Arkadiy Kremer Chairman ITU-T Study Group 17 Session 2: Role of Standardization in Cybersecurity

ITU Open Forum on Cybersecurity, 6 December 2008 “We have received a strong message from our members that ITU is, and will remain the world’s pre-eminent global telecommunication and ICT standards body. And we hear also, and very clearly, that ITU should continue on its mission to connect the world, and that bringing the standardization gap, by increasing developing country participation in our work, is an essential prerequisite to achieve this goal”. Malcolm Johnson, TSB Director (Closing speech at the WTSA-08) 2 of 23

ITU Open Forum on Cybersecurity, 6 December 2008 Strategic direction  WSIS Action Line C5, Building confidence and security in use of ICTs  WTSA-08 Resolution 50, Cybersecurity – Resolves “that ITU-T continue to evaluate existing and evolving new Recommendations, and especially signaling and telecommunication protocol Recommendations, with respect to their robustness of design and potential for exploitation by malicious parties to interfere destructively with their deployment in the global information and telecommunication infrastructure”.  WTSA-08 Resolution 52, Countering and combating spam – Instructs ITU-T study groups “to continue collaboration with the relevant organizations (e.g., IETF), in order to continue developing, as a matter of urgency, technical Recommendations with a view to exchanging best practices and disseminating information through joint workshops, training sessions, etc.“ 3 of 23

ITU Open Forum on Cybersecurity, 6 December 2008 Strategic direction (cont.) 4 of 23  Plenipotentiary Resolution 130, Strengthening the role of ITU in building confidence and security in the use of information and communication technologies – Instructs Director of TSB to intensify work in study groups, address threats & vulnerabilities, collaborate, and share information  Plenipotentiary Resolution 149, Study of definitions and terminology relating to building confidence and security in the use of information and communication technologies - Instructs Council to study terminology  ITU Global Cybersecurity Agenda. Key work areas: Legal Measures, Technical and Procedural Measures, Organizational Structures, Capacity Building, International Cooperation. World renowned Group of High-Level Experts report to ITU Secretary General contains recommendations in each of the five areas

ITU Open Forum on Cybersecurity, 6 December 2008 Coordination 5 of 23  ISO/IEC/ITU-T Strategic Advisory Group Security Oversees standardization activities in ISO, IEC and ITU-T relevant to security; provides advice and guidance relative to coordination of security work; and, in particular, identifies areas where new standardization initiatives may be warranted (portal established, workshops conducted)  Global Standards Collaboration ITU and participating standards organizations exchange information on the progress of standards development in the different regions and collaborate in planning future standards development to gain synergy and to reduce duplication. GSC-13 resolutions concerning security include Cybersecurity (13/11), Identity Management (13/04), Network aspects of identification systems (13/03), Personally Identifiable Information protection (13/25).

ITU Open Forum on Cybersecurity, 6 December 2008 ITU-T security activities 6 of 23  Study Group 17 is the lead study group in the ITU-T for security – responsible for: Coordination of security work Development of core Recommendations  Most of the other study groups have responsibilities for standardizing security aspects specific to their technologies (TMN security, IPCablecom security, NGN security, Multimedia security, etc.)

ITU Open Forum on Cybersecurity, 6 December 2008 SG 17 Security Project 7 of 23  Security Coordination Within SG 17, with ITU-T SGs, with ITU-D and externally Kept others informed - TSAG, IGF, ISO/IEC/ITU-T SAG-S… Made presentations to workshops/seminars and to GSC Maintained reference information on LSG security webpage  Security Compendium Includes catalogs of approved security-related Recommendations and security definitions extracted from approved Recommendations  Security Standards Roadmap Includes searchable database of approved ICT security standards from ITU-T and others (e.g., ISO/IEC, IETF, ETSI, IEEE, ATIS)  ITU-T Security Manual – assisted in its development

ITU Open Forum on Cybersecurity, 6 December 2008 Core Security Recommendations 8 of 23  Strong ramp-up on developing core security Recommendations in SG approved in approved in under development for approval next study period  Subjects include:  Architecture and Frameworks  Web services  Directory  Identity management  Risk management  Cybersecurity  Incident management  Mobile security  Countering spam  Security management  Secure applications  Telebiometrics  Ubiquitous Telecommunication services  SOA security  Ramping up on:  Multicast  Traceback  Ubiquitous sensor networks  Collaboration with others on many items

ITU Open Forum on Cybersecurity, 6 December 2008 Core Security Recommendations (cont.) 9 of 23 ITU-T Recommendation X.1205 Overview of Cybersecurity Summary This Recommendation provides a definition for Cybersecurity. The Recommendation provides taxonomy of security threats from an organization point of view. Cybersecurity threats and vulnerabilities including the most common hacker’s tools of the trade are presented. Threats are discussed at various network layers. Various Cybersecurity technologies that are available to remedy the threats are discussed including: routers, firewalls, antivirus protection, intrusion detection systems, intrusion protection systems, secure computing and audit and monitoring. Network protection principles such as defence in depth, access management with application to Cybersecurity are discussed. Risk management strategies and techniques are discussed including the value of training and education in protecting the network. Examples for securing various network based on the discussed technologies are also discussed.

ITU Open Forum on Cybersecurity, 6 December 2008 Core Security Recommendations (cont.) 10 of 23 ITU-T Recommendation X.1206 A vendor-neutral framework for automatic notification of security related information and dissemination of updates Summary This Recommendation provides a framework for automatic notification of security related information and dissemination of updates. The key point of the framework is that it is a vendor- neutral framework. Once an Asset is registered, updates on vulnerabilities information and patches or updates can be automatically made available to the users or directly to applications regarding the Asset.

ITU Open Forum on Cybersecurity, 6 December 2008 Core Security Recommendations (cont.) 11 of 23 Recommendation ITU-T X.1207 Guidelines for telecommunication service providers for addressing the risk of spyware and potentially unwanted software Summary Recommendation ITU-T X.1207 provides guidelines for telecommunication service providers (TSPs) for addressing the risks of spyware and potentially unwanted software. This Recommendation promotes best practices around principles of clear notices and user's consents and controls for TSP web hosting services. This Recommendation develops and promotes best practices to users on personal computer (PC) security, including use of anti-spyware, anti- virus, personal firewall and security software updates on client systems.

ITU Open Forum on Cybersecurity, 6 December 2008 Core Security Recommendations (cont.) 12 of 23 ITU-T Recommendation X.1231 Technical Strategies on Countering Spam Summary This Recommendation emphasizes technical strategies on countering spam, and includes general characteristics of spam and main objectives of countering spam as well. Furthermore, recognizing that there is no single solution to resolve the spam problem, this Recommendation also provides a checklist to evaluate promising tools for countering Spam.

ITU Open Forum on Cybersecurity, 6 December 2008 Core Security Recommendations (cont.) 13 of 23 ITU-T Recommendation X.1240 Technologies involved in countering spam Summary This Recommendation specifies basic concepts, characteristics, and effects of spam, and technologies involved in countering spam. It also introduces the current technical solutions and related activities from various standard development organizations and relevant organizations on countering spam. It provides guidelines and information to the users who want to develop technical solutions on countering spam. This Recommendation will be used as a basis for further development of technical Recommendations on countering spam.

ITU Open Forum on Cybersecurity, 6 December 2008 Core Security Recommendations (cont.) 14 of 23 ITU-T Recommendation X.1241 Technical framework for countering spam Summary This Recommendation provides a technical framework for countering spam. The framework describes one recommended structure of an anti-spam Processing Domain, and defined function of major modules in it. The key point of the framework is that it establishes a mechanism to share information about spam between different servers. Systems follow the framework would improve efficiency through interconnection

ITU Open Forum on Cybersecurity, 6 December 2008 Core Security Recommendations (cont.) 15 of 23 Recommendation ITU-T X.1244 Overall aspects of countering spam in IP-based multimedia applications Summary This Recommendation specifies the basic concepts, characteristics, and technical issues related to countering spam in IP multimedia applications such as IP telephony, instant messaging, etc. The various types of IP multimedia application spam are categorized, and each categorized group is described according to its characteristics. This Recommendation describes various spam security threats that can cause IP multimedia application spam. There are various techniques developed to control the spam which has become a social problem. Some of those techniques can be used in countering IP multimedia application spam. This Recommendation analyzes the conventional spam countering mechanisms and discusses their applicability to countering IP multimedia application spam. This Recommendation concludes by mentioning various aspects that should be considered in countering IP multimedia application spam.

ITU Open Forum on Cybersecurity, 6 December 2008 Identity Management 16 of 23  Networks are increasingly distributed, converged, and packet based where access to services can be based on identity contexts and roles and accessed anywhere, anytime.  Security and trust of identity information in this environment is significantly more complex. Users may have multiple, context dependent “identities” Network services may require different identity trust levels Identity information is distributed throughout the network  Old methods of managing of identity information are inadequate, may limit services, and cause significant cybersecurity problems  Consequently, a new, robust set of secure and trusted capabilities is needed i.e IdM

ITU Open Forum on Cybersecurity, 6 December 2008 IdM is a set of capabilities that 17 of 23  Attach identity data to a person, device, or application.  Facilitate the secure storage, retrieval and secure exchange of identity data.  Provide significantly better identity lifecycle management.  Can allow user control of personally identifiable information (PII).

ITU Open Forum on Cybersecurity, 6 December 2008 ITU-T work on IdM 18 of 23  Managing digital identities and personally identifiable information key aspect for improving security of networks and cyberspace  Effort jump started by IdM Focus Group which produced 6 substantial reports (265 pages) in 9 months  JCA-IdM and IdM-GSI established by TSAG in December 2007 Main work is in SGs 17 and 13  Intense work program, difficult  First IdM Recommendations determined under TAP: X.1250, Capabilities for global identity management trust and interoperability X.1251, A framework for user control of digital identity Y.2720, NGN identity management framework  Many additional IdM Recommendations are under development  Working collaboratively with other key bodies including: ISO/IEC JTC 1/SC 27, Liberty Alliance, FIDIS, OASIS

ITU Open Forum on Cybersecurity, 6 December 2008 Challenges 19 of 23  Addressing security to enhance trust and confidence of users in networks, applications and services  Balance between centralized and distributed efforts on developing security standards  Legal and regulatory aspects of cybersecurity, spam, identity/privacy  Address full cycle – vulnerabilities, threats and risk analysis; prevention; detection; response and mitigation; forensics; learning  Uniform definitions of cybersecurity terms and definitions  Effective cooperation and collaboration across the many bodies doing cybersecurity work – within the ITU and with external organizations  Keeping ICT security database up-to-date

ITU Open Forum on Cybersecurity, 6 December 2008 Challenges (cont.) 20 of 23  There are a number of standards in field of security of telecommunication and information security. But a standard is the real standard when it is used in real world applications. Business and governmental bodies need to learn more about standards from their business applications rather than from a technical point of view.  Report for the next IGF on the business use of the main security standards Who does this standard effect? Status and summary of standard. Business benefits Technologies involved Technical implications

ITU Open Forum on Cybersecurity, 6 December 2008 Challenges (cont.) 21 of 23 WTSA-08 Resolution 76, Studies related to conformance and interoperability testing, assistance to developing countries, and a possible future ITU mark programme  Interoperability of international telecommunication networks was the main reason to create ITU in the year 1865  Conformance testing would increase the chance of interoperability of equipment conforming to ITU standards  Technical training and institutional capacity development for testing and certification are essential issues for countries to improve their conformity assessment processes, to promote the deployment of advanced telecommunication networks and to increase global connectivity  ITU-T study groups will develop the necessary conformance testing Recommendations as soon as possible  ITU-T Recommendations to address interoperability testing shall be progressed as quickly as possible

ITU Open Forum on Cybersecurity, 6 December 2008 Some useful web resources 22 of 23 ITU Global Cybersecurity Agenda (GCA) ITU-T Home page Study Group LSG on Security Security Roadmap Security Manual Cybersecurity Portal Cybersecurity Gateway ITU-T Recommendations ITU-T Lighthouse ITU-T Workshops

ITU Open Forum on Cybersecurity, 6 December 2008 Thank you! Arkadiy Kremer 23 of 23