Executive Summary
SG 17 (16-25 September 2009)
Cybersecurity: Several significant, if not historic, actions were taken to bring about substantially enhanced global cybersecurity. These actions include the adoption of a Cybersecurity Information Exchange Framework that imports more than twenty best-of-breed standards for platforms developed over the past several years by government agencies and industry to enhance cybersecurity. These platforms capture and exchange information about the security "state" of systems and devices, about vulnerabilities, about incidents such as cyber attacks, and about related knowledge ("heuristics"). The Framework pulls these platforms together to facilitate their global interoperability and use. It is also designed to be "extensible" and capable of evolving over time to include new threat-specific capabilities.
As the meeting ended, the importance of this work was underscored by a participant from one of Japan's leading national security laboratories, who demonstrated that it was already implementing the new specifications and enhancing their interoperability.
Computer Incident Response Teams (CIRTs), WTSA-08 Res. 58: WTSA Res. 58 notes the importance of national Computer Incident Response Teams (CIRTs) to cybersecurity and calls for supporting their creation in Member States. The Resolution then calls for the TSB Director to undertake several steps supporting the creation of CIRTs, including collaborating with international experts and bodies, and facilitating collaboration between national CIRTs, including information exchange. Two of ITU-T's Questions (Q.3/17 and Q.4/17) have been active in assisting the TSB Director.
It was apparent that the national CIRT environment worldwide is very much in a state of rapid evolution, and that a broad array of CIRT related organizations and groups of organizations exist. The FIRST organization - which has long existed as the principal global organization among Computer Emergency Response Teams - is clearly the primary vehicle for coordination and cooperation. However, a rapidly growing number of national CIRTs seem to be emerging somewhat independently of each other and with their own collaborative communities and organizations. A wiki-based initial compilation of discovered CIRTs and related agencies and bodies was developed.
In the area of information exchange, the current situation is rather unstructured, albeit with a number of significant platforms that have been developed and embraced by many of the larger CIRTs. The new Global Cybersecurity Information Exchange Framework, based on studies completed over the past two years and adopted at this SG 17 meeting, is designed in part to meet this information exchange need.
Q.4/17, in collaboration with Q.3/17 of SG 17, proposed several important initial actions pursuant to Res. 58 to the TSB Director:
- Organizational Framework Development. There is presently no coherent approach for a structure of CIRTs and related organizations. The five section structure developed on the Wiki site (http://www.ituwiki.com/Main_Page) is suggested as a basis for such a structure and is initially suggested as a cybersecurity organizational taxonomy.
- Cybersecurity Information Exchange Identifiers including those for cybersecurity organizations. The existence of many if not most CIRTs and related organizations is not presently known. TSB, FIRST and other available assets should be used to maintain authoritative global identifiers for cybersecurity organizations and information in a dedicated OID arc.
- Collaboration with FIRST. The FIRST organization has for many years served as a global collaboration mechanism among CIRTs worldwide. The ITU-T should establish a formal cooperative relationship with FIRST and work in close cooperation on achieving Res. 58 objectives, including the hosting of joint workshops and other activities.
- Advancing the Cybersecurity Information Exchange Framework. The new framework being developed in Q.4/17 is intended in part to provide a comprehensive set of capabilities for CIRTs, and the TSB Director is urged to facilitate its evangelization.
Identity management (IdM): the meeting approved two standards:
X.1250, Baseline capabilities for enhanced global identity management trust and interoperability
This Recommendation describes baseline capabilities for global identity management (IdM) trust and interoperability (i.e., to enhance exchange and trust in the identities used by entities in telecommunication/ICT networks and services). The definitions and need for identity management trust are highly context dependent and often subject to very different policies and practices in different countries. The trust capabilities include the protection and control of personally identifiable information.
X.1251, A framework for user control of digital identity
This Recommendation defines a framework to enhance user control and exchange of their digital identity related information. The Recommendation also defines user and functional requirements of the digital identity information exchange. The work includes providing the user with the ability to control the release of personally identifiable information.
Two further important Recommendations were agreed for determination at this SG 17 meeting: X.1252 and X.1275.
X.1252 provides a collection of terms and definitions used in identity management (IdM) and sets the stage for a common set of definitions for the whole industry.
The other Recommendation, X.1275, Guideline on protection of personally identifiable information in application of RFID technology, provides guidelines and best practices regarding RFID procedures that service providers can use to gain the benefits of RFID while protecting personally identifiable information.
Object Identifiers (OID): The International OID tree has about 98,000 registrations recorded in the OID repository at http://www.oid-info.com (but many more have been allocated in practice), and provides for the identification of objects (of any sort) via a hierarchical allocation scheme controlled jointly by ITU-T and ISO/IEC. OIDs allow for the identification of objects using any of the languages of the world (in a structured and hierarchical fashion).
Work is also progressing on an OID Resolution System (ORS) that will support the use of International OIDs in conjunction with (RF)ID tags to obtain multimedia information concerning the identified object. It is intended that this OID Resolution System will contain security features to ensure that the returned information is from a trusted source and is resistant to malicious attacks.
The SG 17 ASN.1 & OID project also continues to assist countries (e.g., Argentina, Bosnia and Herzegovina, Brazil, Honduras, Iran, Malaysia, Tunisia, Ukraine, Uruguay), and in particular developing countries, in setting up a national registration authority for OIDs.
Open Distributed Processing (ODP): The joint ITU-T/ISO/IEC set of standards on Open Distributed Processing (ODP) is now complete.
Other formal ITU Languages: New versions of the ITU System Design Languages under the responsibility of this group are planned and were progressed during the meeting, with the first scheduled release being the SDL-2010 version of the Specification and Description Language in 2010. New versions of the User Requirements Notation (URN) and the Message Sequence Chart (MSC) language are scheduled for later in the 2009-2012 period. Work is proceeding on providing Unified Modeling Language (UML) profiles for the ITU System Design Languages. The UML profile for MSC should be the next to be considered for approval, in late 2010 or 2011. The profiles enable the ITU languages, and models written in these languages, to be integrated using UML and tools based on UML technology.
Directory: The sixth edition of the ITU-T X.500-series of Recommendations has been subject to ITU/TSB editing. A final editorial check has been done by the Project Editor and the different parts are published or ready for publication.
Extensive work was performed on the Password Policy Working Draft. Several comments were received and dealt with, and a new working draft has been produced. It was agreed that the work on Password Policy is progressing successfully and that it can go to PDAM stage within ISO/IEC.
A first Working Draft on X.500 Communications support enhancements was also produced.
Q.11/17 maintains a web site, http://www.x500standard.com/, acting as an online X.500 Implementers' Guide. It has the advantage that new issues and their resolutions are made available in a timely fashion. Currently, there is a link from the SG 17 Implementers' Guide page to this online Implementers' Guide.
Telebiometrics: The meeting approved the following standard:
X.1081, Amd.1, The telebiometric multimodal model - A framework for the specification of security and safety aspects of telebiometrics - Amendment 1: Object Identifier assignments under the Telebiometrics arc.
This Amendment allocates arcs under the object identifier allocated for the work on telebiometrics, with top level OID-IRI value “/Telebiometrics”. Eight arcs are defined for ITU-T X.1081, ITU-T X.1082 and the six parts of ITU-T X.th. Under the arc allocated to ITU-T X.1081, new arcs are allocated to layers (scientific, sensory, metric), fields of study (physics, chemistry, biology, culturology, psychology) and modalities (video, audio, tango, chemo, radio).
The meeting agreed to the determination of the following standards:
X.1081, Amd.2, The telebiometric multimodal model - A framework for the specification of security and safety aspects of telebiometrics - Amendment 2: Appendix V on information on hierarchies. This Amendment updates the current edition (2002) with clarification on hierarchy theory and provides a bibliography.
X.1082, Amd.1, Telebiometrics related to human physiology - Amendment 1: Object Identifier assignments under the Telebiometrics arc. This Amendment allocates arcs under the object identifier allocated in ITU-T X.1081 Amendment 1, for the work on human-physiology, with OID-IRI value “/Telebiometrics/Human_Physiology”. The new arcs are related to symbols (14 arcs) and symbol combinations (4095 arcs).
Security architecture and framework: significant progress has been achieved in the review of three draft Recommendations, namely X.interfaces, X.1034 (revised) and X.gsiiso.
X.interfaces, Architecture of external interrelations for a telecommunication network security system, serves as a foundation for developing detailed recommendations for network security with regard to the effect of external objects.
X.1034 (revised), Framework for extensible authentication protocol (EAP)-based authentication and key management: the framework can be used as a basic tool for enabling user authentication and distribution of session keys in a data communication network and can be applied to protect data communication networks with either wireless access network or wired access network with a shared medium.
X.gsiiso, Guidelines on security of the individual information service for operators: this provides guidelines to operators on securing the individual information service they offer.
Draft X.interfaces is planned for determination at the April 2010 SG 17 meeting, while draft X.1034 (revised) and X.gsiiso are planned for consent at the December 2010 SG 17 meeting.
Work was also progressed on the initiative on business use of telecommunications/ICT security standards that was initiated at the February 2009 SG 17 meeting. The project will start with experts within SG 17 proposing standards that could be included in the summary sheets, before reaching out to other ITU study groups and other SDOs. The meeting called for closer collaboration with ITU-D in the execution of the project, which is expected to benefit mainly the developing countries.