[Bp_cybersec_2016] Proposal for the cybersecurity BPF goal and topic
Maarten Van Horenbeeck
maarten at first.org
Mon Jun 20 21:04:10 EDT 2016
Hi everyone,
Earlier this week, at the FIRST conference in Seoul, some of us had a
discussion around opportunities for focus in this BPF. We wanted to propose
a way forward of getting this BPF to contribute most to the wider
multi-stakeholder community.
Reviewing the outcomes of the spam and CSIRT Best Practices Forums over the
last two years, we believe the cybersecurity BPF would most benefit from
addressing cooperation between stakeholder groups as a topic.
One of the lessons we learned during our work on the BPF on “Computer
Security Incident Response Teams” was that it attracted a fairly narrow
audience, mostly engineers working on technical issues. While CSIRT teams
in most cases find agreement within their community, there were significant
communication issues when engaging with other stakeholder groups, in
particular policy makers, civil society, but also law enforcement and even
industry.
During the BPF, we managed to gain consensus on what makes the community
more effective at communicating.
We believe that the community would benefit from having a multi-stakeholder
discussion, including each of the major IGF stakeholder groups, on how to
engage and communicate with each other on cyber security issues. This would
support the Internet Governance Principles laid out at the NETmundial
Statement, that recognize that "Effectiveness in addressing risks and
threats to security and stability of the Internet depends on strong
cooperation among different stakeholders".
More concretely, this process would consist of:
- Defining the typical roles and responsibilities of each of the
stakeholder groups in making the internet a secure and safe place for
people to socialize and conduct business;
- Identifying the typical communication mechanisms between stakeholder
groups to discuss cybersecurity related concerns;
- Collecting a set of successful case studies on existing communication
between stakeholder groups that has helped improve cybersecurity.
In order to be effective, we will need to recruit an appropriate number of
representatives from each stakeholder group that have an interest in
participating. During the CSIRT BPF, we had significant success reaching
out 1:1 to stakeholders, and inviting them to participate in our meeting in
Brazil. We’d propose a similar step to gain acceptance.
Today, the word “cybersecurity” is often loaded with context, and many
organizations associate it with government decision making, or commercial
security solutions. Within the IGF, we have an opportunity to redefine
cybersecurity as a common goal between all stakeholders, and to get to a
good definition of what cooperation should look like.
The final product paper could, just as the BPF on CSIRT did, help to inform
each of the constituencies on the roles of other stakeholders, and identify
appropriate methods of communicating and discussing difficult security
issues.
We're happy to discuss this proposal further during the next call.
Best regards,
Andrew Cormack, *Jisc*
Adli Wahid, *FIRST*
Cristine Hoepers, *CERT.br/NIC.br*
Peter Cassidy, *Anti-Phishing Working Group (APWG)*
Maarten Van Horenbeeck, *FIRST*
Serge Droz, *FIRST*