Cybersecurity is a top-of-mind issue with calls for individual vigilance, national legislation, and international treaties to address gaps that are exploited causing significant harm and financial loss on a daily basis. The vast majority of these calls are well-intentioned though even among the best-intentioned, some are poorly directed.

Such is the case with all of the proposals that would introduce security into the International Telecommunication Regulations (ITRs) of the International Telecommunication Union (ITU).

The ITU

The ITU is a venerable institution dating to 1865 with the establishment of the International Telegraph Union. Since then it has added radio and telephony to its remit, become an agency of the United Nations, and adopted and modified a set of International Telecommunication Regulations. Its primary members are 193 Member States (nations) that adopt through consensus Resolutions, Decisions, and Regulations. They are assisted by some 700 industry Sector Members that may participate in certain Conferences, Fora, Assemblies, meetings, etc. but have no formal vote.

In the coming months, a multi-year preparatory process will conclude in a two-week December World Conference on International Telecommunication (WCIT) in Dubai where Member States will decide how to modify a set of international regulations. The decisions made could impact industry in meaningful ways and the potential exists to significantly expand regulation beyond traditional telecommunication (telegraphy and telephony). This expansion has not been well-advertised and possibly impacted industries may have little or no representation at this conference or other fora where their fate will be discussed and decided.

The ITRs

The International Telecommunication Regulations is a treaty level instrument negotiated between nations within the context of the ITU. The regulations address telecommunication, defined by the treaty signatories as:

Any transmission, emission or reception of signs, signals, writing, images and sounds or intelligence of any nature by wire, radio, optical or other electromagnetic systems.

On the one hand, this definition is broad covering virtually every form of human communication, including intelligence (though as I previously pointed out, this is likely a reference to an 1840 definition of that term). On the other, it is decidedly narrow and limits telecommunication to, “transmission, emission or reception ... by wire, radio, optical or other electromechanical systems”; the means.

Form and means are addressed by the definition of telecommunication in the ITU’s Constitution, Convention, and Regulations. But not content. This is almost certainly a well-considered and very deliberate omission, and one that should be maintained.

Proposals to Introduce Security into the ITRs

As I mentioned in Landmark Decisions, the ITU has taken the unprecedented (for it) step of making available to the public the WCIT “main conference preparatory document”. This is a difficult to understand document containing a confusing array of sometimes overlapping proposals for changes to the ITRs. Amidst the confusion, one thing becomes clear, (cyber)security will be a topic of conversation at the upcoming WCIT conference.

Security, including cybersecurity, is mentioned 37 times in the WCIT preparatory document whereas in the current ITRs, it is not mentioned at all. In fact, security occurs just three times in the ITU’s Constitution, Convention, and Regulations the basic and defining documents of the ITU itself. In each case, security is used in reference to national security and the sovereign right of a nation state to interrupt its telecommunication service or to stop transmission of individual private telecommunications. As an ITU term of art, security is easy to understand, unambiguous, and notably enables a nation state to solely determine when its security is in jeopardy and to unilaterally act to mitigate what it perceives as a threat.

How might a nation state determine that an individual private telecommunication endangers its security? The most likely answer is by examining the content. Another reason might be to limit communication between specific sources and destinations, fearing what might be contained in any telecommunication between the parties. Finally, a nation state might determine that it’s security was best assured by interrupting all telecommunication service, again concerned about content.

It would seem that security, as an ITU term of art, is reserved for nation states and their right to examine private telecommunications, prohibit their transmission or interrupt all telecommunications. Security then, is a sovereign issue and is clearly and unambiguously addressed in the ITU Constitution obviating the need to address it in he ITRs. In fact, introduction of the term there might lead to ambiguity, confusion, and controversy when the ITRs are applied in practice.

Use of an alternate term, perhaps cybersecurity from other related proposals, could reduce or eliminate this ambiguity by clearly differentiating between the sovereign national security issues of the Constitution and telecommunication security issues that might be addressed in the ITRs. To minimize confusion, a definition of cybersecurity should be developed and agreed upon. Helpfully the ITU has just such a definition, found in its Recommendation X.1205:

Cybersecurity

The collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets.

Cyber environment includes users, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks

Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment.

Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user’s assets against relevant security risks in the cyber environment. The general security objectives comprise the following:

• Availability
• Integrity, which may include authenticity and non-repudiation
• Confidentiality

n.b. The definition above has been reformatted and includes a referenced definition for clarity.

Other definitions exist for cybersecurity covering cyber-warfare, -terrorism, -espionage, and -crime. Regardless of the specific definition, cybersecurity is a broad concept like that expressed in X.1205 and encompasses considerably more than transmission, emission, or reception—the scope of the ITRs.

Including cybersecurity in the ITRs necessarily expands their scope far beyond their original and updated intent. This burdens the ITU itself and the national administrations charged with effecting the implementation of the regulations within their respective national borders. No study or analysis has been conducted to determine the scope, cost, benefit, or impact of such burdens that would apply to some 193 nations around the globe and untold corporate entities that could be subject to expanded regulation.

Is this the “light touch” regulation the ITU claims the world needs?

Conclusion

As pointed out earlier, security when applied to telecommunication, requires examination of content. As a consequence, inclusion of even the most benign (cyber)security proposals in the ITRs could require or at least encourage Member States to perform inspection of telecommunications. While such inspection might, enhance security, it unquestionably would impinge on an individual’s right to privacy, especially when arbitrarily applied to all telecommunications. This would be in contravention to article 12 of The Universal Declaration of Human Rights and article 17 of The International Covenant on Civil and Political Rights as reinforced by the recent United Nations Human Rights Council Resolution.

Cybersecurity, as defined by the ITU and others, is a broad concept covering far more than telecommunication. It is a global concern, deserves attention of global scale, and requires that the full breadth of its issues be addressed. A treaty limited to international telecommunication, while global in scope, can not and should not attempt to address that full breadth. Rather it should remain silent and recognize that cybersecurity must be addressed when and where subject matter experts can devote proper attention to the complexity of the issues, and nation states express their desire to fully cooperate in specific areas.

The Council of Europe’s Convention on Cybercrime is an excellent example of such attention and cooperation. It concretely addresses a complex set of issues and establishes a framework within which the various actors involved in the prevention, mitigation, and prosecution of cybercrime can cooperate. Though imperfect, it demonstrates how we should address other aspects of cybersecurity.

The Convention on Cybercrime is principled, but goes beyond principles. In 25 pages it details provisions for criminal law, procedural law, jurisdiction, and international cooperation. Warrants, preservation of evidence, disclosure of traffic data, expedited requests, and confidentiality are comprehensively addressed.

The ITRs by their nature and definition, are “general principles”; high-level statements that facilitate international cooperation related to telecommunication. They are limited to the means of such communication, whatever form it might take. Introduction of a few sentences or paragraphs into the ITRs cannot begin to address an issue as broad and complex as cybersecurity. We do a disservice to ourselves and to the world believing that such a casual treatment of so complex an issue could have any measurable impact

Cybersecurity is an important issue that should be addressed deliberately, comprehensively, and willfully. It deserves attention and consideration by a range of experts that will not be found at a two-week conference on telecommunications.

We can do better.

Previously posted on my personal blog.