Title: Summary and Conclusions
Summary and Conclusions
ITU Workshop on ICT Security Standardization for Developing Countries
Geneva, Switzerland, 15-16 September 2014
Opening session conclusions
- Mr. Zhaoji Lin chaired the meeting and gave an opening speech which covered the following aspects:
  - Introductory information and guidance
  - Defining the steering committee
  - Mission/objectives of the workshop and what we expect to get out of the workshop
  - Introduce/overview the sessions of the workshop
Opening Session
- Keynote speaker: Mr. Malcolm Johnson, ITU TSB Director
  - Thanks SG17 for organizing this workshop
  - Around 90 people registered, but participation is open to all
  - The importance of having such an event
  - Participation of people from developing countries in SG17 is increasing
  - Appreciates the IMPACT and ITU-D role
  - Threats are increasing (e.g. spam)
Opening Session
- Keynote speaker: Mr. Arkadiy Kremer, ITU-T Study Group 17 Chairman
  - Thanks TSB for their support
  - Focus on challenges in ICT infrastructure development
  - Main pillars for providing confidence and security
  - ITU-T SG17 standardization activities
  - Develop an effective security strategy
  - Developing countries' participation in SG17
Outcome of Opening Session (1)
- ITU-T SG17 vice-chairman Mr. Zhaoji Lin chaired the meeting and made an opening speech which covered the following aspects:
  - introductory information and guidance to the workshop, such as the background of the workshop and facilities
  - the decision of SG17 to organize this workshop and the steering team of the workshop
  - mission/objectives of the workshop and what we expect to get out of the workshop
  - information on the security standardization challenges
  - highlights of the sessions of the workshop
Outcome of Opening Session (2)
- Two keynote speeches were presented.
  - The first keynote speaker was ITU TSB Director Mr. Malcolm Johnson, whose speech mainly focused on the challenges of cyber threats to the world, especially in developing countries; on spam threats to developing countries and WCIT-12 efforts to encourage Member States to cooperate to prevent spam; on ITU's efforts in dealing with these challenges; and on ITU's collaboration with other SDOs on ICT security standardization activities.
  - The second keynote speaker was ITU-T SG17 chairman Mr. Arkadiy Kremer. His speech mainly focused on challenges in ICT infrastructure development, main pillars for providing confidence and security, ITU-T SG17 standardization activities, developing an effective security strategy, and participation of developing countries in SG17.
Conclusion of Opening Session
- This workshop aimed to present activities and achievements of standardization on cybersecurity, data protection, trust services and cloud computing; focused on the methodology of securing ICT within critical infrastructure; heard a reaction from the security industry; addressed the interests and needs of users; and encouraged collaboration between SDOs in security standardization for the special needs of developing countries.
- International standards are tools offering exactly the technical, procedural and administrative defences that are internationally applicable.
- ITU-T, specifically ITU-T SG17, has made great efforts to bridge the standardization gap between developed and developing countries to build confidence and security in the use of ICTs.
Session 1 conclusions
- Although Zambia, like most developing countries, has limited capacity in addressing security challenges, reasonable progress has been achieved in putting in place the necessary institutional framework.
- New security approaches are required in order to enable large-scale deployment of IoT systems.
Session 1 conclusions (cont.)
- SG17 should consider organizing a special session to address security challenges related to mobile financial services.
- Strong collaboration between ITU and UPU on security is vital, especially in areas such as secure e-mail and financial transactions.
Session 1 conclusions (cont.)
- SG17 and IEC/TC57/WG15 should cooperate and share expertise on smart-grid security.
- Security should be embedded in the system design in order to lower operational costs.
Session 2 conclusions
- To identify key topics/requirements for ICT security (through presentations):
  - Need to step up authentication capabilities for mobile online trust
  - Use of lightweight crypto for connected cars and ITS security
  - Critical infrastructure security in the energy sector
  - Need for interoperability of secure enterprise mobility across providers
  - Identity Based Attestation and Open Exchange Protocol (IBOPS)
  - Big Data (BD) security and privacy
Session 2 conclusions: Output on Objective 2 (cont.)
- To explore the way to develop security standards in ITU-T (through the Round Table):
  - The authentication landscape is changing rapidly, and the ID ecosystem is also changing. A new use case (requirement) is authentication/identification on demand. The work of the FIDO Alliance and OASIS TC IBOPS is to be looked at, and collaboration is suggested.
  - There is a need for a minimum level of security in ITS and IoT environments. ISO/IEC JTC 1/SC27/WG2 is standardizing lightweight crypto and is seeking collaboration on how to use such crypto.
  - Critical infrastructures are to be looked at. There is room for cooperation and standardization between military and civil. Governments need standards on electronic signatures and e-IDs. ITU-T should consider standardization cooperation with European bodies (like ENISA).
Session 2 conclusions: Output on Objective 3 (cont.)
- To explore the way to develop security standards in ITU-T (through the Round Table):
  - ISO/IEC JTC 1/SC27 is doing work in data management and governance, on secure data storage, and also on data discovery, which are subject to standardization. Real-time security analytics for data management should be considered. ISO is doing a gap analysis on big data; there is an opportunity for collaboration with ITU-T (SG17).
  - TC 215 has developed several health informatics standards, such as on information governance, policy management etc., and could potentially work with ITU-T.
Session 2 conclusions: Output on Objective 4 (cont.)
- Summary
  - Mobile security (authentication): FIDO Alliance and OASIS TC IBOPS
  - Utilization of lightweight crypto for ITS/IoT: ISO/IEC JTC1/SC27 and others
  - Critical infrastructures: European bodies (like ENISA)
  - Big Data security/PII: ISO/IEC JTC1/SC27
  - Health informatics: TC215
Session 3 conclusions
- Make standards less complex and more applicable
- Create standards for the needs
- Collaboration is the key
- Standardization is very important to be on the same track
- Sharing known vulnerabilities and threats makes a significant difference
- Data protection becomes more important with online services
Session 3 conclusions
- Operational experience and demand from the field are very important
- ITU-D is a great opportunity for creating standards widely used by developing countries
- Start a joint project with ITU-D to enhance the business use of standards
Session 3 conclusions
- It will be very beneficial if the experts help countries to implement the standards
- Encourage governments, organizations, companies and academia to participate
Session 4 conclusions: Summary 1/3
- Session 4 discussed the ICT role in critical infrastructure protection from three different perspectives, as follows:
- Frameworks and international collaboration: Mr Koyabe presented "Critical Information Infrastructure Protection (CIIP): Commonwealth Perspective", with insights on a cyber-governance model adopted by those countries, and Mr McCrum presented "Toward a partnership-based framework for establishing secure ICT infrastructure in developing countries", with proposals on regulatory measures, the ITU role and mutual recognition agreements (MRA).
Session 4 conclusions: Summary 2/3
- Standardization issues on CIIP: Mr. Zolotnikov presented "Critical infrastructure protection standardization" to protect critical infrastructure objects, with some key principles of secured system development to be standardized, including industrial control systems (ICS), and Mr. Strunge presented "Security by Design in Smart Grids: A Need to Rethink ICT in Power System Controls", including proposals on automated certificate handling, whitelists and multiple associated parallel PKIs.
Session 4 conclusions: Summary 3/3
- Role of ICT and sector regulators: Mr. Alsamhan presented "ICT Regulator Role on National Security and Critical Infrastructure Protection", with Saudi Arabia's experiences on CIP, national CERT deployment and security enforcement measures, and Mr. Guimaraes presented "Critical telecommunication infrastructure protection in Brazil", with insights on legislation, methodologies and an information system under development (SIEC).
- These perspectives were further developed during the final discussion panel. Some aspects discussed in Session 4 could be of interest to ITU-T Qs 2/17, 4/17, 6/17, 7/17 and 11/17.
- In particular, ITU-D Q3/2 was highly interested in Mr. Koyabe's presentation.
Session 5 summary (1/3)
- This session consists of five presentations:
- Cloud security standardization activities in ITU-T (Huirong Tian, China)
  - presenting major deliverables and activities of the ITU-T FG on cloud computing and various existing work by ITU-T SG17 as well as SG13, especially the approved Recommendation ITU-T X.1601, security framework for cloud computing.
- ITU-T SG17 Identity management (IdM) Progress Report (Abbie Barbir, ITU-T Q10/17 Rapporteur)
  - presenting the mission and major coordinated activities of ITU-T SG17 Question 10 with other SDOs, as well as the current state, drivers for the future direction, the need for a better identity assurance and trust framework, and future focus in the identity management area.
- X.509 in a changing world (Erik Andersen, Denmark)
  - presenting ITU-T X.509, the definition and role of PKI, the changing environment for use of PKI such as cloud, mobile, M2M and smart grid, and the future of Recommendation ITU-T X.509.
Session 5 summary (2/3)
- National ID management system in Korea (Daeseon Choi, Electronics and Telecommunications Research Institute, Authentication Research Section Leader)
  - presenting the national initiative on the identity management system, including issues around the national identifier, online and offline identity proofing, various authentication technologies such as PKI, SSO and attribute sharing, and the future direction of Korean IdM.
- Introduction to ISO 29003 - Identity Proofing (Patrick Curry, British Business Federation Authority, SC27 WG5)
  - presenting ISO/IEC 29003 Identity Proofing, such as the need and definition for identity proofing, key players around identity proofing, changing factors that need to be considered, and the role of the international standard.
Session 5 summary (3/3)
- The session had a roundtable discussion.
- Six panelists, including the five speakers and Frederic Gittler from the Cloud Security Alliance, were invited to the roundtable discussion, which was devoted to identifying potential future topics that SG17 needs to consider, especially to answer the following questions:
  - What are the current major activities that other (standards) organizations are carrying out which ITU-T SG17 needs to consider?
  - What is your view about the gap in current standards activities of ITU-T SG17 in these areas?
  - What is your perspective about the future direction for ITU-T SG17 standardization activities in the areas of cloud and identity management, considering future ICT environments, such as one supporting a super-highly connected society?
Session 5 conclusions: Major findings and future directions
- Suggested topics for future study in the cloud security area
  - trust models, security controls, best practices, etc.
- Topics carried out by CSA for SG17
  - Cloud security and privacy
  - Virtualization security
  - Governance and assurance
  - Incident management and digital forensics, etc.
- Three key success factors for coordination between SDOs provided by CSA in cloud security
  - Avoiding duplication/coordination,
  - Having certification with maturity models,
  - Ease of use and accessibility.
- Suggested topics for future study in the identity management area
  - Business and Privacy Guidelines,
  - Interoperable Products and Services,
  - Identity Assurance Framework Assessors for better identity assurance and trust frameworks
Session 5 conclusions: Major findings and future directions
- There is a need for
  - updating Rec. ITU-T X.509, considering new factors and meeting new requirements in the new ICT environment, such as smart grid.
  - developing guidelines/implementation guides for PKI deployment for developing countries by SG17, and investigating national-level initiatives on PKI deployment and usage, online, offline or combined identity proofing, and various authentication methods as best practices for use or deployment by developing countries.
  - an International Standard to address in-person proofing, which is a very fundamental process for a secure e-ID system, to be developed by SC27 WG5, possibly in cooperation with ITU-T SG17.
Session 6: Security Standardization Challenges
- Objectives
  - To better understand the role of ICT security standardization
    - A set of short presentations that highlight ICT security standardization efforts in 8 international and regional bodies
  - To explore ICT security standardization challenges
    - An open roundtable discussion on challenges, including collaboration and meeting user needs, especially those from developing countries
Session 6 Presentations
- International Organization for Standardization (ISO): Walter Fumy, ISO/IEC JTC 1/SC27 chairman
  - Overview of security work in ISO, new ISO TC 292, security work of SC27
- Internet Engineering Task Force (IETF): Kathleen Moriarty, Security Area director
  - IETF security working groups, emerging work areas, fellowships, policy programme
Session 6 Presentations
- European Telecommunications Standards Institute (ETSI): Charles Brookson, ETSI TC CYBER chairman
  - Work of TC CYBER, cyber security coordination group recommendations, ETSI security activities
- Cloud Security Alliance (CSA): Frederic Gittler, HP
  - Cloud computing and mobility as a unique opportunity for developing countries
Session 6 Presentations
- FIRST (an international confederation of trusted computer incident response teams): Damir Rajnovic, member of the board of directors
  - Common issues when trying to implement international standards in a national environment
- Organization for the Advancement of Structured Information Standards (OASIS): Carol Cosgrove-Sacks, senior advisor
  - Securing the digital frontier: the need for robust cyber security standards
Session 6 Presentations
- Regional Asia Information Security Exchange Forum (RAISE Forum): Koji Nakao, co-chairman
  - Challenges, objectives, current focus, projects
- International Telecommunication Union Telecommunication Standardization Sector (ITU-T): Arkadiy Kremer, Study Group 17 chairman
  - Strategic goals of ITU-T SG17's efforts in security standardization, supporting developing countries, and cooperation with other bodies
Session 6 Roundtable
- What do you see as the key challenges for ICT security standardization?
- What do you see as the benefits and challenges of cooperation and collaboration among standards setting organizations?
- How do you ensure standards you develop will meet the needs of users, especially those in developing countries?
- What is the SDOs' role in implementation of standards?
Session 6 Roundtable Results
- Reinforced continuing need for collaboration
- Establish collaboration with ETSI TC CYBER
- Revisit/update security standards roadmap
- Need for constant feedback into the standardization process
- Bridge the gap between technology and users (e.g., the password problem); make standards simple to use
Session 6 Roundtable Results
- Need ramp-up documents to support complex standards
- Employ innovative arrangements that facilitate new participants
- Essential to encourage/facilitate organizations in developing countries to be engaged in standards development
- Essential to encourage/facilitate developing countries to take the best of standards/best practices, as ICT security standards are essential to all
Provisional follow-up actions in response to key conclusions
- Promote cooperation and collaboration essential to combating cybersecurity challenges (e.g. CIRTs), and recognize existing work of other SDOs
- Promote common policies and enforcement mechanisms recognizing the trans-border nature of cyber attacks
- Promote Mutual Recognition Agreements and conformance and interoperability (C&I) testing
- Encourage developing countries to provide their requirements to international standardization work
- Fast-track successful standards from other standards bodies through the ITU-T approval process to give them international status
- Organise a dedicated meeting to address financial inclusion security issues
- Consider a new ITU-T work item on Big Data security
- Investigate Critical Information Infrastructure Protection (CIIP) and Critical Infrastructure Protection (CIP)
- Evolution of ITU-T X.509
  - Establish an educational capacity-building project on X.509 certificates and the broader public-key infrastructure (PKI)
  - Ensure that the final product of X.509rev is future-proofed for the evolving scenarios and sectors of application
  - Liaise closely with other SDOs, in particular IETF
- Consider a new joint ITU-UPU project: secure e-mail, active monitoring, PostID, federated identity ecosystem, trust frameworks, two-factor authentication, secure cloud services, and joint standardization of UPU S64 postal identity management
- ITU-T Study Group 17 to consider the outputs and conclusions of each session
- Other ITU-T study groups and ITU-D Study Group 2 to be informed of the Workshop outputs and conclusions
- ITU-T and ITU-D to increase collaboration on capacity building on security standards