Our next panel will focus on the question whether we need a cyber Red Cross. What that exactly means you will hear later on during the discussion. So let me first start by introducing the panelists. And let me also point out that after this panel we'll have a 15 minute coffee break. So this panel will run for the next 60 minutes and then we will break for 50 minutes and give you a chance to recover. And let me start with introducing Tom Millar who is the chief of communications of US-CERT. That's the computer emergency response team for the US. And Tom will talk more about that in a second. To his left is Will Harvey who is the lead for cybersecurity incident management in the UK Cabinet Office. And Professor Duncan Hollis who is the James E. Beasley professor at Temple University. And it's a pleasure to also have François Stamm who is the head of the regional delegation of the International Committee of the Red Cross with us today. I don't think this panel has ever been assembled in this constellation with somebody from the Red Cross, with an international lawyer and technologist and a government official. So I look forward to this discussion over the next hour. And we'll do a Q&A; we'll start out with a moderated discussion. And first of all, because I imagine that for some of you in the room this might be the first time that you've heard about a computer emergency response team. So Tom, I'd like you to kick us off by briefly explaining what is a CERT and what do you do at US-CERT? Well, so for those of you who are not familiar with the concept, a computer emergency response team or a computer security incident response team. Am I live? Okay, is a team of mostly, you know, you'll have technical individuals involved and essentially after an incident is identified or detected or reported via third parties, go and try and assess the extent of the incident, minimize the damage, remediate the root cause, whatever that might have been. 
And then, and this is very important, pass the results of their analysis on to their trusted partners in their community. And that last function is not one that you see in a lot of other incident response activities such as like EMTs or firefighters per se, but it is very important to the cybersecurity community as it is global. All these systems are interconnected and it does sort of, I think, tee off some of this conversation that it's necessary to have these trust communities that can rely on one another, that once they've identified an incident affecting a network under their control, that they ensure that their partners around the world or within an industry are not similarly affected. What I do at US-CERT specifically is that I try to establish those trust relationships, ensure that US-CERT is appropriately situated within the various communities of trust in cybersecurity operations, make sure that people know that they can trust us, that, you know, we strengthen those relationships and explain to people how our authorities and our controls work to protect their information that they choose to share, and also sort of serve as the face of US-CERT at various types of engagements including this one. So the chief of communications was a role that did not exist until a few years ago when we established that essentially, yes, you have these technical individuals. They're very sound at doing malware analysis. They're very good at digital media forensics. They're very good at identifying incidents from network traffic and they're very good at remediating those things and helping perform on-site incident response. What often gets left out is that there is a need for some professional class of technical people who are also good with information sharing, trust relationships, or as they call them in Office Space, people skills. And what's fascinating about CERTs is that they've been around for quite a while, right? 
Like, they've been around long before we called this cyber. 25 years, 26. Could you briefly talk a little bit about the history and the evolution of CERTs and to give people in the room an idea of how long they've been around and how this... And so in 1988, the Morris Worm was launched and had consequences far beyond what anybody including the author imagined. Shortly after that, other people caught on to the idea of launching worms across the nascent Internet. And what happened was that as a result of that, you had Carnegie Mellon Software Engineering Institute, the Department of Energy, the Department of the Air Force, and several other research and defense organizations. Globally, in fact, they all had to form their own sort of incident response teams, ad hoc. And then they realized, you know, like, hey, the only way we're really effective is if we work together. And so about 26 years ago, you had the first sort of confluence of a few of these teams. I think there were only half a dozen of them around the world at the time. And I think they all met in Pittsburgh. And what's come of that since then is an organization, a non-governmental organization called FIRST, the Forum of Incident Response and Security Teams, in which US-CERT is a member. And it's been really fascinating to talk to the people in that community and note how many of them have actually been part of it for 26 years and also sort of like what has changed and what hasn't over that time. I think this whole idea, this notion of cooperative action, information sharing, and strong trust relationships is one of those things that has evolved the most. But it's also one of those areas where we still need to make a great deal of progress. And you were working for the UK government, which just went through the exercise of setting up CERT UK. So it'd be really interesting to hear what was the process like. You were at the core of it. How did you go about setting up CERT? 
What were some of the challenges you saw? How did you improve on existing models? Sure, sure. So we weren't starting from scratch in the UK. We had a number of CERTs. As Tom said, there's a history a few decades long. And there were a few organisations within the UK taking on CERT-type functions. Some were governmental, some were non-governmental. What we really came to realise as a government was a need for a bit more coordination on our part. So we had a strong CERT function looking at securing government systems. And we had a CERT function looking at UK critical infrastructure. But that left quite a big gap in the middle for the rest of the economy. And as you heard some of the speakers earlier today articulate, this is a sort of problem you can't address without heavy engagement with industry. Both the infrastructure that you really care about as a nation is privately owned and run, and the organisations who are going to assist companies dealing with incidents are also largely privately owned and run. And you need a focal point to build those relationships and to foster collaboration. That was one of the driving forces behind setting up a national CERT. Another one was the international dimension. So most of the problems we've been talking about today can't be solved by any one country on its own. There's a need to share information between countries. And there's a need to collaborate on solving an incident. An incident doesn't simply come from one place and affect infrastructure in that place. It may involve infrastructure in a number of countries and affect a company in an entirely different country. So for the UK to resolve incidents it needs to be able to collaborate quickly with other countries, ideally through their CERT community as a non-political engagement and non-diplomatic engagement. It's a purely technical engagement to reduce the harm of an incident. Those were some of the driving forces behind creating CERT UK. 
We started from a point of engaging very widely with UK industry, with foreign CERTs, to get a picture of what the need that each potential user of CERT UK would have and to take that into our own design of what we were going to do. In terms of setting that up over, we announced it at the end of 2012. It took on board a lot of our lessons from hosting the Olympics then, where we had brought together a lot of response teams in a single place to make sure we were well positioned to respond to anything that might disrupt that event. That wasn't really done on a particularly sustainable basis. You can't just kind of put everyone's team together in a basement somewhere, put all their systems in one place and have them on 24-7. But we need a sustainable way to realize some of the benefits we had from that kind of close collaboration and that real-time information sharing. And that was what we wanted to embody within CERT UK. We started work on that right away, as I said, with a lot of engagement with existing CERT teams in the UK and abroad. Companies that we identified as priority to engage with, whether they were within supply chain of other large companies or parts of the critical infrastructure themselves. And came about a few kind of key priority tasks for CERT UK. One was the management of incidents at the national level. So it's a national level concern. CERT UK would have to bring together all the different agencies that would be involved. It wouldn't necessarily have to direct their resources, but it would outline the kind of priorities for the response and focus on reducing the harm from any given incident. As Tom has mentioned, another area we looked at was really around sharing information. 
We already had built a platform online where a community of companies could come together, anyone could join for free, and they could share information in a trusted platform with each other about incidents they'd seen, vulnerabilities they'd discovered, and the approaches they'd taken to mitigating these. We wanted to take that information sharing, which was very much focused around UK critical infrastructure, and broaden it out to a wider economy so that any business in the UK could benefit from this. And lastly, we wanted to have a much more focused effort at building collaborative relationships with counterpart CERTs around the world so that in the event of an incident there's a very quick way to get in touch with another country to either find out if they have any information pertinent to an incident, or if the infrastructure that's causing problems is based in their country, to try and get them to take action, to take the pressure off the victim organisation, and in return we reciprocate when we receive those contacts from other countries. This was quite a challenging proposition for a government. Normally contacts with other countries run through an equivalent of a State Department. There wasn't a coordinated hub where technical individuals could simply reach out to technical individuals in other countries. CERT UK has to be that international point of contact. It doesn't want to get drawn into wider diplomatic debates. An early decision was that it should really sit outside of our normal diplomatic structures. It doesn't want to get embroiled in wider bilateral or multilateral discussions. It wants to focus on resolving an incident at hand. We took a similar approach to how we'd structure it in the rest of UK government structures. We recognised that huge numbers of agencies and departments have an interest in cybersecurity issues, but they weren't really the primary concern when thinking from a CERT point of view. 
The focus being on reducing the harm from incidents, learning from them and sharing information. That requires a lot of collaboration, a lot of building trust relationships. Whilst law enforcement might have a legitimate interest, we made a pretty early decision that we would have no law enforcement role. We would engage with them, we wouldn't put any legislation in there around how it might do that, and that would force law enforcement to use their normal channels of engagement and engage on a collaborative basis rather than direct any activity of CERT UK. A similar approach was taken for regulatory authorities that had an interest in cybersecurity, just to keep the interest as far out from CERT UK as we could, such that anyone reporting in to CERT has trust that their information will be handled appropriately and on a confidential basis, and the entire focus of the engagement will be on mitigating the harm from any given incident and then learning from it what can be done, sharing with agreement of the person who's reported it so that the community as a whole can benefit. That was the basis or the design principles for CERT UK. We launched it last March, so it's relatively young in terms of the response teams you see around the world, but many of the individuals have been drawn from other response teams, so it carried with it both a significant amount of technical expertise and experience, but also interpersonal relationships that would be really useful in building trust with other response teams both in the UK and around the world. So as you've heard, the CERT community is quite a technical community that's been around for a long time and that works in a very interesting way transnationally. Tom mentioned the role of a firefighter. Duncan, we just happened to co-author a piece calling for a cyber Red Cross. Tell us a little bit more about what are some of the challenges that Will also already alluded to and what this idea of a cyber Red Cross is about. 
Sure. So coming at this from an international legal perspective, Bruce actually in the session before mentioned, we have all these different legal ways to govern problems and I think we've heard some common themes coming out of the day so far in terms of what the challenges are generally and I assume then challenges specific to the CERT. One is obviously the distributed nature of the threats. We have a wide variety of causes. We have a wide variety of actors and a wide variety of facts. So it's a really complex problem. We have a distributed capacity to defend against that problem. So part of the issue is that that capacity is really unevenly distributed. So particularly when you think about all the CERTs in the United States, we have relatively speaking a pretty robust capacity, but you turn to say the next billion internet users or communities around the world and it's much less. Third, we have an atmosphere, I think it's now been said three or four times, but I'll say it again, an atmosphere of distrust right now. That when we look at global cyber security, we have a lot of distrust often based on national lines but including various corporate interests that are assumed to be aligned with nations or kind of in disagreements with one another. And then we're also undergoing at the present time systemic or structural change. IANA is being shifted from something that was affiliated loosely with the Department of Commerce to something new. You have a group of government experts at the UN who've managed to agree that international law applies in cyberspace. They agreed to that and then they promptly have had to start re-debating whether that actually was true. You have questions of whether the International Telecommunications Union should get back into the internet. We'll be circling back to the four beginning as early as 2016. 
So given that environment, part of what I think Tim and I and others have been talking about for more than a year now is what models can we use to think about how to govern the space beyond the ones that we already have. And one of the things, given the existence of CERT communities and CERT communities, was what about some sort of global federation of assistance organizations who cooperate in some way independent of governments. And that led to the analogy to the Red Cross. So I should be clear. I'm not saying the Red Cross should get into cyberspace. It has a place in cyberspace to the extent, say, the laws of war are implicated, but this is not a proposal that the Red Cross should take over cyberspace. It's rather that we can look to the Red Cross and think about it in various ways and think about whether there are lessons. And I'll offer just quickly now four, and then maybe we can talk about it. One is we can look to its orientation. We can look to its structure, its norms, and its processes. So what do I mean by orientation? I think one of the things the Red Cross assumes is hurricanes are inevitable, earthquakes are inevitable, wars may be inevitable. And rather than try and stop hurricanes, earthquakes, and wars, let's figure out how to reorient the analysis and improve human security, right? Make victims better as much as we can. And so one of the ideas for a global cyber federation or whatever you want to call it is kind of reorienting at least some portion of the discussion away from that inevitable my security, your security, my government security, your intelligence security, and reorienting the discussion into a more cyber-specific, what about the security of the network, of this shared environment we all come to rely on? So I think there's something about that orientation that bears thinking about and whether we can develop that in cyberspace. 
But what really interests me was the structure of the Red Cross because most of us tend to think of the Red Cross either very locally or on the international level, but it's both, right? There are 188, I think, François can correct me, national societies, the American Red Cross, the UK has a Red Cross, every nation has this Red Cross that deals with certain types of threats of a certain scale. Then there's a federation of these Red Cross societies that coordinates when those threats get beyond the scale that any individual national society can deal with. And then there's the International Committee of the Red Cross that's designed to deal with war and things like political dissidents and the like. And so one of the things that at least I think, again, bears thinking about is that structure: can that be replicated? Because I think what's unique about it is it's non-governmental but not anti-government, right? It's designed, it's made up of non-governmental people, it's recognized by governments, governments appreciate the work it does, but it doesn't make the Red Cross an agent of any individual government. It's multi-layered, right? It has all these different layers to deal with the complexity of all the various threats to human security that we encounter. And it's multifunctional, right? It's proactive and reactive. It does assistance, it does access, it does education, right? It does all of these things. So in terms of the orientation and the structure, what makes that all work? I think some of it is actually norms. We talked a little bit this morning about the need for cyber norms. I think even Admiral Rogers said, what about some cyber norms? So my proposal is what about having some norms for those who try and make cybersecurity work? Neutrality, independence, impartiality at least are the features of the Red Cross on which it's relied for 150 years. So it's neutral. There may be fighting, but it's not going to take sides in the fight. It's impartial. 
If you're a victim, you're getting help. It doesn't matter what you're a victim of, whether it's in cyber terms, interoperability error or North Korea hacking your systems or the US hacking your systems, right? The idea is it's neutral. It's impartial. It provides victims with assistance across the board. And it's independent. The idea is that it's recognized by governments. Most national societies are actually recognized in a state or local law as an independent organization that should not be an agent of the state because once you're an agent of the state, then you're going to be presumed to be pursuing state interests. And what we have here is a giant, what we call in the academy, a collective action problem where each of us pursuing our own interests lowers cybersecurity overall and makes this a worse space, whereas if we can get out of that collective action problem through some more neutral, impartial, independent federation, if you will, that might improve things. And the last thing I'll say is what struck me particularly of interest about the Red Cross is its origins. I mean, it starts with a Swiss businessman, Henry Dunant, on the battlefield of Solferino, sees the devastation on the battlefield, all the victims who are not getting help and decides to do something about it. He's not a doctor, he's not a warrior, but he goes to physicians, he goes to militaries and says, can't we do something to organize aid, and does it in a non-governmental way in an incremental way? It doesn't solve everything overnight, but it builds and builds so that eventually it at least helps things. It doesn't stop them, but it makes the world, I would think, a better place. And so all, I think one thing is, with all analogies, it's not perfect, but at least it bears thinking about whether we might be at a point, in the state of cyber insecurity, whether we might benefit from such an entity, or a movement might be the better word. Thank you, Duncan. 
And we will flesh this out more and we look forward to your Q&A. François, many thanks for joining us. One of the goals of New America's Cybersecurity Project is to break down silos and to learn from other fields. You've heard earlier that when it comes to cyber, we are still trying to figure out how we can actually improve security. So many thanks for coming and sharing with us what we might be able to learn from the humanitarian field. So it would be great to hear a little bit from your experience about the importance of the humanitarian principles and the way that the Red Cross is set up, based on following what Duncan already said. Yes, thank you. I mean, Duncan spoke very eloquently about those things, but sorry, the principles. Yes, first, starting with neutrality. I think that's a very important one that was obvious to Henri Dunant, that it was needed to have a neutral institution to gain access. But I think maybe what I should say to start is that those principles were designed to allow us to work in a conflict situation, in a situation of armed conflict. And here, I think maybe the question we need to answer before whether we need a cyber Red Cross is whether cyber attacks and cyber wars do constitute an armed conflict in the legal sense of the term. But that's maybe another matter. But anyway, those principles are there. They are essential tools for us to be able to work in situations of armed conflict. We do not work with armed escorts. So we gain access. Proximity is very important. The ICRC needs to gain access to victims of armed conflict that we are mandated to protect and assist. And in order to do this without the benefit of armed escorts, we need to gain the trust of all the parties. We do not judge the parties. We do not question the reasons why the parties went to war. We are concerned with international humanitarian law, which gives us the mandate to provide this protection and assistance. 
And IHL, International Humanitarian Law, Law of Armed Conflict, deals with what is authorized and not authorized when you are engaged in an armed conflict. It is not about the reasons, legal or not, that make you go into war. So neutrality is very important for us to gain this access. Impartiality was also mentioned already in Solferino. I mean, you know, he was very impressed with surgeons who treated wounded according to the most urgent cases. And that's still very much the case. So we provide assistance only on the basis of urgency and needs. There is no preference when delivering assistance. And also independence, that was mentioned. And it's also a very important thing. The ICRC is independent from any political, from any government, from any supra-governmental organization like the UN. It's just a Swiss private company based in Geneva, but very international in nature. But it is independent from all governments and even the national Red Cross or Red Crescent societies. As you mentioned, Duncan, almost every country has one such society in the world. I think there are only three or four countries on the planet that don't have one. They are technically independent from their government. I say technically, because unfortunately in some countries this independence can be questioned. We also have sometimes problems of other things, but I think the model in writing is sound. It is demanded that these societies be absolutely independent from their governments. Now I think as I said, I think the framework for us is armed conflict and also the Geneva Conventions, International Humanitarian Law, that gives us this mandate but also protection. The Red Cross gives you protection for having an armed conflict, or the Red Crescent. It's the same level of protection. It's just a different symbol, which is a bit of a problem because it gives a religious connotation to these two emblems, but that's another discussion. 
But anyway, in terms of international protection under IHL, it's exactly the same thing. Now of course the problem is two things. When you don't shoot at the ambulance but when you put weapons in an ambulance, or when you put a sniper on the roof of the hospital, you of course compromise the protection. And another challenge is dual use objects, like a bridge, like a power station, that can have both a military strategic interest but also can be of interest for the civilian population. And there are rules whether you can target or not depending on the importance in military terms of a bridge, for instance. And of course with the internet, I think the big challenge is that the internet is the ultimate dual use thing. I mean everything goes on the internet. So how do you distinguish it? I mean if you want some Red Cross humanitarian thing that would also rely on the internet from other things that could be, I mean how do you apply the principle of distinction, which is one of the most important principles in terms of law of armed conflict. There are objects, there are legitimate targets in times of war. There are objects, people you can legitimately target and kill, and there are other objects that you should never target. How do you do this on the internet platform, which is just one thing. So I think that's a very important challenge. I can tell that Duncan as the international lawyer is just waiting to jump in to talk about IHL and dual use, but before you do that, we had a workshop last week where we already discussed some of these issues and I'd be curious to hear your reactions of what you took away from that and the analogy to the humanitarian space and these principles based on your experience of having set up CERT UK. So a lot of the principles really resonate. I mentioned already that two of the key success criteria are around trust and collaboration. 
So whilst we can never take a government funded entity and claim it's completely neutral, completely impartial and completely independent, what we're trying to do is separate it from as many other legitimate government interests as possible so that people's interaction with it can be on an assumption of trust and on a known quantity that this will be focused on addressing the issue they've brought to the CERT, that they will control how the information is shared by the CERT, or if it's not shared at all, and whilst the CERT may recommend that something is reported to law enforcement as a crime, it will never proactively take that step. We might allow law enforcement officials into the information sharing platform. They have to sign up to terms and conditions just as any other user, and in their case it explicitly states that they can't act on what they're seeing as a crime without the victim's consent, even if they immediately recognise it as a crime. And that's trying to really just distance it from as much of the kind of wider policy discussions around cyber security, to try and maintain it on as neutral a basis as it can be, so that it's approachable by other countries as well. They can get in touch with CERT UK and not have to worry about any wider baggage that may be in the bilateral relationship being brought into that interaction; it should be approachable and they should be able to focus on mutual interest in reducing the harm from cyber attacks. And so yeah, the idea of independence, neutrality is good there. We should note that governments don't have the monopoly on CERTs. There's plenty out there that are privately funded, there's plenty in academia, and we looked at really what kind of model we could build for a national CERT. We included not funding it through government, and that remains open for the future, is that we may move it out to a different funding model to give it increased independence. The primary reason for funding it as a start-up from government was 
really the speed of creation. It was much quicker if we were able to have funds to bear, start working immediately, build relationships immediately, and then look at a longer term funding model. So it's funded through my office till the end of next year and we have to settle this year how it's funded thereafter. So if anybody in the room wants to fund CERT UK, please talk about it after this. Any other reactions from the panelists on this idea and what we can learn from the humanitarian process? Just on funding and independence, it's an important point because the ICRC is funded by governments. The US government is and has been the top donor to the ICRC for many years, and it's all the more difficult to prove you're independent, especially when you work in Afghanistan, for instance. My colleagues in Afghanistan, when they deal with the Taliban, the Taliban also have access to the internet and they see very well who gives money to the ICRC: it's the US, the British, people they fight or they used to fight every day. You have to prove, and also through the duration of your engagement, that you have to prove you're independent. But I'm personally convinced that these governments give us money and not only let us be independent, but they give us this money because we are independent, and the ICRC would never accept direction from a government; this would be the end of the ICRC. So I think it's difficult to explain and it's constantly the cause of many questions. UK actually, you guys have a good term for this, the quasi non-governmental organization, which is actually quite a lot of national CERTs or CERTs that serve a national level role when they are not actually expressly part of the government as US-CERT is. They are usually, but at this way, when we meet with our international counterparts who belong to a quasi non-governmental organization it's very easy to spot because there is a representative from their sponsoring agency along for the ride, so to speak. And I think when US-CERT evolved from its 
origins at the General Services Administration, at the National Institute of Standards and Technology and at cert.org and Carnegie Mellon, you could see that sort of, having said, basically it was first a public-private partnership with a lot of focus on the relationship with the Software Engineering Institute, and then as the Department of Homeland Security grew up, what it's become today is sort of that critical infrastructure mission, the private sector mission, and all those trust relationships became more and more important over time. And that's where we started to see how important it is to try and ensure that there is as much independence from other, as you put it, legitimate government interests, and that we have to make sure that there are firewalls or very clear lines between what we, you know, how we operate and what law enforcement does, what the Department of Defense does and so forth. Following up on that and your comments, you mentioned that governments are giving the ICRC money and respect the protection of the independence of the Red Cross. I would argue that's not the normal case for governments to give money and then say do whatever you want with it, and as we look at CERTs, it seems to me that their protection, independence right now is at a much weaker foundation than what the Red Cross currently enjoys in humanitarian organizations. "We do whatever you want" — I mean, they are very demanding about what we do with the money, and of course we have to provide every kind of detail as to what we have done with the money, and obviously they are happy because they keep giving us money. But again, it is in situations of conflict, so I think there is a notion of emergency, of human suffering, of humanity which is maybe still currently lacking in the internet world, I don't know. Any other comments before we move to the Q&A? I would just say again, I think we are not dealing with bodies lying on a battlefield; we are dealing with mostly bruised bank accounts and egos to date, although 
there is the threat that at some point we could see casualties from cyber security threats. But again, I think one of the things that makes this cyberspace interesting, and what attracted me to the Red Cross idea, was that at the end of the day the Red Cross is responding to both things: I know, man-made cause, unless I guess there is a climate change argument, but hurricanes and earthquakes, and at the same time things that are very man-made: war, conflict, refugee situations. And one of the things Bruce had mentioned in the last session was, so often with cyber security threats, in the initial discovery phase you don't know if this is an internal computer error, that something is going wrong, or if it is somebody external to your system, as I understand it. And so one of the questions is, what about having something where the assistance is there to assist and not worry about who did it? Because so often as we regulate things, it's all about prescription: once we know who did it, we know what the legal or governing framework is, and that's a real problem for now with cyber security.

So I have to say I'm a little disappointed, because I thought at least one of these people would disagree with the idea and the analogy to a cyber Red Cross. So I want to open it up to the Q&A and hope that at least one of you might disagree or have some other feedback. So we have mic runners, and maybe we start in the back.

I'm Rachel Southerman with Fox News Radio. Interesting idea here with the cyber Red Cross. Taking it from the perspective of folks who don't know about this, exactly how would a cyber Red Cross work in, say, the case of the Sony hack? What would such an organization, like CERT or a group like that, what would they do to help?

I look at the analogy specifically around the idea of international norms in cyber security. In the case of an incident or data breach like the recent Sony event, I believe, from my perspective, international norms would do a great deal of good in terms of setting a base
level of trust expectations between similar organizations in different countries. So for example, if we identify that one of the compromised systems being used to impact Sony is located in a country like China, for example, then there's not two to three days of thinking about it; it's simply that our counterparts in China operate according to these norms, we trust them based on those expectations, this is information that they need to protect their own networks, and therefore we should give it to them as a common courtesy, not necessarily as a sort of like, oh, what are the operational security implications or any of that sort of stuff. I think, in a way that's maybe a little more dismissive than the importance of what does actually take place during those two to three day conferences, but there is a lot of consideration given where I think norms could shortcut a lot of that and get us directly to: this is how we work together with our counterparts around the world, so let's do as we normally do and not spend so much time thinking about it or trying to set up particular protocols for communication.

A quick follow-up, though. Maybe one of you could answer exactly, though, I don't mean to be dense, but how would, if you're talking about international norms, a cyber Red Cross, I mean, Red Cross, the idea of helping people in a disaster situation, whether it be a company or a government or individual who is hacked or under cyber threat, how exactly would this organization help?

So again, at least as we were kind of kicking the idea around, I'm not sure it's an organization so much as a federation. It's an association of existing entities who right now aren't necessarily operating according to any set of organizing principles other than the technical value of, like, we're going to be able to identify threats and recommend patches and share information. But they're doing so in an environment right now where there's a lot of distrust, so that, you know, if, no offense to Tom, US CERT goes to certain
countries and says, we have this threat and here's how, you know, we think you should deal with it, they're going to say, yeah, you and the FBI and the NSA. Or vice versa, we might get something from the Chinese and say, why should we trust you? Whereas if we could create an environment that at a certain level there are certain entities that could talk to each other in a trusted way, that might improve the overall level of cyber security. That's not to say that the US military or US intelligence or other governments' intelligence agencies aren't going to continue to use the space in the way that they want, just like the Red Cross doesn't expect countries to stop fighting. But it's the idea of, can you create a community where there's certain entities that are associated with neutrality and independence that then raises their ability to be effective? Right, I think we already have people trying to be effective, and the question is, no offense again, I'm not sure how effective we are in 2014-2015, where cyber security seems to be going this way, not this way, to use the motions we were seeing earlier today. And so one of the questions is, how do you get around that? And so that's the idea of, you know, is there a way to empower someone neutrally, to be more independent, that everybody can trust? And it's a fairly, it's why we have courts, right? It's why when people have a fight they go to a court to resolve it, because, you know, if you just pick one side or the other, that person is not going to be trusted as neutral. And so the idea of some sort of third-party neutral association could improve things if, you know, people gather around it. And, you know, the story of the Red Cross is a powerful story, that over time this thing built to today, where we almost take it for granted that of course there's this Red Cross and they are here to help, and people take that seriously.

Maybe I can just explain briefly how the Red Cross would respond, I mean does respond, at times of crisis. I mean, first we distinguish
if it's a natural disaster, like a hurricane or tsunami, or an armed conflict. And if it's a natural disaster, it is either the national society where the country... for example, in Katrina it was the American Red Cross that took the lead. So we determine a lead agency, and then it is of course supported by the other members of the movement, other national societies and the Federation. It can also be the Federation that becomes the lead agency if it is a natural disaster. If it is an armed conflict, it will usually be the ICRC, which is international, which is independent, Geneva-based, that will be the lead agency. But the ICRC would also rely a lot on the work of national Red Cross or Red Crescent societies; for instance, what we do in Syria or in Afghanistan is also largely with the support of the Syrian Arab Red Crescent Society or the Afghan Red Crescent Society, but the ICRC has the lead. So in this situation, in the Red Cross world, I think, and that's sometimes the cause of tension, we need to determine a lead agency.

And to add just one more note, I think that's also an interesting example of where this analogy hits the limits, in terms of it's somewhat misleading thinking of CERTs and the R of the response too much, because we have evolved and some of the functions don't necessarily focus on the response aspect, which is done by a lot of private security firms. But that doesn't mean, as the system evolves, that some of those couldn't move in that direction as well.
I mean, that's a real limit on the metaphor. So in most response teams, in setting up CERT UK, the first thing we did wasn't to go out and get some fast cars; it's not that kind of a response. And the kind of difference between this model is there isn't a kind of physical focus for a response in any case, even to a large-scale incident. So even if something is confined to a single company, it's often distributed around the world. You're not talking about putting people from a single CERT in cars and dispatching them to help that company; indeed, a lot of companies would not really welcome the presence of people knocking on the door saying, hi, I'm from the government, we're here to fix your systems. They appreciate the information sharing in advance; they may appreciate being able to seek advice whilst they are dealing with an incident. Where CERTs can help in terms of building a community around the world that helps tackle the collective action problem Duncan alluded to earlier is a lot of capacity building. We're dealing with quite scarce human resources here; there's limited people with sufficient expertise to be credible in the CERT field, and it's hard, particularly in the developing world, just to stand that up from scratch. Capacity building can really help. Engaging with other CERTs on information sharing also really helps build up a knowledge base that you can work with within your own nation; the community is often very giving of its time. And there is a lot of work both within CERTs and within national governments on norms. We've had a lot about that today, which is really what is acceptable and not acceptable behaviour for countries in peacetime in cyberspace, and those norms really could help build significant trust about what nation states should do, how CERTs should act. And a lot of the discussion there has focused on incident response: what can one country expect of another country when it's dealing with an incident? Can it go and ask for assistance? Is that other country obliged to
assist? Is it a favour? Are there things we shouldn't assist on?

Thank you, this has been fascinating. I'm Anne Lodlina with the Lodlina Group. I would like to follow up on the funding issue and then also, just frankly, the need issue. Tom, you're the only one who I heard actually mention private sector and business. The thing with the Red Cross is there was a need that no one and nothing was trying to fulfill. We have private businesses trying to fulfill this, and while they have a profit motive, they typically just want to make their customers happy. US CERT only goes where it's invited, and we know that there are folks in the business world of cyber who are not thrilled with US CERT for going and taking away their business. Now my question is, since there is not a vacuum of helpers, business companies or even non-business entities such as US CERT and the UK CERT and other CERTs, how can the model, and I find it intriguing and I think it's worthwhile, really evolve to be funded and then to work? And why is there a need when you do have some suppliers?

So two things. One, and François may correct me, historically I think one of the remarkable things about the story of the Red Cross is, first of all, when Dunant proposed it to a group of the Swiss, the Geneva Public Works Society, it was coolly received; it took a while to build. Among the most fervent early objections were the United Kingdom Government and the French Government. The United Kingdom Government said Florence Nightingale taught us what we needed to know about aiding war victims; we've got this, this is a function that should be done by governments, we can handle it. The French objection was nobody can be neutral and it won't work. And so it took those governments to see the value of having some neutral independent organization. The idea, at least as I've been thinking about it, is nobody's saying that because we have a Red Cross we shouldn't have an Oxfam, we shouldn't have Doctors Without Borders, we
shouldn't have other aid societies or the like. And so, I mean, unless you actually think that we have enough cyber security right now and that the status quo is okay, it seems we need to be thinking of new ways to improve the overall level of cyber security. And to the extent you could have some sort of federation that operated in cooperation, not necessarily competition, with industry, that might work. But again, I think part of this is just like, you know, Dunant turned to the professionals and said, help me figure this out. It's got to be part of a conversation; it's not going to be, you know, one panel at a conference and then suddenly have it. It's got to be something that takes on a little bit of a life of its own.

Certainly the expectation when we do an onsite incident response, and as you accurately pointed out, as invited, the expectation is we're going to a private sector firm that has asked for our assistance in a data breach, and there will already be a private sector cyber security consulting firm, incident response firm, present. So the idea is to ensure that there is no basis for criticism that we are competing with industry in the incident response business. That said, I think it's interesting, though, the idea that a non-governmental organization facing the same kind of problems would be able to necessarily, you know, sort of say, okay, but we're not really stepping in and doing somebody else's business or something like that. I think some of the distinctions we might be drawing between a non-governmental organization that is almost fully sponsored by a government agency and the government agency itself may not be the most useful ones for this discussion. I think the idea, though, that we should establish some international norms among entities that call themselves CERTs is certainly a valuable one, and we've been discussing that as well.
In terms of the role of the private sector, absolutely recognize that. It's a familiar description to Tom; in the UK, often CERT UK will be assisting and there will be a private incident response firm there as well. Often the advice may be to a firm simply to contract in an incident response firm. There's two areas where the interests definitely aren't crossing over. One is that CERTs are often notifying companies that they have a problem that they don't, until that point, know they have a problem; those firms would obviously not be getting in touch with an incident response firm or the case. And in general CERTs also have an awareness-raising and sharing-best-practice role, which again is waking up more businesses who, from a national perspective, may be responsible for things we really care about as a government: critical information infrastructure, critical national infrastructure, or just services citizens really feel they couldn't do without. But for below that threshold, if we're constantly raising awareness amongst these companies that they've got to raise their bar at least to a certain level to be considered to be taking reasonable measures to protect their customers, again, it's healthy for the cybersecurity industry as a whole. In setting up CERT UK I had some anxiety that when I approached private companies there might be exactly the reaction you described: hang on, you're going to step into our turf a bit here, you might be taking business away from us. The reaction was much the opposite. There was a very, almost instant recognition of the need to collaborate, recognition of some of the failures I've just described in terms of people's lack of awareness of some of the problems, or not responding because they weren't aware of breaches, recognition that actually firms affected by an incident might not know which is a good firm to go to. So in the UK we have set out some standards by which response firms can go and get themselves accredited, just to give clients assurance that they're
the real deal, they're not snake oil salesmen. A lot of firms contribute for free to our information sharing platform; for them it's a way of building credibility in a platform where they're not allowed to do sales but to establish relationships with us, potential clients, and build their credibility as trustworthy firms you could turn to at a time of need.

I want to add one last thing about the nature of a government, non-government CERT, but sort of a central, generally independent computer emergency response team. What we see is that the private sector incident response firm is there as long as they can bill you, and that's not to cast any aspersions on the motives and the sort of proximate incentives, if you will, of the members of those teams, but once you are unable to continue to pay those invoices, or unwilling to, then that ends their engagement. The law enforcement partners that are frequently engaged in these issues, their proximate incentive, as many of you well know, is often to take a case to the appropriate prosecuting attorney's office and make sure that some bad guys are interdicted, so to speak, and that's a good one too, I like that one. And then at the defense level, at the national security level, that's a very different proximate incentive as well. If you look at all of these four different entities, the sort of independent CERT, the private sector incident response team, the law enforcement partners, and sort of a national security, defense type of environment, everybody has the same goal at the end of the day. We all converge in terms of we want the internet to be a safer, more secure place for our children, for everyone around the world. But how we get there and what our proximate incentives are, sort of like what we think when we get up in the morning, is what differentiates. And I think the value of this Red Cross analogy, or the idea of an independent CERT and norms that can help establish the bona fides of such an independent CERT, whether it be
government sponsored or not, are that you have an entity whose proximate incentive, whose real goal, is to ensure that your business is operating safely and securely, your customers are properly protected, and the citizenry are as safe as they can be from online threats. And that to me is, like, one of the things that would make this type of analogy unique and approaches some of the challenges I've noticed in my experience.

We have time for two more questions and then I'll ask you for some final remarks, if you have any. So just be prepared, here in the middle, and then we'll go to the social media.

Hello, I'm Teresa Hitchens and I'm with the University of Maryland Center for International Security Studies at Maryland, but I spent the last six years at UNIDIR, which is a research organization connected to the UN in Geneva, where I worked on the GGE issue on cyber security. So I wanted to ask the question about forums and norm setting. How do you go about setting norms when there isn't one international forum to do this? We have a problem in that. We also have a huge problem that maybe you could address, which is that different countries have different ideas about what the norm should be, and there are fundamentally different conceptions. So how do you deal with that? Maybe it's not a problem at the CERT level, it might be a different thing, so I'd like to hear some talk about that.

Thanks, Teresa. I can speak to the governance problem. One of the reasons, as I've thought about this for the last several years and came to this conclusion: you think about the other regulatory models, either nationally or internationally, and they all have lots of problems, so you almost get here by default. The national problem of how do you distinguish cyber crime from cyber war is problematic. Internationally you have these competing models for internet governance: the existing multi-stakeholder model versus the push by some to have a government-driven model where we're going to manage cyber space and cyber security through
like we do atomic energy or trade, you know, governments only, with observers from outside the government. So again, what struck me about the Red Cross: it's the one space where governments recognize and value this unique entity that is the Red Cross, as a movement, a Red Cross movement, that hasn't necessarily been captured by governments but also is recognized and appreciated by them, and thus may thread the needle. Between what I think you've got now is, most of the existing processes seem to be aligned in the geopolitical sphere with one or another camp, right? And so part of the idea is that if we're going to actually have change, you might have to come up with something that's new that everybody can say, well, maybe we can meet in the middle there, rather than, you know, somebody suddenly waking up and deciding actually the ITU is the right place for internet governance and cyber security, or it's absolutely the wrong place. And I'm not speaking to that, but it seems to me that's a problem that we have ongoing, and so one of the questions is, at what point do you actually need to say we need something new, because existing processes and governmental forums all kind of have their own histories and baggage that make them difficult for this sort of a solution?

I think one challenge is the forum I mentioned at the very beginning, the Forum of Incident Response and Security Teams, which contains something like now close to 400 vetted and recognized CERT, CERT-type organizations, public and private, quasi-NGO, all types, from around the world. The problem is that everybody in that organization is a member of an incident response team, so when we sit down and say we should have a special interest group to discuss norms that government and non-government CERTs can share amongst each other to inform trust and help, oops, data breach. So it is sort of like there is a bit of an attention span issue, and that's not necessarily to, again, indict any of the people who go into my line of work, but
it really is that we are a firefighting organization, and fires break out at arbitrary intervals. So it has been difficult in many cases to sort of get the momentum going, and then keep it going, to establish some of these things. But it is something that has been discussed for a long time; people have thought about it, people have definitely agreed this would definitely help me in my mission, but it is time for perhaps we start to solidify or crystallize.

I mean, it is an issue we recognize should sit outside the CERT space, partly for the problem that Tom has described, and best be given to the diplomats to really have those discussions to try and come up with some norms for state behavior. It is not the only area of international diplomacy where states start from pretty fundamentally different positions, so they can handle it. It is a slow, drawn-out process, but in the meantime there are constant actions by states that set some of those norms for us. So if you look at some of the actions described earlier today, whether it is indicting three PLA officers or publicly naming North Korea after the Sony breach, it gives people an idea of what the US does and does not find acceptable. It sets some lines in the sand that can help speed that discussion along.

So the last question will be from the social media, and I encourage you to combine it with the final remarks. This clock is actually quite effective at making sure we end on time. So, Andy.

Okay, so pulling together some issues in social media to create one question, because I get one. One was saying, arguably CERTs derive their strength from the focus on the technical; would a humanitarian role inadvertently politicize and compromise that position?

I think that we raised similar issues at a conference meeting of several national-level CERTs last summer, and I actually posed the question to several of, sort of, my counterparts, or rather my boss's counterparts, about something similar to that, that, you know, like, is it going to
distract us from what are actually our core competencies, if you will, if we continue to get engaged in sort of, like, geopolitical, non-technical, you know, types of engagements? And the response, universally, the consensus response across the panel, was that it's unavoidable at this juncture; there's too much attention being given to these types of issues, and CERTs need to be able to speak for themselves or others will speak for them, and we may not like the results. So a continued focus on the technical obviously is our core competency, and we never lose sight of that, but it's absolutely necessary to get better at navigating these types of issues and ensuring that the best interests of our constituents are what comes first.

I would agree that a CERT needs its technical competence first and foremost if it's going to continue to give value to its constituents and customers and have credibility with its international peers. But, you know, there has to be a certain point where you realize that, you know, so much time you can spend on the floor before you've got to go fix the roof, and whether that's CERTs engaging internationally with one another or with international policy teams. So I'm fine for CERT UK to phone me up and ruin my day by posing some policy problem that is hampering their business, and for me to take it up with the Foreign Office or State to feed it into international discussions.

I guess, for my part, I think I would separate out the humanitarian from the political. The analogy is more to the humanitarian focus, which is what governments exist for: to promote human security. And when governments are failing to do that, they can either get better or they can try and come up with new alternatives. And that's the question of whether there could be any basis for international cooperation right now in a world where there's not going to be a treaty, there's not going to be some global cyber police force. And so the question is, what can we have that could make things a
little bit better. And that's the question, but I guess it's up to, at the end of the day, the technical value: if you had a federation, it would also have to be effective; it would actually have to share that information in a way that raised the floor for everyone.

I just wanted to say I don't think you can separate these issues. I mean, the world we live in is very messy, and the humanitarian, cyber, current and future wars will almost always have a cyber dimension that will probably grow in the future. So I think you should be strong enough and flexible enough to address these different dimensions, and that will be a challenge.

On that happy note, what I wanted to get out of this panel was to raise the awareness of CERTs among you and then also spark the debate about the cyber Red Cross, which I hope we have achieved. Please join me in thanking the panel.