I’ve had three discussions in two days about whether Government CERTs are different from others, which makes it a FAQ! It seems to me that legislation may be heading that way, and that that could create a potential problem for sharing information.
Most CERTs act in the interests of a particular, reasonably well-defined, constituency. However, a Government CERT may also add a “national interests” role to its constituency role. That role may require them to share information and act in ways that other CERTs wouldn’t; it may also give them powers that other CERTs don’t have. Perhaps the clearest example of that is the Danish Government CERT, which is established and has powers assigned by the state through a special law that contains both powers and safeguards. There’s also a hint of a difference in the proposed European Data Protection Regulation, which states in Article 6(1) that “public authorities” – a category that might cover some government CERTs – cannot use the general “legitimate interests” justification that allows other CERTs to process personal data but must have those interests defined by law. There’s even a possibility that a Government CERT that also had powers to investigate criminal offences might fall outside the proposed Regulation and instead be covered by the proposed new Directive on Data Processing for Judicial Purposes.
If two CERTs are covered by different legislation (or even different parts of the same legislation) then that could hinder information sharing between them. If I have obtained information under one justification for one purpose and you want to use it for a different purpose and under a different justification, then the law may prevent me from releasing it to you (see, for example, Art 6(6) of the draft Regulation). Even if the law allows me to disclose the information, I may have concerns about any resulting change in how it may be used, or in the safeguards that will protect it, compared with what I advertise to my users. Increasing the powers of a Government CERT could, paradoxically, reduce the amount of information that other CERTs are able to share with it. Ultimately “what I would like to share” may be reduced to “what I am required to share”.
Interestingly, this problem has occurred before. When the UK’s National High-Tech Crime Unit was created, they were aware that businesses might not be willing to share private information if they thought there was a risk of it being used as evidence in a criminal case, in which case both the information and its source would be likely to become public. The NHTCU addressed this with a formal confidentiality charter (the original website is long gone, but an unofficial copy still exists) stating that they would only use shared information as intelligence and would neither disclose it nor use it as evidence unless the source explicitly agreed to this. Perhaps this might be a way to address the Government CERT issue – effectively to separate the “CERT” and “Government” functions of the team and use information only as a “normal” CERT unless the source specifically agreed to allow it to be used for the “Government” role?
However the problem is resolved, it’s important that we don’t allow a split to develop within the Incident Response community between those who are empowered to deal with criminal and national security issues and those who aren’t. As was highlighted by both CERTs and law enforcement at the FIRST/TF-CSIRT meeting last month, we need more cooperation to deal with crime on the Internet, not less.