BUILDING THE INFORMATION SOCIETY

Document ALC5/2007/
Meeting Report v2.0
17 May 2007

2nd Facilitation Meeting for WSIS Action Line C5: Building confidence and security in the use of ICTs
Original: English

Meeting Report: 2nd Facilitation Meeting for WSIS Action Line C5

ITU Headquarters, Geneva, 14-15 May 2007

Please send any comments you may have on the meeting report to cybersecurity(at)itu.int

Purpose of this Report

1. The Tunis Phase of the World Summit on the Information Society (WSIS) has nominated the International Telecommunication Union (ITU) as the facilitator for Action Line C5, dedicated to Building Confidence and Security in the Use of Information and Communication Technologies (ICTs). The first C5 facilitation meeting was held in Geneva on 15-16 May 2006. The second C5 facilitation meeting was held during the cluster of WSIS-related meetings taking place between 14-25 May in Geneva. Some 120 people, from different WSIS stakeholder groups, participated in the meeting, which was held on 14-15 May 2007 at ITU Headquarters in Geneva. Full documentation for the meeting, including the final agenda, all presentations, meeting contributions and audio archives, is available on the event website at www.itu.int/osg/spu/cybersecurity/pgc/2007/events/index.phtml. This Meeting Report summarizes the discussions throughout the two days, presents the main proposals for a way forward in WSIS C5 facilitation, and provides a high-level overview of the sessions and speaker presentations.
Second Facilitation Meeting for WSIS Action Line C5 on 14-15 May 2007

Session 1: Meeting Opening and Welcome

2. The second facilitation meeting for WSIS Action Line C5 was opened by ITU Secretary-General Dr. Hamadoun I. Touré, who invited the meeting participants to focus on the issue of international cooperation in the field of cybersecurity, including helping young people (the focus of World Information Society Day 2007) to make more responsible use of ICTs. He announced his intention to launch, later in the week, a new initiative, the Global Cybersecurity Agenda (GCA), a framework for international cooperation in cybersecurity.

3. Professor Seymour Goodman, Georgia Institute of Technology, United States, was nominated as chairperson of the meeting. He noted that the mandate given by WSIS to ITU in the field of cybersecurity is quite unique in its ability to bring all relevant stakeholders from around the world together. He invited all speakers at the meeting to focus on solutions, to provide encouraging examples of practical actions being taken to make cyberspace a safer place, and to show how these might be transferred and scaled to the international arena.

Session 2: The Changing Cybersecurity Threat Environment and Innovative Solutions
WSIS Action Line C5: Building trust and confidence in the use of ICTs
1/12
4. As data networks across the world transition from narrowband to broadband, the nature of the cybersecurity threat is changing. Longstanding concerns, such as viruses and spam, are being reinforced by new threats, such as botnets and phishing. Technological change is both part of the problem and the hope for a solution, but there is a constant struggle to keep ahead of criminals, on the one hand, and careless users on the other.

5. Mr. Mark Sunner, Chief Security Analyst, MessageLabs, United Kingdom, gave the first keynote address, providing an overview of the changing nature of the threat to cybersecurity. As of April 2007, roughly three in every four emails are spam. Furthermore, 1 in every 145 carries a virus and 1 in every 416 is a phishing attack. Mr. Sunner mentioned that one new development is the spread of so-called "spamthru trojans". They represent a new level of sophistication among the spammer community because they use mini peer-to-peer networks (offering redundancy), offer their own "anti-virus" capability and use embedded image messages (rather than text, which can be more easily identified), for instance for hyping the value of penny stocks. Phishing represents another sinister development, which is being spread through social networking sites. Phishing messages are spam that purport to come from a respected organization (e.g., banks, auction sites) and as such are harder to recognize as fraudulent. MessageLabs predicts a continuing rise in the volume of spam, probably based on variants of the spamthru trojan. For this reason, it would be better to move the locus of spam interception from the endpoint to the ISP (i.e., interception within the network).

6. Mr. Gregoire Ribordy, co-founder of ID Quantique, Switzerland, in the second keynote address, looked at the security of today's networks, in particular those based on optical fibre. It was originally believed that optical fibres were intrinsically secure because light could not leak out. In reality, however, if the fibre is bent, a few percent of the light can be tapped; hence the requirement for encryption. Traditional cryptography relies on ever-increasing key lengths. An alternative approach can be based on quantum physics, built on analysis of the microscopic world. Mr. Ribordy proposed a system of quantum key distribution, which would be appropriate for high-value, critical applications. A pilot programme is being developed under the EU-funded SECOQC project, in Austria's Vienna region, for completion in 2008.
Session 3: Partnerships for Global Cybersecurity – Framework for WSIS Action Line C5 and Update on Activities

7. Session 3 of the meeting, facilitated by Mr. Alexander Ntoko, ITU Strategy and Policy Advisor and ITU focal point for WSIS Action Line C5, introduced the work that had been carried out on the action line and the documents made available for the meeting. The documentation includes:

- The meeting agenda, which is structured according to the four focus areas agreed at the 2006 facilitation meeting (document ALC5/2007/02);
- The draft terms of reference for the C5 multi-stakeholder team (document ALC5/2007/03), which covers both the mandate for C5 from the WSIS Plan of Action and the proposed terms of reference of the facilitation team;
- Information on how the C5 speed exchanges will be conducted (document ALC5/2007/04);
- ITU Resolution 130 (Antalya, 2006) on "Strengthening the role of ITU in building confidence and security in the use of ICTs" (document ALC5/2007/05).

8. Mr. Robert Shaw, Head of the ICT Applications and Cybersecurity Division in ITU's Development Sector (ITU-D), introduced the activities being carried out in ITU-D in implementation of Action Line C5. This work includes both work within ITU-D Study Groups and the work in implementing Programme 3 of the Doha Action Plan. A rapporteur's group meeting on Question 22/1 was held on 30 April-1 May 2007, and this will be followed up with a meeting on national strategies on cybersecurity, with speakers from the United States and the European Union, to be held on 17 September 2007, followed by the rapporteur's group meeting on 18 September 2007.
9. Mr. Georges Sebek, Counsellor for ITU-T Study Group 17, presented the work of this Study Group, which covers security, telecommunications and software languages. Working Party 2 of this Study Group deals with telecommunication security and its work is wide-ranging, from security management (Q7/17) to telebiometrics (Q8/17) to countering spam by technical means (Q17/17). Recently approved security Recommendations include X.509 (which provides the basis for security in the open systems interconnection model) and Y.2701 on security requirements for NGN Release 1 (from ITU-T Study Group 13). Work is currently underway on 49 separate draft Recommendations, plus a further six in ITU-T SG 13. ITU-T also works closely with other bodies, notably the Internet Engineering Task Force (IETF), the American National Standards Institute (ANSI), the World Standards Cooperation, the Global Standards Collaboration, the ISO/IEC/ITU-T Strategic Advisory Group on Security, etc. A roadmap for ICT security standards has been published on the ITU website for comments.

10. In the following discussions, a representative from the Syrian Arab Republic expressed disappointment in ITU-D's work, which should be more practical in offering assistance in this field to developing countries. Building websites and exchanging information on the related topics is not enough. Syria, on behalf of the Arab States, would like to see a single project developed in ITU-D on cybersecurity, in collaboration with ITU-D Study Question 22/1, and in accordance with both WTDC Resolution 45 and ITU Plenipotentiary Resolution 130 (Antalya, 2006). A representative from Argentina also emphasized the need for regional initiatives on cybersecurity. One of the meeting speakers, Mr. Richard Cox, Spamhaus, emphasized the need to get different silos (e.g., telecoms, Internet, governments) to work together on an integrated approach to cybersecurity. Mr. Shaw pointed to the upcoming ITU/UNODC/CoE workshop (28-31 August 2007) in Hanoi, Vietnam, which will attempt to bridge the divide between these silos. It will also require bringing together work being done in different agencies. Another speaker, Mr. Suresh Ramasubramanian, Outblaze, India, emphasised the need to move from words to action and to focus on implementation. A representative from the United States referenced the draft cybersecurity primer for developing countries that has been adopted in connection with ITU-D Study Question 22/1, noting that it provides step-by-step, practical suggestions for addressing many aspects of cybersecurity. Mr. Ntoko agreed with the need to move towards practical solutions to avoid "losing the war" in cybersecurity. Mr. Cox noted that, in the space of a few months, the number of new zombie botnets detected has increased from 700'000 to over a million. Only the ITU membership can address problems of this magnitude. Furthermore, the speakers noted that a solution to the problem must also be addressed by service providers worldwide.
Session 4: PGC Focus Area – National Strategies

11. At the start of the 21st century, modern societies have a growing dependency on information and communication technologies (ICTs) which are globally interconnected. With these growing dependencies, however, new threats to information and network security have emerged. There is a growing misuse of electronic networks for criminal purposes or for objectives that can adversely affect the integrity of critical infrastructures within states. To address these threats and to protect these infrastructures, a coordinated national strategy and action plan is required, combined with regional and international cooperation. Session 4, moderated by Professor Seymour Goodman, discussed different national approaches to cybersecurity and critical information infrastructure protection (CIIP).

12. The session was opened by Mr. Manuel Suter, Research Fellow at the Center for Security Studies (CSS) at ETH Zurich, Switzerland, who presented the background paper prepared for the meeting on "A generic national framework for critical infrastructure protection". The generic framework is an amalgamation of existing national models, but quite closely resembles the Swiss model, which has proven to be effective. The paper sets out a four-pillar model: 1. Prevention and early warning; 2. Detection; 3. Reaction; and 4. Crisis management. It is proposed that each government consider establishing a national Critical Information Infrastructure Protection (CIIP) unit, with a minimum of ten staff. The unit will need to interact, at the national level, with a customer base that may be "closed" (e.g., operators of specific elements of critical infrastructure) or "open" (e.g., users of critical infrastructure).
13. Ms. Audrey Plonk, Information Security and Privacy, Organisation for Economic Co-operation and Development (OECD), presented the work of the OECD Working Party on Information Security and Privacy (WPISP). Case studies of Critical Information Infrastructure Protection (CIIP) for four countries have been carried out to date, and the plan is now to extend this to three other volunteer countries in 2007. The 2006 report, which is available on the OECD website, finds that there are many common elements of approach to CIIP between countries and that information-sharing is an essential element.

14. Ms. Diana Korsakaite, Deputy Director of the Communications Regulatory Authority of Lithuania, presented a national case study. The first national survey in Lithuania was carried out in 2004. Around 52 per cent of businesses surveyed had experienced disruption in their service offerings to customers as a result of viruses and spam. However, the legal system in Lithuania lacked a definition of cybersecurity and there was no established system for investigation and evaluation. Work has now begun on drafting a law on the security of electronic communication networks and information. This new law establishes a framework for national strategy and an overall national coordination commission (NCC). It is hoped that the law will be passed in autumn 2007. A workshop on cooperation on enhancing security in the cyber environment will be held in Vilnius, Lithuania, 20-22 November 2007.

15. In discussion, a representative from Argentina, which is about to pass its own law on cybersecurity, raised the issue of Computer Emergency Response Teams (CERTs), and what level of independence should be given to them. Other issues raised included how to involve the private sector in policing harmful content, and the liabilities of operators for transmitting malware and viruses.
Session 5: PGC Focus Area – Legal Frameworks and Enforcement

16. An integral component of any national strategy is the adoption of appropriate legislation against the misuse of ICTs for criminal or other purposes, including activities intended to affect the integrity of ICT transactions and national critical infrastructures. As threats can originate anywhere around the globe, the challenges are inherently international in scope, and it is desirable to harmonize legislative norms as much as possible to facilitate regional and international cooperation. This session, moderated by Ms. Betty-Ellen Shave, Assistant Deputy Chief, International Computer Crime, Department of Justice, United States, discussed the current international standards, principles and instruments relating to electronic crimes and related challenges in enforcement.

17. The session was opened by Mr. Alexander Seger, Head of Technical Cooperation, Department of Crime Problems, Council of Europe. In his presentation, he provided a list of minimum legal issues that any national law would need to address, in terms of both substantive and procedural law. The Council of Europe Convention on Cybercrime deals with some of these issues, and has a separate optional protocol on xenophobia and racism. More detail was presented at the special lunch session on the Convention on Cybercrime, held on Tuesday 15 May. Speakers during the lunch session included Mr. Alexander Seger ("The Convention on Cybercrime of the Council of Europe - A Framework for National Action and International Cooperation Against Cybercrime"), Mr. Henrik Kaspersen ("Why the Cybercrime Convention?", "Experiences in The Netherlands") and Ms. Betty-Ellen Shave ("Experiences in the United States"). The CoE Convention on Cybercrime currently has 19 ratifications and 24 signatures, including non-European states such as the United States. Other non-European states are expected to sign soon (including Mexico and Costa Rica). A regional workshop is planned to be held in Morocco, 19-20 June 2007, for cybercrime prosecutors in the Arab States region. The next Cybercrime Convention Committee meeting will be held in mid-June in Strasbourg, France, preceded by an open meeting on 11-12 June 2007.
18. Mr. Demosthenes Chryssikos, Crime Prevention and Criminal Justice Officer, UN Office on Drugs and Crime (UNODC), explained in his presentation that the mandate of the UNODC has expanded to cover cybercrime, especially as it relates to criminal misuse and falsification of identity. An inter-governmental expert group has been established which has held two meetings, most recently in January 2007. A final report was submitted in April 2007. The study deals with both fraud and identity-related crime. The report makes a number of recommendations: 1. Legislative measures are necessary against both fraud and identity-related crime; 2. International cooperation is essential, including encouraging countries to sign up to the CoE Cybercrime Convention; 3. Jurisdiction issues need to be clarified, especially with regard to extra-territorial issues; 4. Cooperation is required between the public and private sectors. Both CoE and UNODC can offer technical assistance to countries wishing to develop legislation.
19. Mr. Stein Schjolberg, Chief Judge, Moss District Court, Norway, and chair of the 2006 C5 facilitation meeting, presented on the need for global harmonization of cybercrime legislation. 18 May 2007 will mark the 30th anniversary of the first initiative in this field, the Ribicoff Bill (1977). There are now more than ten different international and national organizations that have launched initiatives in the field of fighting cybercrime. What, therefore, should be ITU's role? ITU could serve as a global umbrella organization for work going on in different agencies. It could also provide guidance for ratification of or accession to the CoE Convention and could offer solutions for other regions that feel excluded from the CoE's coverage. It could also elaborate and implement basic international principles for fighting cybercrime. ITU could also organize a global conference on capacity-building and dedicated regional events.

20. In discussion, some delegations raised the question of whether it would be better to work from the basis of the CoE Convention on Cybercrime or to negotiate another treaty. Although the CoE Convention on Cybercrime is not perfect, it exists, and represents many years of work. It is already influencing the legislation of many more countries than are direct signatories. The convention is actually being ratified at a faster rate than other conventions.
Session 6: PGC Focus Area – Watch, Warning and Incident Response

21. An integral part of any cybersecurity strategy is a national or regional level organization that acts as a coordination centre to respond to and tackle any emergency computer and network security incidents. Typical roles include handling computer security incidents and vulnerabilities, publishing security alerts, and developing information and training on information security. This session, which was moderated by Professor Seymour Goodman, discussed the technical, managerial and financial aspects of establishing national, regional and/or international watch, warning and incident response (WWIR) capabilities.

22. Mr. Marco Thorbruegge, Senior Expert in Computer Incident and Response Handling Policy, European Network and Information Security Agency (ENISA), presented the work of the agency, especially as it relates to the establishment and operation of CERTs. Following a stocktaking exercise in 2005, work has focused on developing best practice guidelines. ENISA is currently undertaking a feasibility study, based on the EU i2010 initiative, on raising awareness of network and information security issues.

23. Mr. Nabil Sahli, Head of the CERT/TCC and CEO of the National Agency for Computer Security, Tunisia, provided a national case study of the establishment and operation of a CERT. The Tunisian CERT is a public agency, officially launched in 2004. It is constituted by three teams, working respectively on awareness raising, information and alert activities, and establishing an Information Sharing and Analysis Center (ISAC): 1. On awareness raising, one of the most effective means is showing computer users a simulation of a cybersecurity attack. Workshops have also been organized in association with youth representatives, and training programmes carried out for new teachers. 2. On information and alerts, some 600 were issued during 2006. 3. The creation of the ISAC (entitled "Saher") is underway and is part of an overall national reaction plan (called "Amen"). Mr. Sahli emphasised the importance of conducting work on cybersecurity in developing countries because of the danger that those countries could provide a reservoir of future hackers if they feel excluded from international cooperation. A regional approach is important, and in this context a joint meeting with ITU and other agencies is planned in the region for early 2008.

24. Ms. Jody Westby, American Bar Association's Privacy and Computer Crime Committee, United States, addressed the issue of "Governance for security and dependability". She emphasised the need to treat cybersecurity, cybercrime and privacy as an integrated issue. The governance of incident response is a critical issue, and this will require a clear separation of responsibilities within an overall enterprise security programme.
25. In discussion, Professor Seymour Goodman gave the example of Rwanda as a country which is receiving technical assistance and is making huge progress in developing a national capacity for cybersecurity. Nevertheless, he emphasised that, worldwide, the number of "bad guys" is a very small percentage of the total community in cyberspace, but the connectivity of the infrastructure allows them great leverage to do harm. In the case of spam, for example, it is estimated that only about 200 people are responsible for at least � of all the spam, and spam now makes up about 90% of all message traffic. The current reality is that at any given level of expertise it is easier to be an attacker than a defender in this field, and it continues to get worse.
Session 7: PGC Focus Area – Spam and Related Threats

26. Spam is an uncomfortable reality of the Information Society. In a society that defends freedom of expression, spam has been the price paid to defend the principle that anyone can speak to anyone. But spam is increasingly being used as a bearer of viruses and fraud, especially through phishing and pharming. There is already an armoury of tools (technical, legal, financial, user training) that can be used against spammers, but there is a lack of coordination at the international level and the problem is getting worse.

27. This session on spam and related threats was chaired by Mr. Richard Cox, CIO of Spamhaus, United Kingdom. He argued that the conventional approach to combatting spam is to tackle it at the end-user side rather than in the IP "cloud" of the network itself. However, this leads both to wasted bandwidth and to extra costs for users in maintaining filters. Outlawing spam through legal means is growing in importance, but enforcement is sparse, and the average spam message, and related attack, involves criminal activity in at least three countries, which makes international cooperation essential.

28. Professor Solange Ghernaouti-Hélie, University of Lausanne, Switzerland, spoke on the topic "Enhancing cybersecurity knowledge by an educational program framework", which pointed to the importance of user education, and gave details in particular of the francophone initiative, including a meeting in Alger, Algeria on 22-23 January 2007.
29. Mr. Suresh Ramasubramanian, Manager, Outblaze, India, provided a brief history of spam, which dates from the late 1980s, and of the early response, which mainly consisted of blocklisting. By the late 1990s, spammers were adapting, for instance by hijacking third-party accounts or using "throwaway" free email accounts. They also migrated to anti-spam ISPs and started taking legal action against ISPs that tried to prevent spam. Since 2003, the situation has become much worse as spam has become the vehicle of choice for the delivery of viruses and phishing. New "business models" for spam have also emerged, such as stock hyping, pyramid schemes, so-called "Nigerian" scams, etc. But, at the same time, anti-spam coalitions such as the StopSpamAlliance, the London Action Plan (LAP), the Messaging Anti-Abuse Working Group (MAAWG), the Asia Pacific Coalition Against Unsolicited Commercial Email (APCAUCE), etc. have been established. A good example in this respect is the OECD anti-spam toolkit, which identifies key focus areas for possible solutions.

30. Ms. Audrey Plonk, Information Security and Privacy, OECD, provided detail on ongoing OECD/APEC joint work on malicious software. Malware may be defined as a general term for programs inserted into an information system in order to cause harm to that system or other systems, or to subvert them for use other than that intended by their owners. Malware exists because it is profitable for malicious actors. There are now numerous malware propagation methods, including Bluetooth, instant messaging, peer-to-peer, etc., as well as spam and information theft. As a result, categorization and the generation of accurate statistics is a challenge. However, CERT/CC statistics indicate a level of up to 90'000 malware artifacts per month. Countermeasures include protection, response and enforcement of legislation.

31. In discussion, the question was raised as to whether the situation is really as bad as portrayed and whether there is still hope. It is possible to win the battle, but there is a need for a more practical approach in applying solutions. There is a huge requirement for awareness raising and international collaboration. There may also be a requirement for compliance testing for ISPs, perhaps on a voluntary basis, with regard to their handling of spam. If certain ISPs are known to be plagued by spam, then the market will avoid them. However, there may be legal or competition policy questions related to an alliance of companies that may seek to lock out competitors.
Sessions 8 and 9: Speed Exchanges on PGC Focus Areas

32. In Session 8, the conference broke into small groups to allow participants to discuss topics in a smaller roundtable format under the overall guidance of Mr. Suresh Ramasubramanian, Manager, Outblaze, India. The groups discussed each of the four different focus areas:

- Group 1 on National Strategies was moderated by Mr. Tim Kelly, ITU;
- Group 2 on Legislation and Enforcement was moderated by Mr. Alexander Seger, Council of Europe (CoE);
- Group 3 on Watch, Warning and Incident Response was moderated by Ms. Jody Westby, American Bar Association's Privacy & Computer Crime Committee;
- Group 4 on Spam and Related Threats was moderated by Mr. Richard Cox, The Spamhaus Project.

The groups each reported back in the following session (Session 9), with the findings summarized. Recommendations that emerged in these discussions are included in Session 10 below.
Session 10: Partnerships for Global Cybersecurity – Regional and International Cooperation Frameworks and Ideas for Next Steps

33. The final session of the meeting, facilitated by Mr. Alexander Ntoko, ITU Strategy and Policy Advisor, posed questions about what future strategies, solutions, partnerships, frameworks and focus areas need to be put into place. A number of suggestions were made by participants.

34. Specific ITU-related recommendations from meeting participants included:

- ITU should make a clear statement on the seriousness of the cyber-threat situation. This could include a "state of emergency" statement about the global level of spam, viruses, malware, etc.;
- ITU should focus on the tasks represented in the WSIS Tunis outcome documents, including:
  - Awareness-raising;
  - Consensus-building, especially on harmonization of legal frameworks;
  - Creating and strengthening public momentum for fighting cybersecurity threats;
  - Sharing of information and experiences, for instance through the Cybersecurity Gateway;
- ITU should consider the adoption of additional Recommendations on cybersecurity, including, but not limited to, one dealing with the harmonization of cybercrime legislation;
- In providing assistance to developing countries, ITU-D should hold regional workshops on how to set up and manage Computer Security Incident Response Teams (CSIRTs) / Computer Emergency Response Teams (CERTs).

35. The ITU Secretary-General, in his opening remarks, also brought participants' attention to a new ITU cybersecurity initiative, the Global Cybersecurity Agenda (GCA), aimed at developing a framework for international cooperation in cybersecurity.
36. Suggestions for continuing the C5 facilitation process (in no particular order) are listed below:

- Proposed terms of reference for the multi-stakeholder team to be created under WSIS Action Line C5 (see document ALC5/2007/03 for the proposed terms of reference).
- The draft terms of reference for the C5 action line, in particular the use of the word "team", will be reviewed further by the group so that it can reflect a consensus opinion. It was emphasised that the members of the WSIS action line can continue their work through virtual means as well as through the annual face-to-face meetings.
- ITU, in its role as the facilitator for C5, should produce an annual report on what is being done by stakeholders in the field of cybersecurity (see, for instance, chapter five in the 2007 ITU/UNCTAD World Information Society Report, available at www.itu.int/wisr).
- The usefulness of and need for a comprehensive calendar of C5-related events worldwide on the C5 website, to which stakeholders could provide updates, was expressed by some of the meeting participants.
- The C5 multi-stakeholder team should call on all stakeholders to contribute towards building a Global Culture of Cybersecurity.
- The need for a variety of means of international cooperation, depending on the participants, the region, etc., was brought forward by meeting participants and speakers.
- The role of the private sector in developing technical means to counter cybersecurity threats should be acknowledged, including ITU-T Study Group work on the development of Next Generation Networks (NGNs). The need to further define the role of industry/private sector in cybercrime prevention and enforcement was also brought up. In building enforcement capacities, the participants also discussed the need to make information available on public and private sector resources and training available worldwide.
37. It was recognized that developing countries still do not have adequate skills or resources to deal with cybercrime, spam and related threats. In responding to this, deliverable solutions are needed, incorporating funding, training and recognition of achievements made.

38. Specific proposals for the C5 work programme, including the development of a "Cyber Security Readiness Assessment Toolkit", were made by Ms. Jody Westby. It was proposed that this Toolkit include the following assessment areas and factors: 1. Legal Framework; 2. Infrastructure & Information Security; 3. Organizational Structure (CERT, ISACs, law enforcement); 4. Critical Infrastructure Protection; 5. Education, Awareness & Training; 6. Public-Private Sector Interaction and Coordination; 7. International Coordination and Cooperation. It was further noted that the methodology needs to be developed so that it can be used independently to guide a consistent approach, response and output. The Toolkit could be used as a checklist to guide country activities; to guide the development of national strategies; as a survey tool to assess the global state of cybersecurity and identify regional or country deficiencies; to guide educational programmes and security curriculum development; and to guide donor activities. In addition, a need was also expressed to establish a mechanism for a 24/7 point-of-contact network with public and private sector participation that can serve as an intermediary point or vehicle for warnings and alerts. The representative from the United States, in this context, drew the group's attention to the cybersecurity primer adopted under ITU-D Study Question 22/1, since it addresses most of the elements cited by Ms. Westby and is open for additional contributions.
39. At the close of the meeting, a specific proposal to the C5 meeting [77] was made by a representative from Tunisia. This proposal included: 1. a recommendation to launch regional initiatives with the purpose of promoting CERT models and other cybersecurity approaches in developing countries, to contribute to building capacities in these fields; 2. asking ITU to involve these initiatives in the implementation of both the Doha Action Plan and Resolution 130 (Antalya, 2006), to allocate appropriate resources to support them, and to help in mobilizing complementary resources from other partners for these purposes; and 3. establishing a multi-stakeholder coordination group with the mandate of identifying, in coordination with ITU-D, the best ways of promoting successful developing country experiences in these fields.
40. The chairperson, Professor Seymour Goodman [78], concluded the meeting with the observation that security is largely a matter of changing the behaviour of actors (both attackers and defenders). This can be done through law and regulation, through economics, or through technology. As an example he mentioned the importance of addressing software vulnerabilities which are being exploited by cyber-criminals to gain unauthorised access to systems and data. A number of steps could be taken to improve the usefulness of this series of C5 meetings:

• One of the purposes of this second facilitation meeting for WSIS action line C5 was to identify a number of scalable solutions that could be transferred from one country to another. A focus on solutions should also be a key feature of future meetings.

• The need to improve meeting participation, for instance by making fellowships available to assist participation from developing countries.

• The C5 forum should provide specific ideas for work items that can be taken up, either by ITU directly or in partnership with other stakeholders. This group can validate such ideas for the future work programme.

• The need to give further consideration to an international convention more oriented towards building capacity to protect the critical information infrastructures, rather than dealing explicitly with cybercrime.
41. This draft Meeting Report is currently open for comments. The email address for comments on the draft report, or for other issues relevant to the WSIS C5 action line, is cybersecurity(at)itu.int [79]. All meeting participants will be added to the C5 mailing list (pgc-discuss(at)itu.int). If you are not already on the mailing list and are interested in participating in the C5 discussions through the mailing list, please send an e-mail to cybersecurity(at)itu.int.
Additional Meeting Notes
42. In the invitation letter to the second facilitation meeting for WSIS Action Line C5, interested stakeholders were asked to submit written contributions on their cybersecurity-related activities. Acknowledgement is also made of the following written contributions to the meeting and the overall C5 implementation process:

• Contribution from Cisco Systems: Examples of Mechanisms for Enhanced Cooperation on Cybersecurity and Combating Spam [80]

• Contribution from Microsoft: Critical Information Infrastructure Protection - Insights on Strategic Frameworks for Partnerships and Risk Management [81]

• Contribution from North American Consumer Project on Electronic Commerce (NACPEC): The Legal Framework on Cybercrime and Law Enforcement in Mexico [82]

[1] http://www.itu.int/wsis/
[2] http://www.itu.int/wsis/implementation/c5/
[3] http://www.itu.int/osg/spu/cybersecurity/2006/
[4] http://www.itu.int/wsis/implementation/cluster2007.html
[5] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/agenda.phtml
[6] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/presentations.phtml
[7] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/contributions.phtml
[8] http://www.itu.int/ibs/sg/spu/200705wsisc5/index.html
[9] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/index.phtml
[10] http://www.itu.int/net/ITU-SG/biography.aspx
[11] http://www.itu.int/wisd/
[12] http://www.itu.int/cybersecurity/gca/
[13] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/speaker_bios.phtml#goodman
[14] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/speaker_bios.phtml#sunner
[15] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/presentations/session2-sunner-C5-meeting-14-may-2007.pdf
[16] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/speaker_bios.phtml#ribordy
[17] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/presentations/session2-ribordy-C5-meeting-14-may-2007.pdf
[18] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/speaker_bios.phtml#ntoko
[19] http://www.itu.int/pgc/
[20] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/agenda.phtml
[21] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/docs/c5-proposed-terms-of-reference-14-may-2007.pdf
[22] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/docs/c5-speed-exchange-information-document-14-may-2007.pdf
[23] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/docs/c5-itu-resolution-130-14-may-2007.pdf
[24] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/speaker_bios.phtml#shaw
[25] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/presentations/session3-shaw-14-may-2007.pdf
[26] http://www.itu.int/ITU-D/study_groups/SGP_2006-2010/events/2007/RG-Question22_1/index.html
[27] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/speaker_bios.phtml#sebek
[28] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/presentations/session3-sebek-C5-meeting-14-may-2007.pdf
[29] http://www.itu.int/ITU-T/studygroups/com17/ict/index.html
[30] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/speaker_bios.phtml#goodman
[31] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/speaker_bios.phtml#suter
[32] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/presentations/session4-suter-C5-meeting-14-may-2007.pdf
[33] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/docs/background-paper-suter-C5-meeting-14-may-2007.pdf
[34] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/speaker_bios.phtml#plonk
[35] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/presentations/session4-plonk-C5-meeting-14-may-2007.pdf
[36] http://www.olis.oecd.org/olis/2006doc.nsf/linkto/dsti-iccp-reg(2006)15-final
[37] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/speaker_bios.phtml#korsakaite
[38] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/presentations/session4-korsakaite-c5-meeting-14-may-2007.pdf
[39] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/speaker_bios.phtml#shave
[40] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/speaker_bios.phtml#seger
[41] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/presentations/session5-seger-C5-meeting-14-may-2007.pdf
[42] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/agenda.phtml#lunchsession
[43] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/presentations/lunch-session-seger-C5-meeting-15-may-2007.pdf
[44] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/presentations/lunch-session-kaspersen1-C5-meeting-15-may-2007.pdf
[45] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/presentations/lunch-session-kaspersen2-C5-meeting-15-may-2007.pdf
[46] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/speaker_bios.phtml#chryssikos
[47] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/speaker_bios.phtml#schjolberg
[48] http://www.itu.int/osg/spu/cybersecurity/2006/index.phtml
[49] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/presentations/session5-schjolberg-C5-meeting-14-may-2007.pdf
[50] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/speaker_bios.phtml#goodman
[51] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/speaker_bios.phtml#thorbruegge
[52] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/presentations/session6-thorbruegge-C5-meeting-14-may-2007.pdf
[53] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/speaker_bios.phtml#sahli
[54] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/presentations/session6-sahli-C5-meeting-14-may-2007.pdf
[55] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/speaker_bios.phtml#westby
[56] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/presentations/session6-westby-C5-meeting-14-may-2007.pdf
[57] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/speaker_bios.phtml#goodman
[58] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/speaker_bios.phtml#cox
[59] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/speaker_bios.phtml#ramasubramanian
[60] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/presentations/session7-ramasubramanian-c5-meeting-15-may-2007.pdf
[61] http://StopSpamAlliance.org
[62] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/speaker_bios.phtml#plonk
[63] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/presentations/session7-plonk-C5-meeting-15-may-2007.pdf
[64] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/speaker_bios.phtml#ramasubramanian
[65] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/docs/Summary-from-Speed-Exchange-on-National-Strategies.pdf
[66] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/speaker_bios.phtml#kelly
[67] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/docs/Summary-from-Speed-Exchange-on-Legislation-and-Enforcement.pdf
[68] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/speaker_bios.phtml#seger
[69] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/docs/Summary-from-Speed-Exchange-on-Watch-Warning-Incident-Response.pdf
[70] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/speaker_bios.phtml#westby
[71] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/docs/Summary-from-Speed-Exchange-on-Spam-and-Related-Threats.pdf
[72] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/speaker_bios.phtml#cox
[73] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/speaker_bios.phtml#ntoko
[74] http://www.itu.int/cybersecurity/
[75] http://www.itu.int/cybersecurity/gca/
[76] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/docs/c5-proposed-terms-of-reference-14-may-2007.pdf
[77] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/contributions/proposal-to-C5-meeting-from-tunisia-15-may-2007.pdf
[78] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/speaker_bios.phtml#goodman
[79] cybersecurity(at)itu.int
[80] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/contributions/contribution-to-C5-from-cisco-systems-14-may-2007.pdf
[81] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/contributions/contribution-to-C5-from-microsoft-14-may-2007.pdf
[82] http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/contributions/contribution-to-C5-from-nacpec-14-may-2007.pdf