Building confidence and security in cyberspace
International Telecommunication Union (ITU)
Houlin Zhao was elected 19th Secretary-General of ITU at the Busan Plenipotentiary Conference in October 2014. He took up his post on 1 January 2015.
Prior to his election, he served two terms as ITU Deputy Secretary-General (2007-2014), as well as two terms as the elected Director of ITU’s Telecommunication Standardization Bureau (1999-2006).
He is committed to further streamlining ITU’s efficiency, to strengthening its membership base through greater involvement of the academic community and of small- and medium-sized enterprises, and to broadening multi-stakeholder participation in ITU’s work.
Over the last decade, the Internet has become an integral part of every aspect of our lives and it continues to increase in importance. Currently, Internet users constitute over 40 per cent of the world’s population. One of ITU’s primary commitments is to bring the rest of the world online. However, it is important for this to be achieved in a sustainable manner.
Along with its enormous benefits, the Internet also brings significant risks. As connectivity expands and we grow to be more reliant on the Internet, cyber-incidents are becoming more frequent and more complex, with significant economic and social impact. Furthermore, criminals are adept at bypassing the different security protection measures, despite growing awareness of and ever-increasing investment in the latter. The growth of this phenomenon is demonstrated in a number of different reports on the global cyber-threat landscape. For example, Symantec’s Internet Security Threat Report 2015 identified a 23 per cent increase in data breaches from 2013 to 2014.
Anyone can be a victim of cyber-attacks. In fact, according to Symantec, the retail sector was among the top five sectors breached during 2014 and had the highest exposure of identities (205 million). Given the strong dependence of today’s industry on ICTs, cyber-incidents have been affecting a broad range of industry sectors, with wholesale, utilities and finance demonstrating the highest cyber-risk rates. A lack of confidence in the use of ICTs could hinder commercial operations and slow down innovation and entrepreneurship.
Increasingly, with the advent of wearable technology, the coming of age of the Internet of Things, and a proliferation of embedded ICTs, cyber-related threats will no doubt become more frequent and have greater impact. The threat is no longer just about money and data theft, important as these are. It is now about survival.
Furthermore, with the constant expansion of broadband to unconnected parts of the world, most of the growth in the adoption of ICTs in the years ahead is expected to come from developing countries. Newly connected countries have the opportunity to leverage the potential of ICTs to generate wealth and boost their socio-economic development, and to achieve this, robust, reliable, and trustworthy systems are needed to create a solid foundation for businesses to operate and evolve.
It is therefore clear that cybersecurity is an essential component of human activity in our interconnected environment. However, its high level of complexity requires concerted action in both the virtual and physical arenas by key actors from governments, the private sector, civil society, and intergovernmental organizations engaging at the national, regional and international levels.
The United Nations plays an important role in this regard as a global convener and facilitator for different stakeholders to come together to discuss, identify and implement solutions towards building a universally available, open, secure and trustworthy cyberspace.
Following the World Summit on the Information Society (WSIS), held in 2003 and 2005, ITU was entrusted with the role of facilitator for the specific Action Line on “Building confidence and security in the use of ICTs”. As a follow-up, ITU developed the Global Cybersecurity Agenda (GCA) in 2007, which is an international framework for cooperation in the area of cybersecurity. The GCA is built upon five strategic work areas (Legal Measures, Technical & Procedural Measures, Organizational Structures, Capacity Building, and International Cooperation).
In view of the growing risks in cyberspace and the increasing sophistication, frequency and gravity of cyber-threats, ITU advises and assists countries on strengthening their national cybersecurity. As part of its capacity building work, ITU helps countries establish formal, consolidated and harmonized national frameworks, as well as physical capabilities for watch, warning and incident response. To this end, Computer Incident Response Teams (CIRTs) with national responsibilities are key elements in building a national cybersecurity strategy and the first line of defence against any potential threats to national networks.
Currently, there are 102 national CIRTs worldwide. ITU has been working to fill the remaining gaps through its National CIRT programme, which provides assistance to its Member States in three stages:
i. Assessment: Evaluation of the preparedness of countries for the establishment of CIRTs.
ii. Implementation: Assistance to countries to facilitate planning, implementation, and operation of CIRTs. This includes specialized training provided to the team members.
iii. Cyber-drills: Organization of hands-on cyber-exercises in different regions in order to improve operations of existing and newly established CIRTs, and facilitate CIRT-to-CIRT cooperation.
ITU contributes to the development of critical standards that enable the creation of more secure and robust ICT devices. Bringing together administrations, industry, academia and research establishments as well as other entities, such as other Standard Development Organizations (SDOs), Forums and Consortia, ITU builds international consensus on the adoption of various cybersecurity standards (known as ITU-T Recommendations), which aim to create a more integrated and reliable ICT industry for the benefit of its consumers.
ITU also collaborates with a number of entities, including those from the private sector, to provide expert assistance to its membership with regard to cybersecurity and encourage public-private partnerships.
In cooperation with ABI Research, ITU has established the Global Cybersecurity Index (GCI), which measures the commitment of countries to strengthen cybersecurity. Its evaluation is based on the main pillars of the Global Cybersecurity Agenda: legal, technical and procedural measures, organizational structures, capacity building, and international cooperation. The overall aim of the GCI initiative is to help countries identify areas for improvement in the field of cybersecurity, as well as motivate them to take action to improve their ranking, thus helping raise the overall level of cybersecurity worldwide. The GCI initiative illustrates best practices, encouraging countries to implement aspects most suitable to their national environment, with the objective to harmonize practices and foster a global culture of cybersecurity.
In line with its long tradition of forging public-private partnerships, ITU has been collaborating with Symantec and Trend Micro on the provision of regular cyber-threat reports to its Member States, thus enhancing awareness on the current cybersecurity landscape and allowing countries to take appropriate measures.
ITU joined the Global Forum on Cyber Expertise (GFCE), which was launched at the Global Conference on Cyberspace (GCCS) held in The Hague, Netherlands in April 2015, as one of its 42 Founding Members. Some 15 cooperation initiatives were formed within the framework of the GFCE, with ITU being the co-initiator, along with the Netherlands, the Organization of American States (OAS) and Microsoft, of the “CSIRT Maturity Initiative”. The initiative is intended to help emerging and existing Computer Security Incident Response Teams (CSIRTs) to increase their maturity level.
We believe it is necessary to apply a multi-layered response to cyber-challenges in order to achieve an effective level of cybersecurity worldwide. This translates into a focus of action at the country level through the elaboration and implementation of effective national strategies, policies and legislation, development of the necessary response capabilities, as well as country-level capacity building and training. Such measures need to be complemented with regional and international cooperation – through efforts that include the development of international standards, harmonization of legislation, and exchange of information at the international level.
ITU is committed to strengthening cybersecurity worldwide. We must help foster a global culture of cybersecurity. We must build trust and confidence in our networks to ensure that online trade and commerce continue to flourish. An open and secure Internet is a pre-requisite to delivering social, economic and environmentally sustainable development in the post-2015 era. It is a key component in empowering people with information and knowledge to ensure they achieve their full potential and meet their social, cultural and economic aspirations. International cooperation is the bedrock for securing a resilient, open and trustworthy Internet that enables people everywhere to create, access, utilize and share information and knowledge.