Home / Blogs

A Short History of ITU Network Security Activity

Anthony Rutkowski

Since the inception of ITU precursors in 1850, its various bodies have treated the subject of telecommunication network security as both an obligation of signatories to the treaty instruments as well as an ongoing collaborative activity. However, what it actually did in those activities was constrained by its jurisdiction and participant competency — which encompassed international public telecommunication services provided primarily by designated government agency service providers known as PTTs. In the ITU, those terms meant the international public telegraph and telephone networks, together with the underlying transport circuits, and ensued in what is now known as the ITU-T.

In the 1970s as the ITU-T work expanded to encompass international public packet data X.25 networks. Shortly afterwards, an attempt was also made to expand the work into digital services to end users in a fairly massive effort known as Integrated Services Digital Networks (ISDN). In the 1980s, these efforts were expanded through a cooperative arrangement with the International Organization for Standardization (ISO) to a set of computer based offerings known as OSI Services.

This ITU-T work treated security as a kind of vague requirement in the context of the many standards developed for operators of public telecommunication network equipment and services. Even in late 1980s, the term "security" never appears in conjunction with the work of any ITU group. The ITU-T did, however, begin tangentially to get involved in the subject in conjunction with its ISO joint work on authentication of directory service listings that gave birth to the X.509 PKI encryption standard in 1988. X.509 implementations, however, were subsequently picked up and taken over by other standards bodies. A series of OSI security specifications known as the X.800 series were adopted in 1996. ISDN and OSI Services failed catastrophically in the marketplace and little if any this ITU-T work is used today except for historical reference purposes.

Over the past twenty years, as the ITU-T work significantly declined and its remaining participants searched for something to do, efforts were begun around 2004 to nominally treat the subject of network security at a high level, and its Study Group 17 began to assume some study responsibilities reflected in a new title of "Security, languages and telecommunication software." It subsequently adopted some generic security specifications from 2007 onwards. The security specifications of any significance were replicated from other standards bodies. The ones created by the ITU-T itself are abstruse academic material not known to be used. See X.800, X.1000-1069, and X.1100-1600 series Recommendations. Some Next Generation Network (NGN) security standards were also developed during this period, but have also failed in the marketplace. See Y-series Recommendations. All of this material is publicly available.

When the ITU-D (development assistance) was formed in the 1990s, security was not part of its remit. Around 2006, the ITU-D security work began in the form of funded studies for guides for developing countries and a dedicated cybersecurity group was created that attracts a handful of people to update the guides. It also sponsors many small security workshops and related initiatives in developing countries.

Some gloss of ITU security involvement also emerged from the WSIS policy initiatives external to the ITU from 2003 onwards that encouraged the ITU to be a "facilitator" of ICT security. This resonated with the ITU General Secretariat that began maintaining a small but active public relations staff that produces copious web-based self-promotional material asserting all kinds of network security roles and competencies the organization does not possess.

So why is this ITU security history relevant today? Because its Secretary-General's new draft of an unneeded and worthless treaty instrument called the International Telecommunication Regulations mentions the word "security" no less than 36 times. Although the term "security" is never defined, the draft leaves the impression that the ITU is competent to deal with the subject of network security.

The reality today is that almost all work relating to network security occurs in myriad other public-private global bodies where it is pursued on a significant scale among expert communities. It is that array of work in other venues that is used worldwide. What purports to occur in the ITU is basically irrelevant and involves a relative handful of people who appear at meetings or workshops in ITU-T, ITU-D, or the General Secretariat for the purposes of maintaining largely website-based fictions to appear responsive to some political mandate of its conferences or leadership. Although a few knowledgeable and dedicated individuals participate in its work, the ITU as an institution has not possessed in modern history, and today does not possess the competence to deal with the subject matter of network security; and treaty mandates will not alter that reality.

Any treaty-based reliance on the ITU's network security competency would be perilous for the global infrastructure and irresponsible for nation States to recognize. I should know — I was the designated leader of the ITU-T cybersecurity work for the past four years who had to deal with these realities.

By Anthony Rutkowski, Principal, Netmagic Associates LLC

Related topics: Policy & Regulation, Security, Telecom

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Did the DPRK Hack Sony?

Can Big Companies Stop Being Hacked?

One Year Later: Lessons Learned from the Target Breach

Wait and See Approach on Abuse

Privacy, Risk and Revenue

Related News

Topics

Industry Updates – Sponsored Posts

Domain Name .Africa Faces Hurdles - Q&A with Sophia Bekele

Q3 2014 DDoS Trends: Attacks Exceeding 10 Gbps on the Rise

3 Questions to Ask Your DNS Host About DDoS

Afilias Partners With Internet Society to Sponsor Deploy360 ION Conference Series Through 2016

Neustar to Build Multiple Tbps DDoS Mitigation Platform

The Latest Internet Plague: Random Subdomain Attacks

Digging Deep Into DNS Data Discloses Damaging Domains

New gTLDs and Best Practices for Domain Management Policies (Video)

Nominum Announces Future Ready DNS

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

Video Interviews from ICANN 50 in London

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

Neustar to Launch usTLD Stakeholder Council

3 Questions to Ask Your DNS Host about Lowering DDoS Risks

Continuing to Work in the Public Interest

Verisign Named to the OTA's 2014 Online Trust Honor Roll

4 Minutes Vs. 4 Hours: A Responder Explains Emergency DDoS Mitigation

Dyn Acquires Internet Intelligence Company, Renesys

Tips to Address New FFIEC DDoS Requirements

Smokescreening: Data Theft Makes DDoS More Dangerous

Sponsored Topics

Afilias

DNSSEC

Sponsored by
Afilias
Minds + Machines

Top-Level Domains

Sponsored by
Minds + Machines
dotMobi

Mobile

Sponsored by
dotMobi
Verisign

Security

Sponsored by
Verisign