
CREATING TRUST IN CRITICAL NETWORK INFRASTRUCTURES
Just how secure are our networks?

World Cup 2002 is in its quarter-final stage as we
write these lines. It is an exciting moment for those who win, and their fans.
The World Cup is probably the biggest single global media event, with billions
watching on television, listening to the radio, or following the results on the
Internet. In the two host countries for World Cup 2002, the Republic of Korea
and Japan, the main concern before and during that event is for physical
security.
For football fans around the world, the
main concern must surely be the reliability of the networks that broadcast the
World Cup so that they can share in those moments of emotion, great joy, or
disappointment.
“As more and more information is
exchanged over electronic networks, they become an increasingly interesting
target for malicious intrusions. On the Internet, viruses and denial of service
attacks are becoming more common and virulent every day. As mobile phones become
a key means of communicating, they are also vulnerable to eavesdropping,” ITU
Secretary-General, Yoshio Utsumi, told participants at an ITU Strategic Planning
Workshop, held in Seoul at the invitation of the Government of the Republic of
Korea.
“Creating Trust in Critical Network
Infrastructures” was the topic of the Seoul meeting (20–22 May 2002),
which marked the eighth in a series of expert workshops carried out under the
ITU New Initiatives Programme* that has been running since 1999.
The event was intended to complement a
technical workshop on “Network Security”, also held in Seoul a week earlier
by the ITU Telecommunication Standardization Sector (ITU–T). ITU has
considerable technical expertise in many of the areas concerned by the security
of info-communication networks, such as traditional telephone networks, mobile
telephony and IP technology, as well as broadcasting networks.
Holding workshops away from ITU’s
Geneva headquarters, at the invitation of Member States, brings ITU closer to
the direct interests of its membership. The main objective of this Strategic
Planning Workshop was to provide a forum for both Member States and the private
sector to discuss the protection of critical network infrastructures from policy
and regulatory perspectives. A further aim was to promote the international
exchange of views and information, as well as to share experiences
internationally.
* One of the main objectives of the ITU
New Initiatives Programme is to advise the Secretary-General on new topics of a
regulatory, policy or other nature of high current interest, which cut across
the work of the ITU Sectors, with a view to possible inclusion of these topics
in the regular work programme of the Union. This work is reported on annually to
the ITU Council, the Union’s governing body. The topics of the workshops are
selected by the Secretary-General in consultation with Member States and Sector
Members.
Recent events have covered the topics
of multilingual domain names, Internet diffusion, IP connectivity and the
licensing of third-generation mobile communication systems. This work has been
supported by voluntary contributions, for instance from the Ministry of
Information and Communication of the Republic of Korea and from the Ministry of
Public Management, Home Affairs, Posts and Telecommunications of Japan. This
assistance has enabled ITU to commission research and to create forums for its
membership to examine issues of high current international policy interest.
Mr Utsumi remarked that the global
reach of communication networks had resulted in a huge increase in cybercrimes
of an international nature. “Vandals and criminals are no longer restricted to
a single geographic location. A hacker in one country can attack a network in
another country, using tools — such as user accounts — from a third country.
To counter such international threats to our information security, greater
international coordination and cooperation is needed”, he remarked.

Mr Utsumi went on to explain that the
longer-established telecommunication community “has long had to deal with
these issues” and that “generally, there are reliable security standards and
procedures already in place”. He added: “The Internet, however, has gone
through a less formal growth process. When problems occur in the infrastructure
underlying critical applications, the Internet’s vulnerabilities are made
evident. Similarly, as mobile networks are increasingly used for data
communications as well as voice, a whole new set of security issues is arising.”
Seung Taik Yang, Minister of
Information and Communication (Republic of Korea), remarked that the tremendous
benefits of the Internet we are enjoying come at a price. “We are experiencing
a rapid increase in spam mails, hacking and computer viruses brought into our
lives through informatization. What is more serious is that the hostile
cyberattacks on our critical network infrastructure are not only threatening the
social and economic stability, but are also putting national security in danger,”
he said.
[Photo, ITU 020109/Yong-Hwan Lee, TTA. From left to right: Seung Taik Yang, Minister of Information and Communication, Republic of Korea; and Professor Deborah Hurley of the Harvard University Information Infrastructure Project (United States) chairing the ITU Strategic Planning Workshop.]
“Nations worldwide, aware of the
seriousness of these problems, have been making a significant effort to enact
laws and regulation, and to develop technologies in order to protect themselves
from this cyberterrorism,” he told participants, adding that the Republic of
Korea was no exception.
Indeed, the Republic of Korea has
enacted the “Information Communication Infrastructure Protection Act”, which
requires mandatory protection measures for the critical network infrastructure
as designated by the government. It has also established an “Anti-Hacking and
Virus Reporting Centre”, where incidents of hacking and viruses can be
reported round-the-clock.
“But such attacks in cyberspace often
go beyond nations’ boundaries and that is why, on top of the unilateral effort
by each nation to counter cyberterrorism, nations should also put a top priority
to a cooperative effort such as joint development of information security
technologies and sharing information gained through experience. In this sense,
it is obvious that international cooperation is one of the most effective ways
to solve such a problem,” added the Minister.
Some 70 security experts participated
in the workshop, acting in an individual capacity, including representatives of
a range of regulatory and policy-making agencies, public telecommunication
operators, private sector bodies, academic institutions and others. Professor
Deborah Hurley of the Harvard University Information Infrastructure Project
(United States) chaired the workshop.
What exactly do we mean by critical network infrastructures?
For the purposes of the workshop,
critical network infrastructures were defined as those networks, public or
private, capable of transporting large quantities of data across international
borders and which carry information relevant to national security and safety or
information of high financial value.
Where are the weak links?
Some of the questions posed for the
workshop included:
- Is there anything about the architecture of the Internet that makes it more or less vulnerable when compared to other info-communication networks? Where are the weak links?
- If vulnerabilities continue to emerge, what are the costs in terms of users’ loss of confidence?
- How do we increase global awareness of the issues?
- Do we need active global security monitoring?
- Is securing network infrastructure a technology or policy problem — or a combination of both?
- Do we need an integrated risk management strategy involving prevention, detection, monitoring and response? If so, what are the respective roles of the private sector and government?
- In a world of intertwined global networks, is there a need for a coordinated, sustained and institutionalized approach to protecting critical network infrastructure?
- How can ITU help its membership in gaining access to the information required to respond to these challenges?
Three background issues documents were
prepared in advance and were presented and discussed during the workshop. These
dealt with:
In addition, a number of country case
studies were commissioned, covering Brazil, Canada, the Republic of Korea and
the Netherlands**. These were discussed along with the experiences of other
countries and regional groups, notably India, Japan, Kenya, Malaysia and the
Association of South East Asian Nations (ASEAN).
The Chairman’s Report and the POLICY AND STRATEGY TRENDS
highlight the discussions and conclusions of the workshop.
** These case studies are available on the ITU website: