National & International Information Sharing Model in Cybersecurity & CERTs
04 September 2014 - A Host Country Session on in Istanbul,Turkey
The following is the output of the real-time captioning taken during the IGF 2014 Istanbul, Turkey, meetings. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.
>> MODERATOR: Okay. (Language other than English). Yes. Right now I'm going to switch in English. I'm sorry. I started in Turkish. Now I'm switching in English. My main research focus is distributed artificial intelligence. One of my group is working on the area of cyber security and security.
As you know, cyber security is very important issue. It is not only an issue for the industry, it is an issue for society. One of the biggest challenges for the future is cyber security. That means to have a solution to protect us from the people who are attacking us.
I have the honor today to introduce to you some experts from my left side, Maarten, his origin is from Belgium. He is living in United States. And from the right side is Ali. Ali is -- his origin is, as me, is from Turkey, he is in the United States working for Microsoft. Mehmet is one of the security experts. Next panelists is Sacid Sarikaha, and he is responsible for the regulation and standardization and one of the areas is what we have to try to regulate, to try to develop some standardization is in cyber security. And the -- our last panelist Ali, he is working for a company whose origin is consulting company, but Ali is one of the cyber security experts. He is a member of the cyber security staff in Turkey.
I think each of them can introduce themselves later on. And if you allow, I will start to with Maarten. Maarten, you can try to explain to the audience about what you're feeling about cyber security, what you think is one of the largest issue for the society. It's all of the society. And the second question is, is what you think how the future -- a solution for the problem can look like.
>> MAARTEN VAN HORENBEECK: Thank you very much. And thank you very much to all the event and workshop organizers for inviting first to be here today.
First of all, I'll tell you a little bit more about the organization that I represent really does. First was -- is the form of incident response and security teams. And it was founded in 1989 shortly after the first internet worm. Incident response teams at the time needed to find a way to talk to each other and engage each other instantly when there was an incident.
One of the things that is extremely clear is that the internet holds the key to economic development, for people to be able to make a living and to be able to do business across the country borders. That is what we need to protect and that is really what cyber securities is about.
First this started out with a few cyber security teams in how to protect the internet. First, consists -- today, consists of over 500 security teams in over 66 countries across the world.
A very big key to what we see is the solution to the information security or cyber security problem is information sharing.
The ability to share information, to share expertise is incredibly crucial to making sure we deal with the security issues that exist today.
And in this workshop, I expect we'll end up talking about the mechanics of information sharing and what the best approach to that is. But in order to give me sort of entrance into it, I'd like to tell you a little bit about what we see as the prerequisite conditions to enabling information sharing.
So before you actually sign that agreement to share information with someone, before you actually decide to exchange information with another party, there are a couple of things that really need to be in place.
The very most important element of that is actually trust. People will only share and will only use information that shared if they know the people they're working with, if they have been able to work together before and the result of those exchanges has been positive. And finally, if they know the partners they are working with are trustworthy. You can know if someone is trustworthy either by working with them yourself or by having friends of yours decide whether they are trustworthy and you take the argument of those friends as very valuable. That is called vetting. Where someone says, "This organization is good to work with. It is good to include that organization in any information-sharing project."
Second, there is such a thing as capacity. It is not just important that you trust other partners. It's also important that when you share something with those partners, that you know that they are going to use that information in the way that you expect that they will use it and that they have the right capabilities to deal with the incident that you're describing.
And finally, you need technical systems and standards to be able to exchange that information. When you really trust someone and you have a large set of data that would be really useful for both of you to partner on dealing with an information security incident, you still need to find a way to share that information a good way that is actually use able. You can develop standards for how to work together, describe how to get the data and how to exchange it.
In a combination of those things, I would like to refer to it as connectedness. On the internet, we need connectivity and to be able to connect to each other and share information, but at the same time, we need a sense that we can connect with each other and that the data we're go to go share is actually going to be useful. I like to refer to that as "connectedness." It is a combination of having both the connectivity and also having a shared understanding of what will happen with the information.
Within first, the organization, the way that we actually implement the principles is, for instance, by vetting new team. We will work with that team and find sponsors that have already done work with them before and can confirm that they enjoined working with that team and that the collaboration with that team is successful. We will organize conferences and events. These teams have the ability to work together to exchange experiences on what they've done together. And finally, we will work on standards development and create ways that those teams can work together on how to share standards together and write the code together and that enables the sharing.
I know that was quite a bit. I hope it illustrates how we as an organization see the prerequisites to information sharing and how it's possible to share information at a very good technical level with all those prerequisites fulfills. So that really summarizes, I think, the core for what I think is is important when you engage in an information-sharing relationship.
>> MODERATOR: Okay. Thanks. Now, the Microsoft software is not too secure. I mean -- sorry. Mehmet, can you please describe your view to the cyber security and the solution, what your company is working on?
>> MEHMET AKCIN: Thank you very much. First of all, I would like to thank you for reminding me to speak here. It is an honor to speak to you guys. I would like to respond to you first of all about the comment that you made which is that Microsoft is not secure. I think I would like to look at the picture from a different angle which is that Microsoft has the biggest market share in the computer market, therefore, it is the biggest target for those who want to have bigger attacks.
That does not mean Microsoft is least secure. If you look at 2013 and 2012, amount of bug releases in each operating system. Actually, Microsoft had less bugs than Linux and Macro SX. I would like to ask a quick question: How many people in the room does not understand Turkish. I would go along with English. This would be the first time I speak my native language in my homeland, but it's not going to be. Don't worry. I will switch back and forth.
We sit down in several meetings, you know, long meetings. There are different subjects or discussions, you know, going on. Internet Governance Forum. I work for Microsoft and oversee high-level activities, internet governance and security.
Today I would like to speak about security, high level, but also with some very direct examples.
Computers were found somewhere like 25 years ago in terms of personal computers as we know it, right? At that time, nobody really think about doing anything malicious with these devices. All they wanted to do is some computing, writing text, printing, painting stuff, playing games.
But later on, obviously, some bad people happened to be around and they happened to do some bad things for computers, which we call "viruses." We have to have one of the founders of the internet with us today. When the internet came, the ability to distribute viruses amongst computers was even bigger. Now, everything was connected to each other. There was multiple websites to distribute these viruses.
It is not just computers now. Cell phones, tablets is part of cyber security thinking. It is internet of things, right? Everything that is connected to internet needs cyber security.
So Microsoft has a unit that is specially dedicated to fight with digital crime. I wanted to bring so many people from that unit here and I wanted to also bring people who work with this digital crimes unit, day to day. So I prepared a video. I haven't viewed them. And I would like to play that video for you. So could you please -- (Language other than English).
>> (Video). The shear scale of the challenge of cyber crime is far greater than anybody ever imagined before.
>> People are using their mobile phones to make transactions. People are on the web buying things more than they ever have before.
>> Over 90 percent of money is digital.
>> There is technology pieces on our side and technology pieces on the bad guys side as well.
>> I don't have to break into somebody's house to get something. This is international crime.
>> The answer to this problem is not simply a public prime. It is a public/private partnership and Microsoft is at the core of the solution.
>> Microsoft is game changing in the fight against cyber crime.
>> It's vital that we have a set of relationships where people can come together and not work at the speed of Government or the speed of business. But at the speed of cyber.
>> Now we're able to go on the offensive in a completely legal way using civil litigation actions using Microsoft resources.
>> We are able to make impactful changes by taking things to a much larger scale.
>> Hopefully we will see more coordination where Microsoft has muscles on the inside. We will not just follow-up, we will take them down, and we will utilize the knowledge to see if we can catch the perpetrators.
>> If we try to build the present in the image of the past, we would miss out entirely on the challenge of the future.
>> Because of the company of the Microsoft and the Digital Crimes Unit, the work they're doing is really heroic and I believe it represents enormous hope for the future.
>> Our goal is to take new steps forward to really ensure it's a lot harder in the future for cyber crime to pay off. (End video)
>> MEHMET AKCIN: First of all, this is a short example of what we do. I would like to give examples of what we do. You know a lot of computers are infected around the world. Some antiviruses systems don't even not find out these viruses. They have some sort of mechanisms to hide themselves.
So what we have is kind of like a special police operations kind of thing and I don't want to say "special police" because that is probably the worst way of explaining. It's like there are actual dedicated people who are looking for these infected machines on behalf of our customers who use Windows and then we detect them. We do everything possible to clean those machines.
So we have a second media which we will go into more details and actually explain some of the operations we make and that will be it.
So the second video (Language other than English). And that will be it for me.
>> (Video) Every year, criminals are getting more sophisticated in figuring out how to exploit the internet for purposes of doing harm to others.
>> These guys are really sophisticated. They're technology oriented.
>> It's everything from malicious code and computers virus. To child pornography, internet fraud.
>> Cyber crime is truly global crime. Transnational crime in nature that is different from what used to be.
>> There's no set boundary for where they might come from and no set boundary where they might attack. Especially if it is financially motivated.
>> The techniques of the adversaries keeps getting more sophisticated. It doesn't cost much to attack. It costs more to attack.
>> Giving more of our information to the cloud, you have to have a level of commitment from a company like Microsoft. The Cyber Crimes Center is integral.
>> We are at a critical time. The problem is getting worse. At the same time, our technology is getting much more sophisticated. It is clear that this is the time we harness the power of that technology so that we have the most powerful ability in the world to fight crime on the internet.
>> The Cyber Crimes Center is a place, a global headquarters. It is a place where our most talented lawyers, intelligence specialists work together with industry partners to combat cyber crime and investigate real cyber crime cases every minute of every day. That includes mapping capabilities. It includes malware detection capabilities. All sorts of forensic techniques that allow us to detect, monitor and control them.
>> We need global alliance.
>> Where there are bad guys in one country doing damage in another country, our ability to have a global footprint and be able to interact with law enforcement in all these different countries is essential.
>> It is important to work at the speed of cyber.
>> If you worked alone, what you would see is these complex networks. You would take down one site and another one pops up. It becomes a game of Wack 'Em All. We take things on a much larger scale because they have the visibility and expertise to do that.
>> Ultimately, though, everybody's wrong.
>> I think it's exciting this development of this Microsoft Cyber Crimes Center, with the technology, having it be 24/7. That is the type of response we need as a society.
>> Cyber defense is a team sport. Everybody has to be involved. It has to be a private sector. It has to be a public sector. It has to be international.
>> It's an obvious sign to enforcement that Microsoft is serious about cyber crime. That Microsoft is serious to work with law enforcement.
>> When there is a criminal anywhere in the world who is trying to separate an elderly person from their money, trying to defraud somebody, trying to steal their personal information, we have a better capability to connect the dots, follow the leads, work with law enforcement and ultimately prove to that criminal that this is not a way for them to make money.
>> Innovation is at the heart of Microsoft at the company. It is not just in how we make products. It is how we fight crime. This place is at the epicenter of our commitment to innovation in fighting crime.
>> It helps ensure that our customers get the benefit of all of this expertise. That they have a safer and reliable computing environment. It also enables us to do something for the world as a whole, we hope, in terms of ensuring everybody -- no matter what kind of computing device they're using -- can do so with more confidence. (End video)
>> MEHMET AKCIN: Thank you. I'll be happy to answer questions online or offline.
>> MODERATOR: Okay. Thank you very much. Thank you very much, Mehmet. So these videos show the dimension of the problems, and the second is the complexity of cyber security.
From my point of view, it is a complexity which brings us to the point we need some regulation in order that everybody from us using systems, clouds solution, all of the solution. I think we need something like the standardizations and regulations. I am fully convinced that we need regulations. And can you describe your position how the solution for the cyber security can look like? What's regulation?
>> I will try. Thank you very much. Good afternoon. I would like to thank the organizers forgiving me this opportunity. I am head of IT department in Turkey. I will try to share what is going on with cyber security and indent handling. I will try to share our experiences.
As you see, we have been studying about cyber security since 2008. From that year to now, many things has been changed as all over the world. Like in Turkey or so. Until 2012, we didn't have any entities or local bodies directly related to the cyber security issues.
After that time, in 2012, a high-level cyber security board has been established and this board is chaired by Minister of Maritime Affairs Transport and Communications. So there is a high-level representatives are different parts of the Government and organizations.
So this board created some rules and created an action plan in order to enhance the cyber security in Turkey. And we have until that, we have strategy for that. And in Turkey, everybody knows what to do -- what have to do for cyber security issues and also incident handling.
One of the most important things that covered by this action plan is incident response teams. How we share the information about cyber security because this is one of the most important things in the cyber world. If there is an incident, there is a security issue, then we have to share this information in order to get ready for these security breeches.
So incident response teams is one of the most important things that is captured by the action plan. In this action plan, critical infrastructures are also prioritized. So we deal with the critical infrastructures first, and then the other infrastructures.
And one of the most important infrastructures is electronic communications and we are regulating the electronic communications sector. We can regulate this area and we start to working about it. And we get collect -- collect some ideas and thoughts from the sector in order to find a good solution, a suitable solution for everyone. And we prepared regulations for our sector.
So where he decided -- ISPs have to create their cyber security response teams. As authority, also we created a CERT team in order to have communications with national CERTS and the other operators.
But this is not the start of our efforts. Before that, as I mentioned earlier, we started our studies in 2008. Between 2008 and 2012, we have conducted three cyber security exercises to enhance the capability of our operators as well as the national Governmental bodies in Turkey.
I believe these help enhancing cooperation and sharing and knowing each other. This is one of the most important things. This help us very much for our experiences.
And after that, we have -- after the action plan, we have national CERTS. All infrastructures, as well as the related bodies are connected to this national C-CERT. So we have a tree-like structure that is going top to down. And this makes us communicate easily and effectively.
And after that, we prepared some guidance documents and guidelines for C-CERTS in order to enhance our capabilities and create some standardization and you know, for better communications and so on.
So we believe that because we believe that it's very important to be in the same track because if someone do another type of regulation or another type of structure, create another type of structure, then there will be some difficulties to share our experiences or our information effectively.
So we create some guidelines and shared this where the related parties and published them. And after that, we are -- you know, focusing on helping improve our information-sharing model and how to enhance trust between the legal bodies and the other C-CERTS located in Turkey.
And to sum up, I can say five things that we learned from our experiences, how to -- you know, deal with the cyber incidents, how to create cyber security issues. So the most important thing, I believe, is creating a model. And this is -- this is critical, but you can use best practices because this is not the first time -- if you are creating some model. There are good examples -- best practices, and many of them are shared with public.
And this is the first thing that I can share. The second thing, enhancing -- sharing capabilities and willingness to share information is very important because we don't share any information. The system will not work. Then all the things that you have done goes to zero. Nothing. This is very important. As authority, we do some regulations in order to make our operators to do their duties or do their homework.
So if it's necessary, it becomes an important item to do regulations for this. And following up what is going on after creating such a model is very important because we see that some countries create some -- you know, C-CERTS, national C-CERTS and the model will not work because nobody is sharing, and nobody is following up on what is going on. And it's very important to educate the target, the C-CERTS and sharing experiences and make them on the same track.
And last, but not the least, seeking for more stakeholders is more important because cyber security is not in just national. It has national and international things that you can learn -- or you have to learn. To be more efficient, it's very important to share your willing -- sharing your information and other things with the other stakeholders. And thank you very much.
>> MODERATOR: Okay. Thank you very much. I forget to switch on. Thank you very much. Our next speaker is Ali. Ali is part of national security incident response study group and even as moderator, can you please describe your view of the cyber security -- you're working in this group as expert. Can you describe your viewpoint for the cyber security, the complexity, how a solution can look like. I mean, you are working on this solution, too. How a solution can look like for this problem.
>> ALI: Thank you very much for the question. And thank you very much for inviting ution as part of the initiative to this wonderful conference.
You know, throughout the panel, other panelists and throughout other sessions in the IGF, it has been noted again and again that it all comes down to trust between different stakeholders that are trying to achieve the same goal. Today, I think, when it comes to achieving a better cyber incident response capability, we'll have to emphasize it again, and you know, when we mention about a successful C-CERTS, it obviously depends on a number of parameters range from a set of clear goals, open communication, like Maarten mention, a good set of tools, people, training. Funding. Understanding the needs of different stakeholders as well.
It is not only collaboration between other C-CERTS, but collaboration between stakeholders, the need -- the openness to get feedback from the citizens, or if it's a C-CERT of a particular incident. Why is this important? It's quite simple, like all the videos Mehmet has shown. No C-CERT will have a complete set of technology, staff, know-how, or most importantly, data, to prepare for and respond to complex incidents, and we have seen many of these complex incidents in recent years. You have seen some in the media, and many of them you helped respond to, I'm sure of the
These incidents required cooperation between national C-CERTS, industry-wide C-CERTS and cyber crime units which are not typically considered C-CERTS.
Open communication and data sharing is a must in these instances we have seen. Often times, a particular threat might have been picked up by one C-CERT, but other C-CERTS might have missed it, and they will only recognize the threat when it is on their doorsteps and there is very little time to act on it.
I'm emphasizing trust, but you may be thinking, since we have a regulator or, why -- you know, just try to build trust and not enforce, by law, mandatory data sharing? Why not make it mandatory for all organizations to share particular type of data? That is one way to go about it, to make it by law. But there's contradictory research. There is research contradicting that. Research clearly shows that by making mandatory data-sharing laws, you actually under mind the existing trust or whatever trust you could have built by spending effort and you undermine all the future efforts. By putting one type of C-CERT is the hierarchy high above to the others and mandating some sort of information flow up to the C-CERTS that are higher in the hierarchy.
Good examples that have been shared throughout IGF continue to stress that there should be equal footing among C-CERTS like Maarten mentioned first, there has to be participation by different C-CERTS and they have to really showcase their capabilities and convince others that they have -- that they're delivering on the set of goals that they have promised.
So we believe that it's absolutely crucial that building trust instead of forcing each of these corporations or national organizations, Government institutions, to actually act on it.
Now, one way of fostering trust and delivering better results is obviously creating channels for collaboration. First that Maarten represents is an excellent channel. I want to follow-up with two examples of open communication platforms.
One example is from Turkey. The Turkish Government has realized the importance of trust and open communication and initiated the volunteer group called "Cyber Security Initiative." It is a good example of public/private partnership. It is comprised of several people. It is to help improve and influence the legislation and to make sure it adheres to good practices.
We have witnessed that different stakeholders view the cyber issue from different angles. Private sector demands one thing. The Government institutions have certain needs and the vendors are maybe not prepared to deliver on each of these needs. So we have witnessed that it is absolutely crucial to have all the stakeholders in one room as frequent as possible to discuss open issues and to help standardize certain processes and basically at the end of the day, help the legislators gain from their experience and needs.
And one of the topics as part of the initiative to be worked on is one of the National Incidence Response Group, which I'm part of. We need to focus on two areas. The information-sharing model with -- that should be part of the national C-CERTS, the industry-wide C-CERTS and the local C-CERTS as mandated by the law. The other one is conducting efficient cyber attack simulation or exercises.
As was mentioned, we have already -- as Turkey conducted, three of them, there were some international. But there's a lot of experience to be gained from other nations that have been conducting similar exercises. So we made that a priority in this working group, how we actually can conduct more efficient exercises. Why did we focus on these two things, information-sharing model and better exercises? These are tools to instill trust in the stakeholder community. When you perform exercises, you understand the capabilities and the weaknesses of other stakeholders, your peers, and when you have a standard model to share information, you're actually -- you actually get assurance and confidence that other parties will deliver as you expect them to.
The other example I want to give is from private sector as Mr. Shine mentioned, I work for a global organization. We have actually sponsored a group in World Economy Forum in 2012 in Dallas. The experience we have gathered helped us form a trusted community of 15 global corporations and public institutions that share cyber intelligence data among each other.
We have been running this experiment for about a year. Within that trusted community, the participants observed that before the experiment began, they all thought that the data stream that they already had was enough -- or good enough to respond to certain type of threats. But after the experiment -- you know, after a year -- they all realized that data collected and -- you know, basically shared between this trusted community is so much more valuable than what they had by themselves, that they want to continue the experiment. They want to fund this experiment and double the size of the community.
Various lessons have been learned throughout this experiment and we continue to learn new ones. Few is how to automate data sharing. Face-to-face is good collaboration, but at the end of the day, it's about intelligence feeds that need to be automated. How you govern a trusted community. Last but not least, cross-border information sharing which is a big challenge for all regulators in all countries.
In closing remarks, I want to encourage all of you to get in open dialogue. Motivate and push your public institutions as well as private stakeholders. Use platforms such as the Cyber Initiative in Turkey to gain from.
>> MODERATOR: Thank you very much for excellent contribution. Now we are switching to the next step -- next stage in our workshop. Right now, we would like if you have any question, you have the opportunity to ask our experts.
>> AUDIENCE MEMBER: Hello.
>> MODERATOR: Please switch off. Okay. It's okay.
>> AUDIENCE MEMBER: Okay. Hello. I want to ask something about the video we have seen.
>> MODERATOR: Sorry?
>> AUDIENCE MEMBER: Microsoft.
>> MODERATOR: Microsoft.
>> AUDIENCE MEMBER: Someone said 90% of money is digital. What is he talking about? Is he talking about bit coins? I want to understand what he is talking about. I don't imagine that really 90% of our money is digital. And not even the transactions -- unless you are talking about a certain country, a certain region, I don't know. But it is too much. 90% of money is digital?
>> I believe that those are the transactions that are online commerce or the money that is available via a computer access.
>> AUDIENCE MEMBER: Anyway, okay. Second question is that how do Microsoft -- I know, we have worked with Microsoft in Beirut and the Regional Bureau and they where are supportive for all of our cyber security activity. But about Cyber Crime Center, do you work on some capacity building?
>> I believe with the capacity, you mean training, correct?
>> AUDIENCE MEMBER: Exactly.
>> We do have several activities. First of all, I am not exactly sure about Beirut, if you're asking about Beirut. We had about 50 people attending in Istanbul. There are opportunities out there that we can be more active. We are happy to hear that, from academia and public sector. We know you are our customer.
>> AUDIENCE MEMBER: Exactly. They are doing great work. I'm not -- but I was asking to see if something has changed, if -- you know, sometimes it takes time to get the help we need or the experts we need, because you have work to do. Another question, please, for the Turkish expert who has spoken about the national team for cyber securities. It's pleasing to me that your team is under the Ministry of Maritime Affairs? Is that it?
>> No. It is under the telecommunications presidency.
>> AUDIENCE MEMBER: Aren't you say, you say, unique experience?
>> We can't hear you.
>> AUDIENCE MEMBER: As everyone knows, cyber security -- national cyber security concerns many entities.
>> AUDIENCE MEMBER: Like the Ministry of Interior, the Ministry of Defense. Communication. How come in your country, it is the TRA who is guiding or who has taken -- who is heading initiative?
>> Actually, as I said earlier, we have cyber security board. This board includes high-level entities of the Government. So Minister of Interior and also our authority and other entities are represented in this board. So this board decides what is a strategy, what is an action plan, what Turkish entities, what private sector has to do, and other things. So they are represented.
>> AUDIENCE MEMBER: It is more than clear what you said. What I want to understand is what do you really think of this issue? I think that cyber security is more general and it's broader than this --
>> Sure, you are right. But you have to deal with these issues regarding to the national security also, because --
>> AUDIENCE MEMBER: Exactly.
>> You have to deal with it. And also we are -- we are working with other entities like NGOs, other private sector companies as Alibe said. We are working with experts coming from universities, academia, private sectors, and to create a multi-stakeholder structure for, you know, dealing with the cyber security issues. The Cyber Security Counsel is not the only entity we have. We are trying to get everybody involved in Turkey as well as other people outside of Turkey.
>> AUDIENCE MEMBER: Thank you.
>> I want to add something quickly as well. I don't live in Turkey. From the outside, this is an effort led by BTK, however, it is not necessarily exclusive, but it's inclusive and it's open to anyone, my ministry, any participation that wants to collaborate. And that's pretty much how it is anywhere in the world.
>> Thank you.
>> MODERATOR: Thank you very much. We have questions here. This gentleman?
>> AUDIENCE MEMBER: Hello. My name is Patrick Carey and I'm from the British Federational Authority. I'm involved in the EU network information security platform which supports the development of the directive for network information security which is part of the EU cyber security strategy. So there is a lot of international interest in Europe as well as much, much wider looking at the requirements for incident notification, risk management and information sharing in particular across major sectors.
At the same time they are coordinating with NATO because different states can't have different solutions. It's too difficult. Ukraine came up yesterday and today in our cyber discussions. It would be helpful to know how your cyber journey might collaborate with these other major activities.
>> So it's all about supply and demand, right, at this moment what I understand from the initiative you carry there is some demand from our customers. Pretty much NATO and every Government is our customer. If there is a demand to enable opportunities, if there is a demand for us to enable new technologies where concerns towards enabling the communications in security --
>> AUDIENCE MEMBER: (Off mic).
>> As you said, there are -- you know, some different regulations regarding to network security network information security, so we also have some regulations regarding to them. And we also set some rules to the operators that is -- that has critical infrastructures. So we have to -- you know, create a minimum level of security in order to get, you know, secure all over the world. I believe that.
And also, we get deep into the EU's regulation regarding network information security and get many points from that. Also, standardization is very important and we use ISO standards, mainly 27001 regarding to, you know, information security management.
So these are the things, but -- these are things that I can say. So ...
>> I would like to add to that briefly. The current state of Turkish collaboration with international efforts in setting standards or sharing information is -- has multiple fronts. One of them is through actual -- the foreign capital in -- you know -- has invested a lot in current infrastructure. From telecoms to investigation, there has been a lot of foreign capital invested in Turkey. Information trickles down and the efforts that has been happening in EU headquarters and US headquarters, it trickles down to Turkey.
From a regulation standpoint, we as the private sector, participants, observe that our regulation -- whether that be the financial regulators, or the energy regulator really benefits from the efforts that have been ongoing in EU, or otherwise, like the ISO standards and our registration gets drafted most of the time in accordance with that. How we form C-CERTS in all of the critical structures players. What we lack is two-way communication. Part of that might be that we don't feel mature enough to contribute. I feel that needs to change quickly. There's been a lot of effort in Turkey to speed things up when it comes to cyber security. I think we need to be represented in all these efforts, whether that be by some Government institutions or some other non-profit institutions like the Cyber Security Initiative.
>> MODERATOR: We have two questions, I think. Yeah.
>> AUDIENCE MEMBER: My question is going to be a little bit public, private, communication, not relation, communication. At the end of the day, regulatory is making some regulation and establishing some bodies like incident response team and such kind of thing. Did Turkish Government make communication where vendors like Microsoft and other companies? If it is a software company, did Government make communication with other vendors in order to get open points of the subjects to close, or other vendors. Did you make physical communication? Do you have such kind of -- did you have such kind of study?
>> Thank you. Actually, we have a live person here who is -- you know, attending and -- one of the responsible of the groups that we are created. We created cyber security issue. I cannot tell how many of the private sectors are private sector companies are involved in this, but there are many. For example, Microsoft is one of them.
>> AUDIENCE MEMBER: 67.
>> We are closely working with the private sector because it is one of the most important parts of the cyber security world. So we cannot go through and we can not -- you know, enhance our capabilities. And we are doing it. And try to enhance this cooperation. Thank you.
>> I thought I would chime in on that because I like to hear that there is so much collaboration between the public sector and the private sector. There was one case study that I thought would illustrate well how that can actually be done in a very, very positive effect. So to give you just one example in Luxembourg quite recently, the national CERT started operating a national C-CERTS together, and people could go and adopt it. They operated in such a way that they actually provide access to this information-sharing tool for all companies that are actually based in Luxembourg. It is a way to enable information sharing in one of the CERTS in the private sector.
To many larger corporations, it seems that data has to be very specific to be useful. Security incident data has to be very detailed to be useful. And the reality is that for most corporations that are actually at a fairly low level of sophistication, even information that is in the public domain, it can be enhanced. There is a lot of information that is out there but people cannot put it together because it is so diverse. A national C-CERT is able to put together both the vulnerability data that comes from vendors such as Microsoft together with the local contacts that makes local enterprise have something to act on. It is something that is being done in Luxembourg. Thanks for the question, also.
>> MODERATOR: Thank you for your contribution. Our next question.
>> AUDIENCE MEMBER: My question is related to (indiscernible). Do you think that cloud saves are safe or secure? And my second question, what kind of action did Microsoft take after this incident?
>> Really good question, actually, actual question. It's kind of hard to answer. There are certain people who are target. There are -- it's -- first of all, you know, I'm not going to speak on behalf of Apple's iCloud pictures. There were celebrity pictures that were leaked. I don't know if you know. Apple made public announcement about this.
Is cloud safe? I would ask this question. Cloud is an environment where there are multiple aspects of the operation is shared. What logically is considered not to be shared is not shared. Having said that, there are multiple ways that Microsoft is working to make sure the cloud services is secure. And I can refer you to actually to an address for what we do for security. But the problem -- especially with the question you ask, is that there are some targets. When there is a big target like that, security measurements should probably be elevated.
>> MODERATOR: Anybody else wants to answer that? One more question from the back. We have one more question.
>> Can we get the mic?
>> AUDIENCE MEMBER: Well thank you for the panel. Good afternoon. I have a question related, again, to the concept of the critical infrastructure. I come from academia. And from an academic point of view, the critical infrastructure is defined as the theme of the things that are kind of related to the well being, the survival of a national state, a country.
In most country, this is shared heavily, the private sector, by the Government. How you -- how do you manage this concept of sharing information that you emphasize whether it is related to the critical infrastructure? I'm asking this because the critical infrastructure is that part of cyber security related to national security. Thank you.
>> MODERATOR: We have several experts who can answer this question. The information that was shared as I understood which was information where we have experience in where we can share information in order to avoid any incident. As you heard, incidence response -- one of our goal is try to avoid incidents. One solution for that to share information to get -- collect experience, to share that, but it is not sharing of information about the critical infrastructure. How is the architecture of the critical infrastructure -- let me say, the critical infrastructure today, we have electricity, power on telecommunication, we have a lot of -- I mean, the problem is really very complex. It is cyber security -- it is issue that critical infrastructure, as you know, the smart grid, where a cyber security issue is very important. To have a solution for that.
From my point of view, in spite of that, it is very important to share information, to collect information, and information -- information, I mean, experiences, information in order to avoid incident. Okay. I think --
>> (Off mic)
>> As experts mentioned, you cannot force to share information. Actually, this is very important thing. This -- an incident can be, you know, effect the national security. And this should be shared with the -- you know, national CERTS or other C-CERTS and others. But you cannot force it.
This is why we have mentioned building trust is very important. So if you build trust, and if the -- if an operator or a private company has a trust and you have -- if you have built it, then they will share it. Otherwise they will have some concerns regarding to their entity or their company. So they will not share.
But this is why we are trying to enhance trust. Thank you very much.
>> AUDIENCE MEMBER: Thank you very much.
>> MODERATOR: There is a remote person who has question.
>> REMOTE MODERATOR: We have a question from a remote participant. What is the plan for the next cyber exercises in terms of national and international.
>> Thank you very much. As I said earlier, we have done three national exercises and one international. The international one is conducted this year in 2014. The next year, we are planning to do a national exercise. And in 2016, we are planning to do an international one. This is the plan. But I don't know if we can manage or not. Thank you.
>> MODERATOR: Any other questions? Any other questions from audience? No? Good. We are going to summarize our session. I would like to give all of our -- each of our panelists to give the last statement. Maarten.
>> MAARTEN VAN HORENBEECK: I think during this session you heard a lot of interesting things about what happened here in Turkey. Some of these things that are take-aways, for me, there is a lot of interest in both using regulation where it's necessary, at the same time also using with bottom-up processes where the C-CERT has an interest in what is happening in Turkey. That is the key take away. One organization with not go it alone.
In order to deal with security problems, we need to build partnerships between different organizations that each have their role. Mehmet presented a few great videos that actually show that the role of an organization like Microsoft is also very important. These companies have access to certain data that can really help drive investigations into bad activity on the internet. At the same time other organizations have a role in responding to those incidents.
And the role for us, really, as people who are here at the IGF is to really be able to find where those relationships matter and make sure that the right people connect with each other so we can all put together a framework in which we can deal with incidents comprehensively, where there is a compromised machine, where the attack originates, all the way to where it can be addressed, both at the software level and at the network level. I think those are for me the things that I walk away from this session. I would like to thank everybody from participating. And also the audience.
>> Yesterday I was in a different room. The subject was very similar cyber security and I heard this comment where people were discussing about cyber security a few years ago -- many years ago. And a comment struck my head which was "When internet was found, everybody trusted each other. And later on, the trust fall." Right now, it's not high trust anymore. It is no trust. I think there is no trust anymore. We are in public. The environment that you have trust is actually the people that you establish that. Especially speaking in the cyber security area we have all mentioned that establishing that trust is very important. Keeping that trust level active is important because roles change, people change, but operations stay.
So it's very important for us to keep the communication channels open where we can collaborate and a company -- I represent a company the size of Microsoft and I am sure what we do is in different levels are done by different companies like Google, Yahoo,
et cetera. We can't do it ourselves.
>> Thank you. It is important to get together with the different sectors like private sectors, NGOs, academia, et cetera, in order to create a better cyber world by means of security. So we are going to be in an enhanced position for this, and we are trying to enhance our cooperation capabilities and also as Maarten said, there are many case studies. Best practices. There was a best practices forum regarding C-CERTS. There are many resources, documents and other things that you can learn many things about the experiences. So this is the things that I can say for today. Thank you very much.
>> Referring back to the question from the lady at the back, you know, how do critical infrastructure providers share with each other information, and why would they do that? Fundamentally, humans are very good at receiving help when they feel threatened. We would always raise our hand and hope somebody would pick us up from that horrible situation we are in. It is a question whether the organization or the nations really recognize the size of the threat that's at their doorsteps. Not one celebrity could have fought what happened to them in the last few days. Neither could one company fight back to the size of the threat.
So we just have to realize that none of us, alone, including even -- you know, a nation itself with a lot of resources can tackle the problem alone. One we realize that, I think, the human nature will prevail and we will ask for help and we will find partners we can trust and find a way to exchange information.
>> MODERATOR: Thank you very much. Let me thank the organizer first of all, and his staff, who organized this very, very fruitful event. And it allowed us to such a subject which is very hot. We've understood the cyber security issue. It's a very hot topics, but very complex problem. We realize nobody is able to solve this problem alone; therefore we need for the solution, different type of skills where we bring all of them together to solve them.
Cyber security is a challenge for the society. From my point of the view, the solution has several dimensions: One is education. Education -- meaning of education is for me, one hand is to educate students. Other hand to do training for the employees -- company employees, not only for the employees to inform the society about the problems. Other part of the solution is the research -- that means work on the solution. Work on the different aspect of the solution. And the last part -- last dimension is from my point of the view is regulation and standardizations. I mean, we heard about cloud technology. From my point of the view, it is necessary for the future.
We have to define some regulations where -- which allow ution to check our systems even for the cloud technology, cloud solution, to protect our society and to protect our companies from this type of attack, this type of risks in order to avoid the incidents. Thank you very much for your attention and you have opportunity to discuss with the panelists our workshop. Thank you very much for the excellent contribution. Thank you very much.