Расширенный поиск

 

A. Introduction

Over the last decade, the Internet has gradually become an integral part of every aspect of our lives and it continues to increase in importance. At the moment, Internet users constitute over 40% [1] of the world’s population. Bringing the rest of the world online is one of ITU’s primary commitments. However, it is important for this to be achieved in a sustainable manner.

Despite its enormous benefits, the Internet also brings significant risks. As connectivity is expanding and we grow to be more reliant on the Internet, cyber-incidents are becoming more frequent, complex and with significant economic and social impact. Furthermore, their actors demonstrate strong adaptability in bypassing the different protection measures. In its Report on Economic Impact of Cybercrime 2013, McAfee estimated that the likely annual cost to the global economy from cybercrime is more than $455 billion. The growth of the phenomenon is further demonstrated in a number of different reports aiming to capture the global cyber-threat landscape. For example Symantec’s Internet Security Threat Report 2015 identified a 23% increase in data breaches from 2013 to 2014.

As most of the growth in the adoption of ICTs in the coming years will come from developing countries, their vulnerability to cyber-risks is also expected to come into a particular focus in the years to come.

B. Critical infrastructure in the digital era

Critical infrastructure comprises all sectors that are considered fundamental for the socio-economic well-being of a country. Critical infrastructure sectors rely on physical infrastructure such as buildings, roads, plants and pipes. Increasingly, these sectors also rely on cyberspace and the information and communication technologies (ICTs) that enable it, which is being classified as the critical information infrastructure (CII). The CII enables operation and control of the critical sectors and their physical assets. Therefore its security level is essential for building trust, as lack of confidence in the use of ICTs could hinder daily life as well as commercial and governmental operations [2].

Given the strong dependence of today’s industry on ICTs, cyberincidents have been affecting a broad range of critical infrastructure sectors, with mining, wholesale, manufacturing, utilities and public administration demonstrating the highest cyber-risk rates [3].

C. ITU and Cybersecurity [4]

ITU is the United Nations’ specialized agency for ICTs with a history of 150 years covering a broad range of communication and information technologies along the way. The security of telecommunications has always been one of the key activities of the ITU, however with the emergence and proliferation of information technologies, new risks arose that needed a more coordinated response.

At the World Summit on the Information Society (WSIS) held in 2003 and 2005, ITU was entrusted the role of the sole facilitator for WSIS Action Line C5 on “Building confidence and security in the use of ICTs” [5]. As a follow-up, ITU developed the Global Cybersecurity Agenda (GCA) in 2007, which is an international framework for cooperation in the area of cybersecurity. The GCA is built upon five strategic work areas (Legal Measures, Technical & Procedural Measures, Organizational Structures, Capacity Building, International Cooperation) that shape ITU’s work until today. ITU Member States further reinforced ITU’s role by adopting a number of resolutions pertaining to the development, as well as standardization work of the organization, specifically recognizing the risks imposed on critical infrastructure.

1. Relevant activities of the ITU Development Sector (ITU-D)

a. Providing guidance in the development of National Cybersecurity Strategies

In view of the growing risks in cyberspace and as part of its capacity building work ITU developed a National Cybersecurity Strategy Guide, focusing on the issues that countries should consider when elaborating or reviewing national cybersecurity strategies, especially with regard to the protection of critical national infrastructure.

As national capabilities, needs and threats vary, countries are recommended to use national values and interests as a basis for their strategies. The rationale behind this approach is that culture and national interests often influence the perception of risk and the relative success of defences against cyber-threats. In addition, a strategy rooted in national values is likely to gain support of stakeholders such as the judiciary and private sector [6].

The ITU National Cybersecurity Strategy Guide provides suggestions on specific actions to be undertaken by countries, in order to address general cyber-threats and protect critical national infrastructure. The Guide uses the five pillars of the Global Cybersecurity Agenda (GCA) as a starting point for governments to consider when taking appropriate measures.

b. Establishment of National Computer Incident Response Teams (CIRTs)

The growing sophistication, frequency and gravity of cyber-threats require formal frameworks and organizational structures for monitoring, warning and incident response. As explained in the ITU’s National Cybersecurity Strategy Guide, CIRTs are key elements in a country’s National Cybersecurity Strategy and the first line of defence against any potential threats that could present a hazard to a country’s critical infrastructures.

The role of a CIRT includes inter alia:
i. Provision of incident response support;
ii. Dissemination of early warnings and alerts;
iii. Facilitation of communications and information sharing among stakeholders;
iv. Development of mitigation and response strategies and coordinating incident response;
v. Data and information sharing about the incident and respective responses;
vi. Publication of best practices in incident response and prevention advice;
vii. Coordination of international cooperation on cyber-incidents.

Currently there are 102 national CIRTs worldwide. ITU has been working to fill the remaining gaps through its National CIRT programme, which provides assistance to its Member States in three stages:
i. Assessment: Evaluation of the preparedness of countries for the establishment of National Computer Incident Response Teams (CIRTs);
ii. Implementation: Assistance to countries with the planning, implementation, and operation of a CIRT, as well as capacity building on the operational and technical details;
iii. Cyber-drills: Organization of hands-on cyber-exercises in different regions in order to bring newly-established CIRTs up to speed, enhance their maturity and promote CIRT-to-CIRT cooperation.

To date (June 2015), ITU has completed assessments in 67 countries and two are still ongoing. CIRT implementations have been carried out in 11 countries, while they are still in progress in 4 countries. ITU has also organized 11 cyber-exercises, involving more than 100 countries, and more are planned every year.

c. Enhancing Cybersecurity in Least Developed Countries

As unconnected parts of the world go online, their exposure to cyber- risks becomes inevitable, together with the increased risk for them to become a source of cyber-attacks. However, at the same time they find themselves in an advantageous position as they have the opportunity to learn from more experienced countries and equip themselves with the necessary tools at an early stage.

ITU’s project on “Enhancing Cybersecurity in Least Developed Countries (LDCs)” focuses on assisting LDCs to enhance their capabilities, capacity, readiness, skills and knowledge in the area of cybersecurity. Apart from human capacity building, the project is also geared towards providing the appropriate enabling technologies and related tools to assist LDCs in carrying out activities with regard to securing their cyberspace.

The project, which involves a total of 49 countries, has to date (June 2015) been implemented in four countries, and is at different stages of planning/implementation in 15 more countries.

d. The Global Cybersecurity Index (GCI)

Gaps in national cybersecurity efforts imply strong risks for crucial components of the country’s vital supply networks (water, electricity, telecommunications, banking etc) and thus social and economic stability. Furthermore a country’s weak response mechanisms to cyberthreats can actually be exploited by threat actors in order to launch attacks against further countries. ITU is leading the Global Cybersecurity Index (GCI) project to measure the commitment of countries to cybersecurity in the five main areas of the Global Cybersecurity Agenda: legal, technical, organizational, capacity building, and national and international cooperation.

The overall aim of the GCI initiative is to help countries identify areas for improvement in the field of cybersecurity, as well as motivate them to take action to improve their ranking, thus helping raise the overall level of cybersecurity worldwide. Through the collected information, the GCI initiative illustrates the practices of others, so that countries can implement selected aspects suitable to their national environment, with the objective to harmonize practices and foster a global culture of cybersecurity.

The 2014 GCI results have been published together with a collection of Cyberwellness profiles [7], which are living and factual representations of measures undertaken or planned at country level to enhance cybersecurity. The purpose of this exercise is to enable countries to better assess their cybersecurity readiness and learn from their peers. The next iteration of the GCI is currently being elaborated and will encompass more partners, a wider scope and more consultations with all stakeholders.

2. Relevant activities of the ITU Standardization Sector (ITU-T)

ITU’s standardization sector contributes to the development of critical standards that enable the creation of more secure and robust ICT devices. ITU-T Study Group 17 on Security facilitates intensive work on technical standardization among industry, government administrations, academia and research establishments, as well as other entities, such as partner Standard Development Organizations (SDOs), Forums and Consortia. This enables building international consensus on the various cybersecurity standards.

ITU-T Study Group 17 has produced over 330 Recommendations, many of which are related to cybersecurity. Topics on the cybersecurity standardization agenda have included: cybersecurity, cloud computing security, online analytics, Internet-of-Things security, smart-grid security, software-defined networking security, mobile security, Intelligent Transportation System security, anti-spam technical measures, identity management, privacy/PII, public-key infrastructure, security architecture, information security management, telebiometrics, secure e-mail, and application security.

3. Partnerships and Cooperation

Bearing in mind that the multifaceted nature of cyber-attacks requires specialized knowledge and action at different levels (both virtual and physical), it is clear that cybersecurity cannot be achieved through the efforts of one actor alone. In this respect, ITU has been collaborating closely with a number of other intergovernmental organizations, private companies and academia to provide expert assistance to its Membership with regard to cybersecurity. Some examples include:

a. Global Forum on Cyber Expertise (GFCE)

During the Global Conference on Cyberspace (GCCS) held in The Hague, Netherlands on 16–17 April 2015, the Global Forum on Cyber Expertise (GFCE) was launched. This forum comprises 42 Founding Members, including ITU. Some 15 cooperation initiatives were launched within the framework of the GFCE, with ITU being the co-initiator of the “CSIRT Maturity Initiative”, along with the Netherlands, Organization of American States (OAS) and Microsoft.

The objective of the Cyber Security CSIRT Maturity Initiative is to provide a platform to GFCE members to help emerging and existing Computer Security Incident Response Teams (CSIRTs) to increase their maturity level.

b. Dissemination of cyber-threat reports to the ITU Membership

In line with its long tradition of public-private partnership, ITU has been collaborating with Symantec and Trend Micro on the provision of regular cyber-threat reports to its Member States, thus enhancing awareness on the current cybersecurity landscape and allowing countries to take proper measures.

c. UN-wide cooperation mechanisms

In November 2013, a UN-wide framework on Cybersecurity and Cybercrime was endorsed by the United Nations Chief Executives Board (CEB). This framework was developed by 35 UN agencies and bodies over the course of three years, with ITU and the United Nations Office on Drugs and Crime (UNODC) leading the coordination of the effort. The document aims to facilitate enhanced coordination among United Nations (UN) entities, in their response to concerns of Member States regarding cybersecurity and cybercrime, based on their respective roles and mandates.

Following a request by the United Nations Secretary-General, Mr. Ban Ki-moon, and building on the endorsed UN-wide framework on Cybersecurity and Cybercrime, a UN System Internal Coordination Plan on Cybersecurity and Cybercrime was formulated with the contribution of the entire UN System in 2014. This plan is designed to guide internal coordination activities of the UN system organizations in the area of cybersecurity and cybercrime.

d. Conclusion — Need for a Multi-layered approach

In order for the world to achieve an effective level of cybersecurity, it is necessary to apply a multi-layered response to cyber-challenges. This translates into a focus of action at the country level through the elaboration and implementation of effective national strategies, policies and legislation, development of the necessary response capabilities, as well as country-level capacity building and training. Such measures, however, need to be complemented by the harmonization of legislation and learning from best practices at the regional level, as well as international cooperation frameworks and exchange of information at the international level.

ITU is committed to provide all necessary assistance to countries in order to achieve a harmonized and effective cybersecurity environment, which would properly manage the risks involved in the use of ICTs and allow the national economies to grow, deprived, as much as possible, of the constant threat of cyber-challenges.

 

[1] See ITU’s ICT Facts and Figures, 2015 Edition
[2] See the ITU National Cybersecurity Strategy Guide (2011)
[3] See Symantec Internet Security Threat Report, Volume 20, April 2015
[4] For updated information on ITU’s cybersecurity activities visit the ITU website:
www.itu.int/cybersecurity
[5] See Geneva Plan of Action (2003)
[6] See the ITU National Cybersecurity Strategy Guide (2011)
[7] See ITU Website: http://www.itu.int/en/ITU-D/Cybersecurity/Pages/GCI.aspx

Tomas Lamanauskas,
Despoina Sareidaki,
Preetam Maloor,
International Telecommunication Union

This speech was delivered at the 11th Scientific conference of the International Research Consortium on Information Security, as part of the International Forum on «Partnership of state authorities, civil society and business community in ensuring international information security», held on 20-23 April 2015 in Garmisch-Partenkirchen, Germany. It is published on Digital.Report with an explicit permission from the conference organizers.

Об авторе

Tomas Lamanauskas

Heads the Corporate Strategy Division at the International Telecommunication Union, the United Nations specialized agency for information and communication technologies. His extensive ICT policy and regulatory experience includes positions of Deputy General Director, Board Member and CEO of telecommunications regulators in the Caribbean, Middle East and Europe. He also acted as Government Advisor on ICT policies in the Pacific. Mr. Lamanauskas earlier career also includes positions as legal adviser (and Head of Legal) on matters related to telecommunications regulation both in public and private sectors.

Написать ответ

Send this to a friend

Перейти к верхней панели