[Bp_cybersec_2016] Proposal for the cybersecurity BPF goal and topic
Maarten Van Horenbeeck
maarten at first.org
Tue Jun 21 10:33:53 EDT 2016
Hi Marilyn, Neil,
Thanks for the thoughts and great suggestions. I agree that there's value
in identifying programs where SMEs can support end user awareness.
One issue I'm a bit concerned about is making this group try to "boil the
ocean". There are thousands of potentially effective programs that can be stood
up, but it's very difficult to be comprehensive if we go that route.
The reason "cooperation" is such an appealing topic is that we can
focus on projects that require multiple stakeholders to be involved and
coordinate their efforts.
Many projects may need to be executed by only a single party. Those are
probably too numerous for us to discuss in the BPF. Other projects, though,
require strong communication and cooperation to exist between multiple
stakeholder groups. If we can gather ideas on what those types of projects
are, identify stakeholders from different groups that were involved, and
document how they cooperated, that would be really valuable.
This becomes particularly helpful as we move across the world, and make it
less centric on just one part of the world. In the CSIRT BPF, with support
of Wout, we reached out to a couple of stakeholders individually and asked
them to describe some of the things they did that were successful and
helpful -- we ended up including case studies of KISA's Cyber Cleaning
Centre and National DDoS shelter, a case study from SWITCH-CERT, and a case
study on coordinated disclosure.
The outcome would be a resource that helps:
- policy makers understand what the roles and responsibilities of each
of the groups are, and how to design policy that supports them working
better together;
- individual stakeholders understand better what their tools are to
connect with the rest of the community.
Thanks again for the great discussion so far.
Cheers,
Maarten
Director, FIRST
On Tue, Jun 21, 2016 at 5:58 AM, Marilyn Cade <marilynscade at hotmail.com>
wrote:
>
> I do understand, Neil, as I have a rather extensive history of work in
> this area, and in the engagement of the experts. However, NOT sure that
> you understood my reference to SMEs, who are in the millions around the
> world.
>
> Perhaps I was not too coherent.
>
> Hope you forgive me.
> M
>
> ------------------------------
> From: neil at cauce.org
> Date: Tue, 21 Jun 2016 05:52:22 -0700
> To: bp_cybersec_2016 at intgovforum.org
>
> Subject: Re: [Bp_cybersec_2016] Proposal for the cybersecurity BPF goal
> and topic
>
> Hi,
>
> I’m sorry, but I disagree, strongly, with much if any at all user focus to
> our work.
>
> At this point in time, all the attacks I see are of a technical nature;
> the capacity for an end-user to protect themselves is almost negligible
> these days.
>
> Spam, phish and malware distribution is based on vulnerabilities in
> software such as WordPress, or other commercial site compromises. The
> *vast* majority of unwanted communication comes no longer from hacked
> home computers but dedicated servers (compromised as well) at hosting
> companies, or by way of hijacked IP space. There is nothing an end user can
> do to mitigate that.
>
> Passwords? They don’t matter when the firms that hold them continually get
> hacked, their user databases stolen and exploited (admittedly, the one bit
> of advice I give to end users is to use discrete passwords for every site
> they engage with).
>
> The big win is when we get organizations and enterprises, governments and
> commercial entities to step up to industry standards, such as BP38 to avoid
> DNS amplification attacks, or force compromised entities to report breaches.
>
> As someone whose organization, CAUCE, is the oldest end-user advocacy
> group on the Internet, I believe I’m in a unique position to say end-user
> education, which we did for decades, is a feel-good for government, but
> ultimately almost entirely useless (yes, we’ve turned 180 degrees in our
> position on this).
>
> The real win to protect end-users is to regulate*, fully implement
> *existing* best practices, and create law to force those caretakers of
> our data to protect our privacy and treat PII in a respectful manner, and
> punish those who abuse it.
>
> There will doubtlessly be examples of ‘yes but, if an end-user does this
> it will fix things’ and they may be right. But again, if we want massive
> wins, using what M3AAWG/London Action Plan/CAUCE has outlined repeatedly in
> our omnibus best practice documents, the current state of affairs would not
> be so dismal.
>
> * Industry self-regulation has been an utter failure (look at marketers
> self-regulating in Brazil and the U.S., and many other places for examples
> of that).
>
> respectfully,
>
>
> Neil Schwartzman
> Executive Director
> Coalition Against Unsolicited Commercial Email
> http://cauce.org
> Tel : (303) 800-6345
> Twitter : @cauce
>
>
>
>
> On Jun 21, 2016, at 5:29 AM, Marilyn Cade <marilynscade at hotmail.com>
> wrote:
>
> I am both supportive, and perhaps, wanting a bit more.
>
> It is important to deal with the problems. It is also important to prevent
> problems.
> Thus, I think that this group should consider a two pronged approach:
>
> Remediation and Prevention/early intervention:
>
> Users are the most vulnerable, and the most under informed and thus
> sometimes add to, create, or are the source of vulnerabilities. Malicious
> attacks are receiving focused intervention. BUT, users, whether they are
> SMEs, or individual users, could benefit from more attention.
>
> This could be a sub theme in the Cooperation between stakeholders, where
> both governmental agencies, or commercial suppliers highlight the kind of
> user support/education/interventions that they provide, that might be
> leveraged across SG or considered by developing countries for relevance.
>
> Example: program to teach children about the importance of strong
> passwords, and how they can coach their parents
> Example: program by the mobile providers and handset providers to simply
> 'keeping your data safe online'
> Example: Community outreach programs supported by governmental agencies at
> the sub national level to reach SMEs and NGOs
>
>
>
> ------------------------------
> From: ilishebo at gmail.com
> Date: Tue, 21 Jun 2016 08:31:16 +0200
> To: maarten at first.org
> Subject: Re: [Bp_cybersec_2016] Proposal for the cybersecurity BPF goal
> and topic
> CC: bp_cybersec_2016 at intgovforum.org
>
> Maarten,
>
> Well elaborated and I hope we go for this suggested route...
>
>
>
> Michael L. Ilishebo,
> Kitwe, Zambia
>
> Mobile Contacts: +260965361255, +260977361255, +260955361255
>
> Social Media Handles
> Twitter: @ilishebo
> Skype: michael.ilishebo
>
> "walk a mile, for a while, with a smile"
>
> On Tue, Jun 21, 2016 at 3:04 AM, Maarten Van Horenbeeck <maarten at first.org> wrote:
>
> Hi everyone,
>
> Earlier this week, at the FIRST conference in Seoul, some of us had a
> discussion around opportunities for focus in this BPF. We wanted to propose
> a way forward of getting this BPF to contribute most to the wider
> multi-stakeholder community.
>
> Reviewing the outcomes of the spam and CSIRT Best Practices Forums over
> the last two years, we believe the cybersecurity BPF would most benefit
> from addressing cooperation between stakeholder groups as a topic.
>
> One of the lessons we learned during our work on the BPF on “Computer
> Security Incident Response Teams” was that it attracted a fairly narrow
> audience, mostly engineers working on technical issues. While CSIRT teams
> in most cases find agreement within their community, there were significant
> communication issues when engaging with other stakeholder groups, in
> particular policy makers, civil society, but also law enforcement and even
> industry.
>
> During the BPF, we managed to gain consensus on what makes the community
> more effective at communicating.
>
> We believe that the community would benefit from having a
> multi-stakeholder discussion, including each of the major IGF stakeholder
> groups, on how to engage and communicate with each other on cyber security
> issues. This would support the Internet Governance Principles laid out at
> the NETmundial Statement, that recognize that "Effectiveness in addressing
> risks and threats to security and stability of the Internet depends on
> strong cooperation among different stakeholders".
>
> More concretely, this process would consist of:
>
> - Defining the typical roles and responsibilities of each of the
> stakeholder groups in making the internet a secure and safe place for
> people to socialize and conduct business;
>
>
> - Identifying the typical communication mechanisms between stakeholder
> groups to discuss cybersecurity related concerns;
>
>
> - Collecting a set of successful case studies on existing
> communication between stakeholder groups that has helped improve
> cybersecurity.
>
>
> In order to be effective, we will need to recruit an appropriate number of
> representatives from each stakeholder group that have an interest in
> participating. During the CSIRT BPF, we had significant success reaching
> out 1:1 to stakeholders, and inviting them to participate in our meeting in
> Brazil. We’d propose a similar step to gain acceptance.
>
> Today, the word “cybersecurity” is often loaded with context, and many
> organizations associate it with government decision making, or commercial
> security solutions. Within the IGF, we have an opportunity to redefine
> cybersecurity as a common goal between all stakeholders, and to get to a
> good definition of what cooperation should look like.
>
> The final product paper could, just as the BPF on CSIRT did, help to
> inform each of the constituencies on the roles of other stakeholders, and
> identify appropriate methods of communicating and discussing difficult
> security issues.
>
> We're happy to discuss this proposal further during the next call.
>
> Best regards,
>
> Andrew Cormack, Jisc
> Adli Wahid, FIRST
> Cristine Hoepers, CERT.br/NIC.br
> Peter Cassidy, Anti-Phishing Working Group (APWG)
> Maarten Van Horenbeeck, FIRST
> Serge Droz, FIRST
>
> _______________________________________________
> Bp_cybersec_2016 mailing list
> Bp_cybersec_2016 at intgovforum.org
> http://intgovforum.org/mailman/listinfo/bp_cybersec_2016_intgovforum.org