Speech from Dr Hamadoun I. Touré, ITU Secretary-General

Pontifical Academy of  Sciences
Cyber Conflict and Cyber Defence in the Framework of the Global Cybersecurity Agenda:
An Invitation to the Global Negotiating Table
Vatican, Rome
17 December 2008

H.E. Mons. Marcelo Sánchez Sorondo,
Ambassador Henning Wegener,
Professor Antonino Zichichi,
Ladies and Gentlemen,

I thank Professor Zichichi, His Excellency Mons. Marcelo Sánchez Sorondo. I congratulate al the laureates who received the recognition today. I know many of them have received very high recognition in the past but I believe the Erice Science for Peace Prize is a recognition of your Colleagues Scientists, hence is even more significant.

I am honoured to be with you today to discuss the critical issue of combating cybercrime and cyberterrorism. I am specially honoured to be with a panel of world well known specialists in the area, people who have a common passion in defending basis human right, the right to communicate. I have come here to discuss some of ITU’s recent activities in the field of cybersecurity, but also to put forward some ideas for reflection on how best we might combat cyber-conflict and cyber-crime and how we can strengthen our cyber-defences.

I think we all agree that the Internet is a wonderful resource. It provides access to a vast store of information at the click of a mouse. It allows us to make connections across space and time. It empowers people with disabilities, and cuts across cultural and linguistic barriers.

But with cyberspace, comes cybercrime.

Highly-organized criminal gangs are now actively targeting companies, individuals, and – increasingly – children. The dark side of the Net is home to a host of illicit activities including identify theft, fraud, illegal gambling and pornography.

Independent agencies estimate that there are over 40,000 viruses in circulation at this present time. Spyware programmes are believed to infect over 80% of all business computers. And spam, which now accounts for over 90% of all email traffic, is estimated to cost business 100 billion US dollars a year.

While many criminal activities target individuals or organizations, the borderless nature and anonymity of the Internet open the door to significant threats. Using botnets and other forms of malware, individuals or criminal groups can arm themselves with sufficient resources to launch attacks on national infrastructure that threaten the economic and even the military security of sovereign states. We’ve already seen a small-scale example of this kind of cyberterrorism in the wave of Denial of Service attacks directed at government, media and business sites in Estonia last year.

Just last week, we also saw a Commission directed by the United States Center for International and Strategic Studies declare cybersecurity to be one of the foremost national security challenges facing the US. It’s no secret that some of that country’s best-protected sites have fallen victim to cyberattacks, with hackers successfully breaking into systems at the Pentagon and the White House, as well as international organizations such as the World Bank.

Of even greater concern is how the Internet can be protected against large-scale virus attacks like the Backbone Denial-of-Service attack launched in February 2007, which hit three key servers at the very heart of the Internet.
Distinguished colleagues,

ITU recognizes the gravity of these threats, whereby a small well-organized group could wreak havoc on a system that underpins a huge range of critical services.

That’s why our 2006 Plenipotentiary Conference, with representation from the 191 sovereign nations who are ITU Member States, endorsed Resolution 130.

This Resolution stresses – and I quote:
the need to effectively confront challenges and threats resulting from the use of ICTs for purposes that are inconsistent with objectives of maintaining international stability and security and may adversely affect the integrity of the infrastructure within States, to the detriment of their security”.

Through this Resolution, we resolved to take action to prevent the abuse of ICTs for criminal and terrorist purposes, while ensuring strict respect for human rights.

In support of our role as sole Facilitator of Action Line C5 of the World Summit on the Information Society (WSIS), the Resolution also mandates ITU to take action to build confidence and security in the use of ICTs. The Internet cannot flourish as a resource for learning, as a platform for e-health, and as a global communications channel, if users lack faith in the safety and security of the online world.

The WSIS recognized that the global nature of the Internet creates worldwide threats that can only be dealt with at the global level. That’s why Paragraph 40 of the WSIS Tunis Agenda stresses the importance of the prosecution of cybercrime – including cybercrime committed in one jurisdiction, but having effects in another.

The WSIS outcomes emphasize the necessity of effective tools and actions at the international level to promote international cooperation among law enforcement agencies. They also call on governments and other stakeholders to develop the necessary legislation for the investigation and prosecution of cybercrime.

As the UN organization charged by the international community with developing an effective response to this growing menace, ITU understands the importance of presenting a united front to cybercriminals. A fragmented approach creates chinks in our defensive armour that cybercriminals and cyberterrorists are all too quick to exploit. In cyberspace, no country can hide behind its geographic borders, so any vulnerability puts us all at risk.

That’s why, in May 2007, ITU launched our Global Cybersecurity Agenda (GCA). As a framework for international cooperation and response, the GCA focuses on forging partnership and leveraging collaboration between all relevant parties in the fight against cybercrime.

To set priorities and develop clear strategies for a coordinated global approach, my first action was to convene a special High-Level Experts Group (HLEG) which brought together more than 100 top-level representatives from around the world as a thinktank to advise me.

This group comprised cybersecurity experts from national administrations, from enforcement agencies such as Interpol, from international organizations including the UN and the Council of Europe, from academic and research organizations, and from the ICT industry itself.

You may be surprised to learn that this was the first time that many of these key organizations had ever collaborated – clear evidence, I think, of the very urgent need for a global approach led by a representative and inclusive global organization like ITU.
Ladies and gentlemen,

ITU is unique among UN agencies in having both public and private sector membership. In addition to 191 Member States, we count more than 600 Sector and Associate Members – many of them corporate rivals who put aside their competitive interests to work cooperatively with us to develop new technical standards and regulations governing the equitable use of shared ICT resources.

Since the delivery of the High-Level Experts Group’s final report and proposals last month, the GCA continues to gain momentum worldwide.

As we now move from preparation to implementation, I am pleased to report that the Agenda has already won the support of leaders around the world, including the Nobel Peace Laureate, Dr Óscar Arias Sánchez, President of the Republic of Costa Rica, and President Blaise Compaoré of Burkina Faso.

In September, ITU signed a key MoU with Malaysia’s IMPACT – the International Multilateral Partnership Against Cyber-Threats – that will see IMPACT’s state-of-the-art global headquarters in Cyberjaya, Kuala Lumpur, become the physical home of the GCA.

Under the terms of the MoU, IMPACT provides a broad portfolio of services to support the GCA. Its state-of-the-art Global Response Centre has been designed to serve as the foremost cyberthreat resource centre in the world. The Centre provides the global community with a real-time aggregated early warning system that will help member countries quickly identify cyberthreats and provide critical guidance on effective counter measures.

It also provides nations with a unique electronic tool that will enable authorized cyber-experts in different countries to pool resources and collaborate with each other remotely and securely, to help the global community respond immediately to cyber-threats, especially during crisis situations.

In the area of capacity-building, IMPACT conducts high-level briefings for the benefit of representatives of ITU Member States, along with training and skills development delivered in collaboration with leading ICT companies and institutions. Such high-level, cross-industry briefings represent an unprecedented opportunity for Member States to gain invaluable information and privileged private sector insight about the latest trends, threats and emerging technologies.

IMPACT’s Centre for Security Assurance & Research works with leading ICT experts to aggregate and develop global best practice guidelines, creating international benchmarks relevant to governments around the world.

On request, the Centre is empowered to conduct independent ICT security audits for government agencies or critical infrastructure companies, such as national utility and telecommunication companies.

IMPACT’s Security Assurance Division also functions as an independent, internationally-recognized voluntary certification body for cybersecurity.

Finally, under ITU leadership, IMPACT’s Centre for Policy & International Cooperation will work with partners including UN agencies, Interpol, the Council of Europe, the OECD and others to formulate new policies on cybersecurity and help promote the harmonization of national laws relating to cyberthreats and cybercrime.

ITU’s agreement with IMPACT clearly represents a major advance in the battle to stamp out cybercrime and cyberterrorism. In the one month since ITU hosted a demonstration of the ITU GCA-IMPACT alliance, thirteen countries have approached us to become a part of this initiative, along with key industry partners and international crime fighting organizations including Interpol. In addition, ten major security companies are now working on ways of improving information-sharing as part of their early warning systems.

But the GCA does not stop there.

Because children are increasingly targeted by cybercriminals, who seek to exploit their natural affinity for technology and their vulnerability to manipulation, ITU recently launched its global Child Online Protection initiative. At ITU, we believe that children everywhere have the right to a safe environment. Even though the connection may be virtual, online dangers are very real.

Through its Child Online Protection initiative, ITU will be working with policy-makers, educators, industry, the media, NGOs, and with children themselves, to promote awareness and develop effective strategies to protect young people from the predations of cybercriminals of all kinds.
Ladies and gentlemen,

In today’s globalized, interconnected world, none of us can do it alone. More than ever, we need to work together, to build multi-stakeholder consensus on effective strategies to tackle this powerful threat.

I maintain that the best way to win a war is to avoid a war. The GCA provides a means of effectively disarming cyberterrorists, by removing their access to ‘cyber weapons of mass destruction’ and robbing them of their power to intimidate.

After an intensive one year analysis by the High Level Experts Group which brought together a number of key elements in the five work areas of the GCA, I thought it necessary to bring to your attention the idea of an international Protocol Against Cyber-Threats (or PACT).

This PACT could provide us with a clear guildeline, common code of conduct and a clear set of principles within which as a global community, we can have a foundation through which we can begin to effectively combat cyber-threats, prosecute cybercriminals and stamp out their activities. Criminals will no longer be able to hide behind legal loopholes and regulatory inconsistencies. Nations with less well-developed ICT legislation will no longer unwittingly find themselves host to nefarious online activities. And even the world’s most disadvantaged states will at last have an effective shield with which to safeguard themselves.

ITU is uniquely well-placed to serve as the broker and coordinating agency for this international Protocol. We have a long and successful history of forging multi-stakeholder consensus on globally-shared ICT resources such as satellite orbits and radiofrequency spectrum. And we are a truly globally representative body whose mandate has always been based on cooperation and partnership.

It is time for us to stand united in our determination to defeat cyber-threats. If we do not, the potential of the Internet to enrich and enhance our lives can never be fully realised. And it is my duty, as Secretary-General of the ITU, to ensure that the true benefits of ICTs are available to all. I believe that this PACT could be a key step that can help us reap the full benefits and capabilities of ICTs.

Thank you.