XSTR.epoch

Why this document exists

The 2036–2038 cluster has been visible to the technical community for decades. The 2038 problem in particular has been well-documented since at least the 1990s. What has not previously existed is an institutional document of substantive depth that maps the cross-sector exposure, develops the analytical framework for thinking about the cluster as a coordination problem rather than as a collection of discrete engineering problems, and articulates what response options are available given the timeline remaining.

XSTR.epoch was written to be that document.

The decision to develop the work through ITU-T reflects a specific institutional judgment call: that international coordination on a problem of this scale requires a forum with the standing to convene member states, the institutional weight to engage with adjacent standards bodies and regulatory authorities, and the structural mandate to address risks that cross sectoral and jurisdictional boundaries. ITU-T is one of a small number of institutions positioned to do this work.

The Technical Paper format was chosen because it permits substantive analytical development without the consensus-formation requirements of an ITU-T Recommendation. The document does not establish new technical standards; it provides the analytical groundwork on which subsequent standards work, regulatory engagement, and operational planning can rest.

The document sits within the institutional frame established by the expert report When Digital Systems Fail, co-published 5 May 2026 by ITU-T, the United Nations Office for Disaster Risk Reduction (UNDRR), and Sciences Po Paris School of International Affairs, with a foreword by the ITU Secretary-General. That report identified non-intentional digital disruption as a distinct risk category that current cybersecurity and resilience frameworks address only partially, and surfaced invisible cross-sector substrate dependencies as the foundational structural condition. XSTR.epoch develops the calendar-deadline-specific instance of that broader category.

Who it is for

The document is written for multiple audiences engaging at different layers:

• Standards bodies and regulators developing technical guidance or regulatory frameworks that touch on the 2036–2038 cluster — including national CERTs, sector-specific regulators, and international coordination forums.
• Critical infrastructure operators across the thirty-one sectors surveyed in §10, who need to understand the cluster’s exposure characteristics for their own sector and the adjacent sectors their operations depend on.
• Researchers and academics working on adjacent problems in distributed systems, resilience engineering, safety-critical systems, and the broader study of complex socio-technical infrastructure.
• Journalists and policy analysts seeking to understand the structural conditions of the cluster as a coordination problem, beyond the engineering-puzzle framing that the popular treatment of the 2038 problem has historically used.

The document is not written for a general audience and does not assume general-audience reading. It assumes familiarity with technical infrastructure vocabulary and with the institutional context of standards bodies. Readers approaching it for the first time are directed to the Reader’s Guide in §4, which provides a sectioned overview of what each major part of the document develops and how to navigate the cross-references.

The §10 cross-sector exposure survey is the document’s primary empirical contribution. It maps thirty-one sectors against an established taxonomy of industrial infrastructure (Hayes, 2005/2014), with each sector’s regulatory, lifecycle, and supply-chain conditions developed as the basis for understanding why 2036–2038 exposure is structurally distinctive in that sector. Five sectors are fully developed in prose in the current revision; the remainder are stubs anticipated for development in Revision 2. Readers in specific sectors may want to begin with the section relevant to their own work and follow cross-references outward.

The thirty-one sectors

The §10 cross-sector exposure survey maps the following sectors against the Hayes (2005/2014) infrastructure taxonomy, with the regulatory, lifecycle, and supply-chain conditions distinctive to each. Five sectors are fully developed in prose in the current revision; the remainder are stubs anticipated for development in Revision 2.

1. Telecommunications Networks
2. Financial Systems
3. Defense and Munitions
4. Electric and Connected Vehicles
5. Implantable and Hospital Medical Devices
6. CSIRT/PSIRT/CERT Coordination
7. Emergency Services Operations
8. ICS/OT Environments
9. Cloud and ICT Infrastructure
10. GNSS-Dependent Services
11. Space Infrastructure
12. Broadcasting and Emergency Alerting
13. Government Services and Public Administration
14. Insurance and Reinsurance
15. Epistemic Coordination Layer
16. Buildings and Built Environment
17. Manufacturing and Industrial Production
18. Logistics and Distribution
19. Mining and Extraction
20. Water and Wastewater
21. Food and Farming
22. Oil and Gas
23. Power Plants
24. Power Grid
25. Vehicles and Traffic Infrastructure
26. Railroad
27. Bridges and Tunnels
28. Aviation
29. Shipping
30. Wastes and Recycling
31. Biological Research and Pharmaceuticals

The §10.31 placement of Biological Research and Pharmaceuticals at the end of the survey reflects editorial expedience under late-cycle reviewer engagement, not analytical priority. Future revisions are anticipated to relocate the section to the position its substantive importance warrants.

How it was written

XSTR.epoch is collaborative work undertaken across the ITU-T Study Group 17 community and the broader Forum of Incident Response and Security Teams (FIRST) Time Security Special Interest Group. The work has been carried, in some form, for over a decade by the FIRST community and by adjacent researchers who recognised early that the 2038-class events would require coordinated response.

The document grew from a 30-page work-item proposal approved at the December 2025 SG17 plenary to its current 100-page form across approximately five months of editorial development and reviewer engagement. The growth reflects substantive contribution from a community of practitioners who showed up to do the work voluntarily, on their own time, because the work mattered to them.

The work is being done. The work continues.

The longer-arc work of which XSTR.epoch is one component includes the development of the Sharla Perrine Memorial Internet Resiliency Study (a research programme in scoping), the formation of the Stichting Horus Foundation (a Dutch public-interest foundation, in formation), and the continued maintenance of the FIRST Time Security Special Interest Group. Information on those efforts will be published as they progress.

What happens next

Revision 1 was submitted to SG17 on 18 May 2026 and will be reviewed at the SG17 plenary scheduled for 1–10 June 2026 in Geneva. Revision 2 is anticipated for the December 2026 SG17 plenary, incorporating:

• Further development of the sector stubs in §10
• Translation into other ITU official languages
• Additional diagrams to support the analytical framework
• Refinements based on reviewer engagement across the intervening months

Substantive reviewer engagement before December 2026 can be incorporated into Revision 2. Engagement is welcomed from the institutional audiences listed above, particularly from sector practitioners in domains where the current revision’s treatment is stub-form and would benefit from sector-specific expertise.

The editors can be reached via the FIRST Time Security Special Interest Group or directly through Proper Tools.

A note on handling

The document is currently in pre-publication state under ITU-T review. Drafts shared with external reviewers are circulated under TLP:GREEN handling pending formal publication by ITU-T. This background page is TLP:CLEAR and is offered as a public artefact for readers who need orientation before deciding whether to engage with the document itself.

Information on access to the document can be requested through the channels above.