Workshop 38, UNIGF, Geneva December 18, 2017

Transcription

1 International Cooperation Between CERTS: Technical Diplomacy for Cybersecurity International Workshop 38, UNIGF, Geneva December 18, 2017 Participants: Pablo Hinojosa: Strategic Engagement Director at the Asia Pacific Network Information Centre (APNIC) Madeline Carr: Associate Professor of International Relations and Cyber Security, University College London (UCL STEaPP) Duncan Hollis: Professor of Law at Temple Law School. Leonie Marie Tanczer: Research Associate, University College London (UCL STEaPP) Adli Wahid: Senior Internet Security Specialist, APNIC and FIRST board member Maarten Van Horenbeeck: VP, Security Engineering at Fastly and FIRST board member Louise Marie Hurel: Cybersecurity Project Coordinator, Igarapé Institute Brazil Karsten Geier: Head of Cyber Policy Coordination in Germany's Federal Foreign Office. Chair of the 2017 UNGGE. Tobias Feakin: Australian Ambassador for Cyber Affairs Gavin Willis: UK National Cyber Security Centre Jan Neutze: Director of Cybersecurity Policy at Microsoft Elina Noor: Director, Foreign Policy and Security Studies, ISIS Malaysia. Camino Kavanagh: Visiting Fellow, Dept. War Studies, King's College London/ International Consultant and Rapporteur to the 2017 UNGGE PABLO HINOJOSA: Welcome to Workshop 38 on International Cooperation between CERTS: Technical Diplomacy for Cybersecurity. Note that this is a question so we are here to explore whether CERT cooperation is or is not a form of diplomacy. Let me give you a bit of background. My name is Pablo Hinojosa, I work for APNIC. APNIC is the regional internet registry for the Asia Pacific. We service the IPv4 / IPv6 Internet registry of around 16,000 networks. Our aim is to support Internet development in the Asia Pacific and to promote an open, stable and secure Internet. We are part of the technical community and our voice is mainly the voice of network operators and network engineers in the Asia Pacific. More and more, our members APNIC members the network operators have come to us asking for support with their cyber security needs. So, a few years ago, with my colleague Adli [Wahid], we started a network to connect and establish a closer relationship with the network operators community and the computer emergency response teams CERTs and CSIRTs in the region and beyond. This has been a great experience and of benefit not only to APNIC members but we really hope that it has had a

2 positive impact on the Internet ecosystem. We are very much committed to the view of the Internet as an ecosystem and that is why we cannot see network operators and CERTS working in isolation. That brings us here to the IGF which is a great platform to connect isolated groups that could be working closer together for the good of the global internet. So that is one bit of background. The second part; I have had the great fortune to have met Duncan [Hollis] and Madeline [Carr] a couple of years ago. We have had many discussions and we agreed on one thing (probably a few others!), but one main thing. And that was the fact that international discussions in the field of information security have grown in parallel not together with discussions in the field of Internet governance. And these discussions, if taken to a decision level, eventually will have a profound impact on the way networks operate. We also felt that it would be a good idea to connect international law experts working on information security with public policy experts working on Internet governance with also the technical community. So, last year in Mexico, we organized a workshop on the subject of cyber norms and I think we were successful in bringing together disparate groups and starting a dialogue. We had members of the UN Governmental Group of Experts, international law experts and members of the technical community. We talked about trust and how Internet governance participatory schemes could feed into discussions about responsible state behaviour and protecting the public core of the Internet. So, it is for me, a great honour and pleasure to be working with Madeline and Duncan on a second workshop here in Geneva. It is somehow a sequel but has been designed with a different approach. Like the first workshop on cyber norms, this is also about connecting the internet technical community this time the CERT / CSIRT community with international security experts. So, there is ongoing academic research analysing cooperation, information sharing and trust protocols amongst the CERT community and interpreting them as a diplomatic endeavour. The question here is whether there are lessons to learn and concepts to share from the CERT community that could be useful to disentangle international cyber security discussions, inform treaty level initiatives and foster responsible state behaviours. The workshop here is a bit of a risky proposition because the CERT community is very much focused on what they do; responding to incidents and solving problems. They don t (I don t think) see themselves as cyber diplomats. Meanwhile, international cyber security discussions amongst states are somehow detached from the day to day operation of networks. So, the idea here is to find a space in which these communities can communicate with each other and contribute to these processes. Before we proceed, just a bit of housekeeping. This room, as you can see and feel is not very amicable to what we are trying to do so we will need to work against architecture. This is why we have a bit of a strange seating arrangement for the core group that will participate here. The idea is that the session will be recorded. It is being web-streamed right now and the camera is over there [points]. So, when you speak, it would be great if you could speak very close to the microphone because it is being transcribed and the transcribers are suffering a lot from the lack of proper audio. And this is very uncomfortable I am trying to speak close to the microphone, it is difficult, but please speak close to the microphone. The

3 transcription only works if audio is clear. We're trying to foster a dialogue, please avoid long interventions like mine. Aim for three minutes and do not exceed five. Now I'll give the floor to Madeline to introduce experts and to get deep into the subject. >> MADELINE CARR: Thank you, Pablo. Thank you, everyone, for being here this morning. As Pablo said, we're excited about building the links between the different communities that come to the IGF but very often sit in different rooms in the building. We're grateful to you all for being here this morning. I'm an International Relations academic, and my area of research is the international political dimensions of cybersecurity and Internet governance. I look at the ways that state and non-state actors cooperate, compete, collaborate, and try to find some mechanisms for dispute resolution in this space. It is become increasingly clear to me over the years I have been doing this that these issues cannot be addressed within a single discipline alone. For that reason, actually, I have recently moved from a Department of International Relations to the Faculty of Engineering at University College London. If we look at little bit at how these issues have come onto the international political agenda, for many years, decades, some states have been producing national security strategies where they look at the global geopolitical context and they provide some kind of assessment of their place in that context. In 2003, the United States produced its first national cybersecurity strategy. Prior to that, cyber had been folded into the general security strategy of states. After 2003, other states rapidly began to follow by producing these national cybersecurity strategies in which they would look at the context, look at geopolitics, look at their own capabilities and devise a strategy for dealing effectively with challenges and opportunities. Following this, there was a momentum for states to develop CERTs or CSIRTs and both of these efforts came to be seen as a sign of maturity of the state. Those that developed a national cybersecurity strategy and established a CERT were seen to be on their way to some kind of maturity with some kind of demonstrable capacity to deal with the complexities of global cybersecurity. What we saw happen, quite quickly after that, was a tension emerge because while states were very keen to establish CERTs (and for all kinds of good reasons), it became evident that the kind of close working relationship between a CERT and a national government, especially with the intelligence community, could actually undermine the efficacy of a CERT for all kinds of reasons we'll discuss later. Essentially the CERTs sometimes struggled to maintain their independence and autonomy. So, this problem emerged that governments want to establish CERTs, they feel they need to and they have good reasons for that but at the same time, too close collaboration can actually undermine the CERT. It is this problem that we have been looking at. Recently, the United Nations Group of Governmental Experts proposed some, what we could call rules of the road for responsible state behaviour in cyberspace. They proposed 11 rules or suggestions or norms as they call them. One of these dealt explicitly with CERTs in two parts; first saying that states should not knowingly support activity to harm CERTs, so CERTS should not be part of political conflict, and also that CERTs should not be used for offensive state-based behaviour - malicious activity. That signals how CERTs are brought into the political agenda. CERTs are now clearly a component of the geopolitics of cybersecurity, whether that's a good or bad thing.

4 In our research, we have been looking at is this through the lens of science diplomacy which is an established body of literature that looks at ways that scientists can sometimes operate across borders and lead cooperation that politicians are unable to. In very difficult, political contexts, scientists can often overcome tensions and they can cooperate together in a way that's not possible politically. I need to stress that we don t argue that CERTs should be diplomats, it is just a lens that we have been looking through. How is it that these CERTs are able to cooperate across political divides? In global politics, we're somewhat stalled with cybersecurity. With that, I want to hand over to Leonie Tanczer who I work closely with and who has been doing some really interesting research on this. Maybe you can share some of the work we have been doing here. >> LEONIE TANCZER: Good morning, everyone. I'm probably one of the proponents of the idea of science diplomacy and CERTs. We consider them as an inadvertent diplomatic actor and we base this on research we're conducting at the University College London where we have so far conducted 20 interviews with various CERTs - and this is a call for other actors to come forward if they would like to participate in the research on CERTs practices and their role in the international cybersecurity network. I want to use this opportunity to basically make three points that we found in the course of our research and Madeline already highlighted one of them. One, CERTs and PSIRTS (Product Cyber Incident Response Teams) are increasingly considered as diplomatic actors based on the fact that just as scientists collaborate, the technical community collaborates across national borders. CERTs form a multi-stakeholder group and there are three particular aspects one can see that indicate that there is a diplomatic element to their work; there is a lot of formality or informality. One thing I have learned, if you want to build trust, you go for a pint with someone. The other thing, there is a lot of community around CSIRTs, they have formal, informal structures for cooperation - and that's the last point around the diplomatic elements. That they kind of consolidate a nature of community, a community that negotiates, that mediates across different cultures and practices - which is important for information sharing and to secure the Internet s infrastructure and respond sufficiently to cybersecurity incidents. The other important point I want to make, is the increasing professionalization of CERTs. In the course of the interviews, we identified that a lot of CSIRTs and PSIRTs engage in formal and informal networks that are now also increasingly being formalized. An example of this is the NIS Directive where CERTs play an important role and where the European Union Member States are basically encouraged to point the finger at one specific national CERT that should cooperate across borders and facilitate the CERTs cooperation within the nation state and across. The FIRST community plays thereby an important role - and I'm sure that colleagues on the panel will go into more depth with that but one interesting aspect we see relates to the group size of CSIRTs and the communication channels that they use. The more established and the bigger these channels become, the more likely it is that subgroups are being set up that focus on specific topics, such as financial issues. For example, it is harder for CSIRTs to share information in a massive group where there are various political actors involved and where concerns prevail how secure it is to share certain information.

5 And this relates to the last point I want to make, which is the one that really struck me when I conducted the interviews. This is the politicisation of CSIRTs. Now the politicisation of cyber security is an established concept. We see this in the context of malware as Kim Zetter as established. What we see, and an important incentive for discussions today, it is that CSIRTs are increasingly being interfered with by governmental actors. Cybersecurity is a national issue, it is nationalized to a certain extent while the technical community of CERTs is established from a needs-driven, technical basis. Now as there is increasing formalization of CSIRTs and states, for example, establish their own teams, this affects the CSIRT trust networks that have been established over years and decades. CSIRTs are a purely a defensive tool and I think that's important to discuss in regards to the UNGGE discussions. One needs to acknowledge the CSIRT community has a specific role, and is a trust network that requires freedom to interact across borders, and they do that currently very effectively. But we do see an increasing threat by incorporating CSIRTs into ministries or bodies like national cybersecurity centres, that then are frequently associated, for example, with actors and bodies that might counteract incident response concerns because for them vulnerabilities are something that can be exploited rather than mitigated. This can interfere with the trust network of CERT and is an important aspect we need to address today and in the future, and I'm sure the FIRST actors of the panel have something to say to that as well. I think it is a good step forward to open up this debate. On Monday, there was an Incident Response for Policy Makers session which is a good way to have the CERT community and policymakers to come together to discuss these issues in more depth. Thank you. >> MADELINE CARR: Thank you, Leonie. I want to bring in Adli Wahid, a security specialist with APNIC who is involved in the CERT community. Adli, amongst other comments I wondered if you could elaborate a bit on what you see as the role of CERT/CSIRTs in international peace and security. >> ADLI WAHID: I will touch on two topics and basically talk about CERTs and how we cooperate and secondly, why we cooperate. I think attendees in the session can understand a bit about the motivation and why we do this kind of thing and perhaps then relate to the bigger conversation on participation of CERT/CSIRTs within realm of political activities, so on, so forth. One thing I should put in context, the Internet is very distributed. When you have a security incident, there is a need to be able to, number one, respond quickly to mitigate, to make sure that the damage can be contained and that it will not distribute further and cause more damage. There is an interest there not to just protect your own network but also the broader network in general. You would not want, for example, financial losses to be accumulated, to be increased. Or you don't want to have the stability of the Internet to be affected. While the term CERT/CSIRTs sounds reactive, the whole incident response process is actually very proactive. You can see that, for example, when there is an incident. The CSIRT community is interested in seeing what others are seeing. Can we know how the attack works, what are the indicators? From there, it helps other people to perform analysis, so that certain mitigation steps can be applied and in the end, you know, lessons learned out

6 of this whole thing, so that we can use it in making better policies or improving cybersecurity in general. So, the CSIRT community works closely with one another. And this is not a new thing. The first CERT was established maybe 30 years ago perhaps after the Morris Worm. And in fact, FIRST is celebrating the 30th anniversary next year. The community has existed for a long time. One thing that I hear more and more in the conversation about CERTs within the other stakeholder domain, especially the non-technical community, is that Oh, you know, we focus on national CERTs and the need for nations to work together through the national CERTs. But you must understand that many of the CERTs are not related to nations. In fact, many of the FIRST membership are private CERTs that are linked to hospitals, academia, to banks, so on, so forth. Even without documented policies on how countries should talk to one another, the CERT community engages with one another actively through various means. One is, as I mentioned earlier, through information sharing. We share information on threats, but there are also a lot of activities that happen outside of crisis time. There is a thing where a CERT sends an advisory to another CERT or shares best practices on how to set up CERTs for example. CERTs work together in cybersecurity exercises to increase preparedness, to understand who is at the other end, who is the other person that's answering the phone. It is more than just establishing institutional relationships but trying to establish human to human relationships so that in a time of crisis, I'm very comfortable to call Maarten at 3am in the morning and he's not going to be mad at me. We have that relationship. We have the information sharing, the other aspect, getting together, sharing insights, what people are seeing, what are the difficulties in applying some form of mitigations, is there a way forward to improve things. All of this may sound like it happens naturally, but it doesn't. There is a lot of effort within the communities to develop some kind of a protocol for information sharing. For example, if you go to the FIRST website, you see this TLP, the Traffic Light Protocol. This sets expectations on how information will be shared and can be shared with one another. There is a lot of the activities also in developing tools where, you know, CERTs share a lot of information on things that they use to either automate or make things more effective when it comes to information sharing. It is more than just sharing a piece of advice, but also people getting together to develop and work on projects. I hope that within a few minutes I have highlighted why we work together, secondly, how we actually work together to have better collaboration and coordination when it comes to information sharing. Thank you very much. >> MADELINE CARR: Thank you. That was a fantastic overview of a long, complex, mature community. Well done in three minutes. I wanted to bring in Maarten van Horenbeeck. Maarten represents FIRST, the industry association of CERTs and he obviously has a sophisticated perspective on this as well. Maarten, I wondered if you could, amongst your remarks, make a comment on how the CERT community sees the UNGGE norm on protecting CERTs and not engaging them in political conflict - if you have a view on that.

7 >> MAARTEN VAN HORENBEECK: Thank you. Thank you for the opportunity to be here today and speak with you. It is a great question. I think CSIRTs and CERTs don't see themselves as political actors busying themselves as engineers but as technical community members that work together to deal with incidents. I want to jump back to something said earlier, the nationalisation of cybersecurity. Cybersecurity is not actually a national concept. By definition it is almost impossible to make it that. We all rely on cooperation - CSIRTs in particular - to deal with the security incidents. For example, we all use software written in other countries, when there is a security vulnerability in the software, we have to engage with the vendor and individuals that have written that software to get a patch. Outside of that, CSIRTs can help mitigate, but not actually fix, the issue. The reason why this is important, is that the risk of calling this science diplomacy is that it puts some power, some control with governments on what it is that CSIRTs can do and how they can engage. I will quickly use a short example of where that can lead to trouble. As an example, it is a bit more on the extreme end, but I think it is very relevant to the discussion. In about 2011, there was a piece of malware that was written about at the time by a particular incident response team in Iran. They wrote that there was a particular malware that they referred to as Stars. The technical community - the CSIRTs community around the world, read about it and they kind of had to discard it because they didn't have ways to engage with them because of government sanctions and so on. It wasn't taken very seriously. It wasn't very well investigated. A few months later, that malware sample did make its way into the international community, and it was very easy to tie this new sample together to that report because the sample actually generated an image of stars that had some data encoded in it. What made this relevant was that this particular sample actually exploited a security vulnerability in a well-known word processer that a lot of individuals across the world use. Because there was no real ability of the CSIRTs to engage at an international level with that CSIRT in Iran that reported the issue, that vulnerability didn't make its way to the wider community until several months later, which also meant that the patch for that vulnerability was delayed, exposing users all across the world. We could make the argument that someone who is attacked with a particular vulnerability doesn't have any incentive to share that vulnerability with the CSIRT community. That's actually somewhat inaccurate in a sense that even a government doesn't have the ability to protect all of their infrastructure when they don't have access to a patch by a vendor. They can fix, they can mitigate, but they cannot make sure that they're not compromised or don't have gaps in their defensive posture. It is important to recognize that some political acts can actually make CSIRT cooperation far more difficult. If we turn what we do into science diplomacy, it creates an agency for the government to make decisions on whether or not a CSIRT should engage. I think that's something that we should somewhat shy away from as a technical community. What we do is we identify when there is an issue, we help resolve the issue, coordinate with the stakeholders and move back to normal. In terms of the UNGGE norm in particular, I can tell you that within the CSIRT community there is very little discussion about that norm. In a sense, I'm fairly certain that a

8 lot of the technical community isn't aware of the existence of the norm and to what degree an implementation effort is underneath it to put it in place. I think it is highly relevant but it is restrictive in a sense that when you think of compromises on CSIRTs, it is difficult to come up with a good example of a CSIRT that was compromised by another state. However, there are several examples of infrastructure that supports the CSIRT that was compromised by other states. A great example in that field is antivirus vendors. There are several examples of the antivirus vendors being compromised and being leveraged to perform something that is inherently an offensive act or something that would undermine the ability of the antivirus vendor to help defend. Now the antivirus vendor typically doesn't fit in the definition of a CSIRT when you think of national CERTs or even when you think about product security incident response teams (PSIRTs). But in a way, they are part of the infrastructure that is leveraged by the CSIRT community to actually defend against the incidents. It is important to think about the wider context as well and wonder if the norm, in that sense, is truly effective or if there is implementation work that needs to happen underneath. Thank you. >> MADELINE CARR: Thank you. I would like to bring in Louise Marie Hurel who works on questions of governance of cyber security. >> LOUISE MARIE HUREL: Okay. I hope the microphone is okay. First of all, I thank Madeline Carr, Pablo Hinojosa and Duncan Hollis for the opportunity and for hosting this discussion which I think is a good step to thinking about norms and going deeper in that and understanding some of the challenges and thinking together, which I think is the purpose of this panel. The question of the day is, (and as has been tackled very well), what do CERTs/CSIRTs do and the what challenges and opportunities come up when we associate them with science diplomacy? I would suggest that there are three dimensions that need to be considered in talking about diplomatic characteristics of the activities of CERTs. Unfortunately, we don't have time to go deep into each of them but hopefully we'll get that discussion later. The dimensions that I think are necessary for us to tackle this are: first, the international cooperation between national CERTs and CSIRTs, second, the cooperation of CERTs and CSIRTs at the national level and finally and most importantly, the relationship between national CERTs and other stakeholders (in this case, mainly the government which has come up over and over again with the previous speakers). That's why I would like to suggest that we not stick only with the idea of science diplomacy, but take a step into the broader idea of CERTs as embedded in the political scenario of national and international cybersecurity tensions. This is really undeniable because even though sometimes you have the silos and different stakeholder groups trying to make sense of what cybersecurity is, they're inevitably connected to each other and there are many spill-overs as we saw already. How is it that a particular political context plays into effect and helps us to understand the role of CERTs? Let me give a quick example that I have been researching more deeply. Throughout the cycle of international events hosted in Brazil in the past years, and starting with the RIO plus 20 Conference of 2012, what we have seen is a demand for the development of internal mechanisms - and I think that's a global trend - of internal

9 mechanisms to respond to incidents and level-up cybersecurity capacities. So, responding to the demand, we saw a great deal of institutionalization of cybersecurity through the proliferation of policies, the development of national strategies and the establishment of a cyber defence centre - and later a cyber command, in Brazil. In this context, the national CERT was actively engaged in educating, building skills, being a part of the training, making other stakeholders understand what CERTs do, and that's a concern that Maarten and Adli shared very well over here. This was a particular moment where we see the three dimensions that I mentioned before. The national CERT worked with the national defence centre, cyber defence centre with intelligence agencies and other stakeholders throughout this period. CERTs have become indicators of cybersecurity development and maturity and many governments sought to establish or restructure the place of CERTs within the national cyber security institution and structures to pursue this idea of good national cybersecurity mechanisms. This is part of what I'm inclined to think of as a surfacing of cybersecurity as a concern on the national and international agendas. And that is perhaps what we were talking about when we talk about the nationalization or the politicization of cybersecurity. Incidents such as we have seen in talks over and over again (WannaCry) have been contributing to the horizontal spread and shared concern and have become both an object of political dispute and a concern of how individuals on the other hand are very exposed and vulnerable. While on the practical side, on the day-to-day notifications and circulations between CSIRTs and CERTs, it seems as if they are performing a purely technical support, CSIRTs can and have played a meaningful role in establishing channels for building confidence between countries and among national cyber related institutions, be it through the example of the national CERTs, such as APCERT which encompasses 30 CERTs throughout the region including China, Japan and Taiwan or be it through the establishment of thematic context specific, timebounded CERTs such as, in the case of Brazil, during the Olympics they established Rio Olympics CSIRTs to promote greater cooperation and coordination. So, these trust network are created and the neutrality discourse highlights of how the relationship among the CSIRTs is an evidence of cooperative structures. Let me just close by sharing a very interesting conversation that I had with a colleague that works in a CERT. He said that even if everyone does their homework in terms of security, it doesn't mean that we're really secure. We have gotten to the point where not only do we have to understand that cybersecurity is and should be and is a shared concern and responsibility, but actors such at CSIRTs, especially the national ones, they are a part of the political dimension to participate. We need then to look at CERTs as a cybersecurity government ecosystem. I believe that the question and challenge for us is to think about cybersecurity as a governance issue in the sense of questioning what are the impacts of the surfacing effects of cybersecurity and the shared concern? How do we keep leveraging common interests to preserve the cooperative structures such as CERTs? And how do we still keep this kind of flexibility and the trust networks while at the same time understanding this process of shared concerns and the process of the surfacing of cybersecurity internationally and nationally? Where do we establish and how do we get to this kind equilibrium which now seems a somewhat sceptical question to ask but this is a necessary question to ask when we think about cyber norms. Thank you.

10 >> MADELINE CARR: Thank you. I think those four interventions really start the conversation between the two communities, the academic community which studies these things from a national, international cybersecurity perspective and the technical community that sees it as, as Maarten said, not a national issue but a global cybersecurity issue and the mechanisms for approaching that. And I'm proud that we hand over right on time to my colleague Duncan Hollis who will now bring in the international policy community >> DUNCAN HOLLIS: Thank you. I want to apologize for my voice. I woke up this morning with this sound, my voice, it is not that pleasing so I'll try to communicate nonetheless. Thank you to Madeline Carr and Pablo Hinojosa, I'm clearly the junior partner at the table, they crafted this plan and I'm along for the ride so to speak. In listening to our first part of our conversation, it strikes me what we heard is what I call a descriptive approach. We're thinking of how do the academics describe and visualize what the CERT and CSIRT community does? How does the CSIRTs community envision itself? What do they experience and the like. As has been alluded to several times, there has been a movement to treat CERTs not as actors but subjects of the norm making process that we have seen in international fora as we enter a world where cyber diplomacy is a thing - and we have cyber diplomats sitting in the room with us - that there is this question of what role should the CERT (as a subject of the normative project), what role should they have and what role do we want, not just for those that already exist, but let's remember the expansion of the community, and that there are countries looking at developing and putting in place national CERTs or CSIRTs and taking what was previously private CSIRTs and moving them into government. There are a set of normative questions about how that should be done, what should be the boundaries for that, what autonomy should remain in the CSIRTs, should -- what relationship should it have with law enforcement, the intelligence community, et cetera. I will ask Vladimir Radunovic to give us an initial overview of where that normative vision for CERTs came from and where it is now and then we'll bring in some of our government folks and folks from the ICT community to offer their views. >> VLADIMIR RADUNOVIC: I apologize, I won't look at a camera. Two bits of research that may be useful: one is with regards to the risks. The whole environment has changed, as we have heard also yesterday, with the entrance of states and with cyber armament. What we have done is we have tried to map the countries that actually say that they have offensive cyber capabilities. There is a map available, you will see it in this IGF Daily and the Digital Watch Observatory. It shows 20 countries at least that say themselves today that they have offensive cyber capabilities. Some are more or less are responsible, saying how they'll use that capability, some are not. There are at least nine more that have strong indications that they have offensive cyber capabilities and probably many more that do because much of the offensive cyber capabilities are hidden in the defence framework as sort of a pre-emptive defence and so on, even an intelligence. That's a bit of information which changes when it comes to the role of the CERTs. The other bit of research which was done earlier this year by DIPLO, is (unfortunately) still accurate because there was no change as a consequence of the UNGGE process. Otherwise we would have to update it. Basically, it serves to compare the norms and the report of the UNGGE 2013 and 2015 with the OSCE CBMs [confidence building measures], with the ASEAN

11 Regional Forum Work Plan on Security and with the Organization of America States [OAS] Cyber Security Strategy and the Declaration on Strengthening Cooperation on Cyber Security and so on. One of the findings is that, focusing on CERTs particularly, there are incidents where the documents refer to CERTs directly or indirectly. There is a whole set of things that are related to enhancing the CERT cooperation and incident response. And one of those is what Madeline mentioned in the beginning, about not knowingly supporting activities against CERTs or using them in cyberattacks. There is another one, which is, for instance, highlighted by the UNGGE and the OAS, on establishing CERTs, including for the protection of infrastructure, and facilitating cooperation between CERTs such as exchanging information on known vulnerabilities, attack patterns and best practices for mitigating the threats, coordinating responses and then organizing exercises and supporting each other in handling the incidents, and facilitating regional cooperation. That's something that probably the CERTs should also take into account. Those are the very specific links. There are also some that are not linked directly to CERTs but that could be attributed to CERTs. One set of measures is about exchanging information, and particularly the OSCE and the ASEAN Regional Forum have a link to encouraging the sharing of experiences and lessons learned in dealing with threats, and the creation of regional databases of potential threats and possible remedies in cooperation with working with CERTs. That's particularly the OAS document. Then we have a couple of points on appointing contact points. OSCE and UNGGE says, more or less, nominating a national contact point and provide contact data of existing national structures such CERTs, updating contacts annually and notifying of changes. This raises a big question of what's the difference between national contact points and CERTs? This is emerging, it is more or less clear to us but not normatively clear. Sharing information among appointed contact points and establishing a content directly database without duplicating CERT networks, that's particularly within the Asian Regional Forum and the GGE. There is a point related to critical infrastructure which goes on providing channels for online information sharing on threats to critical infrastructure and modalities for real time information sharing together with CERTs and that s the ASEAN Regional Forum. At the end, there are a couple of bits, because all of the documents also relate to capacity building, so there are a couple of bits which talk about the need for capacity building. Some of those are particularly related to incident response, including incident response capabilities, CERT and CERT-to-CERT cooperation capabilities (which is quite interesting). The OAS suggested capabilities on how to report a cyber incident and to whom. I will stop with that, I think this gives an idea where CERT is mentioned in the documents. Thank you. >> DUNCAN HOLLIS: Thank you. I think that's a great overview. It highlights the fact that we have, for the last several years in various international fora, seen these efforts to -- by non- CERTs, these other actors, often governments - they're putting on the CERT community certain norms of behaviour. I would like to bring in a few of the folks with experience of representing governments, I'll introduce them as a group and let them respond. We have Karsten Geier who has represented the German government on these issues for a number of years and also has recently chaired the UNGGE forum last summer that failed to reach a consensus report. We're also joined by Tobias Feakin who represents the Australian

12 government as their Cyber Ambassador, and Gavin Willis who represented the UK government at the GGE in 2009 and For the group of you, you can cherry-pick from the following set of questions. One I'm kind of interested to know from your perspective or your understanding of the international conversations, why have CERTs or CSIRTs been brought into these international dialogues. What has been the motivation that has made them a kethe vulnerabilities Terry norms of the CBMs, et cetera. Second question; how do you understand the relationship of CSIRTs to national governments? I understand that when I use the term CSIRT it is probably needing to be desegregated. We have on one hand the nationalization of certain CSIRTs and that may be of most interest. But as suggested earlier, we have plenty, if not a majority of CSIRTs that are privately oriented and there was the point about the similar functions they perform and why focus on only national CSIRTs in this role rather than offering similar norms for the private folks, let alone the industry that's engaged in much of the same activity? The third question, the one that this whole panel raises, is there a peril or potential in this idea of CERT diplomacy? Is this an idea from a government perspective that has appeal particularly given the current geopolitical environment, where if the politicians and diplomats can't talk, maybe the scientists can talk to each other. Are there problems with that, as Maarten suggested? Does it resonate when he says some political acts could make the CSIRT behaviour more difficult? Karsten Geier, if is it is okay with you, I will give you the privilege of taking the floor first. Thank you for joining us. >> KARSTEN GEIER: Thank you. I'm not sure I'm happy to thank you for giving me the opportunity to explain failure. Which I won't do, by the way! I will use the floor to make comments and then maybe set a bit of the background on what the UNGGEs have been doing so far. The comment; I have been listening attentively to this conversation and wondering if we're not talking past each other. Cyber diplomacy to me is about solving problems which the world wouldn't have if we didn't have an Internet. I think we have been discussing a problem this morning which doesn't exist at all and that's because I think we may be discussing two different levels of problems. I believe that as a matter of fact, the CERT/CSIRTs community plays an important role at both levels. A primary role at the first level, secondary role at the second level, let me explain. Cyber diplomats, (people representing governments on matters of ICT use) do, is they try to agree the rules that apply to state behaviour with regard to information communication technologies. In particular, the primary target of cyber diplomacy must be to prevent the use -- not the use of information communication technology in international conflict -- but to prevent international conflict to emerge inadvertently or involuntarily from incidents which have happened in cyberspace, which are due to the use of information communication technologies. You can imagine a scenario in which -- I don't know -- one country has a serious ICT incident and the government rightly or wrongly attributes that to another government and that other government says it wasn't us, and tempers flare and it escalates.

13 This is an important scenario about which we are talking. This means that the cyber diplomats, representing governments, only come in to play at a relatively late phase of the game. They only come into play if an incident has escalated to the point where the technical community, the CSIRTs have not resolved it. So far, fortunately I think almost all incidents have been resolved at the technical level without government interference. That is a very good thing. I would very strongly encourage the CERT/CSIRTs community to continue what they have been doing successfully, establishing their own patterns of interaction and rules of procedure and establishing their own channels of communication to manage the myriad of incidents that we see every day so that they don't ever come to the attention of people like myself. This also maybe explaining the role of the contact points that we have been establishing in the OSCE area and in other regional contexts in which the UN has been encouraging - those are the political contact points, for instance, which really are at the risk of jeopardizing international peace and security. They're not meant to replace CERT/CSIRT contacts. That s a very important point. Let me explain a bit where we are in the UN with the GGEs. So, discussions on ICTs in the context of international peace and security have been going on at the United Nations since 1998 when the Russians brought it to the General Assembly. At first, there was not a lot of enthusiasm for the topic for any number of reasons. One reason was that people didn't understand what was going on. Now, the UN is not different from any other big organization that's faced with a new problem. If it doesn't know how to handle the new problem, it asks a group of experts to study the matter and report. In the UN context, that's called a Group of Governmental Experts. So , the General Assembly convened a group of government experts to study the matter. That group met and it couldn't agree on a consensus report, setting a very unfortunate precedent for a later GGE. The General Assembly was not discouraged by this lack of consensus and convened another GGE and Gavin sat on that. Every development that followed since 2009 to 2010 is Gavin's fault. But that GGE did produce a consensus report which concluded that existing and potential threats in the sphere of information security may cause substantial damage to international security, and that the effects carry significant risk for public safety, the security of nations, and the stability of the globally linked international community as a whole. What this means, is that in 2010 after only 12 years of negotiations, finally the UN arrived at the consensus that, yes, there is a problem. Mind you, the UN has on occasion been overtaken by glaciers. The UN General Assembly convened in 2013, another GGE and that one produced (Gavin -- with all due respects -- neither of us were on that group), that actually produced a landmark report that said that international law and in particular, the UN charter is applicable, and is essential to maintaining peace and stability. Following on the heels of that success, there was a GGE, the fourth, which offered insights on how existing international law applies. It also offered a set of voluntary, non-binding (legally nonbinding) norms of responsible state behaviour to reduce the risks to international peace, security, and stability. Those non-binding norms actually also covered the behaviour of governments with regard to the role of CERTs and CSIRTs and the idea was to protect exactly what the CERT/CSIRTs are doing, to encourage their positive, stabilizing role and to

14 prevent them from being politicized in the business between the governments. That's the purpose of bringing the CERT/CSIRTs into the norms in the 2015 GGE report. And then the was convened to deepen and to universalize the findings of the 2015 GGE report. The experts in that group wanted to produce a report, that they called a report plus which would provide concrete recommendations to governments on how to implement the recommendations contained in previous GGE reports, and we got very close. In June of this year, 23rd of June, we had about -- I don't know -- far more than 90% of our report consensualized but there was one point on which it was impossible to reach agreement, and so unfortunately, we had to report failure to the General Secretary. It was certainly not for lack of trying and it was also not for lack of advice received. Anyway, the discussion right now is how to take this forward, where to go next. I won't bore you with that. Maybe one final word is I believe that cyber diplomats, that governments, should refrain from interfering in the work of the CERT/CSIRTs community. It is important work going on very, very well for a number of years without us getting in their way. I think we're well advised to continue to not get in the way of CERT/CSIRTs and these experts. At the same time, I believe that we're well advised to listen to the advice we're getting from the technical experts, from the CERT/CSIRT community where it is offered. Otherwise, there is a good chance we'll write and produce nonsense. A number of GGE experts have had technical experts, CERT members as advisers in their teams and we have all benefited from it in our discussions. I'll stop it there. >> DUNCAN HOLLIS: Thank you very much. I'm particularly impressed that you did in less than 8 minutes an entire survey of the history of the Group of Government Experts. I want to invite both Toby and Gavin to contribute, maybe not on the GGE process generally. We have situated where the CSIRTs fit into this this but in terms of taking that as a foundation, what are your thoughts on this question of CERT diplomacy? What's the right role of a CERT from a national perspective? Is nationalisation good but keeping them still autonomous? What are your views? I will turn it over to either of you that wants to take the floor first. >> TOBIAS FEAKIN: I think there is a temptation as one of these so-called cyber diplomats to over use CERTs. They are one of the most wonderful diplomatic tools and partners that you can have when you re in a discussion because basically dealing with the operational community whose concerns are based around how do I get the job done, not how do I deal with politics. It is incredibly useful. I'll use a clear case study, track one dialogue with China last week, there was a lot of difficult discussions that we had, but at the end of it we signed an awesome agreement between our CERTs and found out about all these amazing case studies where they're assisting one another in fighting cybercrime and assisting with sharing information. It is your second track of diplomacy going on behind the scenes getting the job done. It s something to be careful of, not pointing the finger at them too often, (the national CERT team) saying can you do something more for us?. They're already stretched. They're absolutely part of the diplomatic toolkit we have - I think in Australia, and I see it in many other countries as well. They play a vital role from Australia's perspective in bilateral relationships, in a regional setting. We chair APCERT and we are very proud of that. They're doing incredible work in bringing the community together and sharing with us diplomats in the foreign affairs world and making sure that we're aware of the work that they do and how we can capitalise on that.

15 We conversely try to push funding so that we can support good project works that they have. There is a number of projects that the Australian CERT are working on now, specifically in the Pacific and building those linkages (operational linkages), bringing together people in the Pacific who are either going to be involved in the setting up of the CERTs or are already involved in the CERTs. There is also a very strong role that CERTs can play, and something that we started to do a lot of now from Australia's perspective, in building the linkage between international law and norms and how they actually relate to operational issues. We found a very willing partner with our CERT partner coming in the room, talking about operational issues and how the law and norms are directly applicable to the kinds of operational issues that they deal with. We found this to be one of the single most useful ways of making norms or international law more visible and more comprehensible to a broader range of states than otherwise may be the case. I think, you know, they do all manners of good work which has been described. I think -- I'll go back to where I started and tie up so that we can have a bit more discussion. I think there is a danger that we lean on them too much. I think that's my concern. It is important not to spoil this very practical operational focus that they have and ensure that some of the geopolitics don't spoil the really good work that they do. I'll leave it there. Thank you. >> GAVIN WILLIS: Good morning, everybody. I'll respond to Karsten by saying that I'm recently back from the ITU World Telecom Development Conference in Buenos Aires where I was the European Cyber Security Coordinator. At that conference, we failed to agree on a new cyber security resolution, so I'm happy to join in the team of people that's recently failed in international cybersecurity negotiations. Moving on closer to the subject today, first of all, we have to be careful to avoid generalization. All CERTs are different, all national CERTs are different. The UK national CERT is now in its third iteration of structure. It s part of the National Cyber Security Centre, which is part of GCHQ, and the Minister for which is the foreign secretary. I doubt if any other national CERT reports to its foreign minister. That's really quite an unusual situation. Each nation should make their own decision as to where the CERT lives and as to what the constituency is. We have a structure that works for the UK, most likely it would not work for other nations. We do not believe one-size-fits-all. Our national CERT has a strong outreach program. We cooperate bilaterally, regionally and at times, globally. For several years we have been leading members of EGC which is a private club of European government CERTs. During the negotiations for the EU Network and Information Security Directive we strongly supported the proposal to form an EU CSIRT network and that Directive obliges the national CERTs to meet regularly. We're a member also of FIRST. Inserting a note of reality, the performance of national CERTs is likely to be judged on how well the national networks are defended. International cooperation must have a business case and there will be priority calls made. The case is often very clear if a neighbouring country has a problem, it may well affect the UK and we may face a similar issue. We have a very strong relationship with the national CERTs of all our near neighbours. Again, being realistic, it is easy to justify a continuing and close relationship if the flow of data is in both directions. All should try to give as well as to take and behave in a trustworthy manner. Trust must be earned, by the way.