{"id":40537,"date":"2021-07-08T11:00:13","date_gmt":"2021-07-08T15:00:13","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?post_type=emagazine&#038;p=40537"},"modified":"2021-07-09T04:24:41","modified_gmt":"2021-07-09T08:24:41","slug":"global-cyberincident-response","status":"publish","type":"emagazine","link":"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/global-cyberincident-response\/40537\/","title":{"rendered":"How the world could improve its cross-border cyber firefighting"},"content":{"rendered":"<p>If a cyberattack knocked out the <a href=\"https:\/\/www.kaspersky.com\/resource-center\/infographics\/stuxnet\" target=\"_blank\" rel=\"noopener nofollow\">energy grid<\/a> or <a href=\"https:\/\/www.kaspersky.com\/blog\/irish-health-service-ransomware\/22768\/\" target=\"_blank\" rel=\"noopener nofollow\">hospital<\/a> in your town, you\u2019d expect a fast response. You\u2019d perhaps imagine critical infrastructure operators, computer emergency response teams and cybersecurity vendors would coordinate, exchanging information and helping victims.<\/p>\n<p>But today, global cross-border coordination mechanisms for a major attack on critical infrastructure aren\u2019t there yet. In the event of an attack, those affected tend to look around for the right person to call and ask for help, delaying response and putting users and cyber stability at greater risk. What can be done about this lack of a system?<\/p>\n<h2>What\u2019s been achieved so far?<\/h2>\n<p>We\u2019re not entirely alone in the wilderness when dealing with critical infrastructure incidents. Since 1998, states have been talking about working with information and communication technology in the interests of peace and security. 
Countries have agreed on three international documents that pave the way for a global response to a critical infrastructure attack.<\/p>\n<p>The <a href=\"https:\/\/undocs.org\/A\/70\/174\" target=\"_blank\" rel=\"noopener nofollow\">2015 UN Group of Governmental Experts (GGE) report<\/a> includes non-binding norms for critical infrastructure protection and asks governments to \u201ctake appropriate measures to protect their critical infrastructure from ICT threats.\u201d It also promotes assisting victim states. The <a href=\"https:\/\/front.un-arm.org\/wp-content\/uploads\/2021\/03\/Final-report-A-AC.290-2021-CRP.2.pdf\" target=\"_blank\" rel=\"noopener nofollow\">2021 UN Open-Ended Working Group (OEWG) consensus report<\/a> recommends states \u201cconsider nominating a national Point of Contact (PoC) at technical, policy and diplomatic levels.\u201d In the <a href=\"https:\/\/front.un-arm.org\/wp-content\/uploads\/2021\/06\/final-report-2019-2021-gge-1-advance-copy.pdf\" target=\"_blank\" rel=\"noopener nofollow\">advance copy of the 2021 GGE report<\/a>, 25 government experts elaborate on how to implement norms, including on critical infrastructure protection and assistance. 
States also clarify how Points of Contact (PoCs) can work.<\/p>\n<p>With these steps, the global community has a good base for developing a global incident response. 
But it\u2019s important to start implementing these agreements while clarifying what victims should and shouldn\u2019t do, the private sector\u2019s role and how any party should gather and exchange information for incident response and mitigation.<\/p>\n<h2>High on the cyber expert agenda<\/h2>\n<p>Experts have been discussing improving global response mechanisms, for example, at the <a href=\"https:\/\/www.rsaconference.com\/about\" target=\"_blank\" rel=\"noopener nofollow\">world cybersecurity conference, RSA<\/a>, in 2021. One RSA Conference session saw experts from <a href=\"https:\/\/www.interpol.int\/en\" target=\"_blank\" rel=\"noopener nofollow\">INTERPOL<\/a>, the global <a href=\"https:\/\/www.first.org\/\" target=\"_blank\" rel=\"noopener nofollow\">Forum of Incident Response and Security Teams (FIRST)<\/a> and Switzerland\u2019s <a href=\"https:\/\/www.admin.ch\/gov\/en\/start\/departments\/department-foreign-affairs-fdfa.html\" target=\"_blank\" rel=\"noopener nofollow\">Federal Department of Foreign Affairs (FDFA)<\/a> sharing views.<\/p>\n<p>Craig Jones, INTERPOL\u2019s Director of Cybercrime, said information and communication technology incidents are underreported and under-investigated because there\u2019s no unified mechanism to inform everyone of an attack.<\/p>\n<blockquote><p>When attacks happen, people don\u2019t dial 911 or call the police \u2013 we\u2019re normally a second or third call after their IT security. 
But we should be among the first to investigate \u2013 with computer emergency response teams, private partners and across borders.<\/p>\n<cite><p>Craig Jones, Director of Cybercrime, INTERPOL<\/p><\/cite><\/blockquote>\n<p>Jones continued, \u201cIt\u2019s in everyone\u2019s interests to thoroughly investigate incidents and to gather and share as much information as possible.\u201d<\/p>\n<p>Despite the value of unified action, the current geopolitical situation contributes to a lack of information-sharing and low trust between states.<\/p>\n<p>Serge Droz, Chair of FIRST, says building trust in a difficult political environment can\u2019t be rushed. \u201cCybercriminals love \u2018divide and conquer.\u2019 That\u2019s why our biggest challenge is to decide how we\u2019ll all work better together.\u201d<\/p>\n<h2>Building trust and cooperation between states<\/h2>\n<p>Jon Fanzun, Special Envoy for Cyber Foreign and Security Policy at Switzerland\u2019s FDFA, spoke of what\u2019s needed for greater trust between states and between states and the private sector.<br>\n<\/p><blockquote><p>The global community needs consensus on how international law applies in cyberspace, how human rights should be protected online, how norms of responsible state behavior should be implemented and what the role of other stakeholders is. We must also implement what we agreed on and hold those who violate agreements accountable.<\/p>\n<cite><p>Jon Fanzun, Special Envoy for Cyber Foreign and Security Policy at Switzerland's FDFA<\/p><\/cite><\/blockquote>\n<p><a href=\"https:\/\/genevadialogue.ch\/\" target=\"_blank\" rel=\"noopener nofollow\">The Geneva Dialogue on Responsible Behavior in Cyberspace<\/a>, led by the Swiss FDFA and implemented by <a href=\"https:\/\/www.diplomacy.edu\/\" target=\"_blank\" rel=\"noopener nofollow\">DiploFoundation<\/a>, is an example of building greater trust and closer community. 
The dialogue shapes a joint vision of digital security and global policy processes for a trusted, secure and stable cyberspace.<\/p>\n<h2>What should the mechanism be like?<\/h2>\n<p>The mechanism should start by giving recommended technical and operational national Points of Contact (PoCs) in the event of an attack. These would serve as a \u2018final station\u2019 in reaching out to a national computer emergency response team, law enforcement agency or cybersecurity professionals to exchange technical information to help cross-border cooperation and incident response.<\/p>\n<blockquote><p>Computer emergency response teams (CERTs) must be neutral, just as firefighters focus on extinguishing a fire, not attributing blame or chasing arsonists. Ensuring this neutrality would build trust and encourage parties to exchange information for joint success.<\/p>\n<cite><p>Serge Droz, Chair of FIRST<\/p><\/cite><\/blockquote>\n<h2>How a global incident response mechanism might work<\/h2>\n<p>There could be a three-step process in a scenario such as a country\u2019s energy grid being attacked.<\/p>\n<p>Step 1: National Points of Contact (PoCs) would facilitate further coordination with the country\u2019s other authorities, as they organize cyber exercises regularly and have developed cross-border incident notification procedures, tools and templates.<\/p>\n<p>Step 2: PoCs would connect the attacked energy grid with the software manufacturer and a cybersecurity company, and with the CERTs of the attacked country and the software manufacturer\u2019s country.<\/p>\n<p>Step 3: PoCs would quickly exchange information on the threat and analyze and compare forensic samples to address the incident.<\/p>\n<p>This mechanism would ensure a timely and coordinated global response and mitigation, and enhance the global community\u2019s technical and operational capacities, contributing to cyber stability.<\/p>\n<p>There are encouraging signs like the <a 
href=\"https:\/\/www.cfr.org\/blog\/unexpectedly-all-un-countries-agreed-cybersecurity-report-so-what\" target=\"_blank\" rel=\"noopener nofollow\">UN open-ended working group on cyber<\/a> and <a href=\"https:\/\/front.un-arm.org\/wp-content\/uploads\/2021\/06\/final-report-2019-2021-gge-1-advance-copy.pdf\" target=\"_blank\" rel=\"noopener nofollow\">the sixth GGE process<\/a>. They show that, despite confrontations in cyberspace, states want to keep up critical dialogue for cyber stability. For everyone else, including us at Kaspersky, it\u2019s important to follow these processes and engage proactively, supporting states with our expertise to help keep our shared cyberspace open, stable and secure.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When there&#8217;s a major attack on critical infrastructure, we need global cross-border coordination mechanisms to investigate and respond. And we&#8217;re not there yet.<\/p>\n","protected":false},"author":2659,"featured_media":40538,"template":"","coauthors":[4140],"class_list":{"0":"post-40537","1":"emagazine","2":"type-emagazine","3":"status-publish","4":"has-post-thumbnail","6":"emagazine-category-infrastructure","7":"emagazine-tag-global","8":"emagazine-tag-infrastructure","9":"emagazine-tag-law"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/global-cyberincident-response\/40537\/"}],"acf":[],"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/emagazine\/40537","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/emagazine"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/emagazine"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2659"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/40538"}],"wp:attachment":[{"href":"https:\/\/www.kaspersk
y.com\/blog\/wp-json\/wp\/v2\/media?parent=40537"}],"wp:term":[{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/coauthors?post=40537"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}