Time sure does fly when you’re having fun! Five years ago (this month) I began my role here at APNIC as its first Security Specialist. I still remember the warm welcome I was given by the HR team and other colleagues, including a brief lesson on how to make coffee.
Although I had past experience with security operations, having worked for national and enterprise security incident response teams, the Regional Internet Registry world and its community was still new to me at that time. Luckily APRICOT 2014, held in my home economy, Malaysia, was just around the corner. It provided me with a great opportunity to get first-hand experience with the community, learn about their concerns and see the APNIC Secretariat in action.
Since those early days, APNIC has increased its security engagement with key stakeholders — Members, Law Enforcement Agencies (LEAs) and judiciaries, security teams (CERTs/CSIRTs), and policy makers — year-on-year, to the point that we’ve had to employ additional security specialists to meet the growing demand. Engaging with such a broad community has been rewarding and insightful, primarily because the majority of discussions have involved sharing with and learning from others.
More than just training
Over the years, APNIC has diversified its security-related engagement activities.
Training is a key deliverable but there are also several other initiatives, including our Ready to ROA campaign, which promotes routing security and encourages Members to create resource certificates.
Security events also provide a great opportunity to reach out to the community and learn about current challenges. Some of the exciting local security conferences in recent times have been the Sri Lanka CERT Annual Conference, Mongolia Security Conference, the Honeynet Project Annual Conference and Vietnam Security Bootcamp.
Big ups to all #cybersecurity #netsec #infosec conferences in the Asia Pacific region who have been fostering the next generation of #security specialists through hackathons and fellowships 👏🙌 https://t.co/Emuup46Eh4 pic.twitter.com/iIIwRtYIRR
— APNIC (@apnic) December 12, 2018
Security is not only being discussed by ‘geeks’, which is why we’ve been privileged to be invited and contribute to forums such as APECTEL, APrIGF, and the IGF, where we have been able to engage with other stakeholders.
C for collaboration
The Asia Pacific region is expansive. For this reason, collaborating with partners is not optional, it’s critical.
We’ve had many successful outcomes from joint activities and events. One I always like to highlight is the FIRST Technical Colloquia (or the FIRST TCs).
Excellent line-up for today’s @FIRSTdotOrg TC at #APNIC46! Honored to be trusted w/ MC duties at the 1st FIRST engagement in the Pacific & 6th paired up w/ @APNIC conferences! 🌴🌊🖥️🔐 Check-out the presentations here: https://t.co/R4IHcBcLiA pic.twitter.com/EaSWBaqRfR
— Klee Aiken (@a_Klee) September 10, 2018
The one-day security plenary has been a permanent feature at APRICOT and APNIC conferences since 2015. It’s not just a speaking event, rather it’s a platform to highlight issues, call for collaboration, and mentor emerging security contributors in our region. There are many contributing parties but the usual suspects are from the Forum of Incident Response and Security Teams and the Asia Pacific Computer Emergency Response Teams (APCERT).
Another positive collaboration we’ve had in the LEA space is with INTERPOL. We have contributed modules on Internet security and the DNS for workshops delivered in Singapore and Fiji. Since then we have been invited to give training for other LEAs around the region.
A popular item in our security engagement toolbox is a desktop exercise where participants get to experience a data breach incident. The original content of the exercise — scenario, gameplay and supporting tools — was jointly developed with friends from Access Now and the Asia Cloud Computing Association for RightsCon2015 in Manila. Since then we have replicated the session at different events and still find it useful for encouraging positive conversations between different stakeholders so they can improve security together.
In 2016, we supported training activities organized by JICA for CSIRTs from Cambodia, Laos, Viet Nam, Myanmar and Timor-Leste. From this series of engagements, we collaborated to develop the first course on the APNIC Academy: Introduction to Cyber Security.
Then there are the multiple CSIRT engagements we’ve recently conducted in the Pacific, which I summarized last year.
Busy six months of #cybersecurity capacity development activities in the Pacific region ends in launch of the region’s newest CERT, writes @adliwahid https://t.co/bLAq7adwcu #netsec #CERT pic.twitter.com/zd1AUkfTMK
— APNIC (@apnic) July 9, 2018
The next five years
There’s definitely a lot of interest and awareness among our stakeholders across the region (and globally) to improve and prioritize security. I can see a lot of initiatives being carried out in different areas, from developing national strategies to new laws and creating more security specialists to help defend organizations from security incidents.
At the same time, security remains fragile with different actors actively exploiting weaknesses in systems and people to achieve their goals — just read the full data breach incident report released by the Singapore government and you’ll understand security in theory versus in practice. I think it’s critical that we understand the context before giving solutions. Ultimately organizations would like to fulfil their security goals or their responsibilities but there is no ‘one size fits all’ kit to be used.
Thankfully reinforcements are available in the form of Jamie Gillespie, Klee Aiken, and sometimes the APNIC training team led by Tashi Phuntsho. This has allowed us to not only fulfil growing demand but also expand the outreach work for different stakeholders or focus on certain geographical areas. On that note, you should hear more about the APNIC community honeynet project this year.
In a nutshell, I am very grateful for the opportunity given to me by APNIC and the support I get from many colleagues from the different teams at the office, especially in experimenting and enabling new trusted relationships to be built for reaching a higher goal. On top of that, the work has been fun for the most part and helped me grow personally. I have made many new friends in different places and learned about their unique cultures (and captured a lot of photos along the way too)!
Yes, we’ve achieved a lot in the past five years but there’s still a lot more that we all can do to make sure the Internet remains stable and secure for everyone. We’re always open to suggestions. Stay tuned for more highlights!