Session Chairmen’s Reports ITU Workshop on “ICT Security Standardization for Developing Countries”

ITU Workshop on “ICT Security Standardization
for Developing Countries”
Geneva, Switzerland, 15-16 September 2014
Session Chairmen’s Reports
Opening session conclusions
Mr. Zhaoji Lin chaired the meeting and gave an opening speech which covered the following aspects:
Introductory information and guidance;
Defining the steering committee;
Mission/objectives of the workshop and what we expect to get out of the workshop;
Introduction/overview of the sessions of the workshop.
Opening Session
Keynote speaker: Mr. Malcolm Johnson, ITU TSB Director
Thanks SG17 for organizing this workshop
Around 90 people registered, but participation is open to all
The importance of having such an event
Participation of people from developing countries in SG17 is increasing
Appreciates the IMPACT and ITU-D role
Threats are increasing (e.g. spam)
Opening Session
Keynote speaker: Mr. Arkadiy Kremer, ITU-T Study Group 17 Chairman
Thanks TSB for their support
Focus on challenges in ICT infrastructure development
Main pillars for providing confidence & security
ITU-T SG17 standardization activities
Develop an effective security strategy
Developing countries' participation in SG17
Outcome of Opening Session (1)
ITU-T SG17 vice-chairman Mr. Zhaoji Lin chaired the meeting and made an opening speech which covered the following aspects:
introductory information and guidance to the workshop, including the background of the workshop and the facilities;
the decision of SG17 to organize this workshop and the steering team of the workshop;
the mission/objectives of the workshop and what we expect to get out of the workshop;
information on the security standardization challenges;
highlights of the sessions of the workshop.
Outcome of Opening Session (2)
Two keynote speeches were presented:
The first keynote speaker was ITU TSB Director Mr. Malcolm Johnson, whose speech mainly focused on the challenges of cyber threats to the world, especially in developing countries; on spam threats to developing countries and the WCIT-12 efforts to encourage Member States to cooperate in preventing spam; on the efforts of ITU in dealing with these challenges; and on the collaboration of ITU with other SDOs on ICT security standardization activities.
The second keynote speaker was ITU-T SG17 chairman Mr. Arkadiy Kremer. His speech mainly focused on the challenges in ICT infrastructure development, the main pillars for providing confidence & security, ITU-T SG17 standardization activities, the development of an effective security strategy, and the participation of developing countries in SG17.
Conclusion of Opening Session
This workshop aimed to present the activities and achievements of standardization on cybersecurity, data protection, trust services and cloud computing; focused on the methodology of securing ICT within critical infrastructure; heard a reaction from the security industry; addressed the interests and needs of users; and encouraged collaboration between SDOs in security standardization for the special needs of developing countries.
International standards are tools offering exactly the technical, procedural, and administrative defenses that are internationally applicable.
ITU-T, and specifically ITU-T SG17, has made great efforts to bridge the standardization gap between developed and developing countries in order to build confidence and security in the use of ICTs.
Session 1 conclusions
Although Zambia, like most developing countries, has limited capacity in addressing security challenges, reasonable progress has been achieved in putting in place the necessary institutional framework.
New security approaches are required in order to enable large-scale deployment of IoT systems.
Session 1 conclusions (cont'd)
SG17 should consider organizing a special session to address security challenges related to mobile financial services.
Strong collaboration between ITU and UPU on security is vital, especially in areas such as secure e-mail and financial transactions.
Session 1 conclusions (cont'd)
SG17 and IEC/TC57/WG15 should cooperate and share expertise on smart-grid security.
Security should be embedded in the system design in order to lower operational costs.
Session 2 conclusions
To identify key topics/requirements for ICT security (through presentations):
Need to step up “authentication capabilities” for mobile online trust
Use of “lightweight crypto” for connected cars and ITS security
Critical infrastructure security – energy sector
Need for interoperability of secure enterprise mobility across providers
Identity Based Attestation and Open Exchange Protocol (IBOPS)
Big Data (BD) security and privacy
Session 2 conclusions
Output on Objective-2 (cont.)
To explore the way to develop security standards in ITU-T (through the Round Table):
The authentication landscape is changing rapidly, and the ID ecosystem is also changing. A new use case (requirement) is authentication/identification on demand. The work of the FIDO Alliance and OASIS TC IBOPS is to be looked at, and collaboration is suggested.
There is a need for a minimum level of security in ITS and IoT environments. ISO/IEC JTC 1/SC27/WG2 is standardizing lightweight crypto and is seeking collaboration on how to use such crypto.
Critical infrastructures are to be looked at. There is room for cooperation and standardization between the military and civil sectors. Governments need standards on electronic signatures and e-IDs. ITU-T should consider standardization cooperation with European bodies (like ENISA).
Session 2 conclusions
Output on Objective-3 (cont.)
To explore the way to develop security standards in ITU-T (through the Round Table):
ISO/IEC JTC 1/SC27 is doing work in data management and governance, on secure data storage, and on data discovery, all of which are subject to standardization. Real-time security analytics for data management should be considered. ISO is doing a gap analysis on big data; there is an opportunity for collaboration with ITU-T (SG17).
TC 215 has developed several health informatics standards, on topics such as information governance and policy management, and could potentially work with ITU-T.
Session 2 conclusions
Output on Objective-4 (cont.)
Summary:
Mobile security (authentication) - FIDO Alliance and OASIS TC IBOPS
Utilization of lightweight crypto for ITS & IoT – ISO/IEC JTC1/SC27 and others
Critical infrastructures - European bodies (like ENISA)
Big Data security & PII - ISO/IEC JTC1/SC27
Health informatics - TC215
Session 3 conclusions
Make standards less complex and more applicable
Create standards for the needs
Collaboration is the key
Standardization is very important for staying on the same track
Sharing known vulnerabilities and threats makes a significant difference
Data protection becomes more important with online services
Session 3 conclusions
Operational experience and demand from the field are very important
ITU-D is a great opportunity for creating standards that are widely used by developing countries
Start a joint project with ITU-D to enhance the business use of standards
Session 3 conclusions
It will be very beneficial if the experts help countries to implement the standards
Encourage governments, organizations, companies, and academia to participate
Session 4 conclusions
Summary 1/3
Session 4 discussed “ICT role in critical infrastructure protection” from 3 different perspectives, as follows:
Frameworks and international collaboration:
Mr. Koyabe presented “Critical Information Infrastructure Protection (CIIP): Commonwealth Perspective”, with insights on a cybergovernance model adopted by those countries, and Mr. McCrum presented “Toward a partnership-based framework for establishing secure ICT infrastructure in developing countries”, with proposals on regulatory measures, the ITU role and mutual recognition agreements (MRA);
Session 4 conclusions
Summary 2/3
Standardization issues on CIIP:
Mr. Zolotnikov presented “Critical infrastructure protection: standardization to protect critical infrastructure objects”, with some key principles of secured system development to be standardized, including industrial control systems (ICS), and Mr. Strunge presented “Security by Design in Smart Grids – A Need to Rethink ICT in Power System Controls”, including proposals on automated certificate handling, whitelists, and multiple associated parallel PKIs;
Session 4 conclusions
Summary 3/3
Role of ICT and sector regulators:
Mr. Alsamhan presented “ICT Regulator Role on National Security and Critical Infrastructure Protection”, with Saudi Arabia's experiences on CIP, national CERT deployment, and security enforcement measures, and Mr. Guimaraes presented “Critical telecommunication infrastructure protection in Brazil”, with insights on legislation, methodologies and an information system under development (SIEC).
These perspectives were further developed during the final discussion panel. Some aspects discussed in Session 4 could be of interest to ITU-T Questions 2/17, 4/17, 6/17, 7/17 and 11/17.
In particular, ITU-D Q3/2 was highly interested in Mr. Koyabe's presentation.
Session 5 summary (1/3)
This session consisted of 5 presentations:
Cloud security standardization activities in ITU-T: Huirong Tian, China:
presenting the major deliverables and activities of the ITU-T Focus Group (FG) on cloud computing and various existing work by ITU-T SG17 as well as SG13, especially the approved Recommendation ITU-T X.1601, security framework for cloud computing.
ITU-T SG17 Identity management (IdM) Progress Report: Abbie Barbir, ITU-T Q10/17 Rapporteur:
presenting the mission and major coordinated activities of ITU-T SG17 Question 10 with other SDOs, as well as the current state, drivers for the future direction, the need for a better identity assurance and trust framework, and the future focus in the identity management area.
X.509 in a changing world: Erik Andersen, Denmark:
presenting ITU-T X.509, the definition and role of PKI, the changing environment for the use of PKI such as cloud, mobile, M2M, and smart grid, and the future of Recommendation ITU-T X.509.
Session 5 summary (2/3)
National ID management system in Korea: Daeseon Choi, Electronics and Telecommunications Research Institute, Authentication Research Section Leader:
presenting the national initiative on an identity management system, including issues around the national identifier, online and offline identity proofing, various authentication technologies such as PKI, SSO and attribute sharing, and the future direction of Korean IDM.
Introduction to ISO 29003 - Identity Proofing: Patrick Curry, British Business Federation Authority (& SC27 WG5):
presenting ISO/IEC 29003 Identity Proofing, including the need for and definition of identity proofing, the key players around identity proofing, the changing factors that need to be considered, and the role of the international standard.
Session 5 summary (3/3)
The session included a roundtable discussion:
Six panelists, including the five speakers and Frederic Gittler from the Cloud Security Alliance, were invited to the roundtable discussion, which was devoted to identifying potential future topics that SG17 needs to consider, especially by answering the following questions.
What are the current major activities that other (standards) organizations are carrying out, which ITU-T SG17 needs to consider?
What is your view about the gaps in the current standards activities of ITU-T SG17 in these areas?
What is your perspective on the future direction for ITU-T SG17 standardization activities in the areas of cloud and identity management, considering future ICT environments, such as one supporting a super-highly connected society?
Session 5 conclusions
Major findings and future directions
Suggested topics for future study in the cloud security area: trust models, security controls, best practices, etc.
Topics carried out by CSA for SG17:
Cloud security and privacy
Virtualization security
Governance and assurance
Incident management and digital forensics, etc.
Three key success factors for coordination between SDOs, provided by CSA, in the cloud security area:
Avoiding duplication/coordination,
Having certification with maturity models,
Ease of use and accessibility.
Suggested topics for future study in the identity management area:
Business and Privacy Guidelines,
Interoperable Products & Services,
Identity Assurance Framework & Assessors for better identity assurance and trust frameworks
Session 5 conclusions
Major findings and future directions
There is a need for:
updating Rec. ITU-T X.509, considering new factors and meeting new requirements in the new ICT environment, such as smart grid;
developing guidelines/implementation guides for PKI deployment for developing countries by SG17, and investigating national-level initiatives on PKI deployment and usage, online and offline or combined identity proofing, and various authentication methods, as best practices for use or deployment by developing countries;
an International Standard to address in-person proofing, which is a fundamental process for a secure e-ID system, to be developed by SC27 WG 5, possibly in cooperation with ITU-T SG17.
Session 6
Security Standardization Challenges
Objectives
To better understand the role of ICT security standardization: a set of short presentations that highlight ICT security standardization efforts in 8 international and regional bodies
To explore ICT security standardization challenges: an open roundtable discussion on challenges, including collaboration and meeting user needs, especially those from developing countries
Session 6 Presentations
International Organization for Standardization (ISO)
Walter Fumy, ISO/IEC JTC 1/SC27 chairman
Overview of security work in ISO; new ISO TC 292, Security; work of SC27
Internet Engineering Task Force (IETF)
Kathleen Moriarty, Security Area director
IETF security working groups, emerging work areas, fellowships, policy programme
Session 6 Presentations
European Telecommunications Standards Institute (ETSI)
Charles Brookson, ETSI TC CYBER chairman
Work of TC CYBER, cyber security coordination group recommendations, ETSI security activities
Cloud Security Alliance (CSA)
Frederic Gittler, HP
Cloud computing and mobility as a unique opportunity for developing countries
Session 6 Presentations
FIRST (an international confederation of trusted computer incident response teams)
Damir Rajnovic, member of board of directors
Common issues when trying to implement international standards in a national environment
Organization for the Advancement of Structured Information Standards (OASIS)
Carol Cosgrove-Sacks, senior advisor
Securing the digital frontier – the need for robust cyber security standards
Session 6 Presentations
Regional Asia Information Security Exchange Forum (RAISE Forum)
Koji Nakao, co-chairman
Challenges, objectives, current focus, projects
International Telecommunication Union – Telecommunication Standardization Sector (ITU-T)
Arkadiy Kremer, Study Group 17 chairman
Strategic goals of ITU-T; SG17's efforts in security standardization, supporting developing countries, and cooperation with other bodies
Session 6 Roundtable
What do you see as the key challenges for ICT security standardization?
What do you see as the benefits and challenges of cooperation and collaboration among standards setting organizations?
How do you ensure standards you develop will meet the needs of users, especially those in developing countries?
What is the SDO's role in implementation of standards?
Session 6 Roundtable Results
Reinforced continuing need for collaboration
Establish collaboration with ETSI TC CYBER
Revisit/update security standards roadmap
Need for constant feedback into the standardization process
Bridge the gap between technology and users (e.g., the password problem) – make standards simple to use
Session 6 Roundtable Results (cont'd)
Need ramp-up documents to support complex standards
Employ innovative arrangements that facilitate new participants
Essential to encourage/facilitate organizations in developing countries to be engaged in standards development
Essential to encourage/facilitate developing countries to take the best of standards/best practices, as ICT security standards are essential to all
Provisional follow-up actions in response to key conclusions
Promote cooperation and collaboration essential to combating cybersecurity challenges (e.g. CIRTs), and recognize existing work of other SDOs
Promote common policies and enforcement mechanisms recognizing the trans-border nature of cyber attacks
Promote Mutual Recognition Agreements and conformance and interoperability (C&I) testing
Encourage developing countries to provide their requirements to international standardization work
Fast-track successful standards from other standards bodies through the ITU-T approval process to give them international status
Organise a dedicated meeting to address financial inclusion security issues
Consider a new ITU-T work item on Big Data security
Investigate Critical Information Infrastructure Protection (CIIP) and Critical Infrastructure Protection (CIP)
Evolution of ITU-T X.509:
Establish an educational capacity-building project on X.509 certificates and the broader public-key infrastructure (PKI)
Ensure that the final product of X.509rev is future-proofed for the evolving scenarios and sectors of application
Liaise closely with other SDOs, in particular IETF
Consider a new joint ITU-UPU project: secure e-mail, active monitoring, PostID, federated identity ecosystem, trust frameworks, two-factor authentication, secure cloud services, and joint standardization of UPU S64 postal identity management
ITU-T Study Group 17 to consider the outputs and conclusions of each session
Other ITU-T study groups and ITU-D Study Group 2 to be informed of the Workshop outputs and conclusions
ITU-T and ITU-D to increase collaboration on capacity building on security standards