National CERT/CSIRT – Mandate and Organisation paper

The latest paper from our law branch is now available!

This study explores the regulatory frameworks governing the functioning of national CERT/CSIRT capabilities across NATO countries. Special focus has been given to civilian/military cooperation and the incorporation of military capabilities into national crisis management mechanisms. The conclusions are based on desk research complemented by outcomes of a questionnaire-based survey among the member states of the NATO CCDCOE. Further information has been acquired through informal interviews with national representatives during the research period. The interest of the research was in peacetime situations and cyber operations under the threshold of use of force.

The report contains three substantive sections. First, it looks in general at the cyber security governance frameworks in the target countries, identifying their main responsibilities and competent authorities, and further discusses the role of civilian and military CERT/CSIRTs in terms of their constituencies and their place in national crisis management mechanisms. The second section explores examples of civilian-military cooperation at both national and international levels. Mindful of the sensitivity, our primary aim was to determine whether such cooperation existed and, if so, then what categories of activity were covered in general. The paper presents the results as an aggregate and does not necessarily make country-specific attributions. The final section of the report seeks to formulate recommendations for better crisis management and cyber security that might stem from the parallel existence of CERT/CSIRT capabilities across national civilian and military environments.

Our research shows that all responding states have civil-military digital/cyber cooperation established at the national level, either by law or under specific agreements and arrangements, confirming that these states are not working within a cyber security vacuum and will collaborate as and when needed or required. Nevertheless, the cooperation frameworks appear to largely reflect the traditional model of the deployment of armed forces on home soil in peacetime, i.e., in a limited supportive role when dealing with large scale emergencies. That, however, often implies specific legal procedures, such as declaring a state of emergency, a state of war or other formal approval procedures ascending to the highest executive or legislative levels. Such structures of governance might prove cumbersome, if not outright counterproductive, in a cyber context.

The collaborative aspect of civilian authorities and their military counterparts indicates potential nonetheless, particularly when taking into account the limited human and financial resources states have available in the context of cyber security. It is notable that many states also have international cooperation arrangements, be they bilateral or multilateral, serving as yet further confirmation of the borderless nature of cyberspace and the threats it allows to spread.

Based on the findings, a set of recommendations is made for a further strengthening of civil/military cooperation within national cyber incident response capabilities.