[Bp_certs] About types of CERTs

Cristine Hoepers cristine at cert.br
Fri Jul 25 11:32:40 EDT 2014


Hi Andrew, Gaus,

On Fri, Jul 25, 2014 at 12:11:02PM +0000, Andrew Cormack wrote:
> > -----Original Message-----
> > > 2) Since there are already teams calling themselves "national
> > > CERT" out there, helping them to describe more accurately which
> > > of those functions they actually provide, so a "national CERT"
> > > that is actually only dealing with Government and/or critical
> > > networks doesn't get swamped with reports about problems in its
> > > citizen IP address ranges. Also saving those who report to it
> > > some frustration.
> >
> > And this (and your subsequent paragraph) I read as "once you
> > define your constituency and agree on functions that you will
> > provide (Paf's step #2) - publish them on your web site in a
> > prominent place".
>
> No, I'm only talking about constituencies at the moment, though we
> could move on to services later if you want. Part 2 (actually
> possibly more on-topic for this group) is a message to the
> Government - who may have heard from an international forum or
> wherever that they need a "national CERT"

More than "have heard from" I would say that they are being mandated
or "strongly encouraged" to -- but don't have the slightest idea about
what a CERT is, much less a "national CERT" -- and the term "national
CERT" is the one being used, among others, in a context that gives the
idea that "if you have one team, and it is national, it will solve all
your problems".


> - that there's more to improving the security of your country than
> setting up a CERT for the internal Government network.

Or setting up CERTs at all -- it is a more complex ecosystem -- I
would like to see governments demanding better software security,
changing university curricula for developers and engineers, for them
to consider security in the design, for example (just read the latest
news about health care security, the internet of things, cars, etc, and
you'll see they haven't learned a thing about security and are not
thinking about it).

Also, it is not just about creating one team that will save and
protect your country.  That is not going to happen -- security is made
inside each organization, and can benefit from having coordinating
teams facilitating the coordination, the cooperation, sharing
information, and

Another scary thing is that international government organizations
are making recommendations about CERTs and about international
cooperation, without taking into consideration what is already out
there.

For the NETMundial I helped to write a contribution that was pretty
much a survey of existing cooperation initiatives in security and
incident handling, with the intent to show that there is no "miracle
solution", and that we have a lot of initiatives to take into
consideration, instead of creating new forums.  If anyone is
interested:

- The Importance of a Multistakeholder Approach to Cybersecurity
  Effectiveness
- Entitled by: Cristine Hoepers, Klaus Steding-Jessen, Henrique
  Faulhaber
- Organization: Brazilian Internet Steering Committee - CGI.br
http://content.netmundial.br/contribution/the-importance-of-a-multistakeholder-approach-to-cybersecurity-effectiveness/180

There are 2 other contributions that also brought about cooperation,
FIRST, MAAWG, etc:

- Towards an open, free and robust Internet for the future
- Entitled by: Walid Al-Saqaf
- Organization: ISOC-Yemen
http://content.netmundial.br/contribution/towards-an-open-free-and-robust-internet-for-the-future/115

- Google Submission for NET mundial Conference
- Entitled by: Ross LaJeunesse
- Organization: Google Inc.
http://content.netmundial.br/contribution/google-submission-for-netmundial-conference/147


> > How is your 2) different if we consider a CERT in an academic
> > world? We have many teams calling themselves academic but they
> > provide different services to its constituency. So we should
> > then do the same for them as we want to do for "national CERTs".
>
> No - because "academic CERT" does roughly define the
> constituency. "National CERT" doesn't. So the latter need more help.

Agree -- and I would like to add here, as anecdotes, phrases I heard
in the past few years, while talking to policy makers in ITU, OAS and
IGF meetings (this is a mix of comments from people from all continents,
from developed and developing countries):

 "What is the value of a CERT if you can't arrest anyone?"
  -- a country representative in a delegation, at a meeting about
     establishing Cooperation among CERTs

 "How can you, as a National Team, work if you can't screen all the
  traffic that comes in and out of your country?"
  -- a prospective "national CERT" manager, while trying to learn more
     about CERT.br services in the process of establishing his team

 "So your staff is not made of Police Agents and Forensic Experts?"
  -- the same prospective manager

 "National CERTs should only be called so if they are part of a
  national Defense Capability and are able to stop attacks"
  -- High ranking Military in a meeting about establishing Cyber
  Commands


> > I am afraid that I still do not see a magic in attaching a word
> > "national" to a team (unless you get a big budget and _that_
> > would be magical indeed).
>
> Nor do I. But there are lots of them popping up, serving lots of
> different constituencies, and that's confusing, maybe dangerously
> so.

I agree with Andrew -- I don't care how people call me or other teams.
But I care that the name is being misused either by innocence or by
specific agendas.


> > I do understand that every government would like to have a team
> > that they own and control. They would also like it to be the most
> > prominent in a country and by attaching "national" to it they
> > hope to achieve that goal. That is perfectly understandable and
> > fine. But I still fail to see why national teams are so special
> > that we need to focus on them specifically.

They are being asked to create teams with this name.  And, to add to
confusion, international organizations are confused as to why different
countries have different structures, and teams at different
organizations.  Some private, some not for profit, some in the
government.

IMHO this happens mainly because different countries have different
cultures, different political regimes, and more important, they
establish the teams where there is expertise, funding, and trust from
the community.

But some are feeling the need to have a "template" for teams with
national responsibility.  Having a document that shows that the world
is more complex and that diversity is good, would not be a bad idea.


> > The point I am trying to make is that (to me) "national CERT"
> > is not a special type of a team. It is just the same as any other
> > CERT. Obviously I have not read all papers published on this
> > topic but I am pretty sure that if you would remove words
> > "national" and "government" from them that you would end up
> > with a document that can be used to establish a CERT in a
> > non-profit organization or a bank.

Not quite, more below.


> With the exception of "CERT-of-last-resort", which I think *is* a
> different service, then I mostly agree. They may be more likely to
> have special relationships with police/legislators/security
> services, though.

Agreed -- but more and more, teams with national responsibility are
assuming different ways of being coordination teams.

> > I am not against that a team calls itself "national CERT" but
> > when we are creating best practices why we would not make them
> > universal instead of trying to constrain ourselves to a niche
> > which (to me) is virtual.
>
> Because the term "national cert" is moving from confusing to
> downright misleading.

I can't agree more.

> I hate to think how many hours I've wasted on discussions about
> "security" when no one actually defined what they meant by that
> term. To my mind "national CERT" has nearly as much potential for
> misunderstandings :(

You have no idea how comforting it is to know that I'm not alone!

Cheers,
Cristine

> Andrew
>
> > Thanks,
> >
> > Gaus
> >
> >
> >
> >
> > >
> > > Andrew
> > >
> > >
> > > > -----Original Message-----
> > > > From: Bp_certs [mailto:bp_certs-bounces at intgovforum.org] On Behalf
> > Of
> > > > Damir Rajnovic
> > > > Sent: 25 July 2014 08:31
> > > > To: bp_certs at intgovforum.org
> > > > Subject: Re: [Bp_certs] About types of CERTs
> > > >
> > > > Hi all,
> > > >
> > > > It seems to me that I have joined mid-stream into this thread
> > > > a few days ago so I am probably missing the initial context.
> > > >
> > > > This is fascinating discussion but I have one very simple
> > > > question which is about importance of being "national CERT"?
> > > > (sorry, could not help myself)
> > > >
> > > > A team can call itself whatever they like - national, CNI,
> > > > semi-national or Exalted CERT for Official Monster Raving Loony
> > > > Party - all that it matters is what is their constitency. If
> > > > an incident involves that constituency (or a subset of it),
> > > > then that team is who you need.
> > > >
> > > > I can understand that for the team itself there might be a
> > > > significance if it can attach a specific title to itself because
> > > > then the team can get more funding or prestige. But is that
> > > > really what is important? We can certainly list all known
> > > > names and we can invent a few more but what is the end goal?
> > > >
> > > > Thank you,
> > > >
> > > > Gaus
> > > >
> > > > On Thu, Jul 24, 2014 at 05:29:02PM +0000, Andrew Cormack wrote:
> > > > > And to those trying to reach out to a particular CSIRT role in
> > > > > another country. In theory you should be able to tell the
> > > > > difference from the 'constituency' definition in RFC2350, but
> > > > > I suspect it'd be easier to have distinct names for each role
> > > > > so that 'national CERTs' could flag up which they were.
> > > >
> > > >
> > > >
> > > >
> > > > ==============
> > > > Damir Rajnovic <gausix at gmail.com>
> > > > Telephone: +44 7825 049 500
> > > > ==============
> > > > There are no insolvable problems.
> > > > The question is can you accept the solution?
> > > >
> > > >
> > > > Incident Response and Product Security
> > > > http://www.ciscopress.com/bookstore/product.asp?isbn=1587052644
> > > >
> > > >
> > > > _______________________________________________
> > > > Bp_certs mailing list
> > > > Bp_certs at intgovforum.org
> > > >
> > http://mail.intgovforum.org/mailman/listinfo/bp_certs_intgovforum.org
> >