A United Nations telecommunications agency is denying allegations that it is trying to take over regulation of the Internet following vocal concerns from U.S. lawmakers, tech journalists, companies and advocacy groups.
“There has been some breathless news coverage recently of a supposed UN Plot to Control the Internet,” wrote blogger Mark Leon Goldberg in a post on the website U.N. Dispatch on Monday, “This is false.”
But recent pronouncements by the agency in question, the International Telecommunications Union, indicate that it does in fact see its role evolving in the fact of increasingly public cyber threats, specifically malware like Stuxnet and the recently-discovered Flame, which are said to be state-sponsored espionage programs (a joint U.S.-Israeli project, in the case of Stuxnet, according to a recent report in The New York Times).
After three cyber security firms in late May announced the discovery of the Flame malware — a Windows-based espionage tool found on hundreds of computers in the Middle East capable of capturing and transmitting everything from keystrokes to screenshots to audio conversations near a computer using its built-in microphone — the ITU quickly responded by sounding the alarm to its 193 member countries.
“This is the most serious (cyber) warning we have ever put out,” ITU cybersecurity chief Marco Obiso told Reuters at the time.
Indeed, the ITU posted an official news release on May 31 calling for a “global collaboration to tackle cybersecurity threats.”
As ITU Secretary-General Hamadoun Touré put it:
“Flame is a prime example of why governments and industry must work together to tackle cybersecurity at the global level. Early warning of new threats is vital and it is critical that best practice on required corrective steps is shared in order to best protect the global information society. This is the value in building a global coalition”.
The timing of the ITU’s pronouncements is thought not to be a coincidence, coming ahead of two important ITU events later this year, both set to take place in Dubai: First up is the ITU’s second-ever industry conference on October 14 through October 18, a conference that will feature cybersecurity as a prominent theme. It’s backed by Kaspersky Labs, a Russian cybersecurity firm that the ITU contracted to look into data-wiping malware on Iranian oil sector computers. It was while looking for this data-wiping malware that Kaspersky first stumbled across the Flame malware.
Kaspersky did not answer questions about its connection with the ITU conference in time for the publication of this piece. The ITU earlier told TPM that it would issue a “Q&A” on Flame this week, but has yet to publish this.
The second ITU event coming up is even more important: Called the World Conference on International Telecommunications, the meeting amounts to a formal review and renegotiation of the current international telecommunications regulations, last revised in a 1988 treaty, before the advent of many modern technologies including the commercial Internet, widespread cable television, and mobile devices.
On Monday, the ITU announced that its working group would host a “final meeting” to plan the revisions that would take place in Geneva on June 20 to June 22.
It’s precisely these negotiations that worry U.S. lawmakers and advocacy groups, even prompting a new U.S. bill that would codify that the U.S. stance going into the negotiations will be “to promote a global Internet free from government control.”
The concern comes from that countries that make up the ITU membership, including all of those in the U.N., such as the United States, Iran, Russia and China. The ITU has been accused in the past by U.S. officials of giving too much weight to Russia and China in those countries’ efforts to impose higher prices and tighter controls on global Internet traffic.
But the ITU denied that any country or consortium of countries would be able to hijack the discussions. That said, the ITU does recognize that any renegotiation of international telecom regulations should respect those countries that censor the Internet and impose other restrictions on it. In a statement provided to TPM, an ITU spokesperson wrote:
“As you know, all countries impose some restrictions on various forms of speech, including telecommunications, for example to protect copyright owners and to prevent defamation. Some countries go further and restrict the use of telecommunications for areas such as pornography, gambling, hate speech, negation of genocide, and even certain types of political speech. Such restrictions are permitted by article 34 of the ITU’s Constitution, which provides that Member States reserve the right to cut off, in accordance with their national law, any private telecommunications which may appear dangerous to the security of the State or contrary to its laws, to public order or to decency. And the treaty that will be negotiated in Dubai cannot contradict that provision.”
Whether those types of countries are having any undue sway or not, the stance taken by the ITU on Flame represents a marked change in the agency’s mission and self-conception. The ITU, which was founded 147 years ago (predating the U.N. itself) as the “International Telegraph Union,” an effort to standardize telegraph communications, has since its inception essentially limited its ambitions to coordinating new telecom standards, such as establishing the guidelines for what can be considered 3G and 4G wireless network service.
The ITU’s own website states its goals are to “allocate global radio spectrum and satellite orbits, develop the technical standards that ensure networks and technologies seamlessly interconnect, and strive to improve access to ICTs to underserved communities worldwide,” but says nothing about cybersecurity.
Even the ITU’s constitution, last revised in 2010, makes no mention of cyber security per se, although it does note that it will strive to “harmonize the actions of Member States and promote fruitful and constructive cooperation and partnership” and “promote the use of telecommunication services with the objective of facilitating peaceful relations.”
When asked about how the ITU envisions its own role going forward, a spokesperson told TPM that “various ITU members have made various proposals regarding the role that ITU may take in the future. It is important to distinguish the ITU, which is comprised of its members, from the ITU Secretariat, whose role is to assist the members in sharing their views and discussing them with a view to achieving consensus.”
Some though, would welcome the idea of the ITU taking a more active role in setting up an international cybersecurity structure. Aside from Kaspersky Labs’ CEO Euguene Kaspersky, who on Wednesday said at a cyber security conference in Israel that only a global effort could stop cyber war, a group of ethics and computer science professors published a lengthy piece in the Atlantic calling for “international agreements” to establish a framework for “just” cyber espionage and cyber attacks.
