Newsletter Newsletter N°2:

Review of the OECD Security Guidelines: is the OECD Capable of Addressing Civil Society Concerns?

By Roger Clarke, Principal of Xamax Consultancy Pty Ltd, CSISAC member

The OECD is revisiting the Security Guidelines[1] that it first published over a decade ago. The Security Expert Group that is helping with the review of the Guidelines includes public interest advocates, coordinated through the Civil Society Information Society Advisory Council (CSISAC). Advocates have access to documents in advance, and at least some voice. On the other hand, physical participation in meetings is hampered by a lack of budget for the time and travel costs of the professionals who represent the interests of civil society.

To understand the OECD’s current security work, it is important to appreciate that many different scope definitions exist.  As explained in [2], security discussions can be carried on at the level of data, of an IT artefact, or of an organisation;  or they can take much broader views, including those of people affected by an IT artefact, industry sectors and segments (as occurs in discussions of critical information infrastructure), a local or national or regional economy, or a society – or indeed they can reflect the needs of the biosphere (thereby encompassing carbon markets and global warming).

The OECD’s 2002 Security Guidelines addressed only the lowest level of those alternative scope definitions. The revision is intended to have broader scope “by realigning their perspective and language with the high-level economic and social objectives pursued by governments, businesses and individuals in the development of cybersecurity policies”. But is the OECD moving far enough? Will its new approach have sufficient scope to serve the world’s needs for the next decade?

A meaningful dialogue cannot be achieved if each stakeholder clings to their own perspective, and insists on their security being paramount and everyone else’s security being secondary or even illegitimate. A particular concern during discussions has been the failure of the corporate and government participants to recognise the significance of the perspective of external users and usees. That stakeholder group lacks either institutional or market power, and its interests have suffered greatly during the period of national security extremism that has followed 9/11.

If the OECD’s revision of its Security Guidelines is to satisfy social as well as economic needs, it must:

  • reflect the many alternative scope definitions applicable to security discussions
  • recognise the complete set of stakeholders
  • recognise the legitimacy of each of their perspectives
  • ensure that each stakeholder group is empowered

Further, the process, and the product, need to respect the meta-principles of evaluation, consultation, transparency, justification, proportionality, mitigation, controls, and audit[3]. Current negotiations around the world variously fail all eight meta-principles (e.g. the Trans-Pacific Partnership process),  fall badly short on most of them (e.g. the Internet Governance processes within the International Telecommunication Union), and address all or at least most of them quite well (e.g. the Internet Governance Forum).

Where will the new OECD Security Guidelines lie on that scale? Will the OECD seek to sustain the dominance of governments and corporations over policy agendas, or will it point towards a better future in which the eight meta-principles are applied, and security’s many scope-definitions and stakeholder perspectives are reflected?

[1] OECD (2002) ‘OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security’ Organisation for Economic Co-operation and Development, at


[2] Clarke R. (2013) ‘Whose Security? The Politics of Alternative Scope Definitions’ Xamax Consultancy Pty Ltd, 2013, at

[3] APF (2013) ‘Meta-Principles for Privacy Protection’ Australian Privacy Foundation, April 2013, at



Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in Cyberspace Law & Policy at the University of N.S.W., and a Visiting Professor in the Research School of Computer Science at the Australian National University.  He is Secretary of the Internet Society of Australia (ISOC-AU), and Chair of the Australian Privacy Foundation (APF).


Newsletter Newsletter N°2:

ITAC Member Spotlight: InternetNZ

By Jordan Carter Chief Executive of InternetNZ

InternetNZ[1] is a membership based non-profit organisation with a number of roles: it manages the .nz ccTLD, it advocates for an open and uncapturable Internet in New Zealand and around the world; it provides a platform for debate where New Zealanders can help shape the Internet’s development, and it provides community funding through grants and partnerships with others.

Established in 1995, the organisation has several hundred members. The .nz ccTLD is managed through two subsidiary organisations: the Domain Name Commission (the regulator and policy agency), and NZ Registry Services (the registry and DNS operator).

A major focus for InternetNZ is policy and advocacy work. The work we do contributes to public policymaking and Internet Governance matters in New Zealand and through global forums such as ICANN and the IGF.

Our policy perspectives are founded on a desire to protect and promote the open Internet, and ensure it is not captured by any particular sector or economic interest. Policy principles[2], which were developed with reference to the OECD’s Principles for Internet Policy-Making, guide all our work. The transparency this provides is welcomed by our partners and those interested in our work.

Policy matters discussed in recent years include analysis of the economic benefits of the Internet; advocacy for transparency and intelligent IP law in ACTA and the Trans-Pacific Partnership; pro-consumer regulation of telecommunications infrastructure; support of IPv6 rollout in New Zealand.

In developing its views, InternetNZ includes major Internet stakeholders, and often brings together a wide range of interests to debate and develop positions on topical matters. We do this with our members, and more broadly through NetHui, New Zealand’s national Internet Governance Forum. InternetNZ organises the event and substantially funds it. Along with other subject specific workshops and events, this provides a way for the public to help shape the Internet’s development.

Through community funding initiatives – grants for Internet projects and research, and strategic partnerships for like-minded organisations (for example, the NZ Network Operators Group, or NetSafe), we support the development of the local Internet ecosystem.

By participating in ITAC, InternetNZ aims to contribute its wide range of perspectives and expertise in the work of the  Committee for Information, Computer and Communications Policy (ICCP), and contribute to the work of the OECD on Internet issues.

[2] Available at



Jordan Carter was appointed as Chief Executive of InternetNZ in August 2013. His background as an Internet policy expert was developed at InternetNZ in previous roles (most recently as Policy Director 2009-2011), and as a private consultant in Wellington New Zealand up until 2013. His main specialist expertise is in telecommunications regulation, while his focus at InternetNZ is understanding and sharing the gains the Internet can offer to the country’s and the world’s economic, social and cultural life.