Second draft report BPF on Establishing and Supporting Computer Security Incident Response Teams (CSIRT ) for Internet Security (2015)

Introduction

This is the second draft report of the Best Practice Forum (BPF or “Forum”) on Establishing and Supporting Computer Security Incident Response Teams (CSIRT) for Internet Security (2015). You are invited to reflect on this draft. The final date for comments is Wednesday 11 November 2015, the day of this BPF’s session in João Pessoa.

This draft report covers the work of the BPF, and as such refers to “this Forum” when citing comments that came out of the working group. The draft report reflects the input delivered to the BPF in combination with the research conducted on behalf of the report. It is in no way meant to be limiting, and the group welcomes feedback, discussion and engagement across the IGF community and beyond. All are invited to join this BPF and to comment on, reflect on or add topics that in their opinion are missing from this report in its current state.

The internet is a global phenomenon, and the topic of cyber security is being addressed by a community of incident responders, policymakers and others across the world. This group can only be successful by developing trust and community between these actors, both inside and outside the IGF community.

This work builds on this BPF’s work in 2014, when the IGF organised a Best Practices Forum around the topic of CSIRT to find current best practices and to identify challenges the community faces. This led to a report published on the IGF website in 2014. The detailed recommendations in that report and the necessity to involve different stakeholders in future actions led the Multistakeholder Advisory Group (MAG) to agree on a continuation of this work and to provide more in-depth analyses and solutions to the challenges at hand. In the past months the Forum discussed how to continue its work in meaningful and additional ways.
This led to consensus on one main, overarching theme: “Misconceptions around the role and responsibilities of a CSIRT”. There is consensus in the Forum that this topic covers many of the challenges identified last year and is deemed the most important one to continue in 2015. It was divided into subthemes, but also brought to light new challenges that are described below. Other themes identified in 2014 have to be discussed outside of this Forum, e.g. within FIRST or at other relevant conferences.

With this choice comes the necessity for other stakeholders, outside of the CSIRT community, to get involved in this discussion, and a different set of questions that need answers. A brief investigation showed that the misconceptions rarely exist within the CSIRT community, but do apply in its interactions with various other stakeholder communities. As last year’s report extensively shows, the definitions of a CSIRT have been established over the years and have been used successfully by the CSIRT built ever since. This implies that the misconceptions lie elsewhere. One reason for misconceptions could be that certain stakeholders have demanded additional tasks from CSIRT that go beyond the traditional tasks and are met with distrust from the “older” CSIRT. In cases like these the constituency of a CSIRT may have changed, as well as, in some cases, its relationship with other CSIRT. These changes may differ for government, academic or commercial CSIRT.

On this basis the Forum decided to do extensive outreach to those involved from different angles: governmental organisations, privacy advocates, NGOs and supranational organisations. Responses were limited, with the notable exception of the Organisation of American States (OAS) and the European Union. This Forum warns that it requires more input from the various stakeholder communities in order to be effective. Serious issues have been raised that are not met in debate at this point in time.
We still have time to change this, working towards and in João Pessoa in November. A key element of this approach will be to get additional involvement from outside of the direct CSIRT community. To do so, the BPF has invited several different stakeholders to join the session and provide input to the draft report. In the meantime the Forum focuses on what it has produced, the topics that come from that, and the questions that need answers.

Finally, that the work of this Forum can have unintended but pleasantly surprising outcomes is shown by input received from Serbia: the recommendations of last year’s report were used as input for the building of a CSIRT in Serbia. You will find more on this below.

The BPF would like to take this opportunity to thank the many individuals who dedicated their time and knowledge working towards this report.

1. Definition of the issue

The idea that there are general misconceptions about what a CSIRT is, and more precisely about what it does, is widespread within the CSIRT community. The effect of these misconceptions, or of the actions taken by “others” on the basis of them, is a loss of trust. This directly affects the effectiveness of CSIRTs, as they exchange information and assist each other during incidents and emergencies on the basis of that elusive term “trust”. As trust is a very personal quality, it is hardly possible to promote it. At best it is possible to describe conditions in which trust is promoted and created. The range of options is literally as wide as having legal agreements specifying standard protocols, to having a talk over a drink or two together at a conference. Trust only comes from personal relations in combination with the reliable delivery of services when a request is made. Nothing much will replace these conditions. No law, no directive, no best practice document can really take its place.
This Forum has reached consensus on the fact that different CSIRT not only serve different constituents and can be embedded within different organisational forms, but also can have very different tasks. As one participant defined it: “The role of CSIRT is defined by the parent organization and CSIRT should perform duties as they are given to it”. As a result a CSIRT could function within the military, a university, a company, a regulatory office, an anti-terrorism organization, etc. What complicates matters is not only that the informal exchange of data becomes harder; there may be totally different laws involved. The same goes for the idea of a “neutral” CSIRT. Every CSIRT has a constituency and is financed by an organization, which makes true neutrality hard to achieve.

Recently the topic of cyber war has risen to more prominence. Richard Stiennon’s book covers this topic, as does Bruce Schneier in an interview titled ‘We're in early years of a cyber arms race’. This Forum points to these publications because they lead to an important question: what is the role of a CSIRT in a politically motivated hack, a cyber conflict or worse? Schneier states that current targets are not nations’ vital infrastructures but companies, what he calls “soft targets”. From his personal point of view he provides the example of the Sony attack, on which he is quoted: “Many of us, including myself, were sceptical for several months. By now it does seem obvious that it was North Korea, as amazing as that sounds”. He mentions Stuxnet as an example of how hard it is to prove who is behind an attack or intrusion. Given the fact that nowadays nation states aggressively use vulnerabilities in the software or defence systems of the attacked party, CSIRT automatically become involved to some degree.
Any organization, with or without a CSIRT at hand, becomes involved when under attack or intruded upon, and will need to cooperate with (other) CSIRT and security companies to mitigate the attack or intrusion. The EU NIS directive even obliges critical infrastructure organisations to do so. The question may be whether this is enough, given the almost daily disclosure of privacy sensitive data on the internet through hacks of systems. This is reiterated by Marc Goodman in his book Future Crimes. “This silence [i.e. not reporting incidents] is at the very heart [of] our cyber-security problems”, he states. The result being that “these incidents cannot be aggregated and studied, common defences are not developed, and perpetrators roam free to attack another day”. Goodman advocates that admitting a cyber problem is the first step towards getting better.

In what way are incidents or emergencies like these responsible for the way CSIRT are viewed from outside their own community? Do incidents like these give rise to viewing CSIRT differently? But also, what are the incentives to report incidents and emergencies?

The issue of misconception displays a lack of trust in (the intentions, ideas or actions of) “other entities”, the basis of which could lie in many factors. Many questions come with this theme, some of which are not always addressed in a direct way. In certain cases, negative ramifications may be perceived when addressing these uncertainties directly. However, these are questions that need to be addressed in order to create a basis that may restore confidence in each other and in the “other entities”. The fact is that the exact roles of a CSIRT are a prominent concern of many governments, CSIRT and international organizations, a prime example being the OECD report on CSIRT statistics. A whole chapter of that report focuses on what a CSIRT is, aimed at policymakers, before it turns to the main topic of the report.
The Global Public Private Institute published a paper in April 2015 called ‘CSIRT basics for policy makers. The history, types and culture of CSIRT’, which was co-sponsored by the European Commission and the Netherlands Ministry of Foreign Affairs. This Forum agrees that this is a sound approach. If CSIRT are involved in more general policy debates, they could stress every time that an explanation of what CSIRT are and do is included in the final paper. This way more people learn, directly by participation and indirectly by reading.

An anecdotal account from one country’s participant illustrates that there can be deep mistrust between the (commercial) organisations that would benefit from cooperation with the national CSIRT and the CSIRT itself. This stems from the fact that in this case the national CSIRT works under the office of the national security advisor. This office is aligned with state security and law enforcement. The question is put how to work on building trust in countries where this type of alignment is common. Of course, each government has its own reasons for positioning a CSIRT in a particular way. There is room to improve the overall trust situation by identifying the common rationale behind CSIRT development, and understanding which relative level of distrust appears in each model.

National CSIRT were discussed extensively in last year’s report. As one contributor sums up this year: “There is no right or wrong about who hosts a National CSIRT, or which services it should provide. From experience, each country will need to identify what works best in its case, as well as consider other issues like services, funding, local internet governance structure and cultural issues, among other factors that might impact the decision”. Clearly a government has the right to make the choice it made.
If it reaches its own objectives, then it could be considered a success domestically, except for the fact that it may not reach objectives that it could have reached in different circumstances. There may be serious unintended effects, or even well calculated effects, on cooperation. It is important that government and policy decision makers are aware of these ramifications prior to making these important decisions, and the Forum sees a role for the BPF effort to contribute.

It all starts, however, with what a CSIRT is, what it does, for whom and with what. These topics were comprehensively addressed last year. For now we will suffice with the given description of a CSIRT: “…there is a consensus that a CSIRT is a team of experts that responds to computer incidents, coordinates their resolution, notifies its constituents, exchanges information with others and assists constituents with the mitigation of the incident.” Reading it, it shows how carefully this description is worded: “there is consensus”. It suggests that there could be some dissenting opinions, those who have agreed to abide by it and those who decided not to live by it. This is different from when the Forum discussed what a successful CSIRT is: no single answer was given. The misconceptions must stem from the difference between the consensus of those involved in the Forum (so far) and those outside having different interpretations and views.

For one, this situation is not unique. Several national CSIRT work within broader organisations with different tasks, tasks that may be in conflict with the basic functions of CSIRT. It is of utmost importance, so it was advised in the Forum, to separate these broader functions from the CSIRT function, and that those in management positions understand why separation of functions is necessary. This helps clarify what happens with shared data and allows us to measure whether notable positive results come from sharing, which makes cooperation valuable and builds trust.
There are some rules from experience that can assist in building a relationship that works:
- Have a published agreement for how you will (and will not) use information shared with your CSIRT function;
- Demonstrate that you can share information outwards too;
- Be clear and realistic about what information you can use, what you'll use it for, and how that benefits the organisation sharing it with you;
- Make sure you demonstrate that sharing information with you was useful;
- Laws and regulation, as well as certification of organizations and individuals, while not in themselves sufficient to help develop trust, can still be useful to make the behaviour of a CSIRT more predictable.

This mix of measures consists of a formal solution (a signed and published agreement) and informal ones that show good faith and usefulness, and can be a basis from which discussions start. If partners show that they are willing to comply with these rules, there may be a basis to tentatively start preparing for cooperation. On the other hand, distrust may be justified in some cases, and the question to ask oneself in such a case is whether there is a CSIRT or another entity at the table. This is explained more closely in the blogpost ‘Government CERTs and Information Sharing’. If CSIRT have different functions, e.g. investigative and/or enforcement, or fall under a special firm or a different law, information sharing can become harder or even prohibited by law. This leads to very different questions that go well beyond “do I trust you (or not)?”.

This Forum has to look at the ways in which governments, in trying to find ways to make the internet a safer place, have started to redefine what they need a CSIRT for. This may well conflict with older definitions of CSIRT. When a governmental CSIRT scales up from protecting government networks to being seen as a major digital defence line in protecting a country, its tasks change accordingly.
What are the consequences of this policy change, and are these consequences fully understood or unintentional? That governments and other CSIRT in the EU are meant to step up efforts is shown by the intentions of the NIS Directive: “The aim of the proposed Directive is to ensure a high common level of network and information security (NIS) across the EU”. Not only national CSIRT are addressed; anyone operating critical infrastructure is obliged to step up their efforts, including the requirement to “report to competent authorities incidents with a significant impact on core services provided”.

This led to an observation that a clash of cultures might be going on. Not only between different communities, if we stereotype the pony-tailed, t-shirt and flip-flop clad CSIRT personnel versus the suit and tie wearing, formal and reserved policymaker, but also between concepts of the internet: on one side a new level of demands for the protection of economic and national values, and on the other the traditional, more libertarian internet community which values the freedom to tinker and trial new technologies. Beyond that it may (also) be a point of disagreement with the intelligence services and the military. Misconceptions are high between the two, but as someone observed, stating "politicians and lawyers should leave CSIRTs alone, they know what they are doing” when directly asked for input is not helpful. Are there ways to meet on mutual ground and work together from there? At least part of the interest seems the same, looked at from a distance.

Set of questions

In order to come closer to the issue at hand, several questions have been presented to the Forum. The answers, which this report looks at at a later stage, without exception came from the CSIRT community, from the OAS (with CSIRT in mind) and from the European Commission. Despite extensive outreach over the past months, the Forum has not managed to receive much input from other stakeholders.
This seems to imply that there is further opportunity and need for the CSIRT community to investigate how to build trust and engagement outside the community. It also calls for other questions. If it is necessary to interact with these stakeholders in order to be able to keep working as the CSIRT community is used to, it is necessary to identify more specifically what exactly is at stake, and what and who causes a lack of trust through misconceived actions. So, e.g., who are these “other entities” the CSIRT community addresses? What are their actions, and what makes these actions lead to losing trust in sharing vital information in mitigating incidents and emergencies? These are the kind of questions that need answering in order to address those that disturb the CSIRT landscape and, e.g., invite them to the BPF meeting in João Pessoa in November.

Over the months another question became apparent to the Forum: how do we engage other stakeholders? The direct way of alerting stakeholders to the debate and inviting them to participate and share their vision with us did not lead to results. You are invited to share your ideas on how to proceed with this topic.

Sub-themes

CSIRT and privacy

This topic did not lead to input from other stakeholders that could have brought the discussion further. That said, the internal discussion led to some interesting insights. CSIRT work with privacy sensitive data on a daily basis, for instance by learning about compromised computers and ultimately identifying their network owners to allow for remediation. The question is how to use the data, process it, notify those involved, and what to share with other CSIRT and stakeholders involved. All these actions involve decisions on data protection (law). There is consensus among those involved at this stage that security and privacy go hand in hand and that CSIRT work continuously, on a daily basis, to protect the privacy sensitive data of their constituents.
In fact the question is put slightly differently within the CSIRT community: “How are you going to protect privacy and free speech on the Internet *without* a CSIRT to let you know when a malware strain is exfiltrating private data, or who will assist when a (D)DoS attack floods your preferred communications server with unwanted traffic? Neither of those can be done by the end user”. This is part of the misconception of the work CSIRT do, so the CSIRT community argues. Could this be altered by producing a paper “with explanation what kind of information could be given and under which circumstances?”. Confusion is exacerbated as there are so many different law and privacy regimes under which CSIRT operate.

Two other questions were brought forward that may assist in bringing the discussion closer to a satisfactory end:
- What privacy best practices should/could CSIRT adopt and implement?
- What role (if any) can/do CSIRTs play in prevention, mitigation and recovery from incidents involving data breaches?

This also comes forward in the proposition that privacy is often in competition with security. This ought to be the other way around: privacy and security stand together, and CSIRT are key in achieving this. This is a principal argument in the debate within the Forum. It was argued that some entities go beyond security and want to implement control mechanisms. These same entities spread the claim that it is hard to have security if privacy measures are in place. In other words, the outside debate focuses on control vs. privacy. It is obvious that trust issues between these entities and CSIRT are at play.

One solution could be that the term “privacy” has to be abandoned in this debate. Privacy is subjective and means something different to many people, jurisdictions, etc. Data protection, including protecting the confidentiality and distribution of sensitive information, is easier to define in law, and so is a better term for this Forum to use as well.
It was noted that when addressing the public at large, the term “privacy” is better understood, because this is what end users worry about. There is consensus in the Forum that data protection is one of the roles CSIRT have. It seems important to involve Data Protection Commissioners in the debate. It was noted that they often support the work of CSIRT.

At the heart of the matter stands that there is no common data protection law around the world. On top of that, judicial regimes are quite different. This complicates any debate on the topic. The strictest privacy law arguably comes from the European Union. This Forum received an article called ‘Incident Response and Data Protection’ by Andrew Cormack on the decisions that EU CSIRT should consider or make on the basis of the Privacy Directive. The Directive permits the kind of processing that takes place at CSIRT, “provided certain conditions are met. The paper identifies these conditions and suggests measures that CSIRTs may use in planning and performing their activities to satisfy the requirements”. It looks at the matter from several angles and topics and provides potential ways forward. Being from 2011, it may have lost some of its actuality, as the Privacy Directive is about to be renewed and in some instances becomes stricter. The good side is that the work of CSIRT is explicitly mentioned in the Directive:

“The processing of data to the extent strictly necessary for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data, and the security of the related services offered by, or accessible via, these networks and systems, by public authorities, Computer Emergency Response Teams –CERTs, Computer Security Incident Response Teams –CSIRTs, providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. ...”

And: “…This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.”

The contribution from the European Commission to this report underscores our findings: “Privacy in itself is not a limiting factor for the work of CSIRTs, as there are regulatory clauses in the legislation (at least in the EU) which allow CSIRTs to perform their work (incident response, forensics, log analysis) and access private data for the purpose of securing the networks. As for the cooperation with the wider community, in sharing information on vulnerabilities or threats the information can be anonymised and there is in most cases no issue of privacy either”.

Andrew Cormack presented three sensible steps to follow before processing data as a CSIRT: 1) concentrate on the constituency; 2) minimise data and processing; 3) think about information flows. In more practical terms this comes down to choices to be made between the necessity of investigating a threat and the privacy of the individual. A conscious choice, or “a balancing act” as he calls it, between the two assists in providing legitimacy for the ongoing work.
At this point in time there is no final text of the new EU regulation on privacy; this is expected at the end of 2015, with a two year implementation period for the Member States. The fact is that the work of CSIRT is fully recognized and supported under the set conditions. It is the set conditions that need to be crystallized. This could take the form of guidelines or best practices. Incidents, threats and attacks come from beyond the EU as well. What are the best practices or common standards here that have proved to be successful? In conclusion, it is important for all those directly and indirectly involved to understand that “a well-run CSIRT is an essential part of protecting their privacy and security”. Anyone who wants to expand on the topic is invited to do so.

Policy and CSIRT

Part of the misconception debate focuses on the misconceptions that policymakers have concerning the work and tasks of CSIRT. A good, recent summary of these tasks is provided in the recently published OECD report “Guidance for improving the comparability of statistics provided by CSIRT”. It even specifically aims at preventing misconceptions: “Those sections were largely intended for policy-making audiences.” One of the reasons the report was written is the following: “Policy makers are increasingly interested in reliable, trustworthy information about current and historical cybersecurity trends and the effectiveness of digital security risk management measures (“security measures”). Due to CSIRTs’ unique role in the digital ecosystem, there is mounting interest in CSIRT-produced statistics to inform policy making in the area of cybersecurity.” In other words, it is extremely important what policymakers can expect from CSIRT. The question could be to what extent the future work of this OECD working group could also be used in further debating misconceptions. The infrastructure between policymakers and CSIRT is there; the basic work has been done.
The OECD understands the importance of CSIRT and why misconceptions are to be avoided. The question should also be in which other policy processes CSIRT could successfully contribute and influence opinions. In its contribution the European Commission points to the fact that national or governmental CSIRT are in regular contact with policy makers. On influencing policy: “In general terms a country level CSIRT can indeed influence policy by bringing to the attention new threats, new techniques and vulnerabilities and highlight the need (if any) for additional regulation or coordination”. The Commission also points to the fact that policymakers have acknowledged the role of CSIRT in national cyber security strategies and refers this Forum to publications by ENISA and NATO/CCDCOE.

(Supply) chain approaches to cyber security and the role of CSIRT

The security and safety of the internet is becoming a major concern for all stakeholders. If it isn’t yet, it will be soon. CSIRT play a major role in creating a safer and more secure internet. The concept of a (supply) chain approach is regularly discussed in different fora. Part of the solution to botnet mitigation, a topic many CSIRT and other stakeholders are involved in, can only be found by working with the whole chain. The question was posed whether CSIRT could play a more active, perhaps even leading, role in addressing this approach. Prompted by an example from Switzerland, where an active and steering approach has been chosen, the Forum decided to look into the topic more closely and see whether there are other examples and to which results they have led.

An article by the Delft University of Technology underscores the concept of potential influence within the chain. It shows that having an anti-botnet initiative within a country is only one line of defence against malware infections, in this specific case Conficker. This is a conclusion to be expected: disinfection mitigates the result, but does not affect the root causes.
In the longer term, cyber development and capacity building will assist countries with higher infection rates due to a higher use of pirated software. The article continues: “The strong correlation with software piracy suggests that automatic updates and unattended cleanups are some of the strongest tools in our arsenal. It supports policies to enable security updates to install by default, and delivering them to all machines, including those running unlicensed copies”. As the article argues, most infections come from illegal or pirated software.

This is one example of how changing relations or conditions within the supply chain could assist in securing the internet. Of course there are many other root causes. What roles do CSIRT play currently, and are there roles foreseeable within the current mandate of CSIRT that can make a difference but are perhaps under-used? What examples are there of CSIRT working with the supply chain for a higher level of security and safety?

We have a case study from Switzerland:

“Cybercrime is money driven. Thus, making cybercrime more expensive is, besides arresting criminals, one way of reducing cybercrime. CERTs can’t do this on their own any more. Today the value chain in the internet is quite broad, with several service providers such as registrars, hosters, web designers etc. Criminals need infrastructure too. But they typically prefer taking over buying. Today a lot of criminal infrastructure runs on compromised hardware, be this hacked home PCs or hacked (web) servers. SWITCH-CERT has two programs to tackle this issue. Initiated by Team Cymru’s CERT Assistance Program, SWITCH-CERT today processes thousands of IPs from hacked PCs daily. Different sources are aggregated and then distributed to the respective network owners for remediation. Since last year these efforts have been supported by the Swiss Internet Security Alliance.
Its members, banks, ISPs and hosters, coordinate the effort of cleaning infected PCs by providing common help to end users and sharing intelligence. Operating the registry for the ccTLDs .ch and .li, SWITCH works closely with the regulator to create a legal basis to fight the misuse of domain names. The registry now has the power to shut down a domain name if it is used to steal personal information (phishing) or distribute malware. SWITCH today has a comprehensive program, working together with hosters and registrars to solve these issues before blocking. This means that over 80% of all incidents are cleaned up in less than a day. The close collaboration with all involved stakeholders was crucial to the success. We regularly meet with them and discuss how collaboration could be improved. We inform and provide tools to fix the issues. A recent external study, analysing all publicly available information (blacklists etc.), concluded that .ch is the safest open ccTLD. Misconception: CERTs should create awareness. It's important, but it's not clear how efficient it is. Fact: CERTs must work closely and protectively with all stakeholders to be successful.”

Another case study came from KrCERT/CC of the Republic of Korea. KrCERT maintains a number of services that are comprehensive and support their constituency in novel ways which are not common across the CSIRT community. Their description of these services follows:

“The Korean government, i.e. the Ministry of Science, ICT and Future Planning together with the Korea Internet & Security Agency, the mother organization of KrCERT/CC, conducts many reactive and proactive services to respond rapidly to incidents and prevent damage from spreading. The DDoS Shelter Service and the Cyber Curing Service are representative of the government-led reactive services in South Korea. The DDoS Shelter Service has been operated since 2010 to minimize the damage caused by DDoS attacks on businesses that are not fully prepared.
There are a lot of small and medium-size enterprises such as online shopping malls in Korea due to advances in Internet service. Also, it is a fact that some of them haven't been fully equipped to respond to security incidents by themselves. Therefore, the Korean government provides the DDoS Shelter Service for small and medium-size enterprises which cannot respond to DDoS attacks, in order not only to minimize the economic damage to victims and protect their assets, but also to let their customers continue to use the web services without disconnection. However, the DDoS Shelter Service isn't for everyone. Compromised enterprises cannot keep using this service if they suffer the same attack again after a previous DDoS attack. Enterprises, if they have the capability to equip themselves or if they are always a target of DDoS attacks, should protect their customers by their own countermeasures. The government encourages small and medium-size enterprises to improve security awareness and capacity until they are ready to protect their assets and customers.

The Cyber Curing Service aims to directly remove malware from compromised PCs and has been operated since 2011, after the outbreak of a nation-wide internet incident in South Korea. This service is a web browser based notification service with one-time dedicated anti-virus software which targets only one particular malware type. The Korean government developed a notification system which, together with the Korean Internet Service Providers, covers most Korean Internet service subscribers. One vendor can protect its own customers only; however, if the government and the enterprises cooperate closely, we can protect most Korean citizens. The reason we provide the government-led reactive services is that we are responsible for protecting Korean people. We strive to let Korean users use the Internet service without cyber threats, and for enterprises, we guide them so they protect their customers and themselves through raising security awareness.”

These case studies from SWITCH and KrCERT are just two examples of ways that CSIRT have identified to provide extensive, non-standard services to their constituency which materially improve cyber security.

Case studies - ENISA CSIRT – LEA cooperation program

One of the instances where misconceptions on the work of CSIRT come to light is in cooperation between CSIRT and Law Enforcement Agencies (LEAs). ENISA has a program that has now run for a few years, in which the two stakeholder groups meet, learn about each other and the work carried out, and search for ways in which they can cooperate. The program is aimed at a better understanding and the building of trust between the two stakeholder communities. One of the participants gave an overview of the current state of affairs:

“CERTs traditionally combat the effects of cybercrime: they help customers, i.e. their constituency, to quickly recover and resume normal operation after an incident. CERTs typically work informally and with ease across national borders. Law enforcement agencies (LEAs) on the other hand are mostly interested in finding and prosecuting miscreants. LEAs are bound to strict procedures and find it difficult to collaborate across borders. It has been suggested that CERTs could bridge the international gap to make law enforcement more effective, or even "take over" some of its jobs. This is not working: CERTs do not have the authority to conduct police investigations, and it's not their job either. Rather, a meaningful collaboration between CERTs and LEAs has to be established. This has been recognized by ENISA for quite some time. Since 2015 joint workshops have been organized to foster this collaboration.
WPK 4.1 in the 2015 ENISA Work Programme aims at exactly this: "WPK 4.1: Support for EU cooperation initiatives amongst NIS–related communities in the context of the EU CSS". The process is a slow one though, due to the different cultures and the legal framework governing LEAs and CERTs. Specifically:
− CERTs and LEAs often don't share the same vocabulary. ENISA is now developing a common taxonomy to solve this issue;
− LEAs and CERTs cannot share information symmetrically. This often causes great frustration among CERTs, as the police may not share information in ongoing investigations. Here I feel CERTs just have to accept this;
− Much of the information obtained by CERTs may not be usable in courts;
− The place of the crime is not where the damage occurs: thus no LEA feels responsible;
− Just having LEA on board is not enough; prosecutors and possibly judges also need to understand the issues and the ways CERTs work.
SWITCH-CERT in Switzerland is working closely with law enforcement to address and explore these issues, so possible solutions can be found. But just "throwing a CERT at it" is not solving any problems. Unfortunately there are still many politicians and (mostly national) CERTs which claim exactly that.
Misconception: CERTs will solve the problem of cybercrime.
Fact: CERTs play an important role in fighting cybercrime by supporting the authorities doing their job, but not taking it over.”

The SWITCH contribution is underscored by the European Commission: “Most CSIRTs do not have a legitimate law enforcement function. In fact, they benefit from not having such a function because it lowers the threshold for individuals and organisations to report incidents and ask for help. However, most CSIRTs have a frequent cooperation with law enforcement as a technical support function to investigations”.
Developing nations

The Forum would like to learn of examples of CSIRT in developing nations, of successful implementation and of concerns like those voiced in the anecdotal example above. You are invited to share your insights with the Forum.

- Regional specificities observed (e.g. Internet industry development)

Some of the questions asked of the Forum aimed at identifying differences between regions. It proved hard to get beyond common observations. Yes, differences in cultures and jurisdictions will show differences in how a CSIRT is tasked and organised. Yes, in developing nations there seems to be a tendency to legislate around a CSIRT. The safest, but rational, conclusion was that a CSIRT will do what it is told to do, region notwithstanding. What was also pointed out, mostly in contributions from developed nations, was that the problems faced in developing nations are in many cases different from those in developed ones. There are problems with e.g. (a weaker) infrastructure, financial issues and the need to justify the work done in the face of an unknowing nation. This makes it hard for a CSIRT to mature. Overall, it became clear that many factors play into the success of a CSIRT, and it is difficult to generalize across a region, let alone the world.

An issue like under-funding may not be a regional specificity per se, so a distinction between well-funded CSIRT and less or under-funded CSIRT could be justified here. All agree that sufficient funding is one of the basic ingredients that make a CSIRT function. For the others, resourcefulness is the advice given. An example provided was that of volunteers coming together during an incident to assist, and later needing to find funding sources to make their effort “stick”.

- Existing policy measures and private sector initiatives, impediments

At the Global Conference on Cyber Space 2015 the CSIRT Maturity Toolkit was presented.
“The purpose of this CSIRT Maturity Kit is to help emerging and existing Computer Security Incident Response Teams (CSIRTs) to increase their maturity level. This is achieved by offering a set of best practices that cover CSIRT governance, organisation and operations.” As such it is one of the initiatives within the Global Forum on Cyber Expertise that was launched during the GCCS 2015.

- What worked well, identifying common effective practices

The tasks of national CSIRT have expanded in the past 10 years. Their level of involvement and/or coordination efforts may have expanded. The Forum would benefit from identifying examples where this has worked well, and where there were unintended consequences. If this Forum could provide these examples, it is also able to show where trust is in place, perhaps even heightened, and where it was lost.

The involvement of CSIRT representatives in policy discussions proves to be influential. The examples this Forum was able to provide clearly show that CSIRT, and thus CSIRT’s role, can only be heard when voiced in policy discussions.

Despite the fact that not all participating in this Forum see a role for CSIRT with/in law enforcement at all, others have indicated they do see a role, but mainly on the condition that the roles are truly and correctly separated. Both have their own role, and within this role CSIRT can assist LEAs with building evidence, e.g. through providing technical expertise or analyses of complex attacks. Another way could be by providing information found. This is one of the main topics of the ENISA initiative discussed earlier and something that may prove effective. Discussing difficult topics often provides mutual understanding and helps to build trust to find solutions where these were unheard of before. The Forum identified there would be value in identifying cases where this collaboration took place with a successful outcome.
In the fight against infected machines (bots) the example of Finland, and more recently of Switzerland, shows that a pro-active stance of CSIRT, in Finland backed up by law, led to diminished rates of infection, also making the country less attractive to target from an infection point of view. Quick disinfections are discouraging for criminals. It makes other countries safer as well. The private initiative in the Netherlands against Distributed Denial of Service (DDoS) attacks, called Nationale Wasstraat (‘National Scrubstreet’), claims to work well. A similar, but public, example can be found in the Republic of Korea’s national DDoS shelter as presented above.

- Unintended consequences of policy interventions, good and bad

Misconceptions are at the basis of this BPF’s draft report. There currently is consensus that the implications of stakeholders adding functions to the CSIRT function are a danger to the traditional and successful way of collaboration on a trust basis. What is hard to conclude on at this point in time is whether these measures are an unintended or an intended result, in as far as this result was calculated at the time of decision making. In order to draw this conclusion more information is necessary. Thus it becomes more of an unresolved issue.

Serbia

After the IGF secretariat published the report on CSIRT in 2014, it was used as a background document for the local capacity building project and discussion on cybersecurity in Serbia. The adjusted summary of the document, translated into Serbian, was also added to the final booklet of the project. This shows how the report can be of influence in policy debates and can be noted as a tangible outcome of this Forum’s work in 2014.

Other examples, good or bad

The Forum would like to learn about examples which fall under this category and invites all to provide these.

- Unresolved issues where further multistakeholder cooperation is needed

A clash of cultures?
There is a general feeling of distrust in the CSIRT community about “actions” of “other entities”. The CSIRT that have been in place for some years now were built on the examples of how CSIRT were defined in the past 20 years. With the interest of other governmental agencies and ministries in the internet, and the importance to which the topic has risen for the economy and with that the national security of nations, the entities and people interested in the work of CSIRT have significantly changed. With that, the idea of an “internet free state”, the concept of permissionless innovation and the libertarian, government-free state of the internet have all come under pressure and are challenged. At the same time CSIRT, as brought forward in the Forum, have a tendency to shy away from policy making. On the other hand, in a 2015 FIRST initiative, the participating organizations did identify “cybersecurity policy advisory” as one of the new roles of a CSIRT, so there is some indication that the community does have an interest in contributing to policy as it is developed.

At this point in time a clash of two, but most likely three, cultures is taking place in which the traditional way of working of CSIRT is challenged. On the one hand there is the government, which aims to increase the role of CSIRT so that they take on a crucial response capability for the wider nation, often with some tension to involve law enforcement and the intelligence function. There is the technical community, which wants to ensure its role is limited to those response capabilities, enabling it to work effectively with other CSIRT that have similar roles. On the other hand, companies with (vital) national interests, often of a private nature, have become prime targets. This means they are looked at differently from a security perspective. Their CSIRT, if they have one, are in the front line and most likely have gained interest from higher management levels as well.
Does all this bring with it the need to become involved in policy making? Or is it already more commonplace than this Forum thought at the start of this work cycle? From the Forum discussions, it appears that especially in developed countries there is a potential desire to contribute to the process, but there is no clear outcome. It most likely is important that the way CSIRT can operate most successfully is highlighted, while other aspects may come to prominence through a better understanding of intentions or by force of tasking. There is a clearly felt need to be heard more, which asks for translation into action. The example of the OECD report, in which CSIRT’s work is written down extensively (and in which all experts of this Forum participated), is one example of interaction that could lead to a wider range of influence and results. It shows how important being visible in influential places is, most likely at the national level as much as international. By adding insights, knowledge and beliefs to policy circles, influence is gained, mutual trust built and mutual understanding aimed at, perhaps even reached.

From a clash of cultures to a mash of cultures?

The OAS reported that acknowledging the work of CSIRT within meetings and work is common practice for the organisation. They even bring the different communities together actively. Can this be an example for other relevant organisations?

For commercial CSIRT an additional hurdle may be in place. Any form of cooperation, let alone the exchange of data, may attract the interest of competition authorities. Security is a topic that could be part of competition (one vendor may claim to be the most secure in the market), but could also be looked at as a neutral topic, which allows for more effective information sharing. If all have the same problem, how can they solve it for themselves, but also for the common interest?
While most commercial CSIRT have partnered successfully within transparent organizations, deep partnerships may require review with relevant competition authorities. This is an interesting question for the Forum to tackle, and perhaps develop case studies around successful security partnerships that lead to mutual and (perhaps) national benefit.

While directly developing policy is an unlikely activity for a CSIRT, it is of importance that CSIRT provide at least some contribution to policy, even if it is simply educating policymakers on their work. Having influence is a two-way street. Because of the growth of the internet and the ever higher level of interconnection, some things may never be the same again. Not being present is the equivalent of not being heard. It is all about evolving to the next level, but also about keeping the good things. This may need interaction from CSIRT and is a topic this Forum invites input on.

CSIRT and privacy

In this Forum there is consensus that CSIRT are custodians of data protection. This is recognised by Privacy Commissioners and the European Commission. A provision for the work of CSIRT is part of the upcoming Privacy Directive of the European Union. One of the participants of the Forum, Andrew McCormack, had previously published a paper with guidelines on the implications of privacy on incident response. He notes that in the context of European law, there are four major elements to be considered in the exchange of information:
• Is use/disclosure necessary?
• Does the action support legitimate interests?
• Are the data subject’s interests protected?
• Is processing justified?
While the full paper provides more detail on how to perform these tests, there is likely to be significant value for the CSIRT community in exchanging their experiences in meeting legal requirements.
Possible ways forward lie in the community exchanging these experiences, participating in multi-stakeholder dialogue that ensures privacy, or better data protection, and sharing both internal and community CSIRT protocols.

- CSIRT

How to conduct incident response activities in privacy-protecting ways? Guidelines could be developed, as well as tools, e.g. the traffic light protocol, or perhaps a lightweight privacy impact assessment if a more formal approach is wished for. How can a CSIRT demonstrate that it protects data/privacy? What could be looked into is what level of transparency can be provided on what information you share with whom in what circumstances.

- Policymakers (and other concerned parties involved)

The question from a CSIRT perspective is how to communicate that incidents can harm privacy and how incident response can reduce/eliminate that harm. How can policymakers ensure that a country’s national CSIRT is trusted to protect privacy? More generally it was asked whether CSIRT ought to receive a role as the “good custodian” of lost, stolen or leaked (privacy sensitive) information, i.e. non-public data on the internet. If guidelines were to be developed on how to deal with this sort of information and how to send it (as close as possible) to the source, immediate problems are resolved and transparency reached. At the same time this could be a part of the solution that ethical hackers are looking for, as discussed under responsible disclosure below.

Track records in assistance

A dissenting opinion on the questions put to the Forum stated that it is not important whether something is called a CSIRT or not. It ought to be about the track record in providing assistance. In this vein it is important to note that a few respondents name commercial CSIRT as the most successful, in a general way.
As voiced by Team Cymru: “Real operational issues are managed still by closed groups based on vetting of individuals, and no "approval" from any state will change that in the near term”. The debate ought to focus on successful and unsuccessful organisations, when asked for assistance. From there a study is possible that brings the gap to light. In short, it is contested that some organisations are not CSIRT but call themselves CSIRT, and others that do not call themselves CSIRT may be (successful partners). Is the need felt to make a distinction like this and produce a list of successful CSIRT/organisations? If so, in which way can this contribute to raising the bar and influence e.g. policy discussions around CSIRT? It calls for a different set of questions and comments than looked at up till now. If so, what is the best environment to do this research?

Responsible disclosure

Another unresolved issue is the position of ethical hackers. The topic was a parallel session at the Global Conference on Cyber Space 2015 and is one of the initiatives of the Global Forum on Cyber Expertise that was launched during the GCCS 2015. The session at the GCCS had not only hackers as a driving force, but also the (then) Dutch Officier van Justitie (District Attorney) Cybercrime Lodewijk van Zwieten and representatives of large corporations. At the closure of the GCCS those interested started the Working group for Organizing Coordinated Disclosures. The following contribution is by one of its members, Inbar Raz.

Working group for Organizing Coordinated Disclosures (OCD)

This informal Working group has as members the hacker community, large corporations, a district attorney, policymakers, representatives of CSIRT and others. The purpose of the Working group is to find a way to allow researchers to do their work, without fear of prosecution or persecution, while at the same time protecting the vendors from unnecessary actions, exposure and/or damage.
The key word here is ethics. The Working group aims at a government-sanctioned Code of Conduct, a document that says: "If you did everything according to the rules in this document, then you will be protected from criminal prosecution". That would be the ideal outcome of the OCD. If needed it can be accompanied by a law or just by a formal directive for prosecutors. The people in the working group see responsible disclosure as a reporting function, like e.g. on corruption.

This Forum received a national example of a country where this process is well underway between stakeholders.

Israeli pilot on disclosure

Currently there is a pilot running in Israel. Security researchers, the hacker community, police and government were brought together. A process was started with the intention to create a government-sanctioned procedure that will allow for responsible research of security vulnerabilities, as well as a coordinated disclosure process, which aims to guard the interests of all involved parties (general public, vendors and researchers). It is intended to finish the work in Israel in a relatively short term, and then present it as an example for other countries, as well as for the efforts in the OCD Workgroup.

FIRST SIG

The following information on this topic comes from FIRST.

FIRST Special Interest Group on vulnerability coordination

In 2015, FIRST, the Forum for Incident Response and Security Teams, initiated a Special Interest Group (SIG) for its members on vulnerability coordination. The SIG was proposed by ICASI, the Industry Consortium for Advancement of Security on the Internet, an association of several technology companies, but includes participation from across the CSIRT community. The SIG maintains the following goals:
• Develop and execute a strategy for improving vulnerability coordination globally;
• Develop and publish a common set of 'coordination principles';
• Develop and publish vulnerability coordination best practices which include use cases or examples that describe scenarios and disclosure paths;
• Collate and publish a compendium of coordination resource documents;
• Review and recommend methods for reporting/updating coordination directories (finding a contact; maybe a directory or a trusted contact).

While less focused on researcher coordination than both other groups, the SIG aims to address the issue of coordinating complex security vulnerabilities that have many affected parties (events such as the Bashdoor or Heartbleed vulnerabilities).

The topic could be of interest to this Forum, because a better relationship between ethical hackers and industry, CSIRT and the law can have a positive effect on the volume of security breaches. Mark Goodman in his book ‘Future Crimes’ even advocates “contests” between thousands of interested individuals to search for vulnerabilities in software, what he calls “gaming the system”. The online discussion in this Forum points to the need of establishing guides for prosecutors and/or Memoranda of Understanding that allow ethical hackers to work in a way that “prosecution is not in the public’s interest”. The government of the Netherlands is said to make responsible disclosure a topic during its presidency of the European Union.

There are several questions being addressed by these and other working groups which are relevant to the function of the CSIRT community.
1. What is a "proper way" to conduct research on someone else's vulnerabilities?
● How can one perform the research without causing damage to existing data and services?
● How can one perform the research without breaching an unnecessary level of privacy?
2. What is the "proper way" to report the vulnerability to the vendor?
● How long after the research has been completed must one report?
● What content must be minimally included in such a report?
3. What is the best way to publish your research results?
● Are there any timing constraints?
● Can the vendor impose a time frame? If so, who regulates that time frame?
● Should it be required to supply the vendor response?

If anything, these working groups indicate that the role of CSIRT is likely to grow in coordinating security vulnerabilities and the way they are addressed. This indicates some level of awareness should be built by new CSIRT that are being established. It also implies there is a close correlation with the trust a CSIRT has. If a CSIRT is run by a law enforcement or intelligence function, will it have the reasonable ability to assist security researchers, whose work is beneficial, but may in some cases take place around the edges of existing laws? This Forum invites input on other initiatives, would like to be informed if there are current law drafting processes on responsible disclosure ongoing, and invites interaction between FIRST, the OCD Working group and the GFCE initiative.

- Insights gained as a result of the experience

There is consensus that funding is one of the basic elements for the success of CSIRT. It gives them a chance to employ knowledgeable people, set targets, travel and interact with colleague CSIRT. It is however no guarantee for successful cooperation and building trust. At best, the chance to reach this level is provided for. There is a tendency towards consensus that participation in and intervention at policymaking procedures allow CSIRT to be heard and have influence. The role of CSIRT seems to be changing in the face of interest professed by many other stakeholders in the work of CSIRT and the importance given to the work of CSIRT. This Forum has provided some successful examples of this expanding role and new ways of cooperation. At the same time there is a clearly expressed concern that these new roles, when not understood or applied in the right way, will lead to the loss of trust and cooperation.
- CSIRTs in Developing and Emerging Economies

One participant specifically noted an interest in understanding better how CSIRT are being developed in developing and emerging economies. While little information was provided during the process, the group will aim to include information on the specific elements that make CSIRT operations more challenging in this context during the session at the IGF meeting.

- Proposed steps for further multistakeholder dialogue

In this section the recommendations and outcomes of this year’s process will be presented. In the above sections several questions have been put to this Forum, which will translate into said recommendations and outcomes. As examples:

This Forum strives for a translation of the outcomes of this work into actions at different levels by the respective stakeholders, either together or individually.

There is a need for policymakers to discuss the role of CSIRT with the CSIRT community to avoid misconceptions around the role of CSIRT.

Responsible disclosure of information in the possession of ethical hackers is a topic that needs further debate among stakeholders; a debate that goes beyond the European Union. The current initiatives mentioned in this report have the support of this BPF.

The work of this Forum is seen as very valuable by those who participated. Some have advocated its continuation. A few reasons were provided. The BPF assists the community to focus on more controversial topics within the CSIRT community and gets them addressed. Several challenging topics lie ahead, e.g. security incidents in the cloud, CSIRT maturity, metrics, cooperation with LEAs, etc. CSIRT work is evolving, which involves changes to common, well tested approaches. Many of these discussions are taking place already, mainly outside of this BPF. A question that needs answering is whether there is a role for this BPF in the future, and if so in what form and on which topics? Please share your thoughts on this.

The role of CSIRT is expanding.
Does the definition of what a CSIRT is need redefining or an addition?

Annex 1. The set of questions this Forum put to the community at the start of this process

1. To what degree do CSIRTs work on issues which are privacy sensitive?
− Do CSIRTs help build up privacy protections for citizens?
− In what ways can privacy be a limiting factor for a CSIRT to work together with the wider community?
2. What roles allocated to national CSIRT are controversial?
− Do CSIRT have a legitimate law enforcement function? What are the benefits and concerns?
− Do the roles of national CSIRT differ based on where they are built? E.g. is a regulator-hosted CSIRT different than one developed within the military, the private sector or academia?
− What CSIRT implementations are successful today?
− Is there value in having a "neutral" national CSIRT which is independent from all other organizations and run independently? What is the role of a CSIRT in a conflict?
3. How do differences between countries affect misconceptions around CSIRT?
− Does the type of government affect the type of roles allocated to CSIRT?
− Do CSIRT in the developing world focus on different services than the developed world?
− How does funding affect the effectiveness of a CSIRT?
− What are creative solutions for a lack of funding to operate a CSIRT function?
4. How do CSIRT interact with policy makers?
− Do CSIRT typically have a dedicated liaison with the policy community?
− Where do CSIRT help influence policy, for instance by spreading awareness? Are there areas where they should not?
− How have policies internationally acknowledged CSIRTs? Do they focus on particular roles of the CSIRT?
− What policy communities are most related to the CSIRT role? Technology, economy? How can we reach them more effectively?

Annex 2. Recommendations of the 2014 BPF process

“1. Misconceptions of functions and tasks of CSIRT.
Misconceptions lead to misunderstandings that can seriously influence the performance of a CSIRT and thus the performance of fellow CSIRT. Cooperation and the development of CSIRT in different parts of government is an area that needs further development and discussion.
2. The mitigation of incidents involves sharing (privacy sensitive) data. There is a clearly identified need to discuss this topic further with governments and (privacy) regulatory agencies.
3. National Point of Contact or CSIRT of last resort. The call to have such a point in as many countries as possible is evident. There is a need for further discussion on its functions and how to achieve this.
4. Privacy and free speech. There are concerns about how far (the work of) CSIRT may impede on free speech, as well as in what way CSIRT can contribute to a higher privacy standard in the world.
5. The implementation of good standards. There is a need for swifter implementation of Internet standards and good practices in general, and for an understanding of how CSIRT can contribute to this.
6. Cooperation with Law Enforcement and other regulatory Agencies. Mandatory cooperation with Law Enforcement Agencies (LEAs) tends to lead to reduced trust between CSIRT. On the other hand, some voluntary cooperation can often be helpful to certain types of investigations and reduce the overall issue of cybercrime. This thin line would benefit from further discussion with other stakeholders involved.
7. Training, education and participation in international meetings. The importance of these topics cannot be stressed enough in ensuring the success of a CSIRT. Capacity building in the CSIRT community requires further development.
8. The development of case studies. There is a need for extensive case studies, as e.g. happened with DNSChanger and Conficker, in the light of (the implementation of) lessons learned, potential cooperation with other stakeholders and reporting mechanisms in different jurisdictions”.
It may not be that trust is only built through the reliable delivery of service when a request is made. It is likely that trust is built without the requirement of a request. For example, proactively engaging with another entity could serve as an indication of both good faith and an emphasis on mitigating incidents before they occur.
Creating protocols for incident notification would help improve transparency as well as trust.
The implication here that the protection of national and economic values is at odds with the internet community's innovation value is not necessarily true. Frequently, innovation is driven by security concerns and provides a platform for new technologies, particularly in dual-use areas such as cyber.
Be sure to specify that the supply chain being discussed here is a supply chain for malware distribution, rather than industrial supply chain.
This is a major issue in cyber capacity building. It would be useful in this Forum to discuss mechanisms for communicating this message to policy-makers which frames cybersecurity comprehensively and indicates that, while a major aspect of cybersecurity, CERTs are not a universal tool for LEA cybercrime mitigation.
This, to me, is the crux of the argument. If the Forum could take a position on this issue, I feel significant progress can be made.
The Forum could devise a lessons-learned document that highlights the insights, knowledge and beliefs CSIRTs have to offer policy circles. I have not seen such a document.
At the end it is all about the money or what I get or lose from that. Once we identify the stakes, the next step would be to go where they are, get a few people from the area to think together with us on how this impacts the stakeholder, so that we can get their attention and use that to get them engaged. Basically, why should THEY care. We care because it is our business to do so, but why should THEY care.
I think a lot of that comes from the fact that we lack communication between CSIRTs and other actors of the process of incident response. We might also (and probably do) have misconceptions about other actors' roles in the process. Communication and talk is necessary to develop trust and understanding.
This is a very important point. We clearly have a responsibility and liability issue on what concerns crime in the digital environment, and that comes, again, from the lack of communication between all the actors in the process, so that we can understand and discuss each other's responsibilities and see how to work in a cooperative way. CERTs help mitigate the consequences of a cybercrime and could maybe give support to police by helping gather evidence or so. Police should work upon the cause. Cybercrime is overall crime and as such should be dealt with by entities like the police, for example.
[CERTs should create Awareness. It’s important but it’s not clear how efficient it is] I strongly disagree that a CSIRT should create awareness. We do because nobody else does. CSIRTs could provide support and even try and catch the attention of other groups, but awareness should be increased by other areas getting involved in security discussions. Only stakeholder members or someone with knowledge of the field can effectively address cybersecurity issues to their sectors.