Virtual discussion at the GFCE Working Group A&B
Is there a need for an international approach to protect critical infrastructure (CI), and if so, why? Are there any additional sectors or dependencies which should be categorised as critical? What are the main existing and emerging threats and risks to CIP, considering emerging technologies such as Artificial Intelligence (AI)? What would minimum cybersecurity measures for CIP include? What are the examples of working regional/international arrangements to respond to ICT incidents affecting CI? And how do existing cyber norms assist stakeholders in promoting responsible behaviour in cyberspace and ensuring CIP?
On 27 May, the Global Forum on Cyber Expertise (GFCE) Working Groups A and B and the Geneva Dialogue on Responsible Behaviour in Cyberspace organised a joint interactive virtual discussion on the implementation of agreed cyber norms, including on critical infrastructure protection.
The session started with the presentation of the first chapter of the Geneva Manual, which focuses on norms related to supply chain security and the reporting of ICT vulnerabilities. The first chapter highlights the substantial role of the private sector in the implementation of these norms, but also acknowledges the critical function of civil society and academia in raising awareness about cybersecurity issues and influencing policy and corporate governance.
During the roundtable discussion, participants debated whether an international approach is needed to protect critical infrastructure, which is currently defined and regulated at the national level. Some participants supported a common approach based on guidelines to identify what constitutes critical infrastructure in different countries. They emphasized the need for a shared understanding of what critical infrastructure is. Additionally, participants highlighted the importance of informal communication channels in managing incidents and exchanging vulnerability information.
For the simulation exercise, participants were divided into two groups to play different roles: a telecommunications company as a critical infrastructure facility and a national cybersecurity agency. Each group received messages and questions to develop a response.
In the group representing a critical infrastructure facility, participants stressed the importance of clear roles and responsibilities between the facility operator and its service providers, as well as the implementation of zero-trust architecture. In the event of a data breach, security operations centers (SOCs) were noted as crucial for monitoring systems, whether on-premises or in the cloud. Clear communication with customers and authorities, based on detailed information and forensic analysis, was also highlighted as an essential step in incident response.
The discussions highlighted the complexities of responding to cybersecurity incidents, especially those involving third-party service providers. The exercise underscored the need for clear communication channels, international cooperation for cross-border cybersecurity threats, and robust incident response planning. Participants also noted the potential benefits of cyber insurance for recovery efforts after a cyberattack.
Another group discussed the security incident from the perspective of a national cybersecurity agency. They debated how much information to share with a neighboring country’s national CERT, which had been hit by a ransomware attack and was requesting assistance. The discussion considered the Traffic Light Protocol (TLP) classification and the implications of sharing sensitive information. They also discussed existing relationships between agencies and the need for a pre-established information-sharing platform. The importance of adhering to cyber norms and establishing a mechanism for mutual assistance in cybersecurity incidents was emphasized.
The session concluded by stressing the importance of the exercise in understanding the nuances of agreed-upon cyber norms and the need for preparedness and collaboration among stakeholders.