Collaborating on international incident response

At the 2021 RSA Conference, a panel of experts discusses the need for better collaboration in thwarting cybercrime.

NotPetya crippled large companies around the globe, Sony Pictures was hacked in retaliation for releasing a movie, and more recently, ransomware hit Colonial Pipeline. These crimes are not just hard to explain on the news; they are also complicated for companies, law enforcement, and policy makers around the globe. The Internet does not care about borders, and an attack that originates in one country may victimize targets in several others, which makes jurisdiction genuinely tricky: the investigators, the victims, the infrastructure used, and the perpetrators may each sit under a different legal system.

The solution lies in communication, lots of it, and in collaboration. Stated that plainly, however, it sounds far simpler than it is in practice.

At RSA 2021, Craig Jones, INTERPOL's Director of Cybercrime; Jon A. Fanzun, Special Envoy for Cyber Foreign and Security Policy at Switzerland's Federal Department of Foreign Affairs (FDFA); and Serge Droz, Chair of FIRST (Forum of Incident Response and Security Teams), spoke on a panel called "The ticking 'cyber-bomb' and why there's no global policy response to fix value-chain risks." Kaspersky's Senior Manager of Public Affairs Anastasiya Kazakova moderated. The group discussed specific obstacles and considered possible ingredients for a global response.

The general consensus favors better collaboration and cross-border sharing of threat intelligence and security-related issues. However, jurisdiction is tied to territorial borders, which law-enforcement organizations must respect; unfortunately, we cannot say the same about criminals.

“Cybercriminals love ‘divide and conquer’ — if we’re divided, criminals flourish. That’s why this is our biggest challenge, much bigger than a technical challenge, to decide on how we all work better together,” explains Droz.

Droz's sentiment may sound dire, but cross-border collaboration has actually increased in recent years. Private companies, CERTs, law-enforcement agencies, and governments are beginning to work together to help victims. For example, the No More Ransom project has helped ransomware victims decrypt their files without paying the attackers. And recently, Europol, Bundeskriminalamt (Germany), Politie (Netherlands), Polisen (Sweden), the Australian Centre to Counter Child Exploitation, the Australian Federal Police and Queensland Police Service, the FBI and ICE (USA), and the Royal Canadian Mounted Police collaborated on a multinational takedown of prolific child sexual abuse platforms on the dark web.

Those examples give us all hope, but we need to do more. Specifically, we need organizations to embrace collaboration as the norm rather than the exception, and to treat cybercrime with the same seriousness as other crime. We also need to build greater trust to enable more information sharing and exchange across stakeholder groups and borders.

At Kaspersky, we see this collaboration as a three-step process that can help us prevent and respond to attacks on critical infrastructure:

  1. National points of contact (POCs) coordinate with the other relevant authorities in their country, organize regular cyberexercises, and develop cross-border procedures, tools, and templates (e.g., for incident assessments, requests for assistance, or responsible vulnerability exchange);
  2. In the event of an attack, the POCs connect the affected critical infrastructure organization with the appropriate software manufacturer, cybersecurity company, and CERTs for their country;
  3. The POCs then quickly exchange information on the threat, analyze it, and compare forensic samples so the incident can be remediated efficiently.

We envision such collaboration growing and leading to a brighter future.