[Bp_certs] Challenges of running a CERT/CSIRT
Andrew Cormack
Andrew.Cormack at ja.net
Wed Jul 23 09:54:02 EDT 2014
> -----Original Message-----
> From: Bp_certs [mailto:bp_certs-bounces at intgovforum.org] On Behalf Of
> Adli Wahid
> Sent: 23 July 2014 00:58
> To: bp_certs at intgovforum.org
> Subject: [Bp_certs] Challenges of running a CERT/CSIRT
>
>
> > Hello everyone!
> >
> > I think most people would probably agree that having an incident response team or capability is critical these days for most organisations (or countries for that matter). Some organisations require it as part of the enterprise-wide risk management framework or cyber security strategy.
> >
> > There are some good resources available out there on how to go about setting up & running a CERT/CSIRT. One very good example is available from ENISA's website here:
> >
> > https://www.enisa.europa.eu/activities/cert
> >
> > And I think a few other organisations have developed similar guides so that it is easy to understand how the organisation can be structured, what tools are needed to run the operation and so on. If you know of any other sources of reference like the above, please let us know.
> >
> > Establishing a CERT/CSIRT is one thing - running it successfully is probably another story. For this Best Practice initiative we are also interested in learning the challenges that are faced by CERT/CSIRTs. I think Patrick already mentioned that not having a clear definition of the role can lead to operational problems (lack of trust). Funding is probably another one - without which teams are not able to, for example, acquire tools or hire staff (or send them to conferences / training).
> >
> > Please share your observations on some of the other challenges or issues that could affect the operation of a CERT/CSIRT. Thanks!
> >
> >
> > Best Regards,
> >
> > --
> > Adli Wahid email: adli at apnic.net
> > Security Specialist, APNIC sip: adli at voip.apnic.net
> > http://www.apnic.net phone: +61 7 3858 3100
Adli,
One of the biggest barriers I hear about (maybe because of my job title nowadays) is that CERTs think the law prevents them from doing incident response. In fact I'm usually pleasantly surprised, when I actually talk to regulators, by how much they do 'get' incident response - "incident response protects privacy, of course we support it" was one comment from a national privacy regulator. So maybe we should be engaging more with regulators to ensure that legislation does leave us the space we need and that we agree on how to use it?
One area that does concern me is where countries are creating special laws for their national CERTs. I think there's a risk there of creating undesirable barriers between those CERTs and the others in their countries. If I'm an 'ordinary' CERT and my constituents share information with me knowing that it's protected by 'ordinary' law, will I lose my constituents' trust if I share it with a national team that has special exemptions from that law? That concern has also been expressed when dealing with law enforcement - if I share information with them as intelligence, do I lose control of whether it may eventually turn up being used as evidence in a public court? So I think it's important for teams that do have special powers or authorities to also offer agreements on how shared information will and won't be used. Otherwise there's a risk that less information will go to them than Internet safety requires.
Andrew
--
Andrew Cormack
Chief Regulatory Adviser, Janet
t: +44 1235 822302
b: https://community.ja.net/blogs/regulatory-developments
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is
registered in England under No.2881024 and whose Registered Office is at Lumen House, Library
Avenue, Harwell Oxford, Didcot, Oxfordshire, OX11 0SG. VAT No. 614944238