National CSIRTs and Their Role in Computer Security Incident Response

Policy Paper
Nov. 19, 2015

Computer Security Incident Response Teams (CSIRTs) are an important pillar of global cybersecurity. What was once a small and informal community now comprises hundreds of CSIRTs, including governmental and non-governmental institutions. An important trend in recent years has been the institutionalization and creation of national CSIRTs (nCSIRTs). Indeed, the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UNGGE), which is leading the international community’s efforts in negotiating global cybersecurity norms under the auspices of the United Nations, made several references to nCSIRTs in its 2015 report and encouraged countries to establish them.

Where these teams reside within a given government, as well as their role, authorization, authority and funding, varies from country to country. Some teams reside within government structures like ministries, others are part of law enforcement or intelligence agencies, and still others are set up as non-governmental organizations. As a result, there are significant differences between nCSIRTs around the world, for example in how they interact with the law enforcement and intelligence agencies of their host country. Moreover, the process of establishing an nCSIRT is not without friction. Some cybersecurity experts and CSIRT practitioners are concerned that the trend toward nCSIRTs is leading to politicization and undermining the trust relationships on which the community depends. While the increasing political attention on CSIRTs demonstrates a laudable effort to enhance cybersecurity, policy-makers must be aware of the potential unintended negative consequences.

This report analyzes these issues in greater detail and has three sections. First, it provides an overview of nCSIRTs as a distinct category and community within the broader CSIRT landscape. Their existence is a fairly recent development, and we hope that this introductory overview will be useful for policy-makers, scholars and CSIRT practitioners alike. Second, we examine the different priorities of government actors in network defense and how these priorities sometimes conflict. Third, we present policy recommendations that aim to clarify the role, mission and organizational setup of nCSIRTs as well as their relationship with intelligence and law enforcement agencies. 

We argue that an nCSIRT’s mission and mandate must be clearly and transparently defined, and that nCSIRTs should not be part of an intelligence or law enforcement agency, nor report directly to either. Similarly, an nCSIRT should not engage in political activities like the control of content and the censorship of free speech, nor collect digital intelligence for reasons other than securing computer networks and systems. Finally, we believe that governments should endorse the UNGGE’s norm regarding CSIRTs and should not use CSIRTs to conduct or support offensive cyber operations. They should also not prevent CSIRTs from providing assistance.