Thursday, 23 February 2012

Outline of the “Toolkit for ICT-based Services Using Mobile Communications for e-Government Services”



Introduction
1.       e-Government activities
2.       Mobile payment system concept
2.1       System participants and their roles
2.2       System architecture
2.3       Available payment means
2.4       Payment arrangements
                  2.4.1            Operations initiated by the client
                  2.4.2            Operations initiated by merchants
2.5       Arrangement of elements for international mobile payment system
3.       Mobile technology
4.       Security
4.1       Introduction
4.2       Security levels
4.3       Security implementation degree
4.4       Roles
                  4.4.1   The role of the MSSP
                  4.4.2   The role of the Registration Authority (RA)
4.5       Identification
4.6       Administration of keys
4.7       …
5.       Conclusion

Question 17-3/2: Progress on e-government activities and identification of areas of application of e-government for the benefit of developing countries


In accordance with the terms of reference agreed at WTDC-10, ITU-D Study Group 2 Question 17-3/2 is responsible for examining issues related to e-government activities and identifying areas of application of e-government for the benefit of developing countries. Progress on e-government activities and the identification of areas of application of e-Government for the benefit of the population are issues of growing concern to many developing countries. For this reason, the Question seeks to compile guidelines and lessons learned on e-Government related activities, with special attention to the use of mobile and wireless platforms for the provision of and payment for services in rural and remote areas.
At the recent meeting of ITU-D Study Group 2 held in September 2011 document D10-SG02-INF-0017 titled “First draft of a toolkit for ICT-based Services Using Mobile Communications” was discussed and approved as a base for the work to be undertaken within the framework of Question 17-3/2. The meeting decided to continue the work and seek the involvement of more experts in the process of developing the Toolkit.
Taking into account that ITU-T Study Group 17 is the lead group on telecommunication security, it would be beneficial to take advantage of the collaboration between ITU-T SG17 and ITU-D SG2 Question 17-3/2 in developing the security-related aspects as a chapter of this Toolkit. ITU-T SG17 can play an important role in the development of the security part of the Toolkit for ICT-based services using mobile communications. Question 17-3/2 therefore invites ITU-T Study Group 17 to contribute to the development of this section of the Toolkit. It would furthermore be useful to evaluate the practical level of implementation of relevant ITU-T Recommendations in the area of e-Government, noting that these issues constitute part of the task assigned to ITU-D Study Group 2 Question 17-3/2.
The next Rapporteur Group meeting for Question 17-3/2 will be held in Geneva on Tuesday, 8 May 2012 and the Group would be grateful to receive the input from ITU-T SG17 for consideration at this meeting.
ITU-D SG2 Question 17-3/2 would like to thank ITU-T SG17 in advance for the information provided for the development of the Toolkit.

On 19 January, the first meeting of the expert council of the forum of information security directors took place at the Marriott Aurora hotel.

On 19 January, the first meeting of the expert council of the forum of information security directors took place at the Marriott Aurora hotel. The participants approved the dates of the forum (16-17 April) and discussed the preparation plan and the agenda of the upcoming event. The following attended the meeting:
- Andrey Kurilo, deputy head of the Main Directorate for Security and Information Protection, Bank of Russia;
- Sergey Akimov, head of the Committee for Interaction with Government Bodies, MOO ARSIB;
- Evgeny Klimov, manager, PWC;
- Dmitry Kostrov, member of the Board of MOO ARSIB, project director, MTS;
- Mikhail Levashov, director of methodology, "Infosecurity Service";
- Alexey Lukatsky, business security consultant, Cisco Systems;
- Viktor Minin, chairman of the Board, MOO ARSIB;
- Denis Persanov, head of information security, "Auchan";
- Artem Sychev, member of the Board of MOO ARSIB, deputy director of the security department and head of the information security directorate, "Rosselkhozbank";
- Viktor Yanko, head of the industry projects division, infor-media Russia.

Wednesday, 22 February 2012

New version of Rec. National IP-based public network security center for developing countries (X.ncns-1)




After the last SG17 meeting, it was recognized that discussions on X.ncns-1 were necessary.
The following is a summary of discussions and agreement.
1. Related documents for discussion on X.ncns-1
The following documents (report and TDs) were identified as the basis of the discussion.
Issued at the previous SG 17 meeting (April 2011)
- SG17-R-0032: REPORT OF WP 1/17(NETWORK AND INFORMATION SECURITY)
- TD 1887 Rev.1: Previous Draft on X.ncns-1
Issued at this SG 17 meeting (August/September 2011)
- TD 2023 Rev.2: New Draft of X.ncns-1
- TD 2141: Analysis by Q4/17
- TD 2164: Answer from Editor for TD 2141
- TD 2177: Response from Q4/17 for TD 2164
- TD 2182R1: Report of Joint Q2/17, Q3/17, Q4/17 and Q10/17 on X.ncns-1.

2. Discussion
After the joint meeting of Q2/17, Q3/17, Q4/17 and Q10/17, TD 2164 and TD 2177 were issued to express the views of the editor and of Q4/17. So that this ad hoc meeting could discuss the issue efficiently, the meeting decided not to present TD 2164 and TD 2177, but to ask the Rapporteur of Q4/17 to present a proposal for the summary of NCNS’s misgivings and a suggestion on providing the text of X.ncns-1 (TD 2286).
After presenting TD 2286 from a Rapporteur Q4/17, the following discussions occurred:
1) It was proposed in TD 2286 that X.ncns-1 should eliminate the single architecture notion and make it compatible with the distributed, autonomous architectures for security centres that exist today. The editor of X.ncns-1 explained that the draft X.ncns-1 was not intended as a single architecture, but integrations or federations that are compatible with the distributed, autonomous architectures for security centres that exist today.
2) It was also proposed in TD 2286 that the title of X.ncns-1 should be "Guidance for National Centres for Network Security" in order to remove the restrictions to IP-based use only and to developing countries only. However, the editor of X.ncns-1 preferred that "IP-based network" be kept in the title because of the current trend of shifting to IP-based networks. He also believed that the X.ncns-1 title should retain "for developing countries" because that phrase was used in describing ITU-T work in PP-10 Resolution 130. However, some national representatives noted that the phrase was in no way obligatory, as it was within the “recognizes” section of Res. 130.
3) It was proposed in TD 2286 that X.ncns-1 should eliminate the single trust model material and make it compatible with trust models that accommodate diversity in collaboration with Q10/17, JTC1/SC27 and FIRST community. There was agreement on this proposal, including collaboration with Q10/17, JTC1/SC27 and FIRST community.
4) It was further proposed in TD 2286 to make X.ncns-1 a supplement to X.1205. The editor of X.ncns-1 expressed a preference to keep it as a Recommendation at this SG 17 meeting.

Additionally, in December 2011, X.ncns-1 was discussed at the interim Q10/17 meeting.

The new version of X.ncns-1 is in the attachment.

Coordinating Activity in Cloud Computing Security




Abstract
During its January 2012 session, TSAG appointed ITU-T SG 13 as the lead for cloud computing. It was also noted that, as per the WTSA 08 definition of a lead study group (Resolution 1, item 2.1.6), other ITU-T study groups shall retain their particular lead areas of competence in cloud computing standardization activity.
TSAG additionally established JCA-Cloud, SG13 being its parent study group.
Rationale
ITU-T mostly studies telecommunication standardization issues, so cloud computing security is to be treated exclusively from this point of view. ITU-T SG 17 was appointed lead study group in the area of telecommunication security. This means that it is SG 17 that shall coordinate the activities in cloud computing security, while SG 13 shall supervise general cloud computing activities.
Today, it is common for ITU-T lead study groups performing vertical coordination in their subject areas to communicate with SG 17, which is in charge of horizontal coordination in the security area. Thus, SG13, just like other study groups, can take part in standardization activities for cloud computing security, but only upon agreement with SG 17 acting as coordinator.
To make cooperation between the ITU-T lead SGs clearer, it seems reasonable to formalize the procedures in Resolution 1.
Proposal
Russia proposes the following actions to be performed by SG17 in terms of coordinating cloud computing security standardization:

·         Prepare suggestions for SG 17 and other ITU-T SGs for cloud computing security standardization activity;
·         Recommend SG 17 representatives to act as JCA-Cloud co-conveners in the security area. We kindly suggest V.A. Kutukov, who was the chairman of the ITU-T FG on Cloud Computing, as a candidate for this position;
·         Send a request on behalf of SG 17 to SG 13 and JCA-Cloud to report to SG 17 on cloud computing security issues.

Monday, 6 February 2012

Report of the Correspondence Group on COP17 (Child Online Protection/ITU-T SG17), September 2011-January 2012


The designated conveners of the Correspondence Group on COP17 submitted document TD 2506 with the subject title. It was, however, never approved as a Report by the Correspondence Group. Indeed, TD 2506 inexplicably and arbitrarily omits most of the material that was developed as part of the Group's work and provided to be part of the Report. Conversely, the TD includes information that was never raised with the Group and was simply inserted into TD 2506 as what appear to be the conveners' own views. These concerns were raised on the CG list by several parties, and the conveners chose simply to ignore any questions or concerns and submit their own material as a TD purporting to represent the Correspondence Group. Therefore, TD 2506 can only be regarded as the views of the conveners concerning the subject matter. In no way is it a report of the Correspondence Group, nor does it represent the view of the Group.
This contribution contains some of the important work and factual material developed by members of the Correspondence Group pursuant to its terms of reference and discussed on the Group’s list.

1. Technical work already underway related to COP (Terms of Reference clause 1)

The following Standards Development Organizations, industry forums, and intergovernmental bodies were identified as undertaking significant work related to COP that is already underway and widely implemented worldwide by industry and national administrations. 

1.1        World Wide Web Consortium (W3C)

The W3C is the principal global standards development organization for Web design, applications, and architecture including semantic content, whose specifications form the basis for essentially all network content exchange today.
Protocol for Web Description Resources (POWDER). The W3C Platform for Internet Content Selection (PICS), begun in the 1990s, was superseded by POWDER. The POWDER reference site is at http://www.w3.org/2007/powder/. A primer is available at http://www.w3.org/TR/powder-primer/. See especially the section on COP and the ICRA (Internet Content Rating Association) labeling standard. Although these efforts originated in 1994, current work was begun in 2004, and the standard was formally adopted 1 Sep 2009.
Today, the POWDER standard is used worldwide as the principal technical platform for dealing with COP related content.  As of 10 Jan 2011, POWDER is referenced by 698,000 site URLs for COP purposes, and the standard is incorporated widely in vendor products as described on the reference site.  The standard is also broadly applicable to and interoperable with almost all ICT resources using RDF (Resource Description Framework) and OWL (Web Ontology Language).
Web Content Accessibility Guidelines (WCAG). These guidelines specify capabilities needed for persons with disabilities to use the POWDER standard, including implementations for COP undertaken by ICRA.  See the W3C WCAG site at http://www.w3.org/TR/2012/NOTE-WCAG20-TECHS-20120103/.  Ref. TSAG Doc. T09-TSAG-120110-TD-GEN-0254.
Social Web Incubator Group WG (public-xg-socialweb@w3.org) serves as a continuing forum by COP experts for extending W3C standards to new services.

1.2        Child Exploitation and Online Protection Centre (CEOP)

CEOP is a UK based organization for global public-private cooperation relating to COP.  It cooperates closely with other organizations described below to develop standards and implement COP capabilities.  Information is available at http://ceop.police.uk/.

1.3        Virtual Global Taskforce (VGT)

The VGT is a global public-private organization that seeks to build an effective, international partnership of law enforcement agencies, non-government organisations and industry to help protect children from online child abuse. See http://www.virtualglobaltaskforce.com/. VGT cooperates closely with INHOPE on technical standards and platforms.

1.4        International Association of Internet Hotlines (INHOPE)

INHOPE is based in Amsterdam and coordinates a network of Internet Hotlines all over the world, supporting them in responding to reports of illegal content (including child sexual abuse material).  In conjunction with this work, it develops technical standards and applications among major vendors worldwide.
Mobile online content reporting application.  INHOPE mobile is a free tool for a user to anonymously report any suspect illegal content through their mobile device. The report will then be forwarded to the hosting country’s hotline which will investigate the report according to the national legislation and, where appropriate, the relevant law enforcement agencies will be informed and the content removed. Information concerning the application which was publicly released on 18 November 2011 in Rome, as well as related standards is available at: http://www.inhope.org/gns/about-us/INHOPE_mobile.aspx.

1.5        Internet Watch Foundation (IWF)

For 15 years, the IWF has functioned as a public-private partnership based in the UK with a remit to minimise the availability of potentially criminal internet content that includes images of child sexual abuse hosted anywhere in the world. See http://www.iwf.org.uk/about-iwf/remit-vision-and-mission. In conjunction with this objective, it works with organizations worldwide developing related capabilities, especially the Blocking Initiative.
Blocking Initiative.  IWF Board agreed to develop standards and procedures under which a child sexual abuse content URL list would be implemented.  Since 2004 many companies worldwide have chosen to make use of this list to protect their customers, namely, internet service providers, mobile operators, search providers, and filtering companies. National and international law enforcement agencies and INHOPE Hotlines also access the list on a mutual exchange basis. The initiative FAQ is available at http://www.iwf.org.uk/services/blocking/blocking-faqs.

1.6        Organisation for Economic Co-operation and Development (OECD)

The OECD is a Paris based 50 year old major intergovernmental organization with membership of 34 nations with a mission to promote policies that will improve the economic and social well-being of people around the world.  Its staff of 2500, outside consultants, and expert committees undertake research and the production of highly regarded reports.  In 2011, the OECD released a major report with an extensive amount of research covering the terms of reference of the ITU-T CG17 Correspondence Group on COP.  The report is provided as Annex 1.
The report concludes that “A whole toolkit of technical measures supporting the protection of children online is available,” and describes on pages 71 to 75 the technical and operational measures available in countries worldwide to meet their COP needs in accordance with their national policies.

1.7        ICT Coalition for a Safer Internet for Children and Young People

In mid-January 2012, a broad global coalition of twenty-five major information and communication service providers and vendors issued principles for the development of products and services to actively enhance the safety of children and young people online.
·       develop innovative ways of enhancing online safety and encouraging responsible use of the internet and internet access devices by children and young people;
·       empower parents and carers to engage with and help protect their children;
·       provide easily accessible, clear and transparent information about online safety and behaviour;
·       raise awareness of how – and to whom – to report abuse and concerns.
More details about the ICT Principles and the actions to be taken by Signatories are available at http://www.gsma-documents.com/safer_mobile/ICT_Principles.pdf.  The announcement of the coalition and its work is provided as Annex 2.

2. Assessment of possible technical work that SG 17 is equipped to undertake (Terms of Reference clause 1)

In assessing possible technical work that SG 17 is equipped to undertake as a result of its particular mandate and expertise, it was apparent in light of the above compilation of existing work and discussions occurring on the COP17 list that:
a.      Existing highly expert global and regional SDOs and industry forums have been undertaking the relevant technical work for nearly two decades.
b.      The identified SDOs and industry forums have adopted the needed relevant standards which are widely recognized and deployed across the global infrastructures. However, one party in the Correspondence Group – the SG 17 Chair – believed that somehow there might be more needed standards work.
c.      These forums remain the principal active venues for further work, and a broad array of ITU-T members participate in them.
d.      Some of the work of these forums involves producing standards for restricting the availability of content at a national level that would be precluded from the ITU-T under Res. 130 of the ITU Final Acts of the Plenipotentiary Conference (Guadalajara, 2010).  See Annex 3 to this contribution.  However, one party in the Correspondence Group – the SG 17 Chair – believed that if SG 17 undertook this same work, Res. 130 could be somehow circumvented through devices such as changing “content control” to “access control.”
e.      Even without the Res. 130 restriction, SG 17 clearly does not possess the very significant level of specialized expertise and industry involvement that exists in the many forums already doing this work – a view supported by the ITU Members in Resolution 179 of the ITU Final Acts Plenipotentiary Conference (Guadalajara, 2010).  See Annex 3 to this contribution.  However, one party in the Correspondence Group – the SG 17 Chair – believed that despite only a handful of people in SG 17 expressing the slightest interest in this work for the past year, that some SG 17 participants could be found who could add something new.
f.        It would appear to serve no purpose to redundantly pursue the extensive work done elsewhere and be wasteful of limited ITU-T resources.  However, one party in the Correspondence Group – the SG17 Chair – believed that redundantly engaging in the same work was not an issue.
g.      SG 17 could usefully work with the TSB to develop and maintain an ITU-T website on technical and operational standards, measures, and forums for Child Online Protection.

Attachments: 3
·       OECD (2011), “The Protection of Children Online: Risks Faced by Children Online and Policies to Protect Them”, OECD Digital Economy Papers, No. 179, OECD Publishing. http://dx.doi.org/10.1787/5kgcjf71pl28-en
·       Companies unite to launch the first industry-led Europe-wide principles to enhance online safety for children.
·       RESOLUTION 130 (Rev. Guadalajara, 2010); Strengthening the role of ITU in building confidence and security in the use of information and communication technologies.
RESOLUTION 179 (Guadalajara, 2010); ITU's role in child online protection.

NIST to Fund Pilot Projects that Advance Trusted Identities in Cyberspace


http://www.nist.gov/public_affairs/nsticpilotgrants.cfm
For Immediate Release: February 1, 2012
Contact: Gail Porter
301-975-3392
Proposers’ Conference Set for Feb. 15
WASHINGTON - The National Institute of Standards and Technology (NIST) today announced a competition to award a total of approximately $10 million for pilot projects to accelerate progress toward improved systems for interoperable, trusted online credentials that go beyond simple user IDs and passwords. The competition will be managed by the NIST-hosted national program office for the National Strategy for Trusted Identities in Cyberspace (NSTIC), a White House initiative to work collaboratively with the private sector, advocacy groups, public sector agencies, and others to improve the privacy, security, and convenience of online transactions.
The NSTIC vision is for individuals and organizations to have secure, efficient, easy-to-use and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice and innovation.
“We’re looking for innovative approaches that can advance the NSTIC vision and provide a foundation upon which a trusted, user-centric Identity Ecosystem can be constructed,” said Jeremy Grant, NIST’s senior executive advisor for identity management. “We can help to grow the online economy by enabling the advancement of promising new privacy-enhancing identity solutions – and ways to use them – that do not exist in the marketplace today.”
According to the Federal Funding Opportunity (FFO), NIST anticipates funding five to eight projects for up to two years in the range of approximately $1.25 million to $2 million per year, though proposals requesting smaller amounts may be considered. The deadline for submitting initial proposals is March 7, 2012.
The FFO cites a number of barriers that have prevented identity solutions from being widely deployed in the marketplace, including:
·       the need for technical standards that ensure interoperability among different identity authentication solutions;
·       a lack of clarity about liabilities when something goes wrong;
·       no common standards for privacy protections and data re-use; and
·       issues with ease of use for some strong authentication technologies.

NIST seeks proposals that address some or all of these barriers while adhering to the four central principles guiding NSTIC: identity solutions should be privacy enhancing and voluntary, secure and resilient, interoperable, cost effective and easy to use.
For example, the FFO notes that proposals could include, but are not limited to, technologies or approaches that:
·       create identity hubs to quickly validate credentials with strong authentication methods meeting agreed upon standards,
·       provide incentives for consumers to use trusted authentication methods in lieu of user IDs and passwords,
·       include improved ways to enhance consumer privacy, while simultaneously meeting business and security needs, or
·       demonstrate interoperability across various technologies such as smart cards, one-time passwords, or digital certificates.

To apply for funding proposers must be: accredited institutions of higher education; hospitals; non-profit organizations; commercial organizations; or state, local, and Indian tribal governments located in the United States and its territories. An eligible organization may work individually or include proposed subawards or contracts with others in a project proposal, effectively forming a team or consortium.
On Feb. 15, 2012, NIST plans to host a proposers’ conference from 9 a.m. to 12 noon at the Department of Commerce in Washington, D.C., to offer guidance on preparing proposals, explain criteria to be used in making awards, and answer questions from the public. The event will include a live Web cast. Participants may ask questions through Twitter and live tweets using the event hashtag, #NSTIC.
Details on the web cast address and registration information for the conference are available at: http://www.nist.gov/itl/nstic-pilots-grant-proposers-conference.cfm. Further information about NSTIC and upcoming related events is available at: http://www.nist.gov/nstic.
A copy of the full text of the National Strategy for Trusted Identities in Cyberspace signed by President Obama in April 2011 is available at: http://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf.