Responding to cyber threats: Establishing an effective computer incident response team

15 Jun 2017 09:00h - 10:45h

Event report

[Read more session reports from WSIS Forum 2017]

The session moderated by Mr Mohd Shamir Bin Hashim (Senior Vice President, International & Government Engagement Division, CyberSecurity Malaysia), featured discussions on the importance of a coordinated response to ICT security incidents and how this contributes to the broader development agenda. Bin Hashim introduced all the session speakers and said that one of the main points of the session is about which capacities are required to establish a well-functioning computer security incident response team (CSIRT).

In his speech, Mr David van Duren (Head of the Global Forum on Cyber Expertise Secretariat) presented the Global Forum on Cyber Expertise (GFCE) and its main initiatives. According to van Duren, the GFCE is an informal platform with 60 members around the world, which aims to exchange cyber expertise at a global level. He said that there are national and thematic initiatives and some deliverables, like reports, toolkits and guidelines, are available to help the community implement best practices. Another line of action is to bring together relevant parts and promote strategic discussions through workshops and attending meetings like the WSIS and the IGF.

Mr Luc Dandurand (Head, ICT Applications and Cybersecurity Division, International Telecommunication Union (ITU)) started by talking about the importance of a national CIRT team. Dandurand presented the ITU CIRT programme  implementing 12 national CIRT projects, four of which are ongoing. This programme uses the GFCE CSIRT maturity framework to build national CIRTs. He said that it is not necessary to implement all the frameworks at the same time, because it is has a flexibility to fit the needs of the moment, depending on the organisation’s maturity level. According to Dandurand, there are some important aspects that have to be observed for successful CIRT implementation: clear communication with stakeholders, a well trained team, and reasonable expectations. In the future, he believes that information about security threats will be shared through machine readable formats, facilitating the exchange between CIRTs. Finally, he concluded with a reflection about the importance of national coordination involving all the stakeholders, and training to be ready in case of a national cybersecurity crisis.

In his speech, Mr George Michaelides (Commissioner, Office of the Commissioner of Electronic Communications and Postal Regulation) brought the customer point of view to the discussion. He said that it is important to demonstrate the economic impacts of cybersecurity, to raise awareness about the importance of national CSIRTs. According to Michaelides, an implementation of a CSIRT team can be based on three Ps: people, process, and products. He explained that products can be thought of in terms of the technology provided and services rendered, and that the process takes into account the strategy and how to measure what is being delivered. He said that people are the big challenge, because it is necessary to think how to find the right people, how to train and build trust between them. Michaelides ended his participation saying that, commonly, national CSIRTs are a government organisation and a common problem is motivating people, since governments  have slow decision processes and have delays when it comes to funding projects.

Prof Dr Vilius Benetis (NRD CIRT/NRD CS) began his speech by saying that cybersecurity is not well defined, thereare many different definitions. In his opinion, a CSIRT is a technology-driven organisation and has as its objective to provide a safe digital space. Based on his observation, Benetis said that the time required to build a CSIRT and deliver the needed services is between six to ten years. Some people believe that one year can be sufficient for this work, but it is necessary to limit expectations because some services can be delivered after a year, but they may not necessarily be good enough. He concluded by saying that it is important to focus on trust and competence within the team, invest in a platform for information sharing, and to grow together as part of a CSIRT team.


by Nathalia Sautchuk Patrício