Information and Communications Technology (ICT) infrastructures rely on many globally shared critical resilience information resources for diverse essential functions such as identifiers, routing, and cyber security. However, this ICT ecosystem has rapidly become significantly less stable and collaborative with dramatically diminished respect for legal norms and values because of the new USA national Administration. The instability includes the vicarious, wholesale removal of essential public safety and scientific databases, as well as global collaboration with multiple global UN public safety bodies. One result is the scaling of Digital Sovereignty initiatives. An additional development now being accelerated is the restructuring of globally shared critical ICT information resources.
The need historically has existed since the inception of global ICT network and service international agreements in 1850. In 1868, the Swiss government offered its jurisdiction and resources as a permanent venue for sharing essential global ICT resources arguing that its long stability, neutrality, and administrative care in an unstable world was essential for global cyber resilience. A Swiss civil servant in Berne set up the bureau which has persisted to this day after moving to Geneva in 1950 under the International Telecommunication Union (ITU) following World War II.
During the past 35 years, as the ICT ecosystem became much more complex and diverse, a significant array of essential cyber resilience information resources became concentrated in one country, the USA. The dependencies occur with government agencies, government contractors and private industry bodies incorporated and headquartered in the USA. Recent USA events have resulted in urgent restructuring of the venues for hosting and control of numerous critical global cyber resilience information resources by moving or replicating them and their information resources in stable venues respecting global legal norms and values such as Europe.
In most cases, this change can be accomplished by amending the place of incorporation and secretariat headquarters of the relevant organisation together with moving its information hosting site and associated specification activities. Alternatively, a mirror of the organisation can be established outside the USA. Some especially stable global-oriented jurisdictions such as Switzerland, the United Kingdom, and France have historically catered to this need through special support mechanisms. The CCIF Secretariat for international telephony existed in Paris until it was moved to Geneva in 1950. Two broad classes of resources are implicated.
Digital identifier resources typically consist of three components: a defining specification, an associated registry, and a network-based means for “resolving” the identifier into some essential network, service, or cyber security information. The existence of the third component depends on the need for real-time information and may be implemented in diverse mechanisms and hierarchical architectures that can include local caching. This queried information is used for a wide array of purposes including traffic routing, trust levels, network or service access and billing.
Digital identifier resources were once maintained entirely by the ITU in Switzerland, often employing nation state distributed architectures that distributed the responsibilities and information among them. The emergence of mobile networks saw the responsibilities undertaken largely by the GSMA in the UK in cooperation with ITU-T. The instantiation of Ethernet and TCP/IP networks saw that responsibility extend to private sector bodies such as the IETF/IAB/IANA and IEEE in the USA, which maintain ultimate control over a substantial ensemble of network identifiers and over vital cyber resilience identifier resources.
The stewardship role for digital identifier resources necessitates the responsible organisation’s existence in a national jurisdiction that supports that stewardship on a global scale with assured neutrality and respect. Current events that adversely impacted the global digital resilience ecosystem have resulted in an urgent need to migrate all global digital identifier responsibilities and resources to jurisdictions that are stable and demonstrably committed to global cooperation and rule of law rather than openly abolishing it.
Global cyber security information resources developed by NSA and other national security agencies were originally instantiated in the ITU-T in the 1980s and intended under the 1988 Melbourne Treaty to reside there. These included combinations of identifier and trust mechanisms, some of which, like OIDs and X.509 certificates, persisted and became widely used over the decades. The formal exchange of digital telecommunication network incident information was considered by the ITU in 1991 but not acted upon.
However, as incidents and vulnerabilities attributed to TCP/IP network and device use began to scale in the 1990s following the 1988 Morris Worm incident, the information was primarily circulated via standards and practices developed by the FIRST organisation incorporated and headquartered in the USA that is now serving a global constituency. Toward the late 1990s, critical cybersecurity information was structured and captured for dissemination by what is known as the [USA] National Vulnerability Database (NVD) using a Common Vulnerability Expression specification and MITRE issued identifiers.
During the 2009-2012 ITU-T Plenary period, the USA national security community sought to enhance global cyber resilience by transposing all of the key cybersecurity information sharing platforms into published ITU-T specifications known as the CYBEX initiative which I led. With the exception of the Russian Federation, every country supported the work. The specifications remain there in multiple languages for further development in conjunction with efforts to reduce USA dependencies.
Over the past 25 years, alternative and improved versions of the NVD began to emerge together with alternative vulnerability identifiers—first with the augmented CN NVD, then the EUVDB, and recently among the open-source community, the OSV repository and schema. The European Union Agency for Cybersecurity (ENISA) is tasked with establishing and maintaining an EU vulnerability database (EUVDB) to support EU cybersecurity efforts, including the implementation of the NIS2 Directive and the Cyber Resilience Act. The EU and many other nations are quickly moving to reduce their cyber security information dependencies on the USA.
Vulnerability repositories are one of an array of specification-based, global operational cybersecurity databases that are essential mechanisms in the cyber security ecosystem. These critical global information resilience resources are now at risk in the emerging zero trust world.
The EU and countries around the world, including the open-source communities and ITU-T, are taking defensive steps for a world of USA isolationism and hostility toward global cooperation and the rule of law by replicating critical operational ICT information resource capabilities and related technical specification collaboration. U.S. government agency cyber security programmes and resources are already being curtailed or eliminated. The responsive actions by other nations and institutions ironically significantly assist USA user cyber security because in the cyber security domain, everyone gains by sharing techniques and information.
There is a fundamental incongruity between an organization serving an essential global digital resilience stewardship role and a presence in a national jurisdiction that disavows such stewardship and the rule of law. At any moment, a vicarious tweet, Executive Order or government agency action could end or severely curtail the availability of resources and roles. It represents a clear and present danger to their mission. Private sector organisations in the USA that enjoy substantial, operational cyber resilience stewardships have the option of corporate emigration to more suitable, safer national jurisdictions.
Eighty years after the end of World War II, Europe, the Commonwealth nations and U.N. specialized agencies are providing assistance and upholding global legal norms once manifested by the United States.
NOTE: The author for 60 years has been a globalist supporter of the rule of law, democracy, human rights, DEI, CRT, European Values, vaccination and mitigation of xenophobia, racism, antisemitism and misinformation—studying in law school under the sages who helped set up the norms after World War II. This article is dedicated to colleagues at Perkins Coie who played significant roles in bringing about important cyber security legal and institutional platforms and are now being attacked for their much admired works.
Must now include preventions against Trump Executive Order Attacks.
Just as these nations are now providing refuge to many of the tens of thousands of USA scientists, engineers, cyber security specialists, lawyers, and foreign aid workers summarily removed from their jobs, proactive assistance should be increased for relocation of the multiple USA based cyber standards and information repository organisations.