CSIRT Project

As cybersecurity has risen up the political agenda, policy-makers have taken greater interest in Computer Security Incident Response Teams (CSIRTs). The CSIRT Project is designed to examine the role of CSIRTs in cybersecurity by examining the history and evolution of CSIRTs, shedding light on recent and current trends in cybersecurity policy that relate to CSIRTs, embedding them in the broader cybersecurity discussion, examining where principles of the CSIRT community coincide or conflict with other policy objectives, and examining ways to increase the cooperation and effectiveness of the global network of CSIRTs. The project is supported by the Ministry of Foreign Affairs of the Netherlands.

Working Paper 1

CSIRT Basics for Policy-Makers: The History, Types & Culture of Computer Security Incident Response Teams

by Isabel Skierka, Robert Morgus, Mirko Hohmann, Tim Maurer
May 2015

Executive Summary

Computer Security Incident Response Teams (CSIRTs) are an important pillar of the global cybersecurity ecosystem. Some describe CSIRTs as akin to digital fire brigades, centers for disease control, or digital Emergency Medical Technicians - first responders whose mission is to put out the fire, or assess the situation and keep the victim alive. Generally, a CSIRT is a service organization that is responsible for receiving, reviewing, and responding to computer security incident reports and activity.

What was once a small and informal community now comprises hundreds of CSIRTs, which are increasingly managed by national or regional coordinating bodies within more formally organized institutional networks. They have come to form a key part of the complex regime of “loosely coupled norms and institutions” that govern cyberspace today. At the same time, CSIRTs are facing a tipping point. They are becoming increasingly part of the broader cybersecurity policy discussion and face the need and challenge to accommodate other policy and political objectives. That is why it is important for policy-makers in this field to better understand the history, evolution, types, and culture of CSIRTs.

Over time, CSIRTs became an integral component of national and international cybersecurity efforts, and a growing number of governments set up national bodies to coordinate CSIRT activities. The expanding role of the state in the governance of CSIRT activities is part of a broader process wherein governments increase regulation and oversight over the information and communications technology (ICT) sector. To some, “securing cyberspace has definitely entailed a ‘return of the state’ but not in ways that suggest a return to the traditional Westphalian paradigm of state sovereignty.” As a result, CSIRTs can no longer confine their mission to providing incident handling assistance to their customers, but now need to coordinate with and communicate success to their overseers as well as their peers.

As cybersecurity rises up the political agenda, more and more policy- and decision-makers are taking interest in the role of CSIRTs in cybersecurity. In this paper, we seek to explain their history, evolution, culture, and functions, with a specific focus on national CSIRT communities, in order to better inform policy decisions on CSIRTs and cybersecurity policy. This brief is the first study in a series of papers on CSIRTs. The next studies will shed light on recent and current trends relating to CSIRTs in cybersecurity policy, embed CSIRTs in the broader cybersecurity discussion, and look at how and when the principles of the CSIRT community coincide or conflict with other policy objectives and the relevance for cybersecurity. We will finally examine ways to increase the cooperation and effectiveness of the global network of CSIRTs.

Working Paper 2

National CSIRTs and Their Role in Computer Security Incident Response

by Robert Morgus, Isabel Skierka, Mirko Hohmann, Tim Maurer
November 2015

Executive Summary

Computer Security Incident Response Teams (CSIRTs) are an important pillar of global cybersecurity. What was once a small and informal community now comprises hundreds of CSIRTs, including governmental and non-governmental institutions. An important trend in recent years has been the institutionalization and creation of national CSIRTs (nCSIRTs). Indeed, the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UNGGE), which is leading the international community’s efforts in negotiating global cybersecurity norms under the auspices of the United Nations, made several references to nCSIRTs in its 2015 report and encourages countries to establish nCSIRTs.

Where these teams reside within a given government, as well as their role, authorization, authority and funding, varies from country to country. Some teams reside within government structures like ministries, others are part of law enforcement or intelligence agencies, and still others are set up as non-governmental organizations. As a result, there are significant discrepancies between nCSIRTs around the world, such as in their interaction with the law enforcement and intelligence agencies of their host country. Moreover, the process of establishing an nCSIRT is not without friction. Some cybersecurity experts and CSIRT practitioners are concerned that the trend toward nCSIRTs is leading to politicization and undermining trust relationships within the community. While the increasing political attention on CSIRTs demonstrates a laudable effort to enhance cybersecurity, policy-makers must be aware of the potential unintended negative consequences.

This report analyzes these issues in greater detail and has three sections. First, it provides an overview of nCSIRTs as a distinct category and community within the broader CSIRT landscape. Their existence is a fairly recent development, and we hope that this introductory overview will be useful for policy-makers, scholars and CSIRT practitioners alike. Second, we examine the different priorities of government actors in network defense and how these priorities sometimes conflict. Third, we present policy recommendations that aim to clarify the role, mission and organizational setup of nCSIRTs as well as their relationship with intelligence and law enforcement agencies.

We argue that an nCSIRT’s mission and mandate must be clearly and transparently defined, and that nCSIRTs should not be part of an intelligence or law enforcement agency, nor report directly to either. Similarly, an nCSIRT should not engage in political activities like the control of content and the censorship of free speech, nor collect digital intelligence for reasons other than securing computer networks and systems. Finally, we believe that governments should endorse the UNGGE’s norm regarding CSIRTs and should not use CSIRTs to conduct or support offensive cyber operations. They should also not prevent CSIRTs from providing assistance.
