Hi there. I'm Patrick Donegan with HardenStance, a perennial friend and occasional partner of TelecomTV. Many thanks to the folks at TelecomTV for giving me the opportunity to host this very special session. I'm here with Arnaud Taddei. Arnaud is global security strategist with Broadcom, but more importantly for today's conversation, he's the chair of the ITU's Study Group 17, the security and trust working group of the ITU. Arnaud, it's great to be with you.
Arnaud Taddei, Broadcom & ITU-T SG17 (00:36):
Thank you, Patrick. Pleasure is mine and thank you for giving me this opportunity.
Patrick Donegan, HardenStance Ltd. (00:40):
Let's get going with some background, first of all, because as we're all too aware, the world's nation states are using the cyber domain to undermine one another, to attack one another, to penetrate one another's critical infrastructure and do all sorts of terrible things to one another. Here you are in the ITU, where one of the defining characteristics of the ITU is that the single most important blocs are in fact the nation states who are coming together to apparently collaborate. Help me make sense of this collaboration at the same time as various members are making mischief and doing terrible things to one another.
Arnaud Taddei, Broadcom & ITU-T SG17 (01:20):
Yeah, that's a great paradox indeed. In fact, member states are like this Roman deity called Janus with two faces: on one side they want to attack, on the other side they have to defend. And these are not the same agendas. And in a way it's not different from the dual use we had from, for example, the atom: people invented nuclear power to do energy, but at the same time they created the bomb. So it's no different for us in cyber. Cyber is dual use and people use it on both sides. Now what's interesting is that the side that tries to defend realizes that they have a lot to lose. And in fact, the numbers are speaking for that side, because we got 6 trillion of harm worldwide in '21, we are at 10 trillion of harm this year and we are going to go north of 20 trillion of harm in the next five to 10 years, maybe even accelerating.
(02:13):
So just to remind ourselves, the global GDP is a hundred trillion with a debt of 215 trillion. So now the cyber attacks are actually hitting, perceived on the radar of the harm. So now when it comes to places like the ITU, the ITU being the oldest organization in the world for international standardization, member states already had a lot of experience working together. And they do two things. First, they do damage control: security is a national issue and they want to make sure that one does not go too fast versus the other. That's, let's say, the negative side of it. The positive side of it, and maybe I'm blessed in my study group, is the collaboration they do with each other. So it's not only with each other but with the industry, with academia and civil society. So as an example, at my first study group plenary meeting I had the big pleasure to see the US, Canada and the UK helping, in good faith, China to establish their AI work items simply because they were good. Conversely, China helped the Western side on cyber threat intelligence sharing protocols to make sure that we are progressing in the right way. So maybe it's a good feminist spirit that we managed to create over there, but it's very effective, and in practice I've not seen any geopolitical problem in my study group.
Patrick Donegan, HardenStance Ltd. (03:32):
And that collaboration in threat intel protocol sharing, you're referring, I think, to STIX and TAXII.
Arnaud Taddei, Broadcom & ITU-T SG17 (03:37):
Yes. For example, this is a difficult debate because there are terms here that are, let's say, perceived by some parties as inappropriate for the United Nations, like "threat actor" and other things that were not perhaps done in the right way. And so, for example, China helped us to create some of the things here, but at the same time, it's an interesting debate. Why do we have to discuss it? And this is simply because this is a United Nations environment. So it's interesting because this is forcing all the parties to realize the perspective of the others. And this is a great example of consensus building. It's tough, it's hard, but this is the way it should be. It's not just an industry piece where we believe we are right. No, it's an industry piece within all the stakeholders on the planet. And for this, ITU-T SG 17 is absolutely unique.
Patrick Donegan, HardenStance Ltd. (04:28):
So you've been in the chair for I think just over a year. How would you define what is the remit of SG 17? What's its job? What's its mission?
Arnaud Taddei, Broadcom & ITU-T SG17 (04:36):
Yes, great question. So SG 17 is simply the study group for security and trust. So we were doing security for perhaps 30 or more years, but now, since the assembly last year, we were asked to do trust as well. So in fact, trust is a big word and in a sense it's not really standardizable, but trustworthiness is. So that's what we want to do in SG 17. So we are just at the beginning of this journey in the way that we are organized. Over a couple of years we evolved step by step and we changed; we restructured multiple times in the past 10 years. But we cover a large spectrum of broad topics in telecommunications and ICT. So very important is that our borderlines are telecommunications slash ICTs. So here what we do, we would cover 5G, 6G, we would cover services, we cover identity management, we would cover cloud, we cover applications, AI, distributed ledger technology, gen AI, agentic AI, you name it. But as well quantum key distribution, PQC, public key infrastructure. So we don't cover everything, of course, but we cover a large spectrum of things, including intelligent transport systems and IoT security. But it's quite a broad remit that we have, very detailed, organized in four so-called working parties, each of them having three subgroups called questions, and questions have numbers.
Patrick Donegan, HardenStance Ltd. (06:01):
So when you and I started our careers, the ITU in standardization for telecom was kind of the be-all and end-all. Over the course of our careers, we've seen the IETF with the internet become enormously important. We've seen 3GPP become enormously important. So I think it's fair to say that the ITU is not the central powerhouse in telecom standards that it once was. We've watched our Monty Python movies over the years. We are familiar with Life of Brian, we're familiar with "what have the Romans ever done for us?" And a lot of folks in the telecom sector, including in the security space, ask the question: what has the ITU ever done for us from a security perspective? So what's the answer to that?
Arnaud Taddei, Broadcom & ITU-T SG17 (06:43):
Yes, you guys from the GDN front of people, yes. So in fact the ITU has done a lot of things on the security side that are still relevant today. And I would like to pick up the first thing, which is X.509. And perhaps before that, I think the ITU does not sell itself correctly. We are doing plenty of things that are of a lot of relevance, but we are not promoting it correctly. But let's come back to the story. You're right. So X.509 is the public key infrastructure. And for people who don't know what it means or how to relate to it, it's super important because all your HTTPS sessions, the little S which speaks about the TLS session, require X.509 to make it work, and many, many, many other things. So this was established in the context of the OSI model for networks a long time ago. And this is what we mean by those famous seven layers that we all know together. That was called X.200. And at that time they did X.200, X.800, X.500, X.509. So there is a group of standards that are really interconnected about the communication. Now X.509 is at its 34th anniversary this year. And what we do in SG 17, we have celebrated that day for four years now.
(07:55):
And because this is 509, either we do it on the 9th of May or the 5th of September; you read the date in the way you like. And this is really interesting because we are seeing a lot of people coming now to present what they do with X.509 in various use cases. And some of the use cases are things that we forgot. For example, the routing thing that happens on IP networks is done with X.509. Even another one that SG 17 is the home for, which is ASN.1. So these standards are there operationally behind everything we do today; they are the first foundation for security that we could provide. Now this goes in other places: the EU Cyber Resilience Act, the EU made the choice to standardize on X.509. So some of my people in SG 17 Question 11 work with ETSI at the moment to make sure that the EU gets what it needs from there. Others are looking at distributed public key infrastructure, how to use distributed ledger technology, so what we know as blockchain to make it simple, to reorganize the public key infrastructure to make it more distributed. So there is a lot happening now and in the future. Think about agentic AI, when the digital identity of all these agents needs to be organized. We need to have a way to get the certificates done. And X.509 could be a great example of how to use it and deploy it there.
Patrick Donegan, HardenStance Ltd. (09:17):
So suppose I decide to give you that. Suppose I decide to acknowledge, okay, Arnaud, you've got a point, X.509, but that's
Speaker 3 (09:25):
Decades ago.
Patrick Donegan, HardenStance Ltd. (09:26):
If I look at the more recent years looking at what the output of ITU has been from a security standpoint, I don't know that there's anything much out there. Is there?
Arnaud Taddei, Broadcom & ITU-T SG17 (09:37):
Yes. So that's the misperception again, frankly speaking, simply a lack of communication that I'm trying to fix as the new Study Group 17 chair. I could give many examples, but let me pick on something. So we all know about security operations centers. And what was funny, when I was at Symantec, before Broadcom acquired us, when we had the practice of doing managed security services, what was really, really painful was each time we went to see customers, we had to ask them, how do you define SOC? And we had a definition for each person. So because we were tired of that, we said, why don't we give our practice, our cyber defense center approach, because we wanted to elevate the SOC to something more relevant for the business and higher in the chain of the chief information security officer. So we offered that to ITU SG 17 and this became X.1060.
(10:30):
But there is an interesting story in the story. What we didn't know at that time is Japan was working in the same way, merging the first 42 biggest companies in Japan with the 20 biggest service providers of security in Japan, working together on a similar path. And because we have a fantastic rapporteur from NEC, Mrs. Numa, she observed both sides because she was looking at the development of the work item. So she managed to join and convince the people from Japan to work with us. And guess what? Independently, we had only 1% of difference. That was amazing. So for us it was very simple to merge all the product together and we delivered X.1060. So what it is, it is the first cyber defense center approach, which is in fact the way to create and evaluate and manage the cycles of a cyber defense center. So that's a normative text. And in this normative text, you can find a portfolio of 64 services that are predefined in macro processes so that you can organize as a CISO with your peers. You can say, I'm going to empower the cyber defense center to organize the services we need and that are relevant for us. But at the same time, it is one unique language per organization across all organizations. You have to actually manage the people and the organization of the people in cybersecurity.
Patrick Donegan, HardenStance Ltd. (11:57):
And I think you've had some collaboration with the first responder folks in building that together.
Arnaud Taddei, Broadcom & ITU-T SG17 (12:03):
Yes. So that's something that was the big surprise. And the good surprise is that as we were doing this, we knew about many of the forms, the SOC, the CSIRT, the CERT, and we realized that FIRST, which has always been a good partner for the ITU in the developing sector, FIRST is the forum for incident responders and security teams. So what they did, they coined two terms, the PSIRT for product security incident response team, and the CSIRT for computing security incident response team. And the difference we have between the two organizations is that they are very bottom up. It's a community of CISOs, heads of CERT, heads of SOC and heads of CSIRT that went together to define the CSIRT. Great work, but it's bottom up. In fact, the point is we took exactly the reverse approach of being top down. So suddenly we realized, oh, we have done a product that is top down for the CISO to organize himself or herself in his organization. And they went the bottom-up approach. So we realized that we could actually collaborate together because they have a big community and we have a smaller community, normative. And that would help a lot of things if you go in the future, for example, for NIS 2 and others, because the key point here is, imagine when you are a big region and you want to say, let's organize a defense against a new WannaCry, a massive attack against, you want
Patrick Donegan, HardenStance Ltd. (13:24):
To cry?
Arnaud Taddei, Broadcom & ITU-T SG17 (13:25):
Yes, the WannaCry type of attack that hit 150 countries. Would we be prepared today? Probably not. Because if you think about the clinic, this is the clinic of our health system in cyber. And with this approach of this collaboration, what we want to do is promote an approach. We say, oh, I am a region. I need all my entities to defend against this. Now, in advance, I know what I have. I don't need to send a business card to the CSIRT of France or the CSIRT of Orange or whomever to say, what do you have exactly? No. Now we know exactly what we have in advance and we don't need to do all the 64 services. We just need to put the baseline on some of them. And that's about scaling the defense. Now, FIRST comes with the practice, the community and the experience and their links. They are helping each other. So we hope to create a good path between the two. So we created a new item that is X.CDC-CSIRT to create the mapping between the two. And we hope to develop that in the future.
Patrick Donegan, HardenStance Ltd. (14:25):
Right. You're going to have to forgive me for raining on your parade a little bit here, because don't get me wrong, what you've described sounds absolutely marvelous. It's a beautiful painting, absolutely love it. Gorgeous stuff. However, I've been covering the cybersecurity sector now for more than 10 years. I'll be brutally honest with you, I've not heard of anyone talking about adopting the ITU Cyber Defense Center normative definition of a SOC. I just haven't heard of anyone using it. So does anybody even care about this?
Arnaud Taddei, Broadcom & ITU-T SG17 (14:52):
You live too much in the Western world, Patrick. Yeah, no, yeah, absolutely. So we could measure. So the first adopters that got it immediately, and for good reasons, were of course Japan because they believe in it. So in Japan, this is a big thing. It was, I think, translated into Japanese and they deployed it big time. So Japan is actually on it big time.
(15:17):
But the other regions of the world that got it very quickly were developing countries, especially Africa and the Arab group. So in Africa, we could measure with some certainty that 30% of African countries started to adopt it because this gave them an advantage. They suddenly had something with AfricaCERT. So there is a lot of relationship with AfricaCERT and FIRST. In fact, Japan paid its own JPCERT to promote the cyber defense center and X.1060 in Africa and the Arab group. Wow. So we had people coming to actually make this happen. We have an entire SG 17 African group and Arab group that are actually working on that because suddenly they said, oh, this is important for our capacity building, this is a good way we can retain competency. This is a big way we can actually leapfrog Europe as well when they think about it.
(16:06):
So the point for Western countries is they already have things, but the problem is the legacy they have, because they can't move because it's not normative. Except that I started to see some Nordic service providers that use it. Some of my customers were actually astonished because they had no idea that I was the one who made this happen in the ITU. And they were describing to us exactly how they came to ask their own constituencies, what is the definition of your SOC? And they were searching for something that could help them, and that is X.1060. So now they are rolling this out step by step, year by year, to make it successful. So of course things take time, and the more we can have adoption and promotion, the better it is. And I hope that with FIRST's help and perhaps the EU's help, we will get something at some point in the book.
Patrick Donegan, HardenStance Ltd. (16:51):
Right. One of the acid tests of the momentum, the success that an SDO is having, is both the rate at which new members are joining, but also the rate at which members are not being merely passive but actually actively participating amongst SG 17 members. What have you seen in terms of those metrics in the last year since you've been chair?
Arnaud Taddei, Broadcom & ITU-T SG17 (17:16):
Yeah, that's the great story for me because I'm all about industry engagement, and overall in the ITU, we prepared a new set of resolutions to encourage engagement: industry engagement, next generation, gender balance, sector members, sector members in developing countries. And I'm basically implementing the fruits of what I did at another level in the ITU. So the way it materialized is that I broke all the records in just my first meeting in terms of participation. So just for context, usually the ITU is mostly Asia-based. So we have a lot of member states and companies from Asia: China, Japan, and Korea. And believe it or not, for example, China, when I came on board as the chair, asked me to promote SG 17 in the West because they need to have evidence that we are doing global standards. And I did, and very successfully. So in just six months I managed to get three net new sector members: Thales, the big French company; worldwide, Cognizant, 340,000 employees.
(18:17):
They have the chief AI officer and the CTO for AI at Cognizant worldwide. We have Amazon that just joined. And as well, we had three sector members that were sector members doing nothing special, like Google, that started to make their first work items and gave us all their AI security framework; Vodafone Group came strategically, just to drive strategically in SG 17 because they understand the value, what we can do for them and for the operator side; and Splunk started to realize that there are specific items they can work on. So these are just six names that were either net new or that have already started to produce work. Now, in addition to that, there are other records that we broke. At my first meeting we broke the record of participation, to 374 members. We broke the number of member states, to 57. We broke the number of contributions, 289. We broke the record of quality of contributions, as we had a limited number, that's good, a limited number of new projects, 46, and we established 40 of them because they were good. So I'm super happy and this is really a journey that is incredible for me.
Patrick Donegan, HardenStance Ltd. (19:27):
Let's talk about AI because it's a fabulous opportunity, but, let's use simple language, it's also potentially a kind of existential threat. So getting the security of AI right is a pretty important thing. Before we come to talk about what SG 17 is doing, let's just observe the fact that two of the foremost organizations in terms of standardizing AI security are ETSI and the ITU, both of which hail from a telecom background or represent the telecom industry. Given that all the leadership we are seeing in AI from a commercial perspective is coming from the private sector, having precious little to do with telecom, why is the telecom sector playing such a key role in standardizing AI and standardizing AI security in particular?
Arnaud Taddei, Broadcom & ITU-T SG17 (20:19):
Yeah, that's another great question. In fact, the telecom industry is at the forefront of a lot of what is the infrastructure of the future; it has the highway of the future, if I can make a very high-level view. So it's very natural that when it evolves, for example, take the self-healing networks and self-managed networks, they were looking for things that could help them automate. And it evolves very hard when you have to construct massive cloud infrastructure to get your 5G construct with SDN/NFV in between; you need to have a way to really automate that. And there was so much data that they started to see that machine learning and AI were good. And it started to evolve, evolve, evolve, with now gen AI and perhaps more importantly, agentic AI. So let me pause on agentic AI for a second. Agentic AI is exactly your LLMs on steroids with code.
(21:13):
And this creates agents, and basically you say, you bunch of agentic AIs are going to organize yourselves. You will have a master agentic AI as perhaps project manager, and it'll have specific things that we do: configuration of equipment, blah, or payments, or dealing with the customers and so on. That was one thing. The only thing was of course the customers. They are operators and network equipment providers for the operators, adding downstream customers B2C, B2B, B2B2B. So as all of them evolved to adopt AI, of course the telecom industry was at the forefront to actually get there. So they started to organize themselves to standardize AI this way. Right.
Patrick Donegan, HardenStance Ltd. (21:56):
And before we come to talk specifically about SG 17 and what you are doing in the AI security space, let's try and parse out a little bit the complementarity between what ETSI is doing from a security standardization perspective for AI, doing a lot, and what you guys are doing. What is the complementarity between ETSI and the ITU
Arnaud Taddei, Broadcom & ITU-T SG17 (22:14):
And security? Yes, that's a key problem at the moment. There is a lot of tension between SDOs at the moment for all sorts of other reasons. But let me start with something a little bit different on the context. Think about AI. So AI and machine learning, nothing new. We have done that for years if not decades. AI and machine learning have been in products for a long time. There was nothing very specific about it. The first trigger was gen AI. Gen AI started to really change the game because it created a tsunami wave that started to rise and rise and it basically started to already fall on all of us in a completely uncoordinated manner. So all of us started to get bottom up. All of these organizations are bottom-up, contribution-driven. So we started to see new resolutions in the ITU about AI. It was very hard to launch because this was new and emerging technologies and it was a debate between countries as they do damage control between themselves.
(23:06):
But at the same time we started to see a creep of AI work items coming. That was the premise when agentic AI arrived. That's something that I've never seen in my life. I've seen the beginning of the web. I was on the first web server when I was at CERN 32 years ago with Tim, but something like this I've never seen. So the tsunami is even bigger. And so it took us all by surprise, so we could not coordinate ourselves. So of course now we end up with difficulties between a couple of SDOs because they started work that is similar or overlapping. That's okay. And in fact, what we are doing is we're working to recognize where we have overlaps and work together on that. Now, for what is different, I would say ETSI, for example, has benefited a lot from the UK push, because the UK has a lot of advance; NCSC brought a lot of important pieces to seed.
(24:03):
That's great. And on our side, we had influence from others that came, like Cognizant, the newcomers, Google, with the colleagues from Alibaba, from Korea. And so we started to take another path. So what we realized is that we captured the community on our side, which has a lot of advance on agentic AI. And so SG 17 is working hard on security, digital identity, trust control plane, AI trust control plane. In fact, what we are doing, back to your previous question, what we recognize is that we are at the beginning of a new OSI model for AI.
(24:39):
The same effort we saw 40 years ago is happening on our side. So because we have this heritage that comes with us, this is what we are focusing on. And in fact, with ETSI, we started to collaborate with Scott Cadzow on the ETSI side and we participate in their meetings, and we are going to find solutions for when we have a problem, maybe common text or something.
Patrick Donegan, HardenStance Ltd. (24:58):
Scott, who's the ETSI lead in cybersecurity.
Arnaud Taddei, Broadcom & ITU-T SG17 (25:01):
Yes, yes.
Patrick Donegan, HardenStance Ltd. (25:01):
Yeah, yeah. Very good. So just to sum up the SG 17 mission in AI security,
Arnaud Taddei, Broadcom & ITU-T SG17 (25:07):
Right. So in fact, guess what? We even have a strategy, an SG 17 strategy for AI, that is pre-consensus. That's a document of 34 pages where we released our objectives, our SWOT, the analysis of the situation, what we should do, what we can do, how to reorganize our questions. So in my second plenary meeting, if people want to come, I'm happy to give invited expert passes for zero francs if they want, but it's going to be spectacular. We're going to launch a new question for AI, gen AI, agentic AI. We're going to merge the questions to make it better on identity management and digital identity. There are a lot of things that are going to happen. Think about delegation, for example, when the agents need to delegate to each other and the consent that goes with it and the data transfer that goes with it. So we have a lot at stake. I believe that we are going to move from six work items on AI in September 22, when I did my first meeting, and now we know that we have more like 10 or 12 minimum that are going to move as new projects. So we are clearly taking the lead for that part. However, we proactively made carve-outs for other SDOs to develop, because there is no way we're going to do all of that.
Patrick Donegan, HardenStance Ltd. (26:19):
Carve-outs?
Arnaud Taddei, Broadcom & ITU-T SG17 (26:19):
Yes, we prepared some carve-outs in our text to make sure that, for other SDOs, we were recognizing other SDOs' strengths, and so that we make sure of the gain of time. And in fact we are working with them; the IETF is the other one here. And the way to do it is liaison statements between ourselves to start to create awareness of what we do, and we participate in joint meetings. So I think there is a good triangle here between the IETF, ETSI and SG 17 that we could pursue, let alone SG 21, I must say, in the ITU, that is doing another part.
Patrick Donegan, HardenStance Ltd. (26:54):
Arnaud, thanks so much for a fabulous conversation. We live in a world where there's a lot of geopolitical friction, a lot of tensions. We had in mind having a conversation that would highlight the incredibly positive work that the ITU is doing to try to bridge some of those gaps in the cybersecurity domain. You've done an absolutely sensational job of advocating the work that you and your many, many colleagues around the world are doing. So thanks very much indeed for being with us and sharing some of the work that you're doing with us today. It has been terrific.
Arnaud Taddei, Broadcom & ITU-T SG17 (27:23):
Thank you, Patrick. It's always a pleasure working with you and thank you very much for giving me this opportunity.
Please note that video transcripts are provided for reference only – content may vary from the published video or contain inaccuracies.
Arnaud Taddei Broadcom & ITU-T SG17 Chair & Patrick Donegan, HardenStance Ltd
In a special video interview hosted by TelecomTV, Arnaud Taddei, global security strategist for the Enterprise Security Group at Broadcom and chair of the ITU-T’s security-focused SG17 (Study Group 17), talks to HardenStance founder and principal analyst Patrick Donegan. They discuss global cybersecurity standardisation at a time when the world’s leading nation states are weaponising the cyber domain against one another, getting to grips with standardising cybersecurity around AI, and evidence of greater engagement in SG17 by leading telcos and vendors in the networking and cybersecurity sectors.
Featuring:
- Arnaud Taddei, Global Security Strategist, Enterprise Security Group, Broadcom & ITU-T SG17 Chair
- Patrick Donegan, Founder & Principal Analyst, HardenStance Ltd
Recorded November 2025