[Bp_certs] About types of CERTs
Cristine Hoepers
cristine at cert.br
Thu Jul 24 10:41:58 EDT 2014
Hi,
On Thu, Jul 24, 2014 at 03:12:05PM +0200, Mirosław Maj wrote:
> Dear All,
>
> Interesting discussion :)!
Excellent discussion indeed!
> On 23/07/14 15:23, Andrew Cormack wrote:
> > Cristine
> >
> > I was interested to see that "national CERTs" now think that term
> > means "teams whose constituency are networks/organizations/assets of
> > National importance".
>
> Exactly! Additionally we should respect the fact that "National
> importance constituencies" are protected more and more often not only
> by nat/gov CERTs. Private CERTs are also delivering services to them.
> BTW - the trend of establishing CERTs for critical infrastructures also
> should be considered regarding this discussion.
That was exactly my point when I started this thread.
A "CSIRT with National Responsibility" is not necessarily a
"Government CSIRT". Although, we are seeing more and more governments
that want to push the idea that to be a CSIRT serving "National
importance constituencies", you have to be part of the government.
Also, we need to keep in mind the fact that if a CSIRT is serving a
Government organization does not mean it has National responsibility.
I would characterize as CSIRTs with National Responsibility those
serving any of these constituencies in a Coordination role:
- Critical infrastructures (e.g. ICS-CERT)
- Coordination Center for Government networks (e.g. GovCERT.AT in
Austria, CTIR Gov in Brazil, CERT.Gov.PL in Poland, etc)
- Teams of last resort, that usually also coordinate incidents with
major ISPs and private sector networks (e.g. CERT.at in Austria,
CERT.br in Brazil, CERT.PL (former CERT Polska) in Poland, etc)
Also, we are seeing more and more "Cyber commands" and "Cyber Defense
Centers" being created, with the mission of "protecting the nation" --
I still have mixed feelings about calling these organizations CSIRTs
at all -- but there are countries that are pushing this. Not to
mention all the trend to have "National CSIRTs" under Intelligence
organizations (if I'm not mistaken this is the case in Sweden and
Denmark), and under the Police (this is the case for Mexico, for
example).
> > That means we need another term for what I used to call the "CERT
> > of last resort", for example if you have an incident in the UK and
> > neither the FIRST, TI or RIPE directories give you a specific
> > constituency CERT for the affected IP address, where (if anywhere)
> > do you send it? Depending on the country, that may be something
> > the "national CERT" does (I think Rohana was saying that in Sri
> > Lanka it is), it may be done by someone else, or it may not be
> > done by anyone.
That used to be my understanding of "National CERTs" too -- but the
definition evolved after we got international government organizations
more involved into this. I saw this definition change a lot after we
started having Organizations like ENISA, NATO, ITU and OAS
recommending the creation of "National CERTs" -- each one with its own
definition of it. The countries that already had some CSIRTs by the
time these recommendations came out, are just having more teams being
added, some more local coordination to try to figure out, etc. But
I'm seeing more and more governments of countries that had fewer
CSIRTs, trying to make all "National CSIRTs" inside government
organizations.
It is a big confusion, to say the least.
And, going back to the panel on the National CSIRTs Meeting -- the
discussion was exactly about the role of National Teams in the next 20
years...
> I like this description of "CERT of last resort". It is becoming a
> kind of technical but very important function. My guessing is that
> it does apply mostly to "good-old" CERTs which are very much
> recognized by communities but for some reasons they stop to play
> formally the official roles because of establishing national or
> governmental CERTs in their countries.
Goes to my previous point.
And I think in these cases the governments are yet not understanding
the role of a CSIRT, and they are missing the vital services that the
"good-old" CERTs offer and, most importantly, the vital importance of
"National CERTs" that are neutral, that can talk to all stakeholders
without making them think they are talking to a regulator or to the
police.
> BTW - besides of terms national and governmental there is
> another one - "de facto national" and it is introduced by ENISA (see:
> CERT type filter at:
> https://www.enisa.europa.eu/activities/cert/background/inv/certs-by-country-interactive-map).
> As much as I understand it - it is about CERTs which play a role of
> national CERT but they are not officially legitimized by governments of
> their countries.
Interesting term -- and looking at the teams that are listed when I
choose this option, it gives me some of the most active teams, that we
at CERT.br have a strong cooperation with, and that are teams we can
count on when we need a partner.
But don't get me wrong, they are not the only ones -- but it is
interesting that they are among the most active and reliable.
Best regards,
Cristine
--
Cristine Hoepers, D.Sc.
General Manager
CERT.br/NIC.br
http://www.cert.br/
> Kind Regards
> Miroslaw Maj
> --
> Cybersecurity Foundation
> 20 Tytoniowa Str
> 04-228 Warsaw, Poland
> tel: +48 22 112 0 800
> mobile: +48 608 508 702
> e-mail: miroslaw.maj at cybsecurity.org
> www: http://www.cybsecurity.org/
>
>
> >
> > Being that CERT is a pretty thankless job (I spent a year, many years ago, running a pilot "last resort" CERT for European academic networks!) but in terms of public perception of the Internet, it seems to me it's an important one. The really severe incidents may be the ones within the constituencies of national CERTs (as defined above) but I hope they are few and far between. The ones (viruses, fraud, phishing, spam, ...) that affect the vast majority of Internet users, every day, and make them worry whether the Internet is a safe place to do business/work/education don't come from those constituencies.
> >
> > So if one of our objectives is to suggest how governments should build public confidence in the Internet, it seems to me that they ought to be thinking about how to provide some sort of incident response/victim support for those constituencies too. I'm afraid it's not something we've cracked in the UK - at the moment we have getsafeonline.org providing advice to the citizen - but the policy on where to report online frauds etc. seems to change frequently and isn't at all well publicised :(
> >
> > So I'm very interested to hear about the Kenyan approach of using the telecom association and internet exchange as a hub. That sounds a bit like the German initiative https://www.botfrei.de/en/ that has advice for end users but also (if I understand correctly) provides a helpdesk that ISPs can direct customers to where they've spotted traffic that suggests a botnet infection. That seemed to me like a nice mix of automation for the majority of customers with detailed human help for the few that need it.
> >
> > Best wishes
> > Andrew
> >
> > --
> > Andrew Cormack
> > Chief Regulatory Adviser, Janet
> > t: +44 1235 822302
> > b: https://community.ja.net/blogs/regulatory-developments
> > Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is
> > registered in England under No.2881024 and whose Registered Office is at Lumen House, Library
> > Avenue, Harwell Oxford, Didcot, Oxfordshire, OX11 0SG. VAT No. 614944238
> >
> >
> >> -----Original Message-----
> >> From: Bp_certs [mailto:bp_certs-bounces at intgovforum.org] On Behalf Of
> >> Cristine Hoepers
> >> Sent: 16 July 2014 00:37
> >> To: bp_certs at intgovforum.org
> >> Subject: [Bp_certs] About types of CERTs
> >>
> >> Dear all,
> >>
> >> First of all, thanks for the interest in the IGF CERTs BPF!
> >>
> >> I would like to share some thoughts, considering discussions I
> >> participated in previous IGF and pre-IGF events, and the discussion
> >> that took place in the mailing list a few days ago, about CSIRTs with
> >> national responsibility (in short "National CSIRTs" or "National
> >> CERTs"), which has also brought a little bit of discussion about other
> >> types of CSIRTs.
> >>
> >> There is no right or wrong about who hosts a National CSIRT, or which
> >> services it should provide. From experience, each country will need
> >> to identify what works best in its case, as well as consider other
> >> issues like services, funding, local internet governance structure and
> >> cultural issues, among other factors that might impact the decision.
> >>
> >> Also, several countries have more than one National CSIRT, and the
> >> number is growing each year. In the last National CSIRTs meeting,
> >> about 2 weeks ago, there was a very interesting discussion about the
> >> future of National CSIRTs and their role. In this panel there was an
> >> agreement that National CSIRTs are teams whose constituency are
> >> networks/organizations/assets of National importance, and that the
> >> number of such teams tends to increase.
> >>
> >> I would like to share some examples of National CSIRTs that are
> >> operated by different stakeholders -- note that the focus of the
> >> information is to give examples of different hosting organization, not
> >> the constituency served by each team:
> >>
> >> - CERT.br - is operated by NIC.br, a not for profit organization that
> >> implements the decisions and projects defined by the Brazilian
> >> Internet Steering Committee - CGI.br. And CGI.br is the
> >> multi-stakeholder internet governance body in Brazil. All funding
> >> comes from <.br> domain name registration.
> >>
> >> - CERT.PL (previously CERT Polska) - is operated by NASK (Research and
> >> Academic Computer Network), a research institute which conducts
> >> scientific studies, operates the national .pl domain registry and
> >> provides advanced IT services.
> >>
> >> - JPCERT/CC - is an independent non-profit organization.
> >>
> >> - CARICERT - is sponsored by the Curaçao Bureau Telecommunication and
> >> Post (BT&P).
> >>
> >> - Egyptian CERT - is operated by the Ministry of Communications and
> >> Information Technology.
> >>
> >> - CERT-EE - operated by the Estonian Information System Authority
> >> (RIA), a subdivision of the Estonian Ministry of Economic Affairs
> >> and Communications.
> >>
> >> A more complete list of CSIRTs that have responsibility for an economy
> >> or a country can be found here:
> >> http://cert.org/incident-management/national-csirts/national-csirts.cfm
> >>
> >> I'll not make this e-mail even longer, but there are CSIRTs in many
> >> different organizations, with different missions and services. The
> >> most important of all is that these CSIRTs work in cooperation to make
> >> the Internet more stable and secure. A list of teams that are members
> >> of FIRST (the Forum of Incident Response and Security Teams) can be
> >> found here: http://first.org/members/teams
> >>
> >> I personally think the work of the CERT BPF is a great opportunity for
> >> us all to share experiences, best practices, questions, case studies,
> >> but most of all it is a great opportunity for us to identify
> >> challenges and try to find a way to start answering the open
> >> questions.
> >>
> >>
> >> Best regards,
> >> Cristine
> >>
> >> --
> >> Cristine Hoepers, D.Sc.
> >> General Manager
> >> CERT.br/NIC.br
> >> http://www.cert.br/
> >>
> >> _______________________________________________
> >> Bp_certs mailing list
> >> Bp_certs at intgovforum.org
> >> http://mail.intgovforum.org/mailman/listinfo/bp_certs_intgovforum.org