Policy Paper 19 November 2015

National CSIRTs and Their Role in Computer Security Incident Response

by Robert Morgus, Isabel Skierka, Mirko Hohmann, Tim Maurer
GPPi & New America

Executive Summary

Computer Security Incident Response Teams (CSIRTs) are an important pillar of global cybersecurity. What was once a small and informal community now comprises hundreds of CSIRTs, including governmental and non-governmental institutions. An important trend in recent years has been the institutionalization and creation of national CSIRTs (nCSIRTs). Indeed, the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UNGGE), which is leading the international community’s efforts in negotiating global cybersecurity norms under the auspices of the United Nations, made several references to nCSIRTs in its 2015 report and encourages countries to establish nCSIRTs.

Where these teams reside within a given government, as well as their role, authorization, authority and funding, vary from country to country. Some teams reside within government structures like ministries, others are part of law enforcement or intelligence agencies, and still others are set up as non-governmental organizations. As a result, there are significant discrepancies between nCSIRTs around the world, such as in their interaction with the law enforcement and intelligence agencies of their host country. Moreover, the process of establishing an nCSIRT is not without friction. Some cybersecurity experts and CSIRT practitioners are concerned that the trend toward nCSIRTs is leading to politicization and undermining trust relationships within the community. While the increasing political attention on CSIRTs demonstrates a laudable effort to enhance cybersecurity, policy-makers must be aware of the potential unintended negative consequences.

This report analyzes these issues in greater detail and has three sections. First, it provides an overview of nCSIRTs as a distinct category and community within the broader CSIRT landscape. Their existence is a fairly recent development, and we hope that this introductory overview will be useful for policy-makers, scholars and CSIRT practitioners alike. Second, we examine the different priorities of government actors in network defense and how these priorities sometimes conflict. Third, we present policy recommendations that aim to clarify the role, mission and organizational setup of nCSIRTs as well as their relationship with intelligence and law enforcement agencies.

We argue that an nCSIRT’s mission and mandate must be clearly and transparently defined, and that nCSIRTs should not be part of an intelligence or law enforcement agency, nor report directly to either. Similarly, an nCSIRT should not engage in political activities like the control of content and the censorship of free speech, nor collect digital intelligence for reasons other than securing computer networks and systems. Finally, we believe that governments should endorse the UNGGE’s norm regarding CSIRTs and should not use CSIRTs to conduct or support offensive cyber operations. They should also not prevent CSIRTs from providing assistance.

Introduction

Computer Security Incident Response Teams (CSIRTs) are an important pillar of  global cybersecurity. What was once a small and informal community now comprises hundreds of CSIRTs, including governmental and non-governmental institutions. Moreover, CSIRTs arose from an often discreet and sometimes deliberately secretive community of technical experts who were primarily operationally minded; now, they are at the forefront of national and international cybersecurity policy-making. An important trend in recent years has been the creation of national CSIRTs (nCSIRTs).

In its 2015 report, the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UNGGE), which is leading the international community’s efforts in negotiating global cybersecurity norms at the United Nations, made several references to nCSIRTs. Most notably, the UNGGE encouraged states to “establish a national Computer Emergency Response Team (CERT), Computer Security Incident Response Team (CSIRT) or to officially designate an organization to fulfill this role. . . .States should support and facilitate the functioning of and cooperation among national CERTs, CSIRTs, and other authorized bodies.”1

This is a process not without friction. Based on our participation in international cybersecurity policy processes at the UN, the Organization for Security and Cooperation in Europe (OSCE) and elsewhere, as well as in some of the CSIRT community discussions at the 2015 annual Forum of Incident Response and Security Teams (FIRST) Conference and the 2015 annual meeting of nCSIRTs, there remains a significant gap between the traditional security policy–oriented and the network security–oriented communities, even as they increasingly converge and overlap in cybersecurity matters.

As we have noted in the first study of our publication series on CSIRTs, many CSIRT practitioners share the goal of ensuring technical network security and making the Internet more secure.2 Apart from sharing threat information, CSIRTs also cooperate by sharing response and mitigation strategies with each other, traditionally very informally, in small meetings, phone calls or chats with practitioners they trust or deem likely to be affected by a specific threat. These informal ways of cooperation form the basis of organic trust relationships among CSIRTs, though they are increasingly complemented by automated information-sharing systems.

There is growing concern among some in the technical and security research communities that the trend toward nCSIRTs is leading to politicization and undermining the trust relationships of the community. As the Best Practice Forum on Establishing and Supporting Computer Security Incident Response Teams (CSIRT) for Internet Security notes, “New national centres are created. In some cases, these centres may report to national security or law enforcement institutions. While not necessarily inappropriate, this can in some cases seriously hamper cooperation with other CSIRTs.”3 Relatedly, in November 2015, reports suggested that Carnegie Mellon Universitys CERT Coordination Center (CERT/CC) has been helping the FBI break the anonymity function of The Onion Router (Tor), the secure browsing application used by privacy conscious users to browse anonymously. As a result, some speculate that CERT/CC risks losing its reputation as an honest broker in the IT security and incident response community.4

We analyze these issues in greater detail and seek to contribute to the broader debate on nCSIRTs. In this report, we have two primary goals. First, we aim to provide an overview of nCSIRTs as a distinct category and community within the broader CSIRT landscape. Their existence is a fairly recent development, and we hope that this basic overview will be useful for policy-makers, scholars and CSIRT practitioners alike. Second, we hope to highlight that the nationalization of CSIRTs raises important questions about the ideal role and function of these new institutions, and about how they do, can and should relate to the existing community and other government actors.

This report has three parts. We start with an introduction of nCSIRTs. Next, we examine the role of nCSIRTs in incident response and their relationship with law enforcement and intelligence agencies. The latter were selected because those in the community who see existing trust relationships as at risk repeatedly referenced law enforcement or intelligence agencies’ relationships with nCSIRTs as a source of concern. Finally, we present four policy recommendations aimed at building a legal framework for, and increasing transparency regarding, nCSIRTs.

The content of this report is based on a review of existing literature;5 interviews with experts and practitioners who work in law enforcement and intelligence agencies, security research and CSIRT communities around the world; and an expert workshop held in Washington, DC, with experts from the United States and abroad. The authors did their best to collect data globally and to interview experts from different regions.
But due to several constraints, the majority of the interviews were conducted with experts in the US and Europe.

Further research and case studies covering different regions are needed to advance the nascent research efforts on nCSIRTS. Moreover, the analysis – especially in the second part – mainly focuses on democratic countries and their bureaucratic structures. It is also important to note that nCSIRTs are only one component of incident response, and that the first response is usually carried out by private sector companies that own and operate the infrastructure as well as firms that specialize in incident response.

We hope that this report will be helpful for the UNGGE process and the implementation of its consensus report, which includes the following suggested norm:

    States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cybersecurity incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity.6

Effectively implementing the UNGGE’s recommendations requires a better understanding of the CSIRT landscape and raises a number of questions. For example, what does “authorized emergency response teams” mean? Can any CSIRT be authorized by a state and thereby included under the protective umbrella of this norm or only nCSIRTs? Can a state simply authorize a CSIRT and then communicate that authorization? Or does the authorization process include some sort of peer review or recognition? Moreover, what constitutes “harm,” as used in the report? Does unauthorized access to an information system constitute harm? Similarly, what constitutes “malicious international activity”? And what about the idea that a state should not prevent a CSIRT from providing assistance? These questions will be explored in greater depth in the third and final paper of our series.

...

The full policy paper is available for download. For references, please refer to the full policy paper.

This paper is part of a joint project by GPPi and New America called Transatlantic Dialogues on Security and Freedom in the Digital Age.

Essay 27 August 2018

Wider das autoritäre Modell

by Thorsten Benner, Mirko Hohmann
Internationale Politik

Book 16 July 2018

Cybersecurity in Germany

by Isabel Skierka, Martin Schallbruch
Springer

Policy Paper 28 June 2018

How European Internet Foreign Policy Can Compete in a Fragmented World

by Mirko Hohmann, Thorsten Benner
GPPi

Commentary 19 April 2018

Digital Geneva Convention: Microsoft als Normunternehmer

by Thorsten Benner
Microsoft Berlin

Commentary 12 April 2018

Germany’s Half-Baked Approach to Fighting Disinformation

by Alexander Pirang
Council on Foreign Relations