Threat analysis of the WCIT part 4: The ITU and Cybersecurity

Previous blogs about the ITRs emphasized the importance of interconnection agreements and flows of funds in driving the WCIT agenda. These articles, while correct, may have underestimated the degree to which bringing cyber-security into the ITRs is also a central arena for conflict and negotiation.

I have argued that the securitization of the Internet constitutes one of the main dangers to its freedom. Just as an appeal to patriotism was once described as the “last refuge of a scoundrel,” all kinds of scoundrelly proposals to stifle free expression, invade privacy, abolish anonymity, restrict new businesses and elevate state power invoke cyber security as the rationale. At the same time, who can oppose efforts to improve the security and privacy of digital services and the Internet infrastructure? The problems of cybercrime, botnets, DDoS attacks, rampant unauthorized surveillance, cyber-espionage and state-sponsored attacks are real. Thus, discussions of cyber-security must be careful and measured in their approach. They should be grounded in an awareness that there is a legitimate need for action, but mindful of the abuses and manipulations that can masquerade under the banner of security.

It is clear that the ITU has seized on cyber-security as an arena in which it can assert its relevance. But that is not surprising; such a strategy for gaining attention, participation and funding mirrors that of numerous Washington DC policy institutes and various US government agencies. Furthermore, most of what the ITU does around cybersecurity is basically education and capacity building. ITU Plenipotentiary Resolutions 130 and 146 are typical of the kind of approach the ITU takes; if you can make your way through the bureaucratese, they involve providing assistance on request to developing countries.

Aside from its X.509 standards for public key infrastructure, which many applications have found extremely useful, the ITU-T has not won for itself a strong role in setting standards that are relevant to the full panoply of cyber-security issues. ITU has little regulatory capacity and relies almost entirely on member states for policing and enforcement of whatever rules it passes.

Thus it is hard to imagine the ITU as a powerful or uniquely threatening player in computer and Internet security. The U.S. government, which is powerful and (sort of) well-funded, has had enormous troubles changing the network security practices of its own departments and agencies. The idea that the ITU can serve as the nexus for dictating and strongly shaping the security and identification practices of thousands of public operators, tens of thousands of private networks, and billions of devices worldwide lacks credibility.

In reality, the greatest cyber-security-related threats to Internet freedom come from national governments, not from the ITRs. National sovereignty and claims of national security already allow states to do all kinds of repressive, warlike things to all forms of international (and domestic) communications, such as block and filter content, ban or regulate devices, and restrict access. Articles 34, 35 and 37 of the ITU constitution already recognize the right of sovereigns to promote their own national security and to cut off communications in various ways. Quite apart from those ancient rules, in a basically anarchic international system a sovereign state has a de facto right to do whatever it wants in matters of national security until and unless other states gang up on it. So it is difficult to see how modifications to the ITRs could dramatically increase the threat of kill switches and the like.

Canadian scholar Dwayne Winseck emphasizes the degree to which current ITU treaties are based on the sovereigntist model. As he puts it, perhaps a bit excessively, the ITU treaties have been authorizing “Intercepting, Suspending and Blocking the Flow of Information since the 1850s.” But even as it enables repressive action, sovereignty also serves as a check and balance. Each state has a high degree of autonomy, shielding them from regulations and practices adopted by other states. The national interests of different states can cancel each other out.

Thus, the most significant political drivers of law and public policy toward cyber-security are to be found at the national level. (In the private sector, in contrast, the perspective and scope of action tends to be transnational, contractual and operational.) Indeed, reading the relevant proposals in TD-62, one can only be impressed with how broad, unfocused, uninformed and sometimes naïve the cyber-security related proposals can be. Most of them ask member states to do generic things like “stop spam,” “protect data and network integrity,” or “supervise enterprises operating in their territory” to ensure that they “use ICTs in a rational way.” Then there’s my favorite: “ensure Internet security and stability.” The African countries’ proposal for a new Article on Security is almost lifted verbatim form a March 2010 US Presidential Declaration entitled “Cyberspace Policy Review.”

At their worst, the ITR proposals try to prevent international communications that “interfere in their internal affairs,” or undermine their “sovereignty, national security, or territorial integrity.” Those proposals, which focus on “subversive content,” sound quite reactionary in today’s global public sphere, which was created by the borderless information flows of the Internet. But it is hard to see how they authorize anything that national governments cannot already do. We seem to forget that such proposals are not much of a departure from the legal and normative status quo. Current international communications, both legally and in operational reality, are already formed around the sovereigntist/national security model. That’s why Bradley Manning is in jail and Wikileaks is persecuted; that’s why China constructed the Great Firewall; that’s why South Korea censors Internet access to North Korea and vice versa; that’s why France prosecuted Yahoo for displaying Nazi memorabilia.

And that leads to our next point. The big push for cyber-security regulations in the ITRs is led by Russia. This may reflect Russia’s inability to get the U.S. engaged in cyber-security treaty negotiations in other venues. Since 1998, Russia has supported – and the U.S. has opposed – the development of a treaty that would ban the use of cyberspace for military purposes. Although the U.S. position has changed under Obama and some new forms of cooperation are underway,[1] the Russians still see themselves as the weaker party in the cyber-warfare game and would like a treaty similar to the chemical weapons agreements, which prohibit the use of certain technologies as weapons. The recent leaks about the US role in developing Flame and Stuxnet should make it clear why the US has been unwilling to bind itself to any such limitations. Coupled with its superior technical capabilities, its globally strong Internet industries and its control of the DNS root, the U.S. probably appears as a significant cyber-security threat to many other countries.

Similarly, the strong support of Arab states for some of the Russian cyber-security proposals stems not only from the fact that many of them are dictatorships uncomfortable with the free flow of information, but also from their concerns about Israel‘s technological superiority in network surveillance and monitoring technologies and its cooperation with the US in the joint development of cyber weapons.

So it is predictable that the Russians and other semi-hostile states would try to insert as many guarantees of cyber-security and cyber-sovereignty into the ITRs as possible. It is the vehicle most available to Russia and other countries who feel threatened by the cyber capabilities of other nations.

But this reliance on the ITRs is in many respects a sign of weakness. The ITRs are a fairly lame instrument with which to attempt shielding oneself from global information flows and cyber-attacks, much less for comprehensive regulation of computer and internet security. The ITRs are fundamentally about the relationships among public telecommunication network operators. While there are attempts to extend its definitions to include international Internet termination, as noted previously those definitional adjustments are contested by powerful states. Even if the definitions were broadened, it is unlikely that the ITRs can ever have a lot of teeth in the cyber-security arena. The Internet is a network not just of a few hundred public carriers but of tens of thousands of private networks, millions of applications and billions of heterogeneous devices. Technical standards are set by a diverse set of private, usually voluntary associations. Most of the relevant standards in the cyber domain are set by device, software and application providers over whom the ITU has little leverage. The ITU lacks a compulsory standard-setting capability even in its own realm, though there are proposals to make a few ITU-T recommendations “requirements.”

The bottom line is that the biggest threats posed by the ITRs’ proposed forays into network security can be reduced to the definitional issue. If definitions are expanded to include Internet as an international telecommunication service and cyber-security as part of the ITRs’ remit, we have a problem. The problem is not as epic as some make it out to be, and not as significant to end users as the threats posed by unilateral actions by their own national governments. But it would be troublesome indeed to mix telecom regulation with cybersecurity and Internet regulation, in an already complex ecosystem. And it would be a truly bad sign if a critical mass of governments wanted to regulate Internet security through the ITRs badly enough to alter the definitions over the objections of the U.S. and the Internet technical community.

On the other hand if the definitions are not expanded, there is little harm the ITRs can do to Internet security governance.Thus, civil society should insist that: a) ITU standards remain recommendations, not requirements; b) the ITRs and their definitions stick closely to their original mission regarding layers 1 and 2 of the infrastructure.

I will review a few of the specific proposals in the known WCIT documents. The proposed amendments include many references to spam, some of them poorly defined.  Some have argued that these references open the door to internet content regulation. Here I agree with Winseck’s analysis: the spam-related proposals seem anodyne in content, merely urging countries to adopt “national legislation” (many already have), “to cooperate to take actions to counter spam” (many already do), and “to exchange information on national findings/actions to counter spam” (what’s wrong with that?). There is no evidence that spam references constitute the thin edge of a wedge that will lead to ITU jurisdiction over Internet content. Yet still, hewing to a hard line on the definitional issue, I would not want to see any mention of spam in the ITRs, because it is an information services issue rather than a telecommunications issue.

Another proposal says that

A Member State shall have the right to know through where its traffic has been routed, and should have the right to impose any routing regulations in this regard, for purposes of security and countering fraud.

This proposal, a bad one, probably reflects the Arab states worrying about routing through Israel. (Interestingly, according to a March 2012 summary by a US law firm, the US did not initially object to this proposal, but later joined the Uk, Sweden and CEPT in opposition.) At any rate, the import of this proposal hinges on what kind of traffic we are talking about. If the Internet and its information services are not part of the definition of international telecommunication services, its references to routing apply only to telecommunication circuits. If Internet services are included, such a regulation might legitimate interference with BGP and Internet routing. Even so, I fail to see what such a provision accomplishes that could not already be accomplished by national regulation of their Internet service providers or telecom companies. The same is true of the references to “Originating Identification” in the proposed revisions. If you think this applies to the Internet (which it does not and cannot) it sounds troublesome. If it applies to calling line identification (CLI; i.e., caller ID) made possible by the SS7 telecommunications circuit-switched environment, it’s routine stuff.

At the end of a reasonably sane overview, Winseck suddenly turns gloomy. He apparently feels that proposals to add a new section 8A containa raft of threats that, in their entirety, would usher in the foundation of controlled and closed national internet spaces that are subordinate to the unbound power of the state in every way.” The proposal that seems to have inspired those dark musings was this Russian contribution:

Member States shall ensure unrestricted public access to international telecommunication services and the unrestricted use of international telecommunications, except in cases where international telecommunication services are used for the purpose of interfering in the internal affairs or undermining the sovereignty, national security, territorial integrity and public safety of other States, or to divulge information of a sensitive nature.

I just don’t see that much of a threat. First, it should be pointed out that this is only one of about five different proposals for the same paragraph, and none of the others contain the bad language. The existence of other proposals indicates that there is no consensus on this one. One could also point out that all of the Russian proposals to enlarge the role of the ITU in Internet governance made at the 2010 Plenipot failed.

Of course it is true that many national governments would wish to have controlled and closed national Internet spaces, but it is also true that many national governments don’t. Most businesses, engineers and civil society activists will strongly agitate against such closure. But governments that want to do this can accomplish the goal much easier by acting unilaterally; they don’t need the ITRs. Remember my fundamental premise: the biggest threats to Internet freedom come from the actions of national governments with effective control over their territories.

If, contrary to my premise, someone asserts that the ITRs provide an opportunity to lend legitimacy to repressive actions at the national level, I would partly agree, partly disagree. Assuming that civil society remains vigilant and observant, as it now is, any attempts to establish new, restrictive norms via the ITR process will lead to public debates that are more likely to discredit such assaults on the free flow of information than legitimize them. Furthermore, a mere assertion in an international regulation that one will block incoming information “of a sensitive nature” does not automatically create the means to do so. In a world of ubiquitous tablets and mobile devices, that’s not easy to do.

So yes, civil society and internet freedom advocates should mobilize around the WCIT to promote Internet freedom norms. But they should not blow the ITRs out of proportion. Similar policy issues around cyber-security, privacy and freedom of expression arise in ICANN, in intellectual property treaties masquerading as trade agreements, in European Commission Directives and in the exercise of extraterritorial jurisdiction by superpowers. There is nothing especially momentous about the ITR negotiation, in my opinion. Threat assessment should be based on an understanding of the implementation requirements of the policy proposals and the likelihood that they will garner the needed political support, not just on reading words and assuming that such words can be instantly translated into operational practice across 190 nation-states.

Equally important, civil society should not begin by conceding that the ITRs are even applicable to the Internet. The definitional issue remains the crucial one. And it is still open.



[1] A group of cybersecurity specialists and diplomats representing the United States, Belarus, Brazil, Britain, China, Estonia, France, Germany, India, Israel, Italy, Qatar, Russia, South Africa and South Korea agreed on a set of recommendations to the United Nations secretary general for negotiations on an international computer security treaty. See NYT: http://www.nytimes.com/2010/07/17/world/17cyber.html


6 comments

  1. Pingback: Fogo de palha ou rastro de pólvora? ONU, UIT e governança da Internet - Observatório Brasileiro de Políticas Digitais
  2. Pingback: Former CIA, DHS Officials Want to Remove Wiretap Restrictions on Cybersecurity – The Netizen Project
  3. Pingback: La cyberguerre froide » OWNI, News, Augmented
  4. Pingback: The Cyber Cold War » OWNI.eu, News, Augmented
  5. Pingback: WCIT : la conférence mondiale qui va décider dans l’ombre de la gouvernance d’Internet ! « La société solidaire des hommes et durable pour la planète
  6. Pingback: La cyberguerre froide