CSIRTs: A Global Dialogue with Cyber Incident Responders | IGF 2023

Cybersecurity Experts Emphasise Trust and Collaboration at Global Dialogue Workshop

During the “C-SERTS: Global Dialogue with Cyber Incident Responders” workshop at the Internet Governance Forum, the panel, moderated by Koichiro “Sparky” Komiyama, delved into the complexities of global cybersecurity, underscoring the pivotal role of Computer Emergency Response Teams (CERTs) and Computer Security Incident Response Teams (CSIRTs). Panelists included Yusuke Yamaguchi, Serge Droz, Masae Toyama, and Kaleem Ahmed Usmani, each offering insights from their respective roles and regions.

Yusuke Yamaguchi opened the discussion by recounting the origins of the first CERT, established in 1988 in response to the Morris worm incident, which highlighted the need for coordinated efforts to address cyber threats. He described the diverse landscape of CERTs/CSIRTs, which serve various entities, from corporations to national governments, and face a multitude of responsibilities and challenges.

Serge Droz, from FIRST (Forum of Incident Response and Security Teams), emphasized the importance of collaboration and trust among incident responders, likening their role to that of firefighters who must work together irrespective of political boundaries. He noted that FIRST provides a platform for secure information exchange and collective action to secure cyberspace.

Masae Toyama discussed the role of AP CERT (Asia Pacific Computer Emergency Response Team), focusing on the challenges of maintaining member interaction and neutrality, especially during the pandemic. She highlighted the significance of in-person meetings for trust-building and the necessity of expanding AP CERT’s membership to include eligible teams from the Asia-Pacific region that are not yet members.

Kaleem Ahmed Usmani shared the perspective of Africa CERT, concentrating on capacity building, incident coordination, and preparedness exercises. He stressed the importance of regional cooperation in threat management and the need for technical infrastructure to support information sharing and threat monitoring.

The panelists collectively acknowledged the challenges faced by CSIRTs, including political polarization, sanctions, and resource constraints. They stressed the need for international cooperation, given the borderless nature of cyber threats, and the importance of including under-resourced civil society organizations in cybersecurity efforts.

A key takeaway from the discussion was the fundamental role of trust in the effectiveness of incident response. Trust is crucial for the exchange of confidential information and for forming strong, collaborative relationships that enable teams to respond to incidents efficiently.

The session concluded with a consensus on the need for continued collaboration and support among cybersecurity teams to build resilience and handle incidents effectively. The panelists called for the cybersecurity community to join hands, share expertise, and work together to enhance global cybersecurity resilience. They also highlighted the importance of in-person meetings for fostering trust and building capacity within the cybersecurity community.

Noteworthy observations included the recognition of the unique challenges faced by different regions, such as the Asia-Pacific and Africa, and the need for tailored approaches to capacity building and threat management. The panel also touched upon the role of strategic alliances, such as NATO and the Shanghai Cooperation Organisation, in cybersecurity cooperation, illustrating the multifaceted nature of international cybersecurity efforts.

Koichiro Sparky Komiyama:
Thank you very much. Good morning, everyone. Welcome to this workshop, C-SERTS, global dialogue with cyber instant responders. I welcome you all very much. Thank you for coming, even 8.30, early in the morning. My name is Yusuke Yamaguchi. I’m the director of the Japan computer emergency response team, and I’m work as a director for global coordination division at JPCERT. Like many of you here, I’m enjoying my third IGF, my third in-person IGF. It’s lovely to see the, you know, lovely to see all the participants in the same big room and share the space with each other. Also, it’s fantastic to see the diversity of participants this time. I think compared to the previous one, I think maybe the charm of Kyoto or, you know, weak Japanese, we succeed to get all the people coming, flying and we had a great boost of exhibition in the hallway, bent orange boxes, all excellent, and we see the fireworks at Gala. So today for this workshop, let me begin with may I show the slides online. So what I like to do with this workshop is CERT, computer emergency response team, or CCERT, computer security, again, incident response team, is an organizational unit that provides service and support to define the constancy for preventing, detecting, handling cyber security incidents, and it used to be recognized as firefighters in internet or cyberspace. When there’s a fire, firefighter come to rescue you. In the case of cyber security incidents or cyber breaches, a CCERT come to your place to rescue you or system administrator or cyber security team. It was first established in 1988, so 35 years ago. Immediately after the mass computer virus outbreak called Morris worm, it hit, it crashed one in ten e-mail servers at But again, 1988. So immediately after this case or incident, U.S. Department of Defense convened a meeting with inviting all the stakeholders and decide to launch a new organization or team to share the remediation or mitigation with everyone else. So that’s the first CERT, computer emergency response team. A lot has happened since then. We have now many CCERTs around the globe. For example, Japan, we have more than 500 CCERTs in, for example, companies like Sony, NTT, and others. And some CCERTs work to protect employees. Some of them, they are to protect their products and services. And then others, for example, some others represent own government or country and work as a national point of contact. So CCERTs in their role also need a cooperation across the border because cyber security incidents are pretty international or global by its nature. And that means simply because the fact cyber security incidents are international or global, we need to form a regional or international collaboration scheme. Right now we have several international or regional CCERT collaboration forum, namely, for example, APCERT in Asia, AFRICCERT in Africa, TFCCERT in Europe, OICCERT, this is not regional, but sponsored by organization of Islamic countries, so it’s a culture backed up by cultural organization. And we have a few new kids on the block, for example, PAXON in Pacific Islands, and ASEAN CERT for 10 Southeast Asian ASEAN member states. However, cooperation among CCERT is facing these significant challenges. You can see various reasons or obstacles that cause CCERTs cannot share or cannot talk to their counterpart in other country, frankly, but I think we’d like to ask our distinguished partners to introduce several challenges they see, they witness regionally or internationally. So let me explain the structure of this panel. We have a short period of time, just an hour, so we are going to break this into three distinct chunks. First, we invite three panelists, two from remote, one sitting with me here, ask three panelists to introduce what first AP CERT, Africa CERT, for who they are and what are the challenges for them and others. And in the second segment, I will throw several questions to those panelists, and the last part, the third segment, is a Q&A session with you, so please prepare good questions for our panelists. Now, thank you, Saochi, Karim, for your patience. Now, without further ado, let me introduce you to our panel. First, we have Saochi online. He’s a current board member of FIRST, Forum of Incident Response Team. He’s also a former chairperson of FIRST, leading this international global organisation. He also works with, or affiliated with, Ministry of Foreign Affairs Switzerland, so he’s our first panelist. Now, second, we have Masa sitting next to me. She works for JP CERT, so we work for the same organisation, and one of her main roles is serving AP CERT, Asia Pacific Wide Sea CERT community as a secretariat. Then we have Mr Karim Usmani. He has been leading CERT Mauritius, CERT MU, a national CERT of Mauritius. In this workshop, he also represents African CERT community, Africa CERT, where he plays a critical role. He also participated last year in the sixth round of UN GGE on cyber, as one of 25 or 26 experts. So thank you all. Thank you all for joining us, even though it’s the middle of the night for Karim and Saochi and very early for Masa. So let us jump in to FIRST segment, Saochi. I first like to invite you to share with us who’s FIRST as an organisation and its community. I also like to know how it helps secure the cyberspace. So, Saochi, the floor is yours.

Serge Droz:
Thank you, Sparky, and welcome, everybody, to this session on C CERT. Sparky, you already mentioned that FIRST was started more than 30 years ago to bring instance response teams together. And that’s where we still are. It’s actually in the name. It’s a forum, the Forum of Instance Response and Security Teams. We bring together security teams so they can work together. Cyber security incidents never respect boundaries because the internet is something that doesn’t respect boundaries. So instance responders have to work together and they need a place where they can start to meet. Typically, instance responders don’t have non-disclosure agreements or contracts that kind of regulate how they should work together, how they should treat confidential information. We often treat confidential information because you don’t really want to talk publicly about things that have gone wrong. So FIRST provides the forum or a platform where these teams can work together. It started out 30 years ago with a couple, a handful of teams in the United States, and then slowly started expanding to Europe and Asia. And now FIRST really is a global organization with members from more than 100 countries. We currently have nearly 700 teams which are members, compromising more than 5,500 instance responders that need to work together on a daily basis exchanging information. A couple of years ago, this was still kind of a fairly easy thing. The internet didn’t have that importance that it has today. Also, the world was a lot less polarized. But now things are starting to get more difficult. We have more and more polarization. We have political opinions that diverge. But Sparky mentioned instance responders are like firefighters. Firefighters don’t typically argue in front of a fire who is right, who is wrong, whose house this is. Your job is to extinguish the fire. That’s our job. But this political environment makes it kind of hard to actually do this. And just one example is sanctions that often prevent us from working together. We have certain countries where we have no members because people probably run into issues with sanctions from other countries. And that is a challenge because the internet still connects to all these places. So what I feel first is a success story. And instance response is a success. I think the internet is usable. We all do e-commerce despite all the horror stories about cybercrime we hear about, the horror stories we hear about, malicious cyber operations. We all can use the internet globally in the west, in the east, in the south and in the north. But we need to make sure that we can continue doing this. And despite different political opinions and conflicts, that instance responders can continue working together. That is the big challenge first is facing today. And I think with that, I want to hand on over to Masa to tell us a little more or to Sparky to introduce Masa.

Koichiro Sparky Komiyama:
Thank you so much. Thank you. Thank you very much. You know, you first mentioned the global nature of CSET community first. And I was surprised to hear you have more than 700 membership right now. And still the broad membership is suffering. It has a common challenge like us in Asia, the polarization, even among engineers or firefighters work on the ground. Well, I still believe your success story will continue. But anyway, I think it’s your turn, Masa. I’d like to know, again, what is your vision for CSET and why you need a regional collaboration even though we have an organization like FIRST? And I’m also curious if there’s any change in your community for the last few years. Anyway, Masa, please. The floor is yours.

Masae Toyama:
Right. Good morning. Good afternoon, everyone. This is Masa. I’m currently serving as a secretariat of AP CERT. First of all, it’s a great honor for me to be a speaker with three of you, Sparky and Celgy and Harim, who have contributed so much to the CERT communities. As I said, AP CERT is a forum of the Asia Pacific region. My job is to manage the infrastructure and to ensure AP CERT runs smoothly. So I’d be happy to speak from the viewpoint of the secretariat who takes care of administrative duties. Back in AP CERT, AP CERT was formed in February 2003, so it’s like 20 years anniversary this year. And the AP CERT has been in charge of secretariat since its establishment, and we’ve been coming so far nicely. Since AP CERT is a voluntary community of 33 teams from 24 countries and economies, from India in the west to Tonga in the west, yeah, so members CERT vary in size and maturity. National CERTs make up the majority of members CERT, but academic CERTs, financial sector CERTs and private company CERTs such as Panasonic and Group IB in Singapore are also members. Yeah, so one of the collaboration activities that I’d like to highlight in this session is we do have AP CERT cyber annual drill, so it’s the event that we get together and the check the incident response flow for each team, and we also have the AP CERT flow for each team. So for the realization of this drill, we create scenarios together and check response status of member organization. So this year we had 16th drill, and the theme of the supply chain is Africa CERT. With the total of 35, over 35 teams taking part of including OIC CERT and Africa CERT members, so we actually extend the invitation to the drill for OIC CERT and also Africa CERT. So it’s one of the form of regional collaboration and beyond the We are now expected to have more teams from the participation from other regional collaboration communities, also inside the AP CERT members. I think I should stop now to pass the floor to Karim. Thank you.

Koichiro Sparky Komiyama:
Thank you very much. I have a very quick question. So how many members do you have from how many countries or economies? In AP CERT you mean? Yes, we have 33 teams from 24 countries and economies. I’m not sure how many economies we have in Asia, but it seems like it has a very good coverage or it has very good coverage among AP region. Thank you very much. I also think it’s very interesting AP CERT not work inside or within Asia Pacific, it also team up with the AP CERT members, so it’s a good way to know how many people are there for exercise or drill. So that is a good segue to Karim’s part. So Karim, now I’d like to give the floor to you. We’d like to know who Africa CERT is, how members of the community like Africa CERT? I also like to know how CERT Mauritius engage with even other than Africa CERT, because, for example, I see several activities at African Union on cyber security, and anything from your past experience. So over to you, Karim.

Kaleem Ahmed Usmani:
Good morning, everyone. And this is 3.35 in the morning in Mauritius. First of all, Sparky, thank you for giving us the floor. So here I’m having two hats, and first of all, of course, I’m heading the Mauritian computer emergency response team. And at the same time, as Sparky mentioned, I’m working and talking on behalf of Africa CERT. And as Martha mentioned, like any other CERTs which we are talking about, AP CERT, the same like is the regional CERT in Africa. And this particular Africa CERT has been operating for quite some time, and then the kind of activities which we are doing is not very different than what other regional CERTs are doing. And especially we are working on different things, and incident handling surely is one among them, because As Sparky mentioned, Serge has been talking about that we are the firefighters and once we are firefighters, we have to work along with the different teams in Africa and along the globe in order to coordinate those cyber incidents which we are talking about. If quickly, I come back to the question that how many teams we have, of course, we all know that Africa is very big, we are having 35 countries in Africa right now, we are having some 26 national search, the countries who have the national search in Africa and they are all members of Africa plus also other organizations, they are joining Africa search over the years and the whole idea here of Africa search is to coordinate cyber security incidents and obviously, we are focusing very much on capacity building within the continent and within that particular capacity building, we have been organizing a number of activities where first and then even Japan search has been actively supporting that and some of the activities where first has been there is the first technical symposium which has been organized for a few years and actively our first in Africa search working together. Again, Japan search has been very instrumental in providing its resources to Africa search for many years, in fact, now down the line and I think we are thankful to Spock where he has been actively supporting the cause of capacity building in Africa and he has been traveling extensively into the continent in order to provide capacity. So, technical symposium is one and through that symposium, a number of activities are happening and then lately, we also started a continental cyber drill and this continental cyber drill is an activity where a number of teams and a number of countries are participating. So, already we had two additions, so we started in 2021, 2022 and this time, we are going to organize in Maputo Mozambique from the 9th and the 10th of November where we are expecting again more than some 35 to 36 teams. So, that number is growing but again, the idea is to build capacity, build a preparedness of the teams and then this is where different activities we are doing as part of the cyber drill. So, right from the TTX to capture the flag and then the technical simulation exercises, they are all happening and then as Spock mentioned that we are opening it to the across the region so that more and more teams not only from Africa, they could join from other regions and then we can share their experiences of incident response so that we understand what kind of threat surface are there in other regions and accordingly based on to that, we are able to manage that. So, that’s something what is in there and then even if we see again a few activities which we are trying to promote apart from many other because like any other regional effort, we are also the part of the different forums. So, in different forums, if I talk about we are the part of the ITU-SD17 AFR activities, we are part of the ITU-D4 CSIRT capacity building, we are part of the GFCE partners since 2021 and we have been also involved into writing the engagement strategy for FOST in Africa since 2015. This Africa CIRT also has introduced Professor Suguru Yamaguchi’s fellowship and I think Spock is here and again, Professor, he has been supporting these activities and again, we did those started fellowship program again into Africa and we are a part of the symposium as I mentioned, we are a part of the GFCE CIRT, OIC CIRT, again we are working actively with ICANN. So, in a nutshell, more and more teams are joining Africa CIRT because more and more teams are the countries they are setting up their national CIRT. So, that’s what we have been trying so that because out of 54 countries, the number of CSIRT teams in Africa is fairly lower than other regions and I believe even FOST has been promoting and focusing up to that so that more and more teams are able to, countries in particular are able to have their national CIRT and that is something even we are promoting all the way. So, one specific activity which also I’d like to mention here is information sharing and information sharing I believe is important across the regions and that’s what we are trying to do within Africa. We have come up with our own different platforms in different countries of the teams and then these teams, they are sharing that particular information and that’s what we are promoting at. So, maybe I’ll quickly, I’ll stop here so that if there are more questions, I’ll be able to take it up later. So, in a nutshell, that’s what Africa CIRT does very much around capacity building, incident coordination and obviously preparedness exercises. Back to you, Swati. Thank you very much.

Koichiro Sparky Komiyama:
Thank you. Thank you, Karim. It’s good to know. I still remember Africa has a little bit more than 50 countries in the giant continents and you succeed in attracting many states to be part of this community. I’d like to clarify, Karim, if for example ISPs in Mauritius or South Africa like to join Africa CIRT, can they be a member of Africa CIRT? Yes, they can. To answer your question,

Kaleem Ahmed Usmani:
I suppose yes, they can and then maybe you have been asking the support from Mauritius as in supporting Africa CIRT. Then quickly maybe in a sentence or two, we are again along with Africa CIRT and providing support for building capacity for different things and that’s what we have tried to do. We are engaging with different teams and then adding their expertise in order to conduct any activity which we are trying to do and this is helping us in a way to build capacity along with other partners, international partners, for example, FIRST and many more. So, that’s where things are happening in this fashion. Thank you.

Koichiro Sparky Komiyama:
Thank you so much, Karim. It’s good to know since in the beginning you have a very strong tie with a global community like FIRST, although it seems like there’s a pretty regional challenges like, you know, the wider, the big continent with lots of, how do I say, the gaps in the capacity not only for cyber security but for other matters. Thank you all. Thank you all three panelists for your remarks and I also like to add two points before we go to the Q&A part. First, sorry for someone from Europe or other region other than Asia and Africa. As we have like APCIRT in Asia or Africa CIRT in Africa, so TFC CIRT and other organization are pretty active in getting CIRT team together in Europe and, of course, EU is trying to consolidate cyber security talent for their project and, again, PACSAN, an ongoing effort in Pacific Islands, again, to get the CIRT from all the island nations and also we have ASEAN CIRT, which they will be officially established soon. So, today we don’t have a representative from those regions but I like to make sure things are happening in the region. And my second point is there are also collaboration of CIRT stemmed from a strategic alliance, not from the computer security or cyber security field. For example, NATO has they have been trying to force the cyber security cooperation among NATO member states. Many of you haven’t heard this before but security dialogue between Australia, India, Japan, United States is trying to follow that path, too. And I also heard Shanghai Corporation Organization, SCO, led by or moderated by China, convene a regular meeting by CIRT of member states. Finally, there’s a similar attempt by CIS. CIS is a Eurasian intergovernmental security dialogue, not alliance, including last year. But at CIS, there’s also a very active sharing and cooperation among CSIRTs of each state. So, these intergovernmental efforts can be distinct from, for example, APCIRT or FIRST because FIRST, I think most of the members are from private sectors, APCIRT as well, and I just learned from Karim that private sector can be part of Africa CIRT. So, there’s clearly a difference in the membership status and a CSIRT network of multi-stakeholder organization. So, that means either APCIRT or FIRST or Africa CIRT, private sector or civil society can play a crucial role. Anyways, with contribution from our panel, we now understand how those global or regional collaboration mechanism works. Thank you to all the panelists. So, who was calling you? Okay. So, now I’d like to ask a few questions to our panel. By the way, Saochi, Karim, we have like 30 people sitting in a room, watching carefully your fight at 3.45 in the morning. So, yeah, please stay awake for another 15 minutes. And I also encourage audience on site or online to prepare your questions as well, because in the next segment, I will ask you for any questions to the panelists. So, I first like to ask this to Saochi, since before your current position, you also worked for messaging companies in Switzerland and others, and you have quite a rich experience in dealing with international organization and civil society in Switzerland and everywhere. Is it, you know, from your own perspective or from FIRST point of view, is it important to protect the under-resourced civil society or it’s simply not the role of FIRST?

Serge Droz:
So, thanks, Sparky. This is really a very good question. It’s something that sometimes keeps me awake a little bit or makes me fall asleep slower. FIRST members are mostly from the private sector. They’re typically tech companies that are mature enough to realize that they actually need IT security. There are banks, because banks know that they’re attacked, because that’s where the money is and where the criminals go. Other parts of the membership communities are states, because states realize that this is important. But really, what we are missing is civil society. We are missing many of the organizations that protect individual users, that protect minorities, that protect groups that are under pressure. Part of this is explained through the resources these people have. Sometimes I have the impression a CSIRT is in this community or the security person in this community is just one person and their cat. And these people just don’t have the resources to apply for FIRST membership and become a member. Yet, we exactly need these people. We as a community, as a global community, we need to start thinking about how we can support this. That sounds all nice and dandy and easy, but it’s actually quite a challenge, because for very good reasons, quite often members of civil society distrust big companies, they distrust states. And that is a challenge. And again, I think we have to get the firefighter paradigm. A firefighter doesn’t really care if the house of a billionaire is on fire or a poor person. It just shouldn’t make a difference. And that’s the same way we have here. Our hope really is that civil society gets up and starts talking to us. And I do know a lot of people in the FIRST community that are more than happy to start helping and supporting these communities, appreciating that they don’t have the resources that many of us within FIRST have. So here’s a pledge also to a lot of the organizations present at the IGF, start talking to us. This is too important.

Koichiro Sparky Komiyama:
Thank you so much, Saúl. Now, I really miss you. I miss the fact that you cannot sit with us this time. But thank you so much, Saúl. And for Karim and Masa, I have the same question for two of you. In what circumstances have you faced or have you felt a mismatch between expectations outside your community and your own capacity? I think people like myself asking Africa or Ibiza to do this, in those cases, do you think you are self-sufficient and can respond to any requests outside or you have any, you know, you identify any area you need to work on? So, I’m not sure who goes first. Maybe. Karim, can you go first? Ladies first? Okay. Ladies want you to start first.

Kaleem Ahmed Usmani:
All right. No problem. Okay. Okay. Okay. So, coming back to this question, Sparky, this is, again, interesting because and that’s what we have been talking about and that’s what we should discuss because capacity and then the deliver to your constituency or to your region is, in fact, is important. And this is, again, a very demanding and a daunting task for any region. And then the same applies to Africa. And just to put it on record here that we have been trying to, because our team size is smaller than other regions in different things, but the way of modus operandi of Africa is a little bit different because we are trying to gather teams together. And with those teams, we are trying to execute the needs of the region. So, I think that’s a little bit differently we are trying to operate. And, yes, lots of capacity building is happening along with other stakeholders in different things. Actively, Africa has been able to form different working groups at the same time. And we are trying to extract the expertise of experts within the region in order to build up the capacity around those areas. And especially if I talk about critical infrastructure, if I talk about the cyber diplomacy, if I talk about the SCADA assistance, if I talk about information sharing. So, these kind of things are happening already. And I believe that, especially on the part of the critical infrastructure security, that’s what the region is picking it up. Because if we see Africa from other regions, so their focus on building capacity around critical infrastructures have been of failing slower than other regions. And the reason is, of course, the expertise and then also in terms of their preparedness for different reasons. So I believe that that’s the focus slide for us and from there we are trying to pick it up and this is where with the different agencies we are trying to train people within the region on critical infrastructure protection and specific training programs have been started. So it’s just the beginning but of course that’s the challenge for us where more teams in more countries they could be exposed to this kind of training so that they are able to well protect their infrastructure or critical infrastructure better. So I think I’ll stop here.

Koichiro Sparky Komiyama:
Thank you very much. To me it sounds most of the issue or challenges you have right now is not regional. It sounds we are facing the same or pretty similar challenges together at the same time. Masa?

Masae Toyama:
Okay so honestly I don’t have any big difference between the expectation from other communities and what we are doing in AP CERT. So instead I would like to mention about the challenging we had if I may. So one of the challenges that we face as AP CERT is it’s challenging to keep the members interaction going after the pandemic. So basically before the pandemic we had several times to get together for example annual general meetings and also steering committee meeting to exchange the honest view or the current status for each organization. But during the pandemic we had to end up with communication online. So right now we are so excited to restart the in-person activities and then we had steering committee meeting in September last month exactly same place here and it was the first time in four years. So yeah we’d like to resume this kind of activity again and we also would like to continue to reach out to the support those team in the region that are eligible for AP CERT membership but are not yet members. So basically the Asia-Pacific region refers to the APNIC boundaries. So there are some countries where that is not a member of AP CERT yet. For example Pacific Island, certain Pacific Islands and also Middle Asia. So yeah we’d like to talk about this topic and extend the interest for joining AP CERT. And then for us another topic is for us it’s more important than ever before not to lose a sense of balance in order to maintain neutrality. To give an example of China, mainland China, Hong Kong, Taiwan, Macau are all equally represented as independent teams in AP CERT. And such an organization is very unique given the current circumstances. So that’s one of the key that secretariat and also steering committee is focusing on and we try to keep neutrality as much as possible to maintain one of the great features of AP CERT. Thank you so much.

Koichiro Sparky Komiyama:
The last part of your statement, the neutrality is pretty difficult to define or how to achieve but I get your point. As a secretariat you like to serve for your members equally. I think that’s what you like to achieve. Thank you all the panelists and now I’d like to open the floor for audience for your questions. We have two microphones so please come up in front of one of those. Who’s first? We don’t see any question online at the moment. Okay, I see. Oh, great. So please identify yourself before we have a question.

Kaleem Ahmed Usmani:
Good morning everyone. Clay from FIRST, so same organization as SEARCH. Just a kind of broad question for everyone, particularly around the regional networks. What can the regional networks do to improve cyber security more broadly that they’re not doing already? What are some kind of ambitious activities that you think organizations like AP CERT, Paxon, Africa CERT, C-CERT Americas, you know, name them all, could do to kind of spread resilience beyond just the incident response community?

Koichiro Sparky Komiyama:
So I guess this is a question mainly for Karim, Masa, or maybe myself. Karim, if I may go first or you’d like to pick up this question? The way you prefer, Sparky, you can go ahead and then I can… Sure, thank you. My response to the question on how regional C-CERT network can help mitigate the problem. We sometimes see regional threat or regional issues in cyberspace. I’ll give you an example. There’s a very popular Korean IPTV set box, which is quite vulnerable. And since it’s a very popular device, it can be sold and it is widely used in Japan, Hong Kong, Singapore, maybe Malaysia, and of course, Korea. Even to this date, we have similar type of the regionally popular products. And in those cases, for example, in AP-CERT, there’s a joint traffic monitoring project, and we see spike in certain ports of TCP traffic and can at least tell affected countries or affected C-CERTs of affected region to check to see if there is something they’d like to address. So the existence of regional threat is, to me, the major motivation to maintain the regional collaboration framework. Karim?

Kaleem Ahmed Usmani:
Thank you, Sparky. And thank you, Cleve, for this wonderful question, in fact. Because this cuts across all the regions, and as you rightly said. But again, the way I want to answer this question, there are different things, obviously, if I look at the African region. And one of the things is how do we manage threat best? And once how do we manage threat best and the way we see in Africa, so monitoring of threats is a kind of a challenge for each and every country. And the reason is that different countries, they have a different level of maturity. And some countries, they have started a little earlier. Some of the countries, they have started some five, six, seven years back. And some of the countries, they are starting now. And once they are starting now and then five years back and then earlier, they have a different level of maturity. And we being a third community, I believe, and other regions, they have done it. How can we join hands together in order for us to monitor things regionally or specific to a particular region where different teams, they could join hands together in order to manage a threat? And one example could be sort of a regional monitoring and information sharing support, which the country, they can have. And just on to that part, like SARDIC in Africa, Southern African Development Community, they have set up a SARDIC CSER task force. And this SARDIC CSER task force has been set up still in a very initial stage with a view that we can have a common goal. And then all different teams, those who have the capacity, they are able to help the countries in the case of cyber crisis. So that’s one component. But I think the second component also which we need to understand is that a technical infrastructure, which is very important. And technical infrastructure, because in terms of a number of things, technical infrastructure for information sharing, technical infrastructure for a bot detection, technical infrastructure for a honeypot setup, and then combining all these together and then monitoring somewhere from a security operation center. So this is not a new concept, but this is the kind of a concept which is required in the region so that everybody could help each other in order to manage threats better. So I think that’s what is coming to my mind, and this is where I want to stop. Thank you very much. Back to you, Sparky.

Koichiro Sparky Komiyama:
Thank you, Karim. Thank you very much. We have another question. Please.

Audience:
Good morning, and thank you to the panel. My name is Tom. I’m from the National Institute of Cybersecurity in Taiwan, and I just am here to say that we’re here to help. We are a newly established institute, and we have a mandate to collaborate internationally. And as Toyama-san said, we’re also really excited to get back into physical interactions. And so my question for the panel is I’m looking at different models that countries are using to bring people together physically to improve cyber capability in different countries. And I saw, for example, in 2021, Lithuania established a regional cyber defense center, and they’ve been gathering together with Ukraine, Georgia, Poland, and the USA in person to help improve the cyber defense of the region. So they’re all quite advanced cyber actors. But should we, those of us that have the capability to fly places and meet in person, be conducting those kind of activities around the world? Thank you.

Koichiro Sparky Komiyama:
Thank you very much. That’s a pretty interesting question. I’d like to begin with, I’m not sure if the Slovenian regional collaboration is done by CSETs in the region or militaries. So we see, of course, many activities by our armed force, military defense, and other forces in the region. But as far as I can recall, there’s no international permanent joint operational center which Japan is part of. But Serge, Karim, do you have any thoughts on this question?

Serge Droz:
Yes. So I think what you kind of implied is that the in-person gatherings are about kind of building up capacity, building up know-how, and stuff like this. I would wager that the real importance about these type of meetings and about the physical get-togethers is to actually form trust. Because trust is the fuel that instance response works on. If you were dealing with an incident, you’re typically dealing with something that you don’t want to have public. It’s kind of embarrassing. Your host organization got hacked. So you only want to talk to people you trust. You trust them that they don’t kind of blur this out to the rest of the world. You have to share secrets. And I think that’s the main reason why you should be doing this. And this also ties in a little bit into the previous questions about what the regional organization should do. In my view, what really distinguishes instance response from, say, a trade association or something like this is that we build communities that trust each other and that kind of share a common language. If you look at FIRST’s mission, one of the three missions we have is building or working on a global language. And this is not about French versus German or something. It’s about having the same understanding of the challenges and being able, during a crisis, to talk to each other and to work with each other. Again, if you take the firefighter equivalent, if you’re a firefighter and you’re kind of really going into a house that’s burning, you just have to trust the people outside to do the right thing. And I think that, for me, is the important thing. And that’s really what these meetings are. And I know you, Sparky, from many of the board meetings where we had a lot of discussions. And what I really take out is that if I have an issue in Japan, I actually trust you to do the right things. And I tell you a lot of things that I wouldn’t really tell many other people. So I think, for me, that is the essence of getting us together. And that’s the justification why I still should travel during times where we have climate change and we should reuse traveling.

Koichiro Sparky Komiyama:
Thank you, Serge. We are running up the time. So, Karim, can you provide a very short answer to the question and also the final piece of advice or message for our audience? And then, Serge, go back to you just for 15 seconds of your last message. Masa, you too. Thank you. Karim.

Kaleem Ahmed Usmani:
Thank you, Sparky. I think just to answer this question, something like a confidence-building measure, which is obviously part of the cyber diplomacy, but I think it very much applies into this context. And confidence-building measure cannot happen unless and until we don’t sit together and then we talk to each other. And this is very much based on truth across building. And that’s something that has started in Africa and many other regions, and Asia, I know, and Europe, I know. Again, in Africa. So if we sit together, and that’s what we have started trying to do with SARDIC. And I think this will work. And why it will work, because we have to have the trust of the people. And once people trust you, they come back to you. And once they come back to you, definitely things get better in terms of instant resolution. So to short answer of this question, of course, we can discuss for hours. But I think confidence-building measure is important for us to be able to outreach the different teams and the communities in order to resolve incidents. That’s the answer for this question. And then I think the final thing which I wanted to say, which Sparky has asked, is I think we have to join hands together. Because we need each other as a community to build resilience around our systems and infrastructure. And alone we cannot do much. And this is where I think this forum is going to help. Because we have the expertise, we have the experts, and then I think we can all join hands together to get things better for the continent and for the region. So thank you very much. With my final words, Sparky, back to you.

Koichiro Sparky Komiyama:
Thank you, Karim. So, Masa, 15 seconds.

Masae Toyama:
15 seconds, right. I believe that the future development of cyber security at the regional level should not only deal with emergency response when needed, but rather continue with normal collaborative activities such as tours and events in APC community, which make more sense for emergency coordination. And those who are interested in such activities, please refer to APC annual report, which is available for everyone. Thank you.

Koichiro Sparky Komiyama:
Thank you, Masa. 15 seconds.

Serge Droz:
So, speaking for first, I mean, my big wish really is that we have strong cyber security communities all around the globe. And that these communities can work together and that they do the right thing. So we also should continue thinking about what is it CSER should be doing and what is it they shouldn’t be doing. But that’s for our next panel. Thanks.

Koichiro Sparky Komiyama:
All right. Thank you, panelists, and thank you, our audience. This is the end of the session. Thanks for everyone for joining this panel. Thank you very much, and see you next IGF. Thank you. Karim, Saoji, thank you very much. Now you can go to bed. Yes, I will. Thank you. Bye bye. Bye bye. Bye everyone.