[Bp_certs] About types of CERTs

Cristine Hoepers cristine at cert.br
Tue Jul 15 19:36:45 EDT 2014


Dear all,

First of all, thanks for the interest in the IGF CERTs BPF!

I would like to share some thoughts, considering discussions I
participated in at previous IGF and pre-IGF events, and the discussion
that took place in the mailing list a few days ago, about CSIRTs with
national responsibility (in short "National CSIRTs" or "National
CERTs"), which has also brought a little bit of discussion about other
types of CSIRTs.

There is no right or wrong about who hosts a National CSIRT, or which
services it should provide.  From experience, each country will need
to identify what works best in its case, as well as consider other
issues like services, funding, local internet governance structure and
cultural issues, among other factors that might impact the decision.

Also, several countries have more than one National CSIRT, and the
number is growing each year.  In the last National CSIRTs meeting,
about 2 weeks ago, there was a very interesting discussion about the
future of National CSIRTs and their role.  In this panel there was an
agreement that National CSIRTs are teams whose constituency are
networks/organizations/assets of National importance, and that the
number of such teams tends to increase.

I would like to share some examples of National CSIRTs that are
operated by different stakeholders -- note that the focus of the
information is to give examples of different hosting organizations, not
the constituency served by each team:

- CERT.br - is operated by NIC.br, a not for profit organization that
  implements the decisions and projects defined by the Brazilian
  Internet Steering Committee - CGI.br.  And CGI.br is the
  multi-stakeholder internet governance body in Brazil.  All funding
  comes from <.br> domain name registration.

- CERT.PL (previously CERT Polska) - is operated by NASK (Research and
  Academic Computer Network), a research institute which conducts
  scientific studies, operates the national .pl domain registry and
  provides advanced IT services.

- JPCERT/CC - is an independent non-profit organization.

- CARICERT - is sponsored by the Curaçao Bureau Telecommunication and
  Post (BT&P).

- Egyptian CERT - is operated by the Ministry of Communications and
  Information Technology.

- CERT-EE - operated by the Estonian Information System Authority
  (RIA), a subdivision of the Estonian Ministry of Economic Affairs
  and Communications.

A more complete list of CSIRTs that have responsibility for an economy
or a country can be found here:
http://cert.org/incident-management/national-csirts/national-csirts.cfm

I'll not make this e-mail even longer, but there are CSIRTs in many
different organizations, with different missions and services.  The
most important of all is that these CSIRTs work in cooperation to make
the Internet more stable and secure.  A list of teams that are members
of FIRST (the Forum of Incident Response and Security Teams) can be
found here: http://first.org/members/teams

I personally think the work of the CERT BPF is a great opportunity for
us all to share experiences, best practices, questions, case studies,
but most of all it is a great opportunity for us to identify
challenges and try to find a way to start answering the open
questions.


Best regards,
Cristine

--
Cristine Hoepers, D.Sc.
General Manager
CERT.br/NIC.br
http://www.cert.br/
