I attended the 27th Annual FIRST conference in Berlin recently. I have attended regularly for the last four years, and this year I noticed a couple of important things. Firstly, if you’ll forgive the pun, there was an increase in people working on cyber-risk metrics. Secondly, people were very interested in the work we do here at the Centre for Risk Studies. They asked lively, challenging questions around cyber-insurance, how we quantify risks, and how our economic and macro-economic work is going.
When I am funded to attend a conference (where I also delivered two presentations), I always try to write up some of the sessions I saw to give maximum value to the work I do. So without further ado…
As I was presenting on the first day, I missed the beginning of Mariko Miya’s presentation but managed to catch the second half by standing at the back. She is preparing cyber security for the 2020 Olympic Games in Tokyo, and she is spending time learning from other countries’ experiences in cyber-security during their hosting of the Olympic Games. I have great admiration for our Japanese professionals when it comes to cyber-security and incident response; they often plan ahead strategically while most of us are fighting fires.
As if to illustrate my point about the uptick in metrics research and my esteem for the Japanese digital forensics and incident response (#DFIR) community, you should have seen Yurie Ito and Wes Young’s presentation! Unfortunately, it is not available online as a PDF from the conference, but it was very good. Lucky for you, dear readers, I can share their new website and collaborative project. They are in need of statisticians, economists, and risk researchers to help them make the site better and more useful. They are both seasoned techies and capable incident handlers and, as such, they seek the advice of other experts where necessary. The readers of this blog would be ideal candidates to assist them in quantifying cyber-risk in a light and usable national categorisation.
Andrew Cormack is always on hand at FIRST to help with legal advice, regulation studies, privacy principles, and encouragement. This year was no exception, and he was seen around the halls encouraging young researchers and giving them hints on protecting their work legally, and good principles for future situations. He is quite tireless in this, and well known accordingly.
Eric Zielinski was someone I met randomly in what we call “the hallway track” – the phenomenon by which an attendee can learn just as much milling about in the hall making new contacts as they can attending official presentations. His work on statistics of incidents with R ought to interest our insurance readers very much.
For those of you wondering why we don’t yet have a standard measure of cyber risk, I refer you to the brilliantly simple illustration of standardisation problems in vulnerability reporting by Manion, Uchiyama, and Terada. It is painful for the community to admit and yet speaks volumes about why we’re still working on risk metrics 27 years after the advent of the first “internet worm”.
I have left out many fantastic presentations, but I hope you’ll read more widely about the digital forensics and incident response community. A number of other people have blogged too, so don’t just take my word for it.
Referring to the title of this post: I believe the FIRST community is an emergent immuno-response to malicious behaviour on the internet. As it becomes apparent to society that there is a growing number of embedded security risks in the products we rely on day to day, those who choose to protect the wider internet, regardless of personal or corporate profit, collaborate. They gather together and exchange signatures of “bad-ness”, enumerating the ills they come across. They may work for countries but they know that a country cannot protect itself unilaterally in cyber space. Their goal is the health of the whole system and not only the part they inhabit. Like white blood cells, they roam the system helping where they can and handling new issues every single day.