Why You Should Be Worried About The ITU's Bizarre Claim To Have A Mandate Over Internet Security

from the looking-to-remain-relevant dept

So why is this ITU security history relevant today? Because its Secretary-General's new draft of an unneeded and worthless treaty instrument called the International Telecommunication Regulations mentions the word "security" no less than 36 times. Although the term "security" is never defined, the draft leaves the impression that the ITU is competent to deal with the subject of network security.



The reality today is that almost all work relating to network security occurs in myriad other public-private global bodies where it is pursued on a significant scale among expert communities. It is that array of work in other venues that is used worldwide. What purports to occur in the ITU is basically irrelevant and involves a relative handful of people who appear at meetings or workshops in ITU-T, ITU-D, or the General Secretariat for the purposes of maintaining largely website-based fictions to appear responsive to some political mandate of its conferences or leadership. Although a few knowledgeable and dedicated individuals participate in its work, the ITU as an institution has not possessed in modern history, and today does not possess the competence to deal with the subject matter of network security; and treaty mandates will not alter that reality.



Any treaty-based reliance on the ITU's network security competency would be perilous for the global infrastructure and irresponsible for nation States to recognize. I should know — I was the designated leader of the ITU-T cybersecurity work for the past four years who had to deal with these realities.


We just recently wrote about how the UN's ITU (International Telecommunications Union) has been seeking to massively expand its mandate to take over international governance issues related to the internet, based on no real mandate other than one of its own making. Because of this, there are reasonable fears that it will end up creating dangerous rules that favor the incumbent telcos (often closely associated with certain governments) over what's actually best for the internet. Part of that analysis suggested that this was about the ITU trying to remain relevant in any way it could. After all, the core reason for the ITU existing for more than a century and a half was to deal with how different telcos would do the kinds of things that people no longer rely on telcos for. Because of that, they've basically been pretending that they should be involved in all sorts of unrelated things.

For example, plenty of the recent discussions coming out of the ITU have been focused on internet issues. And you could argue that there are some significant security concerns that need attention. But is the ITU the proper body for this? Almost certainly not. Anthony Rutkowski has written up a history of the ITU's relationship to security noting that, at best, the ITU has tended to completely ignore security issues, and at worst, "treated security as a kind of vague requirement." The conclusion is pretty clear. The ITU isn't the proper body to be dealing with security at all. It has neither the mandate nor the necessary expertise.

In other words, yet another overreach by the ITU to take on something it is not qualified to handle, and which will almost certainly result in a bad situation, driven by political interests, rather than actual security issues.

Filed Under: internet security, itu, un