CSIRT Basics for Policy-Makers: The History, Types and Culture of Computer Security Incident Response Teams
Computer Security Incident Response Teams (CSIRTs) are an important pillar of the global cybersecurity ecosystem. Some describe CSIRTs as akin to digital fire brigades, centers for disease control, or digital Emergency Medical Technicians - first responders whose mission is to put out the fire, or assess the situation and keep the victim alive. Generally, a CSIRT is a service organization that is responsible for receiving, reviewing, and responding to computer security incident reports and activity.
What was once a small and informal community now comprises hundreds of CSIRTs, which are increasingly managed by national or regional coordinating bodies within more formally organized institutional networks. They have come to form a key part of the complex regime of “loosely coupled norms and institutions” that govern cyberspace today. At the same time, CSIRTs are facing a tipping point. They are becoming increasingly part of the broader cybersecurity policy discussion and face the need and challenge to accommodate other policy and political objectives. That is why it is important for policy-makers in this field to better understand the history, evolution, types, and culture of CSIRTs.
Over time, CSIRTs became an integral component of national and international cybersecurity efforts, and a growing number of governments set up national bodies to coordinate CSIRT activities. The expanding role of the state in the governance of CSIRT activities is part of a broader process wherein governments increase regulation and oversight over the information and communications technology (ICT) sector. To some, “securing cyberspace has definitely entailed a ‘return of the state’ but not in ways that suggest a return to the traditional Westphalian paradigm of state sovereignty.” As a result, CSIRTs can no longer confine their mission to providing incident handling assistance to their customers, but now need to coordinate with and communicate success to its overseers as well as peers.
As cybersecurity rises up the political agenda, more and more policy- and decision-makers are taking interest in the role of CSIRTs in cybersecurity. In this paper, we seek to explain their history, evolution, culture, and functions, with a specific focus on national CSIRT communities, in order to better inform policy decisions on CSIRTs and cybersecurity policy. This brief is the first study in a series of papers on CSIRTs. The next studies will shed light on recent and current trends relating to CSIRTs in cybersecurity policy, embed CSIRTs in the broader cybersecurity discussion, and look at how and when the principles of the CSIRT community coincide or conflict with other policy objectives and the relevance for cybersecurity. We will finally examine ways to increase the cooperation and effectiveness of the global network of CSIRTs.