The Role of National CERTs/CSIRTs in Implementing the UN Norms of Responsible Behavior in Cyberspace

As the global conversation around international law and responsible behavior in cyberspace grows, it is increasingly clear that this issue transcends the realm of diplomacy. It is no longer limited to political discussions but extends to the teams responsible for responding to cyber incidents. National CERTs/CSIRTs have a pivotal role in bridging the gap between international norms and practical cybersecurity measures. This article examines how these teams can contribute to the implementation of the United Nations norms for responsible behavior in cyberspace, ensuring that these norms translate into actionable steps that enhance global security.

A New Era in Cybersecurity

Cybersecurity today is no longer just a technical concern handled by IT experts; it is a whole-of-society issue that impacts the full spectrum of national functions, from economic stability to public health. As cyber threats evolve, governments must take a comprehensive approach that engages all stakeholders, from technical teams to top-level policymakers. This collaborative approach ensures that cyber threats are managed in ways that protect the sovereignty and security of nations, while adhering to international standards and norms.

In the context of international law, while diplomats typically lead conversations around responsible ICT use, these discussions often remain theoretical or aspirational. For these norms to be effective, they must be applied practically within the operational framework of national response teams. CERTs/CSIRTs are ideally positioned to take these norms and apply them in real time, addressing the complexities of cybersecurity threats and fostering global cooperation.

Responsible Behavior for Incident Responders

The concept of responsible cyber behavior in the context of incident response is grounded in international law. For national CERTs/CSIRTs, it involves operating in a way that is ethical, transparent, and in full respect of both national and international laws. This behavior is designed to prevent, mitigate, and manage cyberattacks while ensuring that actions taken do not exacerbate conflicts or violate international norms.

Key principles for responsible cyber behavior include:

  1. Respect for Sovereignty: National CERTs/CSIRTs must avoid affecting the infrastructure of other states, ensuring that their actions align with the sovereignty of all nations. This principle is particularly crucial when CERTs/CSIRTs work on identifying and addressing cyberattacks emanating from their jurisdiction.

  2. Due Diligence: It is essential that national CERTs/CSIRTs ensure that their country’s cyber infrastructure is not being used for malicious activities that could harm other nations. By collaborating with international cybersecurity entities, CERTs/CSIRTs can proactively identify and mitigate threats before they escalate.

  3. Transparency and Cooperation: Information sharing and cross-border collaboration are essential for an effective response to global cyber incidents. National CERTs/CSIRTs should regularly share indicators of compromise, vulnerabilities, and other relevant threat intelligence with their counterparts across the world to facilitate collective defense and response.

  4. Protecting Human Rights: CERTs/CSIRTs must operate with an awareness of human rights, ensuring that cybersecurity measures do not violate freedoms such as freedom of expression or the protection of personal data during incident response.

  5. Promoting International Peace and Stability: Incident responders must focus on preventing cyber conflicts from escalating by ensuring their actions do not contribute to geopolitical tensions. By considering all available data, including the possibility of false flag operations, CERTs/CSIRTs can mitigate the risk of unintended diplomatic fallout.

The UN 11 Norms of Responsible Behavior in Cyberspace

In 2021, the UN proposed 11 norms of responsible behavior for states in cyberspace. These voluntary guidelines are critical in shaping the actions of national CERTs/CSIRTs, as they help to set the standards for how countries should engage in cyberspace while respecting the rights and sovereignty of other states. The challenge for CERTs/CSIRTs is to translate these theoretical norms into actionable practices. The norms address concrete actions that national CERTs/CSIRTs can implement, supporting their State in delivering measurable and quantifiable results that reflect their commitment to the norms of responsible behavior and international law:

  • Do Not Harm Critical Infrastructure: National CERTs/CSIRTs must avoid enabling or executing cyberattacks that could damage critical infrastructure in other countries, such as energy grids, financial systems, or healthcare services. CERTs/CSIRTs can identify malicious activity targeting such infrastructure but must refrain from intervening in the systems of other nations without explicit permission.

  • Protection of Critical ICT Infrastructure: CERTs/CSIRTs should take proactive steps to protect their country’s critical infrastructure and collaborate internationally to protect global infrastructure from cyber threats.

  • Prevent Malicious Activities from Your Territory: States must ensure that their territory is not used to launch cyberattacks against other nations. CERTs/CSIRTs are tasked with detecting and preventing malicious activities originating within their jurisdiction, often in collaboration with Internet Service Providers (ISPs).

  • Promote Cyber Conflict Prevention: CERTs/CSIRTs play a vital role in preventing the escalation of cyber conflicts by fostering collaboration and information sharing about emerging threats and vulnerabilities.

  • International Cooperation: Global cybersecurity challenges require global solutions. CERTs/CSIRTs must work closely with international counterparts and organizations such as FIRST, CSIRTAmericas, and others to ensure that responses to cross-border incidents are well-coordinated and effective.

  • Exchange of Information and Best Practices: Sharing technical expertise and operational best practices with other countries is essential to building a collective defense against cyber threats. Many international bodies, such as the Organization of American States (OAS) and the Forum of Incident Response and Security Teams (FIRST), facilitate such exchanges, which strengthen the global cybersecurity community.

  • Reporting Mechanisms: Establishing clear and effective mechanisms for reporting cybersecurity incidents that may have broader regional or global implications is crucial. These reporting systems enable faster and more effective international responses to cyber threats.

  • Vulnerability Management: Effective vulnerability management is a cornerstone of cybersecurity, and national CERTs/CSIRTs must work together to identify, mitigate, and fix vulnerabilities before they can be exploited by malicious actors. Regular vulnerability assessments and the use of services like ShadowServer can help identify threats early.

  • Capacity Building: CERTs/CSIRTs should engage in capacity-building efforts, particularly with less-resourced nations, to enhance their ability to respond to cyber threats. Programs such as FIRST, Global Forum on Cyber Expertise (GFCE), EU Cybernet, LAC4, and CSIRTAmericas support these efforts by providing training and resources to build technical and management capabilities.

National CERTs/CSIRTs are the frontline defenders of cyberspace, ensuring that their country's digital infrastructure is secure and resilient. They also play a critical role in implementing the UN norms of responsible behavior in cyberspace, acting as the operational link between international law and cybersecurity practices. By adhering to these principles and collaborating globally, CERTs/CSIRTs contribute not only to the safety of their own nations but also to the stability and peace of the broader digital ecosystem. Through their efforts, they help translate international expectations into concrete actions that enhance cybersecurity, protect human rights, and foster global cooperation.

Carlos Leonardo
FIRST Board of Directors

Published on FIRST POST: Jan-Mar 2025