The idea of a global CERT has been proposed multiple times in the course of several years. And while it has not always been proposed in the same form, the concept is the same nonetheless. The idea is very simple — we need a global CERT (Computer Emergency Response Team) to coordinate all other CERTs in the world.
Let us examine this idea through a dialog between two imaginary people, Mr. Pro and Mr. Con, who will debate some issues related to a global CERT, or G-CERT as we will call it for short. We will start the discussion by asking Mr. Pro to explain the benefit of a G-CERT.
Pro: There are multiple benefits of a G-CERT. For starters, it will enable the coordination of CERTs on a global basis. If one team is under attack, they would be able to utilize G-CERT to contact another team from where the attack is originating. This could be done quickly and accurately, with no time wasted in locating whom to contact.
Con: When saying “enable coordination” we imply that coordination is not happening already. Furthermore, we are suggesting that things are not currently working and that we have to do something to correct that. I would say that none of these suggestions are accurate. Coordination is happening and CERTs are cooperating. That may not be visible from the outside, but that is by design. Teams that are not involved in the incident are not involved in the communication either.
Being able to contact the right group who is able to help during an incident is very important. Having a maintained list of such contacts would indeed be invaluable. But to be truly useful, such a list must be public so that anyone can find the information when needed. We do not need a G-CERT to ask but we do need someone who would locate the right contacts and maintain the list.
Pro: Another area where G-CERT can help is to provide a global view of the landscape, what is happening on a global scale. G-CERT would enable us to see an overall pattern, where now we can only see a few isolated acts. We would be able to produce more accurate trends and maybe some predictions.
Con: A global picture is a great goal but there are a few questions that must be answered first. Who would supply data? If I am attacked, what would compel me to report that to G-CERT? In some places, organizations must report if personal information has been compromised, but that is only a fraction of all possible incidents. Stretching that legislation to force organizations to disclose all kinds of attacks would put an undue burden on the organizations. If the information provided in the press regarding the number of incidents that are occurring is accurate, organizations would spend most of their time reporting things and not actually improving their security.
Pro: One possible way to address the reporting issue is to extend the existing legislation and mandate that all incidents be reported to G-CERT directly or, as another option, to a national entity who will then report to G-CERT. Obviously, this multi-step reporting should be used for non-real-time incidents.
Con: To start, it is not universally agreed what a computer security incident is. There are definitions, such as the one documented in Special Publication 800-61 from the US government’s National Institute of Standards and Technology, but even two organizations using the same definition can classify the same event differently. That is possible since the definitions say that an incident is essentially “…a breach of security policy…” and policies do differ among organizations. This, by default, guarantees that the global picture will have holes. Admittedly, smaller holes than exist today, but holes nonetheless.
Secondly, mandating reporting has issues of its own. Many organizations, especially smaller ones, may not be able to quickly remove vulnerabilities used for an initial compromise. If a report of their compromise becomes public before they have the opportunity to properly address the issue, miscreants could simply target them again. That would increase the vulnerability of the organization, and we must prevent that from happening. And making reporting secret will not change this either, as such reports have a tendency to leak. Any reporting must be done on a voluntary basis and not be mandated.
The next question we must ask is who will have access to the reports and trends and who will benefit from them? If I am contributing as a source of information then I would like to have access to the reports. And if I had access to the reports, how would I benefit from them? As a small horticultural business I am not sure that I can take full advantage of the fact that one particular criminal gang is deploying new malware.
Pro: It is true that not everyone will be able to directly benefit from the reports that G-CERT would produce. I would argue that G-CERT should produce a multitude of reports, each targeted toward a particular constituency. A horticultural business would not benefit from a deep technical description, but a software vendor, law enforcement agency, or academic group probably would. That same horticultural business would then benefit indirectly because the academic community would develop new algorithms to detect the malware, industry would produce new defensive applications, and law enforcement agencies would capture criminals. In the end, everyone would benefit.
Further benefits could be realized from the training materials that G-CERT would be able to produce. The team would handle many incidents, and that expertise could be captured and passed on to other teams.
Con: G-CERT is designed to perform coordination and not to handle individual incidents. Having the whole world as a constituency means that G-CERT would not have a real constituency whose system it would monitor, guard, and clean. Handling incidents and coordinating them are separate aspects. G-CERT would not necessarily have real, hands-on experience in dealing with incidents, so it would not be in a position to create adequate training material nor to present it.
CERTs that are handling incidents today already have that expertise. Instead of G-CERT describing how someone else does things, it would be much better to enable existing CERTs to transform their knowledge into training material that others can use.
Pro: While the initial idea is for G-CERT to perform only coordination, there is nothing preventing it from offering incident handling as a service. That way G-CERT would gain hands-on experience and, thanks to all other reports, be able to offer better protection to organizations who would pay for that service.
Con: Indeed, nothing prevents G-CERT from developing a paid-for service and gaining the experience. But if we were to make incident reporting mandatory, as suggested, then G-CERT would be in a privileged position over all other organizations offering similar services. G-CERT would have much more information to learn from and, more importantly, information that is not available to any other organization. That would skew the market and rig it against all other organizations. If we want to avoid that, G-CERT would have to make all information available to every organization.
But then we have another issue to deal with. Since reporting to G-CERT would be mandated, it could not sell “raw” information, and G-CERT would have to give away information, or access to it, for free, with no limitations or conditions. This means that I, as a miscreant, could establish a front company and ask for access to all incident reports that G-CERT has. That would be great for me since I would be able to see who was compromised and then just try the same exploit again. Even for legitimate businesses this would be great, as they would be able to see which of their competitors had been compromised and how.
The only way to avoid this mess is not to mandate incident reporting and make it voluntary. But then G-CERT loses its information sources and, with them, the ability to make reports and all other such helpful things.
At this point we will conclude this dialogue between Mr. Pro and Mr. Con and leave it to you to draw your own conclusions on whether or not a global CERT is necessary.