Welcome to IGF2017! Create your schedule below and participate!
Venue Map
Back To Schedule
Monday, December 18 • 11:50 - 13:20
Critical issues in improving cyber security incident response (WS39)

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Proposer's Name: Mr. Maarten Vanhorenbeeck
Proposer's Organization: Forum of Incident Response and Security Teams (FIRST)
Co-Proposer's Name: Mr. Michael Carbone
Co-Proposer's Organization: Access Now
Mr,.Maarten,VAN HORENBEECK,Technical Community,FIRST
Mr.,Michael,CARBONE,Civil Society,Access Now

Session Format: Panel - 90 Min

Country: United States
Stakeholder Group: Technical Community

Country: United States
Stakeholder Group: Civil Society

Speaker: Cristine Hoepers
Speaker: Audrey Plonk
Speaker: Githaiga Grace
Speaker: Mallory Knodel
Speaker: Martijn de Hamer

Content of the Session:
This panel, proposed by FIRST, an international association of CSIRT, and Access Now, a civil society CSIRT, aims to identify critical issues that may affect how CSIRT are trusted or otherwise effective in responding to security incidents across multiple stakeholder groups. Issues that are expected to be raised include privacy of users, human rights issues involved in security response, and the tension between network security monitoring for security purposes, and surveillance.

The goal of the session is to identify types of behavior that may have developed over time between stakeholders around the work of CSIRT. Output from the session will be submitted to a number of forums, including the IGF BPF on Cybersecurity, or the FIRST Special Interest Group on Ethics.

Relevance of the Session:
While much work is being done on making the internet a trustworthy, secure network that can support various uses such as cultural exchange, business transactions and government, security incidents will continue to have an impact.

A cornerstone of security programs both in government and business is the development of a strong incident response program. Incident response programs often result in the creation of a specific entity, commonly referred to as a Computer Emergency Response Team (CERT) or Computer Security Incident Response Team (CSIRT). These organizations exchange information with their peers to detect incidents, and take appropriate steps to mitigate negative impact on their host organization.

CSIRT can have a role that is limited to a particular industry, a specific country, or a specific organizational network. They can also be responsible for the response to security issues in software and networks widely used by individual users.

A concern of incident response is the fact that it needs to operate well across stakeholder groups. Each group has a separate responsibility: government may CSIRT protect national security, protect the economic capability of a state, or protect its citizens. Private sector companies operate large parts of the internet and its infrastructure, and are required to ensure product safety. Civil society helps protect and ensure individual and organizational rights. The technical community is responsible for ensuring the "glue" between each of these works well, and the internet is an enabling service.

In order to truly shape our digital future, these core issues, covering privacy, human rights issues, and tension between stakeholder groups must be openly discussed, learned from, and our ability to deal with them improved.

Tag 1: Cybersecurity
Tag 2: Human Rights Online
Tag 3: Privacy

The workshop is planned as an interactive session with a moderated panel of experts. 40% of the time will be allocated to opening statements from the experts, in which they will be asked to address the indicated questions. 25% of the time will be allocated to interventions from the floor, 25% to interventions from remote participants and 10% of the time for closing statements.

Our lineup of confirmed expert panelists consists of:

Audrey Plonk, Senior Director, Global Cybersecurity and Internet Governance Policy, Intel Corporation (Private sector)
Grace Githaiga, Co-convenor for the Kenya ICT Action Network (Civil society)
Martijn de Hamer, Head of the National Cyber Security Operations Center at NCSC-NL (Government)
Mallory Knodel, Association for Progressive Communications (Civil society)
Cristine Hoepers, General Manager, CERT.br (Technical Community)

Moderator: Michael Carbone, Manager Education Programs, Access Now (Civil Society)
Remote moderator: Maarten Van Horenbeeck, Director, Forum of Incident Response and Security Teams (FIRST)

The following are the way specific topics will be addressed:

Affiliation: Civil Society

We will request Civil Society to discuss some of the challenges civil society experiences when dealing with security incidents, and engaging CSIRT community members for help, in particular those CSIRT from the government or private sector.

Affiliation: Government

We will request our government participants to discuss:
- The challenges in operating a CSIRT, and how to cooperate with other stakeholder groups, such as civil society.
- The implications of working with data on victims of cybersecurity incidents.

Affiliation: Private sector

We will request our private sector participant to discuss some of the challenges in working on product security issues with other stakeholder groups. For instance, how does the impact and response to a security incident change when the incident is exploited, and to what degree does the response become more sensitive. As an example, by disclosing the existence of a vulnerability, exploitation of vulnerable internet users may see an increase when no patch is available.

Affiliation: Technical community (CERT.br)

We will request our technical community participant to share anecdotes, concerns and learnings from working with different stakeholder groups. We will also ask them to share some of the concerns they have identified as being an organization that is required to work with all other stakeholders to coordinate the response to a major incident.

We will specifically ask in-person and remote participants to provide examples of issues they have seen, or to confirm or dispute issues the expert panelists have raised. 

As part of this panel, we have confirmed panelists from Africa, Latin America, Western Europe and North America. We anticipate the panel will be gender equal, which at this point holds true for our confirmed panelists. Representation exists from civil society, government and technical community. Currently each of the speakers listed has been confirmed. If we do need to make replacements closer to the date, we will continue to maintain the same stakeholder group/gender balance to the degree possible.

One of our goals with this panel is to create a forum in which civil society, government, technical community and private sector have the ability to meaningfully interact on some of the more important issues hindering their collaboration in cybersecurity, and in particular in global incident response.

We also plan to engage the potential audience with interest in this session through a number of third party organizations and initiatives, including FIRST, the BPF on Cybersecurity and several industry mailing lists to call for both remote and in-person attendees to participate.

Onsite Moderator: Michael Carbone
Online Moderator: Maarten Van Horenbeeck
Rapporteur: Maarten Van Horenbeeck

Online Participation:
During the session, we will ensure online participation in the following ways:

- A moderator is assigned to the online question queue whom is similar in background and technical expertise as the in-room moderator. The workshop proposer and author of the background paper will be online moderator;
- We will immediately relay questions as the "next up" question from the audience when one is flagged by a remote participant, to avoid unnecessary waiting for the remote participant. If the number of remote questions and comments overwhelms the number originating from the in-person group, we will switch to granting an opportunity to speak to someone remote, and then to someone attending in-person next;
- We plan to specifically advertise the session through relevant forums and mailing lists (including FIRST and the BPF on Cybersecurity) to sollicit participation by remote attendees. Where possible, we will engage with a number of the NRIs which have previously participated in cybersecurity session, or have shown an interest, to contribute their ideas.
- During the session closing, we will do a specific call to get closing remarks from a small number of remote (2-3) participants. We will announce this at the beginning of the session to ensure remote attendees can prepare their thoughts throughout the session.

Discussion facilitation:
The following agenda will be followed:

- Panel introduction by the moderator
- Each panelist introduces some areas of sensitivity around incident response operations they have experienced
- Panel moderator to ask panelists about their views on some of the issues shared
- Moderator to ask remote participants, and local participants, to raise issues they see as being sensitive in conducting incident response on security issues
- Moderator to ask panelists to provide input on some of the issues raised
- Moderator to ask remote and local participants for questions and ad


Session Organizers

Monday December 18, 2017 11:50 - 13:20 CET
Room XXV - E United Nations Office at Geneva (UNOG)