A little more than two months ago I heard the good news that the Samoa National Computer Emergency Response Team (SamCERT) had been established. Congratulations to the team at the Ministry of Communications and Information Technology (MCIT) and the security community in Samoa!
With this news, I started to think more deeply about the state of cybersecurity in the Pacific and what makes it work. It feels like yesterday that we held the third incident response workshop for the Pacific community where one of the hypothetical scenarios was a tabletop exercise for the Pacific Games 2019 (held in Samoa that year).
The role of enterprise CERTs/CSIRTs
While it is encouraging to see national CERTs/CSIRTs being established and efforts to support them, it’s not just governments that need these incident response capabilities. Let’s not lose sight of the need to make sure enterprises or organizations are equipped to respond as well. There are a few reasons for this:
- CERTs with national capabilities do not have their eyes and hands on enterprise networks. Yes, they can be that point-of-contact for entities that would like to reach out to the constituents they serve, but they don’t manage your infrastructure. Therefore, ‘doing security’, which includes planning, monitoring, detection and response, is your responsibility.
- Having worked at a national CERT before, I remember that we heavily relied on the information and insights shared by the enterprise CSIRTs. This is because they can provide more context for a particular scenario. Imagine a situation where a new worm was unleashed (this was more common at that time). Without getting feedback from the local CERTs/CSIRTs community, it would be very hard to publish an advisory that is tailored to the local scene. Local information-sharing initiatives are much more meaningful if many can contribute — the more the merrier!
- National CERTs/CSIRTs tend to be limited in their resources, which impacts what they can do during an incident. While it is true that there are some huge cybersecurity agencies out there, in many instances the national teams are fairly small. This is the case for many teams in the Asia Pacific region. A ‘supply-chain’ incident like the recent ransomware attack using the Kaseya platform provides good food for thought about the importance of having internal incident response capabilities, and the role of national CERTs/CSIRTs in handling and coordinating a national crisis.
- Enterprise CERTs/CSIRTs contribute to the overall security improvements of the organization. There are many ‘services’ they can offer besides the expected fire-fighting roles. Take a look at this document, The CSIRT Services Framework, which was put together by the FIRST community. It outlines the list of services that can be performed by an enterprise CSIRT.
The global CSIRT community
Speaking of FIRST (the largest CERT/CSIRT community with teams from 98 economies), you’ll quickly realize that the majority of the member teams are enterprise CSIRTs or PSIRTs (Product CSIRTs). Your CSIRT does not have to be a FIRST member, but the point is that many organizations have a dedicated CSIRT and make an effort to connect with the wider incident response community.
Closer to our region we have a good example of this in the form of the Nippon CSIRT Association — a community of CERTs/CSIRTs in Japan. A list of members is available, but what is more interesting to me are the activities and various working groups that have been established to support the members. Imagine the immense value of this type of community work in improving the security ecosystem and enhancing the work of the national CERT.
The work must go on
I personally hope that we don’t just get excited about supporting the establishment of national CERTs only and the work ends when that’s done. In my experience, this is just the starting point. Here at APNIC, we are keen to support both national and enterprise CSIRTs.
Check out some of the past and future webinars on this topic or join our security tracks, which are usually jointly organized with FIRST or APCERT, at our APNIC conferences (registrations are now open for APNIC 52!).
We have also conducted several CSIRT establishment workshops with materials developed by the community such as FIRST and TERENA; feel free to reach out to us.
The APNIC Foundation has supported the establishment of CERTs in the Pacific via cyber security capability and awareness projects.