At the recent RSA Conference 2009 in San Francisco, United States, McAfee CEO DeWalt called for a global security architecture.

"Security threats are on the rise as the economy declines, and the solution will likely come from collaborative partnerships that span all IT platforms and international boundaries." "DeWalt painted a grim picture of the security landscape. Consumer confidence has gone down while unemployment and has risen, he said. And as the economy has gone into a tailspin, cybercrime has seen a sharp upward spike, with more malware detected in 2008 than in the previous five years combined. Last year, 80 percent of cybercrimes were financially motivated, he added."

"Many organizations are vastly underprotected or fail to regularly update patches and security software, which have opened up copious threat vectors for attackers, DeWalt said. In addition, the explosion of malicious threats in the last year can also be attributed to lack of user education and best security practices, as well as lack of comprehensive security." "One of the solutions, DeWalt proposed, would be to build comprehensive security architecture across numerous IT platforms that would be able to interoperate with companies' existing network infrastructure. That architecture would ultimately allow organizations to create correlating reports for every department and system, while allowing greater overall visibility into their organization's network, DeWalt said." "Cross-platform collaboration provides IT administrators a panoramic view into their network and allows communication across the threat vectors to shore up otherwise unseen security holes." "That same type of collaborative architecture will ultimately be required to extend across international borders and throughout global networks as the threats continue to become more sophisticated and the attacks more prevalent, DeWalt said. "The most depressing part of this is that we do not have a global architecture in place," he said. "We need to work together. Undoubtedly, (attacks) will continue to increase."

Read the full story on ChannelWeb.

Six new standards enabling a more secure ICT environment have been approved by ITU. Experts say that the standards represent an important achievement reflecting the needs of business in establishing risk management strategies and the protection of consumers.

Three ITU-T Recommendations cover a definition of cybersecurity, a standardized way for vendors to supply security updates and guidelines on spyware. While the other three focus on countering the modern day plague of spam by providing a toolbox of technical measures to help consumers and service providers.

Recommendations on spam are a direct response to a call from the World Telecommunication Standardization Assembly (WTSA), the quadrennial event that defines study areas for ITU-T. Members asked that ITU-T define technical measures to tackle this plague of the digital world following growing global concern at additional costs and loss of revenue to Internet service providers, telecoms operators and business users.

Read the full news article on the ITU-T newslog.

On 15 November 2006, a Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on fighting spam, spyware and malicious software had been released. "The Commission Communication on a Strategy for a secure Information Society aims at improving the security of network and information at large and invites the private sector to address vulnerabilities in network and information systems that can be exploited to spread spam and malicious software. The Commission Communication on the Review of the EU Regulatory Framework proposes new rules to strengthen security and privacy in the electronic communications sector." This Communication deals with the evolution of spam, and threats such as spyware and malicious software. It also takes stock of efforts made so far to fight these threats and identifies further actions that can be taken, including strengthening Community law, law enforcement, cooperation within and between Member States, political and economic dialogue with third countries, industry initiatives, and R&D activities.

Among the proposed actions in this Communication are:

1. Member States and competent authorities are called upon to lay down clear lines of responsibility for national agencies involved in fighting spam, ensure effective coordination between competent authorities, involve market players at national level, drawing on their expertise and available information, ensure that adequate resources are made available to enforcement efforts, and subscribe to international cooperation procedures and act on requests for cross border assistance.
2. Companies are encouraged to ensure that the standard of information for the purchase of software applications is in accordance with data protection law, contractually prohibit illegal use of software in advertisements, monitor how advertisements reach consumers and follow up on malpractice, and e-mail service providers to apply a filtering policy which ensures compliance with the recommendation and guidance on e-mail filtering.
3. The Commission aims to continue efforts in raising awareness and fostering cooperation between stakeholders. It also aims to continue to develop agreements with third countries including the issue of the fight against spam, spyware and malware, introduce new legislative proposals that strengthen the rules in the area of privacy and security in the communications sector, present a policy on cyber crime, involve ENISA expertise in security matters, and support research and development in its FP7 program.

With the accelerating development and spread of spam, spyware and malicious software, "the Commission is using its role as an intermediary to create greater awareness about the need for greater political commitment to fight these threats."

Read the full Communication here.
More on European Union Laws here.

The International Telecommunication Union (ITU) extended its call for papers for the ITU Symposia on ICTs and Climate Change to 29 February 2008.

The first symposium will be held in Kyoto, Japan (15-16 April 2008, hosted by the Ministry of Internal Affairs and Communication) and will be followed by finalizing the initial proposals at a second symposium in London, UK (17-18 June, hosted by British Telecom). These symposia will bring together key specialists in the field, from top decision-makers to engineers, designers, planners, government officials, regulators, standards experts and others. To contribute to this work, stakeholders are invited to submit an abstract, of maximum 300 words, for a paper or presentation which is relevant to one of more of the topics above.

The topics of interest at the symposia include:

• Climate change and the impact of ICTs
• Use of ICTs in monitoring climate change
• ICTs for mitigating the local effects of climate change
• ICTs and concerted action against global warming
• ICT standardization in the field of climate change

For more information on the ITU Symposia on ICTs and Climate Change, click here. For information on ITU's e-environment activities, click here.

Email Submission Operations: Access and Accountability Requirements by Carl Hutzler, Dave Crocker, Pete Resnick, Eric Allman, and Tony Finch has recently been released as Best Current Practice (BCP) 134. This document provides recommendations for constructive operational policies between independent operators of email submission and transmission services to mitigate the propagation of spam and worms. Its goal is to improve lines of accountability for controlling abusive uses of the Internet mail service. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. For more information, click here.

After the infamous Estonian cyberattack early this year, CyTRAP Labs proposes the 7 lessons learnt from the attacks, and points out how Estonia responded accordingly to these issues. Among the lessons and issues pointed out were:

This list was made in reference to the presentation of Hillar Aarelaid, eSStonia - the case of the Estonian DDoS attacks, given at the GovCERT.NL IT Security Symposium, Response & Responsibility, in Noordwijk, Netherlands.

Read the full article here.

A MAAWG document was recently released entitled "MAAWG Best Practices for the Use of a Walled Garden." This white paper discusses the criteria for exit and entry, remediation and subscriber education regarding walled garden. The primary goal of these practices is to help end-users become aware of and remove unwanted programs or malware residing on their personal computers and to stop the network from being used for abusive purposes. To access the white paper, click here. More information on MAAWG activities here.

The Washington Post reports on Google's call for new international standards on the collection and use of consumer data. "Peter Fleischer, global privacy counsel for Google, told a U.N. audience in Strasbourg, France, that fragmentary international privacy laws burden companies and don't protect consumers. He argued for an international body such as the United Nations to create standards that individual countries could then adopt and adapt to fit their needs. 'The ultimate goal should be to create minimum standards of privacy protection that meet the expectations and demands of consumers, businesses and governments,' Fleischer said, according to a transcript of the speech provided by Google."

Investigations over Google's privacy practices are currently conducted by the European Union. There have been controversy and criticisms on Google's privacy policies and its planned $3.1 billion merger with DoubleClick, an online advertising broker that sells banner and video ads. Critics argue that the merger which would enable the company to collect information on which sites users visit, would hurt competition in online advertising, and that it would aggregate too much consumer data in the hands of one company. According to Marc Rotenberg, executive director of the Electronic Privacy Information Center and a critic of the DoubleClick merger, "Google, under investigation for violating global privacy standards, is calling for international privacy standards... It's somewhat like someone being caught for speeding saying there should be a public policy to regulate speeding."

Fleischer proposes the privacy framework developed by the Asia-Pacific Economic Cooperation forum, which he refers to as a balance between information privacy, and business needs and commercial interests. However, critics say that the APEC standards are too lenient. Rotenberg adds further that the APEC rules put the burden on consumers, who must demonstrate that a company's privacy policy has harmed them. Guidelines developed in 1980 by the Organization for Economic Cooperation and Development which influenced the European Union's privacy laws and are usually preferred by privacy advocates, generally focus on the violation of privacy as a right rather than a demonstration of harm caused by the violation.

To read the full article, click here.
Read more about Peter Fleischer's views on privacy on his blog.

ICANN finalized on 23 August 2007 the IDN .test Evaluation Plan and is currently moving forward towards the insertion of IDN strings in the root zone. These IDN TLDs are the word "test" translated into eleven languages including: Arabic, Persian, Chinese (simplified and traditional), Russian, Hindi, Greek, Korean, Yiddish, Japanese and Tamil. The delegation of these TLDs and the evaluations, as described in the plan, is expected to commence in September 2007.

The plan has been modified based on comments received on the IDN public forum and also from consultations with ICANN Technical Advisory Committees. The last version was approved by the ICANN Board at their 14 August 2007 meeting, and the resolution directs ICANN Staff to implement the IDN .test Evaluation Plan, and report back to the ICANN Board following the conclusion of the evaluation.

Keep updated on the progress of this project by visiting http://icann.org/topics/idn.

Read the full article here.

ITU, in collaboration with the Secretaría de Comunicaciones, Argentina, will be hosting a workshop 16-18 October 2007 entitled Regional Workshop on Frameworks for Cybersecurity and Critical Information Infrastructure Protection. The workshop will be held in Buenos Aires, Argentina.

The description of the event, draft agenda, invitation letter, and practical information for meeting participants will be made available on the event website.

Contact cybmail@itu.int with any general queries you may have related to the workshop.

A Report entitled Personal Internet Security from the House of Lords Science and Technology Committee has been made available on Friday discussing primarily the issues pertaining to individual experiences of the Internet. In the report, the U.K., ISPs and others, has been said to unfairly hold Internet users responsible for online safety. According to the panel, this "laissez-faire" attitude toward personal security is what weakens user confidence. The report proposes that ISPs should be held responsible and avoid them from ignoring spam and malware notices, and that information technology vendors be held liable for not making products secure.

Network security, appliances and applications, how businesses and individuals use the Internet and policing of the online world were studied and dealt with in the Lords inquiry. It also noted that the U.K. government is at fault for not showing leadership in assembling available information and interpreting it for the public. "The Government are not themselves in a position directly to gather the necessary data, but they do have a responsibility to show leadership in pulling together the data that are available, interpreting them for the public and setting them in context, balancing risks and benefits. Instead of doing this, the Government have not even agreed definitions of key concepts such as 'e-crime'." The report recommends the establishment of a cross-departmental group in the Government, "bringing in experts from industry and academia, to develop a more co-ordinated approach to data collection in future. This should include a classification scheme for recording the incidence of all forms of e-crime. Such a scheme should cover not just Internetspecific crimes, such as Distributed Denial of Service attacks, but also e-enabled crimes - that is to say, traditional crimes committed by electronic means or where there is a significant electronic aspect to their commission."

The committee points out the need for more support for research from the industry as well. "The development of one or more major multidisciplinary research centres, following the model of CITRIS, is necessary to attract private funding and bring together experts from different academic departments and industry in a more integrated, multi-disciplinary research effort."

End-users are still predominantly viewed as unable to protect their own security according to the report. And private companies are driven by strong incentives to either promote security for profit or to oppose it as imposing costs on them according to lawmakers. The committee, thus, proposes that ISPs, being the link between the users and the network, could take more control over the network traffic by blocking or filtering traffic containing malicious code. "We do not advocate immediate legislation or heavy- handed intervention by the regulator," says the lawmakers, adding that the market must be nudged to provide better security.

Further recommendations of the committee include criminalizing trade in botnet services, no matter what their use, creating a unified, Web-based reporting scheme for e-crime, more action on creating a central e-crime police unit, fast ratification of the Council of Europe CyberCrime Convention, and educating courts on Internet crime.

Read the full article on Factiva Content Watch.
To access the report, click here.

An Informational draft RFC by John Curran was recently published, outlining an IPv4 to IPv6 transition plan. The paper provides a clear guidance to organizations regarding specific expectations that change over time, and vary greatly by organization. A timeline of the different phases was set with the intention of allowing enough time for the necessary planning and deployment steps which each organization must undertake. The author proposes the transition to predominantly IPv6-connectivity by Januaray 2011 in response to meeting the overall requirements of allowing the Internet to scale as specified in "The Recommendation for the IP Next Generation Protocol" [RFC1752].

On the contrary, Randy Bush provides a very informative presentation, IPv6 Transition & Operational Reality, regarding the reality of such a transition. The presentation discusses the different myths about IPv4 and IPv6, the emergence of a market for IPv4 addresses, and the transition from allocation to entitlement among others.

For more background data and interesting comments from Geoff Huston, read his IPv4 Address Report or his ISP column articles on The End of (IPv4) World, and Transition to IPv6.

The OECD's Ministerial meeting on the Future of the Internet Economy has been opened to an Online Public Consultation, providing an opportunity for all stakeholders to comment on the topics and issues to be discussed at event. The public consultation is scheduled to be open until 14 September 2007, and stakeholders and players may share their views and opinions with the OECD through their Online Questionnaire.

"The Ministerial represents an opportunity for high-level stakeholders from government, business, the technical community, and civil society to consider broad social, economic and technical trends shaping the development of the Internet Economy, and to discuss policies that can respond to evolving societal needs. The participation of all players in the dialogue is important to ensure that the Ministerial is able to benefit from a wide range of viewpoints and expertise."

For more information on the public consultation, go here or visit the OECD website.

The OECD Committee for Information, Computer and Communications Policy (ICCP), through its Working Party on Information Security and Privacy (WPISP) has developed the Recommendation on Electronic Authentication and the Guidance for Electronic Authentication. The project was made possible with the participation of Jane Hamilton from Industry Canada and with the support of delegates from Australia, France, Hungary, Korea, Norway, the United States, the OECD Secretariat and the Business and Industry Advisory Committee (BIAC) to the OECD. On 12 June 2007, the OECD Council adopted the Recommendation, and the Guidance for Electronic Authentication, was adopted by the ICCP Committee in April and declassified on 12 June 2007 by the OECD Council.

The Recommendation encourages efforts by OECD member countries to establish compatible, technology-neutral approaches for effective domestic and cross-border electronic authentication of persons and entities. It also reaffirms the important role of electronic authentication in fostering trust online and the continued development of the digital economy.

The OECD Guidance on Electronic Authentication aims to assist OECD member countries and non-member economies in establishing or amend their approaches to electronic authentication with a view to facilitate cross-border authentication. The Guidance sets out the context and importance of electronic authentication for electronic commerce, electronic government and many other social interactions. It provides a number of foundation and operational principles that constitute a common denominator for cross-jurisdictional interoperability.

Both the Recommendation and the Guidance conclude a work stream initiated in response to the "Declaration on Authentication for Electronic Commerce" adopted by Ministers at the Ottawa Ministerial Conference held on 7-9 October 1998 and serve as a bridge to future OECD work on identity management.

The ITU Telecommunication Standardization Sector with its Focus Group on Identity Management (FG IdM) works to facilitate the development of a generic Identity Management framework, by fostering participation of all telecommunications and ICT experts on Identity Management. To read more about the ITU-T FG IdM activities, go here.

Read the full article on the OECD Recommendation on Electronic Authentication and the Guidance for Electronic Authentication here.

28-31 Aug 2007 The ITU, in collaboration with the Viet Nam Ministry of Posts and Telematics and with support from the government of Australia, will be hosting a workshop 28-31 August 2007 entitled Regional Workshop on Frameworks for Cybersecurity and Critical Information Infrastructure Protection in Hanoi, Viet Nam.

The description of the event, draft agenda, invitation letter, and practical information for meeting participants is available on the event website. Further information is available from cybmail@itu.int.

To view the full article by On The Go Technologies Group as published by GRIDtoday on 28 May 2007, click here.

Although the European Commission decided against imposing new legislative restrcitions on radio frequency identification (RFID) tags for now (opting for "soft legislation" instead) , a top official warned on Monday that regulations are likely if future uses of the technology don't protect fundamental privacy rights, reports ZDNet. Gerald Santucci, head of the European Commission unit whose domain includes RFID issues, said he feared that rushing to place restrictions on industries hoping to use the technology would choke its potentially valuable application in health care, business, transportation and other realms. But if regulators deem that widespread RFID use is insufficiently safe, secure and privacy-preserving, then "Mrs. Reding [European Commissioner for Information Society and Media] will have no other option but to trigger legislation," Santucci told participants at a luncheon discussion in Washington DC. By the end of 2008, the commission plans to reevaluate whether legislation is necessary. It's unclear how restrictive any potential rules would be.

Read the full story here (ZDNet). More on the European Commission Policy on RFID can be found here.

RFID, along with sensors and nanotechnology, was one of the key techological developments explored in the 2005 ITU Internet Report on The Internet of Things. An ITU New Initiatives Workshop on Ubiquitous Networks Societies was also held in the same here. Network aspects of identification systems are being studied in the context of standardization by the ITU's JCA-NID.

ITU-T Study Group 2’s February meeting saw work continue on harmonizing numbering resources for child helplines. Study Group 2 is looking at the issue following a request from Child Helpline International (CHI). CHI is a global network of telephone helplines and outreach services for children and young people.

Specifically Study Group 2 is looking at the logistics of providing a global number. It previously conducted a survey which discovered that a wide range of numbers are in use globally and that there is support in many countries for studying a more harmonized solution. A review process will be an initial assessment of all of the various options for introducing childrens’ helplines. The fundamental question is whether a single number can be deployed worldwide. Other issues include how regulators will handle migration from existing services and who pays for the services.

See the Study Group 2 website and ITU-T Newslog for further information.

Standards that will ease the wide spread rollout of video over IP networks took a step forward in January. IPTV architecture and requirements, two fundamentally important areas in standards work were progressed at a recent meeting of the ITU-T Focus Group on IPTV (FG IPTV). There was general consensus in the meeting that FG IPTV will successfully develop documents which will accelerate introduction of IPTV to the global market. Setting the architecture and requirements in stone allows the rest of the work to continue with greater ease.

Meeting at the Microsoft conference center, Mountain View California, at the invitation of the Alliance for Telecom Industry Standards (ATIS) the group saw a record number of contributions and experts worked often late to keep up with the workload. Nearly 90 documents were dealt with in the fields of architecture and requirements alone. Malcolm Johnson, newly elected Director of ITU’s Telecommunication Standardization Bureau said in a message he sent to the event: "The excellent cooperation between ITU-T and ATIS is an example of the spirit of cooperation that I believe now pervades in the standards world... From what I have seen there is a great deal to be satisfied by in terms of the progress that FG IPTV has achieved so far."

In opening comments, ATIS President & CEO Susan Miller shared with the 200 meeting attendees that IPTV is serving as a ''change agent" for the industry, and "as both the business case and principal driver for accelerating deployment of the next generation network. "Miller noted that for North American service providers in particular, "IPTV is a critical ingredient to bundled service offerings that encompass television services, mobile services, Internet access, and much more. We have seen in the last decade, enormous investments in broadband, and fiber deployments to the home and to the premise," said Miller. Also important a document outlining terms and definitions in the field was created.

While seemingly mundane this work is crucially important in ensuring consistency of comprehension in an area where many standards outlining different aspects of IPTV will co-exist. Further discussion is expected on whether and how to treat the issue of redistribution of content to a point past an IPTV terminal device, and, in particular, how content protection and content management functions can or should apply in a home network environment. Other issues examined and progressed were accessibility issues for people with disabilities, AV codecs and content format requirements. Output and other documents can be found here.
See also the ITU-T newslog for further information. 

The next meeting of FG IPTV will be held from 7 to 11 May 2007 in Bled, Slovenia.

One of the Intenet's pioneers, Dr. Larry Roberts, gave a presentation yesterday at ITU World Telecom Forum 2006 in Hong Kong entitled Optimizing the Internet Quality of Service and Economics for the Digital Generation. Dr. Roberts discussed standardization work in the ITU on end-to-end QoS signalling to better deliver video over the Internet. In particular, he discussed the work on a new flow based, in-band signaling standard called Y.flowreq.

In response to the needs for health information management, ITU-T Study Group 16 has also developed the ITU-T SG 16 Technical Paper TP.RTM "Roadmap for Telemedicine" which aims to define the areas in which a set of open global international standards for e-health applications is currently needed.

To read more about the ITU-T Study Group 16's work on e-health, visit their E-Health and Standardization section.

ITU-T Focus Group on Security Baseline for Network Operators has issued a survey which seeks to assess the security preparedness of network operators. The results from the survey will be used in preparation of a new ITU-T Recommendation: "Security Baseline for Network Operators". Participants are asked about their level of preparedness for various security threats.

Once approved the ITU-T Recommendation will show the readiness and ability of operators to collaborate and coordinate counteraction against security threats arising from interconnected networks. The Security Baseline will allow network operators to assess their network and information security posture in terms of what security standards are available, which of these standards should be used to meet particular requirements, when they should be used, and how they should be applied. It will also identify security Recommendations and standards to support evaluation of operators’ network security and information security.

Commencement of the first draft of the Recommendation will begin towards the end of 2006.
See the online survey which is aimed at network and service providers.

A deadline of 24 November 2006 has been set for survey responses.

A new tool that gives a unique overview of ITU-T’s Next Generation Network (NGN) related activities has been released. The NGN Project Management Tool, was developed with the support of a voluntary contribution for one of the ITU-T Sector Members.

Since the work towards standards for NGN is taking place across a number of different ITU-T study groups and other standards development organizations (SDOs) the ability to coordinate and view all NGN work in one place will be invaluable to the swift and efficient publication of NGN specifications.

Essentially a repository of information from ITU and other SDOs, the system was asked for by members of the various Study Groups working on NGN. Key will be the ability to keep track of the latest versions of Recommendations and provide detailed information for experts and summaries for management.

Access information on the NGN Project Management Tool here.

John MacDonald, a member of the ITU team that created the new VDSL 2 standard, will take part in an upcoming Webinar on this topic, 21 November 2006. The Webinar, the second on the topic that ITU has contributed to, will outline what VDSL2 is, which are its competitive differentiators and benefits, and how it allows service providers to compete with cable and satellite operators - by enabling the delivery of enhanced voice, video and data services over a standard copper telephone cable.

ADSL (Asymmetric Digital Subscriber Line) is a product of ITU-T, ITU’s standardization arm, and is the world's most widely deployed broadband access technology. It has enhanced users' experience of the Internet, provided access to digitized content, and fuelled the delivery of streaming video and the development of online gaming by offering downstream data rates of up to 8 Mbit/s. Today, service providers must ensure their DSL offerings can compete against other market options from cable operators. One way to do so, is by offering services over VDSL2 (ITU-T Recommendation G.993.2) - very high-speed DSL - a new version of DSL, which gives service providers the ability to deliver even higher bandwidth and more enhanced services to consumer and business customers.

Delivering up to 100 Mbit/s both up and downstream, a tenfold increase over ADSL (Asymmetric DSL) VDSL2 provides for so-called fiber-extension, bringing fiber-like bandwidth to premises not directly connected to the fiber optic segment of a telecom company’s network. By deploying VDSL2 operators expect to be able to offer services such as high-definition TV (HDTV), video-on-demand, videoconferencing, high-speed Internet access, and advanced voice services. Importantly VDSL 2 offers carriers a solution that is interoperable with the DSL equipment many already have in place. In addition, VDSL 2 will work with both legacy ATM networks and next generation IP-based networks.