EIGHTH INTERNET GOVERNANCE FORUM
BUILDING BRIDGES-ENHANCING MULTI-STAKEHOLDER COOPERATION
FOR GROWTH AND SUSTAINABLE DEVELOPMENT
OCTOBER 24, 2013
OECD OPEN FORUM
POLICY FRAMEWORKS FOR TRUST IN THE INTERNET ECONOMY: UPDATING OECD GUIDELINES ON PRIVACY AND SECURITY
The following is the output of the real-time captioning taken during the Eighth Meeting of the IGF, in Bali, Indonesia. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.
>> THE MODERATOR: Good afternoon, everyone. I think that we are not ready to start yet. We find ourselves in a room in -- it's quite some walking distance from where the coffee is, so I propose that we wait just another couple of minutes to allow people to get up here.
>> THE MODERATOR: So good afternoon, everyone. Does the mic work?
Well, okay. I want to welcome you all to this open forum organized by the OECD, and thank you for walking a long distance from the main hall up to this floor of the building to the very far end of this floor.
My name is Jorn E. Poulus (phonetic). I've been a regulator in Denmark for 21 years. Right now I'm chairing the OECD's ICCP committee. I have been doing this since autumn, 2009. You may wonder what ICCP stands for. It stands for Information Computer and Communications Policy. It's very complicated, and we are working very hard at finding a way of changing the name to be a little more modern. And one idea which seems to gain support from many OECD members is the Committee for the Digital Economy. This sounds more modern. So this is what you can expect.
Together with me I have what I would consider a dream team of panelists, the best panel of all panels here at the IGF. I have to my left Audrey Plonk from Intel, where Audrey is doing global security and internet policy as a specialist. Audrey leads global policy efforts on topics such as cybersecurity, critical infrastructure, encryption and internet governance. On top of this I can inform you that Audrey has done a lot of good work in OECD. Audrey has been helping Anne Carblanc.
To the left of Audrey we have Joe Eldahoff (phonetic), who is chairing the advisory committee, BIAC. Joe is all over the world all of the time. Where ICT is on the agenda, Joe is there. I think no one within the ICT world has more miles on his account than Joe has. He is flying all the time. And when you want to know about the features of new airplane types, just go to Joe. On top of this, he is a real expert in ICT issues.
To my right I have Anne Carblanc, head of division for consumer policy at the OECD Secretariat and my principal aide in chairing the committee. Anne is assisted by Laurent Bernat, in charge of cybersecurity issues. So there, ladies and gentlemen, is the dream team of IGF 2013.
Today's forum here is dedicated to two important policy recommendations, the privacy guidelines and the security guidelines. Before we turn to these two items, just a quick couple of words about the OECD as an organization and the broader context for these recommendations. OECD stands for Organization for Economic Cooperation and Development. There was an evil OECD ambassador who once said it stands for Organization for Easing, Chatting and Drinking. This is not true, I can assure you. I have been around four years now, and I can assure you it is an organization with a lot of professional, very, very competent good work. People are working very hard, and the Secretariat also in the committee. And some very prominent results are coming out of this hard work. Security guidelines, privacy guidelines.
I can mention also of interest for this community the internet policymaking principles, which I think are well-known all over the world.
OECD is an intergovernmental body gathering 34 members, 34 countries, member countries, across the world, North and South America, Latin America, Europe, but also the Asia Pacific region, developed economies, large economies, but also the emerging economies in the developing countries, countries like Mexico and Chile and Turkey, countries with amazing growth rates these years. The objective of OECD is well-defined by its name. It's Economic Cooperation and Development, and the work is mainly concentrated on helping governments adopt policies which will improve the economic and social well-being of people around the world. So this is why the mission statement is "Better Policies for Better Lives."
The OECD operates as an international forum for dialogue and sharing of experience where governments are seeking solutions to common problems and challenges. On top of the organization is the OECD Council. That's where the ambassadors are seated. Underneath in the organizations there are many, many committees dealing with different issues, trade, education, tax and agriculture, and the committee which I am chairing is dealing with, as I mentioned, the digital economy internet policies from the perspective of economic and social development. This is the main perspective. And although this is the main perspective, from time to time the committee is also dealing with other related issues, human rights, national security, when appropriate.
Just a couple of points regarding the broader perspective of the work we are doing. The OECD work on ICT policy, internet policy, has many years of history, and already in the mid-'70s the OECD identified ICTs as being drivers for productivity and growth. Accordingly, the initial privacy guidelines were adopted in 1980, and the first security guidelines came in 1992. So you could say that OECD started very early to work on trust, recognizing that trust is essential to ICTs to fully realize their economic and social potential.
Since the mid-'90s the success of the internet in bringing about economic benefits, bringing about innovation, jobs and growth, has been astounding and has confirmed the vision. Just to remind you about a few facts in that context, when we talk about growth, I would like to use Europe as an example of the enormous growth related to ICTs. In Europe, as an example, 50 percent of productivity growth can be related to ICTs and the internet, and 25 percent of the growth of GDP can be related to the internet.
McKinsey carried out a study a couple of years ago stating that the internet has created as much growth in the last 15 years as the industrial revolution created in 50 years. 15 years, 50 years. Amazing. And in the past five years the internet has created 2.6 new jobs for every job displaced by the internet. So the internet is also a job generator. Enormous source of growth, enormous source of innovation, enormous source of new jobs. That is the internet. And all this revolution coming out of the internet mainly has come over the last, say, 20 years. So you could say that the environment in this area has changed dramatically over recent years, and that means that we have to look into the privacy guidelines, which were created or adopted 30 years ago, more than 30 years ago, and the security guidelines, which are from 1992.
So let me now turn to the panelists, the dream team. It's a very timely moment to discuss the issues we have before us, and not because of the challenges raised by the revelations this summer. We all know what I'm talking about, about the scale of national security activities in relation to the internet. For the OECD we have just completed the first ever revision of the 1980 OECD privacy guidelines, which is one of the real landmarks in this space. On the security side, we are now deep into a review of the 2002 guidelines for the security of information systems and networks. So these two instruments are fundamental for trust-building.
We welcome the opportunity to open this discussion to the broader IGF community. We would like this forum to be as interactive as possible. We have among us this dream team of four panelists with an extensive knowledge of the OECD and the guidelines, and I will start by asking them questions one by one and then turn to the audience as often as possible to ask for your questions to stimulate a discussion here.
So I will start my long introductory remarks which became long because then maybe I expected myself, excuse me for that, and turn to Anne and I would ask, Anne, could you tell us a few words about what an OECD recommendation is in general and why OECD recommendations are useful. Why do we make OECD recommendations, and how do they impact the real world, so to speak?
>> ANNE CARBLANC: Thank you, Chair. In general, OECD recommendations are nonbinding instruments. They reflect a consensus of OECD membership on specific issues. They also represent a political commitment to implement them by members. The characteristics include the fact that they stem from a multistakeholder process, whether it's consultation and no co-decision, but consultation. The instruments are generally flexible. OECD respects the different cultures and different styles of governments and legal regimes, and they tend to focus on what works, what drives economic and social development. They are not ideological or political in that sense.
Finally, they are often pioneering instruments, and in the area of privacy and security, we can see that the privacy guidelines inspired many laws around the world and other international instruments, and likewise the security guidelines inspired the UN Security Resolution, where adopted by APEC and AZM.
>> THE MODERATOR: Thank you very much, Anne, and I took the last words as a sign that we have seen the reflection of the work so we can say also beyond OECD the thinking behind the recommendations actually is taken onboard in other organizations in the global community.
I would now like to turn to you, Joe, and I would like you to elaborate a little bit on what you see is the value of the guidelines for businesses within the OECD countries, but also in businesses beyond OECD.
>> JOE: Thank you. Well, the one thing I'll state, perhaps to just slightly supplement your opening comments related to the OECD, is one of the things that's of value to business, and it's important to an organization like -- a forum like the IGF, is that the OECD, too, is a multistakeholder group. There are representatives from industry, from civil society, from the technical community, and from the trade union community through TUAC, as well as observer countries that are not OECD members. So it's a very inclusive process within the OECD, as well as a very interactive process. So from a business perspective, the guidelines help in two ways.
Today we are situated in a world where there is not global consistency of laws, especially in things like privacy, because of the fact that while the principles of privacy may be very similar if you look at the OECD guidelines, Treaty 108, APEC framework, the practice principles in the United States, they all draw on very similar principles. But at the level of detail they adapt to the legal framework and the culture of the society in which they operate. And therein lie the differences.
But the OECD that was able to put forth, for instance, the transborder guidelines, privacy guidelines, help bridge across nations to make sure that that uniformity of principles was committed to by countries and respected by them as they were drafting their national laws. And that helps business that by definition operates globally and has to think about how to move data across jurisdictions. It helps create the responsible frameworks on how to manage data as it crosses borders.
It's also very important to remember that one of the great topics of currency in data protection at the moment is the concept of accountability, and accountability is in fact one of the principles within the OECD guidelines. So it foreshadowed long before it was a topic of currency the importance of the concept of accountability.
The last thing is for those of you who have not had the chance to read the OECD guidelines in a while, I commend very highly to you the explanatory memorandum that went with the data protection guidelines. The explanatory memorandum was a document that was way ahead of its time. In many ways, it foretold many of the issues that we see today, even if it couldn't exactly identify the technology that would be used related to them. But even in the terms of the technology, it foresaw some of them as well.
And in fact that document was so valuable that as we looked at the review of the guidelines, we decided not to revise the document, but rather to supplement it because the document in its original form is a tremendously valuable document for people to think of and to consider, and it allows us to also see the evolution of the concepts and the applications of the solutions over time.
>> THE MODERATOR: Thank you very much, Joe. As I said in my initial remarks, we will be very open for inviting you to give us your comments while we move forward in this, and I wonder whether you have any questions at this stage or comments related to the first two interventions. Please go ahead. We also have remote participation, and there might be questions from remote participants at this stage.
But if there are no questions at this stage, maybe I should move on then and ask Anne if you could briefly tell us the background for what motivates the OECD to update the privacy guidelines. I've already touched a little bit upon it in my introductory remarks, but what led to the modification? I remember I was part of the celebration of the 30th anniversary of the privacy guidelines, and everybody talked a lot about how the guidelines were perfect and good work had been done. Why did we do the changes? And could you also maybe tell us a little bit about what you consider as the main modifications of the guidelines compared to the original ones?
>> ANNE CARBLANC: Thank you. 30 years without modifications, that's the period during which these guidelines lasted, but eventually ICTs, the internet, the globalization, the change in the role that personal data play in our economy and daily lives, the volume and global availability of personal data collected and used, the number and variety of actors, the value of societal and economic benefits that can be enabled by new personal data uses, the expanding role, the complexity of transactions and the difficulty for individuals to protect their own privacy, all of this was noted by ministers in Seoul in 2008, and they called for a review.
There was then this report and this anniversary that you mentioned, and that was followed by the creation of a large group which was multistakeholder and chaired by the Privacy Commissioner of Canada, and that group provided a number of proposals to the bodies as to what changes could be made to the guidelines.
I would like to note that the OECD is not the only organization which has undergone a process of review of its instrument. The European Commission, the European Union and the Council of Europe are also conducting these exercises, and there are a number of initiatives in the private sector as well.
In terms of the main modifications of the guidelines, perhaps the first thing to highlight is that the modernization took a pragmatic approach. There's a focus on pragmatic, practical implementation. And you can see this through two new elements in the guidelines. The first one is the risk management approach. This is new, not new to security, but new to privacy. And the goal is to determine what other safeguards are necessary to protect personal data through a process that identifies and evaluates the risks to individuals' privacy, and then there is an incident response planning which is needed and that's in fact an integral part of an effective risk management approach.
The second practical modernization is the global -- the stress on the reliability of the framework that is needed to deal with the globalization of our world and also with a change in scale. We have the safe harbor, which was, I would say, a pioneering instrument in its time. There are other initiatives, one which is permitting -- and apologies because I'm French and I'm citing a French initiative, is the initiative by the French authority, to see whether the European Union can interface with the APEC privacy rules.
There are also a number of other changes, and these are not, I would say, trivial. The first one is a call for national -- for the development of national privacy strategy. This is something that we don't have in this area. We begin to see that in the security area. But in the privacy area, no, because privacy has long been seen as either a human right or a consumer right and as well as a technical issue, an expert issue, when in fact and in the current context that our chair referred to, you see that it's really important that government at the highest level, in fact, begin to develop national strategies to indicate the main objectives at the national level with respect to the protection of personal data. And there's a need for cross-department or cross-government coordination, and there is also a need to consult with all stakeholders. So the call for national privacy strategies in the guidelines, at least to my view, is not something which is trivial.
Other key concepts include privacy management programs for organizations, whether they are public or private, security breach notification, which covers both notice to the authority and notice to the individuals, and there's a new provision which calls for complementary measures, including education, wellness, development and so on.
I could perhaps say two more words. There is an elaboration of what it means to be accountable. There is a modernization and clarification, I would say, of the transborder data flow section.
And if you let me say a few more words on this, I think it's important. This time in the revised guidelines it's clear that among the parties, among the members who are implementing the guidelines, if there is respect for the principles and the level of protection, then the transborder flows are free. Of course, you have the exception of the European Union, which still requires more protection.
But what is also clear is that if you are a country with no law on privacy, you can have organizations providing an equivalent level of protection to the one provided in the guidelines, and in that case the flow should be free, too.
Something also which is important is the call for establishing privacy enforcement authorities, which was not in the original guidelines. This is an update. It's not an overhaul, this modification of the guidelines. The proposals, which have been taken onboard and are now in the recommendation, have left intact the basic principles, as well as the scope which applies to the public and private sector, and they have left intact the key definitions. So there may be work in the future to be continued.
>> THE MODERATOR: Thank you very much, Anne.
In the beginning of your intervention you mentioned how these guidelines have been elaborated, have been worked out, and I think you mentioned the words "multistakeholder process," and Joe was also very kind in his intervention to emphasize that the work of the ICCP committees is multistakeholder-driven. I'm very happy that you say that because you are one of the prominent stakeholders taking part in this multistakeholder model. The reason for talking a little bit about this is, as we all know, in particular in the IGF context, multistakeholder processes, that is a very positive word, and I can assure you that we are very well aware that a very important condition for us to be successful in the work we carry out is that we maintain this multistakeholder approach to everything we do.
And you will find also in the so-called internet policymaking principles from December, 2011, there was a recommendation on the internet policymaking principles that one of the 14 principles is about multistakeholder-driven approaches. So thank you, Joe, for mentioning this, and I can only echo what you said. I think you were very right in underlining that.
So Audrey and Joe, you followed the revision process for the privacy guidelines. I would like to ask you how you would describe the process. Was it a good process? Was it a process which could have been different, better in a different way? And what do you think are the most important take-aways from the revision of the guidelines seen from your perspective?
And, Audrey, may I start with you?
>> AUDREY PLONK: Thank you.
Well, I want to start by commending Anne and her team for running a really amazing process, multi-year process, difficult, challenging topic among the multistakeholder community that participated. So I think I mostly have positive things to say about the process and its inclusiveness. The OECD often works with groups of experts to gain as much knowledge about the issue as possible, and I think that, as Anne indicated, following the Seoul ministerial there was a significant level of interest in updating the guidelines in light of technological developments, so I really do commend an excellent policy run by the Secretariat.
In terms of the modifications, I think, you know, it's really telling -- and we'll get to the security guidelines in a minute -- that the basic principles have been -- are so solid that they are still relevant, and it seems like the focus of the discussions over the years -- and I think even now that the guidelines have been released, the focus in the future is how to continue to evolve their implementation into the new business models and technological developments that we see online.
So I want to commend a few of the focuses Anne mentioned, the first on accountability. This has been an area that the private sector and Joe has also been very involved in. Looking at in terms of how to make organizations accountable for how personal data is used and the fact that there was more collaboration, a discussion to really see the guidelines demonstrates in the more complicated and more rich environment in which data live today that more burden on the user is not necessarily a reasonable expectation to set and that expecting the business holding the data to act in a responsible and accountable way in terms of how the data are used is, I think, a huge advancement in the community's thinking about privacy.
And so, you know, I don't want to take all the time, and I'll let Joe talk, but the other principles, I think, you know, when we think about where we are and rethinking how these apply, I'm pretty confident that this revision of the guidelines -- I don't know whether it will last 30 more years, but I think it's certainly -- it's put a stake in the ground, you know, in a way that has made it -- has made them continue to be current in our environment, but also aspirational in the way that they think about how we treat transborder data flows.
Just on the topic of the transborder issue, because it is such a current issue and one that is playing out in light of current events, it's very helpful to recognize that the principles -- you know, the principles articulated in the guidelines, that if they can be implemented in a way that is cross-border harmonized, the data can flow. It's a win/win situation where you have cohesion, but you can still have the data flow across borders because we all need that for the internet and for the technologies that we know and love to operate well. So I commend specifically a focus on that, given the challenges in that area that we face.
>> JOE: Perhaps I'll do a little more focus on the specific aspects of the process. So the process was useful because it was inclusive. It was inclusive across the stakeholders, but it was also geographically inclusive.
The process was taken on the road. We had various meetings in various places related to the guidelines. There were meetings on the margins of the data protection commissioners' meeting in Israel and other places, so there were workshops related to that. There was an ability to have input from across nonmember economies to the OECD. So it really was a process where we tried to talk about the relevance of the guidelines, the context of the guidelines in today's world.
So when you think about the basic principles of the guidelines which Anne mentioned weren't really changed, the answer was they weren't changed, but the concepts of how you apply them were, because the concept of consent -- while the concept hasn't changed dramatically, but the concept of consent on this device versus consent on that device versus consent on something that might be smaller, something that may be -- your watch, something that may be a tag, those concepts change in terms of how you apply the idea of consent to those.
We now find ourselves in a world of big data, where we start to say maybe consent also has to be in the context of a use base model, so other things that are being explored. But all of these issues are things that were considered, and then the guidelines, the explanatory text of the guidelines was also supplemented to actually take into account some of these implementation and application questions that arise in the context of the principles.
So I think it's been a fairly useful process because, you know, we talked about consequences, unintended consequences, and I think the draft reflects what's a useful compromise across stakeholders in this process that reflects the realities of today and puts the guidelines well-positioned to be relevant going on into the future.
>> THE MODERATOR: Thank you, Joe. This was a little bit about the background and the take-aways from the process in drafting the revised privacy guidelines, and thank you for your comments.
Is there anybody who has questions for the panelists at this stage or comments related to the privacy guidelines before we move on to the security guidelines? Anybody who has comments, questions? Remote participants? No? Everything is clear, yes. Thank you for your support.
Let's move on then to the security guidelines. I think, Laurent, everybody agrees that the 2002 security guidelines can be considered a landmark. They are now being reviewed, and the process is not finished yet, but you're heavily engaged in the work. Can you maybe reveal a little bit about what is not secret, but maybe is open to the public? Could you tell us something about what can we expect?
>> LAURENT BERNAT: I can reveal everything. Nothing is secret. It's a good thing about the process. I don't know what the outcome of that process will be. I cannot reveal that because I don't know. I'm not sure anyone knows. But I can give you some indications of the direction the process is taking and some of the concepts that are being -- attracting a lot of attention for possible changes in the guidelines.
I would say we can expect some important new elements in terms of new, completely new recommendations in the guidelines, but at the same time as well a mix of stability and change regarding the principles that existed in the 2002 guidelines. You've highlighted that the security guidelines were a landmark, are a landmark. I think we can talk about a paradigm shift in 2002 when they were adopted. They set the principles for how to address security in an open and interconnected environment.
And to understand where we are today and where we are heading to, let's go back to 1992. The original initial guidelines were adopted in 1992. There were guidelines for the security of information systems. And 1992, a long time ago, information systems were closed environment. They were actually expensive to make them talk to each other. It was expensive to open the environment. And it was free to keep it closed. These siloed systems were -- the way to secure them was about keeping them closed to prevent the threat from outside to get inside, and there was not -- compared to now, not too hard because they were closed.
That meant at the time that the responsibility for protecting the system could be delegated to someone with the responsibility of keeping the systems closed. But ten years later, when we revised these guidelines in 2002, the internet was there and in the course of becoming what it is today. The internet, if you look at it from a security perspective, the internet is a universe where systems are incomparable by default, and this openness by default is deriving us, as the chair mentioned, huge economic and social benefits. Therefore, the security in that environment has to come from a different mindset, a difficult concept, because it's not possible anymore to say we are going to have the system secure by keeping them closed. The benefits -- the systems have to be open because this openness drives benefits.
Therefore, what's the alternative model? In 2002 the alternative model for security of information systems and networks was identified as being risk management. There was the recognition that we are never going to fully secure the system because of openness, because we need that openness. Some risk will inherently be there, but we can reduce the level of risk to a level that is acceptable. And that means that in terms of responsibility, you cannot delegate to someone the responsibility. Everybody, all participants in that environment, share some responsibility for the security.
So this paradigm shift and the thinking in 2002 led to nine principles. I'm not going to go through them. Four principles are awareness raising, you have to be aware that there is a risk. Otherwise nothing will happen. You'll have problems. Responsibility, ethics and democracy and five principles which relate to risk management.
So where are we now in that -- with that in mind? Well, this is still true today. We are not going in the direction of saying we have to change that paradigm again. This is still true. However, we do have serious difficulties, "we" being, actually, everybody, difficulties to get the mindsets right. This paradigm shift of 2002 is far from being understood by everybody, by all participants, from the top to the bottom in all stakeholder groups, which should be what we need.
For example, when we use the word "security" alone or "security of information systems and networks," the meaning is that it is possible to achieve security through security. Security is binary. You're secure or you're not secure. But in an open world you're never fully secured. Actually, in life nothing is pretty secure. There is also a level of risk. So this is ambiguous, and that's not really the meaning of the guidelines.
Today when we talk about security, some may understand national security, and that's also not the context of the guidelines. When we talk about information systems and networks, it sounds like a technical issue. At some level there is technology involved, but the risks faced are economic and social.
So all this ambiguity in the terms we have to fix, and this is one key element of the change in the current revision of the guidelines, making the principles clearer, more direct, less ambiguous, using terms that remove ambiguity.
Now, the other big possible change or anticipated change is the inclusion in the guidelines of principles, recommendations on how to implement these principles and, in particular, how governments should implement these principles through national policies.
In 1992, there was a section on government implementation, but this was gone in 2002, for many reasons, not mature yet to know what governments should do to implement the principles and today we see it has changed. We've worked on comparative analysis of national cybersecurity strategies a couple years ago and showed that we are at the turning point in government policymaking in this area, and we have enough material to start thinking about what kind of recommendations could be made to governments.
And some of the key concepts, I won't go through all the brainstorming that's going on in the process of the review, but just some quick concepts here. The first one is the need for a strategy by governments. Governments should have a strategy for addressing. So I don't know what to say, security of information systems and networks, cybersecurity. We don't exactly know yet what terms we will use, but something along perhaps security risk, cybersecurity risk. They need a clear strategy and a vision.
And we see that these strategies tend to be holistic, comprehensive, addressing all the facets of cybersecurity from the economic and social aspects to the legal, technical aspects, but also aspects related to sovereignty, national security, international stability, et cetera. This is a strong trend, and likely to be a point -- being a strong point in the current discussions.
Then there are three other interrelated concepts. The first one is multistakeholders. We've talked about it in the OECD process, but it is an important element of internet governance. As we know in particular here as the IGF, but how to do that in the context of developing cybersecurity strategies and implementing cybersecurity strategies. It raises some specific challenges that have to be overcome. The multistakeholder process is indispensable in that area, too, in particular because the infrastructure is owned and operated by private sector, and it's also used by private sector, whether business or individuals. It's also used by governments, so a true multistakeholder process is needed.
Another key word is cooperation, and it's cooperation across all directions, cooperation from governments to private sector, public/private cooperation. But also we tend not to think about that enough, cooperation within the government across the various government silos. It's cooperation inside the private sector across different firms or across sectors, and it's cooperation with civil society. It's also cooperation between the policymakers and the technology crowd, and it's also cooperation at national level and at international level. So we really have -- it's a very strong -- it's a very strong concept in this review.
Another important element is the need for a national level for governance framework. It's not anymore possible to have scattered initiatives across the government. There should be a holistic, national cybersecurity strategy, but it should create a governance framework where the responsibilities are clearly defined within the government.
Another point is metrics, the need for measuring, and I won't qualify it. It's across the board. We have metrics. There are metrics in this space, but they have flaws, one being they are not comparable internationally, another being that they may not be sufficient for assessing the risk and for informing the policymaking policy, but also for fitting the need for understanding the markets and potential economic developments.
Another one is skills. Awareness is a very important theme. It is still there, raising awareness of all stakeholders, but it is extended to the notion of skills. There is a serious skills shortage in the area of cybersecurity. The problem is increasing, but there are not enough skilled people to address it. That's becoming really a front-and-center in this area.
And another one is the need to have the right frameworks to ensure that the cybersecurity policies respect fundamental values. And here comes notions like transparency and trust in the government. So, as I said, as you noted, the process is not over, but this is the direction. We aim to have -- well, just going toward the end of the first step, which is a multistakeholder concept of stakeholders, and the goal is to draft guidelines and reach something perhaps the end of next year.
>> THE MODERATOR: Thank you very much for this quick overview, for the work of the revision of the security guidelines.
I now turn to Audrey and Joe, and I would like to ask you, do you agree that the security guidelines are up for revision? Is it a good idea? I take it that you do. And if you can confirm that this is a good idea, what do you consider to be the most pressing changes to implement?
And, furthermore, I would also like to hear your views about do you see an alignment or lack of alignment among stakeholders on the revision work and on the points up for revision?
Audrey, you're first.
>> AUDREY PLONK: Thank you. So, yes, I personally and I think the broader business community has come to a consensus that it's timely to review the security guidelines. I think that the question of whether they should or shouldn't be reviewed has largely, I think, been put to bed, and everyone pretty much agrees it's time.
In terms of what the big issues are, I mean, Laurent did a great job of outlining what's already there, and I think, you know, I know Joe and I have spent a long -- and through the business community and others, a lot of time thinking about these guidelines and what role they might play in the future, and so what I see is that security has become this central force in policymaking about technology and the internet.
And while the 1992/2002 guidelines were very instructive and to some degree ahead of their time, I would argue, at the risk of being a bit controversial, that perhaps they haven't had as great of an impact on influencing the government policy environment as the privacy guidelines have, in the sense that I think that they have been extremely important and they've been relevant, but it's been a little bit harder to translate them into the variety of policy issues that cross the security realm. And I think that's even more apparent today with some of the national security context that we see.
And so while these are all very relevant principles, and I think hard to argue against any of them, to me the question has always been how can we refine them further and add to them so that they are more applicable to the policy struggles that governments are actually undertaking? And I know from spending time with the secretariat that that's also their intent. And what do they mean in this environment, you know. And so I think there's a few concepts from a business perspective that I see governments struggling with when they make policy around security that are not necessarily reflected here that I think should be part of the discussion, and has been, I should say.
The Secretariat held a meeting in April where the experts' group convened. We held a meeting in conjunction with APEC a few weeks ago in Honolulu, so we've had great discussions about this. A few of the topics that I would highlight is specifically the role of economic and societal values in security policies. There's often this desire to focus so much on security that we forget the broader context in which technology operates, and I know that it's an area that the OECD is particularly well-placed to provide guidance to governments on how to think about those issues, how to quantify them, how to make trade-offs in policymaking.
The other one is standards and the role of technical standards and global standards in policymaking. Many of the security policies that are being developed are very reliant on the standards environment to demonstrate the security robustness of something, and we see -- I said this on the last panel, so I'll say it on this panel, too, be consistent, that the standards environment is at risk of breaking apart, at least the global standards environment, because governments want to, from a security perspective, hold on to their own piece of the pie. So principles around cooperation, relying on global standards, are very important to industry, and I think there's concepts like that that we are discussing, and we hope that can be infused in the next revision of the guidelines.
And then to your question of what are the -- the third question, I think the biggest challenge in the context of the experts' group that keeps getting raised is how do we divide up the world of national security issues from the world of economic security issues so that we can, you know, focus on economic and societal values issues without trying to make principles around national security? And it's an area that we, frankly, -- I would say it continues to come up in conversation. It's a struggle in almost every country that's working on security policy, which is pretty much every country. So I think that will continue to be a challenge in the current context, but I'm very hopeful and confident in the fact that the OECD has taken this up because of their deep expertise in looking at economic and societal values. And so I'm hoping we can advance those goals.
>> JOE: Thank you.
As Laurent took us through the history of the guidelines from 1992, which in technical and internet terms is somewhere in the glacial beforetime, we look at what was a document written for systems going to a document that's written for systems and networks to really a document -- and I'm using this word because my colleagues at the OECD would be disappointed if I didn't -- a document going to ecosystems.
And so realistically -- and the ecosystem means you're also thinking of privacy and security. It's a holistic way forward of thinking of all of these issues because they're all moving parts, and if you hold only one moving part, you forget about the effect you're having on all the other moving parts. So it has to be something where you're thinking of it.
You're also thinking in a more global dimension than you ever have before, so the fact that there's an exploit in a country 13 hours displaced from you means if you can get information about that, you may prevent it from becoming a harm to your system. That's where some of the concepts of how information-sharing works can be tremendously useful, because we see these exploits cruising across the globe. Sometimes they hit all at once in many places, but sometimes they also go kind of as a wave. And the more you can share information, the better that is, especially when you come to the context of now having zero day exploits, where you don't have really any catch-up time related to these exploits.
So we're looking at an area that has changed, and it doesn't mean that the principles of the previous set of guidelines don't hold anymore. What it means is they need to be supplemented with other concepts that weren't addressed in the first set of principles. The concept of each according to his own -- his or her or its own role is still a very valid and appropriate context, and in fact I raised it at the high-level meeting that was held just before the IGF because it was completely relevant to their discussion of what a culture of security might be. In fact, the OECD guidelines -- I won't say it was the first to use that, but it certainly popularized the concept of culture of security in the context of needing to be aware and each person needing to take a role in the concept of security.
So I think we're at a point where we do have a concept that they are ripe for review and ripe for supplementing. The issues are pressing. They are more global. They are across all stakeholders, because security is an issue whether you have a small phone, whether you have a laptop, whether you still have a desktop. Whatever your device is, security is an issue and there is a role. It's a systems issue. It's a networks issue. It's a supply chain issue. It's a value chain issue. It's a governmental issue. It's a societal issue. All of these are now coming to the fore, and different stakeholder groups bring different issues into the mix.
And the guidelines are written at a level where each of those stakeholder groups can take something away from them. Some of the principles or explanations may be directed more to one stakeholder group than other, but they have a broad applicability, which makes them very useful in this time when all of us need to consider concepts of security.
So it's something I can commend people to look for and try to look at. I think on a number of issues there is an alignment across the stakeholder groups. You want to create and maintain independent autonomy, yet you have to have transparency, you want to enable security. I think the points where Audrey highlighted concepts of conflict are places where it's a question of people draw the line in different places. We also have to consider in terms of the OECD what is its basic competence and role, which usually isn't in national security policymaking, which is one of the reasons why it focuses significantly more on economic security. But, again, these are the concepts that are always discussed, especially when you go across stakeholders and it's a very useful discussion that helps inform the guidelines going forward.
>> THE MODERATOR: Thank you very much, Audrey and Joe.
I now turn to the audience. Are there any questions or comments on the background of these last interventions? Yes. There is a question behind. Who is managing the microphone? Please say your name and where you come from.
>> CHRIS BUCKRIDGE: Chris Buckridge from the RIPE NCC. I also work with ITAC, and I'm in the CISP working. One of the things that's been interesting for us that we've been trying to engage with a little bit in recent months is the European Commission's proposal on NIS directive, and given there are many EU member states, they're also members of the OECD.
I was wondering if -- not to sort all of you out to make any specific comments, I guess, but if there was any comment on the relationship you see between -- I guess there's obviously the timeliness that this review is happening at the same time that that's happening in the European Commission, but also whether there was any relationship you can see or comment on between the guidelines as they exist and how the process or regulation has been drawn up in the European Commission instance.
>> THE MODERATOR: Thank you very much. Who will comment on this? Laurent?
>> LAURENT BERNAT: I can make the general comment that the level at which the guidelines are written or will be written is different from the level of the directive, which has much more detail and is aimed at creating legal obligations, laws, legislation. The guidelines is a policy instrument. Some aspects in there may lead to legislation. But the flexibility of the drafting level implied by the drafting level can enable each country or region or the EU to implement it in a way that may or may not be legislation.
Now, in addition to that, many aspects of the guidelines address points which are -- which don't go in the direction of having legislation. So that's the main difference.
Now, I would say, having read the directive, the draft proposal for directive, I would not see strong inconsistency for us, since we have many OECD members who are in the European Union, but we are not -- that's it.
>> THE MODERATOR: So Laurent is comfortable. Are there other comments?
>> AUDREY PLONK: There are elements that embody OECD principles like response and awareness, so there are elements of the directive that are trying to raise the level of response capability across EU member states, and so it calls for the creation and development of certain capabilities. And so you could think of that as falling under the guideline of response today.
I think there are other elements of the directive, and they're not like tied together in any way officially. If you looked across the world and the number of countries that are writing cybersecurity policies and strategies, you would not be surprised -- I mean, you'd come up with -- I don't have a number. I should. But it's everywhere, right? So from that point of view, it's just sort of maybe a happy coincidence or a sign of the times or whatever.
But the other OECD instrument that is also, I think, overlapping with what the directive is trying to do is the Recommendation on Critical Information Infrastructure Protection from 2008? I got that right. And so the other half of what the directive is doing is trying to define critical infrastructure protection across the EU, and that's, I think, proposed -- that's created another set of challenges and difficulties where you see parts of the directive that are maybe less difficult to define, at least if you're not a member state, and then there are other areas that are more challenging to design.
But the CIPP directive that OECD did tries to -- I think we actually drew on it a lot, at least in my conversations in Brussels the last year or two, have leveraged the work of that recommendation to try to help define the scope of what the commission is trying to do within the scope of critical infrastructure protection. So I think it's informative.
In the future, there are elements in the directive and in the communication that I think would be instructive for the guidelines in the future, and I go back to my comment about standards earlier, because there's a focus on standardization in the directive, and having some broader guidelines on how governments should develop standards might help inform this kind of legislative instrument in the future.
>> JOE: The commission is also actually an observer at the OECD, so they are not surprised by what is in the guidelines, and they are more than able to articulate themselves when they think there's something they need to add or wish to suggest. So that's always useful. And since we're talking about security, I must commend the people who have security of the water because they have done an amazing job.
>> THE MODERATOR: I share the same experience, Joe.
Coming back to the interrelation between the OECD and the European Union, the European Commission is actually comment at the ICCP meetings, and in particular when we talk about the OECD privacy guidelines, they were extremely active. And so there is a very good interrelationship between what is going on in the UN, in the OECD.
Are there other questions, comments at this stage? One in the back? Please? Yeah.
>> AUDIENCE: I'm with UNESCO. Very interesting discussion, very interesting presentation, so thank you.
And then I have a question which I would like to have clarification. You spoke about culture of security. What is it exactly you mean? Is it really like illiterate behavior in cyberspace or much more behind? So it was a term used.
>> ANNE CARBLANC: Just before I give the microphone to Laurent, first line on privacy and security, and I worked on the 2002 security guidelines, as well as on the guidelines for the protection of critical information infrastructures. I have to say that the culture of security -- you said, Joe, you don't know who invented it, but what was his first name? No. No. That's not a U.S.-created term. It's Australian. Sorry. It's Australian this time. Well, anyway, there's a dispute going on.
The culture of security was in fact something that tried to explain that each of us in our different capacities as citizens, as working in organizations, in government and so on, should begin to think of security as -- in a routine manner. And one of the examples that was given by them to try to pass on the message was when you enter a plane, you are asked to switch off your cell phone and other devices, although that may change in the future, by the way, but -- and that was the goal, that people become aware that it's a chain, an end-to-end chain, and when you're not secure, you may put in danger others because of this relation.
>> THE MODERATOR: I want to comment on the question, but also maybe to comment on what happened at the Seoul cyberconference, where there was a discussion about the need for establishing international norms of behavior. Maybe you could include that in your answer.
>> LAURENT BERNAT: I was not born in 2002, so I do not know what the original is. The concept of culture is seen, I think, by most of the experts that we are talking about, talking to as essential, still valid today. We could use other words like mindset, state of mind, whatever. But the idea that we should all share the same concepts regarding how we address security is very important.
Now, what has changed today is that the term security is more misleading than it was in 2002, and when we say culture of security, it could mean many different things to many different people and probably not for many of them what was the intention in 2002. That goes back to the question of security versus risk.
What we are really aiming to is managing risk and through a number of security measures. But security's not the goal. Management of the risk is the goal, and you manage the risk to maximize the -- to reduce the uncertainty in order to increase the likelihood of economic and social success. That's the full thinking.
But that leads to your question on norms of behavior, because actually when we look -- and that's a personal brainstorming. We are not yet to where -- at the stage where there is anything agreed. So actually when you look at the principles, and even some of the possible recommendations to government, there is a lot that has to do with behavior, how you approach all of this. Being responsible, yeah, you can have that in law, but before having that in law, it's a culture. It's a state of mind. It's a behavior, feeling responsible. And spreading that across all participants, again, I mean, law can help, but it's not the starting point.
So perhaps one idea -- and the concept of norms of -- international norms of behavior in cyberspace, which is very much in the debate of the conferences and that we hear elsewhere in other contexts as well, it is used probably with different facets. But with respect to the economic and social facet, what would be these norms of behavior, perhaps we have in the guidelines or in the future guidelines some of these flexible, high-level norms that reflect the will, hopefully reflect a consensus across all stakeholders and that could represent part of these international norms of behavior that is being discussed.
I would like to just take that opportunity to highlight one more thing, because the Seoul conference is related to the international debate, and I forgot to mention that the international aspects are also essential, an essential driver in the review and revision of the guidelines. That's another dimension which was not mentioned.
We could -- we see a capacity-building as an essential concept which should be somewhere. It's becoming really important because all -- it's a global issue and perhaps there should be a minimum level in all countries to address cyber risks. But we could -- we could look at all the principles of the guidelines and try to imagine what they mean in an international context and what would that mean for international cooperation?
Take, for example, the responsibility principle. What would that mean on a scale of a country if you bring it at an international level? We could look at the democracy principles, look at awareness and see what do they mean to address the international dimension of this problem. We talk about governments having national strategies and a governance framework, but how does that work internationally? Perhaps they should take a holistic approach and, if they succeed in having a quality nation process across their agencies and ministry, to make that coordination point an international point of contact. So these are the kind of ideas that could more concretely feed the new guideline.
>> THE MODERATOR: Thank you very much. This discussion about norms and behavior reminds me about other sectors where norms and behavior are discussed and where you could draw a parallel line through this sector. My wife is medical doctor. She's a surgeon. And she always told me that one of the first lessons she learned in university was always wash your hands between patients. And I think that this norm for behavior could be rephrased also within this area. But, Joe.
>> JOE: Well, it goes along the lines exactly to your story, because I remembered a different example than Anne remembered. And the example I remembered was look both ways before you cross the street. And the concept was it kind of became innate knowledge. It really wasn't something you had to be tremendously schooled in. And the concept was how do we get security to be that concept, whether it's an organization that's securing a system, whether it's a person that's updating their virus protection, what have you. How do you have that reflexive almost behavior of look both ways before you cross the street?
That being said, I will also say that Laurent said there really wasn't any misunderstanding of security at the time. That's a little not true. Because you weren't born yet in 2002, I'll forgive you for that. He's amazingly well-preserved for his age. The concept was that there was a general understanding of the culture of security, but there was a little discomfort that somehow the culture of security might be read by some to have an implication of big brother. But I can assure you that was not the implication that was meant by the culture of security. It was that kind of how do we get security to be ingrained in the culture of those on the internet so that it's a reflexive concept as opposed to something you have to be told to do. It becomes your natural course of behavior.
>> THE MODERATOR: Thank you very much, Joe. I think there was another question behind. Please. Microphone.
>> AUDIENCE: Thank you. My name is [undiscernible] from UNESCO as well. If I understood correctly, I hear you mentioned that OECD internet policymaking principles, really what I'm interested in, I think I have been in contact with you on that. You know, UNESCO is also exploring sort of a holistic conceptual framework. We are presenting tomorrow morning, talk about fundamental norms and values of governance being human rights-based, open, accessible by all and multistakeholderism. And I want to know about the -- is OECD internet policymaking principles, how is the implementation situation? How is it -- has it been followed in your member states, and what have you encountered any challenges or any good practices to share? This is the first question.
I am also impressed OECD has done quite extensive work on the intermediaries and the guidelines. Could you also share more in this regard? Thank you.
>> THE MODERATOR: Thank you very much for this broad, but relevant question.
We had, as I mentioned in my introductory remarks, adopted a set of internet policymaking principles, 14 principles which have been adopted into the OECD Council, meaning that all 34 countries are behind the principles. Also an additional number, I think three other countries, have endorsed the principles. I forgot right now the names of the countries, but maybe I could ask Anne to comment further on this issue. Anne?
>> ANNE CARBLANC: Thank you, Chair. For the countries which have endorsed the internet policymaking principles, we have Latvia, Colombia and I think Lithuania. So it's in good progress.
So your first question was to make a connection between the internet making principles and the current work you are doing and will present tomorrow. And Egypt. Thank you. Egypt also endorsed. Sorry. Did I forget something? No? It's okay?
>> ANNE CARBLANC: Yes. Absolutely. You can find them on the internet, either in the legal instruments of the OECD or on our web pages.
So you are talking about implementation. It's a very recent instrument, end of December, 2011, and usually we have a cycle of three to five years before we review the implementation because they are so high level. Nevertheless, we have a working group of member governments, but not only member governments, other countries and private sector, civil society and internet technical community, which has started a few months ago to look at and to discuss areas where the implementation could be, let's say, facilitated. Because what I need to say about these principles is, first of all, they build on very different instruments that have been produced in this area. There is a reference to security. There is a reference to privacy. There is a reference to broadbands and to consumer policy, to enforcement. In all those areas we have instruments, so in fact we could say it's a compilation of best practices. It's a compilation of work -- policy work already done in other areas.
In addition to that, to reflecting this experience, it has new principles which are not only reaffirming, but calling for maintaining the internet, call for transparency and fair process, due process, which we didn't have specifically up to now. And it has also reference to multistakeholderism. Sorry. Multistakeholder approach. I'm tired.
So in terms of implementation, it's early, but we have started. And what we want to do, in fact, is demonstrate, if possible with evidence, that if you do policymaking in a coherent way, it is good for the economy, it is good for the society. So it is a practical implementation with economic evidence that we are looking for.
>> THE MODERATOR: Just to give you an example of the last point made, we have seen some example of countries which have not applied the principle of an open internet, where you see dramatic negative consequences of, for example, imposing a tax on internet traffic. There are some countries in Africa who has used this means of getting high yield in their government budget or supporting the government budget, and we have seen that immediately after the imposition of such a tax, you see a dramatic decrease of traffic, to the disadvantage of the growth of the economy. So this is just one example of why it is important to apply the principle of an open internet in the country, and we'll try to provide similar examples regarding the other 14 or the other 13 principles.
>> JOE: Yeah. I just wanted to give another example. If you think about -- and it also applies to the concept of security norms, which was part of the discussion before, because if you think about if every country says, well, you know, I'm going to localize data to my country, and every country says I'm going to have a different set of security standards, you've broken any concept of end-to-end anything. You don't have global information flows. You don't actually have the ability to deploy a global system.
And we are looking at a more globalized world than ever before. We have to think about how to be responsible across global systems, and that's a very important part of what the dialogue of IGF brings to the table, but we have to recognize that those systems have to exist in order for actually allowing how the internet works, how social interaction works, because it's now a global family that's having a conversation, that's doing business, that's having societal dialogue.
So it's important when we keep these things to also think about how to avoid the fragmentation of the internet that everyone seems to be against correctly.
>> THE MODERATOR: Thank you very much, Joe.
I look at my watch, and I see that we are exceeding the time slot allocated for this open forum slightly, but when you act as a moderator in a session like this, you have a challenge, how to finalize the session in an appropriate manner. And I decided to try to finalize this session by asking the panel one last question. And this last question -- I don't know whether the panel is actually able to or willing to answer this particular question, but I would like to ask the question, having now the revised privacy guidelines on the table and having the security guidelines in process, the revision of the security guidelines in process, what do you consider to be the most prominent challenge we are facing in the next coming two, three, four, five years? If you should pick one particular challenge.
Don't feel obliged to answer the question. It's a very comprehensive question, and I know in particular ladies want to get back to their hotel rooms and change to the gala dinner dress, but if we could make just a quick cross the panelists.
Would you agree, Joe?
>> JOE: I think one of the largest and most difficult concepts to come to grips with, whether it's privacy or security, is how to apply principles in context. That's been a challenge throughout the whole time. And I think the fact that we're going to more risk-based analysis helps it apply in context more easily. I think the fact that we're thinking about how they work with a lot of other moving parts helps it apply.
So I think the application of the -- because these one-size-fits-all solutions really don't work. But the concept is that the principles were written at the correct level so that they're flexible in application and can actually be applied in context. The challenge is for member states, as they may move those principles into regulatory environments, to also make the regulation applicable in context.
And I'll apologize for having to leave quickly.
>> AUDREY PLONK: I think the biggest challenge is trust, both to revise the security guidelines, and I think that takes willpower on the part of governments, intergovernmental organizations, NGOs, the entire multistakeholder community to try to address some of the issues that we see and rebuild trust.
>> THE MODERATOR: Thank you, Audrey. Anne?
>> ANNE CARBLANC: I fully concur with Audrey. Trust is really the issue. And to be a little bit more specific with respect to privacy, we are currently working on big data, the use of data analytics, and there are many benefits that can be derived from the use of these techniques, thinking of the area of health, of how to prevent Alzheimer's, to benefits in the environment, transportation, research and science, and more generally. But there are more concerns about privacy, and these concerns need to be addressed. And it's not easy, but it's absolutely necessary to find ways to do that so that our society has the benefits of the evolution of technologies in this area.
>> LAURENT BERNAT: Yeah. I really think trust is really the key word we should keep in mind for the coming years. Perhaps to highlight one particular area in security where we face a challenge that's going to be with us, I would say the notion that governments have to manage two facets that are not necessarily always fully aligned: the protection and fostering of economic and social development, and at the same time protecting national security, and how to do that without one harming the other is a big challenge.
But I don't want to highlight just governments here in that context. I think we hear more and more the idea that businesses could -- when they're attacked by whoever, could retaliate. We hear the concept of active defense used by governments to do a number of things. Actually, some businesses are offering services to retaliate, to actually address attacks, but also to strike back in order to give a lesson to the attacker. And that's, I think, a serious challenge that has economic and social consequences in terms of increasing the overall level of risk. I'm thinking here, again, of both the government and behaviors also in the private sector that are challenging and not easy to address.
>> THE MODERATOR: Thank you very much. There seems to be agreement about the importance of trust, and I can only echo that myself. And I might add that trust, and transparency as a means to establish trust, is very, very important in this area.
I want to thank the dream team around me, including Joe, who has left, but I also want to thank my dream audience, who at this late stage of the day have been true to us and have stayed in the room after a long day. You deserve to have a nice dinner tonight, and I want to close this session by wishing you a nice IGF gala dinner. Thank you for coming and attending the OECD open forum. Thank you.
[ Applause ]
This text is being provided in a rough draft format.
Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.