Last month, I was in Nadi, Fiji, for the 10th Policy and Regulation Forum for Pacific (PRFP-10), conducted by the Asia Pacific Telecommunity (APT).
This meeting included policy makers and regulators from 12 countries in the Pacific to discuss issues such as satellite and submarine cable connectivity, licensing mechanisms, and challenges for spectrum management.
During the meeting, I had the chance to speak in a session about cyber threats and security, along with colleagues from KISA (Korea), CERT Australia and ICANN. Below is a short summary of what I spoke about.
CERTs play key role in Internet safety
In meetings like this, I often hear the question of what it takes to make a safe Internet.
We all know there’s no easy answer to this question, so I often answer the question about Internet safety by asking another: what does it take to make a safe society, against all the threats that we know about? Likewise, there is no easy answer to this question, but we do know quite well what it takes to mitigate most or all of the risks which affect us.
Take fire for instance: a fire brigade, or department, is a specialised body that knows how to respond to fire incidents and fire emergencies. But it’s important that the fire department is not expected to “solve” the problem of fire; instead they have to work closely with many other agencies – police, health professionals, educators, also regulators and industry – to make sure that fire safety is as good as it can be for society as a whole.
On the Internet, we also have many threats, probably as many as there are in the real world, with as many different sources and causes. And we have a kind of a Fire Department on the Internet, normally referred to as CERTs – Computer Emergency Response Teams.
CERTs are groups of experts oriented towards responding to incidents. They operate at a national or local level to help coordinate readiness and response to Internet security incidents of all kinds. It’s important that CERTs work with other agencies that take responsibility for pursuing and prosecuting actual offenders, setting regulations, and repairing the damage incurred during cyber attacks.
Like a fire department, a CERT plays a role that is closely connected to the community it serves. This is for a number of reasons. The knowledge and expertise of the Internet security landscape exists within the operational community itself, and the amount of information involved (and the rate of change) is huge, so information sharing is essential. In some cases, a CERT might be involved in education for schools or community groups, in mobilising volunteers and community groups, and in helping to promote awareness in other parts of the community.
The issue of community trust is critical – because information which is shared can be highly sensitive.
CERTs have a long history, in Internet terms. They emerged during the 1980s, from the Internet’s early multistakeholder environment, and stand as a very good example of the power of (and need for) a multistakeholder approach, where all parties play a critical role.
APNIC has been involved in many CERT discussions over the years because CERTs are widely recognised as a critical component of Internet security. Without a CERT to serve it, any given community will be more vulnerable to cyber risks of all kinds and have a much harder time managing and recovering from those risks.
The launch of Tonga CERT, the first national CERT in the Pacific, is one recent example of APNIC’s support for this community. The preliminary success of CERT.to can be attributed to the Tongan Government’s leadership and support for the CERT, which followed a multi-stakeholder approach that ensured that trust, confidence and neutrality of the CERT were built from the outset. The case is an example to follow because it showed that vision and leadership, together with technical expertise and an inclusive/consultative approach, sufficed to make a CERT happen.
Following the successful effort in Tonga – made possible with generous funding from the Internet Society – I am happy to report that APNIC will continue to support CERT development in the Pacific. Through technical training and cross-sector, public-private engagement, these activities will be seeking financial support through the newly established APNIC Foundation. The idea is to continue to raise awareness, build a more mature understanding of cyber threats, and support CERT development in the Pacific.
Ultimately, through this and other partnerships, a more comprehensive, trust-based network of security experts and contact points will be developed in the Pacific.
ICANN-GAC workshop
At the end of the week, I was also very happy to join a second meeting at the same venue in Nadi, Fiji. This time it was an ICANN-GAC workshop that gathered government representatives from 17 island nations to discuss public policy issues related to ICANN and the Internet more broadly, including DNS, IP addressing, IXPs, security and others.
This meeting specifically addressed the question of participation in ICANN processes from the Pacific, which is considered by the GAC as an “under-served region” of the world.
During the meeting I had the opportunity to reiterate APNIC’s commitment to Internet development in general; and again more specifically, in raising awareness and understanding of cyber threats. Ultimately, through efforts such as the one triggered by the APNIC Foundation in the Pacific, a more mature, trust-based, and multi-stakeholder approach to Internet security will continue to be developed.
I would like to congratulate the GAC “under-served regions working group” and ICANN staff for facilitating this successful gathering in the Pacific, which I do hope can be repeated regularly with similar levels of participation.
I wish to also thank APT for the opportunity to attend the PRFP-10, and for their efforts with ICANN to colocate the meetings together, making them more effective and interesting to all who attended.