ORGANIZATION & PROCESS
The recommendations of the Geneva action plan concerning this action line are:
C5. Building confidence and security in the use of ICTs
12. Confidence and security are among the main pillars of the Information Society.
a) Promote cooperation among the governments at the United Nations and with all stakeholders at other appropriate fora to enhance user confidence, build trust, and protect both data and network integrity; consider existing and potential threats to ICTs; and address other information security and network security issues.
b) Governments, in cooperation with the private sector, should prevent, detect and respond to cyber-crime and misuse of ICTs by: developing guidelines that take into account ongoing efforts in these areas; considering legislation that allows for effective investigation and prosecution of misuse; promoting effective mutual assistance efforts; strengthening institutional support at the international level for preventing, detecting and recovering from such incidents; and encouraging education and raising awareness.
c) Governments, and other stakeholders, should actively promote user education and awareness about online privacy and the means of protecting privacy.
d) Take appropriate action on spam at national and international levels.
e) Encourage the domestic assessment of national law with a view to overcoming any obstacles to the effective use of electronic documents and transactions including electronic means of authentication.
f) Further strengthen the trust and security framework with complementary and mutually reinforcing initiatives in the fields of security in the use of ICTs, with initiatives or guidelines with respect to rights to privacy, data and consumer protection.
g) Share good practices in the field of information security and network security and encourage their use by all parties concerned.
h) Invite interested countries to set up focal points for real-time incident handling and response, and develop a cooperative network between these focal points for sharing information and technologies on incident response.
i) Encourage further development of secure and reliable applications to facilitate online transactions.
j) Encourage interested countries to contribute actively to the ongoing United Nations activities to build confidence and security in the use of ICTs.
References and Contributions :
The audio excerpts below are from the ITU audio archive (very unfortunately in the proprietary Real Player format, which should not be considered as a very appropriate choice for ITU ...). This particular stream was not easy to rip, and we had no time to waste, therefore we indicate the specific excerpts by time stamps on the stream. Sorry for the inconvenience.
Any help would be appreciated to rip those excerpts and make them more easily available in ogg format.
Procedural issues :
During the 2nd WSIS Action Line C5 Facilitation Meeting, ITU proposed draft terms of reference (ToR) that are quite different from those from UNESCO. There is only one team, instead of the definition of sub-themes and then designation of moderators of open-ended teams for those sub-themes.
As said orally, the "team" should have implemented the recommendations coming from the four working groups (speed sessions of the first and second days). The draft ToR was objected to by Switzerland, Tunisia and later on by the United States, followed by India. Therefore the ToR were not adopted, effectively paralyzing the implementation of the C5 action line until next year. Obviously, this meeting was not a success for ITU, although its duration was the longest among all action line meetings, and despite the fact that this meeting was one of the best prepared and attended of the WSIS cluster of events.
The problem is that the unique C5 "team" positioned itself ipso facto as a process in competition with existing processes, and the ITU was not perceived as a worldwide inclusive multi-stakeholder facilitator.
It is our analysis that if the ITU had proposed the same ToR as UNESCO, which propose a more distributed structure that could accommodate existing as well as new processes, then the C5 meeting outcome would have been more practical.
For example, a theme and a moderator could have corresponded to an existing initiative,
Content issues :
1/ It is uncertain whether the relationship between Cybersecurity and Ethics has really been investigated in the discussions so far. This would imply ensuring that
- cybersecurity measures and effectiveness are not compromised by corporate interests, and that fair competition between providers of security solutions does exist.
- freedom of software users and developers is preserved. Cybersecurity measures should not prevent the development of Free Software.
- last but not least, that Human Rights issues are not forgotten. Cybersecurity enforcement should not come at the cost of endangering Human Rights. It is a very sensitive issue that must be approached in a very balanced way.
2/ The fundamental problem, and strategic choice, between security through obscurity and "security through transparency" (i.e. using Open Source or Free Software) has never been debated during the WSIS.
The issue of software models has been debated in a general context, leaving users free to choose the model "that best fit their needs".
Precisely in matters of cybersecurity, the question of which model best fits the needs of users (governments, people, companies) has been left unexplored (this has nothing to do with the economic question of gratis vs commercial, which was hotly debated in the context of the digital divide).
Many users are justified in feeling insecure when their internet traffic passes through closed "black boxes" (routers, proxies, mirrors, etc.) because they are not able to verify by themselves (or by relying on trusted independent people) whether that network equipment is secure and not compromised.
A very exploratory proposition for sub-themes
| Sub-Theme | Lead moderator, co-moderators | Contacts |
|---|---|---|
| A/ International Public Law Framework | Council of Europe (Convention on Cybercrime) | tba |
| B/ Watch, Warning and Incident Response | Community Emergency Response Team (CERT) | tba |
| C/ Spam and Related Threats | StopSpamAlliance | tba |
| D/ National e-Strategies and National Law Enforcement | tba | tba |
| E/ Research of Innovative Solutions in a Global Cybersecurity Environment | tba | tba |
| F/ Best Practices and Network Policies | tba | tba |
| G/ Cybersecurity Ethics (Fair competition, Freedom of Software Users and Developers, Human Rights) | tba | tba |
Relationships with the Internet Governance Forum Process
There is no dynamic coalition on CyberSecurity, just one on a specific aspect: StopSpamAlliance.
However, concerning CyberSecurity, there are quite a few interesting workshops among those that have been proposed for the IGF in Rio.
Security is a recognized category, but unfortunately many of the proposals are related more to content filtering (access) than to security.