Transformative Changes in Incident Response

December 2023
Today we interview Jeffrey James Carpenter, the honoured representative of the global CSIRT community, former CERT/CC leader and FIRST Hall of Fame inductee.

OCSC: Jeffrey, over your extensive career, you've been a first-hand witness to the evolution of cyber incident response. From your early days at CERT/CC to your current position, what are some of the most transformative changes you've seen in the field?

Jeffrey James Carpenter: Over the course of my career, I've witnessed a profound transformation in the cybersecurity field. Initially viewed as a niche area, it has now become a global priority. The changes are evident across several dimensions. Firstly, the human aspect. In the 1990s, cybersecurity roles were quite rare, but they have now emerged as a fundamental part of technology professions. This shift is further highlighted by the establishment of dedicated university programs aimed at training the next generation of cybersecurity experts.

Regarding processes, there's been a significant evolution. We've moved from merely reactive measures to adopting more proactive strategies. This mirrors the progression seen in the fire service, where the focus has shifted from just having an incident response plan to rigorously testing and learning from these tests.

Technologically, the change has been dramatic. We've transitioned from limited, device-specific isolated data to an era of abundant centralized telemetry. This shift is akin to moving from communicating via Morse code on telegraph wires to the immediacy of instant messaging. However, the current challenge lies in effectively interpreting this deluge of information.

OCSC: What about the opposite side?

JJC: The nature of adversaries has also changed drastically. The threat landscape has diversified, evolving from isolated incidents involving nation-state actors or vandals to a widespread financial crime industry. This industry now targets a range of entities, extending well beyond just governments and defense contractors.

These shifts underscore the importance of continual evolution and adaptation in cybersecurity. It's a theme I'm particularly excited to delve into further at the upcoming conference.

OCSC: Your work has transcended borders, helping to establish various national incident response capabilities worldwide. Based on your international experience, where do you see the global community succeeding, and what common hurdles should emerging CSIRTs be prepared to face? Furthermore, how do you envision the future of global cooperation in cybersecurity?

JJC: We have made significant strides in establishing national CSIRT capabilities worldwide, recognising their unique role distinct from law enforcement and intelligence. While the increase in capabilities is commendable, rising global instability will lead to reduced cooperation and increased fragmentation.

However, it is encouraging to observe the private sector's effective cross-border collaboration. Global cooperation, in my view, extends beyond mere information sharing; it is about uniting communities of interest such as suppliers, sector peers, and regional alliances to bolster our collective strength. There is considerable potential to enhance these partnerships, moving past simple data exchange to robust, collaborative defence mechanisms.

The concept of a CSIRT, since its inception with the founding of the CERT Coordination Center in 1988, has evolved more gradually than the threats we face. The contemporary cybersecurity landscape, influenced by DevSecOps, cyber insurance, legislative frameworks, supply chain dependencies, and reliance on cybersecurity vendors, necessitates a reimagining of the CSIRT model. Integrating security deeper into business practices is essential, and I believe the function and structure of CSIRTs will—or indeed must—undergo a radical transformation in response to these drivers.

OCSC: As a key speaker at the upcoming Open Cyber Security Conference (OCSC), what topics or insights are you most excited to share with attendees? What message would you like to extend to both new and long-standing members of this ever-evolving field?

JJC: At the OCSC, I am eager to delve into the intersection of technology convergence, infrastructure management, and the evolving concepts of resilience and risk. The intersection of these elements is reshaping the fabric of organisational security, and I look forward to exploring this transformation.

Furthermore, I will address a critical question facing our community: Beyond technical expertise, what competencies are essential for success in incident response? We must broaden our skill sets to include strategic thinking, effective communication, and an understanding of the broader business implications of cybersecurity.

To both newcomers and veterans of cybersecurity, I extend this invitation: Join me in a conversation that challenges us to expand our horizons, to not only respond to incidents but to anticipate and shape the future of security in an era of unprecedented change.

OCSC: Thank you, Jeff, and see you soon in Tenerife for OCSC24!

JJC: Thanks, see you there!