Building trust through CSIRTs interactions

Considering the importance of an efficient and uninhibited information flow between constituents and CSIRTs, building a trust-based cybersecurity ecosystem is one of the key prerequisites for effective CSIRT functioning. Therefore, CSIRTs are crucial players in cybersecurity and a target group in the Cyber Balkans project implemented by the e-Governance Academy, Center for International Legal Cooperation (CILC, the Netherlands), National Cyber and Information Security Agency (NÚKIB, Czech Republic), with expert support from national CERTs of Estonia, Latvia, and Slovenia. 

Specialist workshops have been developed and conducted in the Western Balkans to enhance regional knowledge sharing and cooperation. An excellent example of such training was a two-day workshop in April 2024 in Tirana, Albania, focusing on a national CSIRT’s cooperation with its constituency. The workshop covered topics such as the principles of collaboration with CSIRTs, cooperation with local and central governments, international partners, essential and important service providers, and the private sector and citizens.

The workshop provided a good blueprint for addressing issues and topics that are relevant for CSIRTs today and in the future. The main topics revolved around mapping the main stakeholders, how to build trust with them, and what to consider when communicating with them based on the CSIRT’s role and responsibilities.

Learning from European Union experiences is always part of building up CSIRTs in the Western Balkans, so such workshops often involve experts from the Member States. In this case, Estonian and Latvian experiences were included. The overall aim was to create a forum for regional good-practice exchange and an opportunity to discuss some of the participating teams’ key current and future challenges. Emphasis was also put on the difficulties deriving from implementing the EU NIS 2 Directive.

How to build trust with stakeholders? 

Trust plays a critical role in cybersecurity, but trust cannot be achieved solely through emails or virtual channels; it requires real-life interactions and meetings. CSIRTs also must consider that stakeholders who fall victim to malicious cyber activities often experience a misplaced sense of shame; hence, blame should never be directed at the victims but rather at the perpetrators of such cyberattacks. 

For example, the Traffic Light Protocol (TLP) https://www.first.org/tlp/ is a helpful tool to facilitate greater information sharing, i.e., sharing with the correct recipients/audience. It was highlighted that when assigning a traffic light label to information (e.g., red, amber, green, clear), one should always consider what the recipient is expected to do with that information. For example, where recipients are required to take action or possibly disseminate the information further, TLP:RED would not be an appropriate label.
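As an added illustration (not code from the article or the workshop), the helper below encodes the TLP 2.0 sharing limits and the rule stated above: a label must be consistent with what the recipient is expected to do with the information. The `Scope` levels are an assumed simplification of the TLP 2.0 definitions (recipient only, own organisation, organisation plus clients, community, public).

```python
from enum import IntEnum


class Scope(IntEnum):
    """Assumed model of how far a recipient may pass information on (higher = wider)."""
    RECIPIENT_ONLY = 0   # the named individual recipient(s) only
    ORGANISATION = 1     # within the recipient's own organisation
    CLIENTS = 2          # the organisation and its clients/customers
    COMMUNITY = 3        # the recipient's wider community (e.g. the CSIRT community)
    PUBLIC = 4           # no restriction on disclosure


# TLP 2.0 labels mapped to the widest onward-sharing scope each one permits.
TLP_SCOPE = {
    "TLP:RED": Scope.RECIPIENT_ONLY,
    "TLP:AMBER+STRICT": Scope.ORGANISATION,
    "TLP:AMBER": Scope.CLIENTS,
    "TLP:GREEN": Scope.COMMUNITY,
    "TLP:CLEAR": Scope.PUBLIC,
}


def may_forward(label: str, target: Scope) -> bool:
    """True if passing the information on to `target` stays within the label's limit."""
    return target <= TLP_SCOPE[label]


def least_permissive_label(required: Scope) -> str:
    """Tightest TLP label that still lets recipients reach the scope they need."""
    for label, scope in sorted(TLP_SCOPE.items(), key=lambda kv: kv[1]):
        if scope >= required:
            return label
    raise ValueError("no TLP label covers the requested scope")


def label_check(label: str, recipient_must_act: bool, onward: Scope) -> list[str]:
    """Return warnings when the chosen label contradicts what recipients must do with it."""
    warnings = []
    # The workshop's rule: if recipients must act on or pass on the information,
    # TLP:RED (eyes of the named recipients only) is not an appropriate label.
    if label == "TLP:RED" and (recipient_must_act or onward > Scope.RECIPIENT_ONLY):
        warnings.append("TLP:RED unsuitable: recipients are expected to act on or pass on the information")
    if not may_forward(label, onward):
        warnings.append(f"{label} does not permit sharing to {onward.name}; "
                        f"consider {least_permissive_label(onward)}")
    return warnings
```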

While not a primary client of CSIRTs, citizens frequently provide valuable information. The main partners, both within the country (e.g. ISPs, the ccTLD registry, local hosting companies) and outside it (e.g. ISPs, hosting companies, Big Tech, FIRST / TF-CSIRT), were discussed. It is worth remembering, however, that malicious threat actors typically do not utilise infrastructure within the target country but operate from abroad. Therefore, the significance of international CSIRT cooperation formats, such as FIRST and TF-CSIRT, is even more critical, as CSIRTs need partners for learning and information sharing.

Cooperation with the central and local government 

Central and local government bodies are typically the primary clients for national or governmental CSIRTs. Such collaboration is usually mandated by legislation. The session delineated the range of services that CSIRTs can offer these government entities, including Single Points of Contact (SPOC), assistance with incident management and investigations, phishing takedown activities, the provision of threat intelligence, and awareness raising. 

Cooperation with essential and important service providers 

Essential and important service providers typically rank as the second most important clients of national/governmental CSIRTs, and cooperation with these entities is mandated under the NIS 1 and NIS 2 directives.

CSIRTs offer services to these entities such as incident management and investigation, assistance with takedowns (predominantly phishing), provision of threat intelligence and of the vulnerability landscape, and awareness-raising and sharing of best practices. Additional information about the possible services can also be found on the FIRST Services Framework’s website https://www.first.org/standards/frameworks/. Notably, unlike for central or local governments, CSIRTs typically do not serve as these service providers’ single point of contact (SPOC).

Cooperation with private entities demands additional flexibility (e.g. regarding non-disclosure agreements (NDAs)). The session also explored approaches to situations where, for example, essential/important service providers suspect that they have been compromised, and how CSIRTs can provide guidance in these situations.

Cooperation with the private sector and citizens 

In the services CSIRTs provide to the private sector and citizens, they occasionally assume the role of SPOC. It was also emphasised that CSIRTs are usually not involved in incident management or investigation in this setting. Such a situation may arise, for example, when an SME supplies identical software solutions to multiple CI providers and that software becomes compromised. CSIRTs usually assist citizens with the takedown of phishing sites. Nevertheless, CSIRT teams seldom provide threat intelligence to these parties.

Even if the law does not mandate direct cooperation with private citizens, a lenient approach should be adopted.

Private citizens may not be aware of who the constituents of the respective CSIRT team are. Therefore, when capacity allows, the CSIRT team should assist citizens while focusing on prioritisation. Such interactions could be partially automated, with citizens receiving standard feedback emails from the CSIRT team expressing gratitude for their submissions. This practice demonstrates to citizens the value of providing and sharing information.

CSIRTs – the more the merrier?

A hot topic around CSIRTs is the possibility of having multiple CSIRTs within a country. Various pros and cons were discussed, and these discussions will continue in the wider CSIRT community. 

Cooperation with international partners 

Another stakeholder group for CSIRTs is international partners, such as the international CSIRT community (e.g. FIRST, TF-CSIRT, the CSIRTs Network, ENISA, and also NATO CCDCOE), other foreign CSIRTs, CSIRTs with very specific mandates (products/services), internet service providers (ISPs), content providers, big tech companies, and many more.

For this target group, building personal contacts (e.g. attending events, establishing and maintaining contact bases) is essential. It might also be necessary to sign Memoranda of Understanding (MoUs) to foster cooperation with other CSIRT teams. While occasionally required for political reasons, ideally such formal agreements should not be necessary, given the collaborative nature of the CSIRT community.

Capacity-building efforts for CSIRTs are ongoing, including within the Cyber Balkans project. While issues are often raised on a more technical level, these more general topics and discussions about the roles and setups of CSIRTs provide good ground for open discussion and a strategic approach to CSIRTs.

This article is based on the topics and observations of the two-day workshop “Effective CSIRT Constituency Building” that took place on 16-17 April 2024 in Tirana, Albania, at Europe House. The workshop was part of the Cyber Balkans project, financed by the European Union.

This article was created by e-Governance Academy