ITU News magazine
NETWORK SECURITY – ITU NEW INITIATIVES PROGRAMME

CREATING TRUST IN CRITICAL NETWORK INFRASTRUCTURES

Chairman’s Report*

The nature of the problem


Critical infrastructure protection consists of providing for the confidentiality, integrity, availability and authentication of information and communication systems, including the data and information transferred over them. Numerous developments are transforming current information and communication systems. Complete protection of critical infrastructures is never achieved; it is an ongoing, dynamic process. It is too narrow to consider only the Internet when planning for critical infrastructure protection. Instead, the new ubiquitous information environment as a whole must be taken into account.

Most of the issues related to protecting critical infrastructures are non-technical. The most important of these issues is the management of large, complex organizations for which current understanding is limited.

Critical infrastructure protection, cyberterrorism and information warfare form a continuum. All relate to preserving the functioning of the critical infrastructure, so measures taken to protect it will assist in all three domains. They differ principally in the actors involved and their intent. While cyberterrorism and information warfare receive a lot of publicity, it is essential to keep in mind that the vast majority of threats to, and breaches of, the critical infrastructure come not from hackers, crackers and terrorists, but from employees who are negligent, fatigued or insufficiently trained, and who unwittingly cause breaches or introduce vulnerabilities.

It is important to raise awareness of the need for a systematic and consistent approach to security issues and to promote user education and training. A programme of education and training needs to be developed at all levels, including for schoolchildren, in order to reinforce an understanding of security issues, and to discourage teenagers from becoming hackers. Security should also become a component of information system design courses. This could be done, for example, by ensuring the systematic inclusion of security considerations during design projects.


It is notable that the performance criteria and quality of service requirements for the Internet are shifting rapidly as it becomes a mass medium used ever more widely throughout society. The early Internet performance standard was "best effort". It was apparent from the discussions that a best-effort guarantee is no longer sufficient, and that a standard similar to that applied to telephony and emergency services, namely constant availability, may be what is required. This question of performance criteria deserves examination in order to decide on the standard: is it to be similar to voice telephony, emergency telephone services, electricity provision, or some other standard?

In any event, human activity is increasingly entwined with the continued functioning of critical infrastructures, which in turn depends increasingly on the goodwill of people all around the world, including teenagers, for the continued functioning of the global network of networks. Many policy issues arise from this fact, including jurisdiction, mutual assistance, evidence and criminal prosecution.

Critical infrastructure protection includes not only the important issue of robust performance for daily business and personal activities, but also inevitably raises issues of law enforcement and national security. This is also true of other important resources, such as electricity, energy, and water resources. Similarly, while law enforcement and national security issues must be competently addressed, they must be accomplished in the context of the use of these critical infrastructures in civil society. In this regard, privacy and security are compatible and can be mutually reinforcing. Protection of personal data will enhance the protection of critical infrastructures.


There is a need for more studies and an increased understanding of risk tolerance, risk assessment, and risk management in the area of critical infrastructure protection. It would be useful, in this context, to study analogous areas, such as the insurance industry, to import valuable lessons on risk into the critical infrastructure domain.

It was noted repeatedly that a lot is known about computer security, but that implementation lags far behind, with continued failure to put known security measures in place. There are a number of reasons for this deficit. Data on security vulnerabilities, threats and breaches is insufficient. An incentive structure to encourage the private sector to improve critical infrastructure protection is absent. This is exacerbated by technology and competition cycles, which provide further disincentives for private sector attention to, and investment in, critical infrastructure protection. Better data will certainly help, because it will demonstrate the case for improved critical infrastructure protection. The fact remains that the intrinsic security of the global network of networks is deteriorating all the time. Many factors contribute to this increasing insecurity, including the continual addition of more computers, communication networks, data, information and, most significantly, fallible human beings to the global network. In addition, there is an inverse relationship between the wide availability of hacking tools on the World Wide Web and the sophistication required of those who use them: as ready-made tools become more widely available, less skill is needed to mount an attack.

A prime concern is the way in which companies, individuals and government organizations can be encouraged to take security measures. A number of participants indicated the need for an incentive structure, such as tax reductions, to enhance the willingness to improve security levels. Workshop participants agreed that the issue of security is not primarily a technological one. Secure protocols and technical responses to threats exist. However, the political and financial will to implement them is often lacking. Security is often regarded as a non-revenue producing activity and thus receives low priority, especially during times of economic recession.

The need for international collaboration

A recurring theme at the workshop was the need for international collaboration in the protection of critical network infrastructures. It was quite clear to all participants that the current level of collaboration falls short in many respects.

Improved attention and activity on critical infrastructure protection is urgently needed at all three levels: international, national and sub-national. Increased international effort and collaboration can provide an important and efficient resource for national and sub-national processes. International consultation will help to build consensus and provide more convergence in approach, which is important for providing protection of the global networks in a predictable, coherent, sustainable and robust manner.

At the present time, collaboration at sub-national, national, regional and international levels, and across sectors, is limited and often relies on personal contacts. Greater levels of cooperation are restricted by the multitude of national laws and by the limitations placed on the exchange of information. Better mechanisms, based on procedures rather than on friendships, need to be put in place. Agencies involved in the protection of critical network infrastructures need a mandate that enables them to collaborate actively with foreign agencies in response to threats and attacks. To improve cooperation, laws and guidelines should be streamlined at the international level, so as to provide agencies with comparable tools across borders.


Vandals and criminals are no longer restricted to a single geographic location. A hacker in one country can attack a network in another country using tools from a third country...

Future work

It was recommended that where appropriate, governments, in consultation with the relevant industry sectors, begin a process of risk assessment of the vulnerabilities and risks to national networks, with a view to producing a follow-up action plan that would address those risks. In addition, it would be useful to identify existing relevant mechanisms, activities, and institutions already at work on aspects of the issues of critical infrastructure protection.

Advanced infocommunication networks, including the Internet, are highly dependent upon critical telecommunication infrastructure, e.g. for backbone and access networks. With convergence, there are clearly synergistic interests for both telecommunication and Internet providers in providing and operating secure networks. A review of national policy and/or regulatory stances may be appropriate, bearing in mind that asymmetric policies or regulation may potentially impede progress in information systems security and network infrastructure protection. By way of an example, national or regional security certification schemes covering both sectors might be envisioned.

Because of the many dimensions of the problems, it was considered unlikely that a single international forum would be able to resolve information systems security and achieve network infrastructure protection. Therefore, it would be most beneficial to work towards advancing specific areas in a number of international forums. Concrete examples of initiatives to be taken include information sharing, international technical standards and monitoring, halting cyberattacks in progress, coordinating legal systems and providing assistance to developing countries. These items are discussed in detail in the POLICY AND STRATEGY TRENDS.

In developing a framework for international collaboration, it is useful to consider three dimensions of cooperation, all of which form a spectrum of possible actions:

  • Formal and informal, including the full spectrum of activities ranging, for instance, from a treaty-level formal arrangement to ad hoc cooperation between security experts and other stakeholders. It may be difficult to achieve such a treaty, but on the other hand, staying with ad hoc arrangements is likely to be unsustainable;

  • Multilateral and bilateral, depending on the geographical scope of the level of cooperation;

  • Active and passive forms of defence against unauthorized intrusion.

Of course, successful international cooperation must first be founded on effective cooperation at the national and sub-national levels. The country case studies and other country presentations revealed a range of problems in this area, ranging from turf wars, to overlapping mandates and unclear legal frameworks. Some countries have a proliferation of different organizations that are attempting to address network security issues, leading to a duplication of work and to financial resources being thinly spread.


Suggested role for ITU

A number of suggestions were discussed with respect to the role of ITU, some of which are listed here:

  • ITU should quickly review its current work programme vis-à-vis information systems security and network infrastructure protection and take action to reinforce its activities in this area. It was considered that ITU, as an organization made up of representatives of both governments and the private sector involved in coordinating global telecommunication networks (including IP-based networks) and services, represented a distinctive international forum for cooperative initiatives.

  • Mention was made of the need for improved technical standards for both information and systems security. Participants also pointed to the need for improved cooperation on Internet Protocol (IP)-related vulnerabilities and improved security standards between ITU and other relevant standards development organizations such as the Internet Engineering Task Force (IETF) and the World Wide Web Consortium (W3C).

  • The topic of information systems security and network infrastructure protection should be placed on the agenda of the World Summit on the Information Society (WSIS), as public trust in this domain is a cross-cutting issue that is integral to the development of an information society.

  • In order to take forward the discussions initiated at the workshop on “Creating Trust in Critical Network Infrastructures”, it is proposed that a bulletin board be created on the ITU website to discuss possible avenues of cooperation.

  • Where there are national or regional security certification standards that have been developed, consideration could be given to the development of an international mutual recognition scheme for security certification.

  • ITU could assist, for instance, in elaborating common criteria for the designation of critical infrastructures.

  • The ITU Telecommunication Development Sector (ITU–D) should consider developing a programme of assistance to developing countries on awareness of critical infrastructure protection issues.

  • ITU should disseminate widely the discussions and report from the workshop on “Creating Trust in Critical Network Infrastructures”, to its three Sectors, its Member States, as well as to other international organizations, standards development organizations and other appropriate entities.

The full text of the Chairman’s Report is available at www.itu.int/osg/spu/ni/security/docs/cni.10.doc.

* This article is adapted from extracts from a report produced by the Chairman of the ITU Strategic Planning Workshop on the topic of “Creating Trust in Critical Network Infrastructures”. The workshop was held in Seoul (Republic of Korea) from 20 to 22 May 2002.


Copyright © ITU 2010 All Rights Reserved
Updated : 2002-07-30