1. The Problem: Users’ Confidence in the Use of ICTs is declining

The transformation of societies into information societies, made possible by the integration of Information and Communication Technologies (ICTs) within every sphere of human activity, makes individuals, organizations and countries increasingly dependent on globally networked infrastructures. Unfortunately, accompanying this greater dependency on information and communication infrastructure, there is also growing and more sophisticated misuse of ICTs for malicious and criminal purposes in many different guises — from direct attacks on physical infrastructures, identity theft, financial fraud, invasion of privacy to virus attacks, spam and online child pornography. We are all affected by the cybersecurity choices of others. For example, the majority of spam today is sent through hundreds of thousands of home user computers that have been taken over by spammers. Therefore, the weakest links in the global Internet have the potential to affect and wreak damage throughout the entire global ICT infrastructure.

2. This Problem is Growing: Cyber-Threats are Intensifying

Cybersecurity is growing in importance to countries and stakeholders around the world due to several reasons, including:

• Inherited Architecture of the Internet: the Internet began as a closed network with a limited number of trusted users, meaning that authentication was not an issue. The original design philosophy of the Internet is now several “generations” behind the latest technological challenges (consider, for example, the issue with inherited architecture posed by the ‘millennium bug’). The challenge now is how to replace or modify the inherited architecture of the Internet to build a safe and secure modern information and communication infrastructure.
• Anonymity Online: the lack of user authentication on the Internet means that it is easy to be anonymous and/or to falsify identity information in order to act without fear of reprisal (although conversely, anonymity may be one way in which users may feel more protected, by not giving away personal information and guarding against invasions of privacy).
• Society’s Growing Dependency on ICTs: modern lifestyles are increasingly dependent on ICTs at work and at home, in the storage, processing and transmission of electronic data for everything from bank accounts and financial assets to health records. In some countries, the Internet has become such a vital part of society that it is often difficult to remember how people functioned without it. Loss of connectivity, data or information and/or the ability to communicate, can have profound economic and societal consequences. Few organizations have the capabilities to prevent, respond to, and recover from incidents.

3. Global Challenges in Cybersecurity
The following selection of current and emerging issues emphasizes the need for close collaboration between all stakeholders (this selection is not exhaustive).

3.1 Loopholes in Current Legal Frameworks

Cyber-criminals are increasingly exploiting vulnerabilities and loopholes in national and regional legislation. There is clear evidence that some are shifting their operations to countries where appropriate and enforceable laws are not yet in place and are now using these locations as a base from which to launch attacks, even on countries that have criminalized the misuse of ICTs.

Almost all national legislation is designed to be enforceable in well-defined jurisdictions, whether these are national, subregional or regional. However, such attempts cannot provide a comprehensive solution to the global nature of the legal challenges faced today. Some laws in place today may even shift the problem of enforcement from one country to another, because in today’s borderless information society, cyber-criminals can act across multiple territories and jurisdictions. The challenges posed by global networks such as the Internet can only be effectively addressed on a global scale. A global legal framework is therefore needed to provide a sound basis from which to combat the misuse of ICTs and to ensure effective enforcement.

3.2 Absence of Appropriate Organizational Structures

In many countries, the absence of national institutional structures to respond to incidents is a significant problem in responding to cyber-attacks. Some countries and regions have put in place structures for watch, warning and incident response and have established mechanisms to coordinate responses and minimize the impact of cyber-attacks on users.

Cyber-attacks are not limited to any specific country or region, as viruses, worms, and other malicious software can spread rapidly via email to users located in any part of the globe. Swift and close coordination among responsible agencies is vital at the national, regional and global levels to provide for a rapid response to limit the harmful effects of cyber-attacks. Some initiatives have been launched to enhance communication among organizational structures at the national and regional levels in order to coordinate emergency response, but more needs to be done.

3.3 The need for Global Solutions

Experience to date with globally interconnected information networks has made it painfully clear that the challenges to cybersecurity cannot be effectively addressed by individual nations alone or even groups of industrialized countries.

Cyber-criminals are not bound to geographical locations and countries cannot close their borders to incoming cyber-threats. This means that time and geography are no longer barriers to where and when cyber-attacks are launched or where potential victims are located. Attempts to try and resolve these challenges at the national or regional levels have so far proved insufficient.

At the international level, greater coordination and more linkages are needed between all stakeholders. Given the urgency of tackling the challenges to cybersecurity, there is a need for simple, pragmatic steps towards international cooperation, with increased capacity-building to promote cybersecurity based on national experiences and country-specific needs. An inclusive dialogue is needed, involving all stakeholders and international organizations that have a role and expertise in cybersecurity-related issues. A global culture of cybersecurity is needed, while building trust amongst the stakeholders is needed for security to be improved worldwide.

4. Policy dialogue on national, regional and international strategies

The outcome documents from the two phases of the World Summit on the Information Society (WSIS) emphasize that building confidence and security in the use of ICTs is a necessary pillar for building a global information society. Through its activities in standardization, radiocommunication, development and policies and strategies, ITU has a long-standing track record in promoting security in telecommunications and ICT networks and services. As a consequence, WSIS entrusted ITU to play a leading role in the facilitation of WSIS Action Line C5: Building Confidence and Security in the Use of ICTs.

The High-Level Segment of Council provides a forum for senior policy-makers to deliver policy statements on their perspectives on cybersecurity, spam and combating cybercrime. A non-exhaustive list of issues is presented here, with the objective of facilitating their discussions at the High-Level Segment of Council:

4.1 Possible questions to be discussed:

• What are the greatest cyber-threats currently faced in your country?
• What are the key elements to be considered in formulating a national strategy for cybersecurity and for preventing cybercrime?
• What role should be played by governments in promoting a culture of cybersecurity at the national, regional and international levels?
• What does your government consider to be the highest priority activities for addressing current and emerging cyber-threats at the national, regional and international levels?