Question 22-/1: Securing information and communication networks: Best practices for developing a culture of cybersecurity

1 Statement of the situation

In view of

  1. the explosive growth in the deployment and use of information and communication technology (ICT) networks;

  2. that criminal attacks on cybersecurity are growing, and no efficient measures were able to stop them;

  3. the need to ensure the security of these globally interconnected infrastructures if the potential of the information society is to be achieved;

  4. the growing recognition at the national, regional and international levels of the need to develop and promote best practices, standards, technical guidelines and procedures to reduce vulnerabilities of and threats to ICT networks;

  5. the need for national action and regional and international cooperation to build a global culture of cybersecurity that includes national coordination, appropriate national legal infrastructures, and watch, warning and recovery capabilities, government/industry partnerships, and outreach to civil society and consumers;

  6. the requirement for a multi-stakeholder approach to effectively make use of the variety of tools available to build confidence in the use of ICT networks;

  7. that the UN General Assembly Resolution 57/239, "Creation of a global culture of cybersecurity" invites Member States "to develop throughout their societies a culture of cybersecurity in the application and use of information technology";

  8. that best practices in cybersecurity must protect and respect the rights of privacy and freedom of expression as set forth in the relevant parts of the Universal Declaration of Human Rights, the Geneva Declaration of Principles, and other relevant international human rights instruments;

  9. that the Geneva Declaration of Principles indicates that "A global culture of cybersecurity needs to be promoted, developed and implemented in cooperation with all stakeholders and international expert bodies", the Geneva Plan of Action encourages sharing best practices and taking appropriate action on spam at national and international levels, and the Tunis Agenda reaffirms the necessity for a global culture of cybersecurity, particularly Action Line C5 (building confidence and security in the use of ICTs);

  10. that ITU was requested by the WSIS Tunis 2005 in its agenda for the implementation and follow-up to be the unique facilitator/moderator for Action Line C5 "Building confidence and security in the use of ICTs". ITU-T, ITU-R, ITU-D and the General Secretariat based on such responsibility and in response to relevant resolutions adopted by the WTDC (Doha, 2006), with the expectation of updating them in Hyderabad 2010 this year, by the PP-06 (Antalya, 2006) as well as by WTSA-08 (Johannesburg, 2008), carried out many studies in order to improve cybersecurity;

  11. WSIS outputs in both Geneva 2003 and Tunis 2005 called for building confidence and security in the use of ICTs;

  12. that Resolution 45 [(Hyderabad, 2010)] of the World Telecommunication Development Conference supported the enhancement of cybersecurity amongst interested Member States;

  13. that consistent with its mandate, ITU should play a role in bringing together Member States, Sector Members and other experts to share experiences and expertise for securing ICT networks;

  14. the excellent results of Question 22/1 entitled "Report on Best Practices for a National Approach to Cybersecurity: Building Blocks for Organizing National Cybersecurity Efforts", in its final report for the period 2006-2009, as shown in Document 1/249(Rev.1) for this Question 2009, justified the continuation of this Question for another new cycle with different orientations taking into consideration the needs of developing countries;

  15. that there have been various efforts to facilitate the improvement of network security, including the work of Member States and Sector Members in standards-setting activities in ITU-T and in the development of best practices reports in ITU-D; by the ITU Secretariat in the Global Cybersecurity Agenda (GCA); and by the ITU Development Sector in its capacity-building activities in Programme 3;

  16. that developing countries' governments, service providers and end-users face unique challenges in developing security policies and approaches appropriate to their circumstances;

  17. that Member States and infrastructure operators would benefit from additional reports detailing the various resources, strategies and tools available to build confidence in the use of ICT networks and the role of international cooperation in this regard.

2 Question or issues for study

  1. Update the output of the past cycle taking into consideration the needs of developing countries and reflecting the results achieved by the ITU as a whole (the relevant outputs of ITU-T SG 17/T and SG 13/T, the relevant output of the specialized programme for cybersecurity in the BDT, the General Secretariat activities as a follow-up to Action Line C5 and the output of the High Level Expert Group (HLEG) which was supported by all developing countries experts) as well as progress achieved on the subject by ISO/IEC. This revision shall take into consideration also the progress achieved by the project "IMPACT", FIRST, and similar projects where many developing countries are member now.

  2. During the next study period, to expand upon the information contained in the Best Practices Report Phase I dealing with: 1) developing a national strategy for cybersecurity; 2) developing public/private partnerships; 3) creating national cyber incident management capability developing incident watch, warning and response and recovery mechanisms; 4) developing a culture of awareness; and 5) identifying best practices to protect against spam malware and other cyberthreats:

  1. With respect to developing a national strategy for cybersecurity, a) to develop models for national cybersecurity management; b) to identify organizational models that countries have followed and techniques they have used in developing a national strategy, with lessons learned, in particular of these models used by OECD, or any recommended model by Europe as a whole.

  2. With respect to public/private partnerships, to elaborate on 1) the principles for sound public/private partnerships; 2) various structural models for achieving sound public/private partnerships; and 3) the concept of risk mitigation with respect to public/private partnerships and the relative roles of each.

  3. With respect to creating national cyber incident management capability, to elaborate on the development of watch, warning and response and recovery mechanisms, and the establishment of national computer security incident response teams.

  4. Taking into consideration the existing studies in ITU-T SG 17 on enlarging these national centres to cover all matters related to cybersecurity in general and not to be limited to the Internet only, as well as the product of the relevant ITU-D programme regarding CIRT, preferably responding to regional needs of the six existing BDT regions, not forgetting that a single model for all developing countries might be the best practice in this domain.1

  5. With respect to developing a culture of cybersecurity awareness, to collect ideas from all sources on how countries, businesses and expert groups are educating and encouraging individuals and entities on the subject of cybersecurity, including child online protection, and the cybersecurity needs of persons with disabilities.

  6. With respect to identifying best practices and strategies to protect against spam and malware: 1) to examine and identify national consumer and business education efforts to help build user confidence through the prevention and mitigation of spam and malware; 2) to examine the role that governments and non-governmental organizations have in promoting the prevention of spam and malware, including consideration of their respective best practices, guidelines and codes of conduct; 3) to examine the methods used to educate end-users of the risks associated with phishing schemes, botnets, viruses and other malicious content that may be contained in spam, as well as preventative measures employed; and, 4) to examine perspectives on mechanisms used to improve cybersecurity, and to identify what information, capabilities, tools and mechanisms are available to businesses and other end users.

  7. To conduct surveys, as appropriate, in the areas identified above, in order to identify steps taken by countries, businesses and expert bodies.

  8. As a result of the surveys conducted, create a compendium of all relevant national and/or regional practices in this domain, including all responses and relevant information.

  9. To conduct a benchmarking study/stocktaking exercise to provide Member States with information to allow them to contrast and compare various current policies that are in implementation in ITU Member States.

  10. To consider all available information on these topics from a variety of sources, including relevant stakeholders.

  1. Use the Best Practices Report, plus other relevant material, to develop course materials on the topics identified in 2b) i)-v) above to assist in the analysis of national cybersecurity strategies and the planning of hands-on training programmes. Such course materials could be used on their own or as part of expert workshops and other forums.

  2. Based on contributions submitted, to assemble a volume of country case studies for informational purposes describing the current status of countries' cybersecurity efforts, and their cybersecurity policies.

  3. Develop a framework to be pursued and implemented under Programme 2 in BDT for increasing awareness by developing countries regarding cybersecurity, covering all levels, national, regional and international in particular:

the role of the government(s), including the national centre for cybersecurity;

the role of the intergovernmental groups for national, regional and international;

the role of the non-governmental groups for national, regional and international;

etc.

In order for the BDT to carry out a plan of action for raising awareness of cybersecurity on all levels in developing countries.

  1. this Question may take a partial role on the implementation of the new revised Resolution 45.2

3 Expected output

  1. Reports to the membership on the issues identified in section 2b) i)-v) above. The reports in question will reflect that secure information and communication networks are integral to building of the information society and to the economic and social development of all nations. Cybersecurity challenges include potential unauthorized access to, destruction of, and modification of information transmitted on ICT networks. However, the consequences of such challenges can be mitigated by increasing awareness of cybersecurity issues and sharing successful best practices employed by policy-makers and businesses and through collaborating with other stakeholders. In addition, a culture of cybersecurity can promote trust and confidence in these networks, stimulate secure usage, ensure protection of data and privacy while enhancing access and trade, and enable nations to better achieve the economic and social development benefits of the information society.

  2. Educational materials for use in workshops, seminars, etc.

4 Timing

This study is proposed to last four years, with preliminary status reports to be delivered on progress made after 12, 24, and 36 months.

5 Proposer

ITU-D Study Group 1, CITEL, Arab States.

6 Sources of input

  1. Member States and Sector Members.

  2. Relevant ITU-T and ITU-R Study Group work.

  3. Relevant outputs of international and regional organizations, including ISO and OECD.

  4. Relevant non-governmental organizations concerned with the promotion of cybersecurity and a culture of security.

  5. Surveys, online resources.

  6. Other sources, as appropriate.

7 Target audience

 

Developed countries

Developing countries3

Telecom policy makers

Yes

Yes

Telecom regulators

Yes

Yes

Service providers/ operators

Yes

Yes

Manufacturers

Yes

Yes

 

a) Target audience

National policy-makers and Sector Members, and other stakeholders involved in or responsible for cybersecurity activities, especially those from developing counties.

b) Proposed methods for the implementation of the results

The study programme focuses on gathering information and best practices. It is intended to be informative in nature and can be used to raise awareness for Member States and Sector Members of the issues of cybersecurity and to draw attention to the information, tools and best practices available, the results of which may be used in conjunction with BDT-organized seminars and workshops.

8 Proposed methods of handling the Question or issue

The Question will be addressed within a study group over a four-year study period (with submission of interim results), and will be managed by a Rapporteur and Vice-Rapporteurs. This will enable Member States and Sector Members to contribute their experiences and lessons they have learned with respect to cybersecurity.

9 Coordination

Coordination with ITU-T, in particular Study Group 17 or its successor. Given the existing level of technical expertise on the issue in ITU-T Study Group 17, all documents (questionnaires, interim reports, draft final reports, etc.) should be sent to SG 17 for comment and input prior to being submitted to the full ITU-D Study Group for comment and approval.

10 BDT Programme link

ITU-D Programme 2.

_______________________

[1] NOTE Pending approval by the WTDC Hyderabad 2010 on the proposed new resolution which encourages developing countries to create national computer incident response teams (CIRT), this Question shall assist in addressing this resolution if approved.

[2]   NOTE This clause depends on the outcome on WTDC Hyderabad revisions to Resolution 45.

[3]   This includes the least developed countries (LDCs), small island developing states (SIDS), landlocked developing countries (LLDCs) and countries with economies in transition.

Word 2007  -  Adobe PDF

___________