Forum of Incident Response and Security Teams

The Forum of Incident Response and Security Teams (FIRST) is a global forum of incident response and security teams.^[2] They aim to improve cooperation between security teams on handling major cybersecurity incidents. FIRST is an association of incident response teams with global coverage.^[3]

Forum of Incident Response and Security Teams

Abbreviation	FIRST.org
Formation	August 7, 1995
Type	501(c)(3) not-for-profit public charity
Headquarters	Cary, North Carolina
Members	750+ organizations from more than 110 countries [1]
Chair of the board	Tracy Bills
Key people	Tracy Bills, President Chris Gibson, Executive Director
Website	www.first.org

The 2018 Report of the United Nations Secretary-General's High-Level Panel on Digital Cooperation noted FIRST as a neutral third party which can help build trust and exchange best practices and tools during cybersecurity incidents.^[4]

History

FIRST was founded as an informal group by a number of incident response teams after the WANK (computer worm) highlighted the need for better coordination of incident response activities between organizations, during major incidents.^[5] It was formally incorporated in California on August 7, 1995, and moved to North Carolina on May 14, 2014.^[6]

Activities

In 2020, FIRST launched EthicsFIRST, a code of Ethics for Incident Response teams.^[7]

Annually, FIRST offers a Suguru Yamaguchi Fellowship, which helps incident response teams with national responsibility gain further integration with the international incident response community.^[8] It also maintains an Incident Response Hall of Fame, highlighting individuals who contributed significantly to the Incident Response community.^[9]

FIRST maintains several international standards, including the Common Vulnerability Scoring System, a standard for expressing impact of security vulnerabilities;^[10] the Traffic light protocol for classifying sensitive information;^[11] and the Exploit Prediction Scoring System, an effort for predicting when software vulnerabilities will be exploited.^[12]

FIRST is a partner of the International Telecommunication Union^[13] (ITU) and the Department of Foreign Affairs and Trade of Australia on Cybersecurity.^[14] The ITU co-organizes with FIRST the Women in Cyber Mentorship Programme, which engages cybersecurity leaders in the field, and connects them with women worldwide.^[15]

Together with the National Telecommunications and Information Administration, FIRST also publishes guidelines for multi-party vulnerability disclosure, in scenarios such as the Heartbleed vulnerability in OpenSSL.^[16]

In 2019, the Wall Street Journal reported Huawei Technologies Co. had been suspended from the Forum of Incident Response and Security Teams due to changes to US technology export restrictions.^[17] In 2017, a NATO-style coalition of 41 states, including all Gulf Cooperation Council states, intended to work closely with FIRST to heighten levels of cybersecurity cooperation.^[18]

Internet governance implications

In his study of Internet Governance, Joseph Nye identified FIRST as an "incident response regime", supporting global cyber activities.^[19]

Political scientists focused on international security have considered organizations such as FIRST to be transparency and confidence-building measures in cyberspace, "elements of international policy that reduce threats, build trust, and make relationships between states more predictable".^[20]

The FIRST community has also been considered an example of "science diplomacy", as its technical community offers a means of navigating tensions in a way political actors re not able to.^[21]