Session 1: Introduction and opening comments
Arkadiy Kremer, Chairman of ITU-T Study Group 17
Good afternoon Ladies and Gentlemen,
It is my pleasure to welcome you to this ITU-T Security Workshop “Addressing
security challenges on a global space” which is focused on how the ITU and
other standard-development organizations address the main challenges of
information and communication security.
First of all, I would like to express our gratitude to the TSB Director
Malcolm Johnson for his insightful remarks and kind words about the SG 17.
Over the last 20 years, consumers, businesses and governments around the
world have moved online to conduct business, and access and share the
information. This shift to the digital world has revolutionized personal
interactions, education, commerce, government, healthcare, communications,
science, entertainment and the arts, etc. It has delivered unprecedented
efficiencies, and it will continue to yield immense benefits to our global
society. However, as opportunities expand, so do the number of risks.
Consumers, businesses and governments face a variety of online threats,
which can undermine trust in the digital environment - the single greatest
platform for commerce and sharing information. The freedom of expression and
the free flow of information, ideas and knowledge are essential for today’s
information society and beneficial to its development. That is why,
confidence and security while using the ICT are among the main pillars of
the information society. It is about secure communication between people,
devices, computers, and machines interacting with each other: “always
connected, any device, anywhere, anytime”.
The initial development of the ICT infrastructure architecture has been
driven more by considerations of interoperability and efficiency rather than
security. It is therefore the fundamental responsibility of each security
expert to address strategic vulnerabilities in the ICT infrastructure, to
build security as an essential part of ICT infrastructure. There were a number
of very interesting and important discussions on security as an essential
part of the ICT infrastructure during the ITU Plenipotentiary Conference
2010. The main results are published in the amended Resolution 130
“Strengthening the role of the ITU in building confidence and security in
the use of ICT” and in the new Resolution 181 “Definitions and terminology
relating to building confidence and security in the use of ICT”. We need to
use these two Resolutions as the strategic guidelines.
From a security standpoint, ICT continues to face continued, persistent and
new and innovative challenges. Many, possibly most, attacks rely on
telecommunications as the conduit.
Attacks are motivated by one or more of the following:
- Dishonesty (e.g. theft of goods, services, identities etc);
- Economic considerations (cyber espionage or attacks on competing interests);
- Political/military considerations (e.g. cyber espionage and warfare);
- Malice (e.g. disgruntled employees);
- Rowdiness, disruptive behavior.
National laws are oftentimes inadequate to protect against attacks. They are
insufficient from the timing perspective (i.e. laws cannot keep up with the
pace of technological change), and, since attacks are often transnational,
national laws may well be inapplicable anyway. What this means is that the
defenses must be largely technical, procedural and administrative i.e. those
that can be addressed in standards.
The ITU-T (and the SG 17, in particular) is addressing a serious and
persistent problem that is not going to dissolve. It is an accepted good
practice that security should be “built-in” into products, applications and
services, rather than retrofitted. In order to ensure consistency in the
design and application of security countermeasures, we need standards, and
those standards must be effective i.e. they must adequately address and
counter the threats. The development of standards in an open forum that
comprises international specialists from a wide variety of environments and
backgrounds provides the best possible opportunity to ensure relevant,
complete and effective standards. SG 17 provides the environment in which
such standards can be, and are being, developed.
The primary challenges are the time it takes to develop a standard (compared
to the speed of technological change and the emergence of new threats) and
the shortage of skilled and available resources. We must work quickly to
respond to the rapidly-evolving technical and threat environment but we must
also ensure that the standards we produce are given sufficient consideration
and review to ensure that they are complete and effective. The resource
shortage problem can be addressed by:
- Avoiding duplication of effort and competing standards;
- Collaborating to the maximum practical extent with other SDOs and industry consortia; and
- Ensuring that the available resources are focused on issues of the
greatest potential impact and the highest priority (i.e. avoid dissipating
resources on narrowly-focused topics and the development of standards that
may never be used).
We must recognize and respect the differences in developing countries'
respective environments: their telecom infrastructures may be at different
levels of development from those of the developed countries; their ability
to participate in, and contribute directly to the security standards work
may be limited by economic and other considerations; and their needs and
priorities may be quite different. Most of the security threats we see today
are directed against the technologically-developed countries and the
economic giants. Although it is critical that we press ahead with developing
high-priority countermeasures to the potential attacks that threaten our
societies and economies, we must be careful to avoid confusing the needs and
priorities of the developing countries with those of the developed states.
The ITU-T can help the developing countries by fostering awareness of the
work we are doing (and why we are doing it), by encouraging participation in
the work particularly via the electronic communication facilities now being
used (e.g. Web based meetings and teleconferencing), and, most particularly,
by encouraging the members from the developing countries to articulate their
concerns and priorities regarding the ICT security. The members from the
developed nations should not confuse their own needs with those of the
developing countries, nor should they make assumptions about what the needs
and priorities of the developing countries may be.
If ITU-T is going to be generally regarded as “the place” to develop and
publish security standards, it is essential to get the priorities right and
to demonstrate our ability to deliver timely, relevant and effective
standards. Our future credibility depends on this. There are a few areas that
will be particularly important in the near future for developing ICT
infrastructure and building confidence and security for it. They are
IP-communications and IP-services, IdM and personal digital identity, cloud
computing and smart grid, information critical infrastructure protection,
emergency and disaster information and relief systems and of course big
multimedia information public screens. All these issues are under the
responsibility of the ITU in accordance with the WSIS Action Line C2 and C5.
However, there is extensive work already underway on these topics at
national and international levels. The ITU-T will need to identify those
particular sub-areas it is best equipped to address and then demonstrate
that it can lead the work in these areas and produce timely results that
have the support of the other participants in this work.
For on-going credibility, we need performance measures that provide some
indication of the effectiveness of our standards. In the past there has been
too much focus on quantity (i.e. how many standards are produced) than on
the quality and effectiveness of the work. Going forward, we really need to
know which standards are being used (and which are not being used), how
widely they are used, and how effective they are. This is not going to be
easy to determine but it would do much more to the ITU-T’s credibility if it
could demonstrate the value and effectiveness of standards that have been
developed rather than simply saying “we produced X number of standards”. The
number of standards produced is irrelevant: what counts is the impact they
have.
During these two days we will discuss very practical issues on the ICT
industry perspectives, Identity and privacy in ICT, ICT and cloud security,
Creation of national ICT security infrastructure for developing countries,
Global Cyber security exchange framework, Telebiometrics technology,
applications, benefits and standardization, SDOs activity and collaboration
in ICT security. We kindly invite all workshop participants to take part in
the reception this evening. I would like to use this opportunity to thank
all our distinguished speakers, panelists, session chairs, program committee
members, TSB staff (and especially Judith) for their hard efforts in
preparing this workshop. I would like to wish all of us a very interesting
and productive discussion, new ideas and new collaboration.
Thank you very much for your attention.