ITU calls for global cybersecurity measures
The International Telecommunication Union (ITU) has published its proposals for harmonising global cybersecurity legislation on the periphery of a conference on the information society in Geneva. At a discussion session, ITU General Secretary Hamadoun Touré stated that the document, advertised as a "Cybersecurity Toolkit", is "no Bible and no Koran", instead offering a list of best practices from existing legislation.
Drafting of the document was entrusted to an expert group commissioned by the ITU and led by the American Bar Association's Privacy and Computer Crime Committee (PACC). In Geneva, PACC boss Jody Westby emphasised that legislation from many different countries was considered in producing the document, which is intended as a model for national legislation. In addition to the Council of Europe's 'Convention on Cybercrime', their search for model regulations also took in legislation from Australia, Canada, China and many other countries.
Certain stipulations, such as requirements on intellectual property, mean that the Council of Europe's convention is not suitable as a universal model, explained a representative from Brazil, which recently decided against acceding to the convention. Westby made clear that she does not care a jot whether or not countries sign the Convention on Cybercrime and that the aim of the ITU toolkit is the harmonisation of legislation targeted at cyber-criminality and not support for a single instrument. Touré admitted that a binding agreement on cyber-security under international law had encountered some resistance from member states. Rather than produce such an instrument, the ITU had instead chosen to put forward a toolkit of sample legislation.
Aside from the harmonisation of legislation, the ITU is also promoting its own early warning system for military attacks in cyberspace, developed by the "International Multilateral Partnership against Cyber-Threats" (IMPACT), an organisation supported by the Malaysian government. Cyber-attacks like the attack on Georgia's president by Russian hackers can already be detected at an early stage, affirmed Touré. IMPACT, which offers a news service on such attacks to all ITU member states, could provide the necessary data, he added.
Mohd Noor Amin, chairman of IMPACT's management board, reported that 18 different data sources were tapped to compile the information provided by the early warning news system and that the organisation was on the lookout for further partners. In response to questions on how it differed from organisations such as CERT-umbrella organisation FIRST, Amin stated that IMPACT sees itself as an institution which collates information from expert institutions all over the world. Partners include Symantec, Microsoft, Kaspersky and Cisco.
The coordination of all these different cyber-security data sources is nigh on impossible, stated Randy Ramusack, Microsoft's United Nations Technology Officer. Nonetheless, Ramusack suggested that it was likely that IMPACT would be entrusted with passing on information from Microsoft's special governmental programme to governments with which the US company itself had "no contact". As part of this programme, Microsoft offers governments exclusive information on the function of proprietary Microsoft products where this is relevant to security issues. Ramusack expressed the conviction that, if one took the view that a "globally networked, anonymous internet" was not possible with end devices which use "arbitrary code of unknown origin", better authentication and increased auditing on the web were urgently required.