Nº 10 2010 > News
Building confidence and security in the use of information and communication technologies
The Internet has become an integral part of modern societies, propelling the end user to the forefront of communication.
All kinds of information is available, in multiple formats. But how much of that information is genuine? Is information inaccurate or misleading — or even worse, is content malicious? Fraud, theft and forgery exist online just as they do offline. If users are to benefit from the full advantages of the Internet, then confidence in the infrastructure is of the utmost importance.
This is why world leaders at the second phase of the World Summit on the Information Society (WSIS) in Tunis in November 2005 entrusted ITU to take the lead in coordinating international efforts to promote cybersecurity. They named ITU as the sole facilitator for WSIS Action Line C5 on building confidence and security in the use of information and communication technologies (ICT). In line with these developments, ITU membership has been calling for a greater role to be played by ITU in matters of cybersecurity through various Resolutions, Decisions, Programmes and Recommendations. Since 2006, ITU has undertaken a wide range of activities to make communication over public telecommunication networks secure, reliable and user-friendly.
The ITU Global Cybersecurity Agenda (GCA), launched on 17 May 2007 by ITU Secretary-General, Dr Hamadoun I. Touré, is a framework for international cooperation to enhance confidence and security in the information society. It comprises five strategic pillars: legal measures; technical and procedural measures; institutional structures; capacity building, and international cooperation.
The Secretary-General also appointed a High-Level Experts Group from government, industry, international organizations, academia and research. Their goal was to propose strategies for a global response to the constantly evolving nature of cyberthreats and the increasing sophistication of cybercrime. After meetings in October 2007 and in May 2008, the group presented its strategic proposals to the ITU Secretary-General for assisting Member States to promote cybersecurity.
Proposals that are in line with the ITU mandate have been taken into account in the work programmes of its General Secretariat and three Sectors: Radiocommunication (ITU–R); Telecommunication Standardization (ITU–T); and Telecommunication Development (ITU–D).
Establishing appropriate legal infrastructure is an integral component of any national cybersecurity strategy. As part of the 2006 Doha Action Plan (DAP), ITU’s Telecommunication Development Bureau (BDT) has been assisting Member States to understand the legal aspects of cybersecurity in order to harmonize their legal frameworks.
Understanding Cybercrime: A Guide for Developing Countries, published in 2009, is an important part of this work and was intended as a tool for the developing world to better understand and assess the national and international implications of growing cyberthreats. In that same year BDT released a Toolkit for Cybercrime Legislation, developed by a group of experts, to provide Member States with sample legislative language and reference material to assist in harmonizing cybercrime laws and procedural rules. BDT also produced a background paper entitled Cybersecurity: The Role and Responsibilities of an Effective Regulator for the Global Symposium for Regulators, held in Beirut, Lebanon in November 2009.
Technical and procedural measures
ITU’s work on security covers a broad range of activities from network attacks, denial of service, theft of identity, eavesdropping, telebiometrics for authentication to security for emergency telecommunications.
Standards-development bodies have a vital role to play in addressing security vulnerabilities in protocols. ITU–T holds a unique position in the field of standardization in the sense that its work brings together the private sector and governments to coordinate work and promote the harmonization of security policy and security standards on an international scale.
Along with many key security recommendations, ITU–T has developed an overview of security requirements, security guidelines for protocol authors, security specifications for IP‑based systems, as well as guidance on how to identify cyberthreats and countermeasures to mitigate risks. ITU–T also provides the international platform for the development of the protocols that protect current and next-generation networks (NGN).
ITU’s work addresses security aspects in NGN architecture, quality of service, network management, mobility, billing and payment. ITU also reviews enhancements to security specifications for mobile end-to-end data communications and considers security requirements for web services and application protocols. In addition, it is now looking into new security areas related to cloud computing and smart grid.
In the move to Internet Protocol (IP)-based services, ITU’s H.235.x series Recommendations on “H.323 Security” define the security infrastructure and services (including authentication and privacy) for use by the H.300-Series IP multimedia systems (such as VoIP and videoconferencing) in point-to-point and multipoint applications. The H.235.x standards provide privacy to service providers and enterprises, while ensuring interoperability of multimedia products. The identity of users communicating through IP media is correctly authenticated and authorized using H.235.x, protecting their communications against different critical security threats.
Real-time multimedia encryption adds a further layer of security, guarding against call interception. ITU’s J.170 “IPCablecom Security Specification” defines security requirements for IPCablecom architecture enabling cable television operators to deliver secure two-way capability in the provision of IP services, including VoIP.
ITU’s X.805 Recommendation defines the security architecture for systems providing end-to-end communications. This Recommendation allows operators to pinpoint vulnerable points in a network and address them, and ITU’s security framework extends this with guidelines on protection against cyberattacks.
ITU–T X.1205 “Overview of Cybersecurity” provides a definition of cybersecurity and a taxonomy of security threats. It discusses the nature of the cybersecurity environment and risks, possible network protection strategies, secure communication techniques and network survivability (even under attack).
All ITU study groups conduct security-related activities and review security questions as part of their work. But it is ITU–T Study Group 17 that is the lead study group on telecommunications security and identity management. The group has approved over 100 Recommendations on security for communications, mainly in the X series of recommendations, either by itself, or jointly with the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) or with other relevant organizations. It regularly updates the manual on Security in telecommunications and information technology as an overview of security issues (the fourth edition was issued in September 2009). It also publishes electronically a Security Compendium on its website containing a catalogue of approved ITU–T Recommendations related to security and presenting an extract of security definitions from ITU–T and other sources.
ITU–T Study Group 17 launched the ICT Security Standards Roadmap promoting collaboration between international standards bodies. This became a joint effort in January 2007, when the European Network and Information Security Agency (ENISA) and the Network and Information Security Steering Group (NISSG) joined the initiative. The Roadmap promotes the development of security standards by highlighting existing standards, as well as current and future work among key standards-development organizations. The Roadmap informs users about security standards.
The role of ITU–T Study Group 17 was confirmed and reinforced by the World Telecommunication Standardization Assembly, which took place in Johannesburg, South Africa, in 2008 (WTSA‑08). Resolution 50 on “Cybersecurity” is guiding ITU–T work to build Recommendations sufficiently robust to prevent exploitation by malicious parties. And Resolution 52 on “Countering and combating spam” calls for the integration of the technical means to combat spam into the work of ITU–T study groups. Also from WTSA‑08 is Resolution 58: “Encourage the creation of national Computer Incident Response Teams, particularly for developing countries”, which ITU–T Study Group 17 is implementing.
Since September 2009, seven correspondence groups have been established on subjects including security coordination, e‑health, cloud computing and smart grid security, national centres for network security (NCNS), strategy for online transaction security, decentralized architecture for global IP network name resolution system, and cybersecurity information exchange framework (CYBEX).
Turning to radiocommunications, wireless applications such as 3G (or IMT‑2000) are becoming an integral part of daily life, and the global use and management of frequencies require a high level of international cooperation. Global frequency management is increasingly important for building confidence and security in the use of ICT.
This brings to the fore the mission of ITU–R to ensure, rational, equitable, efficient and economical use of the radio-frequency spectrum by all radiocommunication services, including those using satellite orbits, and to carry out studies and adopt Recommendations on radiocommunication matters.
Safeguarding quality of service against degradation or denial of service is vital for the secure functioning of networks, and many of ITU–R’s latest Recommendations on generic requirements and the protection of radiocommunications against interference are relevant for security. ITU’s work in radiocommunication standardization continues, matching the constant evolution in modern telecommunication networks.
ITU–R has approved Recommendations on security principles and mechanisms for 3G networks (in particular Recommendation ITU–R M.1078, but also Recommendations M.1223, M.1457 and M.1645). It has also released Recommendations on security issues in network management architecture for digital satellite systems (Recommendation ITU–R S.1250) and performance enhancements of transmission control protocol over satellite networks (Recommendation ITU–R S.1711).
As part of ITU’s collaboration with the International Multilateral Partnership Against Cyber Threats (IMPACT), the Global Response Centre (GRC) plays a pivotal role in realizing the Global Cybersecurity Agenda’objective of putting technical measures in place to combat new and evolving cyberthreats. Working with leading partners in academia and governments, the centre provides the global community with a real-time aggregated early-warning system. BDT is working with IMPACT to bring this resource to interested Member States as part of a broader strategy to assist them in their efforts against cyberthreats.
GRC offers two prime services: Network Early Warning System (NEWS); and Electronically Secure Collaboration Application Platform for Experts (ESCAPE). NEWS is designed to help countries identify cyberthreats early on and provide critical guidance on what measures to take to mitigate them. ESCAPE is an electronic tool that enables authorized cyber-experts across different countries to pool resources and collaborate with each other remotely, within a secure and trusted environment. By pooling resources and expertise from many different countries on short notice, ESCAPE enables individual nations and the global community to respond immediately to cyberthreats, especially during crisis situations.
The dearth of institutional structures to deal with cyber incidents (attacks, fraud, destruction of information, dissemination of inappropriate content) is a genuine problem in responding to cyberthreats. BDT, in partnership with IMPACT, is deploying capabilities to build capacity at the national and regional level. Coordination is under way with several ITU Member States, focusing on assistance for the establishment of National Computer Incident Response Teams (CIRTs).
With support received from the Australian Government and in partnership with other organizations (for example, AusCERT and IMPACT), ITU is assisting the Pacific Island countries in establishing a Pacific Computer Emergency Response Team (CERT). In cooperation with IMPACT, ITU also helped Afghanistan in a feasibility study on establishment of a national CERT.
People are the weakest link. One of the key challenges of cybersecurity is educating the end user. Understanding and awareness of the potential dangers are critical if the end user is to benefit from ICT safely.
This is a matter that concerns all stakeholders from governments and industry to education both at school and at home. Awareness of the opportunities offered by a secure cyber environment and of the threats inherent to cyberspace is vital. Programmes aimed at raising awareness and building capacity at all levels are important, and these also need to be undertaken within the international arena.
To assist Member States wishing to design their national approach for Cybersecurity and Critical Information Infrastructure Protection (CIIP), BDT has developed the National Cyber Security/CIIP Self-Assessment Tool, and is updating the current version. BDT has also developed the ITU Botnet Mitigation Toolkit to track botnets and mitigate their impact, with a particular emphasis on the problems specific to emerging Internet economies.
BDT is organizing regional cybersecurity forums for all ITU regions, using them as capacity-building vehicles for its different programmes and activities as well as operational platforms for cooperation at the regional and international levels.
In order to build capacity, BDT, through IMPACT’s Training and Skills Development Centre, conducts high-level briefings for representatives of Member States, providing them invaluable exposure and private-sector insight on latest trends, potential threats and emerging technologies.
The Internet and ICT have enabled interconnection between countries that was not possible before. Countries cannot easily close their borders to incoming cyberthreats and also cannot contain those coming from within. Attempts to solve these challenges at national or regional levels are important, but because cybersecurity is as global and far-reaching as the Internet, solutions need to be harmonized across all borders. This necessarily entails international cooperation, not only at government level, but also with industry, nongovernmental and international organizations.
International Multilateral Partnership Against Cyber Threats (IMPACT)
In March 2009, ITU Secretary-General Dr Hamadoun I. Touré and Malaysia’s then Prime Minister Dato’ Seri Abdullah Haji Ahmad Badawi inaugurated a state-of-the-art facility in Cyberjaya, Malaysia, which houses resources, facilities and experts to effectively address the world’s most serious cyberthreats. Called ITU–IMPACT, it is a global, multi-stakeholder public-private partnership and provides the physical and operational home for ITU’s Global Cybersecurity Agenda. As of August 2010, more than 50 Member States had formally agreed to take part in the services offered by ITU–IMPACT. ITU maintains a “virtual showcase” in Geneva of the early-warning system, crisis management and real-time analysis of global cyberthreats.
ITU Cybersecurity Gateway
The ITU Cybersecurity Gateway was revamped in 2009 to enable better information access, dissemination and online collaboration among stakeholders working in cybersecurity, with feedback being incorporated into the Gateway.
Child Online Protection
As part of the Global Cybersecurity Agenda, ITU in conjunction with other UN agencies and partners launched Child Online Protection (COP) in November 2008 as an international collaborative initiative for action to promote cybersecurity for children and young people by providing guidance on safe online behaviour. Several events have been organized, some examples being A Strategic Dialogue on Safer Internet Environment for Children, held in June 2009 in Tokyo, Japan, and an Open Forum on Child Online Protection, organized during the 4th Internet Governance Forum (IGF) in November 2009. Guidelines for protecting children online have been produced for policy-makers, industry, educators, parents, guardians and children. They were prepared by ITU in close collaboration with many organizations, including the United Nations Interregional Crime and Justice Research Institute (UNICRI), the United Nations Children’s Fund (UNICEF), the United Nations Office on Drugs and Crime (UNODC), the United Nations Institute for Disarmament Research (UNIDIR), INTERPOL and the European Network and Information Security Agency.
The COP Global Initiative announced on 17 November 2010 by the Patron of COP, Laura Chinchilla, President of Costa Rica and ITU Secretary-General, Hamadoun Touré at a ceremony in San Jose, Costa Rica, will provide a framework for coordinating existing global efforts and implementing a series of safety training and prevention activities. This new phase of the initiative will see COP shift from the production of guidelines to the development of industry codes of conduct, the establishment of national hotlines, and the development of national road maps and legislative toolkits.
Cybercriminals are not the only threats to the Internet. The vulnerabilities of ICT are a lure for potentially more damaging activities such as espionage. Cyber warfare and espionage have made their appearance and can pose serious threats to critical information infrastructure.
Even though national measures are being taken, cyberthreats remain an international problem. Loopholes in legal frameworks are being exploited by perpetrators, and harmonization between existing laws is far from satisfactory. Coupled with the absence of appropriate organizational structures, there is a genuine problem in responding to cyberthreats.
This is without looking at the constant evolution and sophistication of such threats and the vulnerabilities in software, and more recently hardware, applications. With the phenomenal growth in mobile adoption and new trends such as cloud computing, cyberthreats will likely spread to new levels.
Cyberthreats are global and therefore the solutions must be global too. It is vital that all countries reach a common understanding on cybersecurity to provide protection against unauthorized access, manipulation and destruction of critical resources.
ITU believes that the strategy for a solution must include identifying existing national and regional initiatives in order to set priorities and work effectively with all relevant players. With its 192 Member States and more than 700 private-sector companies and Associates, ITU is an excellent forum for action and response to promote cybersecurity and to tackle cybercrime. Its broad membership includes least developed countries, developing and emerging economies, as well as developed countries.
Much has been achieved, but cybersecurity is a constantly evolving challenge that needs to be continually addressed, because of the ever-changing nature of ICT. ITU will work unremittingly to build confidence and trust, ensuring a safe and secure cyber environment for all.