IGF 2017 WS #39 Critical issues in improving cyber security incident response

Short Title: 

Critical issues in improving cybersecurity incident response

Proposer's Name: Mr. Maarten Vanhorenbeeck
Proposer's Organization: Forum of Incident Response and Security Teams (FIRST)
Co-Proposer's Name: Mr. Michael Carbone
Co-Proposer's Organization: Access Now
Mr. Maarten Van Horenbeeck, Technical Community, FIRST
Mr. Michael Carbone, Civil Society, Access Now


  • Panel introduction by the moderator
  • Each panelist introduces areas of sensitivity around incident response operations they have experienced
  • Panel moderator asks panelists about their views on some of the issues shared
  • Remote participants, and local participants, are asked to raise issues they see as being sensitive in conducting incident response on security issues
  • Panelists provide input on some of the issues raised
  • Concluding remarks by the panelists


- Date: December 18th, 2017
- Time: 11:30 – 13:15

- Session Organizer:    
Maarten Van Horenbeeck , FIRST (Technical Community)
Michael Carbone, Access Now (Civil Society)

- Chair/Moderator: 

Gustaf Bjorksten, Access Now (In-person moderator)
Adli Wahid, FIRST (Remote moderator)

- Rapporteur/Notetaker: 
Maarten Van Horenbeeck, FIRST           

- List of Speakers and their institutional affiliations:   
Cristine Hoepers, General Manager, CERT.br (Technical Community)
Audrey Plonk, Senior Director, Global Cybersecurity Policy, Intel Corporation (Private Sector)
Grace Githaiga, Co-convenor for the Kenya ICT Action Network (Civil Society)
Mallory Knodel, Association for Progressive Communications (Civil Society)
Pedro Veiga, Deputy Director, NCSC-PT (Government)

- Key Issues raised (1 sentence per issue):      

  • Information overload has in some cases led to an over-reliance on automation, which is degrading trust, as the impact of an incident or abuse report is often misunderstood.
  • The network of cooperation that CSIRTs have built only works effectively when there is trust between organizations. This trust can be affected by where a CSIRT is positioned, and what organizations it is experienced at working with.
  • How are Human Rights baked into the work of incident responders?
  • Technical expertise is now more commonly criminalized. This makes it more difficult for incident responders to effectively deal with incidents, and for capacity to be built.

- If there were presentations during the session, please provide a 1-paragraph summary for each presentation:  

There were no presentations during the session. There were opening comments which have been integrated in other parts of this report, as they covered the same topics.

- Please describe the Discussions that took place during the workshop session (3 paragraphs):     

A main topic of discussion was to share bad and/or good experiences that stakeholder groups have had reporting security incidents to CSIRTs. In this discussion, it was identified that a critical component of sharing involves the need for any organization to have a contact which is responsive, and that the report must be adequately handled. An interesting observation was that as we spend more effort on automating processes, we sometimes miss the significance behind “why” someone is reporting a security incident or abuse. This can lead to the CSIRT determining that an issue is not a security issue, without providing detailed guidance on why it is not, and without an opportunity for the reporter to refute this determination. One way this challenge could be addressed is by encouraging civil society, and other stakeholder groups that may sometimes feel misunderstood, to participate in technical community and CSIRT events and share their experiences. There may also be value in more regional and local cooperation and events that help build communities of knowledge, where specific problems are likely to be best understood. Finally, there is a need for more people to become well trained in incident response, and real value in growing the community of sectoral CSIRTs, which typically have a similar understanding of the basic problems their constituencies face.

The panellists also discussed how raising incidents to the right stakeholders quickly can be challenging, but is a core function of a CSIRT. The example was raised of financial institutions, which originally were concerned about sharing information, but quickly realized that an incident which undermines trust has the ability to affect the entire sector. They became strong supporters of the concept.

There are configurations in which raising issues, and cooperating across organizational boundaries, become troublesome. A core concern is where a CSIRT is located. For instance, a national CSIRT that focuses on protecting national infrastructure may be limited in dealing with incidents that do not directly affect that infrastructure, but have impact beyond national security. In addition, a CSIRT positioned in an intelligence agency may not be widely trusted, or may have classification challenges in sharing information with others. Quite often, it is good to have CSIRTs with very specific responsibilities, but also a “CSIRT of last resort” that works with the entire community and takes the main coordination action. There is no one-size-fits-all, though, and these challenges must be considered when CSIRTs are developed and expected to work successfully with others.

The group discussed how human rights are baked into the work of CSIRTs. In an example stated during the session, support for human rights came from the top, with the organization developing principles aligned with the UN Universal Declaration of Human Rights, and then translating these into tactical decisions through the development of policies and individual discussion with technical stakeholders. This was particularly important in engaging with external stakeholders. It was noted this may affect cooperation with other third-party organizations, such as CSIRTs in governments, where there may be concerns around human rights implementation.

An issue raised was the criminalization of technical expertise. This covered areas such as arrests of security trainers, encryption and the use of VPNs. A panellist noted that today we are seeing several “knee-jerk responses” rather than measured responses based on an assessment of the actual security situation. This can lead to interference with innovation. Asked how CSIRTs can push back, it was noted that in debates such as “exceptional access” and encryption, it is very important for the technical community and private sector to educate government on the technical challenges and trade-offs involved. Many concepts from the pre-Internet era are being carried over into online law enforcement without an understanding that the trade-offs in the Internet realm can be quite different.

Two questions from the audience deserve special note due to the lengthy discussion:

  • A questioner asked how CSIRTs can help develop good practices. Today, CSIRTs share information around incidents, but do not always make it available externally to the wider community. As a result, organizations may be compromised through the same mechanisms as previous compromises. Repeated compromise can drive business away from small and medium enterprises, or from countries with more limited cyber security capacity. Another questioner asked a similar question: how is it possible that CSIRTs have “information overload”, as was discussed in the session, whereas little information is available to small and medium enterprises? It was noted that organizations often have limited cyber security expertise to interpret some of the more detailed sharing that takes place in the CSIRT community. That information is typically summarized and shared by CSIRTs with their communities, but not in all cases. One panellist noted how CSIRTs often share recommended actions, based on their analysis of these incidents, rather than deep technical detail on individual compromises, and that these actions of “basic hygiene” are critically important to preventing compromise. It was also noted by another panellist that smaller organizations should be recommended to invest in cybersecurity-capable IT resources, to have at least some capability to leverage the information made available to improve their defences.
  • A questioner challenged the panel by asking if the CSIRT community, and its model of cooperating between “pockets of trust” that have been built within communities, can continue to scale. A panellist noted the work of the IGF Best Practices Forum on CSIRT on identifying how trust develops, and that if this is widely considered, trust can continue to develop in this way. Another panellist noted how there is value in transnational, non-state-bound CSIRTs that help promote sharing between wider communities, rather than at the local level, and can help bring new “local” CSIRTs into that wider community. Finally, it was raised that such CSIRTs, as well as topic/community-focused organizations, often have funding constraints, and that this is something which needs to be addressed for the community to continue to develop.

- Please describe any Participant suggestions regarding the way forward/ potential next steps /key takeaways (3 paragraphs):    

  • A participant from the technical community raised that it is critical for government, the incident response community, civil society and private sector to come around the table and educate each other on their respective concerns regarding encryption. There is too little technical debate on the challenges and risks involved, and little actual ongoing debate. Technical community members should actively educate and create awareness around the technical challenges of certain proposed solutions on cybersecurity.
  • A civil society participant raised that there should be more “civil society aware” CSIRTs, who understand the challenges this stakeholder group faces. It’s difficult and expensive to build all technical expertise in the civil society community, so creating CSIRTs specifically to support them is more challenging than educating CSIRTs on how they can cooperate with civil society. Suggestions that were raised included having more civil society participation in CSIRT conferences.
  • The role and configuration of a CSIRT is to be carefully considered when a new CSIRT is being built. For instance, when a CSIRT is part of a national intelligence capability, sharing with that CSIRT may be more difficult for various stakeholders. In addition, greater secrecy within that CSIRT may limit its ability to cooperate. Previous work in the IGF Best Practices Forums on Cybersecurity and CSIRT also indicated this limitation. Having sector- or organization-specific CSIRTs is a must, but a “CSIRT of last resort” may be able to provide additional methods of communication between those organizations and others, under rules that are better understood by all stakeholders.
  • A question that was raised by audience members, and which may be worth further consideration, is how information can be made to more effectively flow to small and medium enterprises. It was noted that these organizations often do not invest in the basic cyber security capability to process the information currently available.

The outcome from this session, including video recording, transcript, and this summary, will be contributed to the FIRST Special Interest Groups on Ethics, and the IGF Best Practices Forum on Cybersecurity, for further consideration and discussion.


Gender Reporting

- Estimate the overall number of the participants present at the session:

There were approximately 60 total participants

- Estimate the overall number of women present at the session:

Approximately 20 participants were women. The panel itself was gender balanced, with three out of five speakers being women.

- To what extent did the session discuss gender equality and/or women’s empowerment? 
- If the session addressed issues related to gender equality and/or women’s empowerment, please provide a brief summary of the discussion:

The session did not directly address issues related to gender equality and/or women’s empowerment. However, it did consider challenges in how technical community, government and public sector security teams can successfully cooperate with civil society organizations.

Session Format: Panel - 90 Min

Country: United States
Stakeholder Group: Technical Community

Country: United States
Stakeholder Group: Civil Society

Speaker: Cristine Hoepers
Speaker: Audrey Plonk
Speaker: Grace Githaiga
Speaker: Mallory Knodel
Speaker: Martijn de Hamer

Content of the Session:
This panel, proposed by FIRST, an international association of CSIRTs, and Access Now, a civil society CSIRT, aims to identify critical issues that may affect how CSIRTs are trusted or otherwise effective in responding to security incidents across multiple stakeholder groups. Issues that are expected to be raised include privacy of users, human rights issues involved in security response, and the tension between network security monitoring for security purposes and surveillance.

The goal of the session is to identify types of behavior that may have developed over time between stakeholders around the work of CSIRTs. Output from the session will be submitted to a number of forums, including the IGF BPF on Cybersecurity and the FIRST Special Interest Group on Ethics.

Relevance of the Session:
While much work is being done on making the internet a trustworthy, secure network that can support various uses such as cultural exchange, business transactions and government, security incidents will continue to have an impact.

A cornerstone of security programs both in government and business is the development of a strong incident response program. Incident response programs often result in the creation of a specific entity, commonly referred to as a Computer Emergency Response Team (CERT) or Computer Security Incident Response Team (CSIRT). These organizations exchange information with their peers to detect incidents, and take appropriate steps to mitigate negative impact on their host organization.

CSIRTs can have a role that is limited to a particular industry, a specific country, or a specific organizational network. They can also be responsible for the response to security issues in software and networks widely used by individual users.

A concern of incident response is the fact that it needs to operate well across stakeholder groups. Each group has a separate responsibility: government CSIRTs may protect national security, protect the economic capability of a state, or protect its citizens. Private sector companies operate large parts of the internet and its infrastructure, and are required to ensure product safety. Civil society helps protect and ensure individual and organizational rights. The technical community is responsible for ensuring that the "glue" between each of these works well, and that the internet remains an enabling service.

In order to truly shape our digital future, these core issues, covering privacy, human rights issues, and tension between stakeholder groups must be openly discussed, learned from, and our ability to deal with them improved.

Tag 1: Cybersecurity
Tag 2: Human Rights Online
Tag 3: Privacy

The workshop is planned as an interactive session with a moderated panel of experts. 40% of the time will be allocated to opening statements from the experts, in which they will be asked to address the indicated questions. 25% of the time will be allocated to interventions from the floor, 25% to interventions from remote participants and 10% of the time for closing statements.

Our lineup of confirmed expert panelists consists of:

Audrey Plonk, Senior Director, Global Cybersecurity and Internet Governance Policy, Intel Corporation (Private sector)
Grace Githaiga, Co-convenor for the Kenya ICT Action Network (Civil society)
Martijn de Hamer, Head of the National Cyber Security Operations Center at NCSC-NL (Government)
Mallory Knodel, Association for Progressive Communications (Civil society)
Cristine Hoepers, General Manager, CERT.br (Technical Community)

Moderator: Michael Carbone, Manager Education Programs, Access Now (Civil Society)
Remote moderator: Maarten Van Horenbeeck, Director, Forum of Incident Response and Security Teams (FIRST)

The following is how specific topics will be addressed:

Affiliation: Civil Society

We will request our civil society participants to discuss some of the challenges civil society experiences when dealing with security incidents, and when engaging CSIRT community members for help, in particular those CSIRTs from the government or private sector.

Affiliation: Government

We will request our government participants to discuss:
- The challenges in operating a CSIRT, and how to cooperate with other stakeholder groups, such as civil society.
- The implications of working with data on victims of cybersecurity incidents.

Affiliation: Private sector

We will request our private sector participant to discuss some of the challenges in working on product security issues with other stakeholder groups. For instance, how do the impact of and response to a security incident change when the underlying vulnerability is being exploited, and to what degree does the response become more sensitive? As an example, disclosing the existence of a vulnerability before a patch is available may increase exploitation of vulnerable internet users.

Affiliation: Technical community (CERT.br)

We will request our technical community participant to share anecdotes, concerns and learnings from working with different stakeholder groups. We will also ask them to share some of the concerns they have identified as being an organization that is required to work with all other stakeholders to coordinate the response to a major incident.

We will specifically ask in-person and remote participants to provide examples of issues they have seen, or to confirm or dispute issues the expert panelists have raised.

As part of this panel, we have confirmed panelists from Africa, Latin America, Western Europe and North America. We anticipate the panel will be gender equal, which at this point holds true for our confirmed panelists. Representation exists from civil society, government and technical community. Currently each of the speakers listed has been confirmed. If we do need to make replacements closer to the date, we will continue to maintain the same stakeholder group/gender balance to the degree possible.

One of our goals with this panel is to create a forum in which civil society, government, technical community and private sector have the ability to meaningfully interact on some of the more important issues hindering their collaboration in cybersecurity, and in particular in global incident response.

We also plan to engage the potential audience with interest in this session through a number of third party organizations and initiatives, including FIRST, the BPF on Cybersecurity and several industry mailing lists to call for both remote and in-person attendees to participate.

Onsite Moderator: Michael Carbone
Online Moderator: Maarten Van Horenbeeck
Rapporteur: Maarten Van Horenbeeck

Online Participation:
During the session, we will ensure online participation in the following ways:

- A moderator is assigned to the online question queue who has a similar background and technical expertise to the in-room moderator. The workshop proposer and author of the background paper will be the online moderator;
- We will immediately relay questions as the "next up" question from the audience when one is flagged by a remote participant, to avoid unnecessary waiting for the remote participant. If the number of remote questions and comments overwhelms the number originating from the in-person group, we will switch to granting an opportunity to speak to someone remote, and then to someone attending in-person next;
- We plan to specifically advertise the session through relevant forums and mailing lists (including FIRST and the BPF on Cybersecurity) to solicit participation by remote attendees. Where possible, we will engage with a number of the NRIs which have previously participated in cybersecurity sessions, or have shown an interest, to contribute their ideas;
- During the session closing, we will do a specific call to get closing remarks from a small number of remote (2-3) participants. We will announce this at the beginning of the session to ensure remote attendees can prepare their thoughts throughout the session.

Discussion facilitation:
The following agenda will be followed:

- Panel introduction by the moderator
- Each panelist introduces some areas of sensitivity around incident response operations they have experienced
- Panel moderator to ask panelists about their views on some of the issues shared
- Moderator to ask remote participants, and local participants, to raise issues they see as being sensitive in conducting incident response on security issues
- Moderator to ask panelists to provide input on some of the issues raised
- Moderator to ask remote and local participants for questions and additional input
- Moderator to ask two to three remote participants to provide their final views on the session topic and conversation
- Concluding remarks by the panelists

Conducted a Workshop in IGF before?: No
Link to Report: