Computer systems, networks and infrastructures are the foundation of a digitally connected society. They are managed and maintained by a diverse and transnational group of actors. While many cybersecurity scholars have focused on the role of states and private companies in the ‘making of cyber-security’, such emphases tend to obscure the plethora of practices, understandings and communities across the public-private continuum that are engaged in identifying, handling and responding to incidents and threats. Historically, incident response has been continually associated with the role of Computer Emergency Response Teams (CERTs) or Computer Security Incident Response Teams (CSIRTs) – organisations that operate as a focal point for the identification, reporting and handling of cyber incidents. These so-called – yet often unseen – ‘digital fire brigades’ or ‘first responders’ (Skierka et al. 2015) possess specific communicational designs (e.g. informal networks based on interpersonal relationships, protocols such as the Common Vulnerability Scoring System (CVSS), and others) and jointly comprise a global network of information sharing and cooperation. However, as a practice, incident response remains a perennial requirement for the functioning of any interconnected system and infrastructure, often taking different institutional forms across public and private institutions. In addition, incident response also signifies the operation of many communities conducting the routine activities of repair, maintenance, improvement and measurement/classification of cybersecurity incidents, which may or may not take place under a CERT or CSIRT. In general terms, incident response predates institutionalised forms of ‘teams’. From a system administrator monitoring networks in an institution to more offensive-facing teams such as Security Operations Centres (SOCs), different communities engage in incident response.
Teams have taken distinct shapes and forms in response to numerous factors that include, but are not restricted to, business incentives for threat detection and more ‘active’ approaches, national cybersecurity concerns, and acceptance of widespread discourses that frame the lack of professional capacities as an inherent condition of contemporary cybersecurity challenges (Shires, 2018). The politics of change in incident response practices do not occur in a vacuum; rather, they are co-produced (Jasanoff, 2004) in a landscape where cybersecurity has become the object of dispute in geopolitical battles, regulatory agendas and business solutions, among other areas. These changes are often enunciated in official speeches from heads of state, crystallised in government and business reports, and stabilised through the development of tools, manuals and standards that suggest new ways of conducting ‘response’. From the 2021 G7 declaration mentioning responsible state behaviour in cyberspace to cybersecurity manuals, incident response is a key function for the coordination, resilience and stability of cyberspace. Understanding and exploring the spectrum of political challenges reconfiguring incident response can therefore help to better capture the challenges of coordination and the fragmentation of efforts to respond to cyber threats. What is more, it provides a perspective on how particular representations of incident response are crystallised and the consequences this has for cybersecurity governance. So, while incident response is networked as a practice, we explore the tensions that arise in these networking processes. Based on document analysis of CSIRT manuals, cybersecurity regulations and policies, and incident response literature, the paper looks at three areas where these tensions arise: professional development, regulatory advances and geopolitical disputes.
Each of these areas provides an important insight into the ways in which ‘response’ is prescribed, stabilised and networked in emergent ways – and the consequences these bring to the politics of cybersecurity. The paper is divided into three parts. First, we explore some of the factors that are shaping how incident response is practised and understood, and why this matters for understanding new configurations of cybersecurity politics. Second, the paper analyses the different ways in which incident response has been institutionalised and the impact this has had on shifting the actors and practices that make up ‘incident response’. Third, we discuss some of the ‘pressure points’ that have been contesting and reshaping the supposed borders of how, and by whom, ‘response’ should be conducted.