Trusted communities are the lifeblood of cybersecurity, even when they work in the background, and they are vital to effectively keeping attackers at bay.
In 1988, one of the first pieces of computer malware – named the Morris worm after its developer – incapacitated a large share of the internet, which at the time was still a modest system comprising about 60,000 computers. This development gave birth to the idea of responding to future online security incidents with Computer Emergency Response Teams (CERTs). These teams of computer experts would be deployed whenever someone caused trouble on the internet and the resulting damage needed to be contained as quickly as possible. The launch of the first-ever ransomware attack – the AIDS Trojan – just one year later further confirmed the need for CERTs.
But the teams of IT security experts soon realised that there was often a limit to what they could do on their own. The CERTs had to network with one another so they could coordinate countermeasures to attacks that crossed national borders. And another factor was also key in this exchange: each team of specialists needed to learn about new security incidents from other groups as quickly as possible so it could efficiently protect its own infrastructure. The global Forum of Incident Response and Security Teams (FIRST) was established in 1990 for this very purpose. Its goal was to enable and encourage exchange between CERTs around the world through networking, communication, building trust and cooperation.
Now, over three decades later, the threat situation has fundamentally changed. The damage caused by cybercrime is growing every year, with global damage estimated at a trillion dollars for 2020 alone. What might be a lucrative business field for attackers is a growing challenge for IT security experts, which is why the issue of trusted communities has become all the more important. The reasons are the same as they were 30 years ago: CERTs need to learn from one another quickly and work together efficiently whenever an incident occurs.
Here are a few examples of trusted communities:
As different as trusted communities are, the basic rules for success always remain the same: participants need to make themselves personally known and get involved in the group. And information must only be used under the agreed conditions. What’s more, many of these communities aren’t open to the public, and admission is often by invitation only following a security check. And just like anything else in life, trust is something that takes time to build up, but it can be destroyed in an instant.
A trusted community with eight to ten participants naturally operates differently than one with over 500 parties. I asked Dr Serge Droz, Chair of FIRST and Senior Security Engineer at Proton Technologies, what role cooperation plays in cybersecurity, both on a national and an international level:
The global cybersecurity community is highly unusual in that we share our information and knowledge with the competition because we have a common enemy. Often, this adversary doesn’t care who they attack, as long as the end result is right for them. So it’s clear that security teams have to work together. Simply put, we don’t stand a chance of achieving anything on our own. This rings true for private companies and countries alike. At FIRST conferences, the individuals exchanging ideas are usually from similar organisations, so they’re actually in competition with each other. The reason for this is clear: you talk because you have the same problems.
Dr Serge Droz, Chair of FIRST and Senior Security Engineer at Proton Technologies
I also asked Dr Droz what role trust plays and how to achieve it in a global context:
Trust is the air that CERTs breathe. You can’t survive without it. Trust is something human that can’t be automated or contracted. Incident responders build trust through joint collaboration and social sharing. It’s important to have a common goal. In our community, it’s to protect internet users. Experience shows that contracts and NDAs are irrelevant. What is important, though, is that teams clearly understand their roles and that they are transparent. Establishing a CERT within an intelligence agency doesn’t exactly inspire trust. FIRST has published a code of ethics to help teams act in a way that builds trust.
Dr Serge Droz, Chair of FIRST and Senior Security Engineer at Proton Technologies
Today, FIRST comprises 566 teams worldwide. At the forum’s conferences, you can really sense the outstanding commitment to the common cause, despite geographical distances. And this, in turn, is the ideal condition for building trusting relationships that can then be specifically expanded in smaller groups – or in trusted communities. SWITCH has been an active FIRST member since 1995.