FIRST Threat Intel Coalition SIG

Membership Requirements and Veto Rules

Mission

This special interest group aims to improve civil society organization’s access to threat intelligence, and help coordinate mitigation efforts to civil society organizations targeted by threat actors where possible. Commercial cyber threat intelligence reporting neglects threats to civil society, and these organizations cannot afford private feeds or customized protection products. Hence, civil society organizations lack information on the threats they face, yet they belong to the most vulnerable actors online. To improve that situation, this special interest group aims to discuss challenges, find possible workarounds and eventually facilitate contact between CSOs in need of assistance and threat intelligence researchers who are able to help.

For sharing threat intelligence among parties, trust is paramount. All parties within the SIG must respect that the intelligence within this group is primarily shared to protect individuals and organizations within civil society that are likely to fall victim to cyber espionage or attack. To facilitate the development of trust within the group, the FIRST Threat Coalition SIG has put together a series of membership rules.

The FIRST Threat Coalition SIG is a semi-open group. An application can be put forward online, or via invitation by a pre-existing SIG member. The application will be filled out on FIRST Portal, and the necessary membership information will be forwarded to the chairs and FIRST Secretariat. Members join as individuals, not as representatives of their respective organizations.

Applications must provide the following information:

Name of applicant;
All affiliations of the applicant at the time (the SIG recognizes that affiliations will change over time);
Reasons for joining the SIG.

While applications to join are welcome, they must ensure that they are in a relevant field to the SIG’s mission: being involved in cyber threat intelligence research, or being connected to civil society organization for example in an outreach or cyber threat capacity. There are no formal requirements for membership. However, prospective members should be able to make a clear case either 1) why they will likely be in need of, or could benefit from, the type of assistance this group offers, or 2) the potential contributions they could make to the group, and specifically how they may be able to assist civil society. These two questions can be answered by mentioning thematic and geographic areas of expertise, as well as frequent pain points. Instead of stating explicit capabilities, answering how they hope to contribute to this group’s mission will be most helpful.

There is no expectation that people are able to share and leverage intelligence actively: the group operates on a good faith basis.

Membership

Members of the FIRST Threat Coalition SIG have access to the following:

Members will be able to share cases without vetting and will be able to share sensitive information on threats in a trusted environment.
Members will be invited to FIRST Threat Coalition SIG private events.
Members will be given access to the FIRST Threat Coalition SIG Slack Group.

Because the SIG’s mission is to facilitate secure sharing and trust between members of civil society and the private sector, a diverse perspective within the group is necessary. Membership requests for individuals who bring a diverse perspective to the SIG will be prioritized.

Member Responsibilities

Attending Meetings and participating in threat discussions within the larger group or smaller working groups; Active participation is expected. The minimum requirement is attending at least one full group meeting per year.
Updating the SIG of any change in affiliations within 30 days of beginning a new role;
Outreach to new stakeholders and members;
Serving on a rotating membership vouch committee that validates no-vouch requests at least once a year;
And other more voluntary contributions, including but not limited to:
- Helping formulate information sharing policies;
- Providing meeting agendas;
- Facilitating trust building and sharing between parties.

Vouching for Membership

Once the applicant has submitted their interest, their membership will be reviewed by the co-chairs in an informal conversation and then submitted to the wider group to be seconded. The co-chairs will make every effort to avoid any unconscious bias in the process, continue to reach out to other organizations and develop a clear and fair review matrix. During this time, members have the ability to second a membership request, or submit a “no-vouch” request to the co-chairs. A minimum of two secondings, with zero no-vouch requests, is sufficient to provide membership to the applicant.

Criteria for No-Vouch

The following items are adequate reasons for a “no-vouch” request:

The applicant is actively sanctioned internationally or by the U.S. government;
The applicant has demonstrated verifiable behavior that would erode trust in the SIG, including but not limited to:
1. Publishing TLP:RED¹ information publicly;
2. Associating themselves with a government-affiliated organization surveilling or causing harm to civil society organizations;
3. Consistently demonstrates behavior that violates the FIRST code of conduct.
4. Previously misusing shared resources for personal or institutional gain.

The “no-vouch” request must include the specific reason for the request, and supplementary material: links or methods to verify that the activity spurring the no-vouch request has occurred.

Review Process for No-Vouch

Once receiving a “no-vouch” request, the rotating SIG vouch committee (consisting of four individuals chosen every month, plus one of the co-chairs) will review the request and supplementary material. If the co-chairs, upon reviewing the supplementary material, are able to discern adequate reasoning for a no-vouch, they will second the no-vouch and the applicant will not be admitted.

Termination of Membership

If a member of the SIG:

Does not attend at least one meeting in a given year;
Violates the FIRST Code of Conduct²;
Violates the FIRST Threat Coalition SIG Intelligence Sharing Process;
Or otherwise conducts themselves in a way that falls under the criteria for a “no-vouch” request while they are a member;

Any other member of the SIG may submit a request anonymously for the member’s removal or suspension. The process for membership removal will be identical to the review process for “no-vouch” requests. The member will have the opportunity to justify their actions prior to any suspension. The co-chairs will notify members of impending suspension and provide one month of time for justification. If the co-chairs do not receive a reply within that time frame, the membership will be terminated. Otherwise, the co-chairs will consider the justification and inform the member of their decision within two weeks.

Changes to this policy

This policy can be changed during in-person SIG meetings through majority vote. Proposed changes must be submitted to the SIG co-chairs in advance of the meetings.

Regardless of whether there is a majority vote of SIG attendees, the SIG does not vote on publishing information shared through the SIG - the process of handling TLP;RED information is clearly laid out in the FIRST Threat Coalition SIG Sharing Agreement here.

1. CISA Definition: TLP:RED information is information not for disclosure, restricted to need-to-know participants only. Unauthorized disclosure of TLP:RED information can lead to impacts on a party's privacy, reputation, or operations.↵

2. These rules apply to all members of this group, regardless of whether they themselves are FIRST members or not.↵