Critical issues in improving cyber security incident response

18 Dec 2017 11:45h - 13:15h

Event report

[Read more session reports and live updates from the 12th Internet Governance Forum]

The session aimed to identify critical issues that may affect how Computer Security Incident Response Teams (CSIRTs) are trusted or otherwise effective in responding to security incidents across multiple stakeholder groups. Mr Gustaf Björksten, from Access Now, moderated the panel.

Ms Mallory Knodel, Senior Technical Coordinator at the Association for Progressive Communications (APC), talked about good examples of co-operation between civil society organisations and CERTs (Computer Emergency Response Teams). She mentioned that confusing information security with national security erodes trust, and she emphasised that CERTs need to work in a collaborative manner with civil society and other relevant stakeholders. It is not about civil society becoming technical experts, but about them partnering with the technical community and clearly voicing their questions, issues and priorities.

Ms Cristine Hoepers, General Manager of, talked about FIRST, the global Forum of Incident Response and Security Teams. She mentioned the value of joining the community and working with each other in an environment of trust. Additionally, she mentioned that FIRST is not just a technical community, but has participants from all stakeholder groups. Hoepers also asked whether we currently have too much automation, and whether we have enough knowledgeable people to work on these issues. She also reflected on the fact that national CERT teams, when they get too close to the government, decrease their co-operation with the global community. Hoepers said that this is the first time in history that the government cannot provide security without co-operation. However, a lot of governments are failing to realise that.

Mr Pedro Veiga mentioned that the added value of a CSIRT (Cyber Security Incident Response Team) is considerable, since it allows for the creation of a web of trust. If information on a security incident arrives on time, and arrives from a trustworthy source, the incident can be very easy to mitigate. Trust is fundamental. He went on to reflect on Portugal’s national strategy for security in cyberspace and how it tried to create different sectors that co-operate but do not mix. There are specific areas like the national security centre, cyber-defense, cyberterrorism, and cyber-intelligence.

Ms Audrey Plonk, Senior Director at Global Cybersecurity and Internet Governance Policy at the Intel Corporation, spoke from the perspective of the private sector. She mentioned Intel’s social responsibility approach, and their corporate policies, which are aligned with the UN Declaration of Human Rights. When a complex problem arises, the company involves its technical stakeholders to come up with suitable solutions, but also engages externally with academia, CERTs or governments. She mentioned how Intel looks at who is using a particular product, whether it is a human rights group, or whether they know that group is particularly relying on a feature, or on a set of technologies, and they try to factor that into their processes.

Ms Grace Githaiga, Co-convenor for the Kenya ICT Action Network, referred to the criminalisation of technical expertise. She mentioned an example where, during an election, there were accusations that the electoral system was hacked. The response to that situation was not properly thought through, and it did not take into account the merits and demerits of the concrete incident. She concluded by stating that it is important to distinguish between hackers and people who are experimenting with technology.

By Tamar Colodenco