The discussion in Seoul
How to better cover standardization on security
The open and panel discussion sessions of the workshop
provided an opportunity to exchange views on the aspects of security that need
to be covered better in standardization, and how this should be done.
Participants, panellists and speakers alike made the following suggestions:
• Reinforce liaison with other standards development
organizations (ISO/IEC JTC 1/SCs 6 and 27, IETF, OASIS, ISO/TC 68…) working on
security in general.
• Monitor work carried out on security everywhere, consider
best current practices and adopt effective solutions or complete limited
specifications.
• Take advantage of the unique nature of ITU–T (its
openness, its ability to discuss policy and regulatory matters, and its ability
to cover regional specificities), work for its recognition as an umbrella
organization by the numerous and diverse organizations specifying security
requirements, and bring value to their activities.
• Draw on local experience (for example that of the
Republic of Korea, which has a large base of broadband infrastructure and has
developed various national security mechanisms).
• Consider human factors in standardization — security
needs to be convenient.
What should be covered better?
Participants focused on a number of security matters, some of
which are listed here:
• Provision of international guidance/awareness on security
threats and prevention.
• Development of guidelines to help countries in
implementing their security solutions.
• Privacy and security issues. It was questioned whether
“privacy” was sufficiently covered in IMT-2000. Anonymity was considered
an important problem on the Internet (it may lead to criminality). Privacy is
required, but we should make sure that it is provided by pseudonymity rather
than anonymity.
• “Privacy and security” was preferred to “secrecy
and security”. Personal information may be private but not anonymous or
secret.
• Trace-back technologies. A large demand has been
identified.
• The need for global certification of security
products/solutions.
• The need to further develop authentication, in particular
in the field of emergency telecommunications.
• Provision of support for the transition from a
traditional network environment to IP-based networks.
• Intrusion. How to avoid attacks (including security
problems such as illegal content, viruses, spamming…). Solutions may exist but
are not well implemented.
• Definition of criteria and specifications for a critical
network infrastructure.
• Provision of tools for national security agencies (for
example, lawful interception).