Diversity and Cyber Resilience: Views of an Incident Responder

24 March 2021
Diversity and Cyber Resilience: Views of an Incident Responder

There is no doubt that the internet today has become one of the largest global infrastructures. Many individuals’ livelihoods and incomes depend on it as do some of the largest companies and economies. Security teams from the private and public sectors spend significant resources protecting users from crime or malicious cyber operations.[1] At first glance, this seems to be working well so far: most users conduct business online and most states still feel its advantageous to connect, rather than disconnect from the internet. However, a deeper look will show that security experts and policy makers today base their decisions on biased and incomplete information, leaving large segments of the population vulnerable to cyber threats.

Far too often defenders and policy makers lack the required diversity in terms of gender, geographical origin, expertise, as well as the ability to engage with others. This creates significant risks as adversaries can exploit the gaps in threat intelligence and come up with ever new ways to take advantage of blind spots.[2]

For instance, attacks on civil society, while widespread, are not present in commercial threat intelligence feeds; that is, the information that allows security specialists to identify attacks. Similarly, gender-based abuse, in particular the targeting of women, rarely makes it on the agenda of policy makers or defenders or often remains a well-meaning line without any consequences. Another example is the failure of large social media networks to take cultural divergences and value systems of users into account. Misuse is assessed according to values and standards appropriate for the location of their headquarters and often ignores the concerns of users from other cultures or locations.

One of the causes of those problems is illustrated looking at the source of threat intelligence. Most threat intelligence is provided by organizations with specific agendas. Private security companies cater to possible customers, while states typically take a political stance focusing on strategic assets. In the short term this may be effective, but in the long run it can be disastrous. Victims not on the radar of security firms or states often lack the resources to detect and investigate attacks, or fear that publishing their results may further victimize them.

Ensuring that cyberspace remains free, open and secure requires a comprehensive picture of the threat landscape and a collaboration of security teams across the globe. In this respect cyberspace differs significantly from the physical realm. In the internet, actions by one actor may affect anyone else, a small group of actors may bring down an entire nation while at the same time nation states may target individuals outside their territory.

To tackle these issues, Computer Security Incident Response Teams (CSIRTs) have, for many years, collaborated across borders, driven by a common goal: protecting their users and preventing incidents from spreading.[3] What often starts as a reluctant first request for help frequently turns into a solid collaboration creating a lot of value. This common history of collaboration not only creates trust, but also fosters an understanding of the other party’s context and setting. 

It is interesting though to look at the incident response community in some more detail. It can be considered the oldest security community in the internet. It thus already carries a historic burden: Formed over thirty years ago it has been shaped by mostly men from North America and Europe who then dominated engineering professions. This has carried to present days, as noted by a new UNIDIR report: “the informality of cybersecurity response communities – often composed of close trust networks formed through years of interaction – means that they may have lower participation from women and minoritized group”. CSIRTs have been very successful, mostly because they collaborate, are informal and operate in close and trusted circles. Yet exactly this may have led to a lack of diversity in terms of gender, culture and geography.

Diversity is needed horizontally and vertically to enhance cyber resilience. Policy makers need to consult with operators, i.e. the tech community, and vice versa. And it is important that all affected parties sit at the table, including users. This is challenging, as all these groups are not uniform, but diverse in itself. There is no standard user and an Internet service provider in an emerging economy probably faces different problems than its peer in central Europe. Moreover, the next four billion users coming online will likely use the internet in very different ways than the average user today. After all, that is one of the Internet’s amazing feats: providing a fertile ground for innovation, good and bad.

To effectively address these challenges, the UN Secretary-General’s 2020 Roadmap for Digital Cooperation proposes a way forward, founded on “an unprecedented mix of disciplines and sectors and geographic, gender and age diversity”. The Secretary-General’s message needs to be heard and implemented. Doing so will require voluntary measures as much as regulatory guidelines.

[1] Malicious cyber operations refer to any activities that violate national or international law victimizing targets. While criminals usually conduct such action for financial profits states do so to promote their interests, e.g. surveilling critics or achieving a military objective. 

[2] Threat intelligence includes technical information, such as internet addresses or e-mail addresses used by attackers, but also more general descriptions of the modus operandi particular to a specific actor.

[3] CSIRTs can be considered the fire fighters of the internet. These teams stop attacks the moment they are detected and ensure that victims are protected, and services can be resumed as fast as possible. CSIRT are typically not involved in attribution or prosecution, i.e. they are neutral and rely heavily on collaboration.

Serge Droz is a senior IT-Security expert and seasoned incident responder, working as the head of security at ProtonMail. He studied physics at ETH Zurich and the University of Alberta, Canada and holds a PhD in theoretical astrophysics. He has worked in private industry and academia in Switzerland and Canada in different security roles, at a national CERT in Switzerland for more than 20 years.

Serge is the chair of the board of directors of FIRST (Forum for Incident Response and Security Teams), the premier organisation of recognised global leaders in incident response. In this role he actively participates in discussion relating to cyber security at various policy bodies, in particular related to norm building.