Improving Cyber Resilience Worldwide
Silvio Oertli from Switch-CERT reflects on the importance of shared knowledge & trust-building mechanisms in incident response amidst commonplace cyber threats.
Against the backdrop of an ever-changing cyber threat landscape, Computer Security Incident Response Teams (CSIRTs) play a key role in managing and mitigating cybersecurity incidents. To celebrate three decades of international collaboration within a European community of trusted experts with global reach, the Open CSIRT Foundation organized a unique event, the Open Cybersecurity Conference, at the end of February 2024. Around the time of this event, a similar version of this interview was published by SWITCH-CERT, also in German and French.
Silvio, as we mark 30 years of the TF-CSIRT Community, could you reflect on the most significant milestones in terms of collaboration and impact within the cybersecurity incident response landscape?
Silvio Oertli: Even though I haven’t been in the community that long, I can imagine the milestones that have had a big impact on the way the community has worked together in these times.
Like everything else, the incident response community seems to have started with a big incident. Back in 1989, the “WANK worm” incident, which primarily affected NASA, showed that incident response teams around the world needed to improve their cooperation and communication with each other. Based on that, FIRST (Forum of Incident Response and Security Teams) was formed in the US as an answer to that question.
I think the inspiration for TF-CSIRT was that, in 1993, a few CSIRT teams, initiated by CERT-NL (SURFcert) and DFN-CERT, got together and decided to have regular meetings. As more and more universities introduced the Internet and computers at their sites, CSIRTs were established within the national research and education network community in Europe. At that time, the Trans-European Research and Networking Association (TERENA), the forerunner of GÉANT, wanted to create a central EuroCERT to co-ordinate the interaction of teams in Europe in the event of a major incident. For a number of reasons, this approach failed after three years and, in my opinion, this was necessary to form what we have today.
In 2000, at a meeting in Paris, the teams involved in EuroCERT decided that, instead of having a central body coordinating the teams and providing fully fledged services supported by the members, each team should have its own portfolio and the teams should remain in a regularly organized and volunteered collaborative environment.
So instead of this planned top-down approach, the peer-to-peer network between the teams that we have today was formed. This Task Force (TF-CSIRT) has been more than well supported by TERENA and later by GÉANT over the years. The community has been able to grow, to include new teams, to develop training for new and old members of this community. Each for itself, but all together.
The TF-CSIRT was formed from the CSIRTs of the NRENs but was never limited to them. From the beginning, the TF-CSIRT also liked to work with other organizations such as FIRST or CERT/CC, so that even in different organizations a common sense of cooperation was established worldwide.
Another milestone was the establishment of ENISA, the European Union Agency for Cybersecurity, in 2004, and in 2016, with the entry into force of the NIS Directive 1, the “CSIRTs Network” consisting of the national teams of the EU Member States and CERT-EU was established. The fact that each EU Member State now has a CSIRT team connected to peers in this formal network, and that many of the teams were already members of the TF-CSIRT before joining the CSIRTs Network, has extended the network and made incident handling even easier.
In 2010, the community developed a framework called SIM3 to measure the maturity of security incident management in teams. The TF-CSIRT community started with the ability to certify your team against this framework. The framework is not only to show others how mature you are, but the fact that you have to be re-certified every three years always gives you an indication of where you need to improve.
So, even in 2010, no one expected that many teams would go for certification, but more and more are doing so.
The last milestone for the TF-CSIRT community was September 2022, when we changed the organizational structure from a task force as part of GÉANT to a foundation, the Open CSIRT Foundation. This move should allow us to deliver more value to the community by integrating the great input and support from GÉANT and RIPE NCC. Yes, we have used the move to get closer to the RIPE community, as we have seen that in addition to academic, government, and commercial teams, more and more teams from Internet Service Providers are joining us.
Looking ahead, what are the strategic priorities for the TF-CSIRT Community? How do these priorities align with global cybersecurity trends and the emerging challenges that incident response teams face?
Silvio: The main focus of the community is to enable the sharing of information, techniques, and best practices. I think today it is not possible for everyone to know everything about cybersecurity. So, it is more important that you know someone who knows someone who can help you in an incident. Also, that you know what kind of mistake others have made when building a service, during an incident or when trying to analyze something. But it’s important that people share their successes and failures. With this in mind, we have introduced training sessions at our meetings to share knowledge and have kept the closed session for teams to talk about failures. In the case of the TRANSITS training, we also like to stick to a volunteer model, so that trainers from the community can talk about the “daily life of an incident responder.”
Given the challenges of lack of funding and lack of computer specialists, we try to keep our meetings and training as affordable as possible.
Collaboration is vital in effective incident response. How is the TF-CSIRT Community working to deepen engagement and cooperation among its members, and potentially with other global incident response entities?
Silvio: When you have a community like this, it is always a challenge to build up the level of trust needed for good collaboration. Most of the time this collaboration is held together by personal contacts. We like to support these bridges with time for social interaction at our meetings. However, it can happen that teams disagree about certain things or even distrust each other because of a problem that has happened. For this reason, TF-CSIRT has always had a formal “Dispute Resolution Procedure” to talk to each other with the aim of resolving the situation.
Silvio Oertli works as a Security Engineer at Switch-CERT (Universities & Registry). Before joining Switch-CERT, he worked in IT investigation for law enforcement agencies from 2008. In addition to his IT engineering degree, he holds a Bachelor of Law. Silvio has been on the TF-CSIRT Steering Committee since September 2018 and the Chair of TF-CSIRT since September 2019.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s or interview partner’s own and do not necessarily reflect the view of the publisher, eco – Association of the Internet Industry.