[Bp_certs] About types of CERTs

Andrew Cormack Andrew.Cormack at ja.net
Thu Jul 31 03:51:37 EDT 2014


> -----Original Message-----
> From: Cristine Hoepers [mailto:cristine at cert.br]
> Sent: 25 July 2014 16:33
> To: Andrew Cormack
> Cc: Gaus; bp_certs at intgovforum.org
> Subject: Re: [Bp_certs] About types of CERTs

> For the NETMundial I helped to write a contribution that was pretty
> much a survey of existing cooperation initiatives in security and
> incident handling, with the intent to show that there is no "miracle
> solution", and that we have a lot of initiatives to take into
> consideration, instead of creating new forums.  If anyone is
> interested:
> 
> - The Importance of a Multistakeholder Approach to Cybersecurity
>   Effectiveness
> - Entitled by: Cristine Hoepers, Klaus Steding-Jessen, Henrique
>   Faulhaber
> - Organization: Brazilian Internet Steering Committee - CGI.br
> http://content.netmundial.br/contribution/the-importance-of-a-multistakeholder-approach-to-cybersecurity-effectiveness/180

Cristine
Good paper, thanks for the reference.

In return, here's the blog post I did a couple of years ago on the risks of having laws that make some CERTs (typically "national" ones) "special":

https://community.ja.net/blogs/regulatory-developments/article/government-certs-and-information-sharing

The specific references are to European law, but I think the conclusion that "special" status can actually reduce the amount of information that others share with you, is general. And comes back to Patrik's point whether those you need to provide you with information can trust you to use it properly. That seems to me especially critical for CERTs that are supposed to have a nationwide view of threats but don't actually have their own network to monitor to see what is going on.

Andrew
--
Andrew Cormack
Chief Regulatory Adviser, Janet
t: +44 1235 822302
b: https://community.ja.net/blogs/regulatory-developments
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is
registered in England under No.2881024 and whose Registered Office is at Lumen House, Library
Avenue, Harwell Oxford, Didcot, Oxfordshire, OX11 0SG. VAT No. 614944238

> There are 2 other contributions that also brought about cooperation,
> FIRST, MAAWG, etc:
> 
> - Towards an open, free and robust Internet for the future
> - Entitled by: Walid Al-Saqaf
> - Organization: ISOC-Yemen
> http://content.netmundial.br/contribution/towards-an-open-free-and-robust-internet-for-the-future/115
> 
> - Google Submission for NET mundial Conference
> - Entitled by: Ross LaJeunesse
> - Organization: Google Inc.
> http://content.netmundial.br/contribution/google-submission-for-netmundial-conference/147
> 
> 
> > > How is your 2) different if we consider a CERT in an academic
> > > world? We have many teams calling themselves academic but they
> > > provide different services to its constituency. So we should
> > > then do the same for them as we want to do for "national CERTs".
> >
> > No - because "academic CERT" does roughly define the
> > constituency. "National CERT" doesn't. So the latter need more help.
> 
> Agree -- and I would like to add here, as anecdotes, phrases I heard
> in the past few years, while talking to policy makers in ITU, OAS and
> IGF meetings (this is a mix of comments from people from all continents,
> from developed and developing countries):
> 
>  "What is the value of a CERT if you can't arrest anyone?"
>   -- a country representative in a delegation, at a meeting about
>      establishing Cooperation among CERTs
> 
>  "How can you, as a National Team, work if you can't screen all the
>   traffic that comes in and out of your country?"
>   -- a prospective "national CERT" manager, while trying to learn more
>      about CERT.br services in the process of establishing his team
> 
>  "So your staff is not made of Police Agents and Forensic Experts?"
>   -- the same prospective manager
> 
>  "National CERTs should only be called so if they are part of a
>   national Defense Capability and are able to stop attacks"
>   -- High ranking Military in a meeting about establishing Cyber
>   Commands
> 
> 
> > > I am afraid that I still do not see a magic in attaching a word
> > > "national" to a team (unless you get a big budget and _that_
> > > would be magical indeed).
> >
> > Nor do I. But there are lots of them popping up, serving lots of
> > different constituencies, and that's confusing, maybe dangerously
> > so.
> 
> I agree with Andrew -- I don't care how people call me or other teams.
> But I care that the name is being misused either by innocence or by
> specific agendas.
> 
> 
> > > I do understand that every government would like to have a team
> > > that they own and control. They would also like it to be the most
> > > prominent in a country and by attaching "national" to it they
> > > hope to achieve that goal. That is perfectly understandable and
> > > fine. But I still fail to see why national teams are so special
> > > that we need to focus on them specifically.
> 
> They are being asked to create teams with this name.  And, to add to
> confusion, International organizations are confused as to why different
> countries have different structures, and teams at different
> organizations.  Some private, some not for profit, some in the
> government.
> 
> IMHO this happens mainly because different countries have different
> cultures, different political regimes, and more important, they
> establish the teams where there is expertise, funding, and trust from
> the community.
> 
> But some are feeling the need to have a "template" for teams with
> national responsibility.  Having a document that shows that the world
> is more complex and that diversity is good, would not be a bad idea.
> 
> 
> > > The point I am trying to make is that (to me) "national CERT"
> > > is not a special type of a team. It is just the same as any other
> > > CERT. Obviously I have not read all papers published on this
> > > topic but I am pretty sure that if you would remove words
> > > "national" and "government" from them that you would end up
> > > with a document that can be used to establish a CERT in a
> > > non-profit organization or a bank.
> 
> Not quite, more below.
> 
> 
> > With the exception of "CERT-of-last-resort", which I think *is* a
> > different service, then I mostly agree. They may be more likely to
> > have special relationships with police/legislators/security
> > services, though.
> 
> Agreed -- but more and more, teams with national responsibility are
> assuming different ways of being coordination teams.
> 
> > > I am not against that a team calls itself "national CERT" but
> > > when we are creating best practices why we would not make them
> > > universal instead of trying to constrain ourselves to a niche
> > > which (to me) is virtual.
> >
> > Because the term "national cert" is moving from confusing to
> > downright misleading.
> 
> I can't agree more.
> 
> > I hate to think how many hours I've wasted on discussions about
> > "security" when no one actually defined what they meant by that
> > term. To my mind "national CERT" has nearly as much potential for
> > misunderstandings :(
> 
> You have no idea how comforting it is to know that I'm not alone!
> 
> Cheers,
> Cristine
> 
> > Andrew
> >
> > > Thanks,
> > >
> > > Gaus
> > >
> > >
> > >
> > >
> > > >
> > > > Andrew
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Bp_certs [mailto:bp_certs-bounces at intgovforum.org] On Behalf Of Damir Rajnovic
> > > > > Sent: 25 July 2014 08:31
> > > > > To: bp_certs at intgovforum.org
> > > > > Subject: Re: [Bp_certs] About types of CERTs
> > > > >
> > > > > Hi all,
> > > > >
> > > > > It seems to me that I have joined mid-stream into this thread
> > > > > a few days ago so I am probably missing the initial context.
> > > > >
> > > > > This is a fascinating discussion but I have one very simple
> > > > > question which is about importance of being "national CERT"?
> > > > > (sorry, could not help myself)
> > > > >
> > > > > A team can call itself whatever they like - national, CNI,
> > > > > semi-national or Exalted CERT for Official Monster Raving Loony
> > > > > Party - all that it matters is what is their constituency. If
> > > > > an incident involves that constituency (or a subset of it),
> > > > > then that team is who you need.
> > > > >
> > > > > I can understand that for the team itself there might be a
> > > > > significance if it can attach a specific title to itself because
> > > > > then the team can get more funding or prestige. But is that
> > > > > really what is important? We can certainly list all known
> > > > > names and we can invent a few more but what is the end goal?
> > > > >
> > > > > Thank you,
> > > > >
> > > > > Gaus
> > > > >
> > > > > On Thu, Jul 24, 2014 at 05:29:02PM +0000, Andrew Cormack wrote:
> > > > > > And to those trying to reach out to a particular CSIRT role in
> > > > > > another country. In theory you should be able to tell the
> > > > > > difference from the 'constituency' definition in RFC2350, but
> > > > > > I suspect it'd be easier to have distinct names for each role
> > > > > > so that 'national CERTs' could flag up which they were.
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > ==============
> > > > > Damir Rajnovic <gausix at gmail.com>
> > > > > Telephone: +44 7825 049 500
> > > > > ==============
> > > > > There are no insolvable problems.
> > > > > The question is can you accept the solution?
> > > > >
> > > > >
> > > > > Incident Response and Product Security
> > > > > http://www.ciscopress.com/bookstore/product.asp?isbn=1587052644
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > Bp_certs mailing list
> > > > > Bp_certs at intgovforum.org
> > > > >
> > >
> http://mail.intgovforum.org/mailman/listinfo/bp_certs_intgovforum.org
> > >
> >
> >