Geneva Manual exercise group 2

27 May 2024 14:15h - 14:45h


Disclaimer: This is not an official record of the session. The DiploAI system automatically generates these resources from the audiovisual recording. Resources are presented in their original format, as provided by the AI (e.g. including any spelling mistakes). The accuracy of these resources cannot be guaranteed.

Full session report

Cybersecurity professionals tackle hypothetical ransomware crisis in national response exercise

In a collaborative exercise aimed at enhancing national cybersecurity, a diverse group of professionals convened to discuss strategic responses to a hypothetical cyber incident. The exercise was designed to simulate a scenario where participants, representing a national cybersecurity agency, would need to address a ransomware attack impacting critical infrastructure.

Manuel Preciozo Ruiz initiated the session by outlining the exercise's framework and stressing the importance of group collaboration. He proposed using a shared Google Doc to distribute the scenario context and to collect the group's answers to the exercise questions. Before diving into the exercise, participants introduced themselves, with Klee Aiken, Orhan Osmani, Judith Hellerstein and others briefly stating their roles and affiliations.

As the discussion unfolded, it became evident that the group was tasked with differentiating their approach from another group, which was tackling the same exercise from the perspective of a critical infrastructure company. Manuel clarified that while the other group focused on the company’s viewpoint, their group was to approach the scenario as a National Cyber Security Agency.

Anastasiya Kazakova, among others, participated actively in the conversation, which revolved around the importance of information sharing, the assessment of the security situation, and the potential connections between incidents. The group debated the extent to which they should share information with a neighboring country’s national CERT, which had also been affected by a ransomware attack and was requesting assistance.

The participants discussed the Traffic Light Protocol (TLP) classification of the scenario information and the implications of sharing it: in particular, whether any of the material marked TLP:RED could be brought down to TLP:AMBER so that the agency could hold a more equal dialogue with the affected critical infrastructure operators at home and with the neighbouring country's CERT. They considered the existing relationships between agencies and the need for a pre-established platform for information sharing, rather than ad hoc memos that require multiple approvals before release. The group also touched upon the responsibilities of state actors under the UN cyber norms in such situations, including interstate cooperation, considering all relevant information, protecting critical infrastructure and responding to requests for assistance.

Barbara Marchiori de Assis provided a counterpoint to some of the more speculative aspects of the conversation, suggesting that the group might be reading too much into the information provided.

As the exercise drew to a close, the group prepared to reconvene in the main room. They planned to discuss their findings and compare them with the other group’s perspectives, with the aim of understanding the contrasting approaches and informing future discussions on the Geneva documents.

The exercise highlighted the complexities of responding to cyber incidents, the critical role of information sharing, and the importance of international cooperation in cybersecurity.

Session transcript

Manuel Preciozo Ruiz:
Nastia said the plan was to work as a group, as a national cybersecurity agency. So I’m going to share a Google Docs with you in which you will get the context for the exercise and within these Google Docs you will be able to share your thoughts on the questions. But I think before I do that, it would be good if maybe we can quickly introduce ourselves, say our role, familiarize with who is who in the room. I don’t know, who wants to start?

Klee Aiken:
Hello, I’m Klee. Y’all have already heard who I am. I’ll pass it on to Orhan.

Orhan Osmani:
Thank you, Klee. I think most of you also heard about me. So I’m Orhan from ITU. I’m happy to be here. Thank you. I’ll pass it to Judith.

Judith Hellerstein:
I’m just here as an observer. So I’m just observing. But is the other group doing critical infrastructure or what?

Manuel Preciozo Ruiz:
No, so yeah, the other group is more focusing on critical infrastructure. It’s the same exercise but from a different point of view. So the other group pretends to be a critical infrastructure company. We are National Cyber Security Agency, if that makes sense.

Anastasiya Kazakova:
Yes. No worries.

Guests:
Anyone else wants to introduce themselves? Hello, everyone. This is Serign Modou from Gambia. Nice to be here. Thank you. Thank you, Serign. We lost you there for a second, Lawrence. Oh, sorry. Let me see. I’m not sure if I’m still audible now. And you’re saying, Lawrence, you’re from FAST. Pleasure to be here. Maybe Manuel, just call them one by one to introduce themselves. Otherwise, you know, everybody’s waiting who’s going to start next. Yeah, honestly. Giovanna, would you like to introduce yourself, please? I’m holding the event room. I’m technical support. I see. We also have Francesca from Cyber Peace Institute. Hi, Francesca. And thank you, Rosanna, from INCIBE in Spain. I think Barbara is from Deloitte. Yes. Yes, hi, Juan. You’re like a professor calling out the names of the students. Exactly, you know. I mean, where’s my book? I’m checking who is not in the class, you know. So, hi, Manuel. Hi, I’m here. I’m glad. So, I work at Deloitte. Worked for Juan in the past. I’m a member of the working group A. So, glad to be here and start working and start the discussion.

Manuel Preciozo Ruiz:
Did you all get the link and open it, by the way? I sent it in the chat. Yeah. So, if you could open it and read the context and let me know if you have any questions. But also feel free to, I think what we can start doing is maybe focusing on question one first. Everyone is welcome to like add their own thoughts in there. And then maybe we can discuss some of the answers and then go on like this about it. Let’s give it a couple of minutes, if that works. Thank you, Clay. One second, I have someone ringing on my door. I’ll be here in a minute. If in the meantime, you can fill in the questionnaire.

Orhan Osmani:
Better go. Amazon is not going to wait for you.

Manuel Preciozo Ruiz:
Exactly.

Klee Aiken:
Critical infrastructure there.

Orhan Osmani:
Indeed.

Klee Aiken:
All right, folks. Pretty short kind of scenario here. Hopefully everyone’s had the chance to read it either in the doc or in the chat. So, the first question is really just looking at what is the security assessment of the situation? What are the key points that you would pull out from this scenario? What can you glean?

Serign Modou:
Okay. For the point one, I was thinking it would be good to relate the two incidents. Just to see whether there is a connection between them or whether the attack patterns are the same or not. Thank you.

Klee Aiken:
I guess if I could push you for a little bit more information. Seeing as one incident was shared with us from an internal source, Ministry of Defense, and the other was from an external national CERT, a foreign neighboring country. How much information are you willing to share or ask for to be able to make that assessment? Because at the moment, presumably the neighbor is not aware of the incident that you had. I don’t know if I’m getting ahead of myself, Manuel. I’ll hand it back to you.

Manuel Preciozo Ruiz:
No, no. That was a good clarification. Sorry, Orhan.

Orhan Osmani:
No, I was going to say, but also this one does not show that the incidents are linked to each other. One is clearly stating it’s a ransomware attack. The other one does not define what kind of attack it is, and so on. So, I think those are assumptions; we need to share more information. As Klee said, what information we want to share. In this case, it’s very difficult to understand anything without being really transparent and sharing whatever is really happening.

Manuel Preciozo Ruiz:
Any other thoughts? So, one of the points I’m hearing here is that we don’t know whether the other country is affected by the same incident as well. Sorry, I caught that on the middle. Yeah, so we could add that to the document. Any other thoughts on this regarding the main points?

Serign Modou:
Hello. In addition, I was thinking it would be good if the national side were able to kind of dig further to identify the attack patterns and also the kind of the likely type of attacks and all that it entails. And if they’re able to establish such, then also it would be good to inform the other end that we have, if they are the same, or if no information is given regarding the other end also, it’s to inform them that we have an attack also. So, share the information that they’re able to get. And if the other end will let that what they were able to have is in line with what these people have, then probably they can easily work together. To dig further and to see whether the attack are from the same source or similar, something like that. Thank you.

Orhan Osmani:
And also, and also, I mean, also they could look like separate attacks. One is basically targeting the third country, critical infrastructure. The other one is targeting only one critical infrastructure. And then ransomware is mainly connected to asking for, you know, for money, for kind of ransom. But the other one on top does not say, are they asking for any ransom or just attack on the country to kind of cripple it, not to be able to work and move forward.

Anastasiya Kazakova:
So we also don’t know what’s the motive. We could put it that way.

Orhan Osmani:
I think the motive is clear on the first case. On second one, it’s not really clear. First one is basically crippling the economy of a country. If you attack all this critical infrastructure, it means they know you’re looking more to cripple it and to ask for money. So.

Manuel Preciozo Ruiz:
Any other thoughts? Also welcome, feel free if you can unmute yourself to write in the chat and we can gather your input. That also works.

Orhan Osmani:
Mano, what’s the purpose of this exercise, if I get off?

Manuel Preciozo Ruiz:
Sorry?

Orhan Osmani:
What’s the purpose of this exercise? What’s the objective?

Manuel Preciozo Ruiz:
So the purpose is that after we have answered these questions, then we come back to the main room, discuss the answers and we will compare them with those with the other group. And all this is just to basically get the contrast of both groups on how the different perspectives from the agency and the critical infrastructure company, what’s the baseline understanding and what do they differ and how. Also on the Geneva documents, they can take this into account for the discussions, if that makes sense.

Klee Aiken:
So. Maybe it would be worth kind of exploring a little bit what our next steps would be, because we don’t actually have that much information and, you know, usually a safe answer to any cyber incident tabletop is gather more information. But perhaps we could ask ourselves, why is this information TLP:RED? And is there any information that we can, you know, bring down to TLP:AMBER, so we can have a bit more of an equal dialogue between government and the critical infrastructures impacted within the country, but also with our counterparts in the neighboring country to be able to determine similarities and see if the incidents are related.

Manuel Preciozo Ruiz:
Do others agree with what Klee said or?

Orhan Osmani:
I’m also here because I’m involved in two different national cybersecurity agencies, because, you know, talking about neighboring countries. So, on the NCA level, we need to have this collaboration, working together and so on, so basically to know how to share this information, how to, yeah. I mean, quite a lot of room to improve, you know. On the NCA level, we need to agree on how transparent we’re going to be with each other, you know. Do we have really, you know, clear information sharing platform where we share, you know. Basically, we don’t have to go and guess, you know, since we are neighboring countries and, you know, we want to share, so the memo doesn’t need to be sent. It should be automatically shared information, so then we can see where we stand in terms of collaboration and responding together.

Manuel Preciozo Ruiz:
I’m writing also, it’s unclear whether the neighboring countries are able to share the information or have a platform for sharing this information pre-established.

Orhan Osmani:
The way I’m saying, because, you know, looking at the memo and that’s understanding natural subscription authorities or agencies, when you create a memo, there are a number of approvals, something that memo is allowed to get out, but if you have clearly established, like, information sharing platform, you know, information is shared immediately. They can see what’s happening in your neighboring country. So, you just click on the button and you share the information, so.

Manuel Preciozo Ruiz:
Yeah.

Klee Aiken:
And I suppose we actually have an interesting question. I’m just reading a little bit more closely. The national CERT from the neighboring country is asking for assistance to investigate the ransomware attack that they’re facing. So, there’s an interesting capacity building angle, but also, considering the situation that we’re in ourselves, would we feel comfortable providing assistance? Because, obviously, we have a bit of a challenge that we want to deal with ourselves. And how to treat that type of information that you have access to, should we send folks across there?

Anastasiya Kazakova:
So,

Manuel Preciozo Ruiz:
any thoughts, any further thoughts on this? Would we be willing to have the cert from the neighboring country? As Clay said, it’s, yeah. What would you do in this situation? What would others do in their view?

Orhan Osmani:
I guess there is kind of collaboration established already. That’s why they would ask.

Manuel Preciozo Ruiz:
So, you would think the answers would be, in principle, yes.

Orhan Osmani:
I guess so. I mean, let’s say our team is more advanced than neighboring one. Of course, we need to help our neighbors. But, you know, just I’m not very convinced on the ransomware attack, you know. So, it’s already done the thing. So, basically, the hackers have already been in the system past three to four weeks. So, you know, basically, what can you do there already? Yeah, it depends on criticality of the national level, but it looks very critical on our national level. So, infrastructural attacks are now, should we work on ourselves or help the neighbors who are already deep in the attack?

Klee Aiken:
Just to throw some more crazy comments out there to add to the conversation. It’s interesting that it says in the last line that we are aware of the ransom attack, suggesting that we’re aware before we even heard from our national CERT colleagues, which would suggest that perhaps we were withholding information in the past already, which potentially could have prevented the incident impacting our neighbors. So, we should have a pretty solid review of our information sharing partnership and openness.

Orhan Osmani:
That’s also great to throw another thing. How we were aware and how did we know on the ransomware attack? Was it on the dark web? Where was this information? Or somebody in the country told us before they requested the help? I think lots of questions to be asked.

Barbara Marchiori de Assis:
Hi, Barbara here. I think you guys are reading too much into it, because they’re just aware of it. They say they don’t have further information. So, it seems to me it’s more like they were aware of some probably general information in the press, such as, well, things are not working. It was a ransomware attack, but they don’t have further information. So, it seems very superficial, just as general. So, I think you guys are into the conspiracy theory here a bit.

Orhan Osmani:
Barbara, that’s Klee and me. So, basically, that’s our job in conspiracy theory is to find what is in between the lines and we find the letters. So, I know that’s the thing.

Anastasiya Kazakova:
Okay. We have five minutes until we convene again on the main room. So, I don’t know if everyone has the document open, just to be ready for when the breakout or when we’re

Manuel Preciozo Ruiz:
called into the main room. Is there anything? I tried to capture some of the things we were saying on the go.

Serign Modou:
I have another thing, because in any constituency of critical infrastructure, there are critical infrastructure players that are there. So, it would be good to at least write to them immediately to notify them of this attack and what the attack entails. So, that could be also another point. Thank you.

Klee Aiken:
I guess to put on the norms hat again, we should consider our responsibilities as a responsible state actor for norm one, interstate cooperation on security, norm two, considering all relevant information, because we do not have enough information, seven, to protect our critical infrastructure, and eight, to respond to requests for assistance, but of course, considering the situation that we’re in.

Orhan Osmani:
Let’s see. We are not at all conspiracy theorists. We have solutions as well.

Manuel Preciozo Ruiz:
I’m assuming, Clay, you’re the one writing at the moment, or not? Yeah, I’m assuming you are.

Klee Aiken:
That’s me.

Manuel Preciozo Ruiz:
Okay, good. I think we have good points on the assessment of the situation. Obviously, as we said, there’s things that are unclear. Things that are unclear, that’s perfectly fine, but it’s also good to identify and assess it. But then, regarding points two and three, is there anything else that you’re missing in there? I noted Serign’s points on informing other critical infrastructure providers in the constituency. I see someone is typing, establish future information sharing mechanism and assistance, as we were saying. Very good. Would that be an immediate reaction response? It depends. It can be established ad hoc also for this situation. And then, on point three, regarding the response to the national CERT, I noted what, Orhan, you mentioned regarding the fact that it depends if there was a previous relationship, if the other CERT has less capacities. You also noted that the attack was already well underway. Anything else we’re missing there on the response? Did I capture your points correctly, Orhan, do you think? Okay, that’s good. Does anyone want to be the, I’m happy to be, but I think it would be better if you would also be sort of the reporter. I’m not sure if we’re going to need, I’m assuming we will, but if any of you want to report on behalf of the group, that will be welcome. Perhaps, Orhan, you…

Orhan Osmani:
No, no, I’m out. So, somebody who didn’t speak, you know, conspiracy theorists cannot speak now.

Anastasiya Kazakova:
No, we’re not judging, we’re not judging.

Orhan Osmani:
No, no, with Barbara, I know Barbara for a long time. Don’t worry, you know, we are friends.

Anastasiya Kazakova:
I know. Okay.

Orhan Osmani:
I think Klee can start, then we can add up the rest.

Anastasiya Kazakova:
Yeah, it can be a team effort, okay. That’s good. Okay, I think we’re gonna be back on the main room soon, so see you there. Thank you.

Speaker statistics

Speaker                       Speech speed (wpm)   Speech length (words)   Speech time (secs)
Anastasiya Kazakova           134                  101                     45
Barbara Marchiori de Assis    177                  89                      30
Guests                        163                  250                     92
Judith Hellerstein            140                  53                      23
Klee Aiken                    157                  593                     227
Manuel Preciozo Ruiz          134                  871                     389
Orhan Osmani                  192                  774                     242
Serign Modou                  171                  255                     89