CREATING TRUST IN CRITICAL NETWORK INFRASTRUCTURES
The nature of the problem
Critical infrastructure protection consists of providing for the
confidentiality, integrity, availability and authentication of information and
communication systems, including the data and information transferred over these
systems. There are numerous developments, which are transforming current
information and communication systems. The complete and total protection of
critical infrastructures is never achieved. It is an ongoing, dynamic process.
It is too narrow to take into consideration only the Internet when planning for
critical infrastructure protection. Instead, it is important to contemplate the
new ubiquitous information environment.
Most of the issues related to protecting critical
infrastructures are non-technical. The most important of these issues is the
management of large, complex organizations for which current understanding is
Critical infrastructure protection, cyberterrorism, and
information warfare form a continuum. All relate to preserving the functioning
of the critical infrastructure, so measures taken to protect it will assist in
all these domains. Generally, they differ principally in terms of the actors
involved and their intent. While cyberterrorism and information warfare receive
a lot of publicity, it is essential to keep in mind that the vast majority of
threats to, and breaches of, the critical infrastructure come, not from hackers,
crackers, and terrorists, but from employees, who are negligent, fatigued, or
insufficiently trained, and who unwittingly cause breaches or vulnerabilities.
It is important to raise awareness of the need for a systematic
and consistent approach to security issues and to promote user education and
training. A programme of education and training needs to be developed at all
levels, including for schoolchildren, in order to reinforce an understanding of
security issues, and to discourage teenagers from becoming hackers. Security
should also become a component of information system design courses. This could
be done, for example, by ensuring the systematic inclusion of security
considerations during design projects.
ITU 020110/Yong-Hwan Lee, TTA
Workshop participants agreed that the issue of
security is not primarily a technological one. Secure protocols and technical
responses to threats exist. However, the political and financial will to
implement them is often lacking. Security is often regarded as a non-revenue
producing activity and thus receives low priority, especially during times of
It is notable that the performance criteria and quality of
service requirements for the Internet are shifting rapidly, as it becomes a mass
medium used increasingly widely throughout society. The early Internet
performance standard was “best effort”. It was apparent from discussions
that this quality of service performance and guarantee is no longer sufficient,
and that a standard similar to that applied to telephony services and emergency
services — i.e. constant availability — is what may be required. It is worth
examining this question of performance criteria to decide on the standard. Is it
to be similar to voice telephony, emergency telephone services, electricity
provision, or some other standard?
In any event, human activity is increasingly entwined with the
continued functioning of critical infrastructures. This, in turn, is
increasingly dependent on the goodwill of people all around the world, including
teenagers, for the continued functioning of the global network of networks. Many
policy issues arise from this fact including jurisdiction, mutual assistance,
evidence and criminal prosecution.
Critical infrastructure protection includes not only the
important issue of robust performance for daily business and personal
activities, but also inevitably raises issues of law enforcement and national
security. This is also true of other important resources, such as electricity,
energy, and water resources. Similarly, while law enforcement and national
security issues must be competently addressed, they must be accomplished in the
context of the use of these critical infrastructures in civil society. In this
regard, privacy and security are compatible and can be mutually reinforcing.
Protection of personal data will enhance the protection of critical
There is a need for more studies and an increased understanding
of risk tolerance, risk assessment, and risk management in the area of critical
infrastructure protection. It would be useful, in this context, to study
analogous areas, such as the insurance industry, to import valuable lessons on
risk into the critical infrastructure domain.
It was noted repeatedly that a lot is known about computer
security, but that implementation lags far behind, with continued failure to
implement security measures. There are a number of reasons for this deficit.
Data on security vulnerabilities, threats, and breaches is insufficient. An
incentive structure to encourage the private sector to improve critical
infrastructure protection is absent. This is exacerbated by technology and
competition cycles, which provide further disincentives for private sector
attention to, and investment in, critical infrastructure protection. Better data
will certainly help because it will demonstrate the case for improved critical
infrastructure protection. The fact remains that the intrinsic security of the
global network of networks is deteriorating all the time. There are many factors
that contribute to this increasing insecurity, including the continual addition
of more computers, communication networks, data, information, and, most
significantly, fallible human beings to the global network. In addition, there
is an inverse relationship between the wide availability of hacking tools on the
World Wide Web and the sophistication of hackers.
A prime concern is the way in which companies, individuals and
government organizations can be encouraged to take security measures. A number
of participants indicated the need for an incentive structure, such as tax
reductions, to enhance the willingness to improve security levels. Workshop
participants agreed that the issue of security is not primarily a technological
one. Secure protocols and technical responses to threats exist. However, the
political and financial will to implement them is often lacking. Security is
often regarded as a non-revenue producing activity and thus receives low
priority, especially during times of economic recession.
The need for international collaboration
A recurring theme at the workshop was the need for international
collaboration in the protection of critical network infrastructures. It was
quite clear to all participants that the current level of collaboration falls
short in many respects.
Improved attention and activity on critical infrastructure
protection is urgently needed at all three levels: international, national and
sub-national. Increased international effort and collaboration can provide an
important and efficient resource for national and sub-national processes.
International consultation will help to build consensus and provide more
convergence in approach, which is important for providing protection of the
global networks in a predictable, coherent, sustainable and robust manner.
At the present time, collaboration between nations (at regional
and international level as well as at sub-national level) and across sectors is
limited and often relies on personal contacts. Greater levels of cooperation are
restricted by the multitude of national laws and the limitations placed on the
exchange of information. Better mechanisms, based on procedures rather than on
friendships, need to be put in place. Agencies involved in the protection of
critical network infrastructures need to have a mandate that enables them to
collaborate actively with foreign agencies in response to threats and attacks.
To improve cooperation, laws and guidelines should be streamlined at
international level, to provide agencies with comparable tools across borders.
Vandals and criminals are no longer restricted to a
single geographic location. A hacker in one country can attack a network in
another country using tools from a third country...
It was recommended that where appropriate, governments, in
consultation with the relevant industry sectors, begin a process of risk
assessment of the vulnerabilities and risks to national networks, with a view to
producing a follow-up action plan that would address those risks. In addition,
it would be useful to identify existing relevant mechanisms, activities, and
institutions already at work on aspects of the issues of critical infrastructure
Advanced infocommunication networks, including the Internet, are
highly dependent upon critical telecommunication infrastructure, e.g. for
backbone and access networks. With convergence, there are clearly synergistic
interests for both telecommunication and Internet providers in providing and
operating secure networks. A review of national policy and/or regulatory stances
may be appropriate, bearing in mind that asymmetric policies or regulation may
potentially impede progress in information systems security and network
infrastructure protection. By way of an example, national or regional security
certification schemes covering both sectors might be envisioned.
Because of the many dimensions of the problems, it was
considered unlikely that a single international forum would be able to resolve
information systems security and achieve network infrastructure protection.
Therefore, it would be most beneficial to work towards advancing specific areas
in a number of international forums. Concrete examples of initiatives to be
taken include information sharing, international technical standards and
monitoring, halting cyberattacks in progress, coordinating legal systems and
providing assistance to developing countries. These items are discussed in
detail in the POLICY AND STRATEGY TRENDS.
In developing a framework for international collaboration, it is
useful to consider three dimensions of cooperation, all of which form a spectrum
of possible actions:
Formal and informal, including the full spectrum of
activities ranging, for instance, from a treaty-level formal arrangement to
ad hoc cooperation between security experts and other stakeholders. It may
be difficult to achieve such a treaty, but on the other hand, staying with
ad hoc arrangements is likely to be unsustainable;
Multilateral and bilateral, depending on the geographical
scope of the level of cooperation;
Active and passive forms of defence against unauthorized
Of course, successful international cooperation must first be
founded on effective cooperation at the national and sub-national levels. The
country case studies and other country presentations revealed a range of
problems in this area, ranging from turf wars, to overlapping mandates and
unclear legal frameworks. Some countries have a proliferation of different
organizations that are attempting to address network security issues, leading to
a duplication of work and to financial resources being thinly spread.
should quickly review its current work programme vis-à-vis information systems
security and network infrastructure protection and take action to reinforce its
activities in this area. It was considered that ITU, as an organization made up
of representatives of both governments and the private sector involved in
coordinating global telecommunication networks (including IP-based networks) and
services, represented a distinctive international forum for cooperative
Suggested role for ITU
A number of suggestions were discussed with respect to the role
of ITU, some of which are listed here:
ITU should quickly review its current work programme vis-à-vis
information systems security and network infrastructure protection and take
action to reinforce its activities in this area. It was considered that ITU,
as an organization made up of representatives of both governments and the
private sector involved in coordinating global telecommunication networks
(including IP-based networks) and services, represented a distinctive
international forum for cooperative initiatives.
Mention was made of the need for improved technical
standards for both information and systems security. Participants also
pointed to the need for improved cooperation on Internet Protocol
(IP)-related vulnerabilities and improved security standards between ITU and
other relevant standards development organizations such as the Internet
Engineering Task Force (IETF) and the World Wide Web Consortium (W3C).
The topic of information systems security and network
infrastructure protection should be placed on the agenda of the World Summit
on the Information Society (WSIS), as public trust in this domain is a
cross-cutting issue that is integral to the development of an information
In order to take forward the discussions initiated at the
workshop on “Creating Trust in Critical Network Infrastructures”, it is
proposed that a bulletin board be created on the ITU website to discuss
possible avenues of cooperation.
Where there are national or regional security certification
standards that have been developed, consideration could be given to the
development of an international mutual recognition scheme for security
- ITU could assist, for instance, in elaborating common criteria
for the designation of critical infrastructures.
The ITU Telecommunication Development Sector (ITU–D)
should consider developing a programme of assistance to developing countries
on awareness of critical infrastructure protection issues.
ITU should disseminate widely the discussions and report
from the workshop on “Creating Trust in Critical Network Infrastructures”,
to its three Sectors, its Member States, as well as to other international
organizations, standards development organizations and other appropriate
* This article is adapted from extracts from a report produced by the
Chairman of the ITU Strategic Planning Workshop on the topic of “Creating
Trust in Critical Network Infrastructures”. The workshop was held in Seoul
(Republic of Korea) from 20 to 22 May 2002.