[Bp_cybersec_2016] Proposal for the cybersecurity BPF goal and topic

Jerome Athias athiasjerome at gmail.com
Mon Jun 27 11:02:37 EDT 2016


Greetings

I think that this report could give some ideas.

https://www.ourinternet.org/report

Best regards

On Tuesday, 21 June 2016, Maarten Van Horenbeeck <maarten at first.org> wrote:

> Hi Marilyn, Neil,
>
> Thanks for the thoughts and great suggestions. I agree that there's value
> in identifying programs where SME's can support end user awareness.
>
> One issue I'm a bit concerned about is making this group try to "boil the
> ocean". There's thousands of potential effective programs that can be stood
> up, but it's very difficult to be comprehensive if we go that route.
>
> The reason "cooperation" is such an appealing topic, is because we can
> focus on projects that require multiple stakeholders to be involved and
> coordinate their efforts.
>
> Many projects may need to be executed by only a single party. Those are
> probably too numerous for us to discuss in the BPF. Other projects, though,
> require strong communication and cooperation to exist between multiple
> stakeholder groups. If we can gather ideas on what those types of projects
> are, identify stakeholders from different groups that were involved, and
> document how they cooperated, that would be really valuable.
>
> This becomes particularly helpful as we move across the world, and make it
> less centric on just one part of the world. In the CSIRT BPF, with support
> of Wout, we reached out to a couple of stakeholders individually and asked
> them to describe some of the things they did that were successful and
> helpful -- we ended up including case studies of KISA's Cyber Cleaning
> Centre and National DDoS shelter, a case study from SWITCH-CERT, and a case
> study on coordinated disclosure.
>
> The outcome would be a resource that helps:
>
>    - policy makers understand what the roles and responsibilities of each
>    of the groups are, and how to design policy that supports them working
>    better together;
>    - individual stakeholders understand better what their tools are to
>    connect with the rest of the community.
>
> Thanks again for the great discussion so far.
>
> Cheers,
>
> Maarten
> Director, FIRST
>
>
> On Tue, Jun 21, 2016 at 5:58 AM, Marilyn Cade <marilynscade at hotmail.com> wrote:
>
>>
>> I do understand, Neil, as I have a rather extensive history of work in
>> this area, and in the engagement of the experts. However, NOT sure that
>> you understood my reference to SMEs, who are in the millions around the
>> world.
>>
>> Perhaps I was not too coherent.
>>
>> Hope you forgive me.
>> M
>>
>> ------------------------------
>> From: neil at cauce.org
>> Date: Tue, 21 Jun 2016 05:52:22 -0700
>> To: bp_cybersec_2016 at intgovforum.org
>>
>> Subject: Re: [Bp_cybersec_2016] Proposal for the cybersecurity BPF goal
>> and topic
>>
>> Hi,
>>
>> I’m sorry, but I disagree, strongly, with much if any at all user focus
>> to our work.
>>
>> At this point in time, all the attacks I see are of a technical nature;
>> the capacity for an end-user to protect themselves is almost negligible
>> these days.
>>
>> Spam, phish and malware distribution is based on vulnerabilities in
>> software such as WordPress, or other commercial site compromises. The
>> *vast* majority of unwanted communication comes no longer from hacked
>> home computers but dedicated servers (compromised as well) at hosting
>> companies, or by way of hijacked IP space. There is nothing an end user can
>> do to mitigate that.
>>
>> Passwords? They don’t matter when firms who hold them continually get
>> hacked, their user databases stolen and exploited (admittedly the one bit
>> of advice I give to end users is to use discrete passwords for every site
>> they engage with).
>>
>> The big win is when we get organizations and enterprises, governments and
>> commercial entities to step up to industry standards, such as BCP38 to avoid
>> DNS amplification attacks, or force compromised entities to report breaches.
>>
>> As someone whose organization, cauce, is the oldest end-user advocacy
>> group on the Internet, I believe I’m in a unique position to say end-user
>> education, which we did for decades is a feel-good for government, but
>> ultimately almost entirely useless (yes, we’ve turned 180 degrees in our
>> position on this).
>>
>> The real win to protect end-users is to regulate*, fully implement
>> *existing* best practices, and create law to force those caretakers of
>> our data to protect our privacy and treat PII in a respectful manner, and
>> punish those who abuse it.
>>
>> There will doubtlessly be examples of ‘yes but, if an end-user does this
>> it will fix things’ and they may be right. But again, if we want massive
>> wins, using what M3AAWG/London Action Plan/CAUCE has outlined repeatedly in
>> our omnibus best practice documents, the current state of affairs would not
>> be so dismal.
>>
>> * Industry self-regulation has been an utter failure (look at marketers
>> self-regulating in Brazil and the U.S., and many other places for examples
>> of that).
>>
>> respectfully,
>>
>>
>> Neil Schwartzman
>> Executive Director
>> Coalition Against Unsolicited Commercial Email
>> http://cauce.org
>> Tel : (303) 800-6345
>> Twitter : @cauce
>>
>>
>>
>>
>> On Jun 21, 2016, at 5:29 AM, Marilyn Cade <marilynscade at hotmail.com> wrote:
>>
>> I am both supportive, and perhaps, wanting a bit more.
>>
>> It is important to deal with the problems. It is also important to
>> prevent problems.
>> Thus, I think that this group should consider a two-pronged approach:
>>
>> Remediation and Prevention/early intervention:
>>
>> Users are the most vulnerable, and the most under-informed, and thus
>> sometimes add to, create, or are the source of vulnerabilities. Malicious
>> attacks are receiving focused intervention. BUT, users, whether they are
>> SMEs, or individual users, could benefit from more attention.
>>
>> This could be a sub theme in the Cooperation between stakeholders, where
>> both governmental agencies, or commercial suppliers highlight the kind of
>> user support/education/interventions that they provide, that might be
>> leveraged across SG or considered by developing countries for relevance.
>>
>> Example:  program to teach children about the importance of strong
>> passwords, and how they can coach their parents
>> Example:  program by the mobile providers and handset providers to simply
>> 'keeping your data safe online'
>> Example: Community outreach programs supported by governmental agencies
>> at the sub national level to reach SMEs and NGOs
>>
>>
>>
>> ------------------------------
>> From: ilishebo at gmail.com
>> Date: Tue, 21 Jun 2016 08:31:16 +0200
>> To: maarten at first.org
>> Subject: Re: [Bp_cybersec_2016] Proposal for the cybersecurity BPF goal
>> and topic
>> CC: bp_cybersec_2016 at intgovforum.org
>>
>> Maarten,
>>
>> Well elaborated and I hope we go for this suggested route...
>>
>>
>>
>> Michael L. Ilishebo,
>> Kitwe, Zambia
>> Mobile Contacts: +260965361255, +260977361255, +260955361255
>> Social Media Handles
>> Twitter: @ilishebo
>> Skype: michael.ilishebo
>>
>> "walk a mile, for a while, with a smile"
>>
>> On Tue, Jun 21, 2016 at 3:04 AM, Maarten Van Horenbeeck <maarten at first.org> wrote:
>>
>> Hi everyone,
>>
>> Earlier this week, at the FIRST conference in Seoul, some of us had a
>> discussion around opportunities for focus in this BPF. We wanted to propose
>> a way forward of getting this BPF to contribute most to the wider
>> multi-stakeholder community.
>>
>> Reviewing the outcomes of the spam and CSIRT Best Practices Forums over
>> the last two years, we believe the cybersecurity BPF would most benefit
>> from addressing cooperation between stakeholder groups as a topic.
>>
>> One of the lessons we learned during our work on the BPF on “Computer
>> Security Incident Response Teams” was that it attracted a fairly narrow
>> audience, mostly engineers working on technical issues. While CSIRT teams
>> in most cases find agreement within their community, there were significant
>> communication issues when engaging with other stakeholder groups, in
>> particular policy makers, civil society, but also law enforcement and even
>> industry.
>>
>> During the BPF, we managed to gain consensus on what makes the community
>> more effective at communicating.
>>
>> We believe that the community would benefit from having a
>> multi-stakeholder discussion, including each of the major IGF stakeholder
>> groups, on how to engage and communicate with each other on cyber security
>> issues. This would support the Internet Governance Principles laid out at
>> the NETmundial Statement, that recognize that "Effectiveness in addressing
>> risks and threats to security and stability of the Internet depends on
>> strong cooperation among different stakeholders".
>>
>> More concretely, this process would consist of:
>>
>>    - Defining the typical roles and responsibilities of each of the
>>    stakeholder groups in making the internet a secure and safe place for
>>    people to socialize and conduct business;
>>
>>
>>    - Identifying the typical communication mechanisms between
>>    stakeholder groups to discuss cybersecurity related concerns;
>>
>>
>>    - Collecting a set of successful case studies on existing
>>    communication between stakeholder groups that has helped improve
>>    cybersecurity.
>>
>>
>> In order to be effective, we will need to recruit an appropriate number
>> of representatives from each stakeholder group that have an interest in
>> participating. During the CSIRT BPF, we had significant success reaching
>> out 1:1 to stakeholders, and inviting them to participate in our meeting in
>> Brazil. We’d propose a similar step to gain acceptance.
>>
>> Today, the word “cybersecurity” is often loaded with context, and many
>> organizations associate it with government decision making, or commercial
>> security solutions. Within the IGF, we have an opportunity to redefine
>> cybersecurity as a common goal between all stakeholders, and getting to a
>> good definition of what cooperation should look like.
>>
>> The final product paper could, just as the BPF on CSIRT did, help to
>> inform each of the constituencies on the roles of other stakeholders, and
>> identify appropriate methods of communicating and discussing difficult
>> security issues.
>>
>> We're happy to discuss this proposal further during the next call.
>>
>> Best regards,
>>
>> Andrew Cormack, *Jisc*
>> Adli Wahid, *FIRST*
>> Cristine Hoepers, *CERT.br/NIC.br*
>> Peter Cassidy, *Anti-Phishing Working Group (APWG)*
>> Maarten Van Horenbeeck, *FIRST*
>> Serge Droz, *FIRST*
>>
>> _______________________________________________
>> Bp_cybersec_2016 mailing list
>> Bp_cybersec_2016 at intgovforum.org
>> http://intgovforum.org/mailman/listinfo/bp_cybersec_2016_intgovforum.org
>>
>>
>>
>