
PROCEEDINGS OF THE OECD WORKSHOP:

“INFORMATION SECURITY IN A NETWORKED WORLD”

Tokyo, 12-13 September 2001

Conference jointly organised by

The Organisation for Economic Co-operation and Development (OECD) and the Government of Japan (GOJ)

with support from the Information-Technology Promotion Agency (IPA), Japan


ACKNOWLEDGEMENT

The OECD would like to thank the participants, and in particular the Chair, moderators and speakers at the Workshop and the hosts who made this Workshop possible with their generous support, namely, the Government of Japan and the Information-Technology Promotion Agency of Japan. We would also like to thank our Rapporteur, Mr. Lorenzo Valeri, for his assistance in the preparation of these proceedings.

Copyright OECD, 2001

Applications for permission to reproduce or translate all or part of this material should be made to:

Head of Publications Services, OECD, 2 rue André-Pascal, 75775 Paris Cedex 16, France.


PROCEEDINGS OF THE OECD WORKSHOP: “INFORMATION SECURITY IN A NETWORKED WORLD”

TABLE OF CONTENTS

CHAIRMAN’S STATEMENT

AGENDA OECD WORKSHOP: INFORMATION SECURITY IN A NETWORKED WORLD

WORKSHOP REPORT

ANNEX I SPEAKERS’ BIOGRAPHIES

ANNEX II FINAL PARTICIPANTS LIST

ANNEX III KEYNOTE ADDRESSES


CHAIRMAN’S STATEMENT

Background

1. With the generous support of the Government of Japan, an OECD Workshop entitled “Information Security in a Networked World” was successfully held on 12 and 13 September 2001 in Odaiba, Tokyo.

2. This Workshop was jointly organised by the OECD and the Government of Japan with support from the Information-Technology Promotion Agency (IPA) of Japan.

3. The objectives of the Workshop were to assess developments affecting information security in the Internet era and explore the roles of the stakeholders, both national and global, in creating a secure cyberspace environment for all users of information and communication technologies.

4. The Workshop brought together a wide range of representatives from government, enterprises and society at large, from both within and outside the OECD membership. About 250 people gathered from 24 countries around the world. As well as government and business representatives, consumers, user groups and security experts were also represented.

5. The Workshop was held back-to-back with the GBDe (Global Business Dialogue on Electronic Commerce) at the same venue on Friday 14 September, to improve synergy between national administrations and the business sector.

The current position

6. In the decade since the adoption in 1992 by the Council of the OECD of a Recommendation regarding Guidelines on the Security of Information Systems, the economies and societies of the OECD Member countries have become increasingly dependent on the availability, reliability and security of information and communication systems and networks.

7. Network technologies, typified by the Internet, and changing business practices, including electronic commerce, have transformed the economic and social importance of information and communication systems since the security guidelines were last formally reviewed in 1997. Viruses, hacking, computer crime and other cyber-threats have become high priority policy concerns. Co-operation between governments and private sector entities is crucial.

8. Completion of the current review is therefore becoming increasingly urgent.


The Workshop outcome

9. Government and private sector representatives and other stakeholders exchanged and shared information, knowledge and opinions through the Workshop. The focus was on current and potential developments affecting the security of information systems in a world characterised by global ubiquitous networks, notably the Internet. Recent evolution in the perceived threats to information security and their implications for strategies and government policies was taken into account. Mobile communications and other technological trends that may affect our society were also considered. Valuable progress was made by the participants towards a common understanding on the nature of the threats, policies and approaches to be taken.

10. The results of the Workshop are expected to influence policy thinking in many fora concerned with this issue. In particular the discussions are expected to contribute significantly to the review of the 1992 OECD Guidelines currently being undertaken by the Working Party on Information Security and Privacy, for completion in 2002 with the interests of all the stakeholders kept very much to the fore.

Peter Ford

Chairman

13 September 2001


AGENDA

OECD WORKSHOP: “INFORMATION SECURITY IN A NETWORKED WORLD”

Tokyo, 12-13 September 2001

Conference jointly organised by

The Organisation for Economic Co-operation and Development (OECD) and the Government of Japan (GOJ)

with support from the Information-Technology Promotion Agency (IPA), Japan

DAY 1: Wednesday, 12 September 2001

12.00-13.00: REGISTRATION

13.00-13.30: Opening Address

Opening: Mr. Peter Ford, Chair of the OECD Working Party on Information Security and Privacy (WPISP)

Opening Addresses

Mr. Keiji Furuya, Vice Minister, Ministry of Economy, Trade and Industry, Japan

Mr. Michael Oborne, Deputy-Director, DSTI, OECD

13.30-15.00: Plenary Session 1

The Shape of the Next-Generation Internet: New Threats and Issues

Chairman: Mr. Peter Ford

Keynote addresses

Mr. Peter Ford, Chair of the WPISP

Mr. David Gross, Special Advisor, US Department of State

Mr. Michio Naruto, Special Representative, Fujitsu Limited

Mr. Vinton Cerf, Senior Vice President, WorldCom, Inc., (Video Presentation)


Followed by open discussion

What kind of information society should the OECD Security Guidelines address? What developments should we focus on in the future?

How do we assess current threats to the information society? What qualitative and quantitative changes do we need to take into account with regard to threats in the future when the environment surrounding societies changes with information technology, such as increasing reliance on the Internet, mobile communication and electronic media?

What are the problem areas in the role of the OECD Guidelines and the issues to be addressed by the OECD Security Guidelines in the coming information society?

15.00-15.20: Coffee break

15.20-17.00: Plenary Session 2

Information System: New Threats, New Responses

Panel Discussion

Chairman: Mr. Peter Ford

Panellists

Mr. Thomas Longstaff, Manager, CERT

Ms. Betty Shave, US Department of Justice

Mr. Alexey Scherbakov, First Deputy Minister, Ministry of Communication and Informatization, Russia

Mrs. Cindy Rose, Managing Director, Walt Disney International, UK

Prof. Suguru Yamaguchi, Nara Institute of Science and Technology, Japan

Mr. Detlef Eckert, Head of Unit, European Commission

Followed by open discussion

Do we really understand the new threats? Are our responses adequate?

What is the current status of threats and vulnerabilities of information systems with regard to their impact on economics and society? Have we defined current threats properly? Are they only viruses and attacks on computer systems, or should we address threats against infrastructure, procedures and organisation, confidence etc.? Can we combat these problems with our existing resources?

How can we ensure protection of essential infrastructures from such attacks in a society that is highly dependent on the Internet, telecommunication and data processing devices?

How can we ensure IT governance with appropriate economic effectiveness?


17.00-18.30: Plenary Session 3

Electronic Commerce: Infrastructures for Reliability and Security

Panel Discussion

Chairman: Mr. Peter Ford

Panellists

Mr. Shuichi Inada, Director, Ministry of Public Management, Home Affairs, Posts and Telecommunications, Japan

Mr. Alessandro Luciano, the Commissioner of the Authority for Communications of Italy

Ms. Tuire Saaripuu, Population Register Center, Finland

Mr. Peter Lübkert, OECD ITN

Mr. Peter Ferguson, Industry Canada

Followed by open discussion.

How can we construct a reliable global information society and facilitate electronic commerce?

Ensuring information security and establishing reliable electronic services

How can specific technologies/schemes of authentication such as PKI contribute to the pattern of the global information society?

How will we promote reliable information transmission as we approach an era when large volumes of important data such as personal information will be transmitted?

Who are the main players in information transmission (ISPs, network operators, public authorities, users etc.) in de-centralised networks and what are their respective roles and responsibilities? How can we establish a symmetry of information among stakeholders?

19.00: Networking cocktail party (buffet)


DAY 2: Thursday, 13 September 2001

9.00-12.30: Parallel Tracking Sessions (sectional meetings, panels)

Participants will consider the factors that contribute to information security in two concurrent tracking sessions. Each of the tracking sessions will consist of three panellists. The discussion will be interactive.

Track A Moderator: Mr. Mikael Kiviniemi, Ministry of Finance, Finland

09.00-10.00: [Technology trends in Information Security]

Panellists

Mr. Peter Harter, Vice President, Securify

Mr. Chester Soong, International Information Systems Security Certification Consortium (ISC)²

Mr. Yuji Inoue, Senior Vice President, NTT Data Corporation

10.10-11.20: [Management & human factors]

Panellists

Mr. Akira Saka, Director, National Police Agency Japan

Mr. Peter Lübkert, OECD ITN

Mr. Koji Nakao, Senior Manager, KDDI R&D Laboratories Inc.

Prof. Chris C. Demchak, University of Arizona, U.S.

11.30-12.30: [Role of Technical Standards]

Panellists

Prof. Kenji Naemura, Keio University, Japan

Mr. Oiva Karppinen, Nixu

Mr. Bernhard Reiter, Intevation GmbH


Track B Moderator: Prof. Masao Horibe, Chuo University, Japan

09.00-10.00: [Security and education/ethics]

Panellists

Ms. Kimberley Claman, Vice President for Global Affairs, Information Technology Association of America

Ms. Jungran Suh, Deputy Director of Information Ethics & Privacy Protection Division, Ministry of Information and Communication, Korea

Mr. Brooke Holmes, US Department of State

Mr. Maximillian Dornseif, Security Expert, Germany

10.10-11.20: [Policy & legal issues including privacy protection]

Panellists

Ms. Anne Carblanc, Principal Administrator, OECD

Mr. Masami Muromachi, Lawyer, Tokyo Marunouchi Law Office

Mr. David Fares, Director, Electronic Commerce, USCIB and BIAC

Ms. Naja Felter, Policy Officer, Consumer International

11.30-12.30: [Exchange of Information on Best practices]

Panellists

Mr. Dave McCurdy, President, Electronic Industries Alliance US

Mr. Holger Reif, TeleTrust Deutschland

Mr. Jonathan Doherty, Chubb Corp

Mr. Adzman Musa, Prime Minister’s Department, Malaysia

12.30-14.30: Lunch


14.30-16.00: Plenary Session 4

Action for Information Security: The Roles of the Stakeholders

Panel Discussion

Moderator Mrs. Patty Sefcik, Director, US Department of Commerce

Panellists

Mr. Bertrand Cousin, Vivendi Universal

Mr. Hidetoshi Ohno, Director, Ministry of Economy, Trade and Industry, Japan

Ms. Betty Shave, US Department of Justice

Mr. Katsumi Hoshino, Professor, Tama University, Japan

Mr. John Dryden, Head of Information, Computer and Communications Policy Division, OECD

Followed by open discussion

What are the respective roles of the government, business, the community, individuals and international fora? What is the role that the OECD Security Guidelines should play? What should the OECD concentrate on?

What should each of the players do in order to build a reliable information society? What are the implications for privacy protection?

Is there a need for international collaboration and co-operation? What, concretely, should this consist of? What are the prerequisites for achieving effective international co-operation?

What international or multilateral instruments are needed?

16.00-16.20: Coffee break


16.20-17.30: Plenary Session 5

The OECD Security Guidelines in the Networked World

Panel Discussion

Chaired by Mr. Peter Ford, the Chairman of the Workshop

Panellists

Mr. Takaya Ishida, Vice-Chairman of the Business and Industry Advisory Committee to the OECD (BIAC), ICCP Committee

Mr. Peter Harter, Vice President, Securify

Mr. David Herson, OECD consultant

Prof. Masao Horibe, Chuo University, Japan

Mr. Mikael Kiviniemi, Ministry of Finance, Finland

Mrs. Patty Sefcik, Director, U.S. Department of Commerce

What are the important issues in the review of the OECD Security Guidelines?

What inputs are needed for future work?

Chairman’s Statement

17.40: Release of Chairman’s Statement to the Press


WORKSHOP REPORT

Day One 12 September 2001

Opening Address

Chair: Peter Ford, Chair of the OECD Working Party on Information Security and Privacy (WPISP)

Opening Address:

− Keiji Furuya, Vice Minister of Japan’s Ministry of Economy, Trade and Industry (METI)

− Michael Oborne, Deputy-Director of the Directorate for Science, Technology and Industry (DSTI), OECD

11. Mr. Peter Ford opened the Workshop by calling upon the delegates to mark a minute of silence to commemorate the victims of the terrorist attacks in the US. Following his appreciation for the support provided by the Japanese government and Japan’s Information-Technology Promotion Agency (IPA) in hosting this meeting, Peter Ford highlighted the goals of this workshop. He asked participants to identify the stakeholders and the human, social and technical challenges related to information security. He recalled that society as a whole has been moving toward paperless environments. This should always be kept in mind when addressing information security, the Internet and the information society as a whole.

12. The floor was then taken by Mr. Keiji Furuya. He began by highlighting how information and network technologies have been so beneficial to individuals and organisations, as exemplified by tele-medicine and electronic government. He then moved on to examine the growing success of business-to-business (B2B) and business-to-consumer (B2C) electronic commerce. In Japan, he emphasised, electronic commerce was already estimated at around 22 billion JPY. He warned, nevertheless, that these new socio-political and commercial developments could not be sustained without trust and confidence, which computer viruses, hacking, and other malicious activities were undermining. Information security, consequently, was to be a major factor for the socio-political and economic developments brought by the new information and communication technologies.

13. Mr. Furuya then moved on to review the activities of the OECD in the information security domain. He recalled the importance of the Guidelines for the Security of Information Systems in 1992, as well as of the Guidelines for Cryptography Policy in 1997. These documents highlighted the OECD’s historical and pivotal role, which is set to continue in the future. One of the OECD’s main achievements, he argued, has been the ability to sponsor open debates and discussions involving not only government officials, but also industry and other stakeholders. This aspect is fundamental in light of the need for industry and governments to co-operate and work together. As the need for this private-public interaction continues to grow, the OECD is expected to play a pivotal role.

14. The last part of the presentation provided an overview of Japan’s actions related to information security. He assured the audience of Japan’s keen interest in the security and reliability of its information infrastructures for the country’s economic and social well-being. In recent months, a national plan had been introduced, as well as a set of specific information security guidelines. Japan is also concerned about its citizens’ online privacy. The Diet, Japan’s parliamentary assembly, is presently considering legislation in this domain. In the meantime, specific guidelines have been issued to safeguard citizens and direct public and private institutions.

15. Mr. Michael Oborne delivered the second opening address. He briefly touched upon some of the previous speaker’s points. He then moved on to emphasise that the OECD has a membership of 30 countries, with whom it is in constant consultation to reach consensus. The new socio-economic conditions, however, have led the OECD to open its activities also to businesses and several non-governmental organisations, other international institutions, such as Asia-Pacific Economic Cooperation (APEC), and non-member governments. These constituencies were represented at the Workshop.

16. Mr. Oborne then clarified the Workshop’s objectives. He believed that the large array of expertise among the audience boded well for discussions and analysis. The Workshop, in particular, was to explore the new frontiers of information security by looking at issues such as technological innovation, new threats, countermeasures, as well as the role of governments, industry and other stakeholders. These debates would feed directly into the more formal process concerning the future of the Guidelines for the Security of Information Systems.

Plenary Session 1: The Shape of the Next-generation Internet: New Threats and Issues

Chairman: Peter Ford, Chair of the OECD Working Party on Information Security and Privacy (WPISP)

Keynote Addresses:

− Peter Ford

− Michio Naruto, Special Representative, Fujitsu Ltd.

− David Gross, Special Advisor, US Department of State

− Vint Cerf, Senior Vice President, WorldCom, Inc.

17. Peter Ford opened this session by detailing the main issues confronted by the OECD’s Working Party on Information Security and Privacy (WPISP) in assessing the viability of the Security Guidelines and considering possible modifications. He started by detailing the privacy-security relationship from a consumer’s perspective, arguing that, while an individual considers privacy as his or her right and thus calls for regulation, security is seen as part of the contractual arrangement with an e-business. These discrepancies, argued Peter Ford, highlighted the major difficulty of devising regulations addressing both issues.

18. Notwithstanding the previous general difficulties, information security presented specific problems in light of the Internet’s global nature and the difficulty of assessing threats and risks. This variety has created confusion as governments struggle to assign responsibilities within national administrations. WPISP has been looking at these difficulties when considering how to address the Guidelines. First, the Working Party has been looking at ways to foster public-private partnerships and address information security concerns. Particular attention has also been directed to tracking the obstacles to information exchanges about threats, risks and serious failures. There have also been considerations about how to confront the chronic lack of information security expertise and, at the same time, sustain research and development. Finally, there was the need to balance privacy concerns and security requirements.

19. Peter Ford concluded with some personal views on the role of governments and industry. Governments are expected to provide leadership, policy co-ordination, and expertise in national security and law enforcement, while working on a global scale to curb cyber crimes. They should also act as role models by protecting their own systems, while raising awareness and sponsoring education and research. Industry, argued Peter Ford, has a major responsibility in this domain since it includes the main owners and operators of information infrastructures. Companies have been called upon to invest in research and development and provide users with new technologies and solutions to match new risks and threats. The two sides, nevertheless, were strongly invited to co-operate and exchange information since they both would benefit from more trust and confidence towards the Internet and the information society as a whole.

20. David Gross was the next speaker. He apologised for having to limit his remarks under the circumstances. Still, he invited the audience to keep in mind these major points when examining information security policy responses. First, it is extremely complicated to predict the Internet’s future since technologies and processes change dynamically. It was important, therefore, to identify the principles. IT and network technologies and services are flexible, but it is still necessary to try to build security directly into them instead of resorting to post-facto patches. Industry, therefore, should lead while governments are to facilitate, not impose, information security processes. Nevertheless, no one nation can do this alone. A multinational effort is strongly required, which implies the sharing of information and best practices.

21. Michio Naruto addressed some of industry’s overall concerns and needs in the field of information security. He began by listing the characteristics of a cyber society and suggested a definition of “info-security”, which combines national security/law enforcement concerns with security in an individual’s private life and in general economic activities. He then moved on to define the stakeholders and, more importantly, the relationships among them. Governments are to devise policies, address law enforcement concerns and provide support for education, research and standards. The main beneficiaries of these initiatives are industries, which are to repay with research and development and correct security management. Industry, nevertheless, is also to devise products and tools whose functionality matches the needs of consumers, the third major stakeholder in a cyber society. Consumers should use these tools and, if necessary, resort to governments for guidance and education. They should also interact with industry to express their concerns and needs and receive appropriate support. These three stakeholders, finally, should join forces in sharing information. Mr. Naruto suggested looking at the activities of computer emergency response teams (CERTs) and information sharing and analysis centres (ISACs).

22. The final part of the presentation focused on his views on the OECD’s role. The OECD should provide guidelines for policy making and support these initiatives with solid economic analysis. Moreover, it should act as a co-ordinator among the stakeholders and with other international initiatives launched under the aegis of the G8 and other bodies.

23. The session closed with a video presentation by Vint Cerf. He began by congratulating the OECD on its work and efforts and confirmed WorldCom’s support for its cyber security activities. He then defined the term “cyber security” as the combination of technical measures and policy decisions aimed at supporting consumer confidence in the Internet. Nevertheless, this focus on consumer confidence presented a series of policy considerations and dilemmas for governments, industries and individuals. He developed his arguments by highlighting some concerns and issues related to certification and cyber crime.


24. Concerning certification, he warned about the impact on consumers’ confidence of too many certificates resulting from different technical and legal requirements. This proliferation of certificates is bound to confuse consumers. Second, there was the issue of certificate interoperability. He called for mutual recognition or cross-certification processes. The OECD, argued Vint Cerf, could assist in bridging the information gap between governments, industries and individuals and support standardisation activities.

25. Concerning cyber crime, Vint Cerf emphasised the difficulty of balancing law enforcement needs with the protection of consumers’ privacy and the obligations imposed on Internet service providers. In particular, he discussed three specific areas where the OECD can contribute. First, there was the issue of technical difficulties and costs associated with legislative measures. The second area of contention was the need to find consistency, both among jurisdictions and within existing standards, to comply with law enforcement needs and requirements. Finally, he addressed the need to find equilibrium between the twin goals of due process for end-users and immunity for intermediaries which duly follow law enforcement’s instructions.

26. Finally, Vint Cerf invited the OECD to foster education and awareness about the risks of broadcasting data, as well as to catalogue international and national activities, since many national activities “may very well be too far divergent to lead to effective solutions to what is truly a global problem”.

27. After the presentation, a question and answer session began. A general comment from the audience was made about the need to involve consumers’ interests. It was remarked that consumers are confused about technologies and, therefore, have limited trust and confidence. Particular concerns were raised about online privacy.

28. The panel responded by agreeing with these comments. Consumers should be made aware of the risks of the online world through appropriate education and awareness initiatives. However, when examining privacy concerns, it is also necessary to look at several cultural and social factors. Still, privacy and security have very strong similarities.

Plenary Session 2: Information System: New Threats, New Responses

Chairman: Peter Ford

Panellists

− Thomas Longstaff, Manager, CERT, US

− Betty Shave, Computer Crime and Intellectual Property Section, US Department of Justice

− Alexey Scherbakov, First Deputy Minister, Ministry of Communication and Informatization,Russia

− Cindy Rose, Managing Director, Walt Disney International, UK

− Suguru Yamaguchi, Nara Institute of Science and Technology, Japan

− Detlef Eckert, European Commission

29. Thomas Longstaff opened this session by providing a detailed overview of what he consideredto be the new trends and responses. He started by stating that the number of incidents and vulnerabilities

Page 17: PROCEEDINGS OF THE OECD WORKSHOP: “INFORMATION … · developments affecting the security of information systems in a world characterised by global ubiquitous networks, notably

17

has been steadily rising over the years. Meanwhile, limited technological knowledge allows intruders toperform more complex attacks against information and networks systems. More importantly, newtechnology allow for better offensive and intrusive tools to be developed.

30. Notwithstanding these developments, he cautioned the audience about the fact that new threatsare not just hacking or intrusions. While ten years ago systems were the main target, malicious actors arenow using hacking tools to carry out sophisticated and co-ordinated attacks. More importantly, motivationshave changed to include also specific political objectives, as confirmed by an analysis of several sets ofdata collected and analysed by CERT/CC.

31. During the last section of the presentation, Longstaff presented his views on the future ofinformation security. Although risks are increasing, he remarked that only a limited number of people arelooking at the Internet and, in particular, information security. This was confirmed by the fact that the ratioof incident response capability per single Internet user has been declining. This state of affairs does notbode well for the future. More importantly, it may affect the capability of protecting critical informationinfrastructures, which are increasingly under attack. These risks are then augmented by the fact thatsoftware is undergoing less stringent development and testing processes before being sold into the market.

32. Betty Shave started by introducing her institution, which prosecutes cyber crimes and providesassistance to the FBI national field offices, as well as police forces around the world. The activities haveplaced Betty Shave in a good position to examine new trends and risks. She started by emphasising thatcyber crime is not only more international, it is also becoming more professional and politically motivated.Although there has been a significant increase in awareness, Betty Shave remarked that companies are stillfar from being ready to tackle online risks. They still look for new functionality with security as a post-facto requirement. In order to curb these risks, she called for a stronger involvement of the accounting,insurance and legal industry, as well the need for public-private partnerships and information exchanges.

33. Alexey Scherbakov introduced Russia’s perspective on information security. He opened his remarks by emphasising the Internet’s growing popularity in Russia. Information security, nevertheless, is a major concern for the Russian government. In 2000, the President of the Russian Federation approved the Information Security Doctrine, listing the political aims, objectives and trends in this area. Still, information and telecommunication networks have not yet been sufficiently protected from the main threats to information security.

34. Due to the global nature of the Internet and cyber crime, Alexey Scherbakov called for stronger international co-ordination. The international community, first, should prohibit the development, proliferation and application of so-called “information weapons”, while fostering information exchanges about new risks and trends. There should also be stronger co-ordination against cyber crimes and unauthorised access to confidential information in international banking, commercial and law enforcement networks. He then called for threat classification and legislative harmonisation.

35. He concluded by pledging Russia’s support for these international efforts. The country has the technical capabilities, as exemplified by the fact that several Russian information security tools are on a par with other products. However, a global effort is needed and, consequently, Russia is ready for constructive engagement in the framework of the OECD.

36. Cindy Rose presented the security concerns of her company, which are similar to those of other companies whose business model is centred on content development and distribution. These companies fully appreciate the risks of operating over the Internet and, thus, the need for information security. Nevertheless, she remarked on the lack of appropriate solutions to protect against the theft or misuse of copyrighted material distributed online. She called for open and flexible standards to address these issues. Governments should support them, since industry is not yet ready to go down this road. Similar activities should also be directed at devising common legal responses. As a first step, countries should implement the World Intellectual Property Organisation (WIPO) treaty.

37. Cindy Rose concluded by voicing her disappointment that the recent communication on network security from the European Commission did not address copyright violations. Cyber crime is not only about the protection of critical infrastructure; it also involves the stealing or misappropriation of copyrighted material. Privacy, finally, was also a primary concern for Walt Disney, and the company is ready to support the development of initiatives in this area.

38. In his presentation Prof. Suguru Yamaguchi called upon governments and industry to tap into the expertise of the academic community. Since technology is at the heart of today’s information society, academia can provide guidance. Still, the Internet is changing and so are its technologies. Consequently, he invited participants to look at ways to modify some of the Internet’s fundamentals. For example, better operating systems might address some recurring risks and failures, such as buffer overflows.

39. Prof. Yamaguchi remarked on the limited security consciousness of users and software developers. Industry was still looking for more functionality instead of tackling security issues and concerns. It is time, argued Prof. Yamaguchi, that industry put security at the heart of IT technical and managerial solutions, although this might raise prices. However, improved general trust and confidence would allow these price increases to be recouped.

40. He concluded his presentation by calling on governments to increase investment in education and in research and development, and to devise reasonable regulations. He emphasised again that academia can assist in explaining the technology and the new trends.

41. Detlef Eckert was the last speaker of this session. He started by providing a historical overview of the activities of his institution in the area of information security. Several research and development programmes have received substantial financial support to examine issues directly related to information security. He then detailed the Commission’s present objectives by listing several official documents dealing with data protection, electronic commerce, electronic signatures and security evaluations.

42. He devoted the last slides of his presentation to the recent communication on network and information security. This document, which sets out the Commission’s present approach, focuses on issues such as awareness raising, early warning and information sharing, and research and development. He stated that the Commission is planning to devote over EUR 40 million to security and is strongly supporting market-led standardisation processes. His organisation is also looking at ways to foster information security inside government organisations, as well as at harmonising Europe’s legal framework in this area. He concluded that they would like to present concrete actions at the next meeting of the European Telecommunications Council in December 2001.

43. Following the presentations, a Q&A session started with comments concerning software liability. The panellists seemed to agree that liability rules would not help to address all of these issues. Concerns were raised about how to predict possible cyber-attacks or vulnerabilities and, if that were possible, several delegates asked whether an international organisation was needed. CERTs and other bodies provide some detailed information, argued the panellists, although it is impossible to predict or control “script-kiddies”. Finally, a participant asked about the balance between copyright restrictions and the need for free information, citing the case of the Russian programmer arrested for copyright violation. Panellists responded that the arrest should not be seen as an attempt by industry to curb the free flow of information. His arrest was related to the fact that he had developed a software tool whose only purpose was to violate copyrights. Industry wants to tackle these issues, although it recognises the need for international standards.


Plenary Session 3: Electronic Commerce: Infrastructures for Reliability and Security

Chair: Peter Ford

Panellists

− Shuichi Inada, MPHPT, Japan

− Alessandro Luciano, Commissioner of the Authority for Communications in Italy

− Tuire Saaripuu, Population Register Centre, Finland

− Peter Lübkert, ITN-OECD

− Peter Ferguson, Industry Canada

44. Following some introductory remarks by Peter Ford, Shuichi Inada opened this session. He started by stating that electronic commerce was developing rapidly in Japan. However, there was a need for additional trust and confidence, as suggested by several statistics presented in the 2001 White Paper on Telecommunications. New technologies such as public key infrastructures (PKI) and encryption might provide pivotal assistance in accomplishing this objective. Japan had launched several initiatives in this direction, as exemplified by the number of certification authorities for central and local governments, corporations and individuals. Still, these initiatives were not deemed sufficient. Shuichi Inada presented a set of specific strategies to promote reliable electronic commerce. He called for the extension of reliable chains of trust, the utilisation of new technologies such as PKI and IPv6, better standards and more research.

45. Nevertheless, the Internet is not stable but dynamic, as new devices get connected. A set of specific IT security measures for info-communications was introduced. They provide guidance for individuals, telecom operators and ISPs, and government institutions involved in e-government programmes. Shuichi Inada concluded by suggesting actions to enhance security. He called for information sharing mechanisms and the strengthening of systems security through various technical and managerial processes. He then called for raising general awareness, training and education. Finally, particular emphasis was placed on standards.

46. Alessandro Luciano introduced how Italy was addressing issues of information security and reliability. He began by stating that his country was fully aware of the risks and crimes associated with the Internet and of the need for appropriate responses. There was also a common vision concerning the need to strengthen online trust and confidence.

47. Although actions have been taken at the European level, Italy has also tackled these issues at the domestic level. Together with the Italian Society of Authors and Publishers (SIAE), the Authority has created a unit to address copyright violations over the Internet. In terms of digital signatures, Luciano recalled that Italy was one of the first countries to introduce national legislation in this area. Presently, guidelines for establishing and running a certification authority have been issued by AIPA, the Italian Authority for Information Technology in the Public Administration. He concluded his remarks by emphasising the need to devise better technical standards and evaluation processes.

48. Tuire Saaripuu described how her country has exploited the potential offered by public key infrastructures. She began by describing the Finnish Electronic Identification initiative, which was deployed in December 1999. Particular attention was devoted to the functionality offered by the electronic ID card, as well as to the many technical and legal requirements that needed to be resolved. She then presented the audience with some of the lessons learned from this programme. The programme highlighted the need for interoperability, international collaboration and basic software/hardware solutions. It is also important to devise appropriate measures to support the use of the electronic ID card by managing the delivery of card readers and other services.

49. In the second part of the presentation, Tuire Saaripuu described the Trailblazer programme, which is examining ways to tackle European issues related to public identity through smart cards. There are three main objectives for this initiative. First, the project is looking at minimum requirements for electronic public identity tokens. Second, it will recommend how public identity certificates should be compiled. Third, it provides options concerning secure data interchange.

50. Peter Lübkert discussed the complexities of managing information security inside organisations. He started by highlighting the main dilemma for many organisations: how to allow and manage access for a large array of services and providers while, at the same time, maintaining security. In order to address this concern, organisations should devise appropriate strategies based on their business and operational requirements. It is important, moreover, to get management buy-in and appropriate technologies, while engaging users and devising contingency plans. However, organisations should remember that the environment is constantly changing and new threats and risks are always on the horizon.

51. He concluded by highlighting the main strategic information security issues. He emphasised the need to educate users about the risks of operating online. He invited organisations to work with software and hardware vendors. He also suggested the need to establish communities to which security classification could be applied.

52. Peter Ferguson was the last speaker of this session. He presented APEC and its activities in the area of electronic commerce. APEC started to get involved in this area in 1997, when government leaders called for a formal work programme. An agenda was afterwards developed inside the Telecommunications and Information Working Group (TEL), which eventually led to a Blueprint for Action on Electronic Commerce and the creation of an Electronic Commerce Steering Group. A security agenda was also drafted, aiming to determine business requirements, devise models and standards, and consider education and security packages. Particular attention has been devoted to promoting reliable information transmission by raising awareness, providing examples, exchanging information and fostering international co-operation with other fora such as the OECD.

53. The last presentation was followed by some questions from the audience. Participants asked about other initiatives similar to those presented by Tuire Saaripuu. She replied that several pilots are presently being carried out by several European and Asian states, with some differences from her project. Peter Ford indicated that Australia was also undertaking similar initiatives. Meanwhile, in Japan some government departments are trying to use PKI to secure transactions.


Day 2 13 September 2001

Parallel Tracking Sessions (sectional meetings/panels) (based on the notes from David Herson)

Track A Moderator, Mikael Kiviniemi, Finland

Session 1: Technology Trends and Information Security

Panellists:

− Peter Harter, Securify, Inc

− Chester Soong, International Information Systems Security Certification Consortium, (ISC)²

− Yuji Inoue, Senior Vice President, NTT Data Corporation

54. Peter Harter opened this session by highlighting the complexity of managing information security in today’s Internet environment. It is difficult for organisations to have a detailed understanding of which resources are utilised and how data is managed and accessed. He invited companies to address their security requirements from an integrated, business-driven perspective. Information security policies, consequently, should combine rules, application requirements and network implementation to reflect customer requirements. The goal is to provide organisations with an overall understanding of the security of the entire network.

55. Chester Soong built upon several of the points made by the previous speaker. His professional experience had convinced him that corporations tend to field fragmented information security solutions driven by individual threats rather than by business objectives. New risks and threats, nevertheless, are on the horizon with the growing popularity of mobile commerce. Companies will have to deal with issues such as mobile certificates, identification and authentication. There is also a growing concern that developments like broadband will create risks individuals are not able to manage. Most security tools, argued Chester Soong, are too difficult for the average Internet user to use or understand.

56. Yuji Inoue closed this first session with an overview of research and development on technology for tracking the point of origin of unauthorised access. Following some interesting remarks about the difficulties in preventing unauthorised access, he argued that there are products and solutions on the market to block external access or to eliminate and patch vulnerabilities. However, there seems to be a lack of solutions aimed at issuing a warning to intruders attempting unauthorised access. He presented several activities and products developed by NTT to address this issue and foster online trust and confidence.

Session 2: Management and Human Factors

Panellists:

− Koji Nakao, Senior Manager, KDDI R&D Laboratories, Ltd.

− Akira Saka, Director, National Police Agency, Japan

− Peter Lübkert, ITN, OECD


− Chris Demchak, University of Arizona, US

57. Koji Nakao opened this session by describing the growing openness and flexibility provided by the Internet and wireless technology. The expression “everywhere, anytime, anything” is becoming a reality. However, new risks and threats are also rising. Consequently, information security management and technical controls are necessary. In order to implement them, organisations are invited to look at several international standards devised by ISO.

58. The second part of his presentation was devoted to examining the activities of Subcommittee 27, which is part of Joint Technical Committee 1 at ISO. He focused, in particular, on ISO/IEC 17799, Information Security Management. This standard, which was developed in the United Kingdom (as BS 7799), is set to assist companies and organisations in managing their information security by providing a detailed list of controls. Nevertheless, he invited organisations to regard information security as part of their management activities and structures.

59. Akira Saka started by presenting an overview of the current status of cyber crime in Japan, describing cases of violations of the country’s law on unauthorised computer access. He moved on to assess the number of cases examined by the Japanese police. They included network-related incidents, illegal and harmful content, defamation, spam and many others.

60. The second part of the presentation was devoted to examining how management failures and human factors have caused cyber crimes, ranging from the dissemination of false information to unauthorised access. He then provided an overview of the status of information security in Japan. A very large number of Japanese companies do not have an information security policy, although recent data seem to confirm that the tide is turning.

61. The presentation concluded with an overview of Japanese initiatives aimed at fostering cyber security. Particular attention was devoted to the Action Plan for Building Foundations of Information Systems Protection from Hackers and other Threats, released in January 2000, the Guidelines for IT Security Policy and the Special Action Plan on Countermeasures to Cyberterrorism of Critical Infrastructure, which were released between July and December 2000. Other programmes, such as the Unauthorised Computer Access Law and the National Police Agency’s IT Security Policy, paralleled these initiatives. Particular attention was directed at raising general public awareness about information security.

62. Peter Lübkert detailed the human resources and management complexities of information security. Building upon some of the comments he had made the previous day, he emphasised again the importance of management buy-in on information security and the need for constant review to address new threats and risks. He reminded the audience that networks develop at different speeds. He concluded by emphasising the need to raise information security awareness and to define responsibilities. He also called for standards and better information security agreements.

63. Prof. Chris Demchak closed this session. She began her remarks by warning the audience about the interconnected paths among Internet security, human self-interest and the overall economy. Today’s Internet empowers many individuals, although business perspectives drive future paths. More importantly, today’s anarchic Internet arrangement is increasingly fragile. There is a growing tendency towards the rise of a “Grid”: a set of ever stronger fortress walls, although more surprises are to be expected, especially in large-scale systems, due to the lack of controlled nodes. Nevertheless, devising appropriate redundancy to control ripple effects can avert the negative implications of this situation.


Session Three: The Role of Technical Standards

Panellists:

− Kenji Naemura, Keio University

− Oiva Karppinen, Nixu Ltd.

− Bernhard Reiter, Intevation GmbH

64. Prof. Kenji Naemura started by detailing the commercial and technical benefits provided by standards in terms of interoperability, usability and accessibility. Nevertheless, information security standards face the dilemma that any vulnerability in them has an impact across all implementations. In any case, many organisations are trying to develop IT security standards, ranging from the OECD to the Internet Engineering Task Force (IETF) and the International Organization for Standardization (ISO). The presentation concluded with some remarks about the future. The speaker called for more collaboration and harmonisation between standard-setting organisations, as well as international collaboration for co-ordinated incident reporting and response. He invited the audience to reflect on ways to accommodate national restrictions in management-related standards and to handle exposed vulnerabilities.

65. Oiva Karppinen introduced similar concepts by looking at the difference between de jure and de facto standards. More importantly, he examined cases where de facto standards can become de jure standards, as in the case of Kerberos and SSH. He concluded his talk by recalling that the need for harmonised global technical standards was directly considered by the Guidelines. He called on the OECD to look at ways through which it is possible to differentiate between good and poor standards and to encourage their use for privacy protection.

66. The last speaker of the session was Bernhard Reiter. His presentation started by indicating that free software is at the heart of today’s Internet success. Its outstanding functionality is mostly due to the fact that this software undergoes strong peer review by experts, which allows for quick fixes. He concluded his presentation by detailing the GNU Privacy Guard e-mail security project. Its development is supported by the German Ministry of Economics and involves the implementation of the OpenPGP specification. It includes patent-free encryption, secure mechanisms for attachments and public key handling.

Track B Moderator: Prof. Masao Horibe, Chuo University, Japan

Session 1: Security and Education/Ethics

Panellists:

− Kimberly Claman, Vice President for Global Affairs, Information Technology Association ofAmerica

− Jungran Suh, Deputy Director of Information Ethics and Privacy protection, MIC Korea

− Brooke Holmes, US Department of State

− Maximilian Dornseif, Security Expert


67. Kimberly Claman opened this session by looking at the issues of cyber-ethics and information security awareness. Claman began by observing that kids and teenagers do not perceive stealing information online as illegal, while being a hacker is viewed as a good thing. This is completely at odds with the real world, where cyber-crimes are illegal. There is, consequently, a strong need to promote cyber-ethics among individuals and inside organisations through extensive marketing and public relations campaigns, and to evaluate them. The latter part of the presentation was devoted to describing the Cybercitizen Partnership, which involves the ITAA, the US Department of Justice and several non-profit organisations. The objective is to develop and distribute educational materials for parents, teachers and students about the responsible use of information and network technologies. Recognising the global nature of the Internet, the Cybercitizen Partnership acts as a point of contact for other international efforts. Moreover, the partnership carries out qualitative and quantitative opinion and attitudinal measurements to improve the effectiveness of its messages.

68. Following on from Kimberly Claman, Jungran Suh presented her country’s initiatives in the area of cyber-ethics. As in other countries, Internet access and use are growing rapidly in Korea. New dangers and threats are also surfacing, such as illegal and harmful content, child pornography, defamation and copyright infringement. Consequently, cyber-ethics is a major concern. The Republic of Korea has developed a strong legal framework aimed at promoting information and telecommunication networks and also at protecting minors. Jungran Suh pointed to the requirement that information providers indicate sites that may be unsuitable for young viewers. The legal framework has also strengthened the responsibility of entrepreneurs and Internet users concerning the diffusion of inappropriate material and cyber-defamation.

69. The last section of the presentation focused on examining the activities of the ICEC, an organisation established in 1995 under the Telecommunications Business Act. This non-governmental institution aims to protect youth from harmful information and to foster proper use of the Internet. Among its many awareness activities, ICEC monitors and specifies harmful content according to the Youth Protection Act, develops filtering software and maintains a database of unsafe sites. It also recommends sites that are suitable for minors. Finally, an Internet Contents Rating Service has been developed. This is a voluntary control system without censorship and is open to all information service providers.

70. Brooke Holmes introduced several US government-led initiatives aimed at fostering information security awareness and education. He began by discussing the Federal Cyber-services Training and Education Initiative, designed to ensure an adequate supply of highly skilled government security specialists. He then introduced the Scholarship-for-Service initiative, which is expected to support individuals through their undergraduate and advanced studies in exchange for a period of US federal service.

71. The US Federal government’s initiatives are also directed towards high school students. An Awareness and Outreach Programme has been introduced, in conjunction with the Federal Information Assurance Campaign. There are also activities aimed at fostering international outreach. The United States, together with Canada and Australia, has obtained approval of a project entitled Critical Information Protection Awareness Raising and Education Requirements in the APEC context. This initiative provides free-of-charge education modules for running information security courses.

72. The session was closed by Maximilian Dornseif. His presentation listed the benefits provided by benevolent hackers. He began by depicting the difference between hackers, who have benevolent goals, and crackers, whose objectives are criminal. He continued by providing a sociological profile. In the last section of the presentation, Maximilian Dornseif highlighted the benefits that hackers bring to business, governments and consumers. Governments can benefit from hackers by having a third-party assessment of software vendors’ claims and an unbiased assessment of future technological trends. They also assist in drafting appropriate legislation and in fostering security education and knowledge. Consumers benefit from hackers since the latter provide unbiased advice on software and hardware solutions and products, as well as trusted privacy-enhancing and security technology. Finally, businesses can benefit from the fact that hackers offer innovative and highly productive services, goods and advice. The speaker concluded by inviting governments, industry and consumers not to punish hackers for their unusual use of technology. Hackers should not be considered criminals.

Session 2: Policy and Legal Issues Including Privacy Protection

Panellists

− Anne Carblanc, Principal Administrator, OECD

− Masami Muromachi, Lawyer, Tokyo Marunouchi Law Office

− David Fares, Director, Electronic Commerce, USCIB and BIAC

− Naja Felter, Policy Officer, Consumers International

73. Anne Carblanc opened this session with a detailed analysis of the relationship between privacy rights and security requirements. This analysis led her to state that security and privacy are not the same, but that they complement and enhance each other. Therefore, it is safe to state that they are interrelated but “distinct and overlapping”.

74. Notwithstanding this interrelationship, there can be strong tensions between security needs and privacy requirements. There are certain security solutions whose use may lead to violations of individuals’ privacy. Similarly, there are certain privacy-through-anonymity techniques whose functionality may be used to carry out malicious activities. Anne Carblanc called for the need to find a balance between the two. She then stated that the principles of the OECD security guidelines and those on privacy, as well as other OECD initiatives, aimed at fostering this balance.

75. She concluded by inviting the audience to consider that privacy should be treated as one of the technical, legal and policy issues to be addressed while assessing the future of the OECD Guidelines for the Security of Information Systems. She then provided possible options, such as the completion of a privacy impact analysis of security measures or the inclusion of privacy-enhancing technologies as part of software and hardware solutions. Another alternative would be for policy makers and other stakeholders to support technologies and processes that jointly address security and privacy concerns.

76. Masami Muromachi spoke on similar issues. He opened his remarks by taking the audience through a brief but insightful analysis of the recent technological changes involving the Internet. Attention afterwards moved to listing a set of specific technologies affecting security and privacy, such as encryption, virtual private networks and IEx. Like the previous speaker, he called for the need to find a balance between security and privacy.

77. The second part of the presentation focused on IT security audit standards. Masami Muromachi emphasised that the implementation of the principles listed in the OECD guidelines requires better evaluation and audit standards and procedures, so that results can be made available without undermining non-disclosure requirements. He concluded by calling for a common lexicon of terms, since terms like “authentication” have different meanings in legal and technical settings.


78. David Fares then took the floor. Like his two predecessors, he underlined the fundamental functions of privacy and security and the OECD’s pivotal role in this context. He also recognised that security technologies and processes may affect privacy and vice versa. A pertinent example of this state of affairs is network-monitoring tools that collect traffic data. The mere collection of this data and/or its sharing may lead to privacy violations. However, these activities are essential in countering cyber-crime and fostering information security. Similar concerns arise when organisations need to comply with law enforcement requirements. He concluded by calling on governments to move away from contradictory requests on businesses and to foster dialogue to find solutions to the dilemmas caused by privacy rights and security requirements.
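The monitoring dilemma described in paragraph 78, and the "technologies and processes that jointly address security and privacy concerns" called for in paragraph 75, can be made concrete. The following is an added example for these proceedings, not code from the workshop or from any speaker: it pseudonymises the client addresses in flow records with a keyed hash before the records are stored or shared, and shows that a simple port-scan check still works on the pseudonymised data. The flow-log line format, the sample records, the HMAC-SHA256 pseudonymisation, the per-day key derivation and the 30-port threshold are all constructed assumptions for illustration.

```python
"""Traffic-data collection that keeps detection value while limiting what is
exposed about individual users.

Added example for these proceedings, not code from the workshop or any
speaker. Everything here is constructed for illustration: the flow-log line
format, the sample records, the keyed-hash pseudonymisation of client
addresses, the per-day key derivation and the 30-port scan threshold.
"""
import hashlib
import hmac
import ipaddress
from collections import defaultdict


def daily_key(master_secret: bytes, day: str) -> bytes:
    """Derive a per-day pseudonymisation key (assumed design choice).

    Pseudonyms are stable within one day, which is enough to correlate the
    flows of a single scanner, but cannot be linked across days by anyone
    who only holds the shared records.
    """
    return hmac.new(master_secret, day.encode("ascii"), hashlib.sha256).digest()


def pseudonymise_ip(ip: str, key: bytes) -> str:
    """Replace a client address with a keyed, truncated HMAC of its canonical form.

    A plain (unkeyed) hash would be reversible by enumerating the 2^32 IPv4
    addresses; the secret key removes that option for anyone without it.
    """
    canonical = str(ipaddress.ip_address(ip))   # also validates the address
    tag = hmac.new(key, canonical.encode("ascii"), hashlib.sha256).hexdigest()
    return "pseud:" + tag[:16]


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record: '<timestamp> <src> <dst> <dst_port>'."""
    ts, src, dst, dport = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport)}


def pseudonymise_flows(lines, key: bytes) -> list:
    """Keep only what detection needs; the raw source address never leaves here.

    The destination is the monitored organisation's own host and is kept as-is
    (assumption: it is not personal data in this setting).
    """
    records = []
    for line in lines:
        rec = parse_flow(line)
        rec["src"] = pseudonymise_ip(rec["src"], key)
        records.append(rec)
    return records


def detect_port_scans(records, threshold: int = 30) -> dict:
    """Return {pseudonymised source: number of distinct destination ports}
    for every source that touched more than `threshold` ports."""
    ports_seen = defaultdict(set)
    for rec in records:
        ports_seen[rec["src"]].add(rec["dport"])
    return {src: len(ports) for src, ports in ports_seen.items()
            if len(ports) > threshold}


def build_sample_flows() -> list:
    """Constructed sample data (documentation-range addresses, RFC 5737):
    192.0.2.10 sweeps ports 1-40 on 198.51.100.5, while 192.0.2.77 makes a
    few ordinary web connections to the same host."""
    lines = [f"2001-09-13T09:00:{i:02d} 192.0.2.10 198.51.100.5 {i}"
             for i in range(1, 41)]
    lines += [f"2001-09-13T09:01:{i:02d} 192.0.2.77 198.51.100.5 {port}"
              for i, port in enumerate((80, 443, 80))]
    return lines


if __name__ == "__main__":
    key = daily_key(b"site-master-secret (constructed)", "2001-09-13")
    shared = pseudonymise_flows(build_sample_flows(), key)
    for src, n_ports in detect_port_scans(shared).items():
        print(f"possible port scan from {src}: {n_ports} distinct ports")
```

The master secret stays with the collecting organisation and never travels with the data set: the keyed hash only protects against re-identification by parties that do not hold it, so the organisation itself can still answer a lawful request about a flagged source, which is the balance paragraphs 74 and 78 describe. Truncating the HMAC to 64 bits keeps the pseudonym short at negligible collision risk for one site's traffic, and rotating the key daily bounds how long a pseudonym can be tracked in shared records.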

79. Naja Felter gave the last presentation of the session. Having introduced the activities of Consumers International, she called on the audience to reflect on the results of a recent multinational survey measuring trust and confidence perceptions about electronic commerce. She emphasised that consumers are still very wary of the Internet and the online world and require assurances. They are mostly concerned about data privacy, as well as redress, authentication and fraud. A possible solution would be to look at software product liability. She also called for anonymity, security and privacy functionality to be built into these products.

80. She concluded her presentation by stating that her organisation fully supports the democracy principle of the Guidelines. She also looked forward to getting involved in multi-level and multi-state dialogue in order to bring forward consumers’ interests.

Session 3: Exchanges of Information and Best Practices

Panellists

− David McCurdy, President, Electronic Industries Alliance, US

− Holger Reif, TeleTrust Deutschland

− Jonathan Doherty, Chubb Corporation

− Adzman Musa, Prime Minister Department, Malaysia

81. David McCurdy opened this session by discussing how the Internet has been empowering organisations through increased communications, electronic commerce and access to a large variety of information. However, these new functionalities have also led to new risks and threats. The US government has undertaken several initiatives to address these concerns, argued David McCurdy. However, there was a need for specific industry responses, which has led to the establishment of the Internet Security Alliance.

82. The exchange of best practices is one of the Alliance’s main objectives. Other tasks are advance warning of security threats, vulnerability assessments and research support. The association, which has among its founding members several leading US and other international industry players, aims to foster the use of standards like ISO 7799 for information security management. The Internet Security Alliance, argues David McCurdy, is set to foster national and international dialogue to exchange information and any other tools in order to preserve the security of information systems and the overall online trust and confidence.

83. Industry co-operation and the exchange of best practices were also at the heart of the presentation by Holger Reif. He began by providing some background about the origins of TeleTrust and its activities, which aim at fostering the use of best practices, developing standards and influencing German and European information security policies.

84. He then moved on to detail the Bridge CA initiative, which aims to provide secure transaction functionalities to small and medium enterprises. This project is supported by the German government and involves the T7 group, which brings together several local trust centres. The development of this initiative provides some useful practices for others who want to follow the same path. First, Holger Reif indicated that the available specifications are not always sufficient. Still, it is sensible to apply international standards. Moreover, it is important to increase consumers’ willingness to exploit the potential of these new tools and to establish a mutual basis for the use of digital signatures and encryption mechanisms in processes and applications.

85. Jonathan Doherty engaged the audience through insights and best practices on addressing information security based on his professional experience. He called on organisations to devise proactive measures aimed at assessing risk, designing countermeasures and monitoring traffic to spot malicious activities. Companies should also define a reactive strategy to intrusions or any other online malicious activity by creating appropriate investigative processes and computer emergency response teams. Finally, organisations should carry out a post-facto analysis to define the lessons learned and get ready to tackle future events. These initiatives, nevertheless, require full management support. Directors, argued Jonathan Doherty, should always question the overall commercial, legal and operational viability of their online operations.

86. Adzman Musa presented an overview of how his organisation has been tackling information security inside the public sector. He started by introducing the audience to the complex administrative structures and the budget available to deliver online capabilities and functionalities to them. A detailed list of project milestones was also described, confirming Malaysia’s strong commitment to this overarching programme.

87. Adzman Musa went on to examine the security management process to protect these operations and activities. He first detailed the central-level efforts involving incident response capabilities, awareness and training, security posture assessment, business resumption plans and auditing. He then looked at the operational requirements and various management processes to put information security strategies into place. Particular attention was devoted to security education and awareness. He concluded by stating that the infosec plan for the Malaysian public sector confirmed the need for proactive and recovery strategies, as well as regular management monitoring and assessment.

Plenary Session 4: Action for Information Security: The Roles of the Stakeholders

Moderator: Patty Sefcik, Director, US Department of Commerce

Panellists:

− Bertrand Cousin, Vivendi Universal

− Hidetoshi Ohno, Director, Ministry of Economy, Trade and Industry, Japan

− Betty Shave, Computer Crime and Intellectual Property Section, US Department of Justice

− Prof. Katsumi Hoshino, Tama University, Japan

− John Dryden, Head of Information, Computer and Communications Policy Division, OECD

88. Bertrand Cousin opened the fourth plenary session by describing the large array of threats and risks faced by the organisation he represents. Vivendi is a global company operating in various markets and providing multiple services and goods. In order to address these risks, Vivendi has devised a corporate security policy structured along two lines: one addressing primarily IT systems and a second one, called “cyber security”, targeted at protecting the many services delivered over and through the Internet. Notwithstanding these specific initiatives, Bertrand Cousin emphasised the fact that Vivendi’s management is fully involved in devising and implementing both of them by providing operational support and staff responsibilities.

89. He then depicted Vivendi’s “cyber-security” policy. Its goal is to foster consumers’ trust and confidence in their services by focusing on the security of personal data and enhancing the confidentiality of private messages. It also concentrates on making sure that their exchanges and transactions are fully secure. Bertrand Cousin concluded by saying that Vivendi understands the global nature of these risks and threats and the need for appropriate international responses. This is the reason for its direct involvement in international fora like the OECD and the European Union.

90. Hidetoshi Ohno focused his presentation primarily on defining the various stakeholders and their responsibilities based on Japanese practices. Particular attention was devoted to highlighting the role of governments. Their roles range from setting rules and standards and fostering awareness and research and development, to protecting the critical infrastructure through information sharing mechanisms.

91. He then examined the relationship between the stakeholders. Businesses are seen to work with governments in protecting the critical infrastructure, training and consulting in policy development. Academics are to join forces with governments and industry to raise awareness and provide the necessary education and skills to individuals. This last category of stakeholders, argued Hidetoshi Ohno, could be directly involved in certain policy developments concerning information security. As the Internet continues to develop and provide additional services and functionality, this co-operation among stakeholders is set to increase.

92. His last remarks focused on the role of the OECD and the OECD’s guidelines. The role of the OECD is to show the fundamental directions through such activities as setting best practices. The OECD’s guidelines are pivotal in setting the rules for the respective stakeholders by providing guiding principles. Nevertheless, stronger international co-operation was necessary in areas like information sharing on threats and accidents, international standardisation, interoperability, training experts and bridging the digital divide.

93. Betty Shave was the third speaker of the session. She began her remarks by emphasising the role of individual consumers and small businesses, which often do not have the resources and knowledge to tackle information security. Governments and industry should assist them. She then invited them to evaluate their own information security posture to set the example. She continued by inviting the stakeholders to exchange information and, more importantly, understand their reciprocal interests.

94. Betty Shave concluded by recalling the importance of international co-operation. There is the need for global responses to match cyber crime’s global nature. She called for harmonised legal measures. A first step is the forthcoming cyber crime convention of the Council of Europe, although it will be necessary to assess how this document will be implemented.

95. Prof. Katsumi Hoshino took the floor. He presented his research and expertise on the importance of trust and confidence in an Internet economy. Particular attention was devoted to electronic marketing and customer relationship management. Security and privacy are essential elements if companies want to build a “cyber-brand”. He called upon companies to establish a “privacy protection strategy”, which involves a chief privacy officer, a compliance programme, education and a certified seal.

96. He concluded by describing the case of the Japanese Engineers Federation (JEF). Through the auspices of this organisation, the US privacy seal, TRUSTe, was licensed to Japan. The role of this seal is pivotal since it pushes individual companies or organisations to devise an effective and efficient “privacy protection strategy”. In conclusion, marketing strategies based on fostering online trust and confidence make it possible to win consumer reliance and satisfaction.

97. John Dryden concluded the session by focusing primarily on defining the stakeholders. As indicated in other presentations, each one of them has a particular role and responsibility. Particular attention was devoted to the individuals, experts and so-called gurus, who look at the different facets of information and provide interesting insights. Intelligence and military organisations were also called upon in light of their long-standing expertise in specific areas of information security, such as cryptography. He concluded the first part of his presentation by engaging the audience to reflect on how to foster information sharing and analysis of threats, as well as best practices.

98. The last section of his presentation was devoted to highlighting the OECD’s role. This organisation may assist in fostering political coherence and discussing issues such as the balance between security and privacy. He reminded the audience of the fundamental role of the guidelines as a tool of soft law. Nevertheless, the strength of the OECD resides in the analysis of the technological, legal and administrative environment and the support for discussions among the interested stakeholders.

Plenary Session 5: The OECD Guidelines in the Networked World

Chairman: Peter Ford

Panellists

− Takaya Ishida, Vice-chairman of the Business and Industry Advisory Committee to the OECD

− Peter Harter, Securify, Inc

− David Herson, OECD Consultant

− Masao Horibe, Chuo University

− Mikael Kiviniemi, Finland

− Patty Sefcik, Director, US Department of Commerce

99. Takaya Ishida opened the final session of the Workshop. He began by stating that the explanatory memorandum of the guidelines should be modified to reflect new technological and operational changes. He then reminded the audience that information security involves three different but interrelated areas: national security, public safety and economic stability. He concluded by indicating that the OECD should encourage governments to establish information sharing mechanisms with the private sector, apply best practices, enforce cyber-crime laws and support pre-competitive research on security. Other OECD activities, argued Takaya Ishida, are the removal of export controls on civilian encryption technologies and the support for awareness and education campaigns. He concluded by warning the OECD to move away from the temptation of “one-size-fits-all” conduct and concentrate on supporting “the development of voluntary private best practices by industry for context-specific information security solutions”.

100. Peter Harter emphasised some of the same points raised by the previous speaker. He argued that well-defined information security policies create better management. More importantly, he suggested that security improves the overall “information economy” by improving operational performance. He finished by asking the OECD to corroborate this point by devising ways and means to measure the economic impact of information security.

101. David Herson presented the audience with some issues and thoughts about the nine principles listed by the Guidelines. He believed that this analysis was necessary to assess the viability and effectiveness of this document in today’s Internet world. More importantly, he challenged the audience by asking whether all the information security concepts proposed and discussed during the workshop are included in the guidelines. He also wanted to know whether these concepts are appropriately allocated within the aims, objectives and principles of the Guidelines. He concluded by inviting the audience to examine the activities of the audit community, which regularly addresses issues like effectiveness and performance requirements.

102. Peter Ford asked Prof. Masao Horibe, Mikael Kiviniemi and Patty Sefcik to summarise the discussion of the previous tracks. They seemed to concur that the presentations called for more awareness and education programmes, technical standards and, more importantly, active dialogue among all the stakeholders. There was also a specific encouragement to invest in research and development and to examine the dilemma of how to balance privacy rights with the requirements and needs of information security. Patty Sefcik closed by expressing gratitude to the government of Japan and the secretariat for the overall organisation of the Workshop.

103. Peter Ford, as chairman of the workshop, attempted to summarise the topics of the Workshop. The presentations and discussions confirmed the risks associated with the increasing socio-political and economic dependence on the availability of information and network systems. Still, as the OECD examines the future of the Guidelines, he asked the audience to reflect and provide comments and suggestions on these issues: is there technology neutrality in the principles, what is the role of the stakeholders, what do we mean by the term security and what is the relationship between security and privacy?

Page 31: PROCEEDINGS OF THE OECD WORKSHOP: “INFORMATION … · developments affecting the security of information systems in a world characterised by global ubiquitous networks, notably

31

ANNEX I: SPEAKERS’ BIOGRAPHIES

Anne CARBLANC

Anne Carblanc is Principal Administrator in the Information, Computer and Communications Policy Division of the OECD where she has been responsible for policy issues concerning the protection of personal data and privacy since 1997.

She was previously a judge in charge of criminal investigations (juge d’instruction) at the Tribunal of Paris. From 1992 to 1996 she was Secretary General of the CNIL, the French data protection authority, and from 1985 to 1992 Head of the criminal legislative unit in the Ministry of Justice. From 1983 to 1985, she was a juge d’instruction at the Tribunal of Orléans.

Anne Carblanc has a degree in modern languages and literature and a Master's degree in Law. She is also a graduate (Promotion 1981) of the Ecole Nationale de la Magistrature.

Vinton G. CERF

Vinton G. Cerf is Senior Vice President of Internet Architecture and Technology for WorldCom. Cerf's team of architects and engineers design advanced networking frameworks including Internet-based solutions for delivering a combination of data, information, voice and video services for business and consumer use.

Widely known as a "Father of the Internet," Cerf is the co-designer of the TCP/IP protocols and the architecture of the Internet. In December 1997, President Clinton presented the U.S. National Medal of Technology to Cerf and his partner, Robert E. Kahn, for founding and developing the Internet.

Prior to rejoining MCI in 1994, Cerf was Vice President of the Corporation for National Research Initiatives (CNRI). As Vice President of MCI Digital Information Services from 1982-1986, he led the engineering of MCI Mail, the first commercial email service to be connected to the Internet.

During his tenure from 1976-1982 with the US Department of Defense's Advanced Research Projects Agency (DARPA), Cerf played a key role leading the development of Internet and Internet-related data packet and security technologies.

Vinton Cerf serves as Chairman of the Board of the Internet Corporation for Assigned Names and Numbers (ICANN). Cerf served as founding president of the Internet Society from 1992-1995 and in 1999 served a term as Chairman of the Board. He completed his term as founding Chairman and continues to serve as a member of the Internet Societal Task Force and its steering group that focuses on making the Internet accessible to everyone and analysing international, national and local policies surrounding Internet use. In addition, Cerf is honorary chairman of the IPv6 Forum, dedicated to raising awareness and speeding introduction of the new Internet protocol. Cerf has served as a member of the U.S. Presidential Information Technology Advisory Committee (PITAC) since 1997. Cerf is a principal for the Global Internet Project (GIP), and he sits on the Board of Directors for the Endowment for Excellence in Education, Folger Shakespeare Library, Gallaudet University, the MCI WorldCom Foundation, Nuance Corporation, Avanex Corporation, CoSine Corporation, 2BNatural Corporation, B2B Video Networks, the Internet Policy Institute and the Hynomics Corporation. Cerf is a Fellow of the IEEE, ACM, and American Association for the Advancement of Science, the American Academy of Arts and Sciences, the International Engineering Consortium, the Computer History Museum and the National Academy of Engineering.

Cerf holds a Bachelor of Science degree in Mathematics from Stanford University and Master of Science and Ph.D. degrees in Computer Science from UCLA. He also holds honorary Doctorate degrees from the Swiss Federal Institute of Technology, Zurich; Lulea University of Technology, Sweden; University of the Balearic Islands, Palma; Capitol College, Maryland; Gettysburg College, Pennsylvania; George Mason University, Virginia; and Rovira i Virgili University, Tarragona, Spain.

Kimberley CLAMAN

Kimberley Claman is Vice President of Global Affairs for the Information Technology Association of America (ITAA), the leading US information technology industry association. ITAA encompasses over 26 000 direct and affiliate members, from America’s largest corporations to the entrepreneurs building the blockbuster IT companies of the future. The Association plays a leading role in public policy issues of concern to the IT industry including human resources, information security, telecommunications, intellectual property, and privacy.

Kimberley is also the Executive Director of the World Information Technology and Services Alliance (WITSA). WITSA is a consortium of 41 information technology associations representing economies around the world. WITSA is the global voice of the IT industry and is dedicated to advocating policies that advance the industry’s growth and development; facilitating international trade and investment in IT products and services; and strengthening WITSA’s national industry associations through the sharing of knowledge, experience, and critical information. WITSA will hold the XIII World Congress on Information Technology in Adelaide, Australia in March 2002.

Prior to joining ITAA, Kimberley was a Foreign Affairs Officer at the US Department of State in the Economic Bureau's Multilateral Trade Affairs Office. Kimberley worked with a small team to lead negotiations in the World Trade Organization, North-American Free Trade Agreement, Free Trade Area of the Americas and the Asia-Pacific Economic Cooperation. Kimberley received her undergraduate degree from the George Washington University and holds a master's degree in international economics from The Elliott School of International Affairs at the George Washington University.

Bertrand COUSIN

Since 1998, Bertrand Cousin has been Special Adviser to Jean-Marie Messier, Chairman and CEO of Vivendi Universal, the recently merged second global group in media and communications (Universal, Canal+, Vivendi Universal Publishing, Cegetel, …) and world leader in environmental services. Vivendi Universal earned revenues of EUR 40 billion in 2000.

After beginning his career as a Senior Member of the French Council of State and then Head of the French Prime Minister’s Communications Directorate, Mr. Cousin became Chief Operating Officer of the Hersant Press Group in 1984.

In 1986, he was elected Member of the French Parliament.

In 1997 he became Chief Operating Officer of Havas, recently renamed Vivendi Universal Publishing. In 1998, he was appointed Special Adviser to Vivendi Universal’s Chairman and CEO.

Chris C. DEMCHAK

Chris C. Demchak is an associate professor at the University of Arizona. Focusing on the implications of new organisational structures/capabilities given new information warfare (IW) and networked complex systems, she has published a book and a number of articles on comparative militaries and policies. A US Army Reserve officer, Demchak also has regional expertise in Europe, Africa and the Middle East, and speaks five languages. Dr. Demchak is also cofounder of the Cyberspace Policy Research Group, a transnational scholarly organisation funded by the US National Science Foundation to comprehensively and empirically chart and analyse the spread of the Internet into national level public agencies across the world. Currently she is studying the emerging Arab-Israeli electronic war or "e-jihad" as a natural experiment in IW applied against a society and its allies. In her next major manuscript, Dr. Demchak intends to apply the emerging organisational and policy lessons to the military modernisation plans of major NATO and non-NATO nations.

Jonathan DOHERTY

Jonathan Doherty is The Chubb Corporation’s Director and Asia Regional Manager for Financial Institution Products, resident in Hong Kong. He has had a long career in insurance risk underwriting and in developing insurance programs to meet the needs of banking and investment clients throughout Asia and the United States. Mr. Doherty graduated from Oklahoma State University, US in 1986 with a bachelor’s degree in Finance. Chubb, known as Federal Insurance Company in some locations in Asia, is one of the leading insurance underwriters of financial institutions and directors and officers in the world. Chubb recently introduced its new CyberSecurity product in several Asian cities.

Maximillian DORNSEIF

Maximillian Dornseif, 27, is a post-graduate researcher at the University of Bonn (Germany) Law School in the field of computer crime. He is also founder of the IT security consulting firm 'c0re GmbH' located in Bonn. Mr. Dornseif has an extensive knowledge of the so-called 'computer underground' and the surrounding cyber culture. He deals with computer security and has kept in contact with the German hacker scene for more than 10 years.

John DRYDEN

John Dryden has been the Head of the Information, Computer and Communications Policy Division of the OECD Directorate for Science, Technology and Industry since January 1993. He joined the Directorate in 1987, and has held a number of other senior positions, including Head of the Science, Technology and Communications Policy Division, Head of the Economic Analysis and Statistics Division, and Head of the Scientific, Technological and Industrial Indicators Division. Between 1980 and 1987, Mr. Dryden worked in the Economics and Statistics Department of the OECD. Before joining the OECD, he worked in the Cabinet Office of the UK government. A United Kingdom citizen, Mr. Dryden was educated at Oxford University and the University of Wales.

Detlef ECKERT

Detlef Eckert was born on 15/10/53 in Gelsenkirchen, Germany. University degree in Economics at the University of Siegen, 1979; Doctor in Economics. From 1979-1985: Assistant professor at the University of Siegen; from 1985-1988: civil servant with the “Bremen Ministry for Economic Affairs, Technology and Foreign Trade” as Head of Unit; and since 1988 he has been a civil servant with the European Commission, where he is currently head of unit responsible for analysis and policy planning in Directorate General Information Society. Priority topics at the moment are the eEurope initiative, information security, e-commerce and other information society related issues.

David FARES

As Director of Electronic Commerce at the United States Council for International Business (USCIB), David Fares is responsible for managing USCIB’s electronic commerce policy program and services. USCIB is the US affiliate of the International Chamber of Commerce, the Business and Industry Advisory Committee to the Organisation for Economic Co-operation and Development and the International Organization of Employers.

Before joining USCIB, David served as a Project Manager for the Electronics Business Connection at the New Jersey Institute of Technology; an international legal consultant at SCOR Reinsurance in Paris, France; and a staff attorney at the Franklin County, Ohio Court of Common Pleas.

David is a graduate of the European Union Today and Tomorrow Programme at the Institut d’Etudes Politiques de Paris, the School of International and Public Affairs at Columbia University (MIA), Capital University Law School (cum laude, J.D.) and the University of Notre Dame (B.A.).

Naja FELTER

Naja Felter works as Trade and Economic Issues policy officer for Consumers International, Office for Developed and Transition Economies, in London. Consumers International supports, links and represents consumer groups and agencies worldwide and strives to promote a fairer society through defending the rights of all consumers.

Ms. Felter manages Consumers International’s projects on privacy and Internet shopping and co-ordinates the organisation’s network on e-commerce. She represents Consumers International in e-commerce and trade issues at the OECD and other fora and has recently been invited to serve on the Advisory Committee of the American Bar Association E-commerce and ADR Task Force. She also manages a research and capacity building project on trade issues in Eastern Europe and a regional network for consumer organisations on corporate social responsibility.

Previously, she worked for the Danish central government in the Ministry of Research and IT and in the National Telecommunications Agency.

Ms. Felter has a Master’s degree in law from Copenhagen University, Denmark (1995).

Peter FERGUSON

Peter Ferguson is Deputy Director-General of the Information Policy and Planning Branch, Industry Canada (IC) and a member of IC’s Electronic Commerce Task Force. He is responsible for co-ordinating the development of policy positions on electronic commerce related issues such as privacy and security, access, digital signatures and certification authorities.

From 1994 to 1997, Mr. Ferguson was a Director of the Secretariat for Canada’s Information Highway Advisory Council, responsible for developing policy recommendations for the Council addressing a variety of information highway issues.

Peter FORD

Peter Ford is the First Assistant Secretary, Information and Security Law Division of the Australian Attorney-General’s Department. The Division was formed in February 1997 and is responsible for policy relating to privacy, freedom of information, intellectual property, legal aspects of electronic commerce and support to the Attorney-General on national security and electronic surveillance aspects of law enforcement policy. He chairs the OECD Working Party on Information Security and Privacy.

Keiji FURUYA

Keiji Furuya is the Senior Vice Minister of Economy, Trade and Industry (METI) and has been an active member of the House of Representatives since 1990.

Prior to joining the METI as the Senior Vice Minister, he was appointed Director of the Communications Division, Policy Research Council of the Liberal Democratic Party (LDP) in 1996.

As the Chairman of the Y2K Problem Working Group of the LDP, he greatly contributed to a smooth transition to the new millennium without any major social disturbance. He was also assigned Chairman of the LDP Project Team for Information and Telecommunications.

David GROSS

In August 2001, David A. Gross was named Deputy Assistant Secretary of State for International Communications and Information Policy. In that position, Mr. Gross is the "Coordinator" for the US Government regarding International Communications and Information matters.

Mr. Gross began his career in communications about 20 years ago. After graduating from the University of Pennsylvania in 1976 (BA in Economics) and receiving his law degree from Columbia University in 1979, Mr. Gross joined the law firm of Sutherland, Asbill & Brennan. While at the Sutherland, Asbill firm, he became a partner specialising in communications and telecommunications issues. He remained at the Sutherland, Asbill firm until 1994, when he was named Washington Counsel for AirTouch Communications. AirTouch was the world's largest wireless telecommunications company, with extensive interests in the United States, Europe, Asia, and elsewhere.

In 1999, Vodafone Plc, a very large UK-based wireless telecommunications company, acquired AirTouch. In 2000, Vodafone merged its US wireless interests with Bell Atlantic and GTE Corporation to create Verizon Wireless. At that time, Mr. Gross joined the Bush-Cheney presidential campaign as National Executive Director of Lawyers for Bush-Cheney.

For many years, Mr. Gross has been active with various bar associations, including the Federal Communications Bar Association (in which he has twice been elected to be an officer, and has often served as co-chair of various committees) and the International Bar Association (in which he has been vice-chair of the Communications Committee).

Peter HARTER

Peter F. Harter, Vice President for Internet Protection and Policy, represents Securify’s global public affairs activities with governments, industry, and standards bodies. Peter also serves on the boards of several start-up firms and non-profit organisations.

Prior to Securify, Peter was Vice President of Global Public Policy & Standards for EMusic.com, Inc., a leading e-retailer in the digital music industry. Peter served as President of the Digital Media Association (DiMA) and represented EMusic in the Secure Digital Music Initiative (SDMI) standards activity.

Previously, Harter served as Global Public Policy Counsel for Netscape Communications Corporation. He was responsible for Netscape’s government affairs, and became a noted authority on international law and policy issues regarding the Internet - such as encryption, antitrust, copyright, privacy, and governance. While at Netscape, Harter was Chairman of the Technology Network’s Public Policy Committee. The Technology Network (TechNet) is the leading high technology political organisation aimed at lobbying Federal and State officials on public policy issues that cut across all sectors of the New Economy. Through TechNet, Harter worked with CEOs, venture capitalists, government officials, and representatives of hundreds of industry firms.

Prior to joining Netscape, Harter helped form a government affairs group in the spirit of the Internet Engineering Task Force (IETF): the Internet Law and Policy Forum (ILPF). The ILPF develops open draft legal standards for a variety of Internet law and policy matters. Previously, he served as the Executive Director and General Counsel to the National Public Telecomputing Network (NPTN) in Cleveland, Ohio.

In its July 1998 issue, Business 2.0 called Harter one of “The 25 Most Intriguing Minds of the New Economy.” He received a J.D. from Villanova Law School, and holds a B.A. in Rhetoric & Government from Lehigh University.

David HERSON

David Herson is an independent consultant in Information and Telecommunications Security specialising in International Cryptography Policy. His Infosec career began in the UK, at CESG, where he headed the Computer Security Certification Branch shortly after its creation in the mid 1980s. During that time, he was part of the international team that developed the ITSEC and also participated in Infosec standardisation activities both in ISO and NATO.

For six years during the 1990s, David was head of the Information Security Unit within Directorate General XIII of the European Commission in Brussels. He was part of the group that developed the OECD Cryptography Policy Guidelines and was responsible for the EU Infosec and ETS Programmes.

David was educated at the Universities of Sussex and Edinburgh. As well as supporting the OECD's current work on revising the 1992 Security Guidelines, he writes regularly on Cryptography Policy Developments and advises companies on Infosec policy matters.


Brooke C. HOLMES

Brooke C. Holmes is a retired United States Foreign Service Officer. Since December 2000, he has served as an expert consultant on international science and technology co-operation with the Bureau of Verification and Compliance in the Department of State. Prior to retirement, he was the Director of the Office of Science and Technology Co-operation in the Bureau of Oceans and International Environmental and Scientific Affairs (OES). He also served as US Delegate to the OECD Committee for Scientific and Technological Policy (CSTP) in 1998-2000.

During his diplomatic career, Mr. Holmes served in Italy, Vietnam, the Bahamas, Greece, Canada, Nigeria, and the Dominican Republic. In Washington, he also held positions in the Bureau of Consular Affairs, and the Bureau of International Organization Affairs. While serving in the latter organization, he managed the UNESCO-affiliated U.S. Man and the Biosphere Program, an interdisciplinary, applied science research program.

Masao HORIBE

Dr. Masao HORIBE is Professor of Law at Chuo University, Tokyo, Japan and Professor Emeritus at Hitotsubashi University. He is a Vice-Chairperson of the Working Party on Information Security and Privacy set up under the Information, Computer and Communications Policy Committee of the OECD. He is a member of the Science Council of Japan.

He taught comparative law, information law, etc. for more than 30 years at Hitotsubashi University, one of the oldest national universities in Japan. He has been a member or chairperson of many committees and study groups in some Government Departments and local governments. He was a member of the Sub-committee on Disclosure of Administrative Information of the Administrative Reform Committee, Japanese Government (1995-1996), and a chairperson of the Working Group on Personal Data Protection of the Information Technology (IT) Strategy Headquarters (formerly the Advanced Information and Telecommunications Society Promotion Headquarters) headed by the Prime Minister (1999-2000).

He has written extensively in the area of information and privacy law.

Katsumi HOSHINO

Hoshino Katsumi is Professor at the School of Management & Information Sciences at Tama University. He also serves as Director of the Japan Engineers Federation (JEF) and is a special advisor to “The Japan TRUSTe Privacy Seal Program”, jointly promoted by TRUSTe in the USA and JEF.

He specialises in eMarketing and eBusiness. He developed the method of “Knowledge Management System for eBusiness Model Planning”, which is widely recognised in the eBusiness communities.


Shuichi INADA

Shuichi Inada is a Director of the Advanced Information Systems and Software Division in the Ministry of Posts and Telecommunications in Japan. He has also held the position of Director in the following: Multimedia Mobile Communications Office (MPT); Engineering Office (MPT); Land Mobile Communications Division (MPT); Information Planning Division (MPT).

He has a Bachelor and Master of Engineering in Computer and Communication Engineering from Kyushu University and a Master of Arts in Economics from the University of Colorado at Boulder.

Yuji INOUE

Yuji Inoue is the Corporate Senior Vice President and serves as the Senior Executive Manager of R&D Headquarters, together with the role of Chief IT Partner at the NTT Data Corporation. He received BS, ME and Ph.D. degrees from Kyushu University, Fukuoka, Japan, in 1971, 1973 and 1986 respectively. He joined NTT (Nippon Telegraph and Telephone Corporation) Laboratories in 1973, where he was engaged in the development of digital network synchronization and in the planning of network digitalization, including ISDN, and then in the standardization of these fields in the international standard organization, ITU-T. He also conducted the next generation software architecture called Telecommunication Information Networking Architecture, TINA. Dr. Inoue joined NTT Data Corporation as the Deputy Senior Executive Manager of Research and Development Headquarters in 1999. He is a member of IEICE and a senior member of IEEE. He co-authored several books such as “ISDN”, “Broadband ISDN and ATM Technologies”, “Network Architecture”, “The TINA Book” etc.

Takaya ISHIDA

Takaya Ishida has been a Senior Chief Researcher at Corporate Research & Development of Mitsubishi Electric Corporation since 1996.

He has been a Vice-Chairman of the Committee for Information, Computer and Communications Policies (ICCP) of the Business and Industry Advisory Committee to the OECD (BIAC) since 1998, and a Director in charge of international affairs of the Information Processing Society of Japan (IPSJ) since 2000.

Oiva KARPPINEN

Mr. Karppinen has been the Managing Director of Nixu Oy since 1996, where he has developed and marketed Internet Management Software, Internet Technology & Security Consulting.

Mikael KIVINIEMI

Mr. Kiviniemi is currently a Senior Adviser (IT) in the Ministry of Finance, Finland. Before this he was Planning Manager (data administration) and before that Chief Analyst (data administration), National Board of Taxation. From 1989 to 1991 he was Systems Engineer (Industry Division) and before that a Project Manager, IBM Finland.

Mr. Kiviniemi has international experience in data administration since 1989.

He has a Master of Science degree from the Helsinki University of Technology.


Thomas LONGSTAFF

Dr. Longstaff is a senior member of the technical staff in the Networked Systems Survivability (NSS) Program at the Software Engineering Institute (SEI).

He is currently managing research and development in network security for the NSS Program. Publication areas include information survivability, insider threat, intruder modelling, and intrusion detection. As a member of the CERT Coordination Center (an incident handling team at SEI), Tom has daily access to the most up-to-date information on Internet security, product vulnerabilities, and intruder profiles in existence. Since 1997, Tom has been investigating topics related to information survivability and critical national infrastructure protection.

Prior to coming to the Software Engineering Institute, Longstaff was the technical director at the Computer Incident Advisory Capability (CIAC) at Lawrence Livermore National Laboratory in Livermore, California. He completed a PhD in 1991 at the University of California, Davis in software environments.

Peter LÜBKERT

Peter Lübkert is an IT professional with over 15 years of professional experience in systems design and implementation. He is Head of Division within the OECD Directorate for Information Technology and Network Services, responsible for the development and support of large IT solutions. In previous positions he managed many significant IT projects, including the development of the OECD’s global information network, and was involved in policy related work. Mr. Lübkert studied Informatics at the University of Hamburg, Germany. Throughout his career he has also had various research and development assignments.

Alessandro LUCIANO

Commissioner for the Italian Authority for Communications.

Dave McCURDY

Dave McCurdy was elected president of EIA in October 1998. As the Alliance’s chief executive, he oversees the activities of the national trade organization representing the full spectrum of US manufacturers representing more than 80% of the USD 550 billion electronics industry. The Alliance is a partnership of electronic and high tech associations and companies committed to shared knowledge and shared influence. The EIA mission is promoting the market development and competitiveness of the US high-tech industry through domestic and international policy efforts. It is comprised of more than 2 100 member companies whose products range from the smallest electronics components to the most complex systems used by defense, space and industry, including the full range of consumer products, and which provide two million jobs for American workers. EIA is headquartered in Arlington, Virginia. Mr. McCurdy was recently profiled in Washingtonian Magazine as one of the top 50 most influential association executives.

Mr. McCurdy came to EIA after a distinguished career in the US House of Representatives, and as Chairman and Chief Executive Officer of the McCurdy Group L.L.C., a successful business consulting and investment practice. The Group provided business strategies and solutions for high technology and healthcare business clients. Services included business and organizational planning, assistance in start-up operations, and examining and preparing options for private placement and strategic partnering. The Group also prepared business, marketing and development plans. Corporate clients included a number of Fortune 100, start-up and small high-growth companies.


McCurdy was recently named as a member of the Board of Visitors of the Carnegie Mellon University, Software Engineering Institute; a Department of Energy Board of Visitor; a Distinguished Congressional Fellow with the Center for Strategic and International Studies; and a member of the In-Q-Tel Business Advisory Board.

McCurdy was counsel to the Washington, D.C. law firm of Patton Boggs. He is a member of the Oklahoma, District of Columbia and American Bar Associations. He is also a member of the Public Contract Law and Health Law Sections.

Masami MUROMACHI

Masami Muromachi (LLM of Waseda University) practices law at Tokyo Marunouchi Law Offices, in Tokyo. He was a lecturer at Kokugakuin University teaching Electronic Commerce from April 1989 to March 2000 and at the Graduate School at Waseda University teaching Media Legal Policy from April 1999 to March 2001.

He was a member of research committees for electronic commerce, electronic signature and related areas.

Mohd Adzman bin Haji MUSA

Mr. Musa is the Director of the ICT Security Division at the Malaysian Administrative Modernisation and Management Planning Unit (MAMPU), in the Prime Minister’s Department.

He has a Bachelor of Economics (University Malaya) and a Diploma in System Analysis (ITM).

From October 1997 to August 2000 he was the Director of the Public Sector IT Development Division, in the Malaysian Administrative Modernisation and Management Planning Unit (MAMPU), Prime Minister’s Department, and previously held several positions within this department.

Kenji NAEMURA

Kenji Naemura is a Professor of Keio University, Graduate School of Media and Governance and Faculty of Environmental Information at its Shonan Fujisawa Campus, Kanagawa Prefecture, Japan. Previously he was with NTT, engaged in R&D in various fields related to computers and networking.

He currently serves as Chairman of the Japanese National Committee for ISO/IEC JTC1/SC27 and as a member of the Board of the Engineering Academy of Japan.

Koji NAKAO

Koji Nakao is the Senior Manager of KDDI R&D Laboratories Inc. and has been an active member of the ISO/IEC SC27/WG1 since 1999.

He has been working in the area of Information Technology research and development focusing on office communications and information & computer security, and was a special rapporteur (chair) for ITU-T regarding Open Document Communications. Further, he is a convenor of the national body for ISO/IEC SC27/WG1, and is a Vice President of the Information Security Engineering Committee (ISEC) in the Institute of Electronics, Information and Communication Engineers (IEICE) in Japan.


Michio NARUTO

Michio Naruto is Special Representative of Fujitsu Limited. He is also over-all Co-Chair of the Global Business Dialogue on electronic commerce (GBDe). The GBDe annual conference was held on 13-14 September 2001 in Tokyo.

In addition, he serves as Chairman of Fujitsu Research Institute, Chairman of ICL, Chairman of Celestica Japan and Chairman of TOYOTA InfoTechnology Center Co. Ltd. He currently holds numerous other positions in industry: Asia Co-Chair of GIIC Forum, a member of Global Internet Project (GIP), a member of APEC Business Advisory Council (ABAC), a member of Advisory Committee on Infocomms of Ireland, a member of US-Japan Business Council, a member of EU-Japan Business Dialogue Round Table and a member of OECD Advisory Committee of Japan Federation of Economic Organizations (KEIDANREN).

Michael W. OBORNE

Since 1993, Dr. Oborne has been OECD’s Deputy Director for Science Technology and Industry, with special responsibilities for science and technology policy developments in the biosciences, biotechnology and innovation. He is Chairman of the OECD’s ICGB, an Organisation-wide body that co-ordinates work on biotechnology, including trade, science, industry, environment and agricultural aspects of developments in the biosciences. He is also responsible for OECD work on electronic commerce and information technologies including telecommunications and infrastructure policies; and IT work on privacy, security, consumer policies and recent policy developments in Member countries. He has published three books and numerous articles on subjects relating to economic development, China, as well as works of history. Dr. Oborne has lectured extensively in Europe, Africa, Latin America, Asia and the United States. He holds degrees from the University of California at Berkeley, the University of Paris X, and the Ecole des Hautes Etudes in Paris.

Hidetoshi OHNO

Hidetoshi Ohno has been the Director of the IT Security Policy Office of the Ministry of Economy, Trade and Industry (METI) of Japan since 2001. He is responsible for making policies and rules regarding IT security for e-commerce and e-government such as promoting PKI and evaluating IT products and cryptography for procurement. Before joining METI, he worked in the Ministry of Transport of Japan.

He is a member of the Management Committee for IT Security Evaluation and Certification Scheme, the steering group of the Cryptography Research and Evaluation Committee, and the steering group of the IT Security Promotion Committee in the Cabinet Office.

Komain PIBULYAROJANA

Mr. Komain Pibulyarojana is the Head of National Security Section at ThaiCERT.

He received a Doctor of Philosophy in Computer Engineering in 2000 from the University of Tsukuba, Japan, and also holds a Master of Engineering in Computer Engineering from the University of Tsukuba, Japan.


Cindy ROSE

Cindy Rose was recently appointed Senior Vice President and Managing Director of Walt Disney International UK. Prior to this appointment, she served for three years as Vice President, Government Relations Europe for The Walt Disney Company, prior to which she served for three years as Senior Counsel for The Walt Disney Company. Ms. Rose has, among other things, chaired the Intellectual Property Rights Working Group of the Global Business Dialogue on E-Commerce for the last two years.

Holger REIF

Holger Reif received an MSc from the Technical University of Ilmenau, Germany in 1994. Later he became a member of staff at the Department of Applied Computer Science in the Distributed Computing Group. As well as lecturing, he worked in several nationally or state funded research projects. His areas of interest included E-Commerce application scenarios, digital payment systems and computer and network security. He has published both at scientific conferences and in major computer magazines, and he is also the co-author of a study text book. In 1998 he joined the company SmartTrust, where he held positions in research and development of PKI based security solutions for mobile and fixed networks. Since April 2001 he has been with TeleTrust Deutschland e.V. and principal co-ordinator of the Bridge-CA project (www.bridge-ca.org).

Bernhard REITER

Bernhard REITER graduated in Applied Systems Science from the University of Osnabrück in 1998 and gained a Master of Science in Geography from the University of Wisconsin-Milwaukee in 1999. He founded Intevation GmbH in 1999, of which he is Managing Director.

Bernhard is a member of the Foundation for a Free Informational Infrastructure (FFII) and a founding member of the Free Software Foundation Europe.

Akira SAKA

Akira Saka has been Director of the Security System Planning Office, National Police Agency (NPA), Japan since August 2000.

His office is responsible for formulating policies regarding information security, especially preventing cyber crime. The office is also in charge of executing the “Unauthorized Computer Access Law” with the Ministry of Public Management, Home Affairs, Posts and Telecommunications and the Ministry of Economics, Trade and Industry (METI). According to the law, the police are to investigate unauthorised access to network computer systems and give assistance to the victims. Akira co-ordinates those police activities with other divisions of NPA.

Patricia M. SEFCIK

Ms. Sefcik is the Director of the Office of Electronic Commerce in the International Trade Administration (ITA), US Department of Commerce. She currently represents ITA at international and interagency meetings on electronic commerce issues and promotes trade development by creating partnerships with emerging economies, connecting US businesses to global digital opportunities, and fostering the right policy environment.

Formerly, Ms. Sefcik was the Director of the Information Technology Controls Division in the Bureau of Export Administration, where she was a key player in developing and implementing the Clinton Administration’s most high-profile initiatives on encryption and high performance computers export control policy. Ms. Sefcik was awarded a gold medal from the Secretary of Commerce for her accomplishments in this area. Having 18 years of government experience with the Commerce Department, Ms. Sefcik has represented Commerce at international forums on a broad range of issues from electronic commerce and international trade policy to export controls and non-proliferation issues. Furthermore, Ms. Sefcik also conducted over 100 compliance reviews at both U.S. exporter and foreign company sites that were required to maintain Internal Control Programs on highly sensitive dual-use items.

Ms. Sefcik holds a Masters degree in Public Administration from San Diego State University and a Bachelor of Science degree in Business Administration (Accounting) from Youngstown State University.

Tuire Marjut SAARIPUU

Ms. Saaripuu has worked at the Population Register Centre, Data Services, FINEID-project since 1998. Her main responsibilities are: certificate policy, PKI further development, contract negotiations, especially IT-branch, preparing jurisdiction and statements, certificate services.

Previously, she worked as Chief of Magistrate, at a local census-authority, on family law, corporate law, law of real estates, registering of foreigners, and as a Notary Public.

Betty SHAVE

Betty-Ellen Shave is the Associate Chief for International Matters in the Computer Crime and Intellectual Property Section (CCIPS) of the Criminal Division of the US Department of Justice. She supervises CCIPS' international assignments, including the international issues arising from CCIPS’ criminal caseload and CCIPS’ activities in numerous regional and multilateral fora. Ms. Shave headed the US delegation to the High-Tech Crime Subgroup of the countries of the G8 for three years and has been active in the negotiations of the draft Cyber-crime Convention at the Council of Europe from its beginning in 1997.

Alexey SCHERBAKOV

First Deputy Minister for Communications and Informatization of the Russian Federation, Mr. Scherbakov was born on 20 May 1941 in Moscow. In 1964 he graduated from Moscow Bauman Highest Technical School. From 1964 to 2000 he was with the state security service and ended his service at the rank of Colonel-General. He is the author of several scientific papers including some on information security. He was decorated with several highest orders of Russia. Since October 2000 he has been First Deputy Minister for Communications and Informatization of the Russian Federation.

Chester SOONG

Chester Soong returned to Hong Kong from California in 1993 after graduating from California State University, Fullerton with double majors in Management Information Systems and Finance. After that Chester worked for Citibank N.A. before founding his own ISP and consulting business, Global Information Networks Ltd. in 1995. In GIN, he is mainly responsible for development and management of the company, and provides pre-sales and after-sales security consulting services. Mr. Soong is a frequent speaker at various seminars and conferences on the subject of e-commerce and Internet security. He is also a lecturer on Internet security for City University of Hong Kong, Hong Kong Management Association, and ISC2 (International Information System Security Certification Consortium).


Jung-ran SUH

Ms. Suh is currently the Deputy Director of the Information & Privacy Division at the Ministry of Information Communication in Korea. Previously she was a researcher at the HanHwa Economic Research Institute.

Suguru YAMAGUCHI

Suguru Yamaguchi received M.E. and D.E. degrees in computer science from Osaka University, Osaka, Japan, in 1988 and 1991, respectively.

From 1990 to 1992 he was an Assistant Professor in the Education Center for Information Processing, Osaka University. From 1992 to 1993, he was with the Information Technology Center, Nara Institute of Science and Technology, Nara, Japan, as an Associate Professor. From 1993 to 2000, he was with the Graduate School of Information Science, Nara Institute of Science and Technology, Nara, Japan, as an Associate Professor. Currently, he is a Professor with the Graduate School of Information Science, Nara Institute of Science and Technology, Nara, Japan. He has also been a member of the WIDE Project since its creation in 1988, where he has been conducting research on network security systems for wide area distributed computing environments. His research interests include technologies for information sharing, multimedia communication over high-speed communication channels, network security and network management for the Internet.


ANNEX II: FINAL PARTICIPANTS LIST

Mr. Yasuo ABE, Manager, Tohmatsu & Co., Enterprise Risk Services, JAPAN

Mr. Ariffudin AIZUDDIN, Manager, National ICT Security Emergency Response Centre (NISER), Kuala Lumpur, MALAYSIA

Mr. Filip AMELOOT, Government Affairs Counsel, NEC Europe Ltd., Brussels Office, Brussels, BELGIUM

Mr. Masazumi ANDO, Senior Manager, Strategic Planning, Mitsui & Co., Tokyo, JAPAN

Mr. Hiroharu ASAHI, Senior Chief, Hitachi Ltd., Systems Solution, Tokyo, JAPAN

Mr. Kinjyu ATARASHI, Executive Managing Director, Japan Information Processing Development Corporation, Tokyo, JAPAN

Mr. John AYOADE, Doctoral Scholar, University of Electro-Communications, Tokyo, JAPAN

Mr. Yoshihiro BABA, Program Manager, IBM Japan, Tokyo, JAPAN

Mr. David BARNES, Vice President, IBM Asia Pacific, Tokyo, JAPAN

Ms. Ciara BATES, Administrative Officer, Communications (Development) Division, Department of Public Enterprise, Irish Government, Dublin, IRELAND


Ms. Anne CARBLANC, Principal Administrator, OECD, Directorate for Science, Technology and Industry, Information, Computer and Communications Policy Division, Paris, FRANCE

Mr. Vinton G. CERF, Senior Vice President, Internet Architecture and Technology, WorldCom Inc., Virginia, UNITED STATES

Mr. Chin Yin Stanley CHAN, Senior Systems Manager, Information Technology Services Department, Hong Kong, CHINA

Mr. Jean-Christophe CHOUVET, Deputy Director General of the Direction of the Economic and Financial Affairs, Ministry of Foreign Affairs, Paris, FRANCE

Ms. Kimberley CLAMAN, Vice President for Global Affairs, Information Technology Association of America (ITAA), Virginia, UNITED STATES

Mr. Scott COOPER

Mr. Giuseppe CORASANITI, Director, Anti-Hacker Unit, Italian Communications Authority, Copyright and Computer Crimes, Rome, ITALY

Mr. Bertrand COUSIN, Special Advisor to the CEO, Vivendi Universal, Paris, FRANCE

Mr. Otavio Carlos CUNHA DA SILVA, Engineer, Representative of the Institutional Information Security Cabinet, Institutional Information Security Cabinet of Brazil, Brasilia, BRAZIL

Ms. Judith CURRIE, Export Policy Analyst, Information Technology Controls Division, US Department of Commerce, Bureau of Export Administration, Office of Strategic Trade and Foreign Policy, Washington, DC, UNITED STATES

Mr. Shinnosuke DATE, General Manager, Fujitsu, Int’l Relations, External Affairs Group, Tokyo, JAPAN

Mrs. Katarina DE BRISIS, Senior Advisor, Ministry of Trade and Industry, Oslo, NORWAY


Ms. Chris DEMCHAK, Associate Professor, Cyberspace Policy Research Group, School of PA and Policy, College of Business and PA, University of Arizona, Arizona, UNITED STATES

Cunba DESTIUN

Mr. John DRYDEN, Head of Division, OECD, Directorate for Science, Technology and Industry, Information, Computer and Communications Policy Division, Paris, FRANCE

Mr. Shinichi EBARA, Director, National Police Academy, Community Safety Training Division, Tokyo, JAPAN

Dr. Detlef ECKERT, Head of Unit, European Commission, Brussels, BELGIUM

Mr. Tomohiro EKUBO, Assistant Manager, NEC Soft, Ltd., Security Solution Department, Information Technologies Solution Division, Tokyo, JAPAN

Mr. Carter ELTZROTH, Senior Vice President, Global Public Policy, MIH Group, Washington, DC, UNITED STATES

Mr. Bin Xing FANG, Deputy Director, Chief Engineer, National Computer Network and Information Security Administration Center, Beijing, CHINA

Mr. David FARES, Director, Electronic Commerce, U.S. Council for International Business, New York, UNITED STATES

Ms. Naja FELTER, Policy Officer, Consumers International, London, UNITED KINGDOM

Mr. Peter FERGUSON, Director, Electronic Commerce, Industry Canada, Ontario, CANADA

Mr. Yury FONTANOV, Deputy Director General of Department, Ministry for Communications and Information of the Russian Federation, Moscow, RUSSIA


Mr. Peter FORD, Chair of the Working Party on Information Security and Privacy, OECD, Attorney-General’s Department, AUSTRALIA

Mr. Envir FRASER, Senior General Manager, Dpt. of Communications, Pretoria, SOUTH AFRICA

Mr. Atsushi FUJIOKA, Senior Research Scientist, NTT, Information Sharing Platform Laboratories, Tokyo, JAPAN

Mr. Takahiro FUJISHIRO, Researcher, Systems Development Laboratory, Hitachi Ltd., Tokyo, JAPAN

Mr. Masahiro FUJITA, Executive Engineer, T.D.I Co. Ltd., Technology Planning & Supports Dept., JAPAN

Mr. Tatsuo GOTO, Chief Manager, NEC Corporation, External Relation Division, Tokyo, JAPAN

Mr. David GROSS, Special Advisor, Deputy Assistant Secretary-designate, EB/CIP, US Department of State, Washington, DC, UNITED STATES

Mr. Patrick GRÜTER, Vice President, European Government Relations Office, The Walt Disney Company, Brussels, BELGIUM

Mr. Yasunori HARA, Manager, Nomura Securities Co. Ltd., Systems Planning Department, Tokyo, JAPAN

Mr. Peter HARTER, Vice President, Internet, Protection & Policy, Securify, Inc., California, UNITED STATES

Mr. Hidekazu HASEGAWA, Director, Ministry of Economics, Trade and Industry, Information Project Office, Tokyo, JAPAN


Mr. Toshimichi HASEGAWA, Section Chief, Ministry of Public Management, Home Affairs, Posts and Telecommunications, International Economic Affairs Division, International Affairs Department, Telecommunications Bureau, Tokyo, JAPAN

Mrs. Rubaiah HASHIM, Principal Assistant Secretary, Ministry of Energy, Communications and Multimedia, Kuala Lumpur, MALAYSIA

Ms. Ayesha HASSAN, Senior Policy Manager, Internet, Protection & Policy, International Chamber of Commerce (ICC), Paris, FRANCE

Mr. Akihiro HAYAKAWA, NTT Data, Systems Technology Group, Tokyo, JAPAN

Mr. David HERSON, Consultant to the OECD, UNITED KINGDOM

Mr. Koichiro HIGASA, Director, Japan Quality Assurance Organization, IT Dept., JAPAN

Mr. Yuichi HIRAMATSU, President, ECSEC: The Electronic Commerce Security Technology Research Association, JAPAN

Mr. Yoshiyuki HIRANO, Technical Standards Expert, NEC Corporation, Technical Standard Department, Intellectual Property Division, Tokyo, JAPAN

Mr. Brooke HOLMES, Expert Consultant, US Department of State, Bureau of Verification and Compliance, Washington, DC, UNITED STATES

Mr. Charles HOOKER, International Trade Specialist, US Department of Commerce, International Trade Administration, Washington, DC, UNITED STATES

Mr. Masao HORIBE, Professor, Chuo University, Tokyo, JAPAN

Mr. Kentaro HOSHI, Section Chief, Office of IT Security Policy, Ministry of Economics, Trade and Industry, Tokyo, JAPAN

Mr. Katsumi HOSHINO, Professor, Tama University, School of Management & Information Sciences, Tokyo, JAPAN

Mr. Shigeru HOTTA, Director, Cabinet Office, Consumer Policy Division, Quality-of-life Policy Bureau, Tokyo, JAPAN

Mr. Masayuki IDA, Professor, Aoyama Gakuin University, Graduate School of International Management, Tokyo, JAPAN

Mr. Isao IDOTA, Secretary General, Japan Engineering Federation, JAPAN

Mr. Yoshinori INABA, Director, JIC Quality Assurance, Ltd., Registration Department, JAPAN

Mr. Shuichi INADA, Director, Advanced Information Systems and Software Division, Information and Communications Policy Bureau, Ministry of Public Management, Home Affairs, Posts and Telecommunications, Tokyo, JAPAN

Mr. Yu INAMURA, Senior Consultant, International Network Security Inc., Technology Division, JAPAN

Mr. Kazushi INOUE, Assistant Director, National Police Agency, Second International Affairs Division, Tokyo, JAPAN

Mr. Yuji INOUE, Senior Vice President, NTT DATA Corporation, Tokyo, JAPAN

Mr. Takaya ISHIDA, Senior Chief Researcher, Vice-Chairman of the BIAC ICCP Committee, Corporate Research & Development, Mitsubishi Electric Corporation, Tokyo, JAPAN

Ms. Hiromi ISHIGE, Chief, National Institute of Technology and Evaluation, Testing Laboratories Accreditation Division, Conformity Assessment Center, JAPAN

Mr. Naoyuki IWAI, Attorney, Ministry of Foreign Affairs, Human Rights and Humanitarian Affairs Division, Tokyo, JAPAN

Mr. Ryohei JOKI, Researcher, IT Security Center, Information-Technology Promotion Agency (IPA), Tokyo, JAPAN

Mr. Yasushi KAKEHI, Manager, Bank of Japan, Secretariat of the Policy Board, Tokyo, JAPAN

Mr. Masanori KAMITA, Research Director, Electronic Commerce Promotion Council of Japan, Authentication & Notary Working Group, JAPAN

Mr. Akiteru KAMOSHIDA, Information Security Engineer, NRI Secure Technologies, Ltd., Tokyo, JAPAN

Mr. Yuji KANAZAWA, Section Chief, Office of IT Security Policy, Ministry of Economics, Trade and Industry, Tokyo, JAPAN

Mr. Oiva KARPPINEN, Vice President, Business Development, Member of the Board, Nixu Ltd., Helsinki, FINLAND

Mr. Kenji KATO, Technical Evangelist, .NET Technology Dept., Developer Marketing Group, Microsoft Co. Ltd., Tokyo, JAPAN

Mr. Yoshifumi KATO, Chief Manager, NEC Corporation, Network and Services Planning Division, Tokyo, JAPAN

Mr. Masato KATSUMATA, Deputy Director, Ministry of Economics, Trade and Industry, Standardization Office for Information Technology and Electrotechnology, Standards Development and Planning Division, Industrial Science Technology Policy and Environment Bureau, Tokyo, JAPAN

Mr. Tetsuro KAWABERI, Senior Manager, The Japan Accreditation Board for Conformity Assessment, Management Systems Accreditation Department, JAPAN

Mr. Yasuhiko KAWAI, Senior Manager, Japan Electronics & Information Technology Industries Association, IT Security Center, JAPAN

Mr. Naoya KAWAMURA, Research Director, Electronic Commerce Promotion Council of Japan, JAPAN

Mr. Shinichi KAWAMURA, Senior Research Scientist, Toshiba R&D Center, Tokyo, JAPAN

Ms. Junko KAWAUCHI, Japan IT Services Industry Association (JISA), International Affairs Dept., JAPAN

Mr. Brian KELLY, Senior Vice President, Electronic Industries Alliance, Virginia, UNITED STATES

Mr. Tatsuo KIDO, Director, Ministry of Economics, Trade and Industry, Standardization Office for Information Technology and Electrotechnology, Standards Development and Planning Division, Industrial Science Technology Policy and Environment Bureau, Tokyo, JAPAN

Mr. Shingo KINOSHITA, Chief Researcher, NTT Information Sharing Platform Laboratories, Tokyo, JAPAN

Mr. Junichi KISHIGAMI, Director, NTT R&D Globalization Strategy, Tokyo, JAPAN

Mr. Naomichi KITSUWA, President, Systems Auditors Association of Japan, JAPAN

Mr. Mikael KIVINIEMI, Senior Advisor (IT), Ministry of Finance, Helsinki, FINLAND

Mr. Tomoe KIYOSADA, Researcher, Ministry of Education, Culture, Sports, Science and Technology, Science and Technology Foresight Center, National Institute of Science and Technology Policy, Tokyo, JAPAN

Mr. Seiji KOBAYASHI, President & CEO, Japan Certification Services, Inc., JAPAN

Mr. Masahiko KOBAYASHI, JAPAN

Mr. Yukiharu KODAMA, President, Japan Information Processing Development Corporation, JAPAN

Mr. Akihiko KOMASE, Director, Member of the Board, Asgent Inc., Technical Dept., JAPAN

Mr. Shigeru KONDO, Ministry of Foreign Affairs, IT Co-operation Division, Economic Affairs Bureau, Tokyo, JAPAN

Mr. Takahiko KONDOU, Vice Chairman, Information-Technology Promotion Agency (IPA), Tokyo, JAPAN

Mr. Leonard KOSINSKI, Researcher, Neoteny Co., Ltd., Tokyo, JAPAN

Mr. Noboru KOTANI, NEC, Tokyo, JAPAN

Mr. Yoshio KUBOTA, Senior Advisor, Tokyo Electric Power Company, JAPAN

Mr. Takashi KUME, Deputy Director, Office of IT Security Policy, Ministry of Economics, Trade and Industry, Tokyo, JAPAN

Mr. Hiroshi KURITA, Engineer, Hitachi, Ltd., Network and Security Software Department, JAPAN

Mr. Kunio KUROIWA, General Manager, NTT Information Strategy Planning Section, Department II, Tokyo, JAPAN

Dr. Kyunghwa LEE, Operator, Information Communication Ethics Committee, Seoul, KOREA

Mr. Gian Nico LETTER, Interpreter and Press Officer, Embassy of Italy in Japan, ITALY

Mr. Lucas LIM, ASOCIO Secretary General, Asean-Oceanian Computing Industry Organization (ASOCIO), International Dept., JAPAN

Mr. Thomas LONGSTAFF, Manager, Survivable Network Technologies, CERT, Pennsylvania, UNITED STATES

Ms. Carolina LORENZON, Head of International Media Policy, MEDIASET S.P.A., Milan, ITALY

Mr. Peter LÜBKERT, Head of Division, OECD, Information, Technology and Networks Services, Systems Development and Support, Paris, FRANCE

Mr. Alessandro LUCIANO, Commissioner, Communications Authority, Rome, ITALY

Mr. Tsukasa MAEDA, V.P., RSA Security Japan Ltd., Technical Support & Engineering, JAPAN

Mr. Kazuyoshi MAEKAWA, Fujitsu Limited, Planning Division, External Affairs Group, Tokyo, JAPAN

Mr. Adrian MAKESHIN, Deputy Director General of Department, Ministry for Communications and Information of the Russian Federation, Moscow, RUSSIA

Mr. Toru MARUHASHI, Manager, Internet & E-Commerce, Fujitsu Limited, Legal Planning Dept., JAPAN

Mr. Mitsuhiko MARUYAMA, Manager, Tohmatsu & Co., Enterprise Risk Services, JAPAN

Mr. Shigeyuki MATSUDA, Senior Manager, NTT Data, Systems Technology Group, Tokyo, JAPAN

Mr. Dave McCURDY, President, Electronic Industries Alliance/Internet Security Alliance, Virginia, UNITED STATES

Mr. Yasuo MIYAKAWA, Researcher, IT Security Center, Information-Technology Promotion Agency (IPA), Tokyo, JAPAN

Mr. Kiyoshi MIYAKE, Specialist, e-Net Engineering Dept. 2, Tokyo, JAPAN

Mr. Masahiro MIZUMOTO, Manager, KDDI Corporation, Solutions Development, JAPAN

Mr. Yoshitsugu MIZUNO, General Manager, INTEC Inc., Security Business Dept., JAPAN

Mr. Teruyasu MURAKAMI, Senior Managing Director, Nomura Research Institute, Tokyo, JAPAN

Mr. Masayasu MURANO, Researcher, IT Security Center, Information-Technology Promotion Agency (IPA), Tokyo, JAPAN

Mr. Toshihiko MURANUSHI, NRI Secure Technologies, JAPAN

Mr. Masami MUROMACHI, Attorney at Law, Tokyo Marunouchi Law Offices, Tokyo, JAPAN

Mr. Mohd Adzman Bin HJ. MUSA, Director, ICT Security Division, Malaysian Administration Modernisation and Management Planning Unit (MAMPU), Prime Minister's Department, Putrajaya, MALAYSIA

Mr. Kenji NAEMURA, Professor, Keio University, Kanagawa, JAPAN

Mr. Osamu NAITO, Director, IT Security Centre, Information-Technology Promotion Agency (IPA), Tokyo, JAPAN

Mr. Satoshi NAKADA, Program Manager, IBM Japan, Ltd., e-business Infrastructure Services, IBM Global Services, JAPAN

Mr. Masayuki NAKAGAWA, Information Security Training Manager, BSI Japan K.K., Tokyo, JAPAN

Mr. Shiro NAKAHARA, Senior Manager, NTT Department V, Tokyo, JAPAN

Mr. Toru NAKAMURA, Manager, INES Corporation, Technical Division, JAPAN

Mr. Koji NAKAO, Senior Manager, KDDI R&D Laboratories Inc., Network Management System Lab, Saitama, JAPAN

Mr. Taizo NAKATOMI, Principal Administrator, OECD, Directorate for Science, Technology and Industry, Information, Computer and Communications Policy Division, Paris, FRANCE

Mr. Masaki NAKAYAMA, Group Leader, IT Security Center, Information-Technology Promotion Agency (IPA), Tokyo, JAPAN

Mr. Michio NARUTO, Special Representative, Fujitsu Limited, Tokyo, JAPAN

Mr. Shuichi NISHIO, Manager, NTT DATA Corporation, IT Security Centre, Kanagawa, JAPAN

Mr. Michael OBORNE, Deputy Director, OECD, Directorate for Science, Technology and Industry, Paris, FRANCE

Mr. Hisayoshi OGURA, Director, FISC (The Center for Financial Industry Information Systems), Security & Audit Research Dept., JAPAN

Mr. Masahide OHBAYASHI, Deputy Director, Japan Information Processing Development Corporation (JIPDEC), Information Security Office, JAPAN

Mr. Eijiroh OHKI, Principal, IBM Japan, Business Innovation Services, JAPAN

Mr. Hidetoshi OHNO, Director, Ministry of Economics, Trade and Industry, Tokyo, JAPAN

Mr. Takehiro OKOSHI, Deputy Manager, Mitsubishi Electric, Information Security, JAPAN

Mr. Hiroyuki OOSUGA, Deputy Director, Ministry of Public Management, Home Affairs, Posts and Telecommunications, Telecommunications Consumer Affairs Office, Telecommunications Bureau, Tokyo, JAPAN

Mr. Viacheslav ORANZHEREEV, Director General of Department, Ministry for Communications and Information of the Russian Federation, Moscow, RUSSIA

Mr. Kazukuni OSAKA, Managing Director, Japan Information Processing Development Corp., JAPAN

Mr. Mitsuru OSUGI, General Manager, Matsushita Electric Industrial, Int'l Affairs Department, JAPAN

Ms. Pamela PASSMAN, Associate General Counsel, Microsoft Asia Ltd., Tokyo, JAPAN

Mr. Manuel PEDROSA DE BARROS, Director of Equipments and Standards, Instituto das Comunicações de Portugal, Barcarena, PORTUGAL

Mr. Komain PIBULYAROJANA, Head of National Security Section (THAICERT), National Science and Technology Development Agency, Ministry of Science, Technology and Environment, Bangkok, THAILAND

Mr. Roberto POMPILI, Assistant to Commissioner, Communications Authority, Rome, ITALY

Mr. Holger REIF, Project Manager, TeleTrusT Deutschland e.V., Frankfurt, GERMANY

Mr. Bernhard REITER, German Representative of the FSFE, Vice-President of the FFII, Managing Director of Intevation; Free Software Foundation Europe (FSFE), Federation for a Free Informational Infrastructure (FFII), Intevation GmbH, Osnabrück, GERMANY

Mr. Joseph RICHARDSON, Director, OECD and APEC Telecommunications and Information Policy, US Department of State, Washington, DC, UNITED STATES

Mrs. Cindy ROSE, Senior Counsel, European Legal and Government Affairs, The Walt Disney Company (Benelux) S.A., Brussels, BELGIUM

Ms. Tuire SAARIPUU, Senior Supervisor, Certificate Services, Population Register Centre Finland, Helsinki, FINLAND

Mr. Motonori SAEKI, Director, General Manager, Mitsui & Co., Tokyo, JAPAN

Mr. Toshiaki SAISHO, Chief Specialist, TOSHIBA Corporation, Systems Integration Technology Center, Tokyo, JAPAN

Mr. Akira SAKA, Director, Security Planning Office, National Police Agency, Tokyo, JAPAN

Mr. Kozo SAKAI, Chief, National Institute of Technology and Evaluation, Testing Laboratories Accreditation Division, JAPAN

Mr. Atushi SAKUMA, Research Associate, Fuji Research Institute Corp., Information and Communication Group, Social Systems, Tokyo, JAPAN

Mr. Ryoichi SASAKI, Professor, Tokyo Denki University, School of Engineering, Tokyo, JAPAN

Mr. Yoshiyuki SATO, Senior Research Associate, Fuji Research Institute Corp., Information and Communication Group, Social Systems, Tokyo, JAPAN

Mr. Yujiro SATO, Chairman, Japan Information Technology Service Industry Association, JAPAN

Mr. Yoshihiro SATOH, Researcher, IT Security Center, Information-Technology Promotion Agency (IPA), Tokyo, JAPAN

Mr. Alexey SCHERBAKOV, First Deputy Minister, Ministry for Communications and Information of the Russian Federation, Moscow, RUSSIA

Mrs. Patricia SEFCIK, Director, Office of Electronic Commerce, International Trade Administration, US Department of Commerce, Washington, DC, UNITED STATES

Ms. Keiko SEKIGUCHI, Official, Cabinet Office, General Affairs Division, Quality-of-life Policy Bureau, Tokyo, JAPAN

Mr. Yutaka SEKIGUCHI, Senior Manager, Japan Electronics & Information Technology Industries Association, Standards and Engineering Department, JAPAN

Mr. Noboru SEKINO, Senior Manager, Bank of Tokyo Mitsubishi, Research Office, Tokyo, JAPAN

Mr. Shamsul Jafni SHAFIE, Senior Executive, Malaysian Communications and Multimedia Commission, Kuala Lumpur, MALAYSIA

Ms. Betty-Ellen SHAVE, Associate Chief for International Matters, Computer Crime and Intellectual Property Section, US Department of Justice, Washington, DC, UNITED STATES

Mr. Takaaki SHIGEMATSU, Research Director, Electronic Commerce Promotion Council of Japan, JAPAN

Mr. Naoshi SHIMA, Vice President, NEC, Business Development, Int'l Business Development Office, Tokyo, JAPAN

Mr. Tadahide SHIMAMURA, Itochu Corporation, Information Technology & Telecommunication Division, JAPAN

Mr. Ryoshin SHIMIZU, Section Chief, Office of IT Security Policy, Ministry of Economics, Trade and Industry, Tokyo, JAPAN

Mr. Nobuhiko SHIMIZU, Manager, NTT Information Strategy Planning Section, Dept. II, Tokyo, JAPAN

Ms. Kana SHIMODA, Researcher, Neoteny Co., Ltd., Tokyo, JAPAN

Mr. Takeshi SHINOHARA, Chief Consultant, Nomura Research Institute, Center for Knowledge Exchange & Creation, Research & Consulting, JAPAN

Ms. Pernilla SKANTZE, Head of Section, Ministry of Industry, Employment and Communications, Stockholm, SWEDEN

Mr. Geoffrey SMITH, Head of Information Security Policy Group, Department of Trade and Industry, London, UNITED KINGDOM

Mr. Chester SOONG, Director of Certification Services for the Asia-Pacific Region, Global Information Networks Ltd., (ISC)2, Hong Kong, CHINA

Mr. Hubertus SOQUAT, Senior Official, German Federal Ministry of Economics and Technology, Berlin, GERMANY

Ms. Christina SPECK, Senior Communications Policy Specialist, National Telecommunications and Information Administration (NTIA), US Department of Commerce, Washington, DC, UNITED STATES

Mr. Hugh STEVENSON, Associate Director, Division of Planning and Information, Bureau of Consumer Protection, US Federal Trade Commission, Washington, DC, UNITED STATES

Mr. Takao SUGAWARA, Project Manager, Toyota Motor Corporation, IT & Telecom Business Division, JAPAN

Mr. Toshihiko SUGURI, Security Consultant, NRI Secure Technologies, Tokyo, JAPAN

Ms. Jungran SUH, Deputy Director, Information & Privacy Protection Division, Ministry of Information and Communication, Seoul, KOREA

Mr. Salavat SULTANOV, Trade Representation of the Russian Federation in Japan, RUSSIA

Mr. Takao SUNAMI, General Manager, e-Mitsui Div., Mitsui & Co., Tokyo, JAPAN

Mr. Seiichi SUSAKI, Researcher, Hitachi Ltd., Tokyo, JAPAN

Mr. Hitoshi SUZUKI, Deputy Director, Ministry of Economics, Trade and Industry, Manufacturing Industries Bureau, Bio-industry Division, Tokyo, JAPAN

Mr. Yuichi SUZUKI, Director, CTO, Entrust Japan, JAPAN

Ms. Asako TAKAHASHI, Assistant, OECD, Directorate for Science, Technology and Industry, Information, Computer and Communications Policy Division, Paris, FRANCE

Mr. Katushige TAKAHASHI, Deputy Director, Cabinet Office, Consumer Policy Division, Quality-of-life Policy Bureau, Tokyo, JAPAN

Mr. Yoshiaki TAKAHASHI, Deputy Director, Cabinet Office, Consumer Policy Division, Quality-of-life Policy Bureau, Tokyo, JAPAN

Mr. Eisaku TAKEDA, Manager, Mitsubishi Electric Corp. Information Technology R&D Center, Information Security Technology Department, JAPAN

Mr. Yuichiro TAKENAMI, Director, Ministry of Economics, Trade and Industry, Information Systems Office, Minister's Secretariat, Tokyo, JAPAN

Mr. Kazutaka TAKESHITA, Group Manager, IT Planning, Toshiba Corporation, Tokyo, JAPAN

Mr. Takefumi TANABE, Deputy Director, Office of IT Security Policy, Ministry of Economics, Trade and Industry, Tokyo, JAPAN

Mr. Hideyuki TANAKA, Associate Professor, Institute of Socio-Information and Communication Studies, The University of Tokyo, Tokyo, JAPAN

Mr. Tatsuo TANAKA, President, Japan Electronics and Information Technology Industries, JAPAN

Mr. Toshikazu TANIDA, Senior Manager, Strategic Affairs, Communications Industry Association of Japan (CIAJ), representing also the Japan Multimedia Association (JMA), JAPAN

Mr. Shuichi TASHIRO, Senior Researcher, National Institute of Advanced Industrial Science and Technology, Information Technology Research Institute, JAPAN

Mr. Toshio TATSUTA, Program Adviser, IBM Japan, Ltd., Standards Operation, JAPAN

Mr. Masao TATSUZAKI, Deputy Director, National Police Agency, Community Safety Planning Division, Community Safety Bureau, Tokyo, JAPAN

Mr. Masao TERASAWA, Hewlett-Packard Japan, Ltd., JAPAN

Mr. Hideharu TOKANOU, Team Leader, IT Security Center, Information-Technology Promotion Agency (IPA), JAPAN

Mr. Akinobu TOMINORI, Manager, NEC, Tokyo, JAPAN

Mr. Takaki TOMITA, Research Associate, Fuji Research Institute Corp., Information and Communication Group, Social Systems, JAPAN

Mrs. Ferda TOPCAN, MSc. EE Engineer/Senior Researcher, TUBITAK-BILTEN, Ankara, TURKEY

Mr. Naoya TORII, Research Fellow, Fujitsu Laboratories Ltd., Computer Systems Laboratories, JAPAN

Mr. Robert TRITT, Director, International Trade & Regulation, Bell Canada, Quebec, CANADA

Mr. Kazuhiko TSUBOUCHI, Manager, Hewlett-Packard Japan, Ltd., Government Affairs, JAPAN

Mr. Kenichi TSUKIOKA, Senior Manager, IT Telecommunications Policy, NEC Corporation, External Relations Division, Tokyo, JAPAN

Mr. Yukiyasu TSUNOO, Principal Researcher, NEC Corporation, Internet Systems Research, Tokyo, JAPAN

Mr. Katsunori UMEMURA, Fujitsu Social Science Laboratory, Ltd., Kanagawa, JAPAN

Mr. Lorenzo VALERI, Consultant to the OECD, London, UNITED KINGDOM

Mr. Thomas VEST, Senior Network Operations Manager, Asia Pacific Region, America Online, Inc., Tokyo, JAPAN

Mr. Ichiro WAKITA, Partner, Tohmatsu & Co., Enterprise Risk Services, JAPAN

Mr. Nobufumi WATANABE, Senior Researcher, F.I.S.C., Security & Audit Dept., JAPAN

Mr. Shinji WATANANABE, Researcher, NTT DATA Corporation, Research and Development Headquarters, Tokyo, JAPAN

Mr. Masao WATARI, Researcher, Ministry of Education, Culture, Sports, Science and Technology, Science and Technology Foresight Center, National Institute of Science and Technology Policy, Tokyo, JAPAN

Mr. Douglas WORTH, Secretary General, Business and Industry Advisory Committee to the OECD, Paris, FRANCE

Mr. Kenichi YADA, Researcher, IT Security Center, Information-Technology Promotion Agency (IPA), Tokyo, JAPAN

Mr. Asahiko YAMADA, Senior Specialist, Toshiba, Systems Integration Technology Center, Tokyo, JAPAN

Mr. Kazuhiko YAMADA, President, Japan Information Technology Service Industry Association, JAPAN

Mr. Koji YAMADA, Manager, Sharp, International Affairs Dept., JAPAN

Mr. Shigeru YAMADA, Manager, KPMG Business Assurance Co. Ltd., Information Risk Management, JAPAN

Mr. Yuji YAMADORI, Managing Director, Japan Information Processing Development Corporation, JAPAN

Mr. Suguru YAMAGUCHI, Professor, Nara Institute of Science and Technology, Nara, JAPAN

Mr. Tomohiko YAMAKAWA, Senior Researcher, NTT DATA Corporation, Tokyo, JAPAN

Mr. Hidemi YAMAMOTO, Manager, Japan Information Technology Service Industry Association, International Affairs, JAPAN

Mr. Mondo YAMAMOTO, Deputy Director, Office of IT Security Policy, Ministry of Economics, Trade and Industry, Tokyo, JAPAN

Mr. Katsuhiro YAMASHITA, Vice President & CSO, Toshiba, iValue Creation, JAPAN

Mr. Yoichi YAMASHITA, Associate Manager, NTT Information Strategy Planning Section, Dept. II, Tokyo, JAPAN

Mr. Nao J. YASUDA, Vice-Secretary-General, Japan Network Security Association, Secretariat, JAPAN

Mr. Kenichiro YOSHIDA, Advisor, Japan Quality Assurance Organization, IT Dept., JAPAN

Mr. Hiroshi YOSHIKURA, Director-General, National Institute of Infectious Diseases, JAPAN

Mr. Chi-Tsung YOU, Director, National Information and Communication Initiative (NICI), Executive Yuan, CHINESE TAIPEI

Mr. Myron ZLOTNICK, M-Web Head Office, Cape Town, SOUTH AFRICA

ANNEX III: KEYNOTE ADDRESSES

Mr. Peter Ford’s Keynote Address

Slide 1

SECURITY IN THE INFORMATION AGE

Peter Ford, Chair, Working Party on Information Security and Privacy

Slide 2

Consumers

See privacy as a 'right' and expect some level of regulation

See security as part of their 'contract' and expect it to be the responsibility of the E-business

Slide 3

Regulation

Effective for some problems

Less effective for others

Different levels of cultural acceptability in different societies

Technological environment may have bearing on appropriate approach

Slide 4

Problems for public policy

Global nature
• no one country can solve problems in isolation

Threats cannot be readily differentiated as
• 'threats to national security'
• 'crimes'
• 'threats to e-commerce'

Difficulty in assigning policy responsibilities within national administrations

Slide 5

"Our IT networks are an integral part of our critical infrastructure. They will become ever more critical as e-commerce becomes a more and more common way of doing business, and as more and more governments move to provide electronic access to services and programs."

Margaret Purdy, Associate Deputy Prime Minister

Office of Critical Infrastructure Protection and Emergency Preparedness

National Defence, Canada

Slide 6

"I don't think the need to identify and address the vulnerabilities within these systems can be over-stated, nor can we over-state the need to develop response plans to deal with disruptions in these systems and their associated service, whatever the cause."

Margaret Purdy, Associate Deputy Prime Minister

Office of Critical Infrastructure Protection and Emergency Preparedness

National Defence, Canada

Slide 7

WPISP considerations

Establish partnerships between public sector and companies operating essential services to develop flexible and dynamic mechanisms for mutual exchange of information between companies

Slide 8

WPISP considerations (cont.)

Develop mechanisms for sharing information on

• incidents
• threats
• serious cases of system failure

– enabling parties to rapidly warn each other and exchange information

Establish security professional networks

• to develop and maintain expertise

Slide 9

WPISP considerations (cont.)

Strengthen and coordinate research and development

Find means to secure critical information infrastructures from both electronic and physical threats

Review legal frameworks for information services to ensure appropriate balance between individual freedom and cultural protection

Slide 10

OECD Security Guidelines

Ideas under consideration include:

• update Explanatory Memorandum accompanying the principles to support evolution in information security since 1992

• revise or augment principles to address today's environment

Slide 11

APEC

APEC also focussing on critical infrastructure issues

• E-Security Task Group meeting to discuss measures to protect information systems

– follows preliminary exchange of views earlier this year

• OECD Guidelines form basis for that discussion

• will also inform discussions with OECD

Slide 12

How government sees its role

Agencies provide leadership

Coordination of policy development

Foster partnerships

Provide expertise on national security and law enforcement aspects

Slide 13

Industry expectations of government

Act as role model

Protect public awareness

Encourage and support security education

Provide incentives for business to develop and offer consumer security tools

Support the development of mechanisms for the verification of standards

Provide effective law enforcement

Slide 14

Industry expectations of government (cont.)

Work with foreign jurisdictions to address global threats to consumers' confidence arising from security threats

Aware of expense and difficulty of security policies
• content filtering
• record keeping
• non-repudiation

Slide 15

How industry sees its role

Main owners and operators of information infrastructure

Continually improve technological applications

Develop innovative solutions

Take lead through competition and ability to distribute in global market place

Slide 16

Government expectations of industry

Do not wish to impose regulation

Seek willingness to share information and report incidents

Industry expertise and ownership of information infrastructure accepted and welcomed

Essential services are not regarded as less secure because of private ownership

Remarks by Mr. David Gross, US Coordinator, Office of International Communications and Information Policy, US Department of State

For Plenary Session I: "The Shape of the Next-Generation Internet: New Threats and Issues"

At the OECD Workshop "Information Security in a Networked World", Wednesday, September 12 2001

Tokyo, Japan

INTRODUCTION

On behalf of the United States Government, my sincere thanks for this invitation to address you today.

Information security is a key challenge of the new millennium. The revolution in information technology touches all of our lives on a daily basis in ways that range from the mundane to the profound. It is ’call waiting’ for a simple phone call, and it is the complex system that puts the space shuttle into the correct orbit. And though we take them for granted, our economies, our governments and every vital service we depend on – our water supply, transportation, energy, banking and finance, telecommunications, and public health systems – require the constant and reliable functioning of complex networked systems.

However, the problem we face is that the modern networked systems are as vulnerable to disruption as they are essential to the functioning of our modern societies. In the United States, for example, dependence on information technology is so widespread that the potential for serious disruption of key critical infrastructures is now substantial. Even more troubling is the fact that one doesn't have to be a skilled information-warrior to cause significant damage to an information infrastructure. The tools needed to cause massive disruptions are readily available to anyone who wants to find them. So the threat can come from anywhere: the recreational hacker, the terrorist, or the nation-state bent on achieving some strategic advantage.

The importance of assuring the security of these critical IT-dependent infrastructures cannot be overstated. What is at stake for each of our nations is nothing less than our capacity to deliver to our citizens the critical services essential to their well-being and to their way of life.

To protect ourselves from cyber threats requires new thinking "outside of the box." The U.S. government is actively seeking innovative solutions both at home and through multilateral fora like the OECD. Our policies on information security are shaped by three guiding principles:

1. The Internet is dynamic and ever-changing – no one knows exactly how its future will look. Our security solutions and legal structures must therefore be flexible and adaptable if they are to succeed. They must also be incorporated into new technologies from the beginning -- effective security measures cannot be a mere afterthought.

2. Innovative security solutions require private sector leadership. Governments must play an integral role by illuminating the scope of the threat and passing laws to criminalize computer security violations. But those at the forefront of creating the technology must also be at the forefront of creating information security strategies to protect it -- and that means the private sector.


3. The Internet is unfettered by national boundaries. The security and other public policy issues it raises must take this nature into account. Therefore, national approaches to information security must be similar in focus and scope, taking into account not only technical solutions but also policy issues including education, awareness and the criminalization of misuse if they are to be effective.

I would like to spend a few moments talking about how these three principles inform U.S. national policy, and where the Administration is currently focusing its information security efforts both domestically and internationally.

Next Generation Internet

The Administration recognizes that the need for effective information security is growing more critical as the Internet and its users become more sophisticated. The Next Generation Internet promises to be a faster, more versatile, and more powerful medium that will demand even greater attention to information security "up front" -- not as an afterthought. As a broadband medium offering high-speed access to its users, the Next Generation Internet will become a melting pot for most of today’s existing media forms, including television, cinema, radio, and the existing Web. The result will be the emergence of hybrid mediums, never before possible, that will inform virtually every aspect of our daily lives and revolutionize entertainment, retail, business-to-business transactions, health care, and education. With the Next Generation Internet come opportunities to spur economic growth and improve living standards around the world -- but we must protect these opportunities with equally advanced security measures.

National Policy

The Administration takes very seriously its responsibility to protect American citizens from increasingly sophisticated security threats posed by the Next Generation Internet and other new technologies. Our effort to combat these threats centers on the development of a National Plan for Critical Infrastructure Assurance. This plan has at its heart an ongoing, dynamic process of integrating the strategies of government and industry in partnership toward the goal of achieving national critical infrastructure assurance.

In this plan of public-private partnership, the United States Government has the direct responsibility to ensure that it can deliver essential services -- such as public safety and national defense -- to the American people. These services range from the effective projection of U.S. military forces to advance vital foreign and national security interests, to timely warnings of natural disasters, to the delivery of the Social Security retirement checks on which many elderly Americans depend. We will fulfill this responsibility by requiring in our National Plan close coordination among all government agencies at both the federal and state levels.

By necessity, however, the U.S. Government will play more of a general, supporting role in ensuring the availability of critical infrastructure services to maintain a smoothly functioning economy. This can only be done in collaboration with private industry, in a partnership that is unprecedented in United States history. Our preferred approach here is to promote market solutions to the problems of information security, rather than to regulate.

All our preparations notwithstanding, our government and the private sector know that there may well come a time when our collective efforts at prevention will not be enough -- when we will be called upon to restore and reconstitute critical infrastructures that have been disabled. We must be prepared to respond immediately to such a crisis. This too requires a public-private partnership in planning and execution.


The International Dimension

Even as we take these steps domestically to address possible threats to critical infrastructures, we are acutely aware of the fact that, where information technology is concerned, national boundaries and nation-state distinctions are almost inconsequential when assessing the requirements for critical infrastructure protection.

The global interdependence of United States’ interests and infrastructures with those of friends and allies across various sectors -- finance, trade, energy, communications, defense -- means that the success of our efforts to safeguard our critical infrastructures will depend increasingly on the integrity and reliability of the infrastructures of our foreign partners.

Our infrastructure interdependence has physical dimensions, such as the interconnections between telecommunications networks, transportation systems, and delivery of energy resources such as fossil fuels. We are also connected by large-scale information networks through which massive data exchanges flow. It would be foolhardy for us to discount the potential threat of cascading infrastructure failures across several closely allied countries.

From the United States’ perspective, this aspect of the threat is only increasing. With the growing emphasis on electronic commerce and corporate consolidation have come the loss of proprietary networks and processing systems, and a greater utilization of shared infrastructures and off-the-shelf, out-sourced solutions. The effect is to heighten vulnerabilities everywhere.

At the same time, the growing sophistication of computer attack tools available to intruders is permitting greater damage to be done with lower risk of detection. Even if detected, such attacks can be carried out with a substantial degree of impunity. Law enforcement efforts are often hindered by the difficulties of transnational investigation and the lack of criminal penalties in many foreign jurisdictions.

This new international environment demands new, thoughtful collaboration within the international community that will enable us to find ways to reduce the risks to each of our vital infrastructures and networked information systems. Our goal should be to create a synergy among our individual efforts that enhance our collective capacity to deter, detect, and identify the perpetrators of an attack -- as well as to enhance our abilities, working together, to respond to and deal with the consequences of an attack.

This new international environment also requires us to reach out to other governments and regional organizations to promote greater awareness of critical infrastructure protection issues. We must emphasize the need for vigilance in security practices, and the need to enhance law enforcement cooperation as the foundation for a sound information security policy.

The United States already has a history of positive collaboration with many countries on these issues. We actively participated in the development of the 1992 OECD Guidelines. More recently, our work in the G-8 High Tech Crime Group led to innovative, path-breaking work that can be a model for other countries. We were joined by several OECD members last year in an effort to raise the general awareness of the United Nations membership through an important resolution on combating the criminal use of information technology, derived from the principles developed in the G-8 context.

However, we all recognize that governments ultimately are limited in what they can achieve by themselves. The success of any effort will hinge on our ability to develop cooperative government-industry initiatives that contribute to the survivability and reliability of critical interdependent networks and control systems. A good example of the kind of dialogue needed was the G-8 Government-Private Sector High-Level Meeting on High Tech Crime hosted here in Tokyo in May.


Conclusion

The OECD also continues to provide an excellent forum for government and industry to work together to forge cyber-crime solutions. Since establishing Guidelines for the Security of Information Systems in 1992, the OECD has been a leader among multilateral institutions in this arena. I commend the Information, Communication and Computers Committee (ICCP) -- in particular its Working Party on Information Security and Privacy -- on its impressive list of accomplishments. The U.S. government is proud of its membership in the Working Party and remains strongly committed to the work of the ICCP. It is right and appropriate that OECD member states join together with their private sectors to review the 1992 guidelines now, in the new millennium. The U.S. government welcomes the opportunity to work with our OECD colleagues to conduct this review.

The Administration believes that, despite the seriousness of the threat, the international community can use the OECD and other multilateral fora to formulate effective strategies against attacks on our critical infrastructures and other networked systems. We must keep three guiding principles in mind as we develop these strategies:

1. The Internet is ever-changing, and our information security solutions must be flexible if they are to be effective.

2. The private sector must be the primary architect of those solutions.

3. The nature of the Internet technology demands that national information security policies be similar in focus and scope if they are to be effective.

Each of us in government and the private sector has a role to play in meeting the unique challenges of information security -- one that requires fresh, innovative thinking and a true spirit of cooperation. We look forward to working with our OECD colleagues toward this common goal.

End speech.


Mr. Michio Naruto’s Keynote Address

Slide 1

OECD Info-Security Workshop

Info-Security Policy - Business Perspective -

September 12, 2001

Michio Naruto, Special Representative

Fujitsu Limited

Slide 2

- Content -

• What’s happening?

• Information on Networked World

• Real Society & Cyber Society

• Info-Security - Definition

• Who/what shall be protected/why/how

• Technology/Policy Development

• Stakeholder’s Role; Global collaboration

• OECD’s contribution in the past decade

• OECD as Front runner

• Conclusion - OECD’s Role -

Slide 3

What’s happening?

■ CODE RED

GET/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

■ W32/SIRCAM “Hi! How are you? I send you this file in order to have your advice. See you later. Thanks.”
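The two items on Slide 3 are shown as raw artefacts: the Code Red request line and the SirCam mail text. For a defender the practical question is how such an artefact becomes a detection. The following is an added example (not part of Mr. Naruto's slides or of the proceedings) that parses constructed web-server access-log lines in Common Log Format and flags requests with the shape shown on the slide: a target ending in `.ida`, a long run of filler characters, and a dense series of `%uXXXX` escapes. The log lines, IP addresses and thresholds are constructed for the illustration; the indicator names are hypothetical.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample access-log lines in Common Log Format (not taken from the
# proceedings). The first request reproduces the shape shown on the slide:
# GET /default.ida? followed by a long filler run and %u-encoded bytes.
CODE_RED_QUERY = (
    "X" * 224
    + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3"
    + "%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)
SAMPLE_LOG: List[str] = [
    '198.51.100.7 - - [19/Jul/2001:13:02:11 +0000] "GET /default.ida?'
    + CODE_RED_QUERY + ' HTTP/1.0" 200 4',
    '198.51.100.8 - - [19/Jul/2001:13:02:12 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.9 - - [19/Jul/2001:13:02:13 +0000] "GET /search?q=' + "A" * 40
    + ' HTTP/1.1" 200 512',
    '198.51.100.10 - - [19/Jul/2001:13:02:14 +0000] "GET /default.ida HTTP/1.0" 404 0',
    "malformed line with no request field",
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<version>HTTP/\d\.\d)"')
UNICODE_ESC_RE = re.compile(r"%u[0-9a-fA-F]{4}")
FILLER_RUN_RE = re.compile(r"([A-Za-z])\1{99,}")  # 100 or more of the same letter


def parse_request(line: str) -> Dict[str, str]:
    """Return client IP and the parsed request line, or {} if the line is not CLF."""
    m = REQUEST_RE.search(line)
    if not m:
        return {}
    fields = m.groupdict()
    fields["client"] = line.split(" ", 1)[0]
    return fields


def code_red_indicators(target: str) -> List[str]:
    """Independent indicators that a request target resembles the .ida overflow.

    Keeping them separate lets an analyst see a partial match (for example a
    bare probe for default.ida) without it being auto-flagged.
    """
    path, _, query = target.partition("?")
    found: List[str] = []
    if path.lower().endswith(".ida"):
        found.append("ida_target")
    if FILLER_RUN_RE.search(query):
        found.append("filler_run")
    if len(UNICODE_ESC_RE.findall(query)) >= 8:  # constructed threshold
        found.append("unicode_escapes")
    return found


def scan_log(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Flag requests hitting an .ida target that also carry a payload indicator.

    Returns (client, indicators) for each flagged line; unparseable lines are skipped.
    """
    hits: List[Tuple[str, List[str]]] = []
    for line in lines:
        req = parse_request(line)
        if not req:
            continue
        ind = code_red_indicators(req["target"])
        if "ida_target" in ind and len(ind) >= 2:
            hits.append((req["client"], ind))
    return hits


if __name__ == "__main__":
    for client, ind in scan_log(SAMPLE_LOG):
        print(f"{client}: {', '.join(ind)}")
```

The split between `code_red_indicators` and `scan_log` is deliberate: the bare `/default.ida` probe on the fourth line is recorded as a single indicator but not flagged, so the rule fires on the combination the slide actually shows rather than on any request to the extension.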


Slide 4

Information on Networked World

• High-speed flow of mass information

• All human activity in civil society including commerce and communication

=> on the network
=> with broadband/mobile capability/environment
=> over decentralized/open architecture
=> connected each other via IPv6

Slide 5

Real Society & Cyber Society

Real Society v. Cyber Society

Time-consuming v. Instantaneous
Space v. No distance
Cultural Diversity v. Global Convergence
Education v. e-Education
Ethics v. Cyber-ethics
Tort/infringement v. Cyber Tort
Real Crime v. Cyber Crime
Government v. e-Government

Slide 6

Info-Security - Definition

• National Security

• Public Safety; Law Enforcement

• Security in

– private life

– economic activity


Slide 7

Who/what shall be protected/why/how?

• Who: citizen, consumer, business

• What: privacy/property/trade

• Why: development of trustworthy cyber-society

• How:

- Education/Public Awareness

- Rules: ethics, self-regulation, best practice, civil law, penal law, procedural law (How shall we deal with cultural differences?)

- Market based Technology/Standard

- Policy/Guiding principles

<<< practical, cost effective rules and policies required >>>

Slide 8

Technology Management

Infrastructure

• Discovery/Disclosure of Threat/Vulnerability

• Protection policy/technology (PKI, Security management system)

• Early warning/emergency response to minimize damage (e.g. CERTs, ISACs)

<=> Trade secret/Privacy

• Interoperability among:

– Technology standardization

– infrastructure (e.g. mutual recognition of PKI)

– Security Policy

Slide 9

Stakeholder’s Global collaboration

[Diagram: stakeholders linked by information sharing. Governments: Policy making / Law Enforcement; inter/intra Government security management; Liberalization of export control. Consumers/Citizens. Business/Academics: Support/promote R&D/Standard; Training; Education/Raising Awareness; CERT, ISACs; Security Products/Services; R&D; Market-based standard; Security Management.]


Slide 10

OECD’s contribution in the past decade

• Business activities

• Personal living

• Government’s role

=> Privacy

=> Tax

=> Encryption

=> Security

Slide 11

OECD as Front runner

• Guidelines for Policy making

• Facilitator of Self-regulation/Best Practice

• Economic theory plus legal theory (through analyses of economic and legal effect)

• Development of society with improvement of economy

Slide 12

Conclusion - OECD’s Role -

• Focus on security policy in economic activity
=> Based on Economic Theory

• Global coordination among various fora

– inter-governments

– government-business dialogue

– consumers


Keynote Address of Vinton G. Cerf

Senior Vice President

for Internet Architecture and Technology

before the

OECD Cyber-Security Workshop: Information Security

in a Networked World

Hotel Nikko, Tokyo, Japan

September 12, 2001


Hello, my name is Vint Cerf. I’m Sr. Vice President for Internet Architecture and Technology at WorldCom.

I thank the OECD for the opportunity to address this distinguished audience. In turn, I would be remiss if I did not thank our gracious host, the Japanese government. I regret that I am unable to be in Tokyo with you to enjoy both a lively discourse and the hospitality of a great city. If this were the Academy Awards, I would now say that "I am thrilled to be there with you, live via-satellite." Unfortunately, that’s not the case. But, I am pleased that the conference organizers have allowed me to address such important issues with you from sunny Ashburn, Virginia - while my duties with WorldCom have kept me elsewhere. Under the auspices of the Committee on Information, Computer and Communications Policy, chaired by Dick Beaird, and its Working Party on Information Security and Privacy, chaired by Peter Ford, we are here today to discuss a subject that is very important to WorldCom and the Internet community as a whole: cyber-security.

We at WorldCom strongly support the excellent work that the OECD is doing to ensure that industry, academia, regulators and law enforcement authorities are made aware of cyber-security concerns. And, we welcomed the establishment of the Guidelines for the Security of Information Systems, which have gone a long way towards helping all stakeholders in the process work together to find common ground. Finally, we look forward to our continued active work in the USCIB, the U.S. affiliate of the Business and Industry Advisory Committee, toward a successful review of the Guidelines to ensure their robust effectiveness in an ever-changing technical and legal landscape.

That being said, first, let me pose a question: this "cyber-security" thing - what is it? With apologies to my co-presenters, the benefit of videotape is that I can ignore a show of hands and simply answer a rhetorical question without seeming too presumptuous. The answer to that question is deceptively simple. In one very good definition, "cyber-security" represents that combination of technical measures and policy decisions we collectively take to advance the cause of consumer confidence in the Internet. The means by which we facilitate that answer as an end-result - ah, now that is truly where the challenge lies.

I will focus my remarks today on two ways to facilitate the "consumer confidence" we all seek. First, I’ll discuss the merits of a pro-active technical measure, certification, and how it might be effectively - which is to say "uniformly" - advanced. Second, I’ll address the technical and cost problems associated with the current push for industry cooperation with national legal authorities in cyber-crime investigation and enforcement. This latter area is where I see utility for the OECD in its current Guideline review process. Finally, I’ll conclude by framing an issue towards which the OECD should be "looking ahead."

CERTIFICATION

I know you have precious little time on your agenda, so let's jump right in. I’ll begin with the more technical certification issues and move to the broader policy implications of cyber-crime. Legal frameworks for digital signatures and corresponding certificate infrastructures - the means for authenticating these signatures - are already in place or being developed in many countries. Certification services, for which Public Key Infrastructure technology is used in many cases, are predominantly provided in two styles:

First, in some instances, a public entity - sometimes the government itself - provides certification services to facilitate an administrative function, for instance, tax payments or patent applications. Examples of this include both the Japanese PKI and the U.S. Federal PKI.


Second, legislation can foster a framework for the marketplace to take the lead. For instance, businesses are often empowered to provide certification services in accordance with policies that differ according to the context of use, the type of industry or application.

Now, to take advantage of the benefits of this technology and ensure its recognition, many governments have enacted digital signature and certification acts. One of the most recent examples is Brazil’s present draft law on digital signatures and electronic invoicing. However, whether legal frameworks endorse government-administered standards or foster certification services in the market - and I won’t get into the merits of either strategy, a topic for another day - there remains the problem of mutual recognition. Many different kinds of certification service providers have been established in the wake of national legal frameworks. Consumers, whether they be corporate or individual end-users, may be soon dealing with myriad different certificates. Too many certificates - where there once were none - could present tremendous operational difficulties in a market where consumers are already confused about their options and adequate protections. If we are not careful, an attempt to foster added security can contribute to decreased confidence in the medium itself.

How do we deal with the interoperability issues raised by certifications? Again, the answer sounds deceptively simple. First, certificate security providers can seek to mutually recognize the certification policies of the authorities that set them. By implementing mutual recognition agreements, certificate service providers can establish cross-certification with each other. Or in the alternative, it is also possible to declare the root certificate of another domain as "trusted" without issuing an actual certificate. Now, such mutual recognitions and cross-certifications can be put into practice between business entities, between governments and business entities or between governments themselves. But, regardless of the pairings, the goal of mutual or cross-certification is for industry to take the lead and "bridge the interoperability gap," if you will, among nationally implemented regimes that do not presently operate on the basis of a uniform standard.
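The two mechanisms Mr. Cerf contrasts (issuing a cross-certificate versus declaring another domain's root "trusted") differ in where the relying party's trust actually comes from. The following is an added model, not code from the speech, from WorldCom, or from any of the PKIs named on the page: a certificate is reduced to a subject name, an issuer name and a CA flag, with no real X.509 parsing or signature verification, and a breadth-first search builds the certification path from an end-entity certificate to a trust anchor. The domains "A-Root" and "B-Root", their subordinate CA and end entities are hypothetical names constructed for the example. A cross-certificate appears as one more CA certificate (a new edge in the graph); a trusted foreign root appears as one more name in the anchor set with no certificate issued at all.

```python
from collections import deque
from dataclasses import dataclass
from typing import List, Optional, Set

# Hypothetical model (no real X.509 or signature checking): a certificate is
# reduced to who it names and who issued it. All names below are constructed.


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False


# Domain A: a root CA with one subordinate CA that issues end-entity certs.
A_ROOT = Cert("A-Root", "A-Root", is_ca=True)
A_OPS = Cert("A-Ops", "A-Root", is_ca=True)
EE_ALICE = Cert("alice@example-a", "A-Ops")

# Domain B: a root CA issuing end-entity certs directly.
B_ROOT = Cert("B-Root", "B-Root", is_ca=True)
EE_BOB = Cert("bob@example-b", "B-Root")

# Cross-certificates: one root certifies the other root's key. Issued alone,
# a cross-certificate is unilateral; both together give mutual recognition.
CROSS_A_TO_B = Cert("B-Root", "A-Root", is_ca=True)  # A's root vouches for B's
CROSS_B_TO_A = Cert("A-Root", "B-Root", is_ca=True)  # B's root vouches for A's

BASE_CERTS = [A_ROOT, A_OPS, EE_ALICE, B_ROOT, EE_BOB]


def build_path(ee: Cert, available: List[Cert], anchors: Set[str],
               max_len: int = 8) -> Optional[List[str]]:
    """Breadth-first certification path construction.

    Walks from the end-entity certificate towards an issuer whose name the
    relying party holds as a trust anchor. A CA certificate in `available`
    is an edge from its subject to its issuer. Self-signed root certificates
    are skipped: trust in a root comes from the anchor set, not from the root
    signing itself. Returns the chain of names ending with the anchor, or
    None when no chain reaches an anchor.
    """
    queue = deque([[ee]])
    while queue:
        path = queue.popleft()
        current = path[-1]
        if current.issuer in anchors:
            return [c.subject for c in path] + [current.issuer]
        if len(path) >= max_len:
            continue
        for cand in available:
            if cand.subject != current.issuer or not cand.is_ca:
                continue
            if cand.subject == cand.issuer or cand in path:
                continue  # self-signed root, or a cycle through cross-certs
            queue.append(path + [cand])
    return None


def validate_with_cross_certificate(ee: Cert, cross: Cert, own_root: str):
    """Relying party trusts only its own root and relies on a cross-certificate."""
    return build_path(ee, BASE_CERTS + [cross], {own_root})


def validate_with_trusted_root(ee: Cert, own_root: str, foreign_root: str):
    """Relying party imports the foreign root as an anchor; no certificate issued."""
    return build_path(ee, BASE_CERTS, {own_root, foreign_root})


if __name__ == "__main__":
    # No bridge of either kind: a party trusting only A cannot validate Bob.
    print(build_path(EE_BOB, BASE_CERTS, {"A-Root"}))
    # Cross-certificate issued by A for B's root: path runs through it.
    print(validate_with_cross_certificate(EE_BOB, CROSS_A_TO_B, "A-Root"))
    # Foreign root declared trusted: shorter path, but trust is now unconditional.
    print(validate_with_trusted_root(EE_BOB, "A-Root", "B-Root"))
    # Unilateral: A's cross-certificate does nothing for a party trusting only B.
    print(validate_with_cross_certificate(EE_ALICE, CROSS_A_TO_B, "B-Root"))
    print(validate_with_cross_certificate(EE_ALICE, CROSS_B_TO_A, "B-Root"))
```

The last two calls show why the speech says "mutual": a cross-certificate only helps relying parties on the issuing side, so recognition in both directions needs one certificate from each root. The trusted-root variant needs no certificate but also gives the importing party nothing to revoke or constrain later, which is the trade-off between the two options the paragraph leaves implicit.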

What can OECD do in this environment? Well, recognizing that many governments and business associations have already begun this discussion, OECD can assist in bridging the information gap. Achieving interoperability means understanding the disparate technical cross-certification techniques that are presently being debated and fostering an industry-government dialogue toward a standard solution. Likewise, each model mutual recognition agreement, as it is being developed in the industry level, can be improved by understanding which national digital regimes are actually open to recognition of foreign signatures. At present, many national laws simply do not recognize foreign certifications. Eventually, these national restrictions and the reasons why they were drafted that way will have to be addressed in an educated way, according to the needs and capabilities of national systems. However, helping the technical experts understand the policy-based impediments to effecting interoperability will improve both speed and efficiency in promoting the best possible international solutions for recognition in the short-term. To use a very simple analogy: If we are all going to begin "quilting" cross-certification together, let us first understand what stitching we will be using where and why.

Before I move on to the next issue area, cyber-crime, I would be remiss if I did not address one overarching facet of the security interoperability issue. The original version of Internet Protocol was not implemented with security in mind, and now that the Internet can chronically be a hostile environment, perhaps something fundamental needs to be done to counteract this. I was an early proponent of IPv6 rollout, in part because cyber-security is an area where this new version would have obvious benefits


CYBER-CRIME

Now, let me move from the micro to the macro and address a broad-based policy issue, cyber-crime. It is an issue in which the debate suffers from lack of technical understanding - something that the OECD can assist to remedy. All over the globe, legal and policy issues are confronting Law Enforcement and the Internet community - providers and users alike - as we attempt to strike the right balance among the legitimate needs of law enforcement, consumer protection and privacy, and obligations imposed on Internet Service Providers.

In the near-term, the OECD can assist in this effort by seeking to catalogue both member and non-member legislative approaches to cyber-crime and its corollary issue, the interception of communications. I would not recommend that an impartial body like OECD become mired in a policy debate. However, this pure cataloguing effort will assist us, in industry, to objectively assess the successes and failures of legislative initiatives. Where has industry worked with government to foster an effective but economically efficient platform for cooperative investigation and enforcement? Where has such cooperation not taken place? And, which tack has been implemented successfully? Without getting too far into the policy debate - but wanting to underscore the issues that the ISP community faces today - let me briefly discuss what we may find.

First, the technical and cost issues associated with legislative measures

The state of existing technology is such that the oft-desired surveillance of ISP traffic will not be substantially effective. Traditional interception capabilities employed today were developed to apply to the opening of letters and tapping of telephones. However, the Internet is designed and implemented with a layered architecture of protocols. Depending on the desired information, successful interception may require capture and interpretation of multiple layers of protocol. Moreover, except very close to the source or sink of traffic, the flows in the network are dynamically routed so that the interception must occur close to either source or destination to have a chance of capturing all that might be of interest. Interception in the middle of the network is unlikely to produce the desired result. One would hope that such interception, if done at all, would be strictly pursuant to the order of a qualified court. A further complication arises if the intercept targets are making use of end-to-end cryptography as the intercepted data will then need to be cryptanalyzed for content. Some court-ordered intercepts are limited to source and destination identification information rather than content and to follow these rules will require care to avoid capture of information that is not covered in the court order.

Further, there are substantial differences between the interception of stored e-mail and the interception of communications in raw data streams. Although interception of incoming e-mail that is stored and forwarded by an ISP is straightforward assuming that the email service computer is accessible, senders can easily falsify return addresses and it is frequently impossible to prove who sent the e-mail.

But, perhaps of even greater harm than technical issues in existing legislation is blindness to bottom-line realities. Apart from the technical uncertainties associated with Internet surveillance, ISPs should not alone bear the cost of assisting law enforcement in combating computer-related crime. Any proposed legislation should include provision for reimbursement of costs involved with data interception or other activities mandated by order of law enforcement. Without a mechanism for facilities and equipment reimbursement, the cost burden of complex search and seizure requirements could put smaller ISPs at substantial financial risk. All ISPs would also additionally incur the opportunity cost of having to divert resources and technical expertise from further development and improvement of services. This, in turn, would lead to both higher cost Internet services and decreased availability of innovative services to the public.


For example, the Association of Netherlands Internet Providers, NLIP, has stated that - to address the real-time interception of e-mail and data to users without some form of facilities cost-reimbursement to ISPs - itestimates a total financial burden on the Dutch ISP market of approximately Euro 30 million. Admittedly,the ISP market in the Netherlands is small - the equipment costs for a medium-size access provider there tocomply with mandated interception capabilities have been estimated at 1.5 million guilders, or aboutUS$600,000 or about Euro 800,000. In many cases, smaller ISPs might have to invest more in interceptionequipment than they would for ISP-functional hardware, equating to a near-term increase in customer ratesof 20-25%. According to the NLIP, many ISPs cannot afford this burden and would face a loss for longerthan their business plans permit or be forced to consolidate, decreasing the number of competitors in themarket.

Some governments have introduced laws concerning lawful interception of ISP traffic. However we areunaware of any country that has been able to fully implement lawful interception without reimbursementdue to both costs and unfeasibility concerns. For example, recognizing this same conclusion, on December20, 2000, the French Constitutional Council concluded that it would be unconstitutional for telecomoperators to directly bear the costs of interception as such interceptions contribute to maintain publicsecurity and the general welfare of the population.

Second in this list of areas for common ground is the need for consistency, both among jurisdictionsand with the existing standards

The basic starting point for any discussion on cyber-crime legislation is the need for a harmonizedapproach to prevent a patchwork of laws that will make a hash of the global Internet. Nationally developedstandards for interception of communications have not proven to be satisfactory in today’s globalcommunications environment. In this regard, the European Technical Standards Institute - ETSI -developed a standard in 1999 for the interception of traffic from network operators, telecom providers andaccess providers. This standard is being adopted in a number of countries around the world and provides aclear mechanism for intercepting circuit-switched communications.

By contrast, ETSI is also addressing packet-switched communications, but acceptance of a relevantstandard is still an open issue. It is recommended that governments do not introduce any purely nationalstandards for lawful interception as they are difficult to maintain, difficult to implement and are frequentlynot supported by manufacturers of the necessary equipment. At a minimum, any proposed legislation oncomputer-related crime should be consistent with existing law and with developing international standards.Consistency is important to avoid impeding the delivery of innovative e-commerce services, while at thesame time protecting consumer confidence in the medium.

Third and finally, key components of this balance should be the twin goals of due process for end users and immunity for intermediaries that follow the instructions of law enforcement

Apart from pure cost issues, reimbursement would also serve to safeguard the privacy rights of individuals. If law enforcement agencies are held accountable for the costs of interception and investigation, it is likely that they will be deterred from abusing investigative requests, seeking over-inclusive requests or targeting individuals inappropriately. The protection of industry and fundamental human rights are uniquely linked in this instance.

Further, it would be extremely difficult for a service provider to rely on anything less than a court order when intercepting communications for law enforcement. Service providers have a stake in assisting law enforcement to keep the Internet a secure place to conduct business. However, without the pertinent detail and authority of a clear court order, Internet users would be subjected to surveillance of their communications based upon varying levels of substantiation, further eroding consumer confidence in the Internet. It is for this reason that policy makers in the US have taken particular pains to debate the quality and specificity of substantiation necessary for an intercept order in an Internet environment. The conflict with privacy principles is onerous, the stakes high and the debate in the US continues as a result, despite a concerted effort last year to apply ‘pen register’ and ‘trap and trace’ statutes to the Internet. Packetized network information reveals more than the conceptual equivalent of a telephone number, and legislators must and frequently have realized that.

And, without the detail and authority of a court order, service providers would expose themselves to potential liability for the results of interception requests, whether legitimate or not. To this end, service providers and other private parties should be exempted from liability to third parties when they have relied in good faith upon a legal order for assistance.

FOR THE FUTURE

Finally, let me briefly address an issue for the future. The use of wireless technology is burgeoning: computer users of all types are rushing to install wireless networks because they offer ease of use and convenience. However, for many, the present lack of security in these networks will not be a temporary issue. In fact, many do not even know to turn on the encryption system included in wireless network software to protect data traffic from electronic eavesdropping. As businesses shore up their wireless security, consumers - who can set up wireless networks at home for a few hundred dollars - are likely to realize that they need to follow suit.

In some places, like neighborhoods and college campuses, part of the idea has been to share or even give away wireless Internet access as a kind of high-tech gesture of good will. Most do not realize that if those networks are not protected, the result could be a security disaster for the institution, despite the best of intentions. As pointed out in a recent New York Times report, most of these networks are still wide open. Imagine, for instance, the sensitive patient data entered by nurses via the wireless-equipped laptops they carry from room to room.

New versions of 802.11, the current access point standard for wireless networking, are on the way that will include stronger security measures. But, standard versions of those security technologies will not be ready until next year at the earliest. This will likely mean extending the Internet protections that many businesses and individuals already use, including firewalls - personal "virtual private networks" - to help ensure that people gaining access to a company’s systems are authorized to do so. However, the most important point is that companies and individuals must become aware of the security risks inherent in broadcasting data. And, that is certainly an area where the work of the OECD can play a role.

CONCLUSION

I am here representing industry, and particularly, the interests of WorldCom. And, I know that the cyber-crime debate is a vigorous one, with wide-ranging views on the issues I’ve discussed. Nevertheless, the interests of law enforcement in investigating and prosecuting crime are deeply shared by WorldCom and by all ISPs. Put very simply, crime is bad for business. We are direct victims of cyber-crime when hackers attack our networks and bring them down. And, we are all indirect victims to the extent that actual and potential customers perceive surfing the Internet as the electronic equivalent of "walking down a dark alley on the bad side of town." If cyber-crime is not effectively contained, the lack of consumer confidence may well lead to the marginalization of the Internet as a communications medium. But, we want to ensure that applicable legislation is efficient, effective and proportional. And, we want to avoid a situation in which government surveillance becomes so pervasive that law abiding citizens and businesses are driven away from the Internet for fear that "Big Brother" is watching their every move. A balance needs to be struck.

It is important that the OECD assume a needed role by cataloguing international legislative initiatives - to promote consistency. It is vital, for instance, that the OECD take into account such legislative initiatives as are occurring in Belgium, the UK, the Netherlands and Italy, for example, when considering how cyber-crime-related laws can be coalesced to both an effective and economically efficient end. The initiatives being pursued in these countries may very well be too far divergent to lead to effective solutions to what is truly a global problem.

The issues I have spoken about today echo key components of the OECD Guidelines, including facets of both the Awareness and Democracy principles. But more importantly, both issues - the highly technical need for certificate recognition and the cross-cutting issue of cyber-crime investigation and enforcement - emphasize the emerging pre-eminence of the Integration and Proportionality principles. In turn, recognizing the key role of Integration and Proportionality comes with the concomitant need to bear in mind that a global shift has taken place. Since the OECD Guidelines were first approved in 1992, a shift has occurred in the Internet from closed to open networks. Few could have anticipated the speed of this shift in nine short years, or even the rapid development of wireless networks, for that matter. But, recognition of this sea change will be crucial in further developing the OECD Guidelines and explanatory memorandum as useful tools for the future.

The OECD has appropriately determined that any effective measures to address cyber-security will require a consultative effort involving all stakeholders in the Internet community. Together, we are optimistic that the existing models to advance cyber-security can grow and evolve in a flexible and harmonious way so that legislation can be adapted to new technological challenges. Contrary to what the title of this conference might imply, we will never be absolutely "cyber-secure." But, with our risk management efforts aimed at safeguarding consumer confidence in the Internet, we will not only be securing industry success in this environment, but also will be serving to secure the future of the emerging virtual economy.

In that spirit, let me thank you for your attention this morning. And again, my thanks to the organizers for allowing me to speak on these crucial issues. There is much work to be done, and I hope my remarks have been of some service. My best wishes to all of you for a constructive two-day session and a safe journey home. See you on the net!