ITU Workshop on creating trust in critical network infrastructures: “Straw-man” model

Outline of a Possible

“Straw-man” Model for International Coordination on the Protection of Critical Infrastructures

This “straw-man” model has been prepared by Mike Harrop, President of the Cottingham Group and former Senior Project Officer with the Canadian Treasury Board Secretariat. The model was developed during the ITU New Initiatives Workshop ‘Creating Trust in Critical Network Infrastructures’, held in Seoul, Republic of Korea from 20-22 May 2002. The opinions expressed in this study are those of the author and do not necessarily reflect the views of the International Telecommunication Union or its membership.

This straw-man model is intended to serve as a basis for discussion on how international cooperation in the area of critical infrastructure protection might be approached.

1.  Introduction

The following outline describes a possible model for an international body with the role of coordinating international cooperation in the area of network security. The possible functions, structure, mandate, constituent parts and suggested roles of such a coordinating body are included in this outline, which it is hoped will form the basis for further discussions and collaboration at international level.

2.  Functions of coordinating body

a.  Recognize, coordinate and leverage efforts of existing diverse groups;

b.  Coordinate internationally to minimize duplication of efforts;

c.  Identify and address gaps in the work and the knowledge base.

3.  Requirements for coordinating body

a.  Must be agile and highly responsive (with minimum bureaucracy and bureaucratic processes);

b.  Must be authoritative (with international backing at the highest political level);

c.  Must be effective (must achieve visible results and must avoid “turf wars”).

4.  Requirements for Participating Development and Delivery Groups

(Note: the various organizations that could participate in and contribute to CIP activities in some form are referred to here as Development and Delivery Groups.)

a.  Must be multinational;

b.  Must be multi-sectoral.

5.  Possible Structure

a.  Respected, competent leadership (Secretary General) under the auspices of an international body;

b.  One representative from each Development/Delivery Group (or possibly one representative from each participating body within each Development/Delivery Group);

c.  Necessary administrative support plus technical and policy advisors.

6.  Constituent Parts

7.  Information Flows

a.  Maximum free flow of information within groupings;

b.  Necessary and appropriate information exchange between groupings (while avoiding information overload);

c.  Sensitive information may be exchanged within and between groupings as necessary. Highly sensitive data would be exchanged only within Group 3’s constituent organizations and with the coordinating body as necessary.

8.  Possible Roles & Participation in Development and Delivery Groups

Group/Role / Possible Participation / Possible Contribution / Observations

1. Policy & Legal
   OECD / Security guidelines / Group 1 participation is likely to be predominantly from public sector organizations.
   G8 / High Tech Crime (Lyon Group)
   ASEAN/APEC

2. Technical & Standards
   ISO/IEC / Security standards work (SC 27 & TC 68)
   ITU-T / Telecommunications & security standards (SG 17, SG 2, etc.); possible clearinghouse for CNI information
   IETF / Internet issues
   Consortia / e.g. ATM Forum
   Sectoral groups / Financial services, public utilities, etc.

3. Security & Law Enforcement
   Interpol / Cooperation in identifying and containing attacks and threats; exchange of information on the nature of vulnerabilities, threat agents and countermeasures / Some information would be highly sensitive. Are there any formal alliances of CIP or national security agencies? (There are informal groups of contacts.)
   NATO
   International CIP & security agency associations

Metrics / No known groups / Identifying/developing quantitative assessment measures / (QoS work has been carried out in ISO and ITU.)

Others / TBD / TBD / To be identified as needed.

9.  Acronyms

ASEAN Association of South East Asian Nations

APEC Asia-Pacific Economic Cooperation

CIP Critical Infrastructure Protection

CNI Critical Network Infrastructure

G8 Group of 8 (Canada, the European Union, France, Germany, Italy, Japan, Russia, the United Kingdom and the United States)

IETF Internet Engineering Task Force

Interpol International Criminal Police Organization

ISO International Organization for Standardization

ITU International Telecommunication Union

ITU-T International Telecommunication Union Standardization Sector

OECD Organization for Economic Cooperation and Development

NATO North Atlantic Treaty Organization

QoS Quality of Service

SC Subcommittee (within ISO)

SG Study Group (within ITU-T)

TC Technical Committee (within ISO)
