Home / Blogs

A Short History of ITU Network Security Activity

Anthony Rutkowski

Since the inception of ITU precursors in 1850, its various bodies have treated the subject of telecommunication network security as both an obligation of signatories to the treaty instruments as well as an ongoing collaborative activity. However, what it actually did in those activities was constrained by its jurisdiction and participant competency — which encompassed international public telecommunication services provided primarily by designated government agency service providers known as PTTs. In the ITU, those terms meant the international public telegraph and telephone networks, together with the underlying transport circuits, and ensued in what is now known as the ITU-T.

In the 1970s as the ITU-T work expanded to encompass international public packet data X.25 networks. Shortly afterwards, an attempt was also made to expand the work into digital services to end users in a fairly massive effort known as Integrated Services Digital Networks (ISDN). In the 1980s, these efforts were expanded through a cooperative arrangement with the International Organization for Standardization (ISO) to a set of computer based offerings known as OSI Services.

This ITU-T work treated security as a kind of vague requirement in the context of the many standards developed for operators of public telecommunication network equipment and services. Even in late 1980s, the term "security" never appears in conjunction with the work of any ITU group. The ITU-T did, however, begin tangentially to get involved in the subject in conjunction with its ISO joint work on authentication of directory service listings that gave birth to the X.509 PKI encryption standard in 1988. X.509 implementations, however, were subsequently picked up and taken over by other standards bodies. A series of OSI security specifications known as the X.800 series were adopted in 1996. ISDN and OSI Services failed catastrophically in the marketplace and little if any this ITU-T work is used today except for historical reference purposes.

Over the past twenty years, as the ITU-T work significantly declined and its remaining participants searched for something to do, efforts were begun around 2004 to nominally treat the subject of network security at a high level, and its Study Group 17 began to assume some study responsibilities reflected in a new title of "Security, languages and telecommunication software." It subsequently adopted some generic security specifications from 2007 onwards. The security specifications of any significance were replicated from other standards bodies. The ones created by the ITU-T itself are abstruse academic material not known to be used. See X.800, X.1000-1069, and X.1100-1600 series Recommendations. Some Next Generation Network (NGN) security standards were also developed during this period, but have also failed in the marketplace. See Y-series Recommendations. All of this material is publicly available.

When the ITU-D (development assistance) was formed in the 1990s, security was not part of its remit. Around 2006, the ITU-D security work began in the form of funded studies for guides for developing countries and a dedicated cybersecurity group was created that attracts a handful of people to update the guides. It also sponsors many small security workshops and related initiatives in developing countries.

Some gloss of ITU security involvement also emerged from the WSIS policy initiatives external to the ITU from 2003 onwards that encouraged the ITU to be a "facilitator" of ICT security. This resonated with the ITU General Secretariat that began maintaining a small but active public relations staff that produces copious web-based self-promotional material asserting all kinds of network security roles and competencies the organization does not possess.

So why is this ITU security history relevant today? Because its Secretary-General's new draft of an unneeded and worthless treaty instrument called the International Telecommunication Regulations mentions the word "security" no less than 36 times. Although the term "security" is never defined, the draft leaves the impression that the ITU is competent to deal with the subject of network security.

The reality today is that almost all work relating to network security occurs in myriad other public-private global bodies where it is pursued on a significant scale among expert communities. It is that array of work in other venues that is used worldwide. What purports to occur in the ITU is basically irrelevant and involves a relative handful of people who appear at meetings or workshops in ITU-T, ITU-D, or the General Secretariat for the purposes of maintaining largely website-based fictions to appear responsive to some political mandate of its conferences or leadership. Although a few knowledgeable and dedicated individuals participate in its work, the ITU as an institution has not possessed in modern history, and today does not possess the competence to deal with the subject matter of network security; and treaty mandates will not alter that reality.

Any treaty-based reliance on the ITU's network security competency would be perilous for the global infrastructure and irresponsible for nation States to recognize. I should know — I was the designated leader of the ITU-T cybersecurity work for the past four years who had to deal with these realities.

By Anthony Rutkowski, Principal, Netmagic Associates LLC

Related topics: Cybersecurity, Networks, Policy & Regulation, Telecom


Don't miss a thing – get the Weekly Wrap delivered to your inbox.


To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper


Sponsored by Verisign

DNS Security

Sponsored by Afilias

Mobile Internet

Sponsored by Afilias Mobile & Web Services

IP Addressing

Sponsored by Avenue4 LLC

Promoted Posts

Buying or Selling IPv4 Addresses?

Discover ACCELR/8, a transformative IPv4 market solution developed by industry veterans Marc Lindsey and Janine Goodman that enables organizations buying or selling blocks as small as /20s. more»

Industry Updates – Sponsored Posts

Join Neustar's Town Hall Meeting and Help Shape the Future Of .US

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

Leading Internet Associations Strengthen Cooperation

i2Coalition to Present Tucows CEO Elliot Noss With Internet Community Leadership Award

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Michele Neylon Appointed Chair Elect of i2Coalition

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

MarkMonitor Supports Brand Holders' Efforts Regarding .Feedback Registry

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Facilitating a Trusted Web Space for Financial Service Professionals

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks