Nº 2 2014 > Cybersecurity
ITU consolidates global alliance against cyberthreats
The battle to eradicate misuse of information and communication technologies (ICT) for criminal or other purposes has yet to be won as challenges to cybersecurity such as denial-of-service attacks, identity and data theft, and destructive malware proliferate and become more sophisticated.
In line with its Global Cybersecurity Agenda, ITU has consolidated its global alliance with governments, academia and industry experts to promote a culture of cybersecurity awareness and a holistic approach to counter misuses of online networks. Altogether 149 ITU Member States have joined the coalition, cooperating among themselves and with ITU at the global level.
In collaboration with United Nations agencies, other international organizations and the European Commission, and in association with IMPACT — the International Multilateral Partnership against Cyber Threats — ITU is helping countries around the world to address cybersecurity challenges.
Some 50 countries have received assistance to assess their national cybersecurity preparedness and response capabilities since the World Telecommunication Development Conference in 2010 (WTDC‑10). Five countries (Burkina Faso, Kenya, Montenegro, Uganda and Zambia) have received support to set up a national computer incident response team (CIRT) and eight others (Barbados, Burundi, Côte d’Ivoire, Cyprus, Ghana, Jamaica, Tanzania, and Trinidad and Tobago) are currently receiving assistance to do likewise.
The cybersecurity needs of the least developed countries are the focus of particular attention under ITU’s “Enhancing Cybersecurity in Least Developed Countries” project.
Member States also have access to ITU’s comprehensive cybersecurity-related research, analysis and training materials.
ITU has also established formal cooperation with cybersecurity companies such as Symantec and Trend Micro, which have agreed to share information on current and emerging global cyberthreat trends, as well as with the United Nations Office on Drugs and Crime to build mechanisms to counter cybercrime. In addition, ITU is working with the global Forum for Incident Response and Security Teams (FIRST) — the world’s biggest computer incident response teams association — to share best practice on how to develop national incident response capabilities and, through IMPACT, with INTERPOL to synergize with the law enforcement community.
Another key component of ITU’s Global Cybersecurity Agenda is its Child Online Protection initiative established in conjunction with other United Nations agencies and partners as an international collaborative network for action to promote safe online behaviour. In this regard, specific guidelines have been developed for children, parents, guardians, educators, industry and policy-makers.
Harmonization of cybersecurity legal frameworks
A persistent concern is the lack of harmonization of cybersecurity-related legislation, which makes it difficult to investigate and prosecute offenders if the categorization of cybercrimes and other misuses of cyberspace differs from country to country. In response, ITU is familiarizing selected countries with legal aspects of cybersecurity and helping to harmonize their legal frameworks with a view to making them applicable and interoperable across the world. An example of ITU’s cybercrime legislation resources is its publication (in six languages) entitled “Understanding Cybercrime: A Guide for Developing Countries and the Toolkit for Cybercrime Legislation”.
Responding to cyberattacks
IMPACT’s centre in Malaysia is playing a key role in supporting ITU’s mandate on cybersecurity to introduce technical measures to combat new and evolving cyberthreats. Designed to be the world’s foremost cyber-threat information resource, the centre has been set up to deploy an early warning system and to provide timely guidance to countries under cyberattack. It also plans to link designated ICT experts in ITU Member States to a dedicated communication network that will enable them to mount a collaborative response to cybersecurity emergencies at short notice.
The essential role of cybersecurity training
The important role that ICT play today in providing services in sectors as varied as health, education, finance and commerce highlights the paramount need to be aware of both the opportunities offered by a secure cyberenvironment and the threats inherent to cyberspace. Today, however, there is a shortage of qualified cybersecurity professionals in all countries — including the most technologically advanced among them.
To help bridge this gap, ITU has organized cybersecurity training workshops for more than 2700 government officials, regulators and public and private sector ICT professionals around the world. The workshops cover various technical and policy aspects of ICT security, including malware analysis and investigation, securing networks and forensics. Some of these workshops feature mock trials to test participants’ knowledge of national legal frameworks applicable to cyber-related offences. In addition, several national computer incident response teams around the world have taken part in ITU-IMPACT cyber drills conducted within simulated cyberattack scenarios to test their communication and response capabilities in emergencies.
Following are snapshots of how ITU has been helping to address cybersecurity issues since WTDC‑10 in the Africa, Americas, Asia-Pacific, Commonwealth of Independent States and Europe regions. Information on cybersecurity developments in the Arab world is contained in the article focusing on the Arab region (see https://itunews.itu.int/En/4943-Arab-States-BR-Digital-connectivity-gaining-ground-in-the-Arab-world.note.aspx).
Africa
In the framework of a joint ITU-European Commission project to create harmonized ICT policies and an efficient regulatory environment in African, Caribbean and Pacific countries, model policies on cybercrimes, electronic transactions and data protection have been developed and are now being transposed into domestic legislation.
Under the project known as HIPSSA (Support for the Harmonization of ICT Policies in Sub-Saharan Africa), input was provided to the African Union to develop a continent-wide Convention on Cybersecurity.
Many African countries have benefited from ITU-IMPACT assessments of their cyberthreat preparedness and response capabilities (Botswana, Burkina Faso, Burundi, Cameroon, Chad, Côte d’Ivoire, Democratic Republic of the Congo, Ethiopia, Gabon, Gambia, Ghana, Lesotho, Mali, Niger, Nigeria, Kenya, Senegal, Sierra Leone, Swaziland, Tanzania, Togo, Uganda, Zambia and Zimbabwe). Since 2010, four of them (Burkina Faso, Kenya, Uganda and Zambia) have set up computer incident response teams and four others (Burundi, Ghana, Côte d’Ivoire and Tanzania) are in the process of doing likewise, with ITU-IMPACT support.
Various other cybersecurity initiatives are foreseen in Africa, and in July 2013 Nigeria’s Communications Commission signed a Memorandum of Understanding with ITU to set up a regional cybersecurity centre in Nigeria. This regional centre will facilitate collaboration on combating cyberthreats at the regional and national levels—with an emphasis on activities related to protecting children online.
An ITU-led series of Africa Child Online Protection summits is also planned to identify risks and vulnerabilities to children in cyberspace, to develop practical tools to help minimize risks, and to share knowledge and experience. In 2013, the First Lady of Nigeria, Dame Patience Goodluck Jonathan, graciously agreed to be ITU’s Champion for Child Online Protection.
Finally, in 2014, ITU-IMPACT will organize a training workshop for African country computer incident response team personnel during which a simulated cyberattack will be staged to test their computer-incident preparedness and response skills.
Asia-Pacific
Joint action by ITU and the Association of Southeast Asian Nations (ASEAN) has increased regional cooperation to address cybersecurity challenges. It has also been instrumental in strengthening the capacities of several least developed or developing countries to counter cybersecurity threats and manage related emergencies.
Cambodia, Lao P.D.R., Myanmar and Viet Nam are among the countries to have received direct assistance in this regard in recent years. Cooperation on cybersecurity issues between these countries was enhanced following their participation in an ITU/ASEAN subregional workshop held in Myanmar in 2011. The workshop focused on national computer incident response team policies, procedures, best practices, challenges and opportunities.
Cooperation between Asia-Pacific countries on combating cybercrime was further consolidated at a regional workshop organized by ITU and the United Nations Office on Drugs and Crime (UNODC) in Seoul, Republic of Korea in 2011.
In partnership with IMPACT, ITU has continued to assess the capacity of existing national computer incident response teams of several Asia-Pacific countries to manage cybersecurity emergencies, to help set up these teams in countries where they do not exist, and to provide training and material assistance. Afghanistan, Bangladesh, Brunei, Bhutan, Cambodia, Lao P.D.R., Maldives, Myanmar, Nepal, Sri Lanka and Viet Nam have received various forms of assistance to bolster their cybersecurity in recent years.
Americas
Several countries in the region are benefiting from ITU expertise on cyberthreats. Since 2012, ITU-IMPACT cyberthreat preparedness assessments have been conducted in 15 countries in the Americas (Anguilla, Antigua and Barbuda, Barbados, Costa Rica, Dominica, Dominican Republic, Grenada, Ecuador, Haiti, Honduras, Panama, Saint Kitts and Nevis, Saint Lucia, Suriname, and Trinidad and Tobago).
Memoranda of Understanding have been signed with Barbados and Jamaica to establish national critical incident response teams and discussions are under way to do likewise in Trinidad and Tobago. Furthermore, plans have been agreed to create a subregional critical incident response team overseen by the Organisation of Eastern Caribbean States. ITU-IMPACT will provide the necessary technical input and training to establish and manage these critical incident response teams, which aim to strengthen national cybersecurity capacity and to enhance regional and international collaboration in this domain.
In collaboration with the Latin American and Caribbean Internet Registry (LACNIC) the first edition of the ITU-IMPACT cyberdrill exercises for the Americas region took place in Montevideo (Uruguay), in August 2013, with the participation of ICT and security experts from Barbados, Bolivia, Chile, Colombia, Ecuador, Paraguay, Peru, Trinidad and Tobago, and Uruguay.
As part of the joint ITU-EU Commission project to create harmonized ICT policies and an efficient regulatory environment in African, Caribbean and Pacific countries, the cybercrime legislative frameworks in 8 of the 15 beneficiary Caribbean countries were reviewed in 2011 and 2012, and final recommendations for updated legislation developed through stakeholder consultations were submitted to Barbados, Grenada, Saint Kitts and Nevis, and Trinidad and Tobago. Proposed national legislation or amendments to existing laws were also transmitted to Haiti, Jamaica, Saint Lucia, and Saint Vincent and the Grenadines.
Commonwealth of Independent States
More than 90 ICT and security experts from Europe, the Commonwealth of Independent States and Asia-Pacific discussed strategic aspects of cybersecurity and cybercrime during an ITU-IMPACT cross-regional seminar organized in partnership with the Odessa National Academy of Telecommunications (Ukraine) in March 2012. Legal frameworks and international cooperation to combat cybercrime, child online protection and the role of public-private partnerships were among agenda topics. Participants proposed the creation of a public reference repository of recommended and prohibited Internet resources for children.
A year earlier (April 2011), cross-regional cooperation on child online protection was boosted at a workshop attended by some 55 cybersecurity experts from CIS and European countries organized by ITU, in partnership with the Odessa National Academy of Telecommunications of Ukraine. Armenia and Kyrgyzstan benefited from targeted assistance to develop national cybersecurity strategies, and Ukraine received guidance in setting up a national body for the registration of object identifiers.
ITU also supported the government of Azerbaijan in organizing an international conference on cybersecurity in 2013, in partnership with the World Bank, the World Economic Forum and INTERPOL.
Europe
In partnership with the Bulgarian Ministry of Transport, Information Technology and Communications, the “ITU Regional Forum on Cybersecurity for Europe and CIS” took place in Sofia, Bulgaria, in October 2012. The forum brought together more than 90 participants from 19 countries.
During the forum, ITU and IMPACT organized a cross-border cybersecurity drill for Europe and the CIS countries designed to test national cyberresponse capabilities and improve readiness and reaction in the event of a cyberattack.
The “Applied Learning for Emergency Response Team” (ALERT) cyberdrill featured eight actively participating countries: Armenia, Bulgaria, Moldova, Montenegro, Romania, Slovakia, Turkey and Ukraine, with 11 other nations taking part as official observers: Albania, Austria, Azerbaijan, Croatia, Italy, Kyrgyzstan, Luxembourg, Malta, Poland, Portugal and Tajikistan.
A series of scenarios totalling 250 minutes were triggered during the exercise to put participants to the test and observe their responses. These scenarios included phishing, web defacement and wireless security breach. The simulation, which was sponsored by ABI Research, also benefited from the participation of ITU-IMPACT’s key industry partners including Codenomicon, Internet Society Bulgaria, Kaspersky Lab, Lirex.com, Microsoft, Symantec and The Cyber Guardian.
Cyberemergency preparedness assessments were conducted in Albania, Bosnia and Herzegovina, Montenegro, Serbia, and the Former Yugoslav Republic of Macedonia with a view to establishing computer incident response teams in these countries.
In September 2013, Montenegro hosted the eleventh ITU conference on regulatory frameworks to protect the interests of electronic communication users in Europe. Participants sought to identify the main user protection challenges, reviewed current regulatory frameworks, and exchanged views on regulatory best practices.