International Telecommunication Union   ITU
عربي  |  中文  |  Español  |  Français  |  Русский
 Advanced Search Advanced Search Site Map Contact us Print Version
Home : Office of the Secretary-General : Corporate Strategy Division : Global Cybersecurity Agenda

   Return to Main Menu                                                                                                                                                        Home    Contact


Technical and Procedural Measures

ICTs are a vital tool in information societies.  However, they continue to be exploited by malevolent users and this phenomenon is becoming intrinsically linked to organized crime on the Internet.  Vulnerabilities in software applications are purposely sought out in order to create malware that will enable unauthorized access and modification, thus compromising integrity, authenticity and confidentiality of the ICT networks and systems. With the increasing sophistication of malware, these threats cannot be overestimated and they could have dire consequences if critical information infrastructures are affected.


ITU Standardization Work

ITU’s Standardization Sector (ITU-T) holds a unique position in the field of standardization: its work brings together the private sector and governments to coordinate work and promote the harmonization of security policy and security standards on an international scale.

Standards development bodies have a vital role to play in addressing security vulnerabilities in protocols. As well as many key security Recommendations, ITU has developed overview security requirements, security guidelines for protocol authors, security specifications for IP-based systems it defines (NGN, H.323, IPCableCom, etc), guidance on how to identify cyber threats and countermeasures to mitigate risks. ITU also provides the international platform for the development of the protocols that protect current and Next-Generation Networks (NGN). ITU’s work addresses security aspects in NGN architecture, quality of service, network management, mobility, billing and payment for NGN. ITU’s work on secure communication services reviews enhancements to security specifications for mobile end-to-end data communications and considers security requirements for web services and application protocols.

In the move to Internet Protocol (IP)-based services, ITU’s H.235.x series Recommendations on “H.323 Security” defines the security infrastructure and services (including authentication and privacy) for use by the H.300-Series IP multimedia systems (such as VoIP and videoconferencing) in point-to-point and multipoint applications. The H.235.x standards provide privacy to service providers and enterprises, whilst ensuring interoperability of multimedia products. The identity of users communicating through IP media is correctly authenticated and authorized using H.235.x, protecting their communications against different critical security threats.

Real-time multimedia encryption adds a further layer of security, guarding against call interception. ITU’s J.170 “IPCablecom Security Specification” defines security requirements for IPCablecom architecture enabling cable TV operators to deliver secure two-way capability in the provision of a variety of IP services, including VoIP.

ITU’s work on security covers a broad range of activities in security from network attacks, theft or denial of service, theft of identity, eavesdropping, telebiometrics for authentication, security for emergency telecommunications and telecommunication network security requirements. ITU’s X.805 Recommendation defines the security architecture for systems providing end-to-end communications that can provide end-to-end network security. This Recommendation allows operators to pinpoint vulnerable points in a network and address them. ITU’s security framework extends this with guidelines on protection against cyber attacks.

The results of ITU’s work are evident: one of the most important security standards in use today is X.509, an ITU-developed Recommendation for electronic authentication over public networks. X.509 is the definitive reference for public-key certificates and designing applications related to public key infrastructure (PKI). The elements defined within X.509 are widely used in securing connections between web-browsers and servers to agreeing the encryption key that protects the information exchanged and providing the digital signatures that enable e-commerce transactions. Public key certificates are also used to authenticate and protect e-mail – an electronic document with a digital certificate supported by an X.509 certificate is widely recognized as the most credible form of electronic document. ITU’s work on electronic authentication has helped enable jurisdictions around the world to recognize e-mail as legal documents and to accord legal status to electronic signatures.

Recently, ITU-T X.1205 “Overview of Cybersecurity” was approved. It provides a definition of cybersecurity and a taxonomy of security threats. It discusses the nature of the cybersecurity environment and risks, possible network protection strategies, secure communications techniques and network survivability (even under attack).

Currently, all ITU study groups conduct security-related activities and review security questions as part of their work, while the telecommunication standardization sector’s Study Group 17 acts as the overall lead study group on telecommunication security and identity management. In 2002, ITU agreed to cooperate with other standards development organizations in setting standards for security, monitoring security work carried out around the world and considering best practices and effective solutions. ITU hosts a regular joint security workshop inviting non-member attendees to contribute to a roadmap for future work and coordination between other standards development organizations.


ITU-T Study Group 17

Study Group 17 is the lead study group on telecommunications security and identity management. It is responsible for studies relating to security, including cybersecurity, countering spam and identity management and handles security guidance and the coordination of security related work across all ITU-T study groups. Its role as the lead study group on work related to security was confirmed by the ITU-T World Telecommunication Standardization Assemblies (WTSA) in 2000, 2004 and 2008, in close collaboration with ISO/IEC, as a tripartite joint action. WTSA-08 added to Study Group 17 the lead study group role for identity management. Study Group 17 has approved over one hundred Recommendations on security for communications, mainly in the X series of Recommendations, either by itself, or jointly with ISO/IEC or other relevant organizations. It regularly updates the manual on “Security in telecommunications and information technology” as an overview of security issues and the deployment of ITU-T Recommendations for secure telecommunications across all ITU-T Study Groups (the third manual was issued in August 2006, the fourth edition is scheduled for publication later in 2009).

Study Group 17 also electronically publishes a Security Compendium on its website containing a catalogue of approved ITU-T Recommendations related to security and presenting an extract of security definitions from ITU-T and other sources. The role of Study Group 17 was confirmed and reinforced by various Resolutions adopted at the WTSA-08 in Johannesburg:

  • Resolution 50 on “Cybersecurity” guiding ITU-T work to build Recommendations sufficiently robust to prevent exploitation by malicious parties;

  • Resolution 52 on “Countering and combating spam”, seeking to integrate the technical means to combat spam into the work of ITU-T study groups and SG 17 Recommendations.

Study Group 17 is also working on the implementation of WTSA-08 Resolution 58 on “Encourage the creation of national Computer Incident Response Teams, particularly for developing countries”.


ICT Security Standards Roadmap promoting collaboration between international standards bodies

The Roadmap was launched by ITU Study Group 17, and became a joint effort in January 2007, when the European Network and Information Security Agency (ENISA) and the Network and Information Security Steering Group (NISSG) joined the initiative. The ICT Security Standards Roadmap promotes the development of security standards by highlighting existing standards, current work and future standards among key standards development organizations. The Roadmap informs users about security standards. It contains five parts:

Part 1: ICT Standards Development Organizations and Their Work outlines the structure of the Roadmap and describes the different standards organizations, their structure and the work they are undertaking in security standards (including ITU, ISO, IEC, IETF, OAIS, ATIS, ETSI, IEEE, 3GPP and 3GPP2), complete with links to existing glossaries of security.

Part 2: Approved ICT Security Standards provides a database summarizing the catalogue of approved standards. It contains guidance on how to use the database, a taxonomy, as well as a list of acronyms and abbreviations.

Part 3: Security standards under development summarizes standards under development by ITU and ISO/IEC (rather than existing standards). It will also describe the inter-relationships between the work of standardization bodies. This catalogue is also being developed as a database.

Part 4: Future needs and proposed new security standards will outline future areas of work in security standards, where gaps have been identified or proposals made for new standards work.

Part 5: Best practices was added to the Roadmap in May 2007, as a repository of security related best practices contributed by members and stakeholders. The Roadmap will include the work of other standards organizations in future editions. It is being transformed into a database format.


ITU Radiocommunications

Radio spectrum global frequency management is increasingly important for building confidence and security and creating an enabling environment in the use of ICTs. Wireless applications, such as 3G, are becoming an integral part of daily life, and the global use and management of frequencies require a high level of international cooperation.

ITU’s Radiocommunication Sector (ITU-R) mission is to ensure, rational, equitable, efficient and economical use of the radio-frequency spectrum by all radiocommunication services, including those using satellite orbits, and to carry out studies and adopt Recommendations on radiocommunication matters. It plays a pivotal role in facilitating complex intergovernmental negotiations needed to develop legal binding agreements between sovereign states in an increasingly ‘unwired’ world.

International radiocommunication provisions are embodied in the ITU Radio Regulations (treaty status) that incorporates the decisions of the World Radiocommunication Conferences (WRCs) and in world and regional plans adopted for different space and terrestrial services. ITU Radio Regulations agreements apply to frequencies ranging from 9 kHz to 400 GHz and include information on how radio frequency is shared around the globe.

WRCs are held every 3 to 4 years to update the international treaty governing the use of the radio-frequency spectrum (where some 40 different radio services compete for allocations for spectrum) and the geostationary-satellite and non-geostationary-satellite orbits.

ITU-R specializes in developing radio standards, including spectrum identification and harmonization applicable to national, regional and international broadband network infrastructure including the capacity to countries and their citizens for new ICT-based services through satellite systems. ITU-R ensures interference-free operations of radiocommunication systems and facilitates any new developments and the continuation of satellite services in a safe way.

Safeguarding quality of service against degradation or denial of service is vital for the secure functioning of networks in data transmission and service provision and many of the Radiocommunication Sector (ITU-R)’s latest Recommendations on generic requirements and the protection of radiocommunications against interference are relevant for security.

ITU’s work in radiocommunication standardization continues, matching the constant evolution in modern telecommunication networks. ITU established clear security principles for IMT-2000 (3G) networks (Recommendation ITU-R M.1078 and Recommendations M.1223, M.1457, M.1645 are also relevant). ITU recommended early on that the security provided by mobile broadband IMT-2000 (3G) networks should be comparable to contemporary fixed networks.  ITU has also issued recommendations on security issues in network management architecture for digital satellite systems (Recommendation ITU-R S.1250) and performance enhancements of transmission control protocol over satellite networks (Recommendation ITU-R S.1711).


IMPACT Global Response Centre

As part of the ITU’s collaboration with the International Multilateral Partnership Against Cyber Threats (IMPACT), the Global Response Centre (GRC) plays a pivotal role in realizing the GCA objective of putting technical measures in place to combat new and evolving cyber-threats. The two prime highlights of the GRC are NEWS (Network Early Warning System) and ESCAPE (Electronically Secure Collaboration Application Platform for Experts). The GRC is designed to be the foremost cyber threat resource centre in the world. Working with leading partners including academia and governments, the Centre will provide the global community with a real-time aggregated early warning system. NEWS will help countries identify cyber threats early on and provide critical guidance on what measures to take to mitigate them. The GRC will also provide ITU Member States with access to specialized tools and systems, including the recently-developed ESCAPE platform. ESCAPE is an electronic tool that enables authorized cyber-experts across different countries to pool resources and collaborate with each other remotely, yet within a secure and trusted environment. By pooling resources and expertise from many different countries on short notice, ESCAPE will enable individual nations and the global community to respond immediately to cyber-threats, especially during crisis situations.


Top - Feedback - Contact Us -  Copyright © ITU 2009 All Rights Reserved
Contact for this page : Corporate Strategy Division
Updated : 2009-06-19