12. In Conclusion
• A CERT is a multistakeholder process, engaging its community directly
• A CERT is part of a bigger Internet multistakeholder community
• Expertise must be obtained, and maintained
• Trust and neutrality are PARAMOUNT
• Start small, with a long-term view
• Start now!
I guess you know APNIC is the IP address registry for Asia Pacific – distributing IPv4 and IPv6 addresses.
These days we serve over 13,000 network operators – Telcos and ISPs, data centres, institutions, government agencies and enterprises who run their own networks.
We’ve been involved in Internet capacity building for many years – training and technical assistance across many topics – but these days Security is at the top of the list for our members, and many others in the community.
So there is huge interest and I often hear the question of what it takes to make a safe Internet, especially in meetings like this, also in meetings such as the Internet Governance Forum, where people come together to discuss these critical Internet issues.
I think we all know there’s no easy answer to that question.
The Internet is part of the real world now, and it has pervaded all aspects of society.
So I often answer the question about Internet safety by asking back, what does it take to make a safe society, against all the threats that we know about.
And if you look at safety broadly there are MANY threats – not only crime in many forms but also accidents, negligence, natural disasters.
And how do we keep ourselves safe?
Well I think today we know how: after many years of building society, we have a network of components, all playing their roles.
Take Fire for instance: A fire brigade or department is a specialised body – they know how to deal with fire and fire emergencies, expertly.
But they don’t work alone – they deal closely with others – police, health professionals, educators, also regulators and industry - to make sure that fire safety is as good as it can be.
Something very important in safety is incident response and that’s something we also know very well – the need to have a recognised point of contact which reaches that fire department when it’s needed.
So this is all an analogy for Internet safety – as I mentioned.
On the internet we also have many threats, almost the same variety as there are in the real world, with as many sources and causes.
And I think it’s easy now to recognise that every one of these real world threats also exists online.
And we have a Fire Department on the Internet, normally referred to as the CERT – Computer Emergency Response Team, CERT/CC - … Coordination Centre, or CSIRT – Computer Systems Incident Response Team.
And the CERT is quite like a fire department – it’s a highly expert group which is oriented to Incident Response.
It operates at a national or local level to help coordinate readiness and response to Internet security incidents of all kinds.
And like the fire department, the CERT doesn’t try to do everything. A CERT works with others who pursue or prosecute actual offenders, set regulations, or repair damage caused.
There are some differences with the traditional fire department, however.
This is for a number of reasons:
The knowledge and expertise of the Internet security landscape exists within the operational community itself.
The amount of information involved and the rate of change is huge: so information sharing is essential across the community.
This also means education and capacity building as an ongoing process involving all stakeholders.
And: The issue of Trust is critical – because information which is shared can be critical to security, highly sensitive and often confidential.
So there’s a need for CERTs to play a role which is integrated with the community they serve.
If this sounds like a typical Internet multistakeholder arrangement, then indeed it is.
CERTs emerged with the Internet itself, in the late 1980s, and are a very good example of the power of and need for a multistakeholder approach in Internet matters, where all parties play a critical role.
So there is a critical feature of the CERT community which is Trust.
As I said, information is critical, and in the wrong hands, information about an incident, or about how to mitigate an incident, can be used to prolong an attack, or mount the next attack. And today, security information has enormous value.
So Trust is taken very seriously in the CERT community, and so-called “circles of trust” exist among the individual experts in that community. Not between institutions but between individuals.
The circles are expanded carefully: Introductions are necessary, sometimes with multiple people needing to vouch for a new member.
So in building a new CERT, entering existing circles of trust is maybe the most sensitive and important consideration.
And to be effective a CERT must have links into multiple trusted circles. These exist in law enforcement, and CERT staff need to be trusted to participate with those folks.
Also regionally and internationally: there’s the community of CERTs in the AP region, and APCERT itself; there are groups like FIRST which are critical for information sharing.
These groups will offer huge support but before working operationally with you, they must trust your CERT, and in particular the individual members of the CERT staff.
I can’t stress enough that we are talking about individuals here. If staff change at a CERT, it has to start all over again.
(FIRST = Forum of Incident Response and Security Teams)
So how do you get a CERT started?
(explain)
APNIC has been involved in many CERT discussions, and as you may know, we provided support to the Tonga CERT in its establishment.
Our Adli Wahid travelled to Tonga twice, giving advice and training, on this process.
We strongly feel that CERT.to has started on the right foot and in the right direction.
The Tongan Government have given leadership and support to the CERT, but from the very start followed a multi-stakeholder approach to ensure that trust and confidence, and neutrality of the CERT are maintained.
The planning process is quite detailed actually, and here’s an extract of the checklist for the first year’s activities – just to show you a glimpse of what is involved.
Since Tonga, APNIC is continuing work with partners in the region, with ITU, Agencies like JICA and DFAT, ISOC, ICANN and others – on security in general and CERTs in particular.
And we hope to see developments in the Pacific in the coming year and more.
A CERT is a critical component of maintaining Internet security.
Without it any community can be more vulnerable to cyber risks of all kinds, and have a much harder time managing and recovering from those risks.
(explain)
See you again in Vanuatu for the Pacific ICT days including Pacific IGF!
One challenge is that if a circle grows too much or too fast then trust can be diluted. Risks increase, and information sharing is threatened.
So a natural evolution which has happened all over the world is that a national CERT will “spin off” other CERTs which look after specific sectors – network operators, law enforcement, and high-security communities like banking. This is something to expect, if not to plan, from the early days of any CERT.