Export Compliance Daily is a service of Warren Communications News.

Global Platform for Cybersecurity Sought Through Standards

GENEVA -- Draft ITU-T standards aim to spur international involvement, collaboration, evidence exchange and information sharing for cybersecurity, participants said after an ITU-T meeting last week.

A Global Cybersecurity Information Exchange Framework will be proposed for approval at a September study group meeting. The framework may incorporate European Telecommunications Standards Institute specifications on lawful interception and ITU-T specs on deep-packet inspection.

Significant steps were taken “to bring about the global platform for cybersecurity” in the recent White House cybersecurity report, said Tony Rutkowski of Yaana Technologies. The work is globalizing open, best-of-breed platforms developed by the U.S. government and with significant industry use, said Rutkowski, who chairs the work. “We're not inventing any new protocols,” he said.

A structure for exchanging cybersecurity information requests and data is the aim, participants said. Cybersecurity information is defined as the “state” of equipment, software or networks as well as incident forensics, analysis and signatures, and other characteristics, draft text said. The recommendation was proposed by Little eArth Corporation, Japan’s Nara Institute of Science and Technology, Mitre Corporation, Cisco, the CERT Coordination Center, Yaana Technologies and the U.S. Department of Defense.

Fast-spreading viruses, worms and botnets impose financial costs while network administrations work online to figure out vulnerability patches and plugs, a draft text said. One motivation for the ITU-T work is to expand the number of experts and systems using exchanged data and information, Little eArth said. Technical specifications on an interoperable platform for exchanging security-related information between trusted parties are the ultimate goal, the company said.

Other perspectives should be consulted for developing collaboration models, Little eArth said, referring to national CERTs and others. The ITU-T should work with the Forum of Incident Response and Security Teams to spur information exchange, participants said. A 2008 World Telecommunication Standardization Assembly resolution called on ITU-T to encourage developing countries’ Computer Incident Response Teams, a meeting document said.

A rapidly growing number of national CIRTs are emerging independently of each other, participants said. Information exchange is somewhat unstructured, but many larger CIRTs have developed platforms, participants said. Initial action following the WTSA resolution should focus on developing a coherent approach to structuring CIRTs and related organizations, a proposal said. The draft recommendation on information exchange is designed to structure information exchange and provide a comprehensive set of capabilities for CIRTs, a proposal said. The ITU Telecommunication Standardization Bureau, FIRST and others should maintain an authoritative global namespace for CIRTs and cybersecurity information exchange organizations in a dedicated domain, it said.

The group also gave a preliminary nod to a global object identifier (OID)-based domain using the worldwide alert model to facilitate identification of organizations and information for exchange, especially between CIRTs, Rutkowski said. The OID namespace preceded DNS and is widely used for all kinds of distributed object labeling, he said. The approach allows for organizational autonomy, while providing for global discovery and interoperability, Rutkowski said. The guidelines for identifier domain assignment and implementation will also be submitted for approval to the September study group meeting.

The meeting last week also tackled related matters. South Korea wants to expand work on a trace-back mechanism on network events. This refers to processes for reliably identifying the source of IP packets, which may or may not be spoofed. The proposal defines the traceback framework and mechanisms for globally interoperable systems. South Korea also floated text on a new framework for countering cyberattacks in Session Initiation Protocol-based services like VoIP, instant messaging, videoconferencing and others. Session hijacking, denial of service, service misuse and brute force attacks can hurt SIP-based services, South Korea said. Detecting cyberattacks on SIP-based services requires capturing, monitoring and inspecting signaling and media channel packets. Deep-packet inspection is needed for inspecting messages at the application layer, South Korea said.

South Korea also offered text on a framework for botnet detection and response. Botnet masters can send spam, launch distributed denial of service attacks, capture personal information, and threaten Web site owners. Enterprise networks detecting botnet traffic should pass information to CERTs or other security authorities and domains, South Korea said.

New standards will be developed for an evidence exchange file format, a meeting document said. A South Korean proposal floated in February said computers and other electronic devices used for crime may contain evidence. Interoperability of digital forensic systems is the main purpose of the digital evidence exchange format, the proposal said. Sending digital evidence across a network risks interception, but the format doesn’t include a protection scheme, the proposal said. The security of digital evidence relies on whatever network or national policy or regulation applies, South Korea said.