Canada needs a CERT

Over the weekend a twitter discussion led to an (oft-discussed) idea that we, the Canadian infosec community, need to start a CERT-like entity here in Canada (if you’re not Canadian and live in a country without a CERT, then keep reading but do a mental “s/Canada/$yourCountry/g”). Below are my initial thoughts (and some from the weekly podcast by Mr Arlen and Mr Lewis) on a few of the important questions we’ll need to explore in the coming months to actually build a national CERT.

What is a CERT?

A CERT, or Computer Emergency Response Team, is primarily a clearinghouse for infosec information, provides advisories or alerts to its members and acts as a coordination point between other CERTs, such as corporate CERTs or other regional CERTs.

There are many equivalent terms for a CERT – CSIRT (Computer Security Incident Response Team), CIRT (Computer Incident Response Team ) and WARP (Warning, Advice and Reporting Point) are just a few.

Why do we need a CERT?

I think the better question is, why don’t we need a CERT? I really couldn’t come up with an answer that didn’t sound like I was ignoring the importance of the internet and computers to the Canadian economy. To repurpose points from Brian Honan’s talk about IRISS, the Irish CERT, at Source Barcelona:

• We need a point of coordination for incidents otherwise we, as a country, can’t respond in a timely manner;
• We need a forum for providing unbiased guidance;
• The bad guys are collaborating, we should be too; and
• We need national capabilities to help protect the sectors of our economy that depend on the Internet and technology (which is pretty much all of them).

Also, a lot of our peers in the western world as well as trade partners around the globe have CERTs, they certainly aren’t any different from Canada and if they’ve decided it’s worthwhile why haven’t we?

What should our CERT do?

Our CERT should do pretty much what IRISS, the aforementioned Irish CERT, does. Brian Honan says it so much better, so just go watch his talk from SOURCE 2010 in Barcelona, slides are here.

In short, I think we should provide:

• A place for organizations to report incidents;
• Alerts and advisories;
• Trusted introduction to other CERTs; and
• Knowledge sharing.

Don’t we have that already?

We have some industry specific ones such as CFI-CERT that serve the Canadian Banks. We also have the CCIRC, run by PWGSC (Public Safety Canada), but that’s for national critical infrastructure only; there is CanCERT which you have to pay for access, which is kind of antithetical to the whole concept in my opinion. However, to be fair to the people at EWA (the folks that run CanCERT) there’s clearly a market need and they’re making some money by meeting that need.

Why hasn’t the Canadian government built a national CERT?

To be honest, I don’t know. I’ve heard multiple stories from others including:

• We think industry needs to do it;
• We don’t want to interfere in private sector;
• We have processes for dealing with the really big stuff that needs our attention;
• The RCMP and CSIS work with the relevant parties as needed; and
• We’re working on something, it’s coming soon.

Whatever the reason, to steal and butcher a line from a movie: “If you guys were going to create a national CERT, you’d have created a national CERT”. The short of it is, it needs to be done and if the government ever comes along with something meaningful, there no reason the efforts can’t coexist, collaborate and better protect Canada.

How will we operate this?

We’ll need to be cost conscious in this endeavour, in part because every dollar gathered will need to stretched and funding is not guaranteed at this point. Again taking a page from IRISS, volunteers probably make the most sense. The volunteer aspect also means you need to leverage technology to automate as much as you can otherwise you run the risk of burning out your volunteer base through sheer boredom. Technology will be needed to make this work and since this is a Canadian national CERT, I question the wisdom in leveraging resources or services located in other countries to deliver any part of this, most especially if we’re trying to encourage incident reporting. So while we might get away with volunteer labour, we’ll still need to pay for something, we’ll need to build something.

How are we going to pay for it?

That’s a good question, here are a few thoughts:

1. We’re probably not going to get any money from our government, at least not in the first few years till the CERT proves itself;
2. Charging fees for any of the CERT services will completely disincentivise potential users resulting in decreased adoption;
3. Vendor have money but their money isn’t free, displaying their logos in exchange is reasonable, but more than that may erode trust in what the CERT is trying to accomplish. However, sponsorship from IT companies outside the infosec industry might be the way to go, especially if they’re participating in the CERT community itself;
4. Charitable giving from benefactors or member sponsorship might be the way to go but securing a more than a one time commitment is essential to ensuring multi-year operating costs can be covered;
5. Kickstarter is de rigueur but it is just another form of donation although could be useful for the initial bootstrapping.

What are we going to call this thing?

CERT itself is a trademarked term, one has to apply to Carnegie Mellon University to use it. While I see a lot of value in getting the right to officially call it a CERT, it’s not required to started delivering value. What we call it isn’t critical at this juncture, but whatever we call it we will need to make sure it works in both English and French, we are Canadian after all.

What happens next?

Over the next few weeks, a few of us will put our heads together, consult with other CERT founders and then propose to the community at large a plan to move forward. Volunteers will be needed, members will be needed and eventually money will be needed, so stay tuned.