As a result of the WSIS, ITU was appointed sole facilitator of Action Line C5, “Building
confidence and security in the use of ICTs”. The rapid growth of ICT networks has created new opportunities for
criminals to exploit online vulnerabilities and attack countries' critical infrastructure. The future growth and
potential of the online information society are in danger from growing cyberthreats. Furthermore, cyberspace is
borderless: cyberattacks can inflict immeasurable damage in different countries in a matter of minutes.
Strategic Goal Four
Developing tools, based on contributions from the
membership, to promote end-user confidence, and to safeguard the efficiency, security, integrity and interoperability of
1 Information and communication network efficiency and security cover threats including, inter alia, spam, cybercrime, viruses, worms and denial-of-service attacks.
Governments, firms and individuals are now more reliant on the information stored and transmitted over advanced
communication networks. The costs associated with cyberattacks are significant - in lost revenue, loss of sensitive
data, damage to equipment, denial-of-service attacks and network outages. Analysts have estimated that the total cost of
online fraud will amount to some USD 105 billion in 2007, outstripping illegal drug sales worldwide for the first time.
ITU is working hard to address the emerging challenges associated with the information society. ITU's standardization
work directly addresses security vulnerabilities in networks and transmission capabilities.
Standards guarantee established levels of performance and security in technologies, systems and products, boosting
confidence among providers and end users. ITU's security standards cover a broad range of areas, including security
principles for IMT (3G) networks, IP multimedia systems, NGN, network security requirements, network attacks, theft and denial of service, theft of identity, eavesdropping, telebiometrics for
authentication and security of emergency telecommunications.
One key example is X.509, an ITU-developed Recommendation for electronic authentication over public networks and one of
the most important security standards in use today. The elements defined in X.509 are used in public-key certificates
for securing connections between web-browsers and servers, agreeing encryption keys and providing digital signatures.
ITU's work on electronic authentication has enabled jurisdictions around the world to recognize e-mail as legal
documents and to accord electronic signatures legal status.
“Standardization is a key building block in constructing a global culture of cybersecurity. We can and will win
the war against cyberthreats. We will do so by building on the work of the thousands of dedicated individuals - from
governments, the private sector and civil society - who come together, in organizations like ITU, to develop security
standards and guidelines for best practices.”
Director of the ITU Telecommunication Standardization Bureau
ITU's Standardization Sector (ITU-T) is uniquely positioned to bring together the private sector and governments to
coordinate work in the harmonization of security policy and security standards worldwide.
ITU works closely with other standards development organizations (SDOs) in setting standards for security and monitoring
security work and hosts a regular joint security workshop coordinating work between other SDOs. In conjunction with the
European Network and Information Security Agency and the Network and Information Security Steering Group, ITU publishes
an ICT Security Standards Roadmap highlighting existing standards, current work and future standards among key SDOs to
inform users about standards that are available and under development.
ITU study groups are engaged in many security-related activities, and reviewing security questions is a key part of their
work. Study Group 17 is the lead study group on Communications System Security and has approved over one hundred
Recommendations on security for communications, mainly in the X series of Recommendations (by itself or jointly with
ISO/IEC). It regularly publishes a Security Manual on “Security in telecommunications and information technology” as an
overview of security issues and ITU-T Recommendations for secure telecommunications (the third manual was issued in
August 2006), as well as a Security Compendium containing a catalogue of approved ITU-T Recommendations related to
ITU is also engaged in direct technical assistance to build capacity in Member States, particularly developing
countries, to coordinate national strategies and protect network infrastructures from threats. National frameworks and
strategies are needed that allow stakeholders to use all the technical, legal and regulatory tools available in
promoting a culture of cybersecurity. While some countries are advanced in national cybersecurity and Critical
Information Infrastructure Protection (CIIP) strategies, others are only just beginning to consider the necessary measures to undertake. ITU-D is working on a Framework for Organizing a National Approach to Cybersecurity that identifies the main policy objectives of national strategies for cybersecurity in:
Developing a national cybersecurity strategy;
Establishing national government-industry collaboration;
Creating a national incident management capability;
Deterring cybercrime; and
Promoting a national culture of cybersecurity.
ITU is working with many partners from the public and private sectors on specific cybersecurity/CIIP development
initiatives to assist developing countries in awareness and self-assessment, building capacity and expanding watch,
warning and incident response capabilities. ITU promotes the sharing of experience between and amongst developing and
developed countries through its online platforms, an active workshop programme and toolkits.
ITU is working to establish an international framework to promote cybersecurity - the Global
Cybersecurity Agenda (www.itu.int/gca/). An expert panel has been appointed to advise the ITU
Secretary-General on the complex issues surrounding cybersecurity. The High-Level Experts Group consists of
world-renowned specialists in cybersecurity from a broad range of backgrounds in policy-making, government, academia and
the private sector. This group will formulate proposals to the ITU Secretary-General on long-term strategies to promote
cybersecurity in five key work areas (Figure 3).
The work area on “Legal measures” is developing advice on how to deal with criminal activities committed over ICT
networks through legislation in an internationally compatible manner. “Technical and procedural measures” focuses on key
measures for addressing vulnerabilities in software products, including accreditation schemes, protocols and standards.
“Organizational structures” is developing a framework and response strategies for the prevention, detection, response to
and crisis management of cyberattacks, including the protection of critical information infrastructure systems.
“Capacity building” focuses on elaborating strategies for capacity-building mechanisms to raise awareness, transfer
know-how and boost cybersecurity on the national policy agenda. Finally, “International cooperation” is developing a
strategy for international cooperation, dialogue and coordination in dealing with cyberthreats.