What we have here may be a failure to communicate.
The International Telecommunications Union (ITU) is a United Nations telecommunications agency that’s been accused by several U.S. lawmakers and advocacy groups of attempting a takeover of the Internet. The critics are concerned that the ITU will give too much sway to centralized Internet governance proposals floated by Russia and China for an upcoming renegotiation of a 1988 treaty, set for December in Dubai.
The ITU has vehemently pushed back on such claims, but its leading officials have recently made several statements about the need for international cooperation and a treaty to deal with the threats of new state-sponsored malware like Stuxnet and the recently-discovered Flame.
Yet the ITU itself has played a questionable role in Flame’s discovery and publication. According to Kaspersky Labs, a Russian cybersecurity firm that was one of the first to detect and report Flame on computers in the Middle East, the ITU sought Kaspersky’s help in finding another piece of malware that was “deleting sensitive information across the Middle East.” It was in searching for this other piece of malware, nicknamed Wiper, that Kaspersky allegedly discovered Flame.
The ITU and Kaspersky are also collaborating on a cybersecurity conference scheduled for October in Dubai, raising further questions about whether Kaspersky’s work in detecting the Flame could have been politicized.
Now, though the ITU has provided TPM with a document in which it states that it never actually paid Kaspersky to find any malware. The document also reveals that the ITU does in fact want to play an important role in solving the mystery of who is behind the malware, because the agency wants to help avoid a cyber war or conventional war between nations.
As the ITU document provided to TPM states:
ITU did not commission the work by Kaspersky Lab, but the company is one of the key partners (together with others such as Symantec, Microsoft, Trend Micro, and F-secure) in the ITU-IMPACT initiative…
After the alert about Wiper was issued at the beginning of May 2012, Kaspersky Lab assisted in the technical analysis of the threat by providing services on a non-commercial, pro-bono basis.
Within the spirit of cooperation and public-private partnership, ITU is open to work with any stakeholder that is ready to invest resources towards collectively addressing the global cybersecurity agenda. ITU also has Memoranda of Understanding with Symantec, UNODC, Microsoft, and so on.
The ITU’s document, which is labeled as an internal FAQ about the Flame malware, goes on to describe many of the agency’s broader aims in dealing with the increasing emergence of cyber espionage tools and weapons.
As the ITU’s document continues:
Ensuring cybersecurity is a top priority for ITU as it concerns the safety of global telecommunications and the services that support the word’s economy. It is therefore very focused on determining exactly what is happening in cyberspace — not only concerning this current threat, but also to be better prepared for what might be encountered in future…
Flame is another stage in the discovery of cyber threats that have probably been developed with the support of a nation state. Investigating and combating Flame is an important step in understanding the nature of potential cyber warfare.
As for what the ITU hopes to avoid, the document also outlines its worst fears of the escalation of a cyber conflict:
The disruption of computers and networks can cripple critical infrastructure. In the worst case, this could lead to chaos at a local, regional or even global level, causing significant damage to economies and people’s safety…
Potentially, power grids, financial systems, transport, telecommunications and other types of infrastructure are all highly vulnerable to this type of threat. Importantly, cyber-warfare might also trigger conventional warfare, considering that a number of states have already proclaimed that cyber-attacks would be seen as an act of war requiring retaliation with conventional arms.
The claims represent a departure from the ITU’s own constitution and stated functions, which, throughout most of its 147-year-history, have been limited to the standardization of communications technologies around the globe.
“The [ITU] treaty has never had technical issues of the Internet at its core,” said Cynthia Wong, an attorney at the Center For Democracy and Technology, one of the leading advocacy groups that has criticized the ITU’s review process, “Now all of the sudden there is pressure to expand their mandate and the scope of the treaty.”
The ITU’s FAQ document addresses this criticism, stating that at two conferences in 2003 and 2005, respectively, “world leaders gave ITU the mandate as sole facilitator for ‘building confidence and security in the use of information and communication technologies (ICTs).’”
The disparate narratives and conceptions about the ITU’s role aren’t likely to get resolved any time soon, but the real question remains as to what role it will play come December, when representatives from the 193 nations that comprise its membership reconvene to hammer-out a new treaty. By then, there could easily be yet another new malware threat.