E.3 Emergency Response Organizations

The Department of Justice, FBI, and U.S. Secret Service organizations listed below investigate violations of the federal laws described in Chapter 25. The various response teams that comprise the Forum of Incident and Response Security Teams (FIRST) do not investigate computer crimes per se, but provide assistance when security incidents occur; they also provide research, information, and support that can often keep those incidents from occurring or spreading.

Note that federal agencies often have field (local) offices where you can get more personal contact, although not all field offices are staffed by personnel with the same level of training as those at headquarters offices. You can check your phone directory for local numbers: look under "U.S. Government."

E.3.1 Department of Justice (DOJ)

10th & Constitution Ave., NW
Criminal Division, (Computer Crime & Intellectual Property Section)
John C. Keeney Building, Suite 600
Washington, DC 20530
(202) 514-1026

E.3.2 Federal Bureau of Investigation (FBI)

In addition to the NIPC, the FBI also runs the Infraguard?a set of regional cooperative efforts uniting the FBI and local businesses to protect against computer crime. The Infraguard links may be found on the NIPC web pages.

National Infrastructure Protection Center
J. Edgar Hoover Building
935 Pennsylvania Avenue, NW
Washington, D.C. 20535-0001
(202) 323-3205

E.3.3 U.S. Secret Service (USSS)

Financial Crimes Division
Electronic Crime Branch
U.S. Secret Service
Washington, DC 20223
Voice: (202) 435-7700

E.3.4 Forum of Incident and Response Security Teams (FIRST)

The Forum of Incident and Response Security Teams (FIRST) was established in March 1993. FIRST is a coalition that brings together a variety of computer security incident-response teams from the public and private sectors, as well as from universities. FIRST's constituents comprise many response teams throughout the world. FIRST's goals are to:

  • Boost cooperation among information technology users in the effective prevention of, detection of, and recovery from computer security incidents

  • Provide a means to alert and advise clients on potential threats and emerging incident situations

  • Support and promote the actions and activities of participating incident response teams, including research and operational activities

  • Simplify and encourage the sharing of security-related information, tools, and techniques

FIRST sponsors an annual workshop on incident response that includes tutorials and presentations by members of response teams and law enforcement.

FIRST was incorporated in mid 1995 as a nonprofit entity, and migrated FIRST Secretariat duties away from NIST. The Secretariat can be reached at:

FIRST Secretariat
First.Org, Inc.
PMB 349
650 Castro Street, Suite 120
Mountain View, CA 94041
Email: first-sec@first.org

FIRST consists of a large number of member organizations. Check online for the most up-to-date list of members. If you have a security problem or need assistance, first attempt to determine which of these organizations most clearly covers your operations and needs. If you are unable to determine which (if any) FIRST group to approach, call any of them for a referral to the most appropriate team.

Most of these response teams have a PGP key with which they sign their advisories or enable constituents to report problems in confidence:


Most teams monitor their phones 24 hours a day, 7 days a week.

E.3.5 Computer Emergency Response Team Coordination Center (CERT/CC)

One particularly notable FIRST team is the CERT® Coordination Center, which serves all Internet sites. CERT grew from the computer emergency response team formed by the Advanced Research Projects Agency (ARPA) in November 1988 (in the wake of the Internet Worm and similar incidents). The CERT/CC charter says that the organization will work with the Internet community to facilitate its response to computer security events involving Internet hosts, take proactive steps to raise the community's awareness of computer security issues, and conduct research into improving the security of existing systems. Their archive (http://www.cert.org) contains an extensive collection of alerts about past (and current) security problems.

You can contact CERT/CC at:

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
(412) 268-7090 (24-hour hotline)
Email: cert@cert.org

    Part VI: Appendixes