2. CHAPTER 2: THEORETICAL FRAMEWORK
2.8 Legal Aspect
Incidents can affect large numbers of people, businesses and services, and they can have public safety ramifications. Therefore, they are potentially of interest to the wider public. The role of media in informing about incidents is essential, and media-related activities may pop up all along the operational cycle of a reporting scheme. Because most of these activities concentrate around follow-up to an incident, we choose to discuss this issue here. Our research suggests that there are four kinds of situations where the reporting scheme's staff is most likely to work with the media:
1. Collecting information about incidents;
2. Answering queries from the media;
3. Distributing information about incidents;
4. Raising awareness about threats.
Collecting information. Media are valuable additional sources of information about incidents. Where the service providers do not feel motivated to report, or are impeded from reporting by external factors, media may be the first to bring an outage to the attention of the scheme's organizers. Media attention may also signal social sensitivity of an outage. Monitoring media coverage thus becomes important, especially in schemes with a rectification element, where the organizers may request the service provider to report about such incidents.
Answering queries. Many scheme organizers are approached by the media with queries about threats or particular incidents. While their public function obliges the organizers to inform, they also have to respect legal obligations for protecting privacy and business secrets. As argued in section 4.5.1 above, confidentiality is a major concern of the reporting parties, and indiscreet handling of the data might demolish trust in the scheme's staff. As a result, media policies need to delicately balance multiple obligations, a task which mustn't be underestimated. The respondents mostly recommended commenting generally on the type of incident, on its consequences for the public, vulnerabilities that people should be aware of, and other necessary details, while avoiding pointing fingers publicly at specific companies, or releasing specific company data about the incident. Issuing guidelines, training the staff appropriately and/or assigning the role of spokesperson are practical steps that may help in handling this issue.
[Regulator] "public relations experts are always involved, in order to ensure fast and competent response towards the media in case of requests."
Distributing information. In certain cases, the scheme organizers need to actively counter rumours or panic, to inform a large audience about an event, a threat, or a progressing incident response, or to distribute other critical information. The organizers rarely have better means to do this than through the media. For this purpose, again, it is vital to cultivate know-how in dealing with the media – e.g., organizing press conferences, producing and distributing news releases, etc. In certain cases this role is assigned to special organizations within the government sector with which the scheme staff cooperates.
[Government Ministry] "Where media can distribute information on the progress of incident response or actions to be taken by the public, the media co-ordinator which is close to/part of the crisis response team will cooperate with media. Also information from outside the crisis management teams / structure which is gathered by the media is used in decisions on the response actions."
FICORA Finland: In the case of a small-scale DDoS attack in Finland shortly after the 2007 attack on Estonia, FICORA reacted with a press conference in order to prevent panic and inform the public appropriately.
Raising awareness. Continuous awareness building belongs to regular operations, especially in cybersecurity failure prevention – or in other words, in the CERT area. There the organizers need to educate the public about vulnerabilities and threats, and also about good practices for avoiding further incidents. Again, media are an important channel for doing that. Maintaining up-to-date and well-structured web sites and keeping regular contact with the media via news releases, seminars, newsletters, email alerts, etc. belong to the best practices here.
INTECO CERT Spain: "A large number of media are subscribed to our advisories and alerts of our website so they are in contact with us. Sometimes the media contact us requesting more information or advice about security issues: alerts, advisories, etc. We believe in the importance of Web2.0, and especially RSS/XML applications in awareness raising activities."
Reporting schemes will typically interact with the media under several circumstances: when media report about an incident; when they request comment from the authorities about incidents; when the authorities need to communicate with the public about an incident, and when organizers need to raise awareness about incidents or threats.
Elaborate a media policy and train/employ staff for answering media queries.
Use media actively for distributing information about serious incidents or countering rumours and panic.
Develop a long-term media strategy for continuous awareness raising.
6 Managing Reporting Scheme
The previous three chapters have discussed how to identify an incident reporting need, how to engage cooperation and arrange concrete reporting procedures. Apart from these tasks, mostly located around the launch of the scheme, the scheme needs attention as it operates. On the one hand, incidents need to be monitored and evaluated in order to implement appropriate reactions: network topology upgrades, awareness raising, changes in cybersecurity or emergency response policies. On the other hand, the organizers need to manage the evolution of their scheme. Then it becomes important to collect feedback on the scheme's functioning and to plan improvements or extensions.
In this chapter, we will review three channels that may serve to monitor and manage the reporting scheme:
1. To analyze incidents individually and follow up with the incident owners;
2. To evaluate incidents statistically and draw lessons;
3. To manage long-term evolution of the scheme.
The practices quoted in this chapter should help in disseminating information to the constituency, requesting particular changes at the service provider's networks, collecting information on the scheme's functioning, and adjusting its structure as the nature of the challenge develops.
Figure 6: Key Tasks in Managing The Reporting Scheme