What are the hardest and best parts about setting up and managing a national CSIRT, and chairing TF-CSIRT? Why is the international response community so collaborative? And what exactly is a computerologist? Baiba Kaškina tells all.
Established in 2006, Latvia’s academic CSIRT was converted into a national CSIRT in 2011. CERT.LV enjoys a unique position, based in the Institute of Mathematics and Computer Science while funded by the Ministry of Defence since 2013. This dual seat has benefitted the CERT.LV team with access to both the expertise and the funding to grow and pursue interesting projects.
Here, CERT.LV general manager Baiba Kaškina shares her experiences and insights for GÉANT Cyber Security Month 2022.
When did you first realise CERT.LV was making a positive difference?
At the beginning, we ran campaigns once or twice a year which we called ‘Computerologist’. We invited members of the public to bring along their devices and we checked if they were infected or not. Computerologist doesn’t sound as good in English! – but the idea is like doctors, gynaecologists or stomatologists.
That service wasn’t commercially available back then, and so we used to get huge queues. People were very eager for us to check their devices and to cure them if possible. And we really got a lot of thank yous and appreciation for helping them.
People generally understood the doctor analogy. Although we did have some curious cases where somebody came along without a device, asking for a check up on themselves.
What do you enjoy most about your role as CSIRT general manager?
Firstly, I really like the fact I’m doing something useful and meaningful for my country, for people using the internet, for safer cyberspace in Latvia. It’s not about making somebody else rich.
Secondly, the job is always changing, always challenging and interesting. It’s never boring. There are always new things coming up.
And thirdly, I have really wonderful colleagues, both at home and internationally. It’s always been a pleasure to work in the incident response community. I think that’s a big asset to make this very difficult job more pleasant, and to make somebody want to come to the office and not to consider other career challenges.
What are the biggest challenges you face now in managing CERT.LV?
While we’ve been very successful at keeping existing people, recruiting new people is extremely challenging. It’s partly due to the shortage of security professionals in general, and the fact we can’t pay the same salary levels as in the commercial sector. The amount we can pay has just increased, so I hope next year we’ll be in a better situation.
Something that’s both a challenge and an opportunity is how much the cyber topic has evolved. Ten years ago, it was really a matter for technical people, and politicians didn’t want to know much about it.
Nowadays, it’s on everybody’s agenda. Everybody’s! You look at any level – be it the European Commission, or national parliament, or any ministry – and you find cyber everywhere.
So there is more demand for our opinion. And it’s challenging to participate in all of these efforts – to find resources and decide which ones are most important.
A third challenge is the shortage of qualified security professionals across all government departments. When a problem occurs, there’s almost nobody who can respond to our requests for proper information. This impacts our work a lot.
What important lessons have you learned during your career?
Time estimations are always a problem. In many cases, unless it’s a short simple project, the reality is almost double the initial time estimation. We’ve learned this the hard way.
Another important lesson I’ve learned is not to commit to too much. To realise that, even if the issue is important, the highest priority is that my team remains in a sound mental state and can perform their duties. Rather than us putting in, say, 200% of effort one week, then the next week everyone’s in their sickbed.
So we have to really balance what we can take on with maintaining the team’s ability to carry on in a sustainable way. Because there’s always, always more you could do.
I think saying “No” to some things is something you have to learn the hard way as well!
What advice would you give to another country that wants to set up a national CSIRT?
There are lots of things to think about when setting up a CSIRT, but I’d highlight two things in particular.
Firstly, it’s very important to decide where the CSIRT will be located within the government or other national organisations. It’s very hard to define the right place, because almost every country has a different solution.
There is no one correct answer. But it does impact hugely what the team will be able to do, how it will be funded, how easy it will be to recruit people, and so on.
The crucial thing is that the command chain to somebody important isn’t too long. So in a crisis when the CSIRT team needs to escalate things, they can reach out to a minister or to the Prime Minister.
Secondly, you want a well-written cyber security law that defines the constituency, the authority, the responsibilities of the team, and so on. Putting all this into legislation helps enormously later on to avoid debates about what the team can and should do.
Nowadays, this is much easier because there are already lots of good examples around to take inspiration from.
You’ve often said the incident response community is full of cooperation and support. Why do you think that is?
Cooperation is the core nature of cyber security activities, for national or academic teams at least. You cannot – well, you should not – compete in this area.
We have a common goal, to protect our constituencies. And the better we collaborate, the more useful information we share, the better we can do our work, and the better we can protect our communities.
I think this has really been the core part of all training and education for CSIRT teams. And this culture has grown into the core of the international response community. New people who join the community quickly learn that this is the way we do things.
And we should do as much as possible to preserve and maintain this community feeling and trust, as the community continues to grow.
What’s your biggest lesson learned from your time as chair of TF-CSIRT?
One big lesson was definitely that finding compromises is sometimes very hard. Whether among the steering committee or within the whole community, it takes time and effort. It didn’t always happen as easily as I would have liked. And that’s normal.
Another is that it’s very rewarding to lead such a community, but it also takes a lot of time and effort if you want to do it properly. The time commitment has to be there. That’s also why I’m a bit careful nowadays when I take on another assignment!
What are you most proud of from your time as TF-CSIRT chair?
While I was the chair, we started discussions about how to reorganise TF-CSIRT. This process continued without me after my term ended.
I’m very glad to see it’s now taken real form and shape with the Open CSIRT Foundation. This is something I feel like I’ve contributed to and I’m happy about how it has turned out.
Another example is that during I think only my second meeting as chair, we had to discuss raising the fees for the Trusted Introducer service. And that was really the most difficult discussion and arguments that I’ve had throughout the time I was chair.
We had to do a lot of explaining to people about why a fee raise was necessary and the reasoning behind the new price. There was quite a lot of misunderstanding at that time about how TF-CSIRT is funded in general, how the money flow works, who gets what, and so on.
That was really difficult, but the end result was positive. And to achieve consensus, more or less, on such a sensitive topic…that’s something I still remember.
How has the role of TF-CSIRT chair evolved over time?
When I started as the chair it was like this: there are three meetings a year, I come to the meeting, I read the agenda, say thank you to speakers, and that’s all the job is.
But it evolved a lot in the five years I was chair. We opened up a lot of discussions on strategy, on where TF-CSIRT is going. There were a lot of intermediate meetings, there were documents the Steering Committee was preparing. The change was huge.
By the time I finished being the chair it was a very different role. A richer role, and much busier!
The TF-CSIRT chair doesn’t really need deep technical knowledge, beyond a general understanding of how incident response works. It’s mostly about soft skills – being able to find compromises, to think in a global manner, to consider the political impact. Those things are way more important nowadays.
What advice would you give to anyone who would also like to chair TF-CSIRT one day?
I would definitely support and encourage this person, because being chair is a great thing to do.
But I would also caution them of the effort and time they will need to invest. And that they will have to be very patient and good at finding compromises.
About Baiba Kaškina
Baiba Kaškina is the general manager of CERT.LV, the Latvian national and governmental CSIRT, which she helped establish. Between 2014-2019 Baiba chaired TF-CSIRT, the international task force for computer security incident response teams. In 2021, Baiba was awarded Latvia’s highest state honours, The Order of Three Stars, in recognition of her outstanding professional achievements.
Also this year GÉANT joins the European Cyber Security Month, with the campaign 'A Community of Cyber Heroes'. Read articles from cyber security experts within our community and download resources from our awareness package on dev.connect.geant.org/csm2022