International cooperation between CERTS: Technical diplomacy for cybersecurity? (WS38)

20 Dec 2017 10:15h - 11:45h

Event report

[Read more session reports and live updates from the 12th Internet Governance Forum]

Mr Pablo Hinojosa, Asia Pacific Network Information Centre (APNIC), opened the workshop with a remark that the Computer Emergency Response Teams (CERTs) and Computer Security Incident Response Teams (CSIRTs) community can provide a good contribution for ongoing debate on cybersecurity norms.

Dr Madeline Carr, Associate Professor of International Relations and Cyber Security, University College London, gave her insights to the topic from the academic, international relations perspective. In 2003 the United States produced its first national cybersecurity strategy, and after that other states rapidly began to follow by producing their national cybersecurity strategies. It was a meant to develop a momentum for ,CERTs or CSIRTs and they were seen as a sign of maturity of the state. Carr noted that close cooperation between CERTs and the intelligence community could actually undermine the efficacy of a CERT. In the end, Carr shared the idea of science diplomacy – ‘it is an established body of work and it looks at ways that scientists can sometimes do things, they can lead cooperation that politicians are unable to.’

Ms Leonie Tanczer, Postdoctoral Research Associate at University College, London, presented her research on CERT practices and roles in international relations. She stressed three main points:

  • CERTs are considered as diplomatic actors based on the fact that the tech community collaborates across national borders in formal and informal ways to build trust. Also they have formal and informal structures to incorporate, negotiate and mediates across different cultures and practices .
  • Increasing professionalisation of CERTs
  • Politicisation of CERTs – cybersecurity became a national issue, and if previously CERTs were established  on a need-drive basis,  now  states establish their own national CSIRTs that affect the trust networks that were established over years and decades.

The perspective from the technical community was provided by Mr Adli Wahid, Board Member of Forum of Incident Response and Security Teams (FIRST). He made an insight to the work of CERTs. He said the incident response process is actually very proactive, CERTs respond quickly to mitigate the damage as not to distribute further and cause more damage. The goal is not to just protect your own network but also the networks in general. Wahid also noted that many of the CERTs are not related to nations, in fact, many of the first were private CERTs linked to hospitals, academia and banks. Also, personal and trusted contacts between CERTs professionals are highly important for incident information exchange.

Mr Marten Van Horenbeeck, Forum of Incident Response and Security Teams (FIRST), said that cybersecurity is not actually a national concept.  ‘By definition it is almost impossible to make it that.  We all rely on cooperation.  CSIRTs in particular deal with the security incidents.  For example, we all use software written in other countries, when there is are security vulnerabilities in the software we have to engage with the vendor and individuals that have written that software to get a patch.  Outside of that, CSIRTs can mitigate but not fix the issue’. He also pointed to a situation when CERTs are seen as agencies for states, so governments can interfere in their work and decide whether they should be engaged in cooperation and to what extent.

Ms Louise Marie Huriel, Research Associate, Policy and Geopolitical Analysis – ‎Center for Political and Strategic Studies, distinguished three dimensions to talk about diplomacy and CERTs: International cooperation between national CERTs, cooperation of CERTs on a national level and the relationship between CERTs and other institutions. She also stressed that independence of CERTs is the main condition for trust between them.

Mr Duncan Hollis, Associate Dean for Academic Affairs and a Professor of Law at Temple Law School, asked the panel a question of what role should CERTs as a subject of the normative project play.  He asked Mr  Vladimir Radunovic, DiploFoundation,  to  give  an initial overview of where that normative vision for CERTs came from.

Radunovic introduced a map of countries that actually say that they have offensive cyber capabilities. ‘20 countries at least that say themselves today that they have offensive cyber abilities, some of those are more or less responsible saying how they’ll use it, but many not.  There are 9 more for which there are strong indications that they have; but most likely there are  many more countries on this list’. Also, he presented the research ‘Towards a secure cyberspace via regional cooperation’ which compares a range of documents issued by  the UN GGE, OSCE, ASEAN Regional Forum and Organisation of American States (OAS), and outlined elements talking about CERTs in different way:

  • explicitly: not attacking CERTs and not using them for attacks; but also facilitating the cooperation among CERTs
  • implicitly: establishing contact points that should provide information about CERTs, and creating databases of contacts not duplicating CERT networks, sharing experiences in dealing with threats in cooperation with CERTs, and online information sharing on threats on critical infrastructure, together with CERTs
  • calling for enhancing capacities on incident response, CERT-to-CERT communication, and reporting incidents


By the end of the session Mr Hollis invited for discussion governmental representatives. Mr Karsten Geier, Head of Cyber Policy Coordination Staff, Federal Foreign Office, Germany, explained the essence of cyber diplomacy: the primary target of cyber diplomacy must be not to prevent the use of information communication technology in international conflict, but to prevent international conflict to emerge inadvertently, involuntarily from incidents which have happened in cyberspace, which are due to the use of information communication technologies. He also gave a brief history of the UN GGE process, concluding that only one point of discussion prevents the Group this year from the consensus report. Geier mentiond the necessity of contact points between governments and CERTs which won’t duplicate the CERT-to-CERT collaboration, but will serve political needs.

The delegate from Australia, Mr Tobias Feakin, Australia’s Ambassador for Cyber Affairs, said that in some countries CERTs are already a part of the diplomatic toolkit; diplomats use them for technical advises. CERTs also can be useful in building links between norms and operational issues.

Mr Gavin Willis, Head International Relations, National Technical Authority for Information Assurance, UK, asked to be careful and avoid generalisation of CERTs as they are different. ‘We have a CERT structure in the UK, it is part of the national cybersecurity center under the GCHQ and the Minister for which is the Foreign Secretary.  I doubt if any of the national CERTs report to the foreign Minister.’  He also said the UK CERT has a strong relationship with the national CERTs of neighbour countries.

The representative from Microsoft, Mr Jan Neutze, Director of Cybersecurity Policy , also stated that it is very important to keep CERTs behind politics and keep them working on trust in order to be functional first responders.

Finally, Ms Elina Noor, Director, Foreign Policy and Security Studies, ISIS Malaysia, expressed the opinion, that the technical community should be left alone without any interferences. She said that even at a track 2 level ‘we saw in discussions, government representatives and non-governmental representatives taking on very strict national positions which stymied the discussion from the get-go.’

By Ilona Stadnik