IGF 2017 WS #38 International cooperation between CERTS: technical diplomacy for cybersecurity?

Short Title: CERT diplomacy for cybersecurity

Proposer's Name: Mr. PABLO HINOJOSA
Proposer's Organization: APNIC
Co-Proposer's Name: Ms. Madeline Carr
Co-Proposer's Organization: Cardiff University
Ms. Madeline CARR, Academia, Cardiff University
Mr. Vladimir RADUNOVIC, Civil Society, DiploFoundation
Mr. Duncan HOLLIS, Academia, Temple University

Additional Speakers: 
  • Pablo Hinojosa, Strategic Engagement Director, APNIC
  • Dr. Madeline Carr, Associate Professor of International Relations and Cyber Security, University College London
  • Dr. Leonie Tanczer, Research Associate, University College London
  • Adli Wahid, Senior Internet Security Specialist, APNIC. Board member of First.org
  • Maarten Van Horenbeeck, Board member of First.org and Vice President, Security Engineering, Fastly.
  • Louise Marie Hurel, Cybersecurity Project Coordinator, Igarapé Institute
  • Duncan Hollis, Associate Dean for Academic Affairs & Professor of Law, Temple University School of Law
  • Karsten Diethelm Geier, Head of Cyber Policy Coordination Staff, Federal Foreign Office, Germany
  • Tobias Feakin, Ambassador for Cyber Affairs, Australia
  • Gavin Willis, National Cyber Security Centre, UK
  • Jan Neutze, Director of Cybersecurity Policy, Microsoft
  • Elina Noor, Director, Foreign Policy & Security Studies, Institute of Strategic and International Studies (ISIS), Malaysia
  • (remote) Camino Kavanagh, Visiting Fellow, Dept. War Studies, King's College London

1. Setting the scene. New research on "science diplomacy" and CERT cooperation. (Academia).
2. Discussion.
2.1. Technical community. How CERT cooperation works. (Tech/CERT community)
2.2. Update on UNGGE and state cooperation. GCCS. And more. (Government)
3. Debate
3.1. Whether CERT cooperation is (or not) a form of diplomacy
3.2. Whether CERT cooperation can (or cannot) help improve responsible cyber behaviors
3.3. Whether existing technical cybernorms are to be recognised formally by states
4. Conclusion
4.1. Key take-aways
4.2. Follow-up questions


- Key Issues raised (1 sentence per issue):                 

  • In the last 30 years, CERTs/CSIRTs (hereafter referred to as CERTs) have developed and grown in many different shapes and configurations. Most of them are not related to governments or national interests.
  • The establishment of CERTs has become an indicator of cybersecurity development and maturity and many governments have sought to institutionalize CERTs as part of their national cybersecurity mechanisms.
  • The performance of national CERTs is likely to be judged on how well the national networks are defended. However, the distributed nature of the Internet makes it very difficult to contain damages within national borders.
  • As governments may increase regulation and oversight in the CERT space, it is crucial to preserve the voluntary information exchanges and the trust that has been earned through collaboration.
  • CERTs cooperate, share information and maintain trust, even in difficult political contexts. Some academic researchers consider CERTs as inadvertent diplomatic actors, similar to the way that scientists have long been able to collaborate across borders.
  • An alternative to the view of CERTs as diplomatic actors is the view that official cyber diplomats, representing governments, only come into play at a late phase, when an incident has escalated to a point where the CERTs cannot respond, that is, when international peace and security are at risk.
  • Political contacts and/or institutions at a governmental level cannot replace CERT work. In fact, most incidents are being resolved at the technical level without government interference.
  • As cybersecurity concerns have grown, CERTs have become a component of the geopolitics of cybersecurity. Increased government interventions can affect well established networks of trust and undermine the work of CERTs.
  • Political decisions should not prevent CERTs from resolving incidents. It is important that CERTs can respond quickly so that damage can be contained and does not spread further in the Internet ecosystem.
  • The role of cyber diplomacy (as practiced by government representatives) is not to prohibit the use of ICTs in political conflict. It is to avoid inadvertently prompting an international conflict by accidental provocations in cyber space.
  • For CERTs to work effectively, they cannot and should not be politicized. CERTs play an important role as first responders. They need to be able to function without technical or political interference.
  • For the last several years CERTs have become subjects of norm-making processes. Such is the case of the UNGGE. The latter agreed in 2015 on non-binding norms of responsible state behaviour, including not conducting or knowingly supporting activities to harm CERTs or using CERTs to engage in malicious international activities. The idea behind these norms is to protect the work CERTs are doing and to prevent them from being instrumentalized by governments.
  • However, there is little awareness of the UNGGE normative process within the CERT community, nor is there much awareness of any efforts underway in implementing those norms.
  • In some countries, national CERTs play an important role in track 1.5 and track 2 diplomacy, particularly in bilateral settings. CERTs have become part of the diplomatic toolkit to assist governments with information sharing to fight cybercrime and in building linkages between international law and norms and how they relate to operational issues.
  • However, other track 2 settings have not been successful in trying to merge the conversation between the technical and the policy communities, mostly because of the difficulty of finding trusted points of contact in the policy arena.
  • Cybersecurity is a shared concern and responsibility. Actors such as CERTs, especially national ones, are part of a political dimension. We, thus, need them to look at CERTs as part of a cybersecurity governance ecosystem, without undermining their technical relevance and independence.

- Please describe the Discussions that took place during the workshop session (3 paragraphs):    

  • Because the CERT community is very much focused on responding to incidents and solving cybersecurity problems, they do not perceive themselves as cyber diplomats. However, the international political community is increasingly referring to CERTs in strategies, proposed codes of conduct and coordination documents. The CERT community may not be fully aware of the extent to which they are becoming a subject of global politics. 
  • By analysing differences in cooperation, information sharing and trust protocols of the CERT and the diplomatic communities, this workshop raised awareness about both actors and reduced the level of disconnect and miscommunication between them.
  • More engagement and shared understanding is needed to concentrate on positive impacts rather than negative influences that ultimately undermine global cybersecurity efforts.

- Please describe any Participant suggestions regarding the way forward/ potential next steps /key takeaways (3 paragraphs):   

  • Whether CERTs can inform the processes that are needed for international cyberattack attribution. While CERTs have certain technical capabilities on this front, attribution of cyber-attacks to states is a highly political process. There are no standard methodologies in place, nor common thresholds to determine attribution. Governments could benefit by leveraging CERT expertise on this front, but there are also significant risks in doing so that may affect CERTs’ trusted status and their ability to cooperate with other governments who may not support the political process.
  • Whether CERTs can initiate and play a relevant role in discussions with governments on some form of code of conduct or similar, for CERTs to remain independent, prevent harming each other and enhance response capabilities. Specifically, discussions on allowing CERTs to operate outside of sanctions regimes are important.
  • Governments should engage with the CERTs and their regional and global associations, such as the Forum of Incident Response and Security Teams (FIRST), to determine how to best operationalise the norms recommended by the 2015 UNGGE report.


Session Format: Debate - 90 Min

Country: Australia
Stakeholder Group: Technical Community

Country: United Kingdom
Stakeholder Group: Civil Society

Speaker: Vladimir Radunovic
Speaker: Madeline Carr
Speaker: Adli Wahid
Speaker: Duncan Hollis
Speaker: Alice Munyua

Content of the Session:
During IGF 2016, at “WS132 - NetGov, please meet Cybernorms”, we opened the debate. An increased commitment from state actors to coordinate on cybersecurity at the regional and international level (e.g. UNGGE, OSCE, Budapest Convention) has reached a point where the future development of international norms that aim to regulate State behavior with regard to cyber operations necessarily needs other stakeholders to give input or advice. At this workshop, we discussed the extent to which the technical community can support implementation of the GGE agreed norms and whether the IGF can serve as a platform to facilitate these engagements. Given the ongoing difficulties of negotiating global agreements on cybersecurity between state actors, we propose to continue this debate at the IGF 2017, this time focusing on the question of whether the increased regional and international cooperation that happens between CERTs and CSIRTs – both national and private – can support and advance current diplomatic endeavours to establish international norms of responsible state behavior in cyberspace.

Relevance of the Session:
There are many norms that are well established in the technical community. A good example of these technical norms are the practices by which CERT/CSIRT communities exchange technical expertise and share information on risk management and incident response. By establishing trusted networks for exchanging technical expertise, the CERT/CSIRT communities are indirectly engaging in what is referred to as 'science diplomacy'. This proposal aims to continue the debate, started during WS132 of IGF 2016, to understand how ongoing cooperative behaviors around the development of technical norms in the CERT/CSIRT community can help to reveal unrecognized common ground among states and, ultimately, help to improve international cooperation on cybersecurity.

Tag 1: Cybersecurity Norms
Tag 2: Internet Governance
Tag 3: Multistakeholder Cooperation

Dr. Madeline Carr and Prof. Duncan Hollis have been involved in academic research exploring the international cooperation system and studying the feasibility of treaty-based solutions for regulating state behavior in cyberspace. The Internet technical community has been solving cybersecurity incidents by establishing circles of trust for information sharing, and cooperating in emergency response and towards problem resolution. The IGF has provided a unique platform where the technical community and government representatives converge in useful dialogue to improve understanding of their particular norms and behaviors. This proposal, to have a 90-minute debate, will continue the discussion from last year in WS132 on Cybernorms, for UNGGE followers and participants, together with the Internet and security ecosystems, mediated by academic research, to answer questions on international security cooperation, and advance towards a better understanding of current and possible cybernorms that can result in more responsible state and technical behaviors. A prospective agenda of the debate is:

1. Setting the scene. New research on "science diplomacy" and CERT cooperation. (Academia).
2. Discussion.
2.1. Technical community. How CERT cooperation works. (Tech/CERT community)
2.2. Update on UNGGE and state cooperation. GCCS. And more. (Government)
2.3. A civil society view on this. (Academia/Civil society)
3. Debate
3.1. Whether CERT cooperation is (or not) a form of diplomacy
3.2. Whether CERT cooperation can (or cannot) help improve responsible cyber behaviors
3.3. Whether existing technical cybernorms are to be recognised formally by states
4. Conclusion
4.1. Key take-aways
4.2. Follow-up questions

Last year, Workshop 132 on Cybernorms successfully brought to the IGF participants from UNGGE and NATO, together with world-renowned academics in the field of cybersecurity. These were new participants to the IGF, and one of the key agreements of the session was that there could be a mutually constructive way forward for the UNGGE to be more open and transparent and for Internet governance stakeholders to be more aware and involved in the UNGGE discussions. This proposal is a continuation of that effort, to bring into direct conversation the parallel worlds of the Internet governance multistakeholder community and the more formal, state-centric processes, such as UNGGE. In the lead-up to the debate at IGF 2017, the organizers will take into consideration geographical diversity and gender balance.

Onsite Moderator: Pablo Hinojosa
Online Moderator: Duncan Hollis
Rapporteur: Vladimir Radunovic

Online Participation:
The rapporteur of UNGGE participated last year, remotely through WebEx, in workshop 132 on Cybernorms, asking an important question that influenced the outcome and facilitated agreements at the workshop. There were other remote participants through WebEx and also a wide audience through YouTube. We expect a similar if not a more active participation through online means, in terms of questions and comments being raised remotely by those that are not able to be physically present at the next IGF in Geneva.

Discussion facilitation:
There will be two co-moderators of the debate, each fostering the discussion on basically two sides: the UNGGE/governmental perspective and the technical community/CERT perspective. These two co-moderators will first help to set the scene by referring to new academic research on CERT diplomacy, and by calling on participants to provide updates on the UNGGE process and the GCCS event. The technical community will explain the processes and networks of trust that are the basis of CERT collaboration. The co-moderators will foster a conversation, mainly by distinguishing things that were unknown to each party that merit better understanding, and will help discover those issues that can help both parties increase mutual understanding. The co-moderators will lead the participants of the debate towards finding feasible paths for collaboration, which are the key expected outcomes of the workshop.

Conducted a Workshop in IGF before?: Yes
Link to Report: https://www.intgovforum.org/multilingual/filedepot_download/4098/246
