Since the inception of ITU precursors in 1850, its various bodies have treated the subject of telecommunication network security as both an obligation of signatories to the treaty instruments as well as an ongoing collaborative activity. However, what it actually did in those activities was constrained by its jurisdiction and participant competency — which encompassed international public telecommunication services provided primarily by designated government agency service providers known as PTTs. In the ITU, those terms meant the international public telegraph and telephone networks, together with the underlying transport circuits, and ensued in what is now known as the ITU-T.
In the 1970s as the ITU-T work expanded to encompass international public packet data X.25 networks. Shortly afterwards, an attempt was also made to expand the work into digital services to end users in a fairly massive effort known as Integrated Services Digital Networks (ISDN). In the 1980s, these efforts were expanded through a cooperative arrangement with the International Organization for Standardization (ISO) to a set of computer based offerings known as OSI Services.
This ITU-T work treated security as a kind of vague requirement in the context of the many standards developed for operators of public telecommunication network equipment and services. Even in late 1980s, the term "security" never appears in conjunction with the work of any ITU group. The ITU-T did, however, begin tangentially to get involved in the subject in conjunction with its ISO joint work on authentication of directory service listings that gave birth to the X.509 PKI encryption standard in 1988. X.509 implementations, however, were subsequently picked up and taken over by other standards bodies. A series of OSI security specifications known as the X.800 series were adopted in 1996. ISDN and OSI Services failed catastrophically in the marketplace and little if any this ITU-T work is used today except for historical reference purposes.
Over the past twenty years, as the ITU-T work significantly declined and its remaining participants searched for something to do, efforts were begun around 2004 to nominally treat the subject of network security at a high level, and its Study Group 17 began to assume some study responsibilities reflected in a new title of "Security, languages and telecommunication software." It subsequently adopted some generic security specifications from 2007 onwards. The security specifications of any significance were replicated from other standards bodies. The ones created by the ITU-T itself are abstruse academic material not known to be used. See X.800, X.1000-1069, and X.1100-1600 series Recommendations. Some Next Generation Network (NGN) security standards were also developed during this period, but have also failed in the marketplace. See Y-series Recommendations. All of this material is publicly available.
When the ITU-D (development assistance) was formed in the 1990s, security was not part of its remit. Around 2006, the ITU-D security work began in the form of funded studies for guides for developing countries and a dedicated cybersecurity group was created that attracts a handful of people to update the guides. It also sponsors many small security workshops and related initiatives in developing countries.
Some gloss of ITU security involvement also emerged from the WSIS policy initiatives external to the ITU from 2003 onwards that encouraged the ITU to be a "facilitator" of ICT security. This resonated with the ITU General Secretariat that began maintaining a small but active public relations staff that produces copious web-based self-promotional material asserting all kinds of network security roles and competencies the organization does not possess.
So why is this ITU security history relevant today? Because its Secretary-General's new draft of an unneeded and worthless treaty instrument called the International Telecommunication Regulations mentions the word "security" no less than 36 times. Although the term "security" is never defined, the draft leaves the impression that the ITU is competent to deal with the subject of network security.
The reality today is that almost all work relating to network security occurs in myriad other public-private global bodies where it is pursued on a significant scale among expert communities. It is that array of work in other venues that is used worldwide. What purports to occur in the ITU is basically irrelevant and involves a relative handful of people who appear at meetings or workshops in ITU-T, ITU-D, or the General Secretariat for the purposes of maintaining largely website-based fictions to appear responsive to some political mandate of its conferences or leadership. Although a few knowledgeable and dedicated individuals participate in its work, the ITU as an institution has not possessed in modern history, and today does not possess the competence to deal with the subject matter of network security; and treaty mandates will not alter that reality.
Any treaty-based reliance on the ITU's network security competency would be perilous for the global infrastructure and irresponsible for nation States to recognize. I should know — I was the designated leader of the ITU-T cybersecurity work for the past four years who had to deal with these realities.
By Anthony Rutkowski, Principal, Netmagic Associates LLC
|Data Center||Policy & Regulation|
|DNS Security||Regional Registries|
|Domain Names||Registry Services|
|Intellectual Property||Top-Level Domains|
|Internet of Things||Web|
|Internet Protocol||White Space|
Afilias - Mobile & Web Services
Minds + Machines