Law Enforcers and CSIRTs Meet in New Global Cybercrime Counter-Attack

WASHINGTON - LONDON - TOKYO - June 22, 2006. In a new global initiative against cybercrime the G8 Lyon High-Tech crime group will this month bring together Law Enforcement (LE) agents and Computer Security Incident Response teams (CSIRTs) at an international conference in Baltimore, Maryland, USA.

Brian Nagel, assistant director of the US Secret Service Office of Investigations will present a keynote address, "Building Effective Relationships between CSIRTs and Law Enforcement", in an endeavour to bridge what are seen as cultural and operational differences between LE and CSIRT approaches to security

The conference is being hosted from June 25-30 by FIRST, the worldwide Forum of Incident Response and Security Teams, which leads the world's fight-back against cyber-crime, and consists of the Internet emergency response teams from 180 corporations, government bodies, universities and other institutions spread across the Americas, Asia, Europe and Oceania.

Said Chris Panter of the US Department of Justice: "CSIRTS have deep technical knowledge and often are the first to see sophisticated computer network attacks. Law enforcement has technical capability and legal tools that can help trace and bring computer criminals to justice. Only by better understanding each others' capabilities and working together can we ensure that vital computer networks are protected and that there are serious consequences for those that attack them wherever they may be located."

He added that since the Law Enforcers’ priority was to track down and arrest the perpetrators of cyber-attacks, and FIRST’s priority was to intervene technically and resolve the incident, collaboration between the two "clearly goes a considerable way towards touching all the important bases."

Yurie Ito, of JPCERT Japan, who is joint-chair of the session for FIRST, said: "The G8 Lyon group and FIRST have this in common: G8 has a network of 24-hour points of contact for High-Tech Crime, and FIRST member teams likewise run an international, round-the-clock vigilance, early warning and intervention service against cyber incidents."

"But at the moment there are dissonances between Law Enforcement agencies and CSIRTs, because they view their missions in disparate ways, and process information differently."

"But where co-operation has taken place – for example in a joint operation by Microsoft, the FBI and local police to track down and arrest the ‘Zotob’ worm author – it proves devastatingly effective."

Lessons learned from incidents like the ‘Zotob’ episode will be brought to the conference to illustrate routes forward to collaboration through best practice.

"Cybercrime isn’t going away – it’s becoming more prevalent", said Mike Caudill, FIRST’s chair. "Incident Response teams are the people who shoulder responsibility for threats, vulnerabilities and intrusions. Only through working together with each other and with law enforcement can we effectively combat cyber-crime."

"That’s why this year’s FIRST conference is a landmark in the battle against high-tech crime. As well as the G8 Lyons session we have more than thirty presentations on subjects ranging from Botnets to Worm Detection systems, and from the use of time signatures to detect attack tools to the way networks can be designed to aid forensic investigations."

Yurie Ito added: "The internet is such a vast arena than inevitably there are duplications as different organisations work towards the same objectives. We believe that FIRST is best placed to maximise efficiency by bringing together groups whose activities overlap and aligning their efforts in a way that eliminates confusion and gets us all shooting at target from the same direction – and not taking two or three shots when one will do."

FIRST was last year appointed to manage the operational usage of the Common Vulnerability Scoring System, which provides open and universally standard severity ratings of software vulnerabilities

This appointment was made by the United States National Infrastructure Advisory Council, which advises President George W. Bush through the Department of Homeland Security on the integrity of information systems providing critical infrastructure for banking and finance, transportation, energy, manufacturing and emergency government operations.

FIRST's incident response teams draw their members from, among others, Apple, Boeing, British Telecommunications, Cablecom, Cisco Systems, Citigroup, Commerzbank, Deutsche Bank, Energis, Ernst and Young, Fujitsu-Siemens, the German Savings Bank, Google, Goldman Sachs, IBM, Intel, JP Morgan, Merrill Lynch, NASA, NATO, Nortel, Oracle, the Royal Bank of Scotland, Sprint, Sun Microsystems, Symantec, Wells Fargo, the American Red Cross Computer Emergency Response Team, CERT Bundeswehr, CERT Chile, the Danish Computer Security Incident Response Team, CERT Italiano, CERT Israeli Academic, Japan Security Operation Centre, CSIRT Korea, CERT Malaysia, Ontario Information Protection Centre, CERT Polska, CERT Slovenia, CERT Singapore, CERT Swiss Education and Research Network, CERT Taiwan, CERT US Department of Defense, CERT HM Government, UK, CERT US Department of Defence, the US Army Emergency Response Team, the US Computer Emergency Readiness Centre, the US Postal Service Computer Incident Response Team, the Massachusetts Institute of Technology, Georgia Institute of Technology and the Universities of Chicago, Georgia, Indiana, Michigan, Northwestern, Oxford, Pennsylvania State, Rechenzentrum, Stanford, and Wisconsin-Madison.