
IGF 2017 - Day 3 - Room XI - WS38 International Cooperation Between CERTS: WS38 Technical Diplomacy for Cybersecurity

 

The following are the outputs of the real-time captioning taken during the Twelfth Annual Meeting of the Internet Governance Forum (IGF) in Geneva, Switzerland, from 17 to 21 December 2017. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

 

>> PABLO HINOJOSA: Good morning.  Welcome to Workshop 38 about International Cooperation Between CERTS: Technical Diplomacy for Cybersecurity.  Note that this is a question, so we're here to explore this. 

I work for the Internet Registry for Asia‑Pacific, I'm Pablo Hinojosa.  We serve 16,000 networks, and the aim is to support Internet development in Asia‑Pacific and promote an open, stable, secure Internet.  We are part of the Technical Community and our voice is network operators and engineers in the Asia‑Pacific.  More and more our members, the network operators, they have come to us asking for support with their cybersecurity needs. 

A few years ago with my colleague we started an effort to connect and establish closer relationships in the region and beyond.  This has been a great experience and a benefit to our members, and also a positive impact to the ecosystem of the Internet.  We're committed to the view of the Internet as an ecosystem, and that's why we cannot see network operators and CERTs working in isolation.  And that brings us to the IGF, it is a great platform to connect isolated groups that could be working closer together for the good of the global Internet.  That's a bit of background.

The second part:  I have had the great fortune of meeting Madeline Carr and Duncan Hollis a couple of years ago, and we have had many discussions and we agreed on one thing ‑‑ probably on a few others ‑‑ one main thing, and that's the fact that discussions in the field have grown in parallel, not together, to the international discussions in the field of Internet Governance.  These discussions, if taken to a decision level eventually, it will have a profound impact on the way that networks operate, and we also felt that a good idea would be to connect international law experts working on information security with public policy experts working on Internet Governance and we also are involved, the Technical Community.

Last year in Mexico we organized the workshop on the subject of cybernorms, and we were successful in bringing together different groups and starting a dialogue.  We have members of the U.N. governmental group of experts and international law experts and members of the Technical Community, and we talked about trust and how Internet Governance participatory schemes could feed into discussions about responsible State behaviors and protecting the public core of the Internet. 

It is for me a great honor and pleasure to be working with Madeline Carr and Duncan Hollis on a second workshop here in Geneva.  It is somehow a sequel, has been designed with a different approach.  Like the first workshop on cybernorms, this is also about connecting the Internet Technical Community, this time, the community and this is an analysis of the protocols and interpreting them in an effective, diplomatic way. 

The question here, it is whether there are lessons to learn and concepts to share from the CERT community that could be useful to disentangle the international cybersecurity discussions, inform treaty‑level initiatives and foster responsible State behaviors.  The workshop here is a risky proposition because the community is very much focused on what they do, responding to incidents and solving problems.  They, I don't think, see themselves as cyber diplomats.  Meanwhile, the international cybersecurity discussions among States are somehow detached from the day‑to‑day operation of networks.  We will find a space in which the communities can communicate with each other and contribute with the processes. 

Before we proceed, just a bit of housekeeping, this room, as you can see, feel, it is not very applicable to what we're trying to do so we have to work against architecture.  That's why we have a bit of a strange seating arrangement for the core group that will participate here.  The idea is that the session will be recorded and webstreamed right now and the camera is over there.  When you speak, it would be great if you can speak very close to the microphone because it is being transcribed and the transcribers are lacking a lot because of proper audio ‑‑ I'm trying to speak close to the microphone.  It is difficult, but please speak close to the microphone.  The transcription only works if all is clear. 

We're trying to foster a dialogue.  Please avoid long interventions like mine, aim for 3 minutes and do not exceed 5.  Now I'll give the floor to Madeline Carr to introduce experts and to get into the subject.

>> MADELINE CARR: Thank you, Pablo.

Thank you, everyone, for being here this morning.  As Pablo Hinojosa said, we're excited about building the links between the different communities that indeed come to the IGF but very often sit in different rooms in the IGF.  We're grateful to you all being here this morning.

I'm an international relations academic, the area of research is the international political dimensions of cybersecurity and international Internet Governance.  I look at the way that States and non‑State actors cooperate, compete, try to collaborate, try to find some mechanisms for dispute resolution in this space.  It is becoming increasingly clear to me over the years I have been doing this that these issues cannot be addressed within a single discipline alone.  For that reason actually I have recently moved from a department of international relations to the faculty of engineering at University College London. 

If we look a little bit at how the issues have come to the international political agenda, I mean, for many years, decades, some States have been producing national security strategies where they kind of look at the global geopolitical context and they provide some kind of assessment of their place in that context.

In 2003 the United States produced its first national cybersecurity strategy.  Prior to that, cyber had been folded into the general security strategy of the States.  After 2003 other States rapidly began to follow by producing these national cybersecurity strategies in which they would ‑‑ yeah, look at the context, look at geopolitics, look at their own capabilities and kind of devise a strategy for forward momentum.

Following this, there was a momentum for States to develop CERT or CSIRTs, and they were seen as a sign of maturity of the State.  If they developed a national cybersecurity strategy and established a CERT, they were seen to be on their way to, you know, some kind of maturity in the context and some kind of capacity to deal with the complexities of global cybersecurity. 

What we saw sort of happen, sort of quite quickly after that, it was a tension emerge because while States were very keen to establish CERTs and for all kinds of good reasons, it became evident that the kind of close working of a CERT and national government, especially the intelligence community, could actually undermine the efficacy of a CERT for all kinds of reasons we'll discuss later.  I don't need to kind of preempt too much for this room. 

Essentially the CERTs struggled to maintain their independence and autonomy.  So this problem emerged that governments want to establish CERTs, they feel they need to and they have good reasons for that, but that too close of a collaboration can actually undermine the CERT.  It was the kind of problem that we have been looking at.

Now, recently, the United Nations group of experts in 2015 ‑‑ was it 2015, my mind is blank ‑‑ basically this group got together to try to establish some ‑‑ what we could say rules of the road for responsible State behavior in cyberspace, and they proposed 11 rules or suggestions or norms they call them.  One of them dealt explicitly with CERTs with two parts saying States should not conduct knowingly ‑‑ should not knowingly support activity to harm CERTs, so CERTs should not be a part of any kind of political conflict and also that CERTs should not be used for offensive State‑based behavior, malicious activity.

That kind of signals how CERTs are brought into this political agenda.  They're now ‑‑ CERTs are now definitely a component of the geopolitics of cybersecurity.  Whether that's a good or bad thing, they are. 

So part of the research we have been looking at is this idea of science diplomacy, and science diplomacy is in a very simple ‑‑ it is an established body of work, and it looks at ways that scientists can sometimes do things.  They can lead cooperation that politicians are unable to.  In very difficult, political context, scientists can often overcome that and they can cooperate together in a way that's not possible politically.  That doesn't mean that CERT should be diplomats or shouldn't be.  It is just a lens that we have been looking through, how is it that these CERTs are able to cooperate across political divides.  In global politics we're stalled with cybersecurity.

With that, I want to hand over to Leonie who has done interesting research on this.  Maybe you can share some of the work we have been doing here.

>> LEONIE TANCZER: Good morning, everyone. 

I'm probably one of the proponents of the idea of science diplomacy and CERTs, and we consider them an inadvertent scientific actor and we base this on research we're conducting at the university and we have so far conducted 20 interviews with CERTs, and this called for other actors to come forward if they would like to participate in the research on CERTs practices and their role in cybersecurity network. 

I want to use this opportunity to basically make three points we found in the course of our research, and Madeleine highlighted one: 

One, this is increasingly considered as diplomatic actors based on the fact that scientists collaborate for us, and the Technical Community collaborates across nation borders, it is a multistakeholder group and there are three particular aspects one can see that there is a diplomatic element to the work, there is a lot of formality or informality. 

One thing I have learned, if you want to build trust, you go with a pint with someone.  The other thing, there is a lot of community around CSIRTs, they have formal, informal structures to incorporate, and that's the last point around the Diplomatic elements.  That they kind of consolidate a nature of community, a community that negotiates, that mediates across different cultures and practices and that's important for information sharing and to secure the Internet infrastructure and respond sufficiently to cybersecurity incidents.

The other important point I want to make, the increasing professionalization.  What we mean with that, it is that in the course of the interviews we identified that a lot of CSIRTs and PSIRT engage in formal, informal networks that are engaging in being formalized.  And an example of this is the directive where there is an important role and where the European Union Member States are basically encouraged to look at international CERTs participating across borders and facilitating this within the nations and across.

An important thing, the first community in this regard that plays an important role ‑‑ and I'm sure that colleagues on the panel will go into more depth with that ‑‑ an interesting aspect we see, group size here by CSIRTs, more established, bigger, there are issues around split up groups focusing primarily on financial issue, for example.  It is harder to share information in a massive group where there is various political actors involved and where there may be an issue around being concerned about sharing certain information. 

That's the last point I want to make, which is the one that really struck me when I conducted the interviews.

Now, cybersecurity, it is an established concept, we see that in the issue of malware and others have highlighted this.  What we see, and an important incentive for discussions today, it is that CSIRTs are increasingly being interfered with by governmental actors. 

Cybersecurity is a national issue.  It is nationalized to a certain extent and to the Technical Community of CERT is established from a need‑driven basis.  Now that there is increasing formalization, and States for example established their own CSIRTs, this affects the trust networks that established over years and decades.  This is a purely defensive tool, and I think that's important to discuss in regards to the U.N. GGE discussions that one needs to acknowledge the CSIRTs community has a specific role, a trust network requiring this freedom to interact across borders and they do that currently very effectively, but we do see an increasing threat by incorporating CSIRTs on ministries or bodies like national cybersecurity centers which are then associated, for example, actors and bodies that might counteract like incident response because vulnerabilities is something that one can exploit.  This can interfere with the trust network.  This is an important aspect that we think we need to address today and in the future, and I'm sure the first actors of the panel have something to say to that as well. 

I think it is a good step forward to open up this debate, along with the incident response for policy session which is a good way to have the CERT community and policymakers to come together to discuss this issue in more depth.

Thank you.

>> MADELINE CARR: Thank you, Leonie Tanczer. 

I want to bring in Adli Wahid, who is a security specialist and is involved in the CERT community.  And Adli, amongst other comments, I wondered if you could elaborate a bit on what you see as the role of CERT/CSIRTs in this role.

>> ADLI WAHID: I will touch on two topics and basically talk about CERTs and how and why we cooperate, and I think attendees in the session can understand a bit about the multivision and why we do this kind of thing and perhaps then relate to the bigger conversation on participation of CERT/CSIRTs within the realm of political activities, so on, so forth.

One thing I should put in context, the Internet is very distributed.  When you have a security incident, there is a need to be able to, number one, respond quickly to mitigate, to make sure that the damage can be contained and that they will not distribute further and cause more damage.  There is an interest there not to just protect your own network but also the networks in general, the bigger networks.  You would not want to, for example, have financial losses to be accumulated, to be increased, or you don't want to have the stability of the Internet to be affected.

While the term CERT/CSIRTs sounds reactive, but the whole incident response process is actually very proactive.  You can see that, for example, once there is an incident, the IT community is interested in seeing what others are seeing.  Can we know how the attack works, what are the indicators?  From there, it helps other people to perform analysis, right, and certain mitigation steps can be applied and in the end, you know, lessons learned out of this whole thing, so that we can use it in making better policies or improving cybersecurity in general.  So the community works closely with one another. 

The first CERT was established maybe 30 years ago perhaps.  This is not new, and in fact, they're celebrating the 30th Anniversary next year.  The community had existed for a long time.  One thing that I hear more and more in the conversation about CERTs within the other stakeholder domain, non‑technical community, we focus on the national CERTs and for nations to work together through these and so on, so forth.  You must understand that many of the CERTs are not related to nations.  In fact, many of the FIRST memberships are private CERTs that are linked to hospitals, academia, to banks, so on, so forth.  Even without documented policies on how countries should talk to one another, the CERT communities engage with one another actively through various means.  One is, yes, as I mentioned earlier, through information sharing. 

We share information on threats, but there are also a lot of activities that happen outside of crisis time.  This is a thing where a CERT sends an advisory to another CERT or shares Best Practices on how to set up CERTs for example.  CERTs work together in cybersecurity exercises to increase preparedness, to understand who is at the other end, who is the other person that's answering the phone.  It is more than just establishing institution relationships but trying to establish human to human relationships so that in a time of crisis I'm very comfortable to call Marten at 3:00 a.m. in the morning and he's not going to be mad at me.  We have that relationship.

We have the information sharing, the other aspect, getting together, sharing insights, what people are seeing, what are the difficulties in applying some form of mitigations, is there a way forward to improve things.  All of this may sound like it happens naturally, but it doesn't.

There are a lot of efforts within the communities to develop some kind of a protocol for information sharing.  For example, if you go to the FIRST website, you see this TLP, the traffic light protocol.  This sets expectations on how information will be shared and can be shared with one another.  There are a lot of activities also in developing tools where, you know, CERTs share a lot of information on things that they use to either automate or make things more effective when it comes to information sharing.  It is more than just sharing a piece of advice, but also people getting together to develop and work on projects.  I hope that within a few minutes I have highlighted, first, why we work together and, secondly, how we actually work together to have better collaboration and coordination when it comes to information sharing.

Thank you very much.

>> MADELINE CARR: Thank you.  That was a fantastic overview of a long, complex, mature community.  Well done in 3 minutes.

I wanted to bring in Marten Van Horenbeeck.  Marten Van Horenbeeck is at FIRST, the industry association of CERTs, and obviously has a sophisticated perspective on this as well.  Marten, I wondered if you could, amongst your comments, maybe make a comment on how the CERT community sees the U.N. GGE norm on protecting CERTs and not engaging them in political conflict, if you have a view on that.

>> MARTEN VAN HORENBEECK: Thank you.  Thank you for the opportunity to be here today and speak with you.

It is a great question.  I think they don't see themselves as political actors busying themselves as engineers, Technical Community members that work together to deal with incidents. 

I want to jump back to something said earlier, the nationalization of cybersecurity.  Cybersecurity is not actually a national concept.  By definition it is almost impossible to make it that.  We all rely on cooperation, CSIRTs in particular, to deal with the security incidents. 

For example, we all use software written in other countries.  When there is a security vulnerability, an inability in the software, we have to engage with the vendor and individuals that wrote that software to get a patch.  Outside of that, CSIRTs can mitigate, but not fix the issue. 

The reason why this is important, the risk of calling this science diplomacy, it is putting some power, some control with governments on what it is that CSIRTs can do and how they engage. 

I will quickly use a short example of where that can lead to trouble.  It is an example, it is a bit more on the extreme end but I think it is very relevant to the discussion.

In about 2011 there was a piece of malware written at the time by a particular incident response team in Iran.  They wrote that there was a particular malware that they referred to as Stars.  The Technical Community, the CSIRTs community around the world read about it and discarded it because they didn't have ways to engage because of government sanctions and so on.  It wasn't taken very seriously.  It wasn't very well investigated.  A few months later, the malware sample did make its way into the international community, and it was very easy to find the new sample to gather for the report.  The sample actually generated an image of Stars that had some data encoded in it.  What made this relevant, that particular sample actually exploited a security vulnerability in a well‑known word processor that a lot of individuals across the world use.  Because there was no real ability of the CSIRTs to engage at an international level with the CSIRTs in Iran that reported the issue, that vulnerability didn't make its way to the wider community until several months later, which also meant that the patch of that vulnerability, it was delayed, exposing users all across the world.

We could make the argument that someone who is attacked with a particular vulnerability doesn't have any incentive to share that vulnerability with the CSIRTs community.  That's actually somewhat inaccurate in a sense that even a government doesn't have the ability to protect all of their infrastructure when they don't have access to a patch by a vendor.  They can fix, mitigate, they cannot make sure that they're not compromised or don't have gaps in the defensive posture there.  It is important to recognize that some political acts can actually make CSIRTs cooperation far more difficult.  If we do what we do in science diplomacy, it creates an agency for the government to make decisions on whether or not a CSIRT should engage.  I think that's something that we should somewhat shy away from as a Technical Community.  We identify when there is an issue, we help resolve the issue, coordinate with the stakeholders and move back to normal.

In terms of the U.N. GGE norm, in particular I can tell you that within the CSIRTs community there is very little discussion on that norm.  In a sense that I'm fairly certain that a lot of the Technical Community isn't aware of the existence of the norm and to what degree an implementation effort is underneath it to put it in place.  It is highly relevant, but it is restrictive in a sense that when you think of compromises on CSIRTs it is difficult to come up with a good example of a CSIRT that was compromised by another State.  However, there are several examples of infrastructure that supports the CSIRTs that was compromised by other States. 

A great example in that field is antivirus vendors.  There are several examples of the antivirus vendors compromised and leveraged to perform something that is inherently an offensive act or something that would undermine the ability of the antivirus vendor to defend.  The antivirus vendor, if it doesn't fit in the definition of a CSIRTs when you think of national CERTs or public security incidents, the response teams, but in a way, it is infrastructure that's leveraged by the CSIRTs community to actually defend the incidents.  It is important to think about the wider context as well and wonder if the norm in that sense is truly effective or if there is implementation work that needs to happen underneath.

Thank you.

>> MADELINE CARR: Thank you.

I would like to bring in Louise Marie Huriel who works on questions of software.

>> LOUISE MARIE HURIEL: Okay.  I hope the microphone is okay.

First of all, I thank Madeline Carr, Pablo Hinojosa and Duncan Hollis for the opportunity and for hosting this discussion which I think it is a good part to thinking about norms and going deeper in that and understanding some of the challenges and thinking together, which I think is the purpose of this panel.

I think while the question of the day is, and as has been tackled well, what do CERTs/CSIRTs and the challenges and opportunities that come up when we associate them with science diplomacy.  I would suggest that there are three dimensions that need to be considered in talking about Diplomatic characteristics of the activities of CERTs and unfortunately we don't have time to go deep into each of them but hopefully we'll get that to ‑‑ to discuss that in the debate.

The dimensions that I think are flows for us to tackle this, it is first the international cooperation between national CERTs and CSIRTs, the cooperation of CERTs and CSIRTs at the national level and most importantly the relationship between national CERTs and stakeholders and in this case mainly the government which has come up over and over again this kind of relationship and the previous speakers, that's why I would like to suggest that we not stick only with the idea of science diplomacy but take a step in the broader idea of CERTs as embedded in the political scenario of national, international cybersecurity tensions which is really undeniable because even though sometimes you have the silos, different stakeholder groups trying to make sense of what cybersecurity is, they're inevitably connected to each other and there's many spillovers as we saw already, how it is a particular political context plays into effect and helps us to understand the role of CERTs. 

Let me give a quick example that I have been researching more deeply. 

Throughout the cycle of international events hosted in Brazil in the past years and starting in the Rio de Janeiro Plus 20 Conference of 2010.  What we have seen is a demand for a development of internal mechanisms, and I think that's a global trend of internal mechanisms to respond to incidents and level‑up cybersecurity capacities.  So responding to the demand, we saw a great deal of institutionalization, cybersecurity through creation of policies, development of national strategies and establishment of a cyber defense center and later a cyber command in Brazil.  In this context, the national CERT was actively engaged in educating, building skills, being a part of the training, making other stakeholders understand what do CERTs do and that's a concern that Marten and Adli shared well over here.

This was a particular moment where we see the three dimensions that I mentioned before.  The national CERT, it worked with the National Defense Center, Cyber Defense Center with intelligence agencies and other stakeholders throughout the period.  CERTs are indicators of cybersecurity development and maturity, and many governments sought to establish or restructure the place of CERTs in the institution and structures to pursue this idea of good national cybersecurity mechanisms.  This is what I'm inclined to think of as a surfacing of cybersecurity as a concern on the national and international Agendas and that is perhaps what we were talking about when we talk about the nationalization or the politicization of cybersecurity and incidents such as we have seen in talks over and over again that have contributed to the horizontal spread and shared concern and has become both an object of political dispute and a concern of how individuals on the other hand are very exposed and vulnerable.

While on the practical side, on the day‑to‑day notifications and circulations between CSIRTs and CERTs, it is a purely technical support, CSIRTs has played a meaningful role in establishing channels for building confidence between countries and among cyber related institutions, these are an example of the national CERTs, the APs and others throughout the region or the establishment of content specific time‑bounded CERTs, CSIRTs such as in the case of Brazil, Olympics, there was a trust network created and they built somewhat in the neutrality discourse, the highlights of how the relationship among the CSIRTs is an evidence of cooperative structures and let me just close by sharing a very interesting conversation that I had with one ‑‑ with a colleague that works in the CERT.  He came up to me and said, well, even if everyone does their homework in terms of security, it doesn't mean that we're really secure.  We have gotten to the point where not only do we have to understand cybersecurity should and is a shared concern and responsibility, but actors such as CSIRTs, especially the national ones, they're a part of the political dimension to participate.  We need them to look at CERTs as a cybersecurity government ecosystem.

I believe that the question and challenge for us to think about cybersecurity as an issue is for us to think about cybersecurity as a governance issue and in the sense of questioning what are the impacts of the surfacing effect of cybersecurity and the shared concern and how do we keep leveraging common interests to preserve the cooperative structures such as CERTs and how do we still keep this kind of flexibility and the trust networks while at the same time understanding this process of shared concerns and the process of surfacing the cybersecurity internationally and nationally?  Where do we establish and how do we get to this kind ‑‑ this is a necessary question to ask when we think about cybernorms.  

Thank you.

>> MADELINE CARR: Thank you.

I think those four interventions really start the conversation between the two communities, the Academic Community, who studies these things, and the Technical Community.  The Academic Community that studies these things from a national, international cybersecurity perspective, and the Technical Community who sees as Marten said, not a national issue but a global cybersecurity issue and the mechanisms for approaching that.

And I'm proud that we hand over right on time to my colleague Duncan Hollis who will now bring in the International Policy Community.

>> DUNCAN HOLLIS: Thank you.

I want to apologize.  I woke up this morning with this sound, my voice.  It is not that pleasing, so I'll try to communicate nonetheless. 

Thank you to Madeline Carr and Pablo Hinojosa, I'm the junior partner at the table.  They crafted this plan, and I'm along for the ride so to speak.

In listening to our first part of our conversation, it strikes me what we heard is what I call a descriptive approach.  We're thinking of how do the academics describe and visualize what the CERT and CSIRTs community does, how does the CSIRTs community envision itself, what do they experience and the like.  As has been alluded to, there has been a movement to treat CERTs not as actors but subjects of the norm‑making process that we have seen in international forums as we enter a world where cyber diplomacy is a thing ‑‑ and we have cyber diplomats sitting in the room with us ‑‑ that there is this question of what role should the CERT as a subject of the normative project, what role should they have and what role do we want not just for those that already exist, but let's remember the expansion of the communities and there are countries looking at developing and putting in place national CERTs or CSIRTs, and taken what was previously private CSIRTs and moving them in government and there are questions on how that should be done, what are the boundaries for that, autonomy remaining in the CSIRTs, should ‑‑ what relationship does it have with law enforcement, the intelligence community, et cetera.

I will ask Vladimir Radunovic to kind of give us a little initial overview of where that normative vision for CERTs came from and where it is now, and then we'll bring in some of our government folks and folks from the ICT community to offer their views.

>> VLADIMIR RADUNOVIC: I apologize, I won't look at a camera.

Two bits of research that may be useful:  One, with regards to the risks.  The whole environment has changed as we have heard also yesterday with the entrance of States and with cybersecurity.  We have tried to map the countries that actually say that they have offensive cyber capabilities ‑‑ and there is a map available, you will see it in this IGF daily and the Digital Watch Observatory.  It shows 20 countries at least that say themselves today that they have offensive cyber abilities, more or less are responsible saying how they'll use it, some are not.  There are 9 more which have strong indications that they have and probably many more. 

Much of the offensive cyber capabilities are hidden in the defense framework as sort of a preemptive defense and so on, even an intelligence.  That's a bit of information which changes ‑‑ which is sort of a changing when it comes to the role of the CERTs.  The other bit of research, it is the research done earlier this year by Diplo and unfortunately accurate because there were no changes in the U.N. GGE process, otherwise we would have to update it and basically it serves to compare or ‑‑ compare the norms and the report of the U.N. GGE 2013 and as with the work plan on security and with the Organization of American States, subsequently the strategy and declaration strengthening cooperation of cybersecurity and so on.

One of the findings in that, focusing on CERTs particularly, there are incidents where the documents refer to CERTs directly or indirectly.  There is a whole set of things that's related to enhancing the CERT cooperation and incident response.  One as mentioned in the beginning, what was said about knowingly supporting activities against CERT or using them in cyberattacks.  There is another one, which is for instance highlighted by the GGE and the U.S. establishing CERT, including for the protection of infrastructure and facilitating cooperation between CERT such as exchanging information and norm vulnerabilities, attack patterns and Best Practices for mitigating rights.  Coordinating responses and then organizing exercises and supporting each other in handling the incidents and then facilitating regional cooperation.  That's something that probably the CERTs should take into account.  Those are specific links.  There are those that are not linked directly to CERTs but could be attributed to CERT.  One is about exchanging information, particularly, there is a link to encouraging experiences ‑‑ sharing experiences and lessons learned in dealing with threats and creation of regional databases of potential threats and possible remedies in cooperation with working with CERTs, that's particularly the iOS document. 

Then we have a couple of points on a point in contact points.  GGE says more or less the national contact point and contact data of existing national structures such as CERTs, and this is a question of what's the difference between national contact points and CERTs.  This is emerging, it is more or less clear to us but not normatively clear.  Sharing information then among appointed counterpoints and establishing a content directly database without duplicating certain networks, that's particularly within the Asian Regional Forum and the GGE.  There is a point related to critical infrastructure which goes on providing channels for online information sharing on threats to critical infrastructure and modalities for realtime information sharing together with CERTs.  And there are a couple of bits, all of the documents also relate to capacity building, so there are a couple of bits which talk about the need of capacity building and some are particularly related to incident response, and it is suggested capacities on how to report a cyberincident and to whom.

I will stop with that, I think this gives an idea where CERT is mentioned in the documents.

Thank you.

>> DUNCAN HOLLIS: Thank you.

I think that's a great overview.  It highlights the fact that we have now for the last several years in various international Forums seen these efforts to ‑‑ by non‑CERTs, they're putting on the CERT community or certain norms of behavior.

I would like to bring in a few of the folks with experience of representing governments.  I'll introduce them as a group and let them respond.  We have Karsten Geier, who represented the German government on these issues for a number of years, and also has recently Chaired the GGE from last summer that failed to reach a consensus report.  Most people know this.

We're joined by Tobias Feakin, who represented Australia, and Gavin Willis.  For the group of you, I'm kind of curious, you can cherry‑pick from the following kind of set of questions, one I'm kind of interested to know from your perspective or your understanding of the international conversations why have CERTs or CSIRTs been brought into the voluntary norms of the CBMs, et cetera.

Second question, how do you understand the relationship of CSIRTs to national governments?  I understand when I use that term CSIRTs it is probably needing to be disaggregated.  We have on one hand certain national or the nationalization of certain CSIRTs, and that may be the one of most interest but as suggested earlier, we have plenty, if not a majority of CSIRTs and there was the point about the similar functions they perform and why focus on only national CSIRTs in this role and not offering similar norms or what have you for the private folks, let alone the industry that's engaged in much of the same activity.

The third question, the one that this whole panel raises, which is there parallel or potential in this idea of CERT diplomacy, is this an idea from a government perspective that has appeal with the current geopolitical environment, where if the politicians, diplomats can't talk, maybe the scientists can talk to each other.  Are there problems that as Marten suggested, does it resonate when he says some political acts to make the CSIRT act more particular?

Karsten Geier, if it is okay with you, I will give you the privilege of taking the floor first.  Thank you for joining us.

>> KARSTEN GEIER: Thank you.

I'm not sure I'm happy to thank you for giving me the opportunity to explain failure.

Which I won't do, by the way!

I will use the floor to make a comment and then maybe set a bit of the background on what the GGEs have been doing so far.

The comment, I have been listening attentively to this conversation and wondering if we're not talking past each other.  Cyber diplomacy to me is about solving problems which the world wouldn't have if we didn't have an Internet.  I think we have been discussing a problem this morning which doesn't exist at all and that's because I think we may be discussing two different levels of problems.  I believe that as a matter of fact, the CERT/CSIRTs community plays an important role at both levels.  A primary role at the first level, secondary role at the second level, let me explain.

Cyber diplomats, people representing governments on matters, what they do, they try to agree the rules to state behavior with regard to information communication technologies.  In particular, the primary target of cyber diplomacy must be to prevent the use ‑‑ not the use of information communication technology in international conflict, but to prevent international conflict to emerge inadvertently, involuntarily from incidents which have happened in cyberspace, which are due to the use of information communication technologies.  You can imagine a scenario in which ‑‑ I don't know ‑‑ one country you have a serious ICT incident and the government rightfully or wrongfully attributes that to another government and then other government says it wasn't us, and tempers flare and it escalates.  This is an important scenario on which we are talking.  This means that the cyber diplomats, representing governments, they only come in to play at a relatively late phase of the game.  They only come into play if an incident has escalated to the point where the technical communities, the source of the CSIRTs have not resolved it.  So far, fortunately I think almost all incidents have been resolved at the technical level without government interference.  That's a very good thing.  I would strongly encourage the CERT/CSIRTs community to continue about what they have been doing successfully, establishing their own patterns of interaction and rules of procedure and establishing its own channels of communication to manage the myriad of incidents that we see every day so that they don't ever come to the attention of people like myself.

This also may be explaining the role of the contact points that we have been establishing in the area and in other regional context in which the U.N. has been encouraging.  Those are the political contact points, for instance, the risk of jeopardizing international peace and security, they're not meant to replace CERT/CSIRT contact.

Let me explain a bit where we are in the U.N. with the GGEs.  So discussions on ICTs in the context of international peace and security have been going on since 1998 since the Russians brought it to the national assembly.

At first, there was not a lot of enthusiasm for the topic for any number of reasons, one reason was that people didn't understand what was going on.  Now, the U.N. is not different from any other big organization that's faced with a new problem, if it doesn't know how to handle the new problem, it asks a group of experts to study the matter and revert.  The U.N. context, that's called a group of government experts.  So 2004, 2005 the General Assembly convened a group of government experts to study the matter, and that group met and it couldn't agree on a consensus report, setting a very unfortunate precedent for a later GGE.

The General Assembly was not discouraged by this lack of consensus and convened another GGE and Gavin sat on that, every development that followed since 2009 to 2010 is Gavin's fault but that GGE did produce a consensus report which concluded that existing and potential threats in the sphere of information security may cause substantial damage to International Security and the effects carry significant risk for public safety, the security of nations and the stability of the globally linked international community as a whole.

What this means, that in 2010 after only 12 years of negotiations, finally the U.N. arrived at the consensus that, yes, there is a problem.  Mind you, the U.N. has on occasion been overtaken by glaciers.

The U.N., General Assembly convenes in 2013 another GGE and that one produced ‑‑ Gavin, with all due respects, neither of us were on that group ‑‑ that actually produced a landmark report, international law, the U.N. charter is applicable and is essential to maintaining peace and stability.

Following on the heels of that success, there was a 2014, 2015 GGE, the fourth, which offered insights on how existing international law applies, but also a set of voluntary, non‑binding legally non‑binding norms of responsible state behavior to reduce the risks, international peace, security, stability, and those non‑binding norms actually also covered behavior of governments with regard to the role of CERTs and CSIRTs and the idea was to protect exactly what the CERT/CSIRTs are doing, to encourage their positive, stabilizing role and to prevent them from ‑‑ prevent them being politicized between the governments.  That's the purpose of bringing the CERT/CSIRTs into the norm GGE report and then another was developed to deepen and internalize the reports of the previous GGE report and the experts on that group wanted to produce a report, what they called a report plus which would be a concrete recommendations to governments on how to implement the recommendations contained in believe GGE reports and we got very close.

In June of this year, 23rd of June, we had about ‑‑ I don't know ‑‑ far more than 90% of our report consensualized, but there was a point on which it was impossible to reach agreement, and so unfortunately we had to report failure to the general secretary.  It was certainly not for lack of trying and it was also not for ‑‑ for lack of advice received.  Anyway, the discussion right now is how to take this forward, the way to go next.  I won't bore you with that. 

Maybe one final word is I believe that cyber diplomats, that governments should refrain from interfering in the work of the CERT/CSIRTs community.  It is important work going on very, very well for a number of years without us getting into their way.  I think we're well advised to continue to not getting in the way of CERT/CSIRTs and these experts.  At the same time, I believe that we're well advised to listen to the advice we're getting from the technical experts, from the CERT/CSIRTs community where it is offered.  Otherwise, there is a good chance we'll write and produce nonsense.  A number of GGE experts have had technical experts, CERT members as advisers in their teams and we have all benefited from it in our discussions.

I'll stop it there.

>> DUNCAN HOLLIS: Thank you very much.  I'm particularly impressed that you did in less than 8 minutes an entire survey of the history of the group of government experts.

I want to invite both Toby and Gavin to contribute maybe not on the GGE process individually but we have situated where we fit into this and the terms of taking that as a foundation, what are your thoughts on this question of CERT diplomacy, what's the right role of a CERT from a national perspective, is nationalization good by keeping them autonomous?  What's the views?  I will turn it over to either of you that wants to take the floor first.

>> TOBIAS FEAKIN: There is a temptation to overuse CERTs and they're a diplomatic tool and partner to have when in a discussion because basically dealing with the operational community whose concerns are based around how do I get the job done, not how do I deal with politics.  It is incredibly useful.  I'll use a clear case study, track one dialogue with China last week, there were a lot of difficult discussions that we had, at the end of it we signed an awesome agreement between our CERTs and found amazing case studies where they're assisting one another in fighting cybercrime and assisting with sharing information.  It is your second track of diplomacy behind the scenes getting the job done.  Something to be careful of, not pointing the finger at them too often, the national CERT team saying do something more for us, they're stretched.  They're part of the diplomatic toolkit we have.

I think in Australia ‑‑ and in many other countries as well ‑‑ they play a vital role from Australia's perspective and bilateral relationships in a regional setting.  We are very proud of this, they're doing incredible work in bringing the community together and sharing with us diplomats in the Foreign Affairs world and making sure that we're aware of the work that they do and how we can capitalize on that.  We conversely try to push funding so that we can support good project works that they have.  There are a number of projects that the Australian CERTs are working on now, specifically in the Pacific, and building those linkages, operational linkages, bringing together people in the Pacific of being involved in the setting up of the CERTs or are already involved in the CERTs.

There is a very strong role that CERTs can play, and something that we started to do a lot of now from Australia's perspective, in building the linkage between international law and norms and how they actually relate to operational issues and we found a very willing partner coming in the room, talking about operational issues and how the law, norms are directly applicable to the kinds of operational issues that they deal with. 

We found that one of the single most useful ways of making norms, international law more visible and comprehensible to a broader range of States than otherwise may be the case.  I think, you know, this at the do all manners of good work which has been described.

I think ‑‑ I'll go back to where I started and tie up so that we can have a bit more discussion ‑‑ I think there is a danger that we lean on them too much.  I think that's my concern.

It is important not to spoil this very practical operational focus that they have and ensure that some of the geopolitics don't spoil the really good work that we do. 

I'll leave it there.  Thank you.

>> GAVIN WILLIS: Good morning, everybody.

I'll respond to Karsten in a way saying I'm recently back from the telecom conference and we failed to agree on a new resolution, so I'm happy to join in the team of people that's been failed in international cybersecurity negotiations.

Moving on closer to the subject today:  First of all, we have to be careful to avoid generalization.  All CERTs are different. 

We have a third structure in the U.K., it is part of the national cybersecurity center and the Minister for which is the foreign secretary.  I doubt if any of the national CERTs report to the foreign Minister.  That's an unusual situation.  Each nation should make their own decision on what the constituency is.  We have a structure that works for the U.K., most likely not working for other nations, we don't believe one‑size‑fits‑all.  Our national CERT has a good outreach program.  For several years we have been leading members of a private club of European government CERTs.  During the negotiations for the E.U. network and information security directive we strongly supported the proposal to form a network and that directive obliges the national CERTs to meet regularly.  We're a member also of FIRST.  Inserting a note of reality, the performance of national CERTs is likely to be judged on how well the national networks are defended.  International cooperation must have a business case and there will be priority calls made.

The case is often clear if a neighboring country has a problem, it may well affect the U.K. and we may face a similar issue.  We have a very strong relationship with the national CERTs of all our neighbors.  Being realistic, it is easy to justify a continuing and close relationship if the flow of data is in both directions or should try to give as well as to take and behave in a trustworthy manner, trust must be earned by the way.

Leaving to a higher level, there are agreed norms from the GGE as we heard for in particular for the exchange of information.  National CERTs are actually in a position to be conduits for that as part of their usual work.

They should wherever possible be open to requests for assistance or information from other nations.  We're very clear that we want all nations to have effective national CERTs.  The title of this session includes diplomacy, there are many definitions of diplomacy.  If that's the external presentation of a nation's policies, such as a free, open, secure Internet and yes, indeed, the CERTs have an opportunity to contribute to that.

Thank you.

>> DUNCAN HOLLIS: Thank you.

So we have heard from a variety of stakeholder communities so far, we have heard from the academics, the Technical Community itself and heard from the perspective of the "cyber diplomats."  I will turn now before we open it up to the room and remote participants to final communities that may have a view on this question of CERT diplomacy.  On behalf of the ICT, we have the director of cybersecurity global cybersecurity strategy and policy at Microsoft who can offer us a bit of a perspective from the Microsoft perspective how you all see obviously the importance of CSIRTs but where do you come out of this idea of the polarization and how they should be integrated in the cyber Diplomat toolkit as suggested versus the Marten perspective, we have worked well alone, leave us alone and finally, I would be interested to know from a research perspective and from outside of what's been a largely Western conversation so far on this panel, you know, how from a Malaysia, that kind of perspective is this conversation viewed and what you may contribute.

>> ELINA NOOR: We would agree with a lot of what was said.  I don't know if we have a lot of new points to add from the Microsoft perspective.

Throughout much of this week actually it has been interesting for us to see how much discussion there has been not only on cybersecurity, the landscape, the need for cybersecurity norms or even this conversation around the treaty.  We have heard from many people, of course, also in response to some things we have proposed that treaties take a long time, are cumbersome.  It is important for us to address these questions in a multifaceted way and we need to make sure that we address this practical reality we live in that the threats really are increasing.  We are seeing a proliferation of nation State actors in cyberspace, sophisticated groups, some organized crime and we are concerned about the impacts of the disruptive cyberattacks.  As a result, I think it is important to think about not only longer-term measures such as norms, how to implement them, potentially more binding agreements, but also more immediate steps.  This is where thinking about the community and what it can do, it's critical.

I'll make three brief points:  One, it is incredibly ‑‑ remains incredibly important to build out national incident response capacities.  They do play a critical role in analyzing, responding to incidents.  The key piece here, it is that there is a significant difference and variety in the capabilities that they have, even in regions such as here in Europe.

To give you an example, it is ‑‑ for us, it was really interesting to see as within the European Union the network information security directive, Europe's first real cybersecurity regulation that was adopted.  At the start of that negotiation, by far, not all European Union Member States had a national CERT, just as by far not many of them had a national cybersecurity strategy.  This is in 2012 to 2013 context.  The situation has significantly improved although there are a couple of Member States at this stage that just recently actually inaugurated their national CERTs.  I think it is important in that context to then also think about some of the proposals that are made, for example, in the directive which talks about the need for mandatory information sharing, both from companies to national regulators and also as put in place essentially requirements for governments to exchange information.  The details are still being worked out.

That really brings us to the point of ‑‑ there is a difference between mandatory incident notification and a top‑down Coordination Mechanism and voluntary information sharing, which communities for many years have been doing and is very, very good at.  We need to be mindful as governments regulate the space and by the way, we do believe that there is room for regulation here, what we need to be mindful, we preserve the voluntary information exchanges and the trusted networks.  That's one point.

I will say more about trust.  I think it has been mentioned before, building out that trust is absolutely critical.  Again, using the example of what we're seeing here in Europe, prior to this directive coming into force, we had a situation where just like industry is interfering certain information with all E.U. Member States or countries globally, also countries within the E.U. were not necessarily all sharing with all 28.  There are reasons for the different levels of trust.  I think building out that trust, it does take time.  You can't regulate trust.  Everybody figured that out.  How do we actually build that mutual understanding?  How do we build capacities for responding to large‑scale incidents?  How do exercise that and throughout the processes throughout time build that trust.  I think there is an interesting framework in place for this now and it needs to be filled with life and it is interesting to see how much of that can be a model maybe for other parts of the world as well.

Finally, a stretch goal, and maybe more provocative to think about how we can leverage CERTs to increase transparency and accountability in cybersecurity through informing the processes that are needed for cyberattack attribution.  I want to be careful here.  I don't think that CERTs are the ones conducting the process, that's a political process and we have seen that at the political level recently where there are decisions to attribute for example an attack.  CERTs have certain technical capability ability and one thing that's hampered a more coordinated attribute to date is there are not common methodologies in place, not necessarily common thresholds to determine and of course every attribution case is different.  I think using ‑‑ governments would be well‑served to leverage expertise to see how that is coordinate that had does reside in CERTs. 

I want to finish with, you know, to answer your question, Duncan, more directly, as has been said before, I think it is incredibly important that for CERTs to work effectively, they cannot and should not be politicized, they are not diplomats and shouldn't be.  We have to recognize this critical role that CERTs are playing in our increasingly digitalized world as first responders.  Those are the first and last best hope that we have and they need to be able to function without technical, political interference.

Thank you.

>> CAMINO KAVANAGH: I'll start off by saying that in the region that I come from, Southeast Asia, probably the wider region, there is a high regard for the Technical Community.  And part of the reason for that is because of the prioritization of the economic, commercial benefits and opportunities that come with the Internet in Southeast Asia primarily.  There is a lot of prospect in seeing the developing of the country and the commercial opportunities that come along with that.  There is also unfortunately a lack of awareness of the policy discussions surrounding cyberspace which is why there is this alternative focus on the Technical Community and capacity building instead.  It is not necessarily a bad thing, but for us, we work in the policy realm, I think that we're listening intently, trying to square the circle between the Technical Community on one hand and the policy community on the other trying to figure out if there is a convergence point where they should have a convergence point between the two.

I think that after listening to audience interventions, my ‑‑ my start point was that let's leave the Technical Community to its own.

I think my position has not changed very much at all having listened to all of the interventions.  I say this, there are two different start points, we've listened to the Technical Community believing itself to be an international community that crosses borders, but on the other hand, when you have government agencies like the national security council in my country which is the lead agency for cyber affairs which has a start point of securing borders, prioritizing secrecy, those are very different start points to begin with.  There is a huge gap between the start points that might not ever converge at any point.

When you have two very different beginnings, and you have a history of trust issues, a trust deficit, for example, in Southeast Asia, although we all share border, we've the historical legacy of trust issues, you have problems like how confidence building measures take 20 years before they can even be considered to evolve in preventive diplomacy which is where we are at in the Forum for example.  The Technical Community, you have points of contact quite easily, the policy community on the other hand has been a negotiating point of contact and from the outside you would think that this is fairly simple, you know.  Let's just identify a person and a phone number.  Apparently it doesn't work that way in a policy community, at least not for me.

The U.N. has occasionally been overtaken by glaciers, I say that at times we have been overtaken by the U.N.  So again, how do you square this with the speed of technology and all of the developments that come along with that?

Let me end on this point, I don't want to leave this discussion open‑ended at least from my point of view:  I will say that at the track 2 level there are mechanisms that have been trying to merge the conversation between the technical, policy communities.  You have examples like the council of security operation and the Asia‑Pacific which is supposed to mirror the regional forum and groups like this, they have been working in a smaller study group, trying to bring in the Technical Community as well as policy community in the same room to talk to each other to understand the issues better and to escalate whatever the gaps or recommendations there may be to the track 1 official level.  This is not always successful; there has only been one study group that's worked on cybersecurity issues and that's largely been focused on the technical side of cybersecurity.  There's recently been a study group on Maritime environmental protection which some of you may know can be a contentious issue because of the territorial dispute in our region in the South sea and on the track 2 level, what we saw in discussions, government representatives, non‑governmental representatives taking on very strict national positions which stymied the discussion from the get‑go.  We have this problem at the track 2 level even of unstraddling ourselves from national positions.  Not every non‑governmental representative is truly independent or non‑governmental, depending on what country you come from.

I will end on that slightly pessimistic note with a bit of hope to say that it is possible to have a conversation as we are now, bringing in the technical, policy communities.  It might be better to leave it separate so that they can both do what they do best.

Thank you

>> PABLO HINOJOSA: Our time has come fast and we're soon to arrive at our stop.

I would like to give the floor to Daniel.

>> I'm from the ICT for Peace Foundation, and I cannot resist now to just comment a bit because we've several partners in the room that have been involved with us and in helping launch this cybersecurity policy and diplomacy capacity building program which started in 2014 with the support of the U.K., Germany, Switzerland, and especially also Australia which then started with OES. 

And to say, you know, it was always the aim and the ambition to have both communities in the workshops which is very interesting.  I know and understand the complexities bringing them together.  Still, we believe that both communities have to understand the other language, and we have now done a number of workshops also in the African Union with African Union States, and in particular also with Southeast Asia, several workshops starting in Singapore, 2015 and now also moving into what we call the CMLV countries and we were there talking to bring in the CERT component.  We continue on that.  I think it is an important model regarding continuing in Cambodia, and it is interesting that the Cambodia host renamed our workshop from cybersecurity policy and diplomacy to norms workshop.

Thank you very much for your attention.

>> I'm a consultant.  I used to be a consultant with the IGF Secretariat on the Best Practice forum on CSIRTs and I have worked a lot with the team and I would like to share that work and try to make the square a bit more of a circle.

What we're talking about, the proof of two alternate realities, the world of the Internet where the governments were not present when it really took off and the one that's now trying to catch up and be involved.  We have the task forces, the working groups, there is ICANN, IRRs, there is ICT companies that grew very global in a few decades like Microsoft, that are now alternate realities to what traditional diplomacy is about.  The fact we're sitting here together discussing this proves that we're trying to find each other and what the meaning of the different worlds is.

There are things ‑‑ we'll stop with examples.  The Best Practice Forum on CSIRTs started in the summer of 2014 and I was pulled in at a late stage and reading all the documents I said you're not talking to governments, the big question is leave us alone, understand what we do, understand what our effect is on the global security.  I said to them go and talk to them.  The first response was you're not allowed to write that!  Two months, three months later, I was allowed to put in one recommendation, start talking to each other.  A year later they were together and the fact that we're talking here is proof that everybody is trying to reach out to one another.

Trying to make it round.  Yes, we're in very different worlds, diplomacy is a totally different interstate thing while they're doing with colleagues that they know and trust and working.  Where do you need each other?  Where can you strengthen each other?  Where can you make the world a bit safer together?  I think that having perhaps a bit different discussion that we're having now, but identifying the true problems you run into, that you run into, and the IGF runs into with implementing the standards, et cetera, you will get a totally different discussion, because then you're going to the heart of things.

I'll finish, I'll give one example and talked yesterday, I gave this example, what is threatening individuals and institutions, organizations most inherent, insecure devices that come in the markets.  What if we started the Working Group in the IGF, elsewhere, saying two years from now, there is no device coming on the market that doesn't have some sort of an inherent building security.  The goal, it is effective, everybody on the planet, it is ‑‑ you can set a whole horizon together and you need all of the players.  If that's something that we can do, it may actually change the world.

>> PABLO HINOJOSA: Unfortunately, time has come to an end. 

The only thing that I would like to say is that we started on point A and jumped into a train, it went really fast.  We hopefully made some contact inside of the train.  We arrived at point B.  I think point B is not a final destination, it is just an intermediary point.  I think ‑‑ I hope that after we leave the train we can still perhaps share a journey another time.

It is an honor, a privilege to have all of you here.  The YouTube link was not available during the session.  They tell me that it will be perhaps by tomorrow.  I have recorded the audio and the transcript worked pretty well.

The last words, I would encourage the core group to meet outside for a picture. 

And with that, I thank all of you for attending, and we welcome any comments on the usual Twitter and other media.

Thank you very much.
