What would it take to create a cyber Red Cross?
Duncan Hollis wasn’t revealing some grand unknown when he described the current global cybersecurity landscape as an “atmosphere of distrust.” But he is ready to start a discussion on what type of group can move the interconnected world past its current state of affairs.
Hollis was part of a New America Foundation panel Monday that examined how the world would go about creating a Red Cross for Cybersecurity. An international law professor at Temple University, Hollis said he’d like to see a federation sit atop global computer emergency readiness teams (CERTs) to act as a conduit for information sharing that bypasses the political mechanisms of any one nation. The organization would mirror how the International Committee of the Red Cross conducts its mission in war zones, independent of any governmental regime.
“Most of us think of the Red Cross as either very locally or internationally, but it’s both,” Hollis said. “It’s nongovernmental but not anti-government. It’s recognized, and governments appreciate it, but it doesn’t make the Red Cross an agent of any government.”
Hollis elaborated on the need for such an organization in a Time magazine op-ed piece earlier this month, where he wrote that CERTs could use “a network of assistance organizations, united in a commitment to independence, neutrality, and impartiality” to help strengthen the information they are collecting on various threats around the world.
Two panelists representing CERTs agreed that while they have the capacity to dissolve cyber threats, they could use help in communicating their findings to those who need their information.
Will Harvey, who helped create the United Kingdom’s CERT, said there should be a “focused effort on building collaborative partnerships with CERTs around the world.”
“Most of the problems were talking about can’t be solved by any one country on its own,” Harvey said.
Tom Millar, the chief of communications for the US-CERT, said the Red Cross analogy fits to further what most CERTs want to accomplish with their work.
“The value of this Red Cross analogy is that you have an entity with its proximate incentive — its real goal — is to ensure your business is operating safely and securely and the citizenry is safest from online threats,” Millar said.
Hollis said any sort of organization could start to reach that goal by establishing a set of international norms that sets a base level for all countries to act upon. With those levels established, this organization could react based on the gravity of situation, much like the Red Cross does with natural disasters or acts of war.
“Right now we’re not dealing with dead bodies, just bruised bank accounts and egos,” Hollis said. “International norms would do a great deal of good in terms of setting a base level of trust expectations between similar organizations and countries.”
Outside of the trust needed for such an organization to operate, the idea also faced skepticism from the event’s audience, with one member of the crowd asking how such an endeavor would ever be funded in the midst of already established information-sharing groups.
“Nobody is saying because we have a Red Cross, we shouldn’t have an OXFAM or a Doctors Without Borders,” Hollis said in response. “Unless you think the status quo is OK, we should be thinking of new ways to improve the overall status of cybersecurity.”