Developing a Policy Understanding on Information Security: Glocal (Global and Local) Perspective


IGF 2010
VILNIUS, LITHUANIA
15 SEPTEMBER 10
SESSION 116
1415

********

Note: The following is the output of the real-time captioning taken during Fifth Meeting of the IGF, in Vilnius. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.

********


>> Good afternoon.  Good afternoon, ladies and gentlemen.  Welcome to this workshop on developing a policy understanding on information security, global and local security.  In this panel today we have two speakers at the moment.  I'm not sure whether there are more who will be joining.  The first one will be Mr. Tracy from Trinidad and Tobago and the second one is Mr.   , Microsoft India.  This workshop is focusing on a couple of issues, like how to identify workable implementing mechanisms to arrest loopholes within the information system    security issues globally, identifying a way forward, and also trying to find out key questions that can lead to a meaningful discussion on how to develop a comprehensive understanding of security issues in a global context: policy bottlenecks in information security, best practices, different countries' perspectives, and similar issues.  To begin with, I would like to call upon the first speaker, Mr. Tracy, to give his views on this topic, followed by Mr.   .  Subsequently I will give some thoughts about the global context of policy perspectives in the information security area.  Mr. Tracy.

>> TRACY HACKSHAW:  Thank you very much.  My name is Tracy Hackshaw.  I am an Internet Society ambassador.  I represent Trinidad and Tobago, and the government of Trinidad and Tobago.  What I'm going to do today is give a perspective from a small island developing state.  This is not going to be a technical presentation, for those who are looking for that.  This is going to be a presentation focusing primarily on best practice support to IS policy and what we can do from here.  I have a presentation, so I'm going to direct you to the monitor there.  I guess it's not showing up so well, but    we will try and get it bigger    I am trying to be remote moderator here.  All right.  Well, nonetheless, the small island developing states: there are 50 of them in the world, in the Caribbean, African and Pacific regions.
My slide had the whole list; however, it's not showing up on the WebEx moderation.  I will switch in a moment.  I will show it to you.  For those who don't know, the numbers: there are some 14 million people in small island developing states and an approximate GDP of $267 billion.  So while they are small, and while they are many in terms of small numbers, they do have a pretty significant population to treat with, and their GDP does factor significantly in the world's GDP.  Where are they located?  They are scattered throughout the world, generally off the continents, as you can see from this diagram.  I was using an upside-down map.  Generally in the wide ocean, generally speaking.  And as per my next slide, the challenges are many in terms of how they are really supposed to move forward.  They are very vulnerable states: vulnerable to disasters, to climate change, to international issues, economic trade imbalances, embargoes as the case may be.  They are very much abstract economies and we have to look at them in a different context.  The security challenges are many.  There are issues of confidence and trust.  Generally speaking, there are legacy information silos in each country, and now that they are moving forward, governments require electronic data sharing in order to function effectively in today's world.  So with the issue of manual data locked away in ministries or in government departments, whether in an old mainframe or legacy environment or in people, international requirements as well as those within their own country require data to be shared.  It should be shared throughout the world, within the country, external to the country; how do they intend to do that with their data as it is?  In country as well, the banks and institutions are now moving towards electronic data, and in each country, as their principles are based internationally, yet again most data was stored either in old silos or in manual paper form.  So now we have a challenge in that regard as well.
The multinationals in those countries, the oil companies, the iron, steel and extractive-economy companies, also have to, basically, are being regulated through the Sarbanes-Oxley Act on one hand and    previous use with Exxon and so on.  They have many more IT    IS requirements that need to be dealt with.  As I said before, there are very many issues.  In the climate change and disaster-susceptible countries, as Haiti showed recently, we are very much affected, and half the population can be wiped out in some cases; with a tsunami the whole population can be wiped out, in effect.  So it's not as simple as: if an earthquake hits a country, it can survive easily.  It takes a long time.  In Haiti, for example,    aid was promised to Haiti.  It's now September and they have received $2 billion of aid, and the entire country in effect is still living in tents after the earthquake, the entire city of Port-au-Prince, I should say.  We also have the explosion of mobile computing; mobile computing, as many of you know, in developing countries is the way of the future.  Access via a PC or traditional internet is very difficult.  So the mobile net and mobile internet and SMS and MMS are where the citizens of the country are heading.  That poses significant challenges both for security as well as for general data protection issues.
And finally, we have what I would call the unexpected and extreme attraction of social media and cloud computing.  The mobile web has created fundamental challenges in security in small island developing states and we do need to look at that carefully.  All right.  I will briefly go to a case study in Trinidad and Tobago: publicizing information security.  In Trinidad and Tobago, which is a small developing state off the coast of Venezuela in South America, part of the Caribbean region, we are very, very much behind in structure for information security.  There are two Acts that currently exist that treat this area.  One is the Computer Misuse Act, which was enacted in 2000, and the other is the Freedom of Information Act of 1999.  However, several other bills need to be enacted that will complete the package.  Two of them in particular are the Electronic Transactions Bill and the Data Protection and/or Privacy Bill, which are still to be enacted.  They have been in parliament for the last two or three years.  Coupled with that, the government of Trinidad and Tobago has embarked on an eGovernment initiative whereby there is an expectation there will be heavy use of electronic data and heavy retention of data.  Given what I said before about where data exists and where it lies in people, that poses a significant challenge for security, and, as you will imagine, for things such as authentication and for sharing the data between agencies to enable proper government to happen.
>> There are a lot of challenges.  Having chatted with colleagues in the Pacific region in particular, there are the same challenges that I share across: how do we continue to progress and evolve if there are significant basic ICT challenges and basic IS issues, one of which is legislative, one is capacity building, and another of which is institutional strengthening?
We are also expecting increased review, manipulation, assessment and evaluation of data from not only in-country but international stakeholders.  The U.N. bodies are looking for data from us; the World Bank, the IDB, all require data from small island developing states.  Again, it will be a challenge: one is that sometimes it doesn't exist, and the other is that it is hard to access securely.  We are looking at one-to-one laptop programs, we are looking at increased broadband access, cheap broadband, free broadband in some cases.  All of these will inspire and hopefully lead to increased ICT and internet access, yet, again, it appears to be a significant challenge with weakened structure.  In developing states ICT investment is required to make things work.  BPO and ITES industries are expected to be set up in the countries within parks and so on, and these companies that come expect robust IS infrastructure and robust ICT infrastructure, and most countries are challenged in that regard.  The last country I would consider a small developing state is Singapore, and they have been very quick to move ahead of that and are now considered to be a favorable investment port of entry.  Information security legislation such as data protection would assure the clients of the small developing states who are investing in that country that their data is protected and that they can operate safely.  Our data protection is based on several principles, local principles, and thinking globally, acting locally, modeled after    Canada: use limitation, security safeguards, openness, individual participation and accountability, and our entire legislation    is available on the web site for you to look at.  The challenge of it not being passed is based on a lack of what we call local thinking.  The policy must be grounded in some form of philosophy and based on a real-world and country-specific context.  So we can't just take IS policies from other parts of the world and drop them in.
We have to ensure that it matches our current scenario, our current framework, and our journey has been hampered by that problem.  We have imported some legislation from Canada, for example, with some tweaking, but once it arrived at the parliament, the context was not there, so it's been blocked by the parliamentary system, given the attempt to elect a privacy commissioner, and that is not viewed with very much acceptance by our government, or our government system, I should say.  Without proper monitoring and evaluation, it is a toothless tiger.  So we have had a lot of policies on security, we have had some Acts appear, but they have not been properly monitored, evaluated or, definitely, not enforced.  So we have a challenge in small developing states, and in particular with moving forward with our IS agenda.  On the good side, we look at public-private partnerships.  We have been chatting with IBM, Google and so on to see how best we can work together to forge a partnership within these islands and regions that could better benefit the countries themselves.  The capacity in the country to do this effectively is quite low, and there are just a few individuals; in effect most are employed in the private sector.  Regional multilateral partnerships: again, most of the economies in the region are supported by the international development agencies, anywhere from the UNDP to the African Development Bank.  First and foremost, we need that support and we are looking to those agencies as well for that support.  Again, information security is everybody's business.  And lastly, governments must have the political will to act and enforce legislation even if they don't like it, and in spite of the Big Brother perceptions.  We must consider what the implications of not implementing legislation and policy to treat these issues are, and we must stop squabbling and fighting about it, assuming the context is there, and take it forward and move forward from there.  Thank you.

>> Thank you very much.  If there are any questions at this moment, we can take them.

>> CARLENE FRANCIS:  Yes.  Good afternoon.  My name is Carlene Francis and I am from the Organisation of Eastern Caribbean States.  I would just like to support what has been said by the presenter, but also to add some perspective from my working experience with the IDB and also working    at a regional level with    as well as the CTU.  In terms of development agencies there is harmonization in terms of the procurement procedures and also reporting requirements and the need for statistics.  What we are finding is that in the developing countries we are not ranked very highly in terms of our eGovernment ranking and our ICT ranking because we do not have reliable data.  So CARICOM has established an ICT statistics task force that is looking at this area, but there is funding from other agencies as well.
With regard to policy formulation, there are several entities which are responsible.  We have the Caribbean Telecommunications Union, which is the regional body that deals with telecommunications, and at that level we deal with policy issues.  We also have several projects; one of them is the HIPCAR project, which is a joint project between the ITU and the CTU, which is looking at harmonization of policies as well as legislation.  And there are other projects that deal with policy formulation, but I want to just say that policy formulation, whether at the national or regional level or even in an international setting such as this, is a very protracted process because there are multiple stakeholders with multiple interests.  So even at the local level, where there is a smaller stakeholder group, you can find that if the stakeholder group lobbies well enough, the policy can take a very long time to be developed.  What we have found is that for politicians, what is important at the national and regional level is to speak specifically to the national impact, especially as it relates to telecommunications.  Time is money and we are trying to position the CARICOM region as an investment location.  For ICT policy formulation that is important.  Just one last point: I am here as a Diplo fellow, and I did an online foundation course, and one point that was raised in the course is whether we should have an internet governance policy which is separate and apart from an ICT policy.  And at the national level, I know that we have contemplated that.  Most countries still have an ICT policy, or they may have an eGovernment policy, and very few have internet governance policies.  So the focus now is whether or not we should augment the existing policies to include more information on internet governance, or to have a separate internet governance policy, and perhaps persons from other developing or developed countries can provide some feedback on that.  Thank you.

>> Thank you very much for your views.  I can respond on my own, on behalf of my country: we have a comprehensive IT Act, which was first formulated in the year 2000 and later amended in 2008, which came into effect on October 27, 2009.  And this Act covers a very broad spectrum of issues and aspects related to information technology.  The issue of eGovernance, the eGovernance activities that need to be managed in our country, have been articulated and facilitated.  That's one approach we have been taking.  And we have learned in our experience that this particular way of dealing with it, through a comprehensive Act, is serving the issue well.  I'm not sure if there are any other countries that would like to respond; I would welcome their response.

>> I support Carlene, and I believe in Barbados it is, and I'm not sure about Jamaica.  The ICT policies are including internet governance, but I don't consider it separate.  In Trinidad and Tobago we are looking to include internet governance in our ICT policy, but it's not going to be separate.  I don't think they have seen it as a separate, distinct level, one on ICT and two from telecoms,    which is highly unfortunate, but I guess understandable, because most of the infrastructure used with internet governance is based on telecoms: telephone, IXP, domain, ccTLD, et cetera; they haven't really reached into the realm of what IG really means.  So we have that quantum leap to make.  Again, speaking to people in the Pacific region, I think it's along the same lines; having been to several academy things, the people who go are telecoms people, and not government people either, so it's less than we can believe.  So we still haven't reached a point where we can separate the internet from a telecom issue, from an ICT issue, and certainly not an IS issue, so we are challenged in that regard, and I would suggest that some of the world can help in directing or mandating or setting a standard that here is the way that we should separate things.  And based upon that, the United Nations is a good example.  Use that model to move forward from there.

>> Thank you very much.  If there are no other questions, then I will request the representative from Microsoft India to take the floor and make his presentation.

>> Thank you.  And thanks, Tracy, for your initial comment.  My name is Deepak Mishi; I have been involved in internet policy integration for 13 years now, in India and in some cases in    also.  When we are looking at this whole scenario of information security, I think what we need to look at is that information itself is becoming more of a global nature, as the title of the workshop itself mentions.  So the internet is a global hierarchical system.  So there is a physical part of it.  The devices also are of different types, which keep on coming here and there, and they do connect with each other.  So, of course, we do have the system of IP addresses there to identify the devices, and the other identifiers also of the devices, like the MAC address; in the case of mobile phones it could be an IMEI code type of thing.  But beyond that, when we are looking at information security, ultimately it's about two things.  One is whatever information has been digitized; it is at rest.  That is stored somewhere, so it could be in a laptop, in a mobile phone, it could be in a data server.  And the second aspect is when the information is in transit.  And just like any other thing, whenever something is in transit, whenever something is in a dynamic position, that is a place where things are more vulnerable for security.  That does not mean, however, that things which are stored in a locked vault, the scenario when you have data stored, cannot also be hacked.  But the fact is that the data in transit is something which is much, much more important, and Tracy was just mentioning whether you look at cloud computing or any other type of scenario; all of these types of scenarios are becoming more and more important from that angle.
Now, when we are looking at information security ultimately, the whole issue comes up this way: different countries have different legislative frameworks, and they have    so in the Information Technology Act that Mr. Shinad mentioned, although the legislation is often there, the outreach is actually global in terms of what is written in the law.  It's a different thing that in terms of practice there may be some other challenges, for example, in terms of getting the cyber criminals or somebody else from another country and bringing them to book.  But the fact is that the law itself does provide for and does empower the government to have oversight for any computer or any user that is in India, and if there is an impact from outside India, the law does cover it comprehensively.  That's something which he had just mentioned.  Now, within this context, ultimately it's about the cooperation between those who are providing the network services, the governments, the law enforcement agencies, but also, I would say importantly, the users themselves.  What happens is the users themselves are not made aware of the security challenges.  The users are not aware of the safety challenges, and a whole lot of things which the users themselves can take care of, unfortunately those things are also getting passed on as the responsibility of other entities, whether the government or elsewhere.  So user awareness is, I will say, one major area of focus, and although there are a whole lot of these practices that we have seen in the IGF village, and the internal practices about how to use certain devices and what to do, those messages are there, but how do you contextualize and update them in different parts of the world?  In India, Microsoft and Sarten and a few trade associations launched a PC.IN a couple of years, about 1.5 years, back, which is targeted at user awareness.  Many other places are required and much more awareness is needed at the user level itself.
The second thing is the sociological aspect of ICTs.  If you look at any other type of technology, whether it's about driving or about something else, it is typically the adults who are teaching the children how to use these types of technologies.  However, with ICT it's becoming the other way: the children adopt those technologies and only then are the adults actually learning, so you are a level behind them.  So whether you have a child lock on a TV or things like that, usually at times a child lock is actually turned around, so it could be a parental lock so that parents can go to CNN news or something like that when the child wants to actually watch a cartoon.  And that's something which we keep seeing all around.
One other important thing which is happening in the country, for which I would give some perspective on the Indian context: there is a very massive transformational project that the government has taken up.  This is at the central level but also at the state level and at the local level.  When I'm saying local, it is not local at the level of a city.  It's right down to the village.  So there is a multi-tiered programme which is going on, and there are 25 projects under way at different phases of implementation right now.
One of the important things that is becoming a component in terms of providing services to the citizens in this particular programme is to establish national data centers.  A police department or food supplies department may also have their own ICT systems, but those departments may not have enough bandwidth in terms of manpower, as well as sheer physical bandwidth in terms of connectivity, to provide those types of things.  The moment you bring all of these types of services into a single place, so all of the government services that the state government wants to provide, you put the servers in a single place and you can have competent and professional people to manage the information there.  So it is not only about the security of the information itself, but ultimately it is also about the availability of the services to end users, the citizens of the country, and for the state for that matter, in that sense.  The other thing which is happening is that a whole lot of devices are becoming convergent devices: there are tablet computers, mobile computers, small laptops and other things.  A single device itself could function as multiple streams, and here what is happening is that instead of using only one type of content, you are actually in a position to consume many types of content.  Right now, one could be doing email, watching a video, or listening to something else, all on a single station, so there are multiple streams going on in parallel on a single device.  And many times the single devices are getting connected with the single network, which is ultimately an IP-to-IP type network.  The next level of security, as I mentioned in terms of the data in transit, is when there is a transit from analogue to digital or from one particular network to any other network.
Let's say you have a network with one particular system, and then it goes from one to another at an IXP point or something like that, and those are the specific places where you have higher chances of vulnerability.  And this is very similar to the physical world otherwise.

>> If you see, more accidents happen on the crossroads rather than on the straight roads, because that is where you have to manage the routing and everything else much better than otherwise.

>> The other thing we observed is that although there are a lot of guidelines, we have EPS guidelines, the Global Network Initiative, GNI, and many of those, the fact is that most of the countries still have their own legislation, which tends to have significant differences from that of other countries.  And at one level, yes, some of these things are very important in terms of context.  But at some level there is an opportunity for harmonization.  So one is at the legislative framework, and the second is at the level when one law enforcement agency in a country wants to interact with a law enforcement agency in another country.  A lot of times there are also multi-tier scenarios.  And in those situations, if there is any sort of mechanism so that things can be sped up, that would be something that would be extremely beneficial.  So we have been working with the law enforcement agencies around the world, including in India, so we worked with them like Tracy mentioned earlier.  We also provided several forensic tools which have been exclusive for the law enforcement agencies, but also we have developed, for the Council of Europe, guidelines for cooperation between law enforcement and service providers.  Basically it's like this: you have one person, let's say, in a law enforcement agency and another person in a service provider scenario; how do they contact each other?  What is the veracity of the people who are asking for this information or providing this type of information?  Because ultimately it means that things can be sped up much faster, and if you can communicate much better that way, it is always much better for information security.
So the last thing I would like to say is there's also a strong correlation of information security with the use of pirated software.  A lot of times we have seen that if the software is non-genuine, or in a scenario where it is not updated properly, there is much more vulnerability in terms of security in those scenarios.  So one other thing that I would tell the user from this platform is: whatever software one is using, please be sure it is updated, please ensure that you are using properly licensed software, whatever technology or any application for that matter.
Another thing, in terms of public policy: I would say that governments do need to sort of reach out and develop some sort of framework.  I don't know how long it will take, but I think somewhere the beginning has to be made.  So the Council of Europe's cybercrime convention is already there, which is open to even non-members of the Council of Europe.  Some of the countries may consider that.  That's a different instrument, but those are the types of things that will actually help a lot in terms of handling this whole thing about the cross-border scenarios.  Then we have this opportunity of using IP version 6 and any other types of technologies, and in that scenario, once we start using IPv6, it is built into the stack itself; it provides an opportunity for better security.  Phishing, spam and other factors: it's like more than 95% of the email that actually comes to our networks is spam.  So that gets filtered quite a lot using filters, but the fact is, if you look at it as a user, you will still feel and find that there is a lot of spam going through.  But what we have observed is that there is a strong correlation across the spam: the people who are engaged in spamming, the people who are engaged in the spread of botnets and the people who are engaged in phishing.  So that's another idea for a lot of work across countries: people need to cooperate in breaking these chains of international cyber crimes, which have acquired a menacing quantum, and so that's something where we need a lot of focus, especially in terms of the users also.  Because if the users are more aware and alert, to a great extent information security challenges can be met.  As far as the governments, I would say the governments need to have a fine balance between information security, also in terms of the security context, and balancing the same with the privacy of the users.
So there are people who have concerns around, let's say, any thought of collection of data by the governments or by businesses or by somebody else, and also how do you allow that data to be shared, et cetera, in that type of context.  So, for example, if you go to watch a movie, and if that particular movie is rated in a particular way, all somebody in the hall needs to prove is the age of that particular person who is going to watch that movie, because that could be the rating criterion; however, when you go online, at times people may seek much more than that information, for example the name, the place, et cetera, which may not be required in that context.  So I think what is needed is to develop a framework which is based on a claims-based identity: that, yes, this is the bare minimum which is needed to establish identity, rather than whatever is possible.  So can we do more with less information, and how do we set the timelines and determine the expiration of any information which has been collected for any such purposes, and how do you deal with the practices of anybody who is collecting a whole lot of information and then, of course, correlating that?  So, let's say, with a picture of a student at a school function, you may have a picture of that same boy with his family, maybe in a family photograph, and things like that; the moment you put these together, you will have a much richer profile of that person, which a lot of times that particular person may not be aware of or think of.  So in sum I would say that ultimately, in terms of information security, what we need is, we do need some technology consultation, but what we also need is strong measures    also ultimately across all sorts of people, including the users, and last but not least the processes themselves, in terms of how do you rely on technology?  How do you store information, in what format, and how do you share it?  Thank you.

>> TRACY HACKSHAW:  Thank you very much.  I would ask if there are any questions or comments.

>> Okay.

>> Carlene Francis for OECS.  I want to explore your policy framework as it relates to the use of mobile devices, given that mobile penetration is now higher than PC penetration in developing countries and we are moving towards access devices versus computers.  How do you ensure that you have a legal framework which is robust enough to protect citizens using mobile devices, taking into consideration what is currently happening in other countries, where, in India as well, there was the recent attempt, I don't know if it was successful, to ask the BlackBerry maker to give you access to people who are doing instant messaging?  What is the legal framework around it, and how do you protect all of the citizens as well as ensure that government gains access to critical security information?

>> I will respond to this in a different manner.  The policy considerations on information security vary from level to level.    I am part of the NISB ecosystem.  As a corporate user I am part of the corporate ecosystem.  The corporate ecosystem is part of the national ecosystem, and the national ecosystem is part of the global ecosystem, but each of these levels has its own policy considerations to deal with.  So a corporation would be dealing with it at its level, and countries are dealing at their level.  The same thing is happening at the international level also.  The United Nations had formulated a team of government experts from 14 countries to examine developments in information and communication technology and come up with suitable recommendations as to how we make sure that there are acceptable norms of behavior in cyberspace where ICTs are not abused.  The ICTs of information states.  I would articulate a couple of concerns that each sovereign country would have, which would cover the issue that you raised as well.
The security concerns at the national level: we see there are five different types of concerns.  The first concern is cyber attacks against ICT infrastructure, especially critical systems, by sources that are    to our interest, for wrongful purposes and to pass their agenda.  The second concern is the technical and legal inability to clearly identify the perpetrators and source of attacks.  Attack attribution is very difficult.  In the absence of a clear attack attribution mechanism, it is possible that it gives enough freedom for the pirates to carry out acts without fear of    .  The fourth one is lack of adequate trust and confidence in the commercially available IT products for deployment in critical sectors.  We can't trust the devices, the products that are deployed in the sector.  Whether they will be functioning the way they have been, or they do something else, we do not know.  So there is some    a deficit in relation to software, bugs, malicious code and back doors.  Lastly, use of technology in a way that seeks to influence, interfere with, potentially, and undermine nation states' ability to safeguard their interests    this is a classic case of BlackBerry, where our laws at this point in time would be in    because of encryption policies, and whatever laws that we would have, it would be an    to deal with these kinds of use of technology.  There is nothing wrong with use of technology, but we have our own    so we need to find a way out, how do we deal with these kinds of tricky situations.  Similarly, at the international level, there are two types of concerns: one is that ICT can be used in contravention of the spirit of coexistence in international peace and security, because any abuse by an entity can leave a sovereign state in a state of helplessness.  Because attribution is difficult, complete anonymity is there; you cannot know and determine positively how it has been done.  It can be done from anywhere in the world.
It is very difficult for a nation state to determine what could be an appropriate response.  And this is about response.  We believe cyber security measures taken by a nation state to protect its ICT might be capable of providing some level of assurance and confidence, but will definitely prove an    to deal with potential and hostile use of ICT to undermine the ability of a nation state.  This has been the context in which the community is looking at it.  Especially, there is an inclination to look at ICT as a dual-use technology.
The one that can support tremendous growth and development, including the growth and all of the possibilities out there with the use of ICT.  On the other hand, there is the kind of destruction potential that ICT has got.  So we have to deal simultaneously with these two aspects, where these two potentials are, appropriately, in their own perspective.  Because information technology can be a target for trouble, a source for trouble, and also a means for trouble.  Simultaneously it can be all three.  So in that scenario, it is a challenge to come up with policies, response policies, all policies put together, which are comprehensive enough to deal with how a nation state should be having a global ecosystem of cyber security.  So at this point this is what I had to say.  Are there any questions we can take up?  It looks as if there are no questions.  Thank you very much to all of the speakers, and to those who have been listening on the net.  Thanks very much for everybody's participation, and bye and take care.