Representatives from over 170 governments and industry, nongovernmental organizations, and civil society organizations have descended upon Busan, Korea, for the 19th Plenipotentiary (PP-14) meeting of the International Telecommunication Union (ITU). For the next few weeks over 1500 participants are gathering to consider and debate a wide range of issues. Cybersecurity is one issue, in particular, garnering intense attention.
PP-14 is an opportunity for participants to discuss cyber-related issues that are important to both the public and private sectors, and help build global communities of informed stakeholders who can work together to tackle current and future cybersecurity challenges.
However, some proposals floating around the conference are proving quite problematic, such as one to expand the scope of the ITU's work in cybersecurity to areas such as privacy and technical coordination. If adopted, these proposals will create policy confusion and waste precious resources by unnecessarily duplicating and possibly conflicting with work already taking place elsewhere.
While the ITU has considerable expertise and competence in telecommunications, we believe matters related to cybersecurity policy and technical cooperation are best addressed in other organizations, of which there are many.
Fortunately, resolutions being discussed in Busan would limit the ITU's work in cybersecurity by expressly defining crime, national security, and content as outside of the scope of the ITU's mandate. Some key things that should not emerge from this conference are:
- The Plenipotentiary should not initiate or authorize a treaty-making process or otherwise develop binding agreements on international security or cybersecurity. The ITU has played an important role in supporting the interoperability of international telecommunications networks and has become a trusted venue for many Member States to discuss related issues of interest. While the ITU can play a convening role on some matters, it lacks the expertise to deal with many technical and legal matters, including cybersecurity and cybercrime.
- The Plenipotentiary should not take actions that reduce flexibility in responding to cybersecurity challenges, such as adopting technical mandates for security-related products or mandated processes for the operation of telecommunications or information and communications technology (ICT) infrastructure. With the rapidly changing cybersecurity threat landscape, all players in the ecosystem, including owners and operators of telecommunications networks and ICT systems, must have sufficient flexibility to adapt and adopt innovative new technologies that can reduce cybersecurity risks. Locking specific technologies or processes into place only weakens the infrastructure and presents a fixed target for malicious actors.
- The Plenipotentiary should oppose expansion of ITU-T’s focus into new areas of cybersecurity standardization. Consistent with industry’s ongoing concerns around duplication of standardization activities globally, the ITU’s Standards Bureau (ITU-T) must not further draw resources away from existing and productive forums for cybersecurity standardization.
- The Plenipotentiary should avoid actions or positions that will increase ITU-T’s partnership with other SDOs. To meet the needs of the marketplace, self-organizing and developing groups of stakeholders develop technical standards in various global standards development organizations (SDOs). This natural specialization ensures communities of experts develop as needed, and in a timely manner. The ITU-T’s current attempt to take responsibility for all cybersecurity-related standards is well outside of the scope of the institution, duplicates work in other SDOs, and seeks to place the ITU-T above other SDOs.
Clearly, cybersecurity is a critical issue worldwide. Threats are growing and evolving exponentially, requiring a rapid and steady commitment of expertise and resources. The ITU lacks both. ITI would welcome the opportunity to engage with ITU Member States to share best practices and other recommendations for establishing appropriate and effective cybersecurity frameworks to increase confidence and trust in the internet.
- ITI's Ken Salaets contributed to this blog.