30 Years - a Look at the TF-CSIRT Community

– January 2024
Today we interview Silvio Oertli, Chair of the TF-CSIRT Steering Committee, the organisation representing the community, that celebrates its 30th birthday during the OCSC24 conference.

OCSC: Silvio, as we mark 30 years of the TF-CSIRT Community, could you reflect on the most significant milestones in terms of collaboration and impact within the cybersecurity incident response landscape?

Silvio Oertli: Even though I haven't been in the community that long, I can picture the milestones that had a great impact on the way the community has worked together over the years.

Like everything else, the incident response community seems to have started with something big... in our case with a big incident. Back in 1989 the "Wank Worm" incident, which primarily affected NASA, showed that incident response teams around the world needed to improve their cooperation and communication with each other. Based on that, FIRST (Forum of Incident Response and Security Teams) was formed in the US to address this need.

I think the idea of TF-CSIRT was the inspiration that in 1993 a few CSIRT teams, led by CERT-NL (SURFcert) and DFN-CERT, got together and decided to have regular meetings. With the fact that more and more universities introduced the Internet and computers at their sites, CSIRTs were established as a national research and education network community in Europe. At that time, the Trans-European Research and Networking Association (TERENA), the forerunner of GÉANT, wanted to create a central EuroCERT to co-ordinate the interaction of teams in Europe in the event of a major incident. For a number of reasons this approach failed after three years, but in my opinion this was a necessary step to reach where we are today.

In 2000, at a meeting in Paris, the teams involved in EuroCERT decided that instead of having a central body, coordinating the teams and providing fully fledged services supported by the members, each team should have its own portfolio and the teams should remain in a regularly organised and volunteered collaborative environment.

So instead of this planned top-down approach, the peer-to-peer network between the teams that we have today was formed. This Task Force (TF-CSIRT) has been more than well supported by TERENA and later by GÉANT over the years. The community has been able to grow, to include new teams, to develop training for new and old members of this community. Each for itself, but all together.

The TF-CSIRT was formed from the CSIRTs of the NRENs, but was never limited to them. From the beginning, the TF-CSIRT also liked to work with other organisations such as FIRST or CERT/CC, so that even in different organisations a common sense of cooperation was established worldwide.

Another milestone was the establishment of ENISA, the European Union Agency for Cybersecurity, in 2004. Later, with the NIS Directive* coming into force in 2016, the "CSIRTs Network" was established, consisting of the national teams of the EU Member States and CERT-EU. The fact that each EU Member State now has at least a national CSIRT team connected to peers in this formal network, and that many of the teams were already members of the TF-CSIRT before joining the CSIRTs Network, has extended the network and made incident handling and information exchange even easier.

In 2010, the community developed a framework called SIM3, to assess the maturity of security incident management within the teams. The TF-CSIRT community started with the ability to certify your team against this framework. The framework is not only to show others how mature you are, but because of the simple fact that you have to be re-certified every three years, always gives you an indication of where you need to improve. So, even in 2010, no one expected that many teams would go for certification, but more and more are doing so.

The last milestone for the TF-CSIRT community in my opinion would be September 2022 - when we changed the organisational structure, from a task force being a part of GÉANT, to a core element of the Open CSIRT Foundation. This move should allow us to deliver more value to the community by integrating the great input and support from GÉANT and RIPE NCC... Yes, we have used this move to get closer to the RIPE community, as we have seen that in addition to academic, government and commercial teams, more and more teams from Internet Service Providers are joining us.

OCSC: Looking ahead, what are the strategic priorities for the TF-CSIRT Community? How do these priorities align with global cybersecurity trends and the emerging challenges that incident response teams face?

Silvio Oertli: The main focus of the community is to enable and promote the exchange (sharing) of information, techniques and best practices. I think today it is not possible for everyone to know everything about cybersecurity. So it is more important that you know someone who knows someone who can help you in an incident. Also, it is crucial that you know what kind of mistakes others have made when building a service, during an incident or when trying to analyse something. But it's very important that people share both their successes and failures. With this in mind we've introduced training sessions during our meetings to share knowledge and have kept the closed session for teams to talk about failures. In the case of the TRANSITS training, we also like to stick to a volunteer model, so that trainers from the community can talk about the "daily life of an incident responder".

Given the challenges related to lack of funding and lack of computer specialists, we try to keep our meetings and training as affordable as possible.

OCSC: Collaboration is vital in effective incident response. How is the TF-CSIRT Community working to deepen engagement and cooperation among its members, and potentially, with other global incident response entities?

Silvio Oertli: When you have a community like this, it is always a challenge to build up the level of trust needed for good collaboration. Most of the time this collaboration is held together by personal contacts. We like to support these bridges with time for social interaction at our meetings. However, it can happen that teams disagree about certain things or even distrust each other because of a problem that has happened. For this reason, TF-CSIRT has always had a formal "Dispute Resolution Procedure" to talk to each other with the aim of resolving the situation.

OCSC: Considering the themes of this year's Open Cyber Security Conference, how does TF-CSIRT's mission resonate with the discussions and initiatives being highlighted at the OCSC? Additionally, could you share any specific expectations or outcomes that TF-CSIRT anticipates from this conference in terms of forging new partnerships, knowledge exchange, or strategic developments?

Silvio Oertli: We're looking forward to seeing new people at the conference, expanding our peer-to-peer network, welcoming representatives from similar initiatives around the world and building trust with colleagues. We believe that the success of good incident handling today is the result of fast and good cooperation between the teams.

*https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32016L1148