Cybersecurity: what’s the ITU got to do with it?

In the seventh instalment of the FOC Working Group 1 (WG1) blog series, guest author Sheetal Kumar from Global Partners Digital explores the work and mandate of the ITU as it relates to cybersecurity and reflects on recent and future opportunities for civil society engagement.

“It is clearly essential to protect the right of the freedom of expression; the right to communicate; and the right to privacy. But we must recognize that none of these freedoms can exist without security — especially in the online world.”

Hamadoun Toure, previous Secretary-General of the ITU

This blog aims to assist civil society in engaging in ITU processes and activities related to cybersecurity. It first explains the connections between the broader mandate of the ITU and its cybersecurity-related activities, situating these within the organizational structure of the ITU. Then, through the example of two ITU high level events where cybersecurity featured on the agenda, it illustrates how the ITU and its mandate have recently presented an arena for the confrontation of different states’ contesting models of internet governance, expressly relating to the roles and responsibilities of different stakeholders. Finally, recent opportunities and challenges for civil society engagement are examined.

Responsibility and context

The ITU is a specialized agency of the UN, responsible for information and communication technologies. As a standard-setting body, which was historically among the first to coordinate international telecommunications standards among states, the work of the ITU continues to play a role in preserving and shaping the underlying telecommunications infrastructure on which global communications depend. For example, it established telephone numbering and addressing systems, including the international calling codes that enable people to communicate across the world, despite the use of different networks or devices. In addition, it maintains standards that ensure the interoperability of satellite systems which offer broadband voice, data, video, mobile communications, and high speed internet access. The ITU also regulates the spectrum radio bands which determine how radio spectrum frequency, including its uses for wireless and mobile telephony, is divided and allocated.

The ITU’s work is generally understood to impact the “infrastructural layer” of the internet (or layers 1 and 2 as opposed to the “content” layer, or layer 3). However, the unique characteristics of the internet mean that distinctions between “technical”, “regulatory”, “commercial” and “policy” issues are not always clear-cut and are subject to different interpretations by different actors. For example, spam and malware have the potential to damage networks (and their underlying infrastructure) and are thus generally understood to be “cybersecurity” related issues. Yet, spam and malware are also content-related issues; regulation to combat spam could increase censorship and thus impact freedom of expression through the guise of “protecting networks from the distribution of malicious content”. Therefore, in practice these layers may overlap.

As in other UN bodies, which are fundamentally intergovernmental in nature, civil society engagement is traditionally limited at the ITU. All binding decisions, for example, are made solely by member states. At high level meetings where changes to treaty-level documents can be made, civil society members must apply to participate through their national delegations and, therefore, are not independently represented in negotiations. For this reason, civil society input into ITU processes depends in part on the openness of a country delegation to multi-stakeholder engagement. However, as is discussed in the final section, a number of recent changes have been made in improving the transparency of ITU procedures as well as openness to stakeholder groups beyond government and industry.

The ITU and cybersecurity

The relation of cybersecurity to the work of the ITU may, on the outset, seem relatively straightforward as cybersecurity is closely related to the security of the networks and the infrastructure that the ITU helps to shape through the technical standards it develops and maintains. Yet, the ITU’s remit within the field of cybersecurity, and in the wider framework of internet-related public policy issues, has recently proven contentious. The reasons for this relate to the disruptive and unique nature of the internet. These unique characteristics are also situated within a particular regulatory and economic context, stemming from the liberalization of telecommunications in the 1980s. Consequently, as an intergovernmental body, the ITU’s role has not always sat easily within this highly integrated, telecommunications landscape where the governing roles and responsibilities are multifaceted and distributed among a wide variety of both public and private actors.

The work of the ITU falls into three sectors: radio-communication (ITU-R), telecommunications standardization (ITU-T) and telecommunication development (ITU-D). Depending on the sector’s remit, sector members set technical standards, implement capacity-building programs and promote policies with the aim of ensuring interoperability or the coordinated functioning of the world’s telecommunications infrastructure. Cybersecurity is a cross-cutting issue addressed by the ITU, although for the most part its cybersecurity related activities are carried out within the remit of the ITU-T and ITU-D sectors.

The ITU defines cybersecurity as “the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurances and technologies that can be used to protect the cyber environment and organization and users assets” [1]. As Jan-Frederik Kremer identifies, this definition focuses on “risks” rather than threats, implying a need for proactive strategies or the implementation of long-term risk management strategies, reflected through its capacity-building initiatives [2].

Much of the current cybersecurity work of the ITU draws from its key role as a facilitator of the objectives of the United Nations Summit, the World Summit on the Information Society (WSIS). The ITU was authorized to take a leading role in the preparations and follow-up of the WSIS, which took place over two phases (in 2003 in Geneva and 2005 in Tunis). Apart from its organizational role, the ITU is also tasked with facilitating action line 5, “building confidence and security in the use of ICTs”, the action-line which underpins most of its cybersecurity activities. However, the ITU’s work program on cybersecurity predates the 2003/2005 WSIS; the main ITU resolution related to cyber-security is Res. 130 “Building confidence and security in the use of ICTs”, which was first endorsed by ITU members at the 2002 ITU Plenipotentiary in Marrakesh.[3]

Drawing from the responsibilities contained within action line 5, the ITU launched its Global Cybersecurity Agenda (GCA) in 2007, which defines the cybersecurity ‘areas of work’ on which it collaborates with other stakeholders: legal measures, technical and procedural measures, organizational structures, and capacity building and international cooperation. Central to the implementation of the GCA is the initiative “IMPACT”, which is “tasked with the responsibility of providing cybersecurity assistance and support to ITU’s 193 Member States and also to other organizations within the UN system”.

Other current ITU cybersecurity related activities include: The Global Cybersecurity Index, a project to measure the cybersecurity capabilities of nation states by ranking their level of ‘cybersecurity development’; Enhancing Cybersecurity in Least Developed Countries, a capacity building project which includes the production of guidelines on cybersecurity legislation, regulation and technologies, equipment and solutions distribution and capacity building; CIRTs: A capacity building programme to assist countries in establishing their National Computer Incident Response Team (CIRT); and a child online protection (COP) initiative.

In addition to this development and capacity building work within the ITU-D, the standardization sector of the ITU, ITU-T, is tasked with security-related technical standardization or “producing standards with the aim of facilitating secure network infrastructure, services and applications”.[4] In this way, the work of the ITU-D as described above in measuring cybersecurity capabilities and building the capacity of countries is also complemented by the work of the ITU-T.

Processes & structures

The ITU is an intergovernmental organization composed of 193 member states as well as 700 public and private sector companies. Its day-to-day work is carried out by sector members through study groups within each sector, the ITU-D, ITU-R and ITU-T. Although sector membership is open to member states and non-governmental organizations, the latter are usually drawn from private industry, regional organisations [5], other technical organizations as well as academic organizations [6].

Civil society input remains limited as membership fees are expensive [7] and working documents are closed to sector members. Sector members are provided access to ‘TIES’ accounts, without which consultation of working or meeting documents such as those of the security-specific Study Group 17 is not allowed. Study Groups produce standards or “recommendations” which have non-binding status unless incorporated into national law [8].

Overall governance of the ITU is provided by the Plenipotentiary, a three-week meeting which takes place every four years. At the Plenipotentiary, any changes to the ITU Constitution and Convention which have ‘treaty’ status and are binding on signatory member states, are decided upon [9]. As the ITU website describes, “the Plenipotentiary Conference is the supreme organ of the Union. It is the decision making body which determines the direction of the Union and its activities”.

Conferences which relate more specifically to the mandates of the different sectors, that is the World Radiocommunication Conference (WRC) and World Conference on International Telecommunications (WCIT) , amend administrative regulations (e.g the Radio Regulations and the International Telecommunications Regulations, respectively). Taken together, the Constitution, Convention and Administrative Regulations are binding on member states.

The ITU Council, on the other hand, acts as the Union’s governing body in the interval between Plenipotentiary Conferences and facilitates the implementation of the provisions of the ITU Constitution, the ITU Convention, and the Administrative Regulations. In addition, Council working groups (CWGs) are established as a result of resolutions during high-level meetings to take forward discussion of particular issues. CWGs are open to member states only although the Terms of Reference (ToR), which define the mandate and scope of the CWG’s activities are publicly available. For example, the Council Working Group on International Internet-related Public Policy Issues’ mandate is to “identify, study, and develop matters related to specific international Internet-related public policy issues” and it recently amended its ToR to include open consultations with all stakeholders.

WCIT 2012 & Plenipotentiary 2014

In 2012, the ITU convened the WCIT (WCIT 2012) to review the International Telecommunications Regulations (ITRs). The ITRs, one of the ITU’s four treaty documents, establishes principles “relating to international telecom by facilitating global interconnection and interoperability and promoting efficiency and availability of international telecom services”. As the ITRs are binding on member states, any changes to increase the regulatory capacity of the ITU relating explicitly to network security, would have spelled a greater role for the body in addressing cybersecurity. Furthermore, because the ITU remains an intergovernmental body, any changes in this regard would have left civil society with little bargaining power in any decision-making related to an expanded regulatory remit.

Both at the WCIT 2012 and the Plenipotentiary 2014, a number of countries, including Russia, Saudi Arabia and the UAE tabled proposals to broaden the scope of the ITU in governing the administration of the internet by, for example, making the currently voluntary ITU sector recommendations binding or by establishing the ITU as a forum for the coordination of internet-related public policy. These proposals were framed as a means to “correct historical imbalances” resulting from the perceived “dominance of the US” over the internet. On the other hand, some of the countries which tabled the proposals also simply promote strong state-centric control over internet use and see the ITU as a vehicle through which they can push for this greater state-centric regulation.

Some of the main sources of contention relating to cybersecurity proposals at the WCIT 2012 related to proposals on Articles 6 (protecting the security and robustness of networks) and 7 (on spam “or the unsolicited bulk electronic communications”) of the ITRs.

At the Plenipotentiary 2014, India tabled a proposal for a new resolution entitled “ITU’s role in realizing Secure Information Society” relating to Internet resource allocation to “promote better security” by allowing for “local routing of domestic traffic and address resolution” and by establishing “sovereign monopolies over Internet resource allocation” [10]. Although India’s proposal did not receive enough support from other delegations and was struck down, it may be re-tabled in the future. In fact, many of the questions relating to cybersecurity that surfaced at the WCIT and the Plenipotentiary will not “disappear”. Proposals for resolutions which seek to use the ITU as a means by which to enhance greater state control over the internet and to do so in the name of “promoting greater security” are almost guaranteed to crop up again.

So far, despite the attempt by some states to push again for revisions and to expand the role of the ITU, currently, all ITU resolutions related to cybersecurity, the role of the ITU and member states are limited to “pursuing dialogue”, “promoting greater cooperation”, or “encouraging further study” [11].

Ultimately, the outcomes of the WCIT 12 and the Plenipotentiary 2014 could be perceived as “a lot of hot air” because no drastic changes were made to the ITU’s binding documents. Yet, both provide an example of states’ increased perceived importance of control over information flows through the internet and its underlying infrastructure.

Civil society engagement: new opportunities and ongoing challenges [12]

A number of recent changes have been made in improving the transparency and openness of ITU procedures:

At the 2014 Plenipotentiary:

  • Member states agreed to revise Resolution 102 to allow online and in person consultations open to all stakeholders prior to each meeting of the ITU Council Working Group on the Internet although actual meetings of the Working Group remain closed to member states only.
  • National delegations decided to open access to all input documents (e.g proposed revisions from member states and regional organizations) and output documents (final changes to texts). Although there was no decision on a final policy for access to documents it was recommended that all input and output documents from ITU conferences and assemblies should be publicly available from 2015 even if there remain “differing opinions about how the policy should work in practice” [13].
  • As in the plenary and substantive sessions of PP 2010 and WCIT 12, a space was created on the Plenipotentiary webpages to broadcast all plenary sessions as well as sessions of substantive committees.
  • A coalition of civil society groups issued an open letter to the ITU calling for greater openness and transparency. The letter solicited a generally positive and supportive response from the Secretary General, which could help reinforce civil society calls on ITU members for greater openness and transparency of ITU processes. During the Plenipotentiary, a coalition of civil society groups also issued a series of recommendations to the ITU on its roles and responsibilities. The statement highlighted a number of the draft proposals, providing recommendations that outlined the positions of the civil society group signatories, including a recommendation on cybersecurity.
  • The Secretary General hosted consultations with civil society. Although the consultations could be seen simply as a way to detract from broader and more in-depth participation of civil society, it could also be seen as a sign of willingness of the ITU for more diverse multi-stakeholder engagement.

In addition:

  • In 2014, civil society were invited to participate in the ITU-facilitated WSIS+10 Multi-stakeholder Preparatory Platform which informed the WSIS+10 Statement on Implementation of WSIS Outcomes and the WSIS+10 Vision for WSIS Beyond 2015.
  • ITU membership has been open to the academic community since 2014.
  • A group of civil society members were part of the multi-stakeholder Informal Group of Experts (IEG) who negotiated six draft opinions which were then forwarded to the World Telecommunication/ICT Policy Forum (WTPF) 2013 for consideration at the plenary session.

In order to provide well-argued and comprehensive inputs into deliberations through membership of national delegations or through informal discussions with national delegations at high-level meetings, civil society will need to remain informed of the ITU’s cybersecurity-related activities as well as proposed changes to the extension of its mandate. More broadly, capacity building, including the building and strengthening of cross-country and cross-regional civil society networks remains important. These networks provide a means by which to voice civil society concerns as well as to advocate for greater openness and transparency, through joint statements such as the civil society joint statement to the ITU at the 2014 Plenipotentiary.

The next ITU high-level meeting is the World Radio-communication Conference (November 2015), where the Radio Regulations, the international treaty governing the use of the radio-frequency spectrum and the geostationary-satellite and non-geostationary-satellite orbits will be reviewed and may be amended. Although most preparatory documents remain locked to those with TIES accounts, the agenda is publicly available. As with other high-level meetings, public consultations take place at the regional level and may also take place at the national level; most will conclude at least a few months before the conference is held. If no public consultation is held, members of civil society organizations can request to attend the meeting as part of the official delegation, and notwithstanding attendance in person, can also engage members of the relevant Ministry (a list of ITU Member State contacts is made publicly available), build a relationship with Ministry officials and can request to see the proposals and resolutions of the meeting, as member states can share member-state only documents at their prerogative [14].


The ITU’s organizational role and its role as facilitator of action line 5 of the WSIS has acted as an important impetus to its cybersecurity activities, which remain within the remit of the ITU-T and ITU-D sectors and relate mainly to capacity building activities. However, the WSIS has been from the outset a “multi-stakeholder process”. Once the review of the WSIS concludes in 2015, it remains to be seen how the ITU will define its cybersecurity agenda and retain any multi-stakeholder modalities of engagement. The ITU’s role as intergovernmental body that has historically played an important role in ensuring the interoperability of international telecommunications infrastructure, means that it will continue to develop standards, promote policies and implement capacity building programs related to cybersecurity [15].

Yet, the impact and the scope of the ITU’s cybersecurity related activities will be determined by the mandate given to it by states, which shapes the day to day work of its sectors. Any attempt by certain states for it to take a stronger regulatory or policy role in cybersecurity have so far been thwarted. Yet, this does not mean that attempts will not be made again in the future to reshape, extend or limit its mandate. Civil society should thus remain engaged in the work of the ITU, continue to advocate for greater openness and transparency in ITU decision making processes while using existing avenues to build networks that promote human rights respecting policy and regulation.

The views expressed in this blog represent the views of individual authors, and do not represent the views of the Freedom Online Coalition or its members.