APNIC Foundation Program Director Sylvia Cadena participated in the Stockholm Internet Forum from 15 to 18 May 2017 and presented an overview of APNIC's support for CERT development in the region, to help ensure the Internet remains secure and stable.
CERT Establishment
• RFC 2350: Expectations for Computer Security Incident Response (1998)
• Infrastructure setup
• Develop procedures / policy
• Training for CERT staff
• Establishing relationships / trust
• Promoting the CERT
• A CERT is a multi-stakeholder process, engaging its community directly
• A CERT is part of a bigger Internet multi-stakeholder community
• Expertise must be obtained, and maintained
• Trust and neutrality are PARAMOUNT
• CERTs can start small, with a long-term view
From a development perspective, a secure and resilient Internet infrastructure is essential if Internet-based, development-focused innovations are to satisfy the expectations of their users and fulfil their promise. Entrepreneurs and government services must have access to such infrastructure if their applications, services and tools are to prosper and achieve their expected impact. This applies particularly to applications and services such as mobile banking, telehealth, online education, training and employment, and e-government. If the network infrastructure cannot adequately and securely support Internet-based innovations, the opportunities to bring the Internet’s socio-economic benefits to the region’s communities will be considerably diminished.
I think we all know there’s no easy answer to that question.
The Internet is part of the real world now, and it has pervaded all aspects of society.
So I often answer the question about Internet safety by asking back: what does it take to make a safe society, against all the threats that we know about?
And if you look at safety broadly there are MANY threats: not only crime in many forms, but also accidents, negligence and natural disasters.
//
And how do we keep ourselves safe?
Well I think today we know how: after many years of building society, we have a network of components, all playing their roles.
Take fire, for instance: a fire brigade or department is a specialised body. They know how to deal with fire and fire emergencies, expertly.
But they don’t work alone. They deal closely with others (police, health professionals, educators, also regulators and industry) to make sure that fire safety is as good as it can be.
//
Something very important in safety is incident response, and that’s something we also know very well: the need to have a recognised point of contact which reaches the fire department when it’s needed.
//
So this is all an analogy for Internet safety, as I mentioned.
On the Internet we also have many threats, almost the same variety as there are in the real world, with as many sources and causes.
And I think it’s easy now to recognise that every one of these real-world threats also exists online.
And we have a fire department on the Internet, normally referred to as the CERT (Computer Emergency Response Team; CERT/CC is the … Coordination Centre),
or CSIRT (Computer Security Incident Response Team).
And the CERT is quite like a fire department: it’s a highly expert group which is oriented to incident response.
It operates at a national or local level to help coordinate readiness and response to Internet security incidents of all kinds.
And like the fire department, the CERT doesn’t try to do everything. A CERT works with others who pursue or prosecute actual offenders, set regulations, or repair damage caused.
//
There are some differences from the traditional fire department, however, for a number of reasons:
The knowledge and expertise of the Internet security landscape exists within the operational community itself.
The amount of information involved and the rate of change is huge, so information sharing is essential across the community.
This also means education and capacity building as an ongoing process involving all stakeholders.
And the issue of trust is critical, because information which is shared can be critical to security, highly sensitive and often confidential.
So there is a need for CERTs to play a role which is integrated with the community they serve.
If this sounds like a typical Internet multistakeholder arrangement, then indeed it is.
CERTs emerged with the Internet itself, in the late 1980s, and are a very good example of the power of and need for a multistakeholder approach in Internet matters; where all parties play a critical role.
//
APNIC is working on a project to strengthen Internet security by fostering and supporting the development of Computer Emergency Response Teams (CERTs) at the national level. This will be done through a bottom-up, research-led capacity building program for selected security personnel, policymakers, relevant government departments, ISPs and telecom operators in the region. The outcome will be a strengthened, more cohesive, integrated and trusted security community measured by the number of people trained and engaged and CERTs established.
So there is a critical feature of the CERT community, which is trust.
As I said, information is critical. In the wrong hands, information about an incident, or about how to mitigate an incident, can be used to prolong an attack, or to mount the next attack. And today, security information has enormous value.
So trust is taken very seriously in the CERT community, and so-called “circles of trust” exist among the individual experts in that community: not between institutions, but between individuals.
The circles are expanded carefully. Introductions are necessary, sometimes with multiple people needing to vouch for a new member.
So in building a new CERT, entering existing circles of trust is perhaps the most sensitive and important consideration.
//
And to be effective a CERT must have links into multiple trusted circles. These exist in law enforcement, and CERT staff need to be trusted to participate with those people.
Also regionally and internationally: there’s the community of CERTs in the Asia Pacific region, and APCERT itself; there are groups like FIRST which are critical for information sharing.
These groups will offer huge support, but before working operationally with you, they must trust your CERT, and in particular the individual members of the CERT staff.
I can’t stress enough that we are talking about individuals here. If staff change at a CERT, it has to start all over again.
(FIRST = Forum of Incident Response and Security Teams)
//
Investing in the development of cybersecurity capacity strengthens the ability of communities and networks to respond to security attacks, threats and problems. This improved regional resilience provides an important flow-on benefit to the cybersecurity community, which is better informed and positioned to handle any attacks and problems. A more capable Internet security community improves the overall health of the Internet ecosystem and provides a valuable network of partners and contacts to help identify, mitigate, and respond to cyber threats.
So how do you get a CERT started?
(explain)
APNIC has been involved in many CERT discussions, and as you may know, we provided support to the Tonga CERT in its establishment.
Our colleague Adli Wahid travelled to Tonga twice, giving advice and training on this process.
We strongly feel that CERT.to has started on the right foot and in the right direction.
The Tongan Government provides leadership and support to the CERT, but from the very start followed a multi-stakeholder approach to ensure that the trust, confidence and neutrality of the CERT are maintained.
//
A CERT is a critical component of maintaining Internet security.
Without it, any community can be more vulnerable to cyber risks of all kinds, and have a much harder time managing and recovering from those risks.
(explain)
The project’s strategy starts with a readiness assessment to identify four island nations in the Pacific where CERTs can be established (based on access to funding and stakeholder support).
The assessment covers: physical infrastructure; information and services infrastructure; enabling environment; regulatory frameworks; staffing, skills and gender strategy; cyber threats; operations; finances.
A training and technical assistance strategy is designed based on the assessment results.
Mentoring is provided to join the circles of trust and acquire the skills needed, as well as to manage