributed to the discussions.
The forum’s goal was to determine opportunities and challenges involved in the establishment of Computer Emergency Response Teams.
A video recording of the Best Practices Forum meeting in Istanbul is available. The session was led by Christine Hoepers, Adli Wahid and Maarten Van Horenbeeck of FIRST.
The final outcome document can be downloaded here.
The multi-stakeholder group noted the following insights:
- There is a strong preference for the term CSIRT over CERT. This is the reason why the CSIRT abbreviation is used in this document.
- There are different CSIRTs within different organizations. Their goals, constituency and services may differ. However, all are involved in mitigating cybersecurity incidents or emergencies on behalf of their constituency. This constituency can be within their own organization and/or can be delivered to others outside of it.
- The most important factor is that these CSIRTs are able to work together, accept each other’s information and deliver what they are supposed to.
- In cooperation, everything comes down to trust. There is no legislation that can give trust to an organization. It is built up over time, time and again, by delivering what is needed and promised, in a timely fashion, and providing the security and adhering to the sensitivities needed for cooperation.
- The success or failure of a CSIRT has everything to do with the correct determination of its deliverables, next to the perceptions of other stakeholders. Sometimes, success is not clearly defined, which contributes to confusion around whether the CSIRT is delivering or not.
- The way CSIRTs cooperate on the global, regional and national level on sharing knowledge, providing training facilities and actively working on trusted relationships has led to documents that are freely shared and available to all. These documents often describe a possible way to achieve a certain goal, rather than define a common practice which the community has converged upon.
- Many CSIRTs around the world mitigate incidents and respond to emergencies on a daily basis and are successful in their work. They do so in collaboration with many different partners. There are several formal and informal networks that have proven to be a success. However, these networks are not easily accessible to everyone concerned yet, due to regional differences in budgets and priority settings.
- There is a clear need for a “CSIRT of last resort” in a country. It is not important who this CSIRT is, as long as its function is clear to all and it is able to act on request for assistance from third parties. In many countries this will be a national, governmental CSIRT, but, as examples show, it may also be a CSIRT operated by other stakeholders. The most important thing is that a CSIRT is able to coordinate any incident at a national level, when no other party involved is able to take on that role.
During the main wrap-up session, Adli Wahid provided a briefing on the Best Practices Forum. A video of the complete wrap-up session is available in English, Arabic, Spanish, and Turkish.
A video recording of the Best Practices Forum meeting in João Pessoa is available. The session was moderated by Christine Hoepers of FIRST.
A transcript from the session is also available here.
The final outcome document can be downloaded here.
The multi-stakeholder group noted the following insights:
- There is a need for policymakers to discuss the role of CSIRTs with the CSIRT community to avoid misconceptions around the role of CSIRTs.
- CSIRTs are recommended to be actively involved in relevant policy discussion at both the national and international level. In order to engage with other stakeholders it is important to be where they are. The provided examples show that it brings influence and understanding.
- Every government has the right to create the CSIRT it needs. It is recommended though that governments make an informed decision, taking into consideration the potential consequences of their choice.
- Where CSIRTs are concerned, privacy and security have to stand together in order for a CSIRT to be truly successful.
- Data protection is a term that is better understood in a general sense than privacy. Hence it is advised to use this term in a CSIRT context more as it is far more concrete.
- Data protection has to be at the core of the work of a CSIRT.
- It is recommended to involve Data Protection Commissioners more in the work of CSIRTs.
- To ensure transparency and accountability where data protection is concerned, it is advised to make a study whether a standard protocol can assist attaining transparency, as well as more conscious decisions about limits to data sharing, anonymization of data where possible and the handling of data by CSIRTs.
- CSIRTs should minimize data collection and processing, while also focusing on their constituency and anonymizing relevant information.
- A well-run CSIRT is an essential part in the protection of data and security within a society.
- Further study is recommended into the expanding role of CSIRTs. This could, for example, include whether there are sensible limits to the tasks given; what role a CSIRT can play in enhancing cooperation in the security chain between other stakeholders, e.g. manufacturers of ICT products and providers of ICT services; and whether the current definition of a CSIRT matches the reality of the work asked and tasked.
- Further study is recommended into the ways CSIRTs and law enforcement can enhance their cooperation in meaningful ways, each from within its respective mission.
- Further study is recommended into responsible disclosure and how to create conditions in which ethical hackers can contribute to a safer Internet experience for all.
- CSIRTs have a role in handling effects of cybercrimes and providing technical support for investigations, but cybercrime is overall crime and as such should be dealt with by law enforcement entities, like the police. Containing too much of this work within a CSIRT, or making a CSIRT part of a law enforcement agency, is likely to have significant impact on its ability to work with the private sector.
- The work of this BPF is seen as extremely valuable by the community. It is recommended to be continued.
During the main wrap-up session, Christine Hoepers provided a briefing on the Best Practices Forum. A video of the complete wrap-up session is available in English, Arabic, Spanish, Russian, French and Chinese.
Leading up to the 11th session of the IGF in Mexico, several FIRST experts contributed a formal response to the BPF on cybersecurity. In addition, we invited our members to submit individual responses where they had meaningful best practices to add, upon which several submitted a public response.
A video recording of the Best Practices Forum meeting in Guadalajara is available. The session was moderated by Maarten Van Horenbeeck of FIRST.
The following provisional statements found general consensus across the multi-stakeholder community which participated in the forum:
- The involvement of government, private sector, civil society and other stakeholders in handling cybersecurity was stressed as fundamental in terms of sharing best practices, sharing results of critical assessments and identifying globally accepted standards of cybersecurity. All stakeholders must understand, respect and trust each other’s expertise and competences.
- It was emphasized that to many today, the word “cybersecurity” is often loaded with context, and many organizations associate it with government decision making, or commercial security solutions. Within the IGF, it was said, there is an opportunity to redefine cybersecurity as a common goal between all stakeholders, and to work towards finding a common understanding about what productive cooperation and collaboration might look like.
- It was said that the term “cybersecurity” can mean very different things to different stakeholders depending upon the context in which it’s being used (national security; public security; enterprise security; incident response; personal security; protection against large scale data breaches and cyber crime/online crime; uncertainties about how our data is being used; surveillance and other online threats, etc.).
- There was broad agreement that the roles and responsibilities of stakeholders are evolving in making the Internet a secure and safe place for people to socialize and conduct business. It is clear that security is no longer just the purview of governments and that it is increasingly a multistakeholder imperative.
- Evolving understandings of cybersecurity make efforts to ensure the Internet is a secure and safe place an important focus of policy that requires input from multiple stakeholders. Starting from a dominant technical perspective of cybersecurity and focusing on protecting information infrastructure, debates around cybersecurity have rapidly broadened, bringing in many issues from cybercrime to secure access policies to data ethics and human rights under its banner.
- There was general consensus within the BPF around the notion that cybersecurity initiatives should be built on democratic, multistakeholder processes, ensuring the meaningful and accountable participation of all stakeholders, including governments, the private sector, civil society, the technical community, the academic community and users.
- It’s imperative to promote more robust, effective and timely information-sharing, cooperation and coordination among cybersecurity stakeholders at the national, regional and international levels. Cooperation and collaboration are key in cybersecurity, not only to avoid duplicate work and analysis, but also in respect to less mature entities, which can profit from the experience and expertise of others and as such develop faster thereafter.
- Within the CSIRT community, automating information exchange where possible, and ensuring CSIRTs’ ability to process information at an increasing pace, is extremely important. CSIRTs can often be resource constrained in terms of qualified analysts, and allowing them to focus on harder problems that require expert review is critical. However, it is important to clarify that prior to any automated exchange taking place, it is crucial for stakeholders to set expectations around how the data will be used. Sharing indicators may not be helpful if they are not used correctly, or are used for different purposes than intended. While there are typically many technical means of addressing a security incident, it is most important that goals are aligned and expectations are clearly set.
- For CSIRTs to effectively work with each other, or other peers within the community, trust is a crucial requirement. Trust is typically not established through legal agreements, but through a history of working with each other. Developing trust is easiest when the objectives of both organizations align. When both organizations have as their goal to remediate the incident and restore operations, they both see value in the information exchange.
- There is a need for more civil society involvement in cybersecurity debates in all countries, and in particular in developing countries. Furthermore and in parallel with increased participation, more opportunities for education and awareness raising among civil society groups on issues of cybersecurity should be supported. For cybersecurity cooperation and collaboration to be enhanced globally – and particularly in global south countries – the first step is to create a level playing field in terms of knowledge, skills and capacity for engagement.
During the main wrap-up session, Maarten Van Horenbeeck provided a briefing on the Best Practices Forum. A video of the complete wrap-up session is available in English, Arabic, Spanish, and French.
FIRST was represented in the following panels:
Cross border cooperation in incidents involving (Internet) Critical Infrastructure
Maarten Van Horenbeeck participates in a discussion on how cross border incidents can be resolved, and whether or not a new “law of the seas” that applies to cyberspace would be beneficial. More information on the workshop, and a transcript, can be found here.
FIRST was represented in the following panels:
Multi-stakeholder approaches to cybersecurity awareness
Board member Adli Wahid represents FIRST in a discussion on cybersecurity awareness. A transcript is available here.
Building Technical Communities in developing countries
Board member Maarten Van Horenbeeck presents how FIRST came to be, and grew into the organization it is today, in a discussion on building technical communities that work in developing countries.
National and International Information Sharing Model in Cybersecurity & CERTs
Maarten Van Horenbeeck discusses some of the key elements that make information sharing programs successful.
FIRST was represented in the following panels:
Let’s break down silos in cybersecurity and cybercrime!
Christine Hoepers and Maarten Van Horenbeeck represent FIRST, how it overcomes information sharing challenges, and where it still sees issues today.
FIRST would like to thank the following individual FIRST participants for having been significant contributors to our ongoing engagement with the IGF and other internet governance forums: Yurie Ito, Christine Hoepers, Serge Droz, Adli Wahid, Andrew Cormack, Belisario Contreras, Don Stikvoort and Jordana Siegel. We would also like to thank UN consultant Wout de Natris for his support of the CSIRT BPF project.