An increasingly connected world may, if left insecure, become a highly vulnerable one. As ITU has frequently pointed out, cybersecurity could be the biggest challenge in the online world of the future. As communications networks and services have proliferated, so has the potential for abuse. Insecurities and vulnerabilities in networks and services expose users to unexpected threats: identity theft, cybercrime, spam, malware, online trafficking, exploitation and harm to children and other at-risk groups.

The potential also exists for increasingly serious and high level threats including cyberterrorism and cybercrime. As a critical infrastructure, disruption of ICT can mean catastrophic nationwide disruption of essential services.  Across this spectrum, there are common factors:  cyberthreats are a risk to everyone, everywhere. They know no borders, and even the best-protected countries have proved themselves vulnerable. What’s more, crimes and attacks can be committed in one country – or even several countries simultaneously – while the perpetrator is somewhere else entirely.

ITU has been at the forefront of providing technical and policy solutions to combat cybersecurity problems, and has been formally mandated to do so through its work in the World Summit on the Information Society (WSIS). ITU has responsibility for three Action Lines under the WSIS outcome documents, with sole facilitation for Action Line C2 – ICT infrastructure, and Action Line C5 – building confidence and security in ICTs.

This status – together with the unique position of being intergovernmental, but multi-stakeholder and competent in evaluating the technical relationships involved– has given ITU special, high level responsibilities. ITU was explicitly tasked by the ITU Plenipotentiary Conference in Antalya (PP-06) ¹ to take ‘all necessary measures’ to curb security problems in cyberspace to satisfy these Action Lines, in addition to specific responsibilities under its own Strategic Plan. ITU was asked to give cybersecurity initiatives a ‘high priority’ by the Plenipotentiary resolution, while a complementary PP-06 resolution instructed the ITU to develop a set of commonly agreed definitions.

Implementation work within ITU to meet these requirements has been vigorous. ITU has responded with a targeted combination of top-down/bottom-up initiatives, because although the problem is global, many solutions are necessarily local ones.

As its overall strategy, in the high level international policymaking sphere, ITU has developed The Global Cybersecurity Agenda (GCA), an international framework for co-operation. The GCA is built on five strategic pillars, known as work areas, including the development of legal measures, technical and procedural measures, organizational structures, capacity building, and international co-operation.
Within the GCA framework, to provide concrete global solutions and be operationally viable, ITU is currently coordinating two main initiatives:

• Collaboration with IMPACT, the International Partnership Against Cyber Threats, to facilitate the deployment of technical and information resources and toolkits to combat emerging problems to all ITU Member States. The IMPACT Global Response Centre (GRC) is configured to operationalize the GCA goals of putting the technical measures in place to combat cyberthreats, and is positioning itself to be the foremost cyberthreat resource centre in the world. Currently, around 60 countries are part of the collaboration.
  
  
• The Child Online Protection (COP) initiative. Part of the GCA, COP is designed to identify risks and vulnerabilities to children in cyberspace, create awareness, share resources and develop practical tools to help minimize risk. More than 20 international partners from governments, the private sector, civil society and international organizations are working together to achieve the COP goals.

The ITU is also able to bring technical expertise and special focus to cybersecurity issues through its three Sectors, with increased coordination in this area stipulated as part of the Union’s Strategic Plan. ITU has developed security Recommendations for IP and NGN standards, and all ITU Study Groups now routinely review security related questions as part of their work, specifically with ITU-T Study Group 17 acting as the lead study group on telecommunications security and identity management. Study Group 17’s work in the area of cybersecurity was also further strengthened by Resolutions adopted at the World Telecommunication Standardization Assembly 2008 ².

In the wireless space, ITU has ensured clear security principles for 3G and satellite service operation.

In development, ITU-D has provided substantial capacity building resources such as the ITU National Cybersecurity/CIIP Self-Assessment Tool to enable Member States to design their own national approach to cybersecurity and critical information infrastructure protection. ITU has also provided a guidelines toolkit to raise cyberthreat awareness among users, especially in developing countries.

Going further will require increasing international consensus, because cybersecurity exposes another challenge: there are few internationally-agreed definitions of what constitutes criminality in cyberspace. Put simply, there is a startling lack of international harmonization regarding cybercrime legislation. Definitions and legal structures – if they exist – may be quite different from jurisdiction to jurisdiction. As part of the GCA, ITU engaged a multidisciplinary group of experts and developed a toolkit to provide countries with sample legislative and reference material that could assist in developing a harmonized legal framework for cybersecurity. But with so much diverse national legislation implicated, the task is monumental.

Cultural issues are also evident in the relationship of security to privacy and to freedom of expression – and these may be in frequent contention. “The bigger picture is that cybersecurity ultimately means you are dealing with content, and that potentially politicizes the entire subject,” says ITU Secretary-General Dr Hamadoun Touré.

ITU, under the leadership of Dr Touré, has forged the beginnings of international consensus using the protection of children as a starting point and template that could be replicated for other cybersecurity-related initiatives. ITU’s 2010 Plenipotentiary Conference will examine the desirability of further international consensus and commitment to fight cybercrime.