ITAC Newsletter N°5 July 2015

July 27, 2015

The Internet Technical Advisory Committee (ITAC) to the OECD brings together the counsel and expertise of technically focused organizations, in a decentralized and networked approach to policy formulation for the Internet economy.  The main purpose of ITAC is to contribute constructively to Internet-related policies developed in the OECD. It mostly contributes to the work of the OECD Committee on Digital Economy Policy (CDEP) and its specific working parties such as the Working Party on Communications and Infrastructure Services Policy (CISP) and the Working Party on Security and Privacy in the Digital Economy (WPSDE).

Table of Contents

Editorial: On the road to Mexico 2016
By Constance Bommelaer, Senior Director, Global Policy Partnerships, and Nicolas Seidler, Policy Advisor, The Internet Society

Interview of Ambassador Dionisio Pérez-Jácome Frisione, Mexico’s Permanent Representative to the OECD

New Internet (and IoT) Era and the Protection of Economic and Social Activities
By Karen McCabe, Senior Director Technology Policy and International Affairs, IEEE Standards Association

Consent as a critical component for Trust in the Growth of the Digital Economy
By Mark Lizar, CISWG Co-Chair, Kantara Initiative

Investigating Whether Internet Paths Stay Within Borders
By Emile Aben, System Architect, RIPE NCC

United we stand: Protecting against cyber threats with standards for sharing
By OASIS CTI Technical Committee


About This Newsletter

ITAC provides an avenue for new technical insights to contribute to the work of the OECD. ITAC is open to any Internet technical and research organization that meets the membership criteria listed in the Committee’s Charter.

ITAC encourages Policymakers, members of Civil Society and Businesses to submit queries regarding any of our work to Questions@internetac.org

If your organization is interested in joining ITAC and contributing with technically informed advice to the OECD’s development of Internet-related policies, we invite you to visit our website: http://www.internetac.org, to read the “Criteria for Membership” in ITAC’s Charter (Section III).

For further information on ITAC, please contact us at Membership@internetac.org

Editorial: On the road to Mexico 2016

July 27, 2015

By Constance Bommelaer, Senior Director, Global Policy Partnerships, and Nicolas Seidler, Policy Advisor, The Internet Society

In many respects, 2015 is shaping up to be a defining year for the future of the Internet and its potential for development.

Over the past months, the OECD has been busy preparing for the 2016 Ministerial on the Digital Economy, to be held 24-26 June 2016 in Cancun, Mexico. This event will define priorities of OECD countries in leveraging ICTs for economic growth and social progress. Giving voice to the technical community, the Internet Technical Advisory Committee to the OECD, ITAC, will be actively engaged in preparations.

Harnessing the potential of ICTs to reach the UN Sustainable Development Goals (SDGs) will also be at the heart of the ten-year review of the World Summit on the Information Society (WSIS+10) this year. Following consultations with all stakeholders held by UNESCO and the ITU in the past two years, the United Nations in New York will be hosting a High-Level WSIS Review event in December that will take stock of progress and provide a vision for the WSIS beyond 2015.

Both the OECD and the UN streams of work highlight that ICTs and the Internet have already had a major impact on economic and social development. In a very measurable way, the development of Internet infrastructure around the globe has accelerated economic growth and social development on all continents. Today, the digital economy contributes 5 to 9 percent to total GDP in developed markets, and in developing markets, it is growing at 15 to 25 percent per year.

Governments, business, civil society and individuals have adopted them extensively. Mobile telephony, Internet access and social media have transformed communications opportunities for individuals, while governments and businesses increasingly rely on the Internet for communications and administration, delivering services and disseminating information. Many governments and development agencies have adopted strategies to leverage ICTs for development (ICT4D) and introduced programmes that take advantage of the Internet – stimulating access to information through telecentres and mobile applications; promoting business sectors such as outsourcing and software development; disseminating e-agriculture and e-health information, distance learning and mobile money; and establishing mechanisms to provide early warning of natural and man-made disasters. These impacts have grown as technology has become more sophisticated, user numbers have risen, more bandwidth has become available, and new services have been introduced. Further developments now underway – such as cloud computing and the Internet of Things – mean that ICTs will have even greater impact on development implementation and outcomes over the next fifteen years.

In light of this positive trend, the Internet technical community, in cooperation with all stakeholders, has a unique perspective to offer in tackling the challenges ahead of us. This community can also help define priorities to allow the Internet to reach its full development potential, such as:

  • Connectivity and access for all
  • Affordability
  • Reliability and resilience
  • An enabling legal and regulatory environment
  • Enhanced human capabilities

To tackle these priorities adequately, an open and collaborative approach to policy, standards and technology development will be crucial. A holistic approach is also critical if we want to fully harness the potential of the Internet. Indeed, there is a clear case for linking and articulating the different facets that the Internet touches upon: development goals and governance of the Internet, security policies and economic objectives, global dialogue processes and bottom-up approaches.

This is clearly the spirit that we expect to find at the 2016 Ministerial in Mexico next year.

Interview of Ambassador Dionisio Pérez-Jácome Frisione, Mexico’s Permanent Representative to the OECD

July 27, 2015

Photo: OECD/Michael Dean

In the interview below Ambassador Dionisio Pérez-Jácome, Mexico’s Permanent Representative to the OECD, answers a series of questions. The answers are given in the context of the still on-going process of definition and organization of the Mexico 2016 Ministerial on the Digital Economy. Therefore, a wide array of information on the Ministerial is still under review by the relevant Committees, including the OECD Council, and is thus not yet declassified and is subject to changes.

When did Mexico join the OECD, and what has been your country’s economic and social priorities since then?

On May 18th, 1994 Mexico deposited its instruments of ratification of the Convention on the OECD. For Mexico, joining the OECD and NAFTA the same year (1994) represented a key recognition of the progress we had achieved in the preceding years. It acknowledged our efforts guided towards establishing a more efficient market economy, through our strong commitment to deep structural changes, open trade and an open economy.

During the past 21 years, Mexico has emphasized its work with the OECD to tackle a wide array of challenges, including:

  • Consolidating a stable macroeconomic environment,
  • Achieving higher levels of inclusive growth and development,
  • Ensuring a high quality of education,
  • Boosting competition and competitiveness,
  • Improving regulatory framework and impact,
  • Reinforcing fiscal and budgetary policies, as well as strengthening institutions, through higher accountability, transparency standards and a results-based scheme.

During the past three years, under President Peña Nieto, the OECD has been an important collaborator in the design of Mexico’s ambitious structural reform agenda. Mexico looks forward to continuing its close work with the OECD in the implementation of structural reforms to achieve higher growth and productivity through a strengthened and more resilient and inclusive economy, institutions and society.

What are the objectives and hopes of Mexico for the 2016 OECD Ministerial?

The objectives and hopes for the 2016 Ministerial include:

  • Addressing the economic and social benefits of an open Internet and the policies that support its development
  • Taking advantage of the economic and social benefits from convergence to the Internet of Everything
  • Enabling greater co-operation to protect consumers and manage privacy and security risks
  • Benefitting from the new, ever-evolving labour markets

More detail on these issues can be found at
http://www.oecd.org/sti/dep-ministerial-2016.htm.

What in your opinion are the key changes in the digital economy since the last OECD CDEP Ministerial in 2008 in Seoul?

The main change in the digital economy since the Seoul Ministerial is the rapid pace at which the Internet has grown and diffused across the globe, and the deeper impact this has had on governments, businesses and societies. The very recent OECD Digital Economy Outlook 2015 sheds light on these issues:

  • World exports of manufactured ICT goods grew by 6% per year while ICT services grew by 30% yearly from 2001 to 2013.
  • There has been an overall decrease in prices, increasing mobile and internet per capita penetration. For example, mobile broadband baskets for smartphones decreased on average in OECD countries by 52% in 2014 compared to 2012.
  • In 2014, 95% of enterprises had broadband, up from 86% in 2010.
  • In 2014, 76% of businesses had web presence and 90% were interacting with public authorities online.

This has also brought about important changes and challenges for business through e-commerce, as well as to the job market, particularly for younger generations.

The increasing pace of technological progress, coupled with a rapid path towards the “Internet of Things” or “Internet of Everything”, poses challenges for governments, as well as important benefits for societies. Hence, governments are taking important steps to develop national digital strategies to ensure society reaps the full benefits of the digital economy.

Very detailed information on this question can be found in the 2013 OECD publication “The Internet Economy on the Rise: Progress since the Seoul Declaration”.

What do you see as the key challenges and opportunities for the digital economy in the next decade?

The key challenge is to continue to harness the benefits of the digital economy. Moving forward will include supporting even further penetration of services and making markets more accessible to all social sectors. Furthermore, trust must be enhanced in order to increase social participation, the number of enterprises participating in e-commerce (21% in 2014 on average for OECD countries, only up 2% from 2009) – particularly the need to boost SMEs – and further develop national strategies to face the impacts on skills and employment across the different social sectors: age, economic status, geographical location, etc.

The 2008 Ministerial resulted in the creation of the Internet Technical Advisory Committee (ITAC) and Civil Society Advisory Committee (CSISAC) to provide their expertise and views in the work of the OECD CDEP. How does Mexico see the value of the role of non-governmental stakeholders in the work of the OECD?

Mexico greatly values and supports the participation and work of ITAC, CSISAC and others in the OECD CDEP and other Committees. The digital economy requires collaboration amongst all stakeholders, which is an approach being sought after for the Mexico 2016 Ministerial, and is viewed by Mexico as a key element of an inclusive dialogue on these timely issues.

Photo credit: OECD/Michael Dean

New Internet (and IoT) Era and the Protection of Economic and Social Activities

July 27, 2015

By Karen McCabe, Senior Director Technology Policy and International Affairs, IEEE Standards Association

A new Internet age is emerging which will likely lead to many significant shifts in the Internet’s future role in society—namely as we progress to a device and human hyper-connected reality. These shifts will have major implications for the future of the Internet, not only on its governance and development, but also on its use and impact. There have been dramatic transformations to Internet-enabled devices that network and communicate with each other providing unprecedented opportunities for new services, improved productivity and efficiency, real-time decision-making and innovative user experiences.

We are now poised for a revolution in which the connection goes beyond connecting only computing devices and begins to include sensors, everyday objects and the built environment or infrastructure. Much of what we have traditionally considered to be inert and distinctly non-electronic is becoming a part of this mega-network—of what today is called the Internet of Things (IoT).

Where every device and virtually all electronic devices (and people) are connected in this new era of IoT, there is an exponential growth in collecting, transmitting and analyzing data resulting in a massive creation of a vast knowledge set that will help catalyze a knowledge society. While IoT and data analysis can lead to greater empowerment of world citizens and economic growth, the same opportunity challenges the concept of privacy and security.

The increasing rise in data capturing, linking, analyzing and using information raises concerns about individual privacy protection. Personal data is the type that has drawn the most attention from a regulatory and policy point of view. Thus, the challenge is to achieve an acceptable relationship among individuals’ right to privacy and the emerging opportunities in data innovation. Importantly, there is a paradox where the Internet and devices are used intensively and data is relinquished willingly with opposing fears that privacy is compromised. This paradox can hinder the potential unlimited growth of the new Internet (and IoT) age by users and industry that may ultimately affect the global economy.

Having guidelines and a set of global principles that focus on the protection of the economic and social activities that rely on the digital environment will serve as a strong foundation to help unencumber future development and support data innovation and usage opportunities that will benefit citizens of the world. This week at the 69th Session of OECD CDEP (Organisation for Economic Co-operation and Development Committee on Digital Economy Policy), the draft Recommendation on Digital Security Risk Management for Economic and Social Prosperity—the result of a thorough review of the 2002 Recommendation of the Council Concerning Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security—will be submitted for discussion with the proposal that the draft Recommendation replace the 2002 Security Guidelines. The review was launched in 2013 by the Working Party on Security and Privacy in the Digital Economy (SPDE).

Consent as a critical component for Trust in the Growth of the Digital Economy

July 27, 2015

By Mark Lizar, CISWG Co-Chair, Kantara Initiative

In a day and age where sharing personal data is increasingly central to our social practices online and a requirement for the use of many services and applications, the capacity for users to understand and manage the data they share online is more important than ever.

Key to this is the notion of consent, which means that people explicitly agree to sharing, but at this time people can’t independently track or control sharing using policies.

In this regard, Kantara Initiative’s Consent & Information Sharing Work Group (CISWG) is proud to announce our work on a Consent Receipt open standard. The Consent Receipt seeks to increase personal data control and transparency by increasing the capacity for people to track and manage data sharing relationships. We can build stronger trust in today’s digitally driven economy by upgrading the digital consent and “I agree” buttons on and off the Internet so that they provide users with a record of what personal information they have shared with a particular service.

The Consent Receipt serves people, organizations, and governments by addressing a lack of user trust. A Special Eurobarometer research report, released in June 2015, indicated a strong demand for consent, greater transparency, and more personal data control. This report is generated from a survey completed in March 2015. Approximately 28,000 respondents from different social and demographic groups were interviewed.

Sample quotes from the report reveal the current paradox: users are expected to provide consent with little or no information regarding what data they have consented to release.

  • “Nearly seven out of ten people (69%) say that their explicit approval should be required in all cases.”
  • “Yet only one fifth of respondents say they are always informed about the conditions of data collection and its potential uses when they are asked to provide personal information online.”
  • “Two-thirds of respondents (67%) say that they find privacy statements too long to read, while nearly four out of ten (38%) find them unclear or too difficult to understand.”

The Challenge – Usable and meaningful consent is obstructed by outdated practices and infrastructure. Policies and consent management today are having the effect of obscuring personal data control and eroding trust and innovation in the digital economy.

The Solution – A Consent Receipt is designed to solve this issue by increasing the capacity for people to manage personal information sharing. The development of a common way to record consent enables privacy policies to be layered, making them machine and human readable.

A standardized Consent Receipt effectively enables consent to be managed independently of service providers while affording the opportunity to make consent a positive customer experience.

Kantara Initiative is a participating Member of the OECD-ITAC. If you would like to learn more about the Consent Receipt work and how your organization can contribute or adopt please visit:
http://bit.ly/ciswg

Investigating Whether Internet Paths Stay Within Borders

July 27, 2015

By Emile Aben, System Architect, RIPE NCC

How many of a country’s Internet paths remain within its borders? It is a question that is often asked for various reasons. Of course security plays a part in this discussion, but it is also an important factor in the reliability and cost of Internet connectivity. This is especially true in developing countries, where unnecessary detours of Internet traffic significantly increase costs.

To help provide some insight, I used RIPE Atlas, the RIPE NCC’s global Internet measurement network, to investigate the different paths that Internet traffic takes. RIPE Atlas is a global network of probes that measure Internet connectivity, providing “traffic maps” and other data that can be used to gain an understanding of the state of the Internet in real time. For the initial research, I used Sweden as an example, but the same measurements and analysis can be performed for any country in which there are enough RIPE Atlas probes.

Selecting 85 RIPE Atlas probes located within Sweden’s borders, I performed measurements that mapped the traffic between them, showing which paths it took. I found that 12% of IPv4 traffic between these probes left the country at some point along its path from probe A to probe B. For IPv6 traffic, this figure jumped to 21%.

I was also interested in how much traffic traverses Internet Exchange Points (IXPs) in order to gauge the effect that IXPs have on keeping traffic local. Specifically, I looked at how many of the paths traversed Netnod, a Swedish IXP. I discovered that 50.2% of IPv4 traffic and 51.4% of IPv6 traffic traversed one of Netnod’s exchange points.

This kind of data can help provide a picture of a country’s Internet landscape, such as its connectivity infrastructure and the effect that international service providers have on its market, as well as highlight differences between countries. You can learn more about this analysis and available measurement tools on RIPE Labs.

United we stand: Protecting against cyber threats with standards for sharing

July 27, 2015

Richard Struse of US DHS

The CDEP Working Party on Security and Privacy in the Digital Economy has the recurring topic of ‘Developments on Cybersecurity’ on its agenda for the purpose of sharing insights and initiatives amongst its members and to identify opportunities for co-operation. New standardization efforts within OASIS are underway on the exchange of cyber threat intelligence data to help prevention, detection, and remediation.

When it comes to cyber attacks, the best defense may not be a good offense so much as a good standard–or better yet, three good standards. STIX, TAXII, and CybOX, designed to enable the automated sharing of cyber threat intelligence, have now ‘graduated’ into the international open standards process at OASIS.

“Security professionals are overwhelmed and simply don’t have time for analyzing data in disparate formats. STIX, TAXII, and CybOX streamline the process, putting the focus where it belongs—on prevention, detection, and remediation,” said Jon Oltsik, Senior Principal Analyst at Enterprise Strategy Group. “Using data converted to these standard formats can help security practitioners rapidly identify and access current threats, and determine how they act, who is responsible, and what course of action is needed.”


Initiated three years ago by the U.S. Department of Homeland Security (DHS), STIX, TAXII, and CybOX are now supported by a record number of organizations from around the world which have come together in the new OASIS Cyber Threat Intelligence (CTI) Technical Committee.

The specifications can work in concert or be implemented separately. STIX (Structured Threat Information Expression) is a language for describing cyber threat information so that it can be analyzed and/or exchanged. STIX makes it possible to explicitly characterize a cyber adversary’s motivations, capabilities, and activities, and in doing so, determine how to best defend against them. TAXII (Trusted Automated Exchange of Indicator Information) defines services and message exchanges that enable organizations to share the information they choose with the partners they choose. CybOX (Cyber Observable Expression) is a language for specifying, capturing, and communicating events or stateful properties that are observable in system and network operations. Together, STIX, TAXII, and CybOX are instrumental in supporting a wide variety of applications including security event management, malware characterization, intrusion detection, incident response, and digital forensics.

“STIX, TAXII, and CybOX have reached a level of maturity where they will benefit from a more formal collaboration guided by a globally recognized standards development process that ensures transparency, international participation, stability, reciprocity, and perpetual ease of access,” said Richard Struse of the U.S. DHS Office of Cybersecurity and Communications, who chairs the OASIS CTI Technical Committee. “OASIS provides all of this and is also an authorized PAS Submitter to ISO, which ensures our standards will be implementable by the broadest possible stakeholder community.”

As necessary as cyber threat intelligence sharing is, it still takes courage and commitment to begin the process. “Sharing confidential information has been one of the things private industry has been very leery of doing because they are not sure they can share this kind of threat vulnerability information securely,” said Mark Weatherford, former DHS cyber chief and principal at The Chertoff Group. “STIX, TAXII, and CybOX developers are heroes in my book.”

Additional information
OASIS CTI Technical Committee
https://www.oasis-open.org/committees/cti/