Categories
Newsletter Newsletter N°1:

Internet Policy Making – OECD’s Principles, Its Multi-stakeholder Approach and the Way Forward

By Verena Weber, OECD Economist/Policy Analyst


During the past two decades, the Internet has become a key platform for innovation and economic growth. By fostering the free flow of information, it has increased transparency, opened new territories and, as a consequence, lowered entry barriers to markets and created new business opportunities. Its open nature has also facilitated inclusion – anyone can develop new applications and services that, in turn, can be used anywhere in the world.

The OECD has a long history and expertise in analysing how to best promote the dynamic nature of the Internet while, at the same time, protecting privacy, security and intellectual property. Against this background, the OECD Council adopted the Recommendation for Internet Policy Making Principles in 2011. It contains a set of 14 principles that call for a holistic approach to Internet policy making along the entire Internet economy value chain from investments in high-speed networks and services to the promotion of creativity and innovation on the application layer while protecting privacy and security.

Importantly, the Recommendation puts forward three overarching principles to guide the further development of the global Internet economy: (i) the promotion of the global free flow of information, (ii) the preservation of the open, distributed and interconnected nature of the Internet and finally, (iii) the adoption of a multi-stakeholder approach to developing Internet policies which guarantees transparency and effectiveness. During the past years, discussions and policy making processes in the OECD Committee for Information, Computers and Communication Policy have greatly benefitted from input from various stakeholder groups including the Internet technical community, civil society, and business.

Pursuing this multi-stakeholder approach to policy making is crucial to the future of the Internet economy. The OECD is currently setting up a multi-stakeholder voluntary expert group to develop a roadmap for the implementation of the OECD Recommendation. We welcome the active participation of the Internet technical community in this group and its contribution to developing policies that support and promote a dynamic, open and inclusive Internet economy.

 


Sharing Perspectives in the Realm of Cryptography

By Christine Runnegar, Director, Public Policy, and Robin Wilton, Technical Outreach Director for Identity and Privacy, Internet Society


XKCD comic about a crypto nerd's imagination

Thanks to some substantive comments submitted by ITAC to the OECD that were principally authored by colleagues from the ISOC Trust & Identity team, ITAC was invited by the OECD Working Party on Information Security and Privacy (WPISP) to lead the organisation of a roundtable during WPISP34 on developments in Cryptography Policy.

A great piece of distributed collaboration between Robin Wilton, Gershon Janssen (OASIS) and Michael Donohue from the OECD Secretariat, with the help of BIAC, CSISAC and OECD members, pulled together a very good set of speakers who were able to provide both a technical context and topical examples of the economic and social impact of cryptography policy.

Bob Griffin (Chief Security Architect at RSA), sharing his experiences in the field, made a compelling case for governments to encourage the use of encryption technologies to protect the confidentiality of data, particularly in case of theft or loss – as part of a defence-in-depth strategy. How many privacy breaches caused by lost USB sticks and stolen laptops could have been mitigated had the data been properly encrypted? Bob also expressed his confidence that crypto-capable mobile devices have a growing role to play as enablers of strong authentication.

Matthew Scholl (Deputy Chief, Computer Security Division, NIST) emphasized that governments cannot, and should not, try to “corner the market” on cryptography. The NIST model today is to foster private sector open and transparent development of candidate algorithms, and to evaluate them as possible US government standards. A case in point is the AES algorithm, which was developed outside the US.

Just as important as using encryption is ensuring that the tools being deployed are not using vulnerable or “out-of-date” algorithms. When widely deployed algorithms (such as SHA-1) come to need replacing, governments and enterprises alike are faced with the challenge of migrating safely to new ones.

Masahiro Uemura (Director of the Office of IT Security Policy, METI) cited several examples of Japanese projects in the crypto domain, and technical areas in which work is either planned or under way concerning: authenticated encryption; identity-based encryption; and “signcryption” (algorithms that combine signing and encryption capability).

Suso Baleato (CSISAC) pointedly asked a rhetorical question: “Why are electronic messages sent as postcards?” and encouraged all stakeholders to foster end-to-end encryption by default.

Robin Wilton (ISOC), who moderated the roundtable, remarked in conclusion:

  • economic and social activity depend on sound cryptography policies
  • governments and business need to pay attention to the evolution of cryptography technologies
  • even the most careful deployment of cryptography can be flawed, can suffer from attack
  • cryptography achieves the widest adoption when mechanisms are hidden from the user, because the less the user has to do, the more likely they are to use it.

All in all, this was a fascinating insight into the world of cryptography policy.

Finally, let us make a brief call out to some of the crypto-related work being undertaken by ITAC members:

  • W3C – Web Cryptography WG [1]
  • IETF – JavaScript Object Signing and Encryption (JOSE) [2]
  • OASIS – Enterprise Key Management Infrastructure (EKMI) TC [3] and PKCS #11 TC [4]

For more information regarding cryptography, please contact Robin at [email protected].

Find out more about the OECD Working Party on Information Security and Privacy (WPISP) at www.oecd.org/sti/security-privacy.

_________________________

[1] http://www.w3.org/2012/webcrypto/

[2] https://datatracker.ietf.org/wg/jose/charter/

[3] https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=ekmi

[4] https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=pkcs11

 


ITAC Member Spotlight: RIPE NCC

By Chris Buckridge, External Relations Officer for the RIPE NCC


The RIPE NCC was one of the key founding members of the Internet Technical Advisory Committee when it launched in 2008. With Internet governance already gaining prominence in many inter-governmental settings, it was clear that the OECD could be an important venue for producing authoritative analyses of the economic and political impact of developments in the Internet industry.


The core business of the RIPE NCC and its fellow Regional Internet Registries (RIRs) is the management and distribution of Internet number resources, including IP addresses (IPv4 and IPv6) and Autonomous System Numbers, and the five RIRs represent distinct regional communities involved in the bottom-up development of policy governing the management of those resources. While the issues relating to IPv4 depletion and IPv6 deployment have long been understood in the Internet technical community, in the years since ITAC was formed, these issues have increasingly become the subject of scrutiny and discussion by governments, regulators and other Internet stakeholders. Participation in ITAC ensures that when these discussions take place in the OECD context, the perspective of the RIRs and their communities (those who build and operate networks) is part of the conversation.

The RIPE NCC’s focus in the OECD has been primarily in the Working Party on Communication Infrastructures and Services Policy (CISP, for which the RIPE NCC serves as ITAC issue leader) and the Committee for Information, Computer and Communications Policy (ICCP). This participation has allowed the RIPE NCC to contribute to the production of important studies in areas such as IPv6 deployment and Internet interconnection, and to highlight these issues and offer technical expertise in forums such as the 2008 OECD Ministerial Meeting and the 2011 High Level Meeting on the Internet Economy.

With much attention currently focused on further defining Enhanced Cooperation and assessing the effectiveness of multi-stakeholder Internet governance models, the RIPE NCC sees the OECD and ITAC example as an important success story in how different stakeholder groups can work together, sharing expertise to achieve positive outcomes for all sides to ensure a stable and evolving Internet.


Internet Exchange Points

By Kurt Erik Lindqvist, CEO of Netnod


Internet Exchange Points (IXPs) have recently gained increased interest in Internet Governance discussions, as well as among governments. IXPs have played an important role in the development of the Internet, and especially in driving down connectivity costs, increasing resilience of the network and in improving the end-user experience.

Europe today is perhaps the region with the most IXPs in the world. This density of interconnects has served Europe well, and has contributed to some of the highest broadband speeds at the lowest cost. IXPs and interconnects were established early in the European Internet as a means to save on expensive transatlantic costs (at a time when 80% of all traffic went to content located in the US), as well as on expensive intra-European circuits. IXPs and interconnects allowed the new and emerging Internet Service Providers (ISPs) to compete with the larger and often incumbent operators. This competition followed the deregulation of the European telecommunication markets in the early 1990s, and led to a build-out of access networks as well as price erosion in end-user charges. The importance of deregulation in creating a competitive European market can’t be overstated, and it was also instrumental in creating the dynamic interconnected ecosystem that still exists today. Another reason for the success of the IXPs in Europe is that they are almost all membership owned and driven. This was possible through the emergence of the cooperative environment that still exists today. This is reflected in the recent OECD study[1] of interconnection agreements, which showed that 99.5% of agreements are made on a handshake, and not in written agreements. The OECD is continuing to do work in this area with more studies supported by the Internet Technical Advisory Committee.

So why is the existence of IXPs and interconnects important? First of all, IXPs can still save on costs, although the cost of circuits and Internet transit in large parts of Europe today has fallen sharply and tends to be at or below the cost of connecting to an IXP. More importantly, however, IXPs have also helped to improve the end-user experience over time. In the early days of the European Internet, traffic between operators in the same country could go via the US and back. This changed gradually: initially traffic stayed in Europe, and over time traffic stayed inside countries. Today the trend is for more and more IXPs inside each European country, further keeping traffic local, improving the end-user experience and lowering the cost of handling traffic overall. This gradual localization of traffic drove the development of new IXPs, while at the same time new IXPs enabled the localization of traffic. This mutual benefit led to a dense network of interconnects. Today, this localization is furthered by the deployment of content delivery platforms (from companies such as Google, Akamai, Limelight etc.) located both in many IXPs and inside operators’ networks, close to the end users. This is driven by the advent of high-bandwidth applications such as video, which put greater requirements on performance between content and end users.

[Figure omitted. Source: Euro-IX]

Lastly, IXPs and the dense interconnection network that were developed have increased the resilience of the European Internet. This density has helped the European Internet work through major events such as 9/11 and large-scale outages at operators, allowing the network and content to continue to function. This is an aspect often overlooked, but IXPs and interconnects play a crucial role in securing the Internet and all the applications that depend on it.

Many other parts of the world today find themselves at a similar stage of Internet development as Europe was in the early and mid 1990s. There are many important lessons to be learnt from what happened in Europe and what the driving factors were. Other regions can learn from the factors that created the enabling environment that fostered the growth of IXPs and interconnects, such as the deregulation of the telecom markets and the trust and cooperation between the operators. The European experience has been a success, with high-bandwidth broadband at low cost for the benefit of end users. This in turn has acted as a platform for the development of new services and e-commerce that has driven the growth of the digital economy.

_____________________________

[1] http://oecdinsights.org/2012/10/22/internet-traffic-exchange-2-billion-users-and-its-done-on-a-handshake/


The Economic Benefits of IPv6 Implementation

By Mat Ford, Technology Program Manager, Internet Society


The Internet is a powerful force for unleashing innovation and economic growth. Underpinning this capacity of the Internet to drive change and progress are some aspects of technology that may be easy to overlook, but that are in fact fundamental. The huge economic and social benefits brought about by the Internet are ultimately supported by very specific characteristics of the underlying technology.

The Internet is powerful because it is global and because it is open. The global nature of the Internet is made possible by Internet addressing. Without a unique, public Internet address, communications must be proxied, leading to degradation of communication quality, and reduced potential for the network overall.[1] Proxying communications in this way reduces the resilience of the network, increases costs for service providers, has implications for communications traceability and curtails the ability of the network to act as a platform for innovation, thereby diminishing the economic growth associated with the Internet. The need to proxy communications is growing as available public address space runs out all over the world. In addition to costs for service providers, it’s worth noting that growing use of proxies creates costs for the whole Internet industry as they work around the proxies. This will be needed in the short term, but it is possible to move to a better solution for the long-term future of the Internet and remove these costs from the entire industry.

Deployment of IPv6 technology is the solution for this growing problem.[2] In the 2008 Seoul Declaration for the Future of the Internet Economy, OECD member states encouraged the adoption of IPv6, in particular by governments and large private sector users. The Internet technical community echoed this encouragement in their Memorandum on the Future of the Internet in a Global Economy, where the fundamental importance of IPv6 deployment for the successful evolution of the Internet was strongly emphasized.

Since 2008, IPv6 deployment has gathered pace, stimulated recently by World IPv6 Launch, an industry-wide collaborative activity organized by the Internet Society. This activity has helped to encourage IPv6 deployment at large Internet content providers, service providers and equipment vendors. Major fixed-line and mobile Internet service providers are now starting to carry significant volumes of IPv6 traffic on their networks, and this progress is being measured and reported regularly to stimulate further progress across the wider Internet industry. IPv6 implementation will support huge growth in the range of services and products that make use of the Internet and is a fundamental enabler of the Internet economy, supporting the creation of new markets and catalyzing economic growth.

But further encouragement is necessary. Overall IPv6 uptake remains patchy and the opportunity remains for governments and leading private sector organizations to show leadership in securing the future of the open and global Internet, with sufficient public addresses for all, that is so central to the economic growth of tomorrow.

Read more about the Internet Society’s IPv6 activities here: http://www.internetsociety.org/ipv6
http://www.internetsociety.org/ipv6-isp-heatmap

Read more about World IPv6 Launch here:
http://www.worldipv6launch.org/infographic/

_______________________________

[1] Communications are proxied by Network Address Translators (NATs). The NAT has a public Internet address that it shares across multiple private connections.

[2] Internet Protocol version 6 (IPv6) is the latest revision of the Internet Protocol (IP), the communications protocol that provides an identification and location system for computers on the Internet. IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with the long-anticipated problem of IPv4 address exhaustion. See http://en.wikipedia.org/wiki/IPv6 for more detail.

 

Categories
ITAC Contributions

ITAC contributions to 65th ICCP session (11-12 April 2013)

The 65th session of the Information, Computer and Communications Policy committee (ICCP) was held on 11-12 April at the OECD headquarters in Paris.

The Internet Technical Advisory Committee (ITAC) provided concrete proposals for the future activities of the ICCP and its high-level events in upcoming years, in particular stressing the importance of assessing the positive impact of open Internet standards on global innovation. In this regard, the OpenStand Paradigm was highlighted as providing key principles that encourage the development of market-driven and efficient standards that are global, interoperable and open.

One of the key issues discussed at the ICCP was the deployment of IPv6 and the importance of OECD member states further promoting its adoption. Marco Hogewoning (RIPE NCC) presented the main findings of a draft paper authored by Geoff Huston (APNIC) on the transition from IPv4 to IPv6. It was preceded by video interventions from Geoff Huston and Vint Cerf highlighting the key challenges and the importance of fostering IPv6 adoption to ensure a sustainable Internet economy.

  • Geoff Huston’s presentation: http://www.potaroo.net/presentations/movies/IPv6-OECD.mp4

The OECD also held a session taking stock of the ITU WCIT conference and inviting guidance on how best to address Internet governance challenges in years to come. ITAC, represented by Nigel Hickson (ICANN), stressed the importance of engaging with developing countries and sharing best practices in order to address some of the concerns that emerged in Dubai. Ultimately, it is hoped that further exchanges and shared understanding will also lead to greater appreciation of the value of multistakeholder frameworks for Internet policy making.

Earlier in the week, ITAC was invited by the OECD Working Party on Security and Privacy to lead the organisation of a roundtable on developments in Cryptography Policy. Robin Wilton (ISOC), Gershon Janssen (OASIS) and Michael Donohue from the OECD Secretariat, with the help of BIAC, CSISAC and OECD members, pulled together a very good set of speakers, who were able to provide both a technical context and topical examples of the economic and social impact of cryptography policy.

Robin Wilton (ISOC), who moderated the roundtable, remarked in conclusion:

  • economic and social activity depend on sound cryptography policies
  • governments and business need to pay attention to the evolution of cryptography technologies
  • even the most careful deployment of cryptography can be flawed, can suffer from attack
  • cryptography works best when mechanisms are hidden from the user, because the less the user has to do, the more likely they are to use it.