Security experts define new priorities for security standardization

Standardization of security aspects of Information and Communication Technologies (ICT) continues to be a topic that needs careful balance, according to the findings of the latest annual ETSI Security Workshop. Nearly 100 security experts (plus numerous others participating by webcast) agreed that the current key issues were:

  • prioritization of ICT standardization efforts: what areas should be (or should not be) addressed by standardization, especially in the face of the current global economic downturn;
  • the need to better address citizens’ security and privacy in current and emerging standards;
  • the need for better evaluation of the use of standards and the need to assess the effectiveness of their implementation.

The workshop enabled experts from around the world to review and re-define standardization priorities within the ICT security sector. Delegates agreed that, whilst there are already many security-related standards available (from ETSI and other organizations), the choice of which security aspects to standardize is critical, as is the need for good co-ordination between standards organizations. Areas where systems interconnect or interact, including networked critical infrastructures, public safety communications and areas that include the electronic storage or exchange of personal information, were all judged to be of vital importance.

Ultimately, standards need to be appropriate to real needs, so consultations with, and participation by, users and other stakeholders were also considered vital. The workshop reiterated that standardization must never be viewed in isolation but rather as part of a process that includes research, development, implementation and maintenance.

The delegates also agreed that the ability to demonstrate compliance with standards was of fundamental importance if the effectiveness of security measures in the implemented products using the standards is to be assured. Standards-makers were therefore encouraged to ensure that the standards can be validated and feedback from standards users integrated into the ongoing standards-making process. This implies also the need to enhance testing efforts in terms of standards conformity and interoperability. The possibility for some sort of “seal of approval” for products, services and processes was also thought to be desirable.

Workshop discussions indicated that standards currently suffer from insufficient attention to the issue of privacy. For example, while the work done so far on identity management is beginning to address some of the issues of managing personally identifiable information, it does not yet address the broader implications for the privacy of the citizen. Concern was expressed that there is considerable potential for information to be collected inappropriately or unnecessarily. Identity brokers holding large amounts of private information, maybe aggregated from a variety of sources, could become prime targets of attack, and such information may be held in jurisdictions that are beyond the reach of existing privacy legislation.

At the same time it was pointed out that many people do not pay enough attention to their own privacy, e.g. by providing personal information too freely and without considering how it will be used. Nevertheless, information collected is, in many countries, covered by privacy laws and regulations. Governments should continue to adopt measures to protect the privacy of their citizens, as the average user cannot realistically be considered to have the technical knowledge and expertise to manage his/her own privacy effectively. Delegates declared that ICT standardization can help to resolve these concerns, firstly by clearly recognizing the need to address privacy aspects, and then by embedding them into standards from the very beginning.