Current international challenges

Numerous international security challenges have emerged in the past five years that have complicated the regulatory landscape. A “bad actors’ club” of sorts exists in several post-Soviet states and certain African countries that do little to police resident cybercriminals. In some of these regions, just keeping the power on or maintaining consistent connectivity is a challenge. In Georgia, for example, where terrestrial telecom wiring is a commodity that’s often scavenged, a 75-year-old woman severed a telecom cable in 2011 while stealing copper wiring, knocking out internet connectivity for the entire population of neighboring Armenia for five hours.

The People’s Republic of China has also been scrutinized for the role it plays in harboring cyberfugitives. Research conducted by Akamai Technologies shows that 41 percent of cyberattacks originate there, and unlike person-to-person financial fraud and phishing scams, many of the attacks are aimed at stealing intellectual property from American corporations. Tom Donilon, prior to resigning as national security advisor for the Obama administration, touched on these developments in a speech he gave to the Asia Society in New York in March, saying, “US businesses are speaking out about their serious concerns about sophisticated, targeted theft of confidential business information and proprietary technologies through cyberintrusions emanating from China on an unprecedented scale.”

There are also persistent concerns that network equipment made in China is configured to permit the country’s government to spy on global communications networks. The US, the European Union (EU) and Australia have initiated investigations and placed restrictions on the use of telecom gear from Chinese manufacturers Huawei and ZTE, though the former has denied any wrongdoing, issuing a statement on its website last year that dismissed the investigations as “rumors and speculations to prove non-existent accusations.”

Unilateral regulatory action (or inaction, some would argue) by the nations of the world has led to regulatory environments that are dramatically different than before, which is partly why the European Commission (EC) is calling for a standardized, continent-wide security strategy that can be extended globally. “The big opportunities of the digital economy will not be realized if people are worried about security and do not trust networks and systems,” said EC vice president Neelie Kroes in a keynote address at the World Economic Forum in January. Similar concepts have been floated by the leaders of major CSPs, but the conflicting alliances of these global players have resulted in a lot of hot air but no movement toward a unified front.

ITU-T recommendations

When considering regulatory development and strategy, a good place to start is the ICT Security Standards Roadmap, which has been curated by the ITU-T since 2007. It consists of six categories:

• organizations that develop the security standards for information and communications technology (ICT), and the work of those organizations;
• approved standards;
• standards currently being developed;
• future needs and new standards under proposal;
• best practices;
• standards, organizations and gap analysis for identity management (IdM).

There is still considerable work to be done, and the roadmap reads like a curriculum for telecom-security researchers and students. Some of the proposed new standards that must be developed include:

• guidelines for countering cyberattacks on SIP-based services;
• a framework for a secure service platform for virtual networks;
• required IdM in cloud computing;
• a national, IP-based public-networks security center for developing countries;
• a telebiometric authentication framework.