Why You Should Be Worried About The ITU's Bizarre Claim To Have A Mandate Over Internet Security
from the looking-to-remain-relevant dept
For example, plenty of the recent discussions coming out of the ITU have been focused on internet security issues. And you could argue that there are some significant security concerns that need attention. But is the ITU the proper body for this? Almost certainly not. Anthony Rutkowski has written up a history of the ITU's relationship to security noting that, at best, the ITU has tended to completely ignore security issues, and at worst, "treated security as a kind of vague requirement." The conclusion is pretty clear. The ITU isn't the proper body to be dealing with security at all. It has neither the mandate nor the necessary expertise.
So why is this ITU security history relevant today? Because its Secretary-General's new draft of an unneeded and worthless treaty instrument called the International Telecommunication Regulations mentions the word "security" no less than 36 times. Although the term "security" is never defined, the draft leaves the impression that the ITU is competent to deal with the subject of network security.
In other words, yet another overreach by the ITU to take on something it is not qualified to handle, and which will almost certainly result in a bad situation, driven by political interests, rather than actual security issues.
The reality today is that almost all work relating to network security occurs in myriad other public-private global bodies where it is pursued on a significant scale among expert communities. It is that array of work in other venues that is used worldwide. What purports to occur in the ITU is basically irrelevant and involves a relative handful of people who appear at meetings or workshops in ITU-T, ITU-D, or the General Secretariat for the purposes of maintaining largely website-based fictions to appear responsive to some political mandate of its conferences or leadership. Although a few knowledgeable and dedicated individuals participate in its work, the ITU as an institution has not possessed in modern history, and today does not possess the competence to deal with the subject matter of network security; and treaty mandates will not alter that reality.
Any treaty-based reliance on the ITU's network security competency would be perilous for the global infrastructure and irresponsible for nation States to recognize. I should know — I was the designated leader of the ITU-T cybersecurity work for the past four years who had to deal with these realities.