OCSF is a work item in formal international standardisation at the International Telecommunication Union (ITU) #8

Open
taddhar opened this issue Sep 29, 2023 · 0 comments

taddhar commented Sep 29, 2023

Recognising that I am sharing this information very late for a vast number of well justified reasons and circumstances, the fact is that OCSF is a work item in formal international standardisation at the International Telecommunication Union (ITU).

This discussion point provides some background information, shares some learnings and seeks feedback.

Some historic background

Indeed, at the time that Symantec created the ICDx schemas, it was agreed at the highest level of the company, back in 2019, to offer the ICDx schemas for international standardisation at the ITU, to be precise in the ITU-T sector, in Study Group 17 (Security), in Question 15, in what is called the incubation queue. Symantec presented a contribution to establish X.icd-schemas and was successful at the SG17 meeting in September 2019. The work item was developed in a few iterations until the Broadcom acquisition forced a pause.

Why the ITU?

Perhaps few people know the ITU, but everybody knows X.509 as the Recommendation of the worldwide Public Key Infrastructure. X.509 and its companions X.500, X.508, X.510, as well as ASN.1, are all developed at the ITU-T in Question 11 of SG17.

The ITU is by and large the oldest international standards body and it is owned by all the administrations of the world. This is the place where all the key constituencies of this world (Administrations, Business, Academia and Civil Society) work and negotiate on a vast spectrum of objects, in particular standards called Recommendations.

There are a few key benefits of having standards at the ITU, e.g. worldwide exposure through a global membership, translated in 6 languages, free of charge, and seen by all the Regulators in the world, increasing chances for a standard to be picked in a Regulation through the so-called Harmonisation process (when a regulator picks a certain set of standards for a given Regulation).

Symantec has a good experience of SG17 and has Vice Chairmanship level under the UK Delegation.

The move to OCSF

When OCSF was launched it gave the signal to continue the work at the ITU and some considerations led to new iterations to this work. SG17 looked at the new situation and had consensus that:

  • At this stage it is too early to change X.icd-schemas into X.ocsf
  • OCSF is not a legal entity so there is no way to establish formal agreements between OCSF and ITU
  • There is value in keeping the development of X.icd-schemas through Symantec by Broadcom
  • SG17 can provide good feedback to OCSF

How to overcome the difficulty to keep the schemas in JSON in GitHub into a Word format

One difficulty, though, was how to keep the schemas in JSON in GitHub into the ITU format … based on Word. No need to mention that, given the welcomed dynamicity of OCSF development, it became close to impossible to synchronise changes in a Word format with a regimentary procedure on revision marks.

Fortunately, in the vein of developing what is called SMART standards as both Human and Machine readable, a markdown format was developed called Metanorma. The latter allows one to create ‘adoc’ formatted files and then to render them in ITU, ISO, IETF, etc. formats. This is very convenient because it allows one to script texts as input texts to produce a format on the fly.

This is how we proved that it was possible to create a GitHub repo with Metanorma, and we tested how to keep the OCSF dictionary in sync with its ITU format. This is developed as open source by the company Ribose. This could actually participate in a much bigger change over time at the ITU but for the moment:

  • An experimental revision of the text with a script to synchronise the JSON format in metanorma and then render it in ITU format worked successfully on the dictionary section of OCSF
  • SG17 agreed to pursue the experiment and a) create an ITU level GitHub repo and b) extend the test to the whole of OCSF c) generate the next new baseline text with this solution

However some problems on the horizon

Whilst successfully developing this path, something happened in parallel: STIX and TAXII, 2 OASIS standards, were brought for ratification at the ITU but faced an unexpected significant issue. Indeed, the Russian Federation opposed their determination based on the fact that the text contains words that are thought by RF as inappropriate for a United Nations organisation such as the ITU, e.g. threat actor labels such as Religious, Human Rights, Nation States, Spy, etc., which is causing 2 issues for OCSF at the ITU:

  • The web-category lists many tags that will create emotion: ‘pornography’, etc.
  • The concept of threat actor could in itself be questioned.

Whilst formally the Russian Federation opposition couldn’t block the determination, it simply promises a very complicated last call.

The second issue is a matter of judgment: as some critical OASIS standards are being brought and will continue to be brought at the ITU, this posed the question of whether it is wise to make a straight synchronisation of OCSF as GitHub to the ITU OR shall we, as the overall concerned parties, consider for OCSF to make ‘a step’ in another SDO, e.g. OASIS. The big advantage is that

  • This would allow an ‘immersion’ of OCSF in a bigger context and seek harmonisation with other standards: STIX, TAXII, CACAO, OpenC2
  • This would make the overall outcome even more ‘exposed’ and improved
  • This would not stop anything at the ITU

Conclusions

So this discussion point is to

  • Disclose an important fact that OCSF is already under international standardisation at the ITU
  • This will bring many benefits to OCSF
  • An elegant solution was found to technically synchronise the standards
  • SG17 can provide good feedback to OCSF
  • And some feedback arrives already with the sensitivity of some concepts and labels in the ‘much much bigger world’ of the ITU
  • As well some steps could be envisioned for little complications and even greater benefits

This discussion point seeks feedback
