October 25th, 2012

Lela G. Jgerenaia
Prof. Nazli Choucri
Massachusetts Institute of Technology

Abstract

With the inherently global nature of cyberspace and the presence of actors with divergent interests, cybersecurity risks are inevitable. Computer Emergency Response Teams (CERTs) are entities created specifically to deal with issues of cybersecurity, involving the prevention and mitigation of incidents and threats. The effectiveness of CERTs in responding to cybersecurity incidents has varied according to their sophistication and preparedness. This paper will (I) introduce cyberspace and cybersecurity, (II) provide background information on CERTs, (III) examine case studies of cyber attacks and CERT responses, (IV) evaluate CERTs and their limitations and discuss how increased data sharing among CERTs can improve cybersecurity, and (V) propose solutions to facilitate international data sharing for augmented CERT effectiveness.

I. Introduction

Cyberspace is a global commons[1] which creates a new arena for international relations. The global scope of cyberspace produces the potential for new international interactions, including threats and attacks. The potential threat to national security arising from competing actors in cyberspace prompted the creation of CERTs. National CERTs have had varying degrees of success in dealing with cybersecurity incidents. While the effectiveness of CERT responses has varied by state, CERTs are becoming increasingly important as global use of the internet grows and more global actors with divergent interests establish a presence in cyberspace. Facilitating and improving data sharing among the CERTs of friendly nations, while challenging due to varying levels of development and sophistication, would benefit all involved nations by improving cybersecurity. Developing an incentive program may be a viable method of improving data sharing among national CERTs.[2]

II. Background Information on CERTs

The first CERT was created at Carnegie Mellon University in response to the Morris worm in 1988.[3]

[1] Schreier, Fred, On Cyberwarfare, A Centre for Security, Development and the Rule of Law, DCAF Horizon 2015 Working Paper No. 7. <http://www.dcaf.ch/Publications/On-Cyberwarfare>.
[2] Choucri, Nazli, Cyberpolitics, Lecture Notes, Massachusetts Institute of Technology, Cambridge, MA, Fall 2012.
[3] Choucri, Nazli, Madnick, Stuart & Li, Xitong, Experiences and Challenges with using CERT Data to Analyze International Cyber Security, September 2009, pg. 2.

Originally created to deal with the Morris worm and future cybersecurity
incidents, CERT evolved into two separate entities: US-CERT and the CERT Coordination Center (CERT/CC). The first is an arm of the Department of Homeland Security's National Cyber Security Division; it responds to cybersecurity incidents and identifies potential security threats of national interest.[4] The other, CERT/CC, evaluates existing and potential cyber security risks and makes recommendations about best practices in cyber security, serving primarily in an advisory role.[5]

National CERTs have an increasingly important role in providing cyber security and protecting critical information infrastructure.[6] Although there are industry, corporate, national and regional CERTs,[7] this paper will mainly focus on the latter two. CERTs maintain a domain of expertise in five fields: software awareness, secure systems, organizational security, coordinated response, and education and training.[8] Many countries now have CERTs, although these teams have varying levels of development and sophistication. Estonia, which established a national CERT in 2006, has an internet-centric infrastructure, in which communication, banking and voting are carried out via the internet.[9]

There are also regional CERTs, which provide cybersecurity support to all member countries in a geographic region of the world. The Asia Pacific Computer Emergency Response Team (AP-CERT) is an example of a regional CERT. Regional CERTs can be more effective than national CERTs due to data sharing, a wider network for information dissemination, and greater collective experience in managing cybersecurity incidents.[10] The cyber attacks on Estonia in 2007 and Lithuania in 2008 are useful examples to demonstrate both the strengths and weaknesses of CERTs. The cyber attack on Georgia in 2008 demonstrates the benefit of a collaborative response of national CERTs to cyber security incidents.

[4] United States Computer Emergency Readiness Team (US-CERT), About Us, retrieved 10/17/12. <http://www.us-cert.gov/about-us/>.
[5] Software Engineering Institute, Carnegie Mellon, CERT Coordination Center (CERT/CC), retrieved 10/17/12. <http://www.cert.org/certcc.html>.
[6] European Network and Information Security Agency (ENISA), CERT Operational Gaps and Overlaps, December 2011 Report, pg. 3. <http://www.enisa.europa.eu/activities/cert/other-work/files/operational-gaps-overlaps>.
[7] Madnick, Stuart, Cyberpolitics, Lecture Notes, Massachusetts Institute of Technology, Cambridge, MA, October 22.
[8] Choucri, Nazli, Madnick, Stuart & Li, Xitong, Experiences and Challenges with using CERT Data to Analyze International Cyber Security, pg. 3.
[9] Tikk, Eneken, Kaska, Kadri & Vihul, Liis, International Cyber Incidents: Legal Considerations, Cooperative Cyber Defence Centre of Excellence (CCD COE) 2010, pg. 16-18.
[10] Madnick, Stuart, Cyberpolitics, Lecture Notes, October 22.

III. Case Discussions

III.1. Cyber Attack on Estonia

The circumstances leading up to the 2007 cyber attacks in Estonia involved the relocation of a Soviet memorial, a bronze statue in the capital city of Tallinn, to a war cemetery outside the city. The plan to move the statue, a memorial to the Soviet victory over the Nazi army, incited rioting among ethnic Russians on April 26th, 2007. Following the riots, the bronze statue was moved the next day by Estonian authorities, earlier than originally planned. That night, on April 27th, simple attacks in the form of large-scale pinging began, resulting in denial of service (DoS). This initial wave of attacks was followed by a larger-scale and better coordinated wave of attacks. This second wave was characterized by the larger-scale use of botnets for distributed denial of service (DDoS) attacks, defacement of government websites, and the use of internet forums to spread instructions for participation in the attacks and to coordinate them. The second-wave attacks were also more sophisticated in their use of IP spoofing and proxy servers to disguise the origin of the attacks. The attacks were initially targeted against government websites and media outlets, and later against Estonian banks and Domain Name System (DNS) servers.[11]

The Estonian Computer Emergency Response Team (CERT-EE) was instrumental in analyzing the nature of the attacks and coordinating the defense against them with the aid of outside IT experts. CERT-EE responses to the DoS attacks included an increase in server bandwidth as well as more advanced defenses, including firewalling, using multiple servers, and blocking incoming internet traffic from outside Estonia. Through their analysis of attack patterns, CERT-EE determined that botnets were being used extensively in the DDoS attacks, and they identified attacks against both public and private internet infrastructure.

[11] Tikk, Eneken, Kaska, Kadri & Vihul, Liis, International Cyber Incidents: Legal Considerations, Cooperative Cyber Defence Centre of Excellence (CCD COE) 2010, pg. 15-23. <http://www.ccdcoe.org/publications/books/legalconsiderations.pdf>.

The duration of intensive attacks against governmental and political websites and
communication channels was determined to last from April 27th through May 9th. CERT-EE determined that most of the attacks came from outside Estonia and were of a malicious nature.[12] Under the circumstances, CERT-EE performed well in mitigating the most damaging attacks and limiting service interruption to critical information infrastructure such as banking. Most Estonians were only aware of the attacks due to media coverage and service interruptions to some online news websites.[13]

CERT-EE was fortuitously prepared for the cyber attacks due to the Estonian parliamentary elections of 2007. These elections were the first time that Estonians, or any nation, would elect their national parliament through internet voting. CERT-EE led a series of exercises in anticipation of potential cyber security incidents. These preparations included planning defenses against global botnet DDoS attacks and establishing direct contact with key actors in the cyber security community, including banks, telecommunication companies, law enforcement agencies, and other CERTs. The readiness of CERT-EE and the cyber security community proved invaluable in the response and defense against the cyber attacks, which occurred only months after the elections. Another important response to the cyber attacks was information sharing by CERT-EE with international partners, including other CERTs and cyber security organizations. These allies were able to provide valuable real-time technical assistance in managing the attacks.[14]

[12] Tikk, Eneken, Kaska, Kadri & Vihul, Liis, International Cyber Incidents: Legal Considerations, Cooperative Cyber Defence Centre of Excellence (CCD COE) 2010, pg. 33-34. <http://www.ccdcoe.org/publications/books/legalconsiderations.pdf>.
[13] Ottis, Rain, Scientist at Cooperative Cyber Defence Centre of Excellence, Interview, October 18, 2012.
[14] Ottis, Rain, Interview.

III.2. Cyber Attack on Lithuania

A similar attack occurred in Lithuania in June 2008, following an amendment to the law on freedom of meetings and speech that prohibited the display of Soviet and Nazi emblems or the playing of the anthems of the Soviet Union or Nazi Germany. After the amendment was passed, cyber attacks began on June 28th, 2008. The Lithuanian Computer Emergency Response Team (CERT-LT), which had been established at the end of 2006, was the primary respondent to the incident. CERT-LT had been informed of the possibility of cyber attacks on June 26th and alerted the cyber security community within the government. However, the cyber security community in the private sector was not contacted about the threat, and the private sector was
most affected by the attacks. CERT-LT reported that over 300 websites, most hosted on a commercial Hostex server, were hacked into and their files modified. The attacks targeted government and commercial websites, defacing them with pro-Soviet and Russian slogans. CERT-LT advised Hostex on how to repair the damage, and by July 1st most of the websites had been restored to their previous state. The Lithuanian attacks demonstrate the importance of information, collaboration and data sharing. The failure to alert the cyber security community in the private sector about the threat of attacks left the sector vulnerable and unprepared.[15]

III.3. Cyber Attack on Georgia

During the August 2008 Russian-Georgian conflict over South Ossetia, the value of data sharing among CERTs and cooperative action with international cyber security organizations was demonstrated. On August 8th, the day following the Georgian attack on separatist forces in South Ossetia, cyber attacks against Georgian government websites were launched in tandem with the Russian military offensive into Georgia. DDoS attacks targeted government websites, communication networks, Georgian news websites, Georgian banks and foreign news portals sympathetic to Georgia. The attacks were similar in nature to the highly organized phase of the cyber attacks in Estonia in 2007, with the extensive use of botnets and Russian-language websites promoting and organizing the cyber attacks.[16]

CERT Georgia, which normally provided computer network security technical support to educational institutions, served as the national CERT and was the primary responder to the cyber attacks. CERT Georgia was able to contact allies in the international community and received assistance from other national CERTs and cyber security organizations. CERT France and CERT Poland collected and analyzed log data on the cyber attacks. Two CERT-EE cyber security specialists visited Georgia to assist with mitigation of the cyber attacks.[17]

[15] Tikk, Eneken, Kaska, Kadri & Vihul, Liis, International Cyber Incidents: Legal Considerations, Cooperative Cyber Defence Centre of Excellence (CCD COE) 2010, pg. 63. <http://www.ccdcoe.org/publications/books/legalconsiderations.pdf>.
[16] Lomidze, Irakli, Cyber Attacks Against Georgia, Ministry of Justice of Georgia, Data Exchange Agency, 2011. <http://www.dea.gov.ge/uploads/GITI%202011/GITI2011_3.pdf>.
[17] Tikk, Eneken et al., Cyber Attacks Against Georgia: Legal Lessons Identified, Cooperative Cyber Defence Centre of Excellence (CCDCOE), NATO Unclassified version, November 2008: Tallinn, Estonia, pg. 14. <http://www.carlisle.army.mil/DIME/documents/Georgia%201%200.pdf>.

Defensive measures included transferring important websites to alternate servers based in the US, Estonia and Poland, and restricting internet traffic between Georgia and Russia
on the orders of the Georgian Communication Commission.[18] At the time of the attack, Georgia's internet traffic was routed through Turkey and Russia and was thus especially vulnerable to attack. Since then a fiber optic cable has linked Georgia to Western Europe via the Black Sea.[19]

IV. Evaluation of CERTs

As demonstrated in the case studies, CERTs face many problems. More effective data sharing would significantly improve response to attacks, as seen in the cooperative efforts of national CERTs and other cyber security entities assisting Georgia CERT to mitigate cyberspace damage in the 2008 conflict. Data and information sharing among CERTs, as well as running practice exercises in incident response, may help national CERTs to predict and identify new attacks quickly by analyzing and comparing historical patterns of cyber attacks, to significantly limit damage from cyber attacks by employing established defensive measures, and to proactively strengthen cyber security defenses against future attacks.[20]

However, there are significant challenges involved in data sharing efforts by national CERTs. There are no universal terms or definitions for categories of incidents and security measures. Thus, different CERTs may use different terms for the same incident, and this makes collaboration difficult.[21] CERTs are generally not mandated by a national government, so they may have different constituencies, funding sources, and services offered.[22] As a result of differing priorities, national CERTs tend to handle only a subset of all national incidents.[23]

[18] Tikk, Eneken, Kaska, Kadri & Vihul, Liis, International Cyber Incidents: Legal Considerations, Cooperative Cyber Defence Centre of Excellence (CCD COE) 2010, pg. 76-77. <http://www.ccdcoe.org/publications/books/legalconsiderations.pdf>.
[19] Tikk, Eneken et al., Cyber Attacks Against Georgia: Legal Lessons Identified, Cooperative Cyber Defence Centre of Excellence (CCDCOE), NATO Unclassified version, November 2008: Tallinn, Estonia, pg. 6. <http://www.carlisle.army.mil/DIME/documents/Georgia%201%200.pdf>.
[20] Tikk, Eneken, Kaska, Kadri & Vihul, Liis, International Cyber Incidents: Legal Considerations, Cooperative Cyber Defence Centre of Excellence (CCD COE) 2010, pg. 93.
[21] Choucri, Nazli, Madnick, Stuart & Li, Xitong, Experiences and Challenges with using CERT Data to Analyze International Cyber Security, pg. 4.
[22] European Network and Information Security Agency (ENISA), CERT Operational Gaps and Overlaps, December 2011 Report, pg. 64.
[23] Choucri, Nazli, Madnick, Stuart & Li, Xitong, Experiences and Challenges with using CERT Data to Analyze International Cyber Security, pg. 13.

CERTs were initially created to identify and manage cyber security incidents as a reactive response. This can be effective when a response to an attack is swift and organized,
as seen in the case of Estonia, which had been preparing for cyber security incidents just months before the attack. CERT-EE was able to handle the heavy cyber assaults with an effective response and limit the damage, which would otherwise have been devastating to the internet-centric country. However, CERTs could benefit from a more forward-thinking strategy rather than planning their defense only against established methods of cyber attack, since hackers often look for novel ways to attack their targets and exploit new vulnerabilities.[24] Additionally, even well-organized regional cybersecurity organizations like the European Network and Information Security Agency (ENISA), the European Union's center of expertise on cyber security,[25] cite the lack of internal data sharing as a limiting factor in the effectiveness of the CERT community as a whole.[26]

[24] Carr, Jeffrey, Inside Cyber Warfare, O'Reilly Media: 2012, pg. 15-16.
[25] ENISA, About ENISA, retrieved 10/23/12. <http://www.enisa.europa.eu/about-enisa>.
[26] European Network and Information Security Agency (ENISA), CERT Operational Gaps and Overlaps, December 2011 Report, pg. 3. <http://www.enisa.europa.eu/activities/cert/other-work/files/operational-gaps-overlaps>.

V. Proposed Solutions

Promoting data and information sharing among CERTs and other cyber security organizations has been identified as a key factor in improving cybersecurity. However, many factors have limited the ability and willingness to share data and information on national cybersecurity. Incentivizing CERTs to share data and cooperate could be accomplished through an international or regional organization. Membership in a larger umbrella organization could require data and information sharing on national cybersecurity. Incentives to join the organization could take the form of funding for a national CERT, training for cybersecurity professionals, assistance with upgrading critical information infrastructure, and technical assistance with cybersecurity incidents and attacks. In addition to financial and technical assistance for cybersecurity, national CERTs should have access to valuable cybersecurity resources. In a survey of major stakeholders, ENISA identified several key services of interest to its members, including the creation of a common malware hash database, aggregation of security announcements by a central body for later distribution to member CERTs, and a central contact to act as an industry
liaison to obtain early warning on software vulnerabilities.[27] These resources and services could also be offered to member CERTs as an incentive to share data and security information.

Examples of incentive programs have been seen in other large international organizations. The Council of Europe, the largest European organization focusing on human rights, cultural cooperation and the rule of law, requires national abolition of the death penalty as a condition of admission for all potential member states. Admission to the Council of Europe represents membership in the community of European nations, as well as access to aid programs and to legal and economic advisory resources.[28] A larger governing body that has a significant stake in improving cyber security among member states could mandate cyber security data sharing as a prerequisite for membership or to qualify for certain economic programs. The World Bank has identified cyber security in developing countries as a potential threat to the security of foreign direct investment in these countries.[29] An organization with significant political, economic or military clout could mandate cyber security data sharing as a precondition for membership or services. Alternatively, regional CERTs like AP-CERT could also mandate data sharing among their members in order to have access to certain services and resources, and could require data sharing from new members. More effective data sharing would significantly improve response to attacks and threats, as seen in the cooperative efforts of national CERTs and other cyber security entities assisting Georgia CERT to mitigate damage in the 2008 conflict.

VI. Conclusion

The global commons[30] of cyberspace has created a new frontier in the area of international relations. As the world becomes more interconnected through the internet, significant challenges to safeguarding national interests arise. CERTs can be an effective tool in managing and mitigating cybersecurity incidents and threats, as seen in the cooperative CERT effort in the 2008 cyber attacks against Georgia. However, lack of data sharing and cooperation among CERTs significantly limits their effectiveness. Providing incentives for CERTs to share their data can be a way to facilitate collaboration and improve cybersecurity. Similar efforts have been successfully employed in large international organizations to promote adoption of standards and laws among their members.

[27] European Network and Information Security Agency (ENISA), CERT Operational Gaps and Overlaps, December 2011 Report, pg. 4.
[28] Council of Europe, The Council of Europe is a Death Penalty Free Area, retrieved 10/23/12. <http://hub.coe.int/what-we-do/human-rights/death-penalty>.
[29] The World Bank Group, Cyber Security: A New Model for Protecting the Network, pg. 1. <http://siteresources.worldbank.org/EXTINFORMATIONANDCOMMUNICATIONANDTECHNOLOGIES/Resources/CyberSecurity.pdf>.
[30] Schreier, Fred, On Cyberwarfare.

Bibliography

Carr, Jeffrey, Inside Cyber Warfare, O'Reilly Media: 2012.

Choucri, Nazli, Cyberpolitics, Lecture Notes, Massachusetts Institute of Technology, Fall 2012.

Choucri, Nazli, Madnick, Stuart & Li, Xitong, Experiences and Challenges with using CERT Data to Analyze International Cyber Security, September 2009.

Council of Europe, The Council of Europe is a Death Penalty Free Area, retrieved 10/23/12. <http://hub.coe.int/what-we-do/human-rights/death-penalty>.

Cover image, retrieved 10/21/12. <http://www.shoreline-solutions.com/debit-credit-cardpersonalization-services-blog/2012/10/shoreline-supports-national-cyber-securityawareness-month-in-october/>.

ENISA, About ENISA, retrieved 10/23/12. <http://www.enisa.europa.eu/about-enisa>.

European Network and Information Security Agency (ENISA), CERT Operational Gaps and Overlaps, December 2011 Report. <http://www.enisa.europa.eu/activities/cert/other-work/files/operational-gaps-overlaps>.

International Telecommunication Union, Cybersecurity, retrieved 10/24/12. <http://www.itu.int/en/ITU-T/studygroups/com17/Pages/cybersecurity.aspx>.

Lomidze, Irakli, Cyber Attacks Against Georgia, Ministry of Justice of Georgia, Data Exchange Agency, 2011. <http://www.dea.gov.ge/uploads/GITI%202011/GITI2011_3.pdf>.

Madnick, Stuart, Cyberpolitics, Lecture Notes, Massachusetts Institute of Technology, Cambridge, MA, October 22.

Ottis, Rain, Scientist at Cooperative Cyber Defence Centre of Excellence, Interview, October 18, 2012.

Schreier, Fred, On Cyberwarfare, DCAF Horizon 2015 Working Paper No. 7. <http://www.dcaf.ch/Publications/On-Cyberwarfare>.

Software Engineering Institute, Carnegie Mellon, CERT Coordination Center (CERT/CC), accessed 10/17/12. <http://www.cert.org/certcc.html>.

Tikk, Eneken et al., Cyber Attacks Against Georgia: Legal Lessons Identified, Cooperative Cyber Defence Centre of Excellence (CCDCOE), NATO Unclassified version, November 2008: Tallinn, Estonia. <http://www.carlisle.army.mil/DIME/documents/Georgia%201%200.pdf>.

Tikk, Eneken, Kaska, Kadri & Vihul, Liis, International Cyber Incidents: Legal Considerations, Cooperative Cyber Defence Centre of Excellence (CCD COE) 2010. <http://www.ccdcoe.org/publications/books/legalconsiderations.pdf>.

United States Computer Emergency Readiness Team (US-CERT), About Us, accessed 10/17/12. <http://www.us-cert.gov/about-us/>.

The World Bank Group, Cyber Security: A New Model for Protecting the Network, pg. 1. <http://siteresources.worldbank.org/EXTINFORMATIONANDCOMMUNICATIONANDTECHNOLOGIES/Resources/CyberSecurity.pdf>.
