by Maarten Van Horenbeeck, FIRST Board of Directors
Monday, January 8th, 2018
In this blog, I'll briefly introduce how FIRST participated in the Global Conference on Cyberspace in New Delhi this November, showcase some of the work of our team members there, and explain how it contributes to making sure the voices of incident responders are heard by the policy community.
On November 23rd and 24th, FIRST participated in the Global Conference on Cyberspace (GCCS), an annual Internet policy event which is part of the “London Process”, a set of conferences where governments and the wider Internet community gather to “discuss and promote practical cooperation in cyberspace, to enhance cyber capacity building and to discuss norms for responsible behavior in cyberspace”. The first GCCS was organized in London by the UK Foreign Office and the Delhi event marked the fifth iteration.
These conferences have grown in participation from 700 in London in 2011, to 3500 in India. The constitution of the conference has also changed. While it originally was very much a government event, today it includes civil society and the technical community among its participants. The program typically consists of a set of high-level sessions, in which agendas are declared and discussed, and smaller side sessions that make for more substantial discussion of specific topics. While the conference covers development of the internet in general, a large number of its sessions cover cyber security.
The GCCS originally developed to build on the existing World Summit on Information Society (WSIS) process. This UN process had similar goals, but was organized by the International Telecommunications Union (ITU), rather than directly hosted by a single country.
In the GCCS process, each country coordinates a Chair’s statement, which does not reflect consensus, but reflects at a high level the discussion that took place over the duration of the conference. Notably, the GCCS does not aim to develop treaties or binding agreements between states. Instead, the goal is to discuss sensitive and challenging topics, to allow each participating government to develop a level of consensus on specific topics.
Some GCCS have also led to more tangible outcomes. In 2015, during the GCCS, the Netherlands launched the Global Forum on Cyber Expertise (GFCE), which has become a central body for governments and other stakeholders to work with on cyber capacity building. The GFCE is a membership-based organization of 38 states, 11 inter-governmental organizations such as the African Union, Council of Europe and OSCE and 9 private sector enterprises. The GFCE also maintains partnerships with several non-profit organizations, including FIRST. The GFCE aims to promote cyber capacity building in a “vision where security, economy and human rights go hand in hand”.
FIRST has participated in the GCCS dating back to 2015, when we were invited to participate in a panel on CSIRT Maturity. Policymakers see CSIRTs as a critical part of the ability of the Internet to defend itself, but don’t always have much background on the type of work we do.
Security threats, to us a technical challenge we need to address, are often “securitized” and discussed in terms of national security threats. This often makes it more challenging for our community to work on them effectively. When a government believes a cyber attack has national security implications, they may make decisions around CSIRT capability that may be ineffective in addressing the technical and human risk the threat poses.
Governments increasingly feel the need to create new legislation in response to growing cyber threats. To promote effective laws, it is important that policy and law makers understand how CSIRTs contribute to the security and stability of the internet; otherwise, new legislation runs the danger of having adverse effects on the technical and human threats it tries to mitigate.
As a result of these ongoing challenges, FIRST participated in the session and shared some of the experiences and challenges our members face on the ground, responding to security threats. This participation was enlightening, as we could see first-hand some of the discrepancies between the view of policymakers and authorities from various countries and the technical nature of our work. Shortly after the conference, FIRST also became a partner of the GFCE and started cooperating on two initiatives:
In 2017, FIRST decided to participate again and we sent Damir ‘Gaus’ Rajnovic and Maarten Van Horenbeeck. Koichiro Komiyama also represented FIRST in several discussions. Our goal, as with any policy conference, was to educate and provide awareness of the technical challenges our community faces. During the conference, we had approximately four meetings each day, in addition to the regular sessions. Many of these meetings covered the same topics. We aim to inform policy makers of the work FIRST does, our main vision and our three concrete goals:
In particular, we shared our experiences with the Fellowship program, to motivate policy professionals to identify suitable applicants and promote the program. We also shared updates on and promoted our training programs, including our new training focused on policymakers.
Another topic which is worthy of discussion for our community is that of norms development. As mentioned earlier, the original goal of the GCCS is to develop “responsible behaviors” or “rules of the road” for cyberspace. You may ask how these behaviors make their way into generally accepted practice.
This is where the political science concept of “norms” comes in. Norms are voluntary measures that states agree on, which describe the expected behavior of states in particular scenarios. They can develop naturally and be recognized when a critical mass of other states respond to an event. For instance, states may respond to a hack and state it is not acceptable; when a large number of states respond, a norm may have been identified. Alternatively, they can be agreed upon ahead of time and used as guides by each state to determine whether an activity is appropriate.
Norms have recently been discussed in various forums and by different parties. Interesting reading includes this blog by Microsoft, including a few proposed norms for governments and the global ICT industry. In addition, in 2015, the UN Group of Governmental Experts (UNGGE), a group of experts in government convened by the UN General Assembly, published a document proposing a set of cyber security norms. One of these was particularly relevant to the incident response community:
“states should not conduct or knowingly support activity to harm the information systems of another state’s emergency response teams (CERTs/CSIRTs) and should not use their own teams for malicious international activity;”
Another group that has been active in norms development is the Global Commission on the Stability of Cyberspace (GCSC), initiated by The Hague Centre for Strategic Studies and the EastWest Institute. The GCSC consists of 26 commissioners, representing most geographies and stakeholder groups (government, industry, the technical community and civil society).
During the GCCS in India, the GCSC published the following norm:
“Without prejudice to their rights and obligations, state and non-state actors should not conduct or knowingly allow activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet and therefore the stability of cyberspace.”
While the public core is not directly defined, in an associated press release, the concept is said to include “Internet routing, the domain name system, certificates and trust and communications cables”.
Clearly, norms are an interesting topic of conversation and have some impact on the work of incident responders if implemented and accepted. As such this is an area we will track closely for our members. FIRST participated in several norms related discussions at the event and one of our goals is to bring some of this knowledge and awareness back to our membership.
FIRST will continue to participate in policy forums and bring awareness of these topics back to our membership. As an outcome of our board meeting in Montréal last October, we will be initiating a policy working group in the next few months, which we’ll use to keep members briefed on the events at the GCCS, GFCE and other forums. If that tickles your interest in becoming a FIRST member, read up on the process here.
We’ll also publish more blogs on our activities in this space and will keep the Internet Governance section of our web site updated with these initiatives. In particular, FIRST had a successful week right ahead of Christmas participating in the Internet Governance Forum in Geneva, Switzerland. And that is for another blog!