[Bp_certs] Bp_certs Digest, Vol 2, Issue 21
Aaron.MARTIN at oecd.org
Tue Jul 29 09:53:06 EDT 2014
Hello all,
I agree that the discussion on what is a national CSIRT, and the different kinds of national CSIRTs in operation, is very informative.
We are trying to elaborate such a typology for our work on developing statistical guidance for national CSIRTs.
We have found that, generally speaking, it may be possible to classify national CSIRTs' constituencies as follows:
i) national CSIRTs with responsibility for all sectors in a country/economy
ii) those that are responsible for all networks in a country/economy except those owned/operated by government or military
iii) those that are only responsible for networks in the public sector, government and/or critical infrastructure; and
iv) those responsible for private sector networks, particularly critical infrastructure.
We would be happy to work with this community to elaborate and improve this basic typology. In fact, it is something that our delegates would greatly appreciate and would feed nicely into the guidance we are currently drafting.
We look forward to the ongoing discussions.
Best,
Aaron Martin
OECD
Cybersecurity and Privacy
Division for Digital Economy Policy
+33 1 45 24 94 77
aaron.martin at oecd.org
www.oecd.org/sti/security-privacy
-----Original Message-----
From: Bp_certs [mailto:bp_certs-bounces at intgovforum.org] On Behalf Of bp_certs-request at intgovforum.org
Sent: 24 July, 2014 6:00 PM
To: bp_certs at intgovforum.org
Subject: Bp_certs Digest, Vol 2, Issue 21
Today's Topics:
1. Re: About types of CERTs (Robin M. Ruefle)
----------------------------------------------------------------------
Message: 1
Date: Thu, 24 Jul 2014 15:37:03 +0000
From: "Robin M. Ruefle" <rmr at cert.org>
To: Cristine Hoepers <cristine at cert.br>, "bp_certs at intgovforum.org" <bp_certs at intgovforum.org>
Subject: Re: [Bp_certs] About types of CERTs
Message-ID: <876A3A66C32D0A48AFECC0D0832FA1A1A45C518A at marathon>
Content-Type: text/plain; charset="iso-8859-1"
Hello all,
This is a great discussion and certainly providing a lot of food for thought. I hadn't really thought previously about the need to define different types of National CSIRTs, just like we define different types of CSIRTs. I think outlining these different types would be very beneficial for the community to increase understanding but also to provide better awareness and training materials for not only those starting or deciding to start a CSIRT - but those in the government or other management areas who need to understand these differences and similarities - and the usefulness and "mission" of each type.
I am reminded of a conversation I had recently about a CSIRT which was located within the Federal Police. Even though they were acting as a National presence for certain activities, they were not interested in doing so for engaging the public, handling public incidents, or doing awareness and training and outreach. Instead they were actively encouraging the development of what I think you are calling the "good old CSIRT" to handle those particular activities. The Federal Police CSIRT was more interested in threat intelligence and defense activities. But they wanted to see this other CSIRT in operation as a partner. Now, I know some others with similar CSIRTs within law enforcement or intelligence do not always feel that way.
I think it would be interesting to get some perspective from people in some of the countries where there are multiple CSIRT teams handling different communities.
Through this discussion I am really getting the feeling that defining these different types of National CSIRTs is an area that has been greatly lacking in the literature and that perhaps with more information available - people will have a better understanding.
There is a lot of good information in the emails that are being exchanged. I think we can take a lot of that information and put it into a document that gives an overall view of "National" CSIRTs, what they can be, their different activities, focus, and constituencies, and the general thought that having one is not enough in today's world. I know that might not be the goal of this forum work, but I think it can be a side benefit if we want. I'd be happy as time permits, outside of the other work this forum is doing, to start to pull together some of the information and send it out for review (wouldn't be any time soon, but maybe within the next few months.)
Robin
Robin Ruefle
Team Lead, CSIRT Development and Training Team
Enterprise Threat and Vulnerability Management Team
CERT Program
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890 U.S.A.
Email: rmr at cert.org
http://www.cert.org/
-----Original Message-----
From: Bp_certs [mailto:bp_certs-bounces at intgovforum.org] On Behalf Of Cristine Hoepers
Sent: Thursday, July 24, 2014 10:42 AM
To: bp_certs at intgovforum.org
Subject: Re: [Bp_certs] About types of CERTs
Hi,
On Thu, Jul 24, 2014 at 03:12:05PM +0200, Mirosław Maj wrote:
> Dear All,
>
> Interesting discussion :)!
Excellent discussion indeed!
> W dniu 23/07/14 15:23, Andrew Cormack pisze:
> > Cristine
> >
> > I was interested to see that "national CERTs" now think that term
> means "teams whose constituency are networks/organizations/assets of
> National importance".
>
> Exactly! Additionally we should respect the fact that "National
> importance constituencies" are protected more and more often not only
> by nat/gov CERTs. Private CERTs are also delivering services to them.
> BTW - the trend of establishing CERTs for critical infrastructures
> also should be considered regarding this discussion.
That was exactly my point when I started this thread.
A "CSIRT with National Responsibility" is not necessarily a "Government CSIRT". Although, we are seeing more and more governments that want to push the idea that to be a CSIRT serving "National importance constituencies", you have to be part of the government.
Also, we need to keep in mind that a CSIRT serving a Government organization does not necessarily have National responsibility.
I would characterize as CSIRTs with National Responsibility those serving any of these constituencies in a Coordination role:
- Critical infrastructures (e.g. ICS-CERT)
- Coordination Center for Government networks (e.g. GovCERT.AT in Austria, CTIR Gov in Brazil, CERT.Gov.PL in Poland, etc)
- Teams of last resort, that usually also coordinate incidents with major ISPs and private sector networks (e.g. CERT.at in Austria, CERT.br in Brazil, CERT.PL (former CERT Polska) in Poland, etc)
Also, we are seeing more and more "Cyber commands" and "Cyber Defense Centers" being created, with the mission of "protecting the nation" -- I still have mixed feelings about calling these organizations CSIRTs at all -- but there are countries that are pushing this. Not to mention the trend to have "National CSIRTs" under Intelligence organizations (if I'm not mistaken this is the case in Sweden and Denmark), and under the Police (this is the case for Mexico, for example).
> > That means we need another term for what I used to call the "CERT of
> > last resort", for example if you have an incident in the UK and
> > neither the FIRST, TI or RIPE directories give you a specific
> > constituency CERT for the affected IP address, where (if anywhere)
> > do you send it? Depending on the country, that may be something the
> > "national CERT" does (I think Rohana was saying that in Sri Lanka it
> > is), it may be done by someone else, or it may not be done by
> > anyone.
That used to be my understanding of "National CERTs" too -- but the definition evolved after we got international government organizations more involved in this. I saw this definition change a lot after we started having Organizations like ENISA, NATO, ITU and OAS recommending the creation of "National CERTs" -- each one with its own definition of it. The countries that already had some CSIRTs by the time these recommendations came out are just having more teams being added, some more local coordination to try to figure out, etc. But I'm seeing more and more governments of countries that had fewer CSIRTs trying to make all "National CSIRTs" inside government organizations.
It is a big confusion, to say the least.
And, going back to the panel on the National CSIRTs Meeting -- the discussion was exactly about the role of National Teams in the next 20 years...
> I like this description of "CERT of last resort". It is becoming a
> kind of technical but very important function. My guess is that it
> does apply mostly to "good-old" CERTs which are very much recognized
> by communities but for some reasons they stop formally playing the
> official roles because of the establishment of national or governmental CERTs
> in their countries.
Goes to my previous point.
And I think in these cases the governments are not yet understanding the role of a CSIRT, and they are missing the vital services that the "good-old" CERTs offer and, most importantly, the vital importance of "National CERTs" that are neutral, that can talk to all stakeholders without making them think they are talking to a regulator or to the police.
> BTW - besides the terms national and governmental there is another one
> - "de facto national" and it is introduced by ENISA (see:
> CERT type filter at:
> https://www.enisa.europa.eu/activities/cert/background/inv/certs-by-country-interactive-map).
> As much as I understand it - it is about CERTs which play the role of
> national CERT but they are not officially legitimized by the governments
> of their countries.
Interesting term -- and looking at the teams that are listed when I choose this option, it gives me some of the most active teams, that we at CERT.br have a strong cooperation with, and that are teams we can count on when we need a partner.
But don't get me wrong, they are not the only ones -- but it is interesting that they are among the most active and reliable.
Best regards,
Cristine
--
Cristine Hoepers, D.Sc.
General Manager
CERT.br/NIC.br
http://www.cert.br/
> Kind Regards
> Miroslaw Maj
> --
> Cybersecurity Foundation
> 20 Tytoniowa Str
> 04-228 Warsaw, Poland
> tel: +48 22 112 0 800
> mobile: +48 608 508 702
> e-mail: miroslaw.maj at cybsecurity.org
> www: http://www.cybsecurity.org/
>
>
> >
> > Being that CERT is a pretty thankless job (I spent a year, many years ago, running a pilot "last resort" CERT for European academic networks!) but in terms of public perception of the Internet, it seems to me it's an important one. The really severe incidents may be the ones within the constituencies of national CERTs (as defined above) but I hope they are few and far between. The ones (viruses, fraud, phishing, spam, ...) that affect the vast majority of Internet users, every day, and make them worry whether the Internet is a safe place to do business/work/education don't come from those constituencies.
> >
> > So if one of our objectives is to suggest how governments should
> > build public confidence in the Internet, it seems to me that they
> > ought to be thinking about how to provide some sort of incident
> > response/victim support for those constituencies too. I'm afraid
> > it's not something we've cracked in the UK - at the moment we have
> > getsafeonline.org providing advice to the citizen - but the policy
> > on where to report online frauds etc. seems to change frequently and
> > isn't at all well publicised :(
> >
> > So I'm very interested to hear about the Kenyan approach of using the telcom association and internet exchange as a hub. That sounds a bit like the German initiative https://www.botfrei.de/en/ that has advice for end users but also (if I understand correctly) provides a helpdesk that ISPs can direct customers to where they've spotted traffic that suggests a botnet infection. That seemed to me like a nice mix of automation for the majority of customers with detailed human help for the few that need it.
> >
> > Best wishes
> > Andrew
> >
> > --
> > Andrew Cormack
> > Chief Regulatory Adviser, Janet
> > t: +44 1235 822302
> > b: https://community.ja.net/blogs/regulatory-developments
> > Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
> > not-for-profit company which is registered in England under
> > No.2881024 and whose Registered Office is at Lumen House, Library
> > Avenue, Harwell Oxford, Didcot, Oxfordshire, OX11 0SG. VAT No.
> > 614944238
> >
> >
> >> -----Original Message-----
> >> From: Bp_certs [mailto:bp_certs-bounces at intgovforum.org] On Behalf
> >> Of Cristine Hoepers
> >> Sent: 16 July 2014 00:37
> >> To: bp_certs at intgovforum.org
> >> Subject: [Bp_certs] About types of CERTs
> >>
> >> Dear all,
> >>
> >> First of all, thanks for the interest in the IGF CERTs BPF!
> >>
> >> I would like to share some thoughts, considering discussions I
> >> participated in previous IGF and pre-IGF events, and the discussion
> >> that took place in the mailing list a few days ago, about CSIRTs
> >> with national responsibility (in short "National CSIRTs" or
> >> "National CERTs"), which has also brought a little bit of
> >> discussion about other types of CSIRTs.
> >>
> >> There is no right or wrong about who hosts a National CSIRT, or
> >> which services it should provide. From experience, each country
> >> will need to identify what works best in its case, as well as
> >> consider other issues like services, funding, local internet
> >> governance structure and cultural issues, among other factors that might impact the decision.
> >>
> >> Also, several countries have more than one National CSIRT, and the
> >> number is growing each year. In the last National CSIRTs meeting,
> >> about 2 weeks ago, there was a very interesting discussion about
> >> the future of National CSIRTs and their role. In this panel there
> >> was an agreement that National CSIRTs are teams whose constituency
> >> are networks/organizations/assets of National importance, and that
> >> the number of such teams tend to increase.
> >>
> >> I would like to share some examples of National CSIRTs that are
> >> operated by different stakeholders -- note that the focus of the
> >> information is to give examples of different hosting organization,
> >> not the constituency served by each team:
> >>
> >> - CERT.br - is operated by NIC.br, a not for profit organization that
> >> implements the decisions and projects defined by the Brazilian
> >> Internet Steering Committee - CGI.br. And CGI.br is the
> >> multi-stakeholder internet governance body in Brazil. All funding
> >> comes from <.br> domain name registration.
> >>
> >> - CERT.PL (previously CERT Polska) - is operated by NASK (Research and
> >> Academic Computer Network), a research institute which conducts
> >> scientific studies, operates the national .pl domain registry and
> >> provides advanced IT services.
> >>
> >> - JPCERT/CC - is an independent non-profit organization.
> >>
> >> - CARICERT - is sponsored by the Curaçao Bureau Telecommunication and
> >> Post (BT&P).
> >>
> >> - Egyptian CERT - is operated by the Ministry of Communications and
> >> Information Technology.
> >>
> >> - CERT-EE - operated by the Estonian Information System Authority
> >> (RIA), a subdivision of the Estonian Ministry of Economic Affairs
> >> and Communications.
> >>
> >> A more complete list of CSIRTs that have responsibility for an
> >> economy or a country can be found here:
> >> http://cert.org/incident-management/national-csirts/national-csirts.cfm
> >>
> >> I'll not make this e-mail even longer, but there are CSIRTs in many
> >> different organizations, with different missions and services. The
> >> most important of all is that these CSIRTs work in cooperation to
> >> make the Internet more stable and secure. A list of teams that are
> >> members of FIRST (the Forum of Incident Response and Security
> >> Teams) can be found here: http://first.org/members/teams
> >>
> >> I personally think the work of the CERT BPF is a great opportunity
> >> for us all to share experiences, best practices, questions, case
> >> studies, but most of all it is a great opportunity for us to
> >> identify challenges and try to find a way to start answering the
> >> open questions.
> >>
> >>
> >> Best regards,
> >> Cristine
> >>
> >> --
> >> Cristine Hoepers, D.Sc.
> >> General Manager
> >> CERT.br/NIC.br
> >> http://www.cert.br/
> >>
> >> _______________________________________________
> >> Bp_certs mailing list
> >> Bp_certs at intgovforum.org
> >> http://mail.intgovforum.org/mailman/listinfo/bp_certs_intgovforum.org
>
>