House of Lords Cyber Hearings Continue: On CERTs And Trust
The House of Lords continued its committee hearings on EU large-scale cyber attacks yesterday. Giving evidence were Andrew Cormack of JANET and Chris Gibson of FIRST. They spoke almost with one voice on a variety of subjects, principal amongst them the role of Computer Emergency Response Teams (CERTs). Not as much of interest, perhaps, as the first session but some useful stuff came out of it.
Two main themes emerged. First, that trust is the key to building successful and effective CERT networks. This can be built by face-to-face interactions but also by working together consistently. Both men strongly support the view that trusting working relationships bear far greater fruit than national or transnational interventions could ever do. Second, that although bodies like the EU have a role in facilitating this kind of dialogue (they praised ENISA in this regard), there should be minimal top-down imposition of CERT networks.
This second finding, it was strongly implied, also applies to wider cybersecurity measures. In the context of the EU this suggests that local and personal relationships are more important than centrally planned structures. Keep member-state/EU hands off emergency response networks, except where needed to act as a bridge between communities and partner organisations. This would be useful, as only 25% of European IP addresses are currently covered by CERTs; the EU can help with the other 75%.
I’m not sure this is what the committee expected. It certainly surprised me somewhat, and gratified me too, although I guess this was also a thinly veiled statement against wider regulation.
Cormack and Gibson’s assertion that the internet is actually a pretty safe place, as long as one is cautious and careful, was welcome. A lot of paranoia is unwarranted, said Gibson, and Cormack counselled that user behaviour is critical: the problem is not the knowledge of vulnerabilities, for example, but getting people to act on that knowledge. I’ve been saying this for ages, and I’m glad this was drilled home at the hearing.
Both gentlemen agreed that there is a strong role for the EU as facilitator, but also as a co-ordinator for Europe-wide security exercises. I was encouraged that both men took a pretty realistic view of the threat. When asked what constituted ‘resilience’, Cormack took the entirely reasonable line that resilience is ‘the ability to not fail catastrophically’. The flipside is that networks can be allowed/expected to degrade but should do so benignly. This is a risk management approach, and a wise one. Total security is impossible, as most of us understand, and ramping up security past a certain point is subject to the law of diminishing returns.
There were other points too. Queried as to the likelihood of CERTs being taken over by criminals, both men gave this idea short shrift. What will make the press – if it does at all – is that neither man would publicly give details of the one occasion on which a CERT was denied membership of FIRST and blackballed. This evidence will be provided as a confidential submission and we will not hear the details unless leaked.
Video of the hearing is not yet online but should be available via here in the next few days. Written evidence is available here.
The next hearing is scheduled for Wednesday 9 December 2009 but is subject to change. Update: change it did, and I missed the 2 December hearing. AV available here. Evidently no-one else knew either – the public gallery looks empty.
