Nonprofit FIRST aims at global coverage for cyber incident responders

With the burgeoning global growth of internet connectivity and web-enabled devices, there needs to be a national computer incident response capability in every country on earth.
With the global growth of internet connectivity and web-enabled devices, there needs to be a national computer incident response capability in every nation, attendees at an international cybersecurity information-sharing conference heard Tuesday.

The goal of worldwide coverage by cyber-responders, however, is complicated by the lack of technical capacity in the less-developed countries of the global south, Thomas Schreck, a computer engineer with Siemens, told the 2017 International Information Sharing Conference. It’s also an issue of trust, he said, noting that many cyber-response teams are government agencies from countries that are adversaries of one another.

Nonetheless, the Forum of Incident Response and Security Teams — a global nonprofit — aims to have member teams in every country in the world “within 10 years,” said Schreck, who is the group’s chairman.

FIRST currently has 385 members in 82 countries, Schreck said, but “most of our members are in the developed countries.” There are more than 70 member groups in the U.S., 33 in Japan and 27 in Germany.


When the Mirai botnet struck a year ago, many of the infected devices that attacked U.S. infrastructure provider Dyn — bringing the internet to its knees across the East Coast — were not from the developed world, Schreck reminded attendees at the conference.

That’s important, because FIRST members are incident responders like the Department of Homeland Security’s U.S. Computer Emergency Response Team, or U.S.-CERT, as well as incident response teams from the private sector. If there’s no response capability in a country — no one to issue warnings and advice to consumers and companies there — malware infections are going to be much harder to deal with.

“We want to have the ability that our members can find a local team that can mitigate the issue … at least one team in each country that we can go to and say, ‘This IP address is infected [with Mirai or some other malware], please can you mitigate it,’” Schreck said.

He said that currently there were large gaps in FIRST’s global coverage. For example, “We would like to be in position where the whole of Africa is covered,” he said.

There were two stumbling blocks putative members had to get over, he told CyberScoop in an interview after his presentation.


The first was the group’s $2,000 annual membership fee. “It looks like a small amount, but many countries, they don’t have the money,” he said, explaining that in many countries without a national CERT — for example South Africa — incident response fell, de facto, to the NRENs — the national research and education networks set up by academics to make use of internet connectivity.

“The NRENs [computer security incident response teams, or] CSIRTs are often the national teams — not necessarily officially, but unofficially,” he said.

To help putative members over the resource issue, FIRST operates a fellowship program, he said. Each year, up to four qualified teams would have their first year’s membership fee waived altogether and their second year’s reduced. “After two years, they have to pay,” he said.

The second stumbling block was that members had to meet the criteria for being an incident response team, he said, with a mission statement and certain baseline capabilities. Two existing members have to sponsor a would-be member and one has to make a site visit to verify that the new team met the criteria.

But beyond the stumbling blocks for individual putative members loom the cloudy considerations of geopolitics.


“We would like every nation to have a FIRST member [team],” he said, but “The issue is complicated.”

There are sanctions questions, for instance with Iran, where it is illegal without a special waiver to provide any services to the country, he said.

More importantly, he said, there is an issue of trust. “We have Russian members, we have Chinese members,” he said.

“You don’t necessarily know who is behind an email address” for a national CERT or any other FIRST member, he said. That issue wasn’t restricted to adversary nations, but was more generalized. “It’s a very large organization,” he said of FIRST. “You have to build up that trust face-to-face” — for instance at FIRST’s annual global conference.

Technical measures, like a secure online chat system, would only get you so far, Schreck said. “What we’re trying to provide is a platform to build up trust, to have the technical capabilities to exchange information” in a verifiable and tamper-proof way. “But also building trust on a one-to-one basis, a team-to-team basis. That’s hard to do by only reading emails or looking up someone’s contact information in a database,” he said.

Written by Shaun Waterman
