The discussion in Seoul

How to better cover standardization on security

The open and panel discussion sessions of the workshop provided an opportunity to exchange views on the aspects of security that need to be covered better in standardization, and how this should be done. Participants, panellists and speakers alike made the following suggestions:

• Reinforce liaison with other standards development organizations (ISO/IEC JTC 1/SCs 6 and 27, IETF, OASIS, ISO/TC 68…) working on security in general.

• Monitor work carried out on security everywhere, consider best current practices and adopt effective solutions or complete limited specifications.

• Take advantage of the unique nature of ITU–T, its openness, its ability to discuss policy and regulatory matters, its ability to cover regional specificities and work for its recognition as an umbrella organization by the numerous and diverse organizations specifying security requirements and bring value to their activities.

• Draw on local experience (for example that of the Republic of Korea, which has a large base of broadband infrastructure and has developed various national security mechanisms).

• Consider human factors in standardization — security needs to be convenient.

What should be covered better?

Participants focused on a number of security matters, some of which are listed here:

• Provision of international guidance/awareness on security threats and prevention.

• Development of guidelines to help countries in implementing their security solutions.

• Privacy and security issues. It was questioned whether “privacy” was sufficiently covered in IMT-2000. Anonymity was considered as an important problem on the Internet (may lead to criminality). Privacy is required but we should make sure that it is provided by pseudonymity rather than anonymity.

• “Privacy and security” was preferred to “secrecy and security”. Personal information may be private but not anonymous or secret.

• Trace-back technologies. A large demand has been identified.

• The need for global certification of security products/solutions.

• The need to further develop authentication, in particular in the field of emergency telecommunications.

• Provision of support for the transition from a traditional network environment to IP-based networks.

• Intrusion. How to avoid attacks (including security problems such as illegal content, viruses, spamming…). Solutions may exist but are not well implemented.

• Definition of criteria and specifications for a critical network infrastructure.

• Provision of tools for national security agencies (for example, lawful interception).