<br><br>On Tuesday, 12 July 2016, Dave Aitel <<a href="javascript:_e(%7B%7D,'cvml','dave.aitel@gmail.com');" target="_blank">dave.aitel@gmail.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><br></div><div><span style="line-height:1.5"><br></span></div><div><span style="line-height:1.5">Likewise, while it is annoying to have your CERT non-functional, a CNA attack on a CERT is not life-ending or otherwise special in any way - I'm not privy to whatever discussion at the UN/Tallinn drove them to the conclusion that a CERT was something special in the response fabric - one could as well label "Amazon AWS" as off limits. As much as I love the people on our CERTs, we have </span>duplicate<span style="line-height:1.5"> response effort in many different agencies (in particular, DHS/NSA/FBI/CIA/DOD). No sane country is going to take CNE against CERTs off the plate.</span></div><div></div></div></blockquote><div><br></div><div>Anything that fails a dodgy curry thought experiment (what if your entire team went for lunch and ate a bad curry which made them sick for a week) cannot be considered critical infrastructure because you've clearly shown it isn't important to you that much. </div><div><br></div><div>The second part is that UN/Tallinn conference attendees are often working at CERTs so there may be a certain conflict of interest there. </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div></div><div><span style="line-height:1.5"><br></span></div><div><span style="line-height:1.5">If what you're saying is: There are some places you should not attack, I would point out that the translation into cyber world is "There are some effects on systems you should try not to have". 
For example: "Trojan anything you want, but don't actually damage the dam system near NY because we will respond to that as it could cause massive loss of life and clean water".</span></div><div><span style="line-height:1.5"><br></span></div><div><span style="line-height:1.5">The thing that makes Cyber special here is that there is no end to the thread when you pull on it - there is no red line you can draw around a hospital or dam system. </span></div><div></div></div></blockquote><div><br></div><div>This is a very good point. CERTs are supposed to be purely defensive and it sort of holds true in "peacetime" with some exceptions like the alleged assistance FBI got from one of the CERTs to do some Tor hacking, but it cannot possibly hold true in "wartime" - where defending from an intrusion would involve perhaps a big DDoS of known C2 nodes or manipulating the global Internet routing table for some traffic redirection, inspection and black holing - all offensive actions. Besides, if YOU are the one attacking and you expect counter measures deployed against you, you might have a national CERT mitigate those counter measures that </div><br>
<br><br>-- <br>--<br>Konrads Smelkovs<br>Applied IT sorcery.<br>