When there’s a major attack on critical infrastructure, we need global cross-border coordination mechanisms to investigate and respond. And we’re not there yet.
If a cyberattack knocked out the energy grid or hospital in your town, you’d expect a fast response. You’d perhaps imagine critical infrastructure operators, computer emergency response teams and cybersecurity vendors would coordinate, exchanging information and helping victims.
But today, global cross-border coordination mechanisms for a major attack on critical infrastructure aren’t there yet. In the event of an attack, those affected tend to look around for the right person to call and ask for help, delaying response and putting users and cyber stability at greater risk. What can be done about this lack of a system?
What’s been achieved so far?
We’re not entirely alone in the wilderness when dealing with critical infrastructure incidents. Since 1998, states have been talking about working with information and communication technology in the interests of peace and security. Countries have agreed on three international documents that pave the way for a global response to a critical infrastructure attack.
The 2015 UN Group of Governmental Experts (GGE) report includes non-binding norms for critical infrastructure protection and asks governments to “take appropriate measures to protect their critical infrastructure from ICT threats.” It also promotes assisting victim states. The 2021 UN Open-Ended Working Group (OEWG) consensus report recommends states “consider nominating a national Point of Contact (PoC) at technical, policy and diplomatic levels.” In the advance copy of the 2021 GGE report, 25 government experts elaborate on how to implement norms, including on critical infrastructure protection and assistance. States also clarify how Points of Contact (PoCs) can work.
With these steps, the global community has a good base for developing a global incident response. But it’s important to start implementing these agreements while clarifying what victims should and shouldn’t do, the private sector’s role and how any party should gather and exchange information for incident response and mitigation.
High on the cyber expert agenda
Experts have been discussing improving global response mechanisms, for example, at the world cybersecurity conference, RSA, in 2021. One RSA Conference session saw experts from INTERPOL, the global Forum of Incident Response and Security Teams (FIRST) and Switzerland’s Federal Department of Foreign Affairs (FDFA) sharing views.
Craig Jones, INTEROL’s Director of Cybercrime, said information and communication technology incidents are underreported and under-investigated because there’s no unified mechanism to inform everyone of an attack.
When attacks happen, people don’t dial 911 or call the police – we’re normally a second or third call after their IT security. But we should be among the first to investigate – with computer emergency response teams, private partners and across borders.
Craig Jones, Director of Cybercrime, INTERPOL
Jones continued, “It’s in everyone’s interests to thoroughly investigate incidents and to gather and share as much information as possible.”
Despite the value of unified action, the current geopolitical situation contributes to a lack of information-sharing and low trust between states.
Serge Droz, Chair of FIRST, says building trust in a difficult political environment can’t be rushed. “Cybercriminals love ‘divide and conquer.’ That’s why our biggest challenge is to decide how we’ll all work better together.”
Building trust and cooperation between states
Jon Fanzun, Special Envoy for Cyber Foreign and Security Policy at Switzerland’s FDFA, spoke of what’s needed for greater trust between states and between states and the private sector.
The global community needs consensus on how international law applies in cyberspace, how human rights should be protected online, how norms of responsible state behavior should be implemented and what the role of other stakeholders is. We must also implement what we agreed on and to hold those who violate agreements accountable.
Jon Fanzun, Special Envoy for Cyber Foreign and Security Policy at Switzerland's FDFA
The Geneva Dialogue on Responsible Behavior in Cyberspace, led by the Swiss FDFA and implemented by DiploFoundation, is an example of building greater trust and closer community. The dialogue shapes a joint vision of digital security and global policy processes for a trusted, secure and stable cyberspace.
What should the mechanism be like?
The mechanism should start by giving recommended technical and operational national Points of Contact (PoCs) in the event of an attack. These would serve as a ‘final station’ in reaching out to a national computer emergency response team, law enforcement agency or cybersecurity professionals to exchange technical information to help cross-border cooperation and incident response.
Computer emergency response teams (CERTs) must be neutral, just as firefighters focus on extinguishing a fire, not attributing blame or chasing arsonists. Ensuring this neutrality would build trust and encourage parties to exchange information for joint success.
Serge Droz, Chair of FIRST
How a global incident response mechanism might work
There could be a three-step process in a scenario such as a country’s energy grid being attacked.
Step 1: National Points of Contact (PoCs) would facilitate further coordination with the country’s other authorities, as they organize cyber exercises regularly and have developed incident notification cross-border procedures, tools and templates.
Step 2: PoCs would connect the attacked energy grid with the software manufacturer and a cybersecurity company, and CERTs of the attacked country and software manufacturer’s country.
Step 3: PoCs would quickly exchange information on the threat and analyze and compare forensic samples to address the incident.
This mechanism would ensure a timely and coordinated global response and mitigation, and enhance the global community’s technical and operational capacities, contributing to cyber stability.
There are encouraging signs like the UN open-ended working group on cyber and the sixth GGE process. It shows, despite confrontations in cyberspace, states want to keep up critical dialogue for cyber stability. For everyone else, including us at Kaspersky, it’s important to follow these processes and engage proactively, supporting states with our expertise to help keep our shared cyberspace open, stable and secure.