TABLE OF CONTENTS
I. INTRODUCTION 202
II. THE CYBER SECURITY INCIDENT LANDSCAPE 203
III. HISTORICAL BACKGROUND AND THE EMERGENCE OF CSIRTS 206
IV. LEGAL AND PRACTICAL OBSTACLES THAT LIMIT INFORMATION SHARING 214
V. RE-CONCEPTUALIZATION OF CSIRTS: EMERGENCY RESPONSE 217
A. History of the International Red Cross and Red Crescent Movement (Movement) and Its Components 217
B. Lessons for CSIRTs 223
VI. CONCLUSION 225

I. INTRODUCTION
Cyber security incidents can have severe consequences for individuals, businesses and states. The scope of the problem is expanding as adversaries develop increasingly sophisticated cyber tools and techniques. (1) Moreover, the scale of the problem is growing with increased interdependency. (2) Given the cross-border nature of cyberattacks, international cooperation is critical to prevent and respond to incidents. (3) A key response to cybersecurity incidents has been Cybersecurity Incident Response Teams ("CSIRTs"). A CSIRT is "a service organization that is responsible for receiving, reviewing and responding to computer security incident reports and activity." (4) CSIRTs traditionally served as intermediaries "between benign identifiers, who reported vulnerabilities, and software users" and disseminated vulnerability information. (5) However, CSIRTs face legal and practical challenges to their continuing existence. CSIRTs do not have a clear mandate: their role and their relationship with the state, with other CSIRTs operating within the state, and with international actors are unclear, and national laws impede the ability of CSIRTs to share data. (6) Moreover, the information collected and shared may be inaccurate due to underreporting and inconsistencies. Trust and cooperation are also impeded by the commodification of vulnerabilities, state perceptions of cyberspace as a new threat domain, the expansion of the CSIRT community, and the advent of a "cyber regime complex." (7)
This paper examines the constitutive statutes of the International Red Cross and Red Crescent Movement ("Movement") and proposes that the roles of actors in the cybersecurity and CSIRT landscapes, and of CSIRTs themselves, be reconceptualized by adopting the Movement's functions and components. The first section of this paper provides background on the cyber security incident landscape, explaining the nature and scope of the problem. The second section provides background information on the global CSIRT network by describing the historical and current roles and responsibilities a CSIRT assumes and exploring current cooperation, collaboration, and information-sharing efforts. The third section focuses on the legal and practical obstacles that limit information sharing. The fourth section explores emergency response mechanisms for humanitarian crises and considers whether CSIRTs can be re-conceptualized. The paper concludes with the following recommendations: (1) that the Forum for Incident Response and Security Teams ("FIRST") serve as an umbrella organization responsible for providing information, support, and coordination between CSIRTs; (2) that States support National CSIRTs ("NCSIRTs") by enacting legislation that clearly defines the mandate of CSIRTs and their relationship with other actors, and by allocating resources for CSIRTs; and (3) that NCSIRTs assist victims and contribute to the community by assisting in the development of other CSIRTs. This will enable CSIRTs to coordinate the response to cyber security incidents at a global level.
II. THE CYBER SECURITY INCIDENT LANDSCAPE
Cybersecurity incidents can have severe consequences for individuals, businesses, and States. Individuals may suffer financial loss through phishing or devastating psychological effects as occurred in the suicides associated with the leak of Ashley Madison customer details. (8) Businesses may suffer direct financial loss as a result of data theft and corporate espionage (e.g., cyberattacks on Target, Anthem, Home Depot, and J.P. Morgan) or physical damage to operating equipment, such as servers. (9) It is estimated that computer crime is costing the United States $10 billion, (10) and that computer fraud is now costing businesses in the U.K. 5 billion pounds a year. (11) Businesses also face indirect costs including liability and loss of reputation, customer confidence, and productivity. (12) Threat actors also target government agencies and their contractors, "potentially resulting in the disclosure, alteration, or loss of sensitive information, including personally identifiable information (PII); theft of intellectual property; destruction or disruption of critical systems; and damage to economic and national security." (13) For example, the data compromised in the hack of the Office of Personnel Management involved sensitive information of current, former, and prospective federal employees, including forms which contain details about the employees' personal life, family members, other contacts, interviews, record checks, fingerprint data (limited), polygraph data, (14) social security numbers, addresses, employment history, and financial records of approximately 21.5 million people. (15) States may also be concerned with attacks that threaten their values as evidenced by the cyberattack against Sony Pictures Entertainment. (16) The attack was in response to the release of a film depicting the assassination of the North Korean head of state and was viewed as an attack on freedom of expression. (17)
The reach and impact of cyberattacks exceed those of traditional crimes. Perpetrators of cybercrimes do not require physical proximity to their victims and are not impeded by national borders. (18) Cyberattacks can be carried out at high speed and directed at multiple victims simultaneously, and attackers can more easily remain anonymous. (19) The adversaries in cyberspace include botnet operators, criminal enterprises, hackers, insiders, state-sponsored groups or states themselves, and terrorists. (20) The scope of the problem is also expanding as adversaries develop increasingly sophisticated cyber tools and techniques. (21) Moreover, the scale of the problem is growing with increased interdependency. Information security incidents reported by federal agencies over the last several years have risen from 5,503 in fiscal year 2006 to 67,168 in fiscal year 2014. (22)
Due to the cross-border nature of cybercrime, no State can deal with the problem independently. (23) For example, if a Pakistani national is suspected of illegally accessing a computer system located in the United States, Pakistan's Federal Investigation Agency may require information that is only available in the United States in order to investigate and prosecute the offense. (24) Therefore, international cooperation is critical to preventing and responding to cybersecurity incidents.
International cooperation is impeded by difficult legal questions. Cybersecurity incidents often go unreported, (25) and even when they are reported, law enforcement and prosecutors face significant challenges, including technological, evidentiary, and jurisdictional hurdles. (26) For example, a number of developing countries do not have legislation that specifically addresses cybercrime. (27) Existing legislation enacted for the protection of physical property is not equipped to deal with cybercrimes. (28) For example, traditional search and seizure procedures cannot be applied to computer data. (29)
Where legislation does exist, insufficient harmonization of cybercrime offences, investigative powers, and admissibility of electronic evidence across national legal frameworks impedes the investigation and prosecution of cybercrimes. (30) For example, signatories of the Convention on Cybercrime ("Convention") (31) that have implemented legislation akin to the Convention may be reluctant to share data with states that are not parties to the Convention for fear that, in the absence of agreement on what constitutes a cybercrime, the receiving state may use the data to prosecute conduct that is not recognized as an offence, such as blasphemy online. Conversely, signatory states may be reluctant to receive data collected from states that have failed to implement civil liberties and due process safeguards, such as independent oversight and limits on the scope and duration of powers. Further, trans-border searches pose jurisdictional problems and have international ramifications. (32)
III. HISTORICAL BACKGROUND AND THE EMERGENCE OF CSIRTS
The purpose of the CSIRT mandate is to develop and promote best management practices and technology applications to "resist attacks on networked systems, to limit damage, and to ensure continuity of critical services." (33) CSIRTs provide a range of services, including proactive and reactive services as well as security quality management functions. (34) With its reactive services, a team acts to mitigate incidents when notified. (35) Proactive services and security quality management, on the other hand, seek to prevent future incidents. (36) Victims are more likely to report intrusions to Computer Emergency Response Teams (CERTs) in order to obtain immediate technical assistance, and when CERTs identify patterns, they can alert potential victims and seek assistance from other experts working to address the same problem. (37)
Tracing the historical emergence of CSIRTs provides insight into the original conception of the purpose CSIRTs would serve. The first CERT was formed by the United States Department of Defense and Carnegie Mellon University in response to the Morris worm incident in 1988. (38) The CERT was created to improve communication, avoid redundant analysis, and ensure timely defensive and corrective measures to limit the damage done by cyber incidents. (39) In the 1990s, the United States' CERT led the way for other countries to develop their own CERTs. (40) The United States' CERT adopted CERT Coordination Center (CERT/CC) as its official name, as many other response teams have chosen...