United Nations views Flame as cybersecurity opportunity

Representative for United Nations agency, which has taken credit for helping to discover the Flame malware, tells CNET that world leaders gave agency the "mandate as sole facilitator" for boosting Internet security.

Declan McCullagh
Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
3 min read

The United Nations has seized on the appearance of the Flame worm, which targeted computers in the Middle East, to argue that it should have more authority to deal with cybersecurity threats on the Internet.

Last week, the United Nations' International Telecommunication Union circulated a statement about Flame saying the malware "reinforces the need for a coordinated response" that could come from "building a global coalition." It took credit for Flame's discovery, saying Kaspersky Lab identified it "following a technical analysis requested by the ITU." (See CNET's FAQ.)

ITU spokesman Paul Conneally told CNET this morning that "the mandate that ITU has with regard to cybersecurity goes back to the World Summit on the Information Society, where world leaders gave ITU the mandate as sole facilitator for 'building confidence and security in the use of information and communication technologies.'" WSIS was held in Tunisia in 2005.

An excerpt from Flame, which has been named after one of the main modules it uses to spread.
An excerpt from Flame, which has been named after one of the main modules it uses to spread. Securelist

The prospect of greater ITU involvement in Internet governance and cybersecurity -- the topic of an international summit in Dubai in December and something the agency has increasingly focused on -- is not likely to be uniformly applauded.

A U.S. House of Representatives committee convened a hearing last week where Democrats and Republicans found common ground in a presidential election year on one topic: an agreement that the ITU must not be allowed greater control over the Internet. It was a sentiment shared by the Internet Society and Vint Cerf, Google's chief Internet evangelist and co-creator of the TCP/IP protocol, who warned that the upcoming ITU meeting could lead to "top-down control dictated by governments" that could impact free expression, security, and other important issues.

"If we are not vigilant," warned Rep. Greg Walden, an Oregon Republican, the Dubai summit "just might break the Internet by subjecting it to an international regulatory regime designed for old-fashioned telephone service."

Called the World Conference on International Telecommunications, or WCIT, December's summit will review a set of telecommunications regulations established in 1988, when home computers used dial-up modems, the Internet was primarily a university network, and Facebook CEO Mark Zuckerberg was a mere four years old.

In theory, the United Nations could be a reasonable place to create a cybersecurity institution for the Internet, says James Lewis, director and senior fellow at the Technology and Public Policy Program at the Center for Strategic and International Studies. U.N. agencies already serve that role for aviation and trade, he says.

"But nobody trusts the ITU," Lewis says. "That doesn't justify the hysteria we saw on the Hill, but it does justify not giving the ITU greater responsibility."

Berin Szoka, president of the TechFreedom think tank, says, referring to the ITU's statement on Flame: "It's posturing. This is clearly part of an ITU effort to advance their overall agenda of inserting themselves into Internet policy."

When asked about last week's congressional hearing, ITU spokesman Conneally replied: "Yes, we were aware, of course. The ITU Secretariat does not have the authority to interpret comments made by any member state or to speculate what the reasons for such comments may be." Instead, he said, the ITU Secretariat is charged with convening December's summit "in a fully neutral and impartial way."

Conneally apparently was referring to remarks such as those made by Russian Prime Minister Vladimir Putin, who said last year that the U.N. should establish "international control of the Internet," according to an official English language transcript of a conversation with ITU Secretary General Hamadoun Toure last year.

Last fall, China, Russia, Tajikistan, and Uzbekistan submitted a proposal to the United Nations asking for the creation of an "International Code of Conduct for Information Security." It calls for international cooperation in controlling "dissemination of information" that "undermines other countries' political, economic, and social stability" -- which appears to mean censoring political speech appearing on Web pages, social network posts, and so on.

Jim Harper, director of information policy studies at the free-market Cato Institute, says the role of governments (and intergovernmental groups including the United Nations and the ITU) in setting cybersecurity standards should be limited.

"The Flame story indicates that governments aren't cybersecurity experts," Harper says. "There are lots of cybersecurity experts. The ITU and the U.S. Congress are not two of them."