
A Short History of ITU Network Security Activity

Anthony Rutkowski

Since the inception of ITU precursors in 1850, its various bodies have treated the subject of telecommunication network security as both an obligation of signatories to the treaty instruments and an ongoing collaborative activity. However, what it actually did in those activities was constrained by its jurisdiction and participant competency — which encompassed international public telecommunication services provided primarily by designated government agency service providers known as PTTs. In the ITU, those terms meant the international public telegraph and telephone networks, together with the underlying transport circuits, and resulted in what is now known as the ITU-T.

In the 1970s, the ITU-T work expanded to encompass international public packet data X.25 networks. Shortly afterwards, an attempt was also made to expand the work into digital services to end users in a fairly massive effort known as Integrated Services Digital Networks (ISDN). In the 1980s, these efforts were expanded through a cooperative arrangement with the International Organization for Standardization (ISO) to a set of computer-based offerings known as OSI Services.

This ITU-T work treated security as a kind of vague requirement in the context of the many standards developed for operators of public telecommunication network equipment and services. Even in the late 1980s, the term "security" never appears in conjunction with the work of any ITU group. The ITU-T did, however, begin tangentially to get involved in the subject in conjunction with its ISO joint work on authentication of directory service listings that gave birth to the X.509 PKI encryption standard in 1988. X.509 implementations, however, were subsequently picked up and taken over by other standards bodies. A series of OSI security specifications known as the X.800 series were adopted in 1996. ISDN and OSI Services failed catastrophically in the marketplace and little if any of this ITU-T work is used today except for historical reference purposes.

Over the past twenty years, as the ITU-T work significantly declined and its remaining participants searched for something to do, efforts were begun around 2004 to nominally treat the subject of network security at a high level, and its Study Group 17 began to assume some study responsibilities reflected in a new title of "Security, languages and telecommunication software." It subsequently adopted some generic security specifications from 2007 onwards. The security specifications of any significance were replicated from other standards bodies. The ones created by the ITU-T itself are abstruse academic material not known to be used. See X.800, X.1000-1069, and X.1100-1600 series Recommendations. Some Next Generation Network (NGN) security standards were also developed during this period, but have also failed in the marketplace. See Y-series Recommendations. All of this material is publicly available.

When the ITU-D (development assistance) was formed in the 1990s, security was not part of its remit. Around 2006, the ITU-D security work began in the form of funded studies for guides for developing countries and a dedicated cybersecurity group was created that attracts a handful of people to update the guides. It also sponsors many small security workshops and related initiatives in developing countries.

Some gloss of ITU security involvement also emerged from the WSIS policy initiatives external to the ITU from 2003 onwards that encouraged the ITU to be a "facilitator" of ICT security. This resonated with the ITU General Secretariat that began maintaining a small but active public relations staff that produces copious web-based self-promotional material asserting all kinds of network security roles and competencies the organization does not possess.

So why is this ITU security history relevant today? Because its Secretary-General's new draft of an unneeded and worthless treaty instrument called the International Telecommunication Regulations mentions the word "security" no less than 36 times. Although the term "security" is never defined, the draft leaves the impression that the ITU is competent to deal with the subject of network security.

The reality today is that almost all work relating to network security occurs in myriad other public-private global bodies where it is pursued on a significant scale among expert communities. It is that array of work in other venues that is used worldwide. What purports to occur in the ITU is basically irrelevant and involves a relative handful of people who appear at meetings or workshops in ITU-T, ITU-D, or the General Secretariat for the purposes of maintaining largely website-based fictions to appear responsive to some political mandate of its conferences or leadership. Although a few knowledgeable and dedicated individuals participate in its work, the ITU as an institution has not possessed in modern history, and today does not possess, the competence to deal with the subject matter of network security; and treaty mandates will not alter that reality.

Any treaty-based reliance on the ITU's network security competency would be perilous for the global infrastructure and irresponsible for nation States to recognize. I should know — I was the designated leader of the ITU-T cybersecurity work for the past four years who had to deal with these realities.

By Anthony Rutkowski, Principal, Netmagic Associates LLC
