Alex Grigsby is the assistant director for the Digital and Cyberspace Policy program at the Council on Foreign Relations.
Tim Maurer and Duncan Hollis from the New America Foundation published a piece in Time last week in which they proposed the idea of creating a Red Cross (yes, that one) for cyberspace. In a nutshell, they argue that a global federation of Computer Emergency Response Teams (CERTs), similar to the Red Cross and Red Crescent movement, could provide neutral, impartial and independent cybersecurity assistance to those who require it. According to Maurer and Hollis, this is required to "restore trust in the Internet and protect information technology that increasingly supports critical infrastructure, and through it, human existence." They both expounded on the idea earlier this week at a New America Foundation event.
Kudos to Maurer and Hollis for pitching the idea and starting the debate—it’s definitely one worth having. However, if past experience is any indication, a neutral, impartial and independent global cybersecurity entity that can provide assistance to those in need faces enormous challenges.
There have been efforts in the past to set up an organization akin to a federation of CERTs. The International Telecommunication Union (ITU), a UN agency, has run a global cyber security incident response team known as ITU-IMPACT since 2008. ITU-IMPACT bills itself as an impartial, trusted and politically neutral information sharing and analysis platform with membership open to all ITU member states. Despite this, the organization has struggled with legitimacy issues. Certain countries (particularly in the West) are reluctant to share confidential and sensitive information with it as UN organizations are routinely and successfully targeted for foreign intelligence purposes. Why would a country share confidential vulnerability information with an entity where it has a high likelihood of being intercepted? That partially explains why the countries with the most advanced cybersecurity capabilities (e.g. Russia, the United States, Japan, the United Kingdom, Singapore, France) are not IMPACT members. Furthermore, the experience with ITU-IMPACT also highlights the challenge of creating politically neutral international entities. Ever since IMPACT’s creation, it has become a political football reflective of a larger debate at the ITU as to the organization’s appropriate role in cybersecurity and Internet governance. These divisions have hampered IMPACT’s effectiveness and credibility.
Maurer and Hollis are well aware that building a Red Cross-like entity on the back of the existing CERT community is going to be difficult. For example, they note the impartiality and neutrality challenges as some CERTs are run by governments (e.g. US-CERT, the Canadian Cyber Incident Response Centre, Colombia’s CERT). That’s only part of the problem. It is not inconceivable that three-letter intelligence agencies use government-run CERTs to gain insight into others’ security vulnerabilities or use them to disclose previously classified indicators of compromise to shut down certain state-sponsored cyber activity. This is an existing challenge in the CERT community which already hinders global cybersecurity cooperation. As much as it would be desirable, it’s hard to imagine that self-interested countries would voluntarily give up this capability for some higher humanitarian purpose.
Lastly, the Red Cross and CERTs derive their value from fundamentally different sources, which makes transferring the model from one community to another difficult. In cases of armed conflict, the Red Cross provides assistance to the sick and wounded based on publicly available medical information—doctors generally have the same background and the knowledge required to treat a patient doesn’t differ all that much from one country to another. While CERTs are generally well trained, a CERT’s effectiveness in responding to an incident is only as good as the existing information it has on hand, such as a large databank of malware samples, indicators of compromise, and information fed to it by its client base. The information asymmetry that exists among CERTs makes it less likely that a team dispatched to solve a computer security problem will have all the information it needs to do its job than a doctor or nurse sent to treat the sick and wounded.
At its most fundamental level, a lack of trust among the main cybersecurity actors hampers cybersecurity cooperation because everyone senses they are vulnerable. It also doesn’t help that cybersecurity is often portrayed as a national security issue which makes everyone jittery and reluctant to cooperate. Developing a cyber Red Cross presumes that some form of trust already exists in order for a federation of CERTs to emerge. Baby steps, like setting the norms and response times for CERT requests for assistance, are required first. Tom Millar from US-CERT alluded to this in his remarks at the New America panel when he said (and I’m roughly paraphrasing) that responding to a request for assistance shouldn’t take three days while a foreign ministry considers its options.
Only once everyone has the same baselines for international cyber cooperation and has experience interacting with each other will we be in a better position to talk about a Red Cross for cyberspace.