By Roger Clarke, Principal of Xamax Consultancy Pty Ltd, CSISAC member
The OECD is revisiting the Security Guidelines that it first published over a decade ago. The Security Expert Group that is helping with the review of the Guidelines includes public interest advocates, coordinated through the Civil Society Information Society Advisory Council (CSISAC). Advocates have access to documents in advance, and at least some voice. On the other hand, physical participation in meetings is hampered by a lack of budget for the time and travel costs of the professionals who represent the interests of civil society.
To understand the OECD’s current security work, it is important to appreciate that many different scope definitions exist. As explained in , security discussions can be carried on at the level of data, of an IT artefact, or of an organisation; or they can take much broader views, including those of people affected by an IT artefact, industry sectors and segments (as occurs in discussions of critical information infrastructure), a local or national or regional economy, or a society – or indeed they can reflect the needs of the biosphere (thereby encompassing carbon markets and global warming).
The OECD’s 2002 Security Guidelines addressed only the lowest level of those alternative scope definitions. The revision is intended to have broader scope “by realigning their perspective and language with the high-level economic and social objectives pursued by governments, businesses and individuals in the development of cybersecurity policies”. But is the OECD moving far enough? Will its new approach have sufficient scope to serve the world’s needs for the next decade?
A meaningful dialogue cannot be achieved if each stakeholder clings to their own perspective, and insists on their security being paramount and everyone else’s security being secondary or even illegitimate. A particular concern during discussions has been the failure of the corporate and government participants to recognise the significance of the perspective of external users and usees. That stakeholder group lacks either institutional or market power, and its interests have suffered greatly during the period of national security extremism that has followed 9/11.
If the OECD’s revision of its Security Guidelines is to satisfy social as well as economic needs, it must:
- reflect the many alternative scope definitions applicable to security discussions
- recognise the complete set of stakeholders
- recognise the legitimacy of each of their perspectives
- ensure that each stakeholder group is empowered
Further, the process, and the product, need to respect the meta-principles of evaluation, consultation, transparency, justification, proportionality, mitigation, controls, and audit. Current negotiations around the world variously fail all eight meta-principles (e.g. the Trans-Pacific Partnership process), fall badly short on most of them (e.g. the Internet Governance processes within the International Telecommunication Union), and address all or at least most of them quite well (e.g. the Internet Governance Forum).
Where will the new OECD Security Guidelines lie on that scale? Will the OECD seek to sustain the dominance of governments and corporations over policy agendas, or will it point towards a better future in which the eight meta-principles are applied, and security’s many scope-definitions and stakeholder perspectives are reflected?
OECD (2002) ‘OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security’, Organisation for Economic Co-operation and Development, at http://www.oecd.org/dataoecd/16/22/15582260.pdf
Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in Cyberspace Law & Policy at the University of N.S.W., and a Visiting Professor in the Research School of Computer Science at the Australian National University. He is Secretary of the Internet Society of Australia (ISOC-AU), and Chair of the Australian Privacy Foundation (APF).