The Crucial Role of the CSIRT

By Mike Goode
Published on January 23, 2018

Born out of crisis, the modern Computer Security Incident Response Team, or CSIRT (pronounced ‘see-sert’) is responsible for coordinating the response to an organization’s computer security incidents.

With cybersecurity threats everywhere, CSIRTs play an indispensable role in the retirement industry, and in the future they should become a vital component for facilitating industry-wide collaboration in the face of cyberattacks.

The History of the CSIRT

In November 1988, the internet was largely unknown to the world, used primarily by governments, governmental bodies, researchers and educational institutions. 

It thus came as a major shock when, on November 2nd, Robert Tappan Morris, then a student at Cornell University, launched the world’s first self-replicating computer worm via the internet.  Known as the “Morris Worm,” the malicious code crippled 6,000 computers, or almost 10% of the computers that were then connected to the internet.  The incident was resolved five days later, but resolving it required international collaboration and resulted in massive duplication of effort and wasted resources.

Out of the chaos caused by the Morris Worm, the Computer Emergency Response Team / Coordination Center, or CERT/CC, was formed.  Organized as a non-profit, federally-funded research and development center, CERT/CC became the driving force behind CSIRTs.

Nowadays, cybersecurity threats can emanate from almost anywhere, requiring organizations to devote significant resources to hardening and continually evaluating their security.  No matter what the investment or the range of security measures that are in place, all organizations must acknowledge that they have some level of vulnerability to attack, and must stand ready to deal with security incidents.

That’s where the CSIRT comes in.

The CSIRT and Its Role

Put simply, a CSIRT is a team that’s assigned the responsibility for coordinating and supporting the response to a computer security event or incident.  CSIRTs can be created for almost any entity, such as nation-states, governmental entities, businesses, power grids, educational institutions and non-profit organizations.

Depending on the entity that a CSIRT serves, its mission, structure and specific responsibilities may vary, but all CSIRTs endeavor to:

  • Minimize and control the damage from computer security incidents
  • Provide guidance for recovery activities
  • Work to prevent incidents from happening in the future

Every CSIRT should have a well-defined plan of action, should an incident occur.  The goal of a CSIRT plan is to maintain mission-critical services and to protect assets and data in the event of a cyberattack or other malicious activity. 

According to CERT, a successful CSIRT plan should include processes for:

  • Notification and communication
  • Analysis, response and resolution
  • Collaboration and coordination
  • Maintenance and tracking of records
  • Evaluation and quality assurance

At Retirement Clearinghouse (RCH), our CSIRT consists of individuals who are highly familiar with our information security infrastructure, network, core business functions and business partners.  Should the need arise, the RCH CSIRT team is the best-qualified to detect, respond to and resolve security incidents, while keeping all parties involved and informed.

The CSIRT and Our Defined Contribution System

Much like the early internet, America’s defined contribution system is a decentralized, interconnected web that includes:

  • Plan sponsors
  • Recordkeepers
  • Third party administrators
  • Asset managers
  • Other parties

Sensitive, protected information resides within each entity and often moves between them, representing a tempting target for bad actors.  Therefore, it’s important that every organization in this chain – small, medium or large – establish a CSIRT. 

It’s also critical that a robust level of coordination be established between retirement industry CSIRTs, in the event a widespread incident occurs with the potential to affect multiple entities within the defined contribution system.  Effective communication amongst retirement industry CSIRTs could become a crucial advantage, should large elements of the system be attacked.

While this level of widespread collaboration does not presently exist, there are signs that it’s coming. 

Recently, the Department of Labor’s ERISA Advisory Council and other industry organizations, such as SPARK, have begun to examine cybersecurity issues and to establish cybersecurity standards for recordkeepers.  We believe that this effort should ultimately be extended to include computer security incident response teams, or CSIRTs.

Let’s hope that our defined contribution system never has to experience its own version of the Morris Worm!