The Cloud & Big Data Policy Challenges for Asia

Transcription

1 The Cloud & Big Data Policy Challenges for Asia May Conference Report Keio International Center for the Internet and Society Korea University Cyber Law Centre

2 KICIS Keio International Center for the Internet & Society Keio University S202 Delta Building, Shonan Fujisawa Campus 5322 Endo, Fujisawa City Kanagawa Prefecture Japan 2

3 The Keio International Center for the Internet and Society in collaboration with the Korea University Cyber Law Centre was pleased to welcome to Tokyo May 30-31, 2013 a distinguished group of government and private sector representatives and academics from around the region for a conference devoted to the exploring the challenges in Asia stemming from the emergence of two and new and disruptive technologies the Cloud and Big Data. Over the two-day session, the implications for privacy and security of these technologies and the policy responses of the Japanese and Korea governments were discussed in a number of highly interactive keynote presentations and panel discussions. The final session of the conference was devoted to examining how countries in the region were dealing with these issues and what opportunities existed for mutual learning and deeper collaboration. Summaries and findings from the conference are presented below. Our goal is to encourage further discussion and cooperation on these many concerns in an effort to build a body of best practices in the Asia region from which to encourage further innovation in technology and its applications to society. 3

4 Introducing the Cloud & Big Data Wide scale adoption of Cloud Computing coupled with the ability to aggregate and analyze huge amounts of previously unavailable data (Big Data) can lower costs and improve decision-making in many critical development sector such as health care, education, employment, economic productivity, public safety, and natural disaster and resource management. Yet there remain many legitimate concerns about the Cloud and Big Data, most notably in the privacy and security areas for businesses and consumers. which could further complicate long-standing challenges, including inadequate technological infrastructure and economic and human resource bottlenecks. Professor Jiro Kokuryo, Dean of the School of Policy Management at Keio University, delivered a keynote presentation entitled, Social Capitalism: A Connected Civilization. He began with the observation that we are moving from an anonymous mass market to a connected services economy with the advent of social networks that remember everything. The business model is changing from ownership to rights licensing and sharing. Fixed prices are giving way to a The nature of privacy is changing. dynamic peak sensitive model. In this new environment, the nature of privacy is changing with a public domain balanced by a strictly private domain and a new community domain, where selected information can be shared. More study needs to go as to the norms and kinds of interaction within this community domain along with consideration of how to create social platforms that can gain trust and provide incentives for collaboration. Symantec Korea CEO Kyung-Won Chong addressed the issues of security in the cloud and privacy in big data from the viewpoint of a private company offering security solutions to governments, enterprises and consumers. In his keynote, Chong introduced the new trends that are driving new concerns for security and 4

5 privacy: the proliferation of personal information on the Internet, increasing use of private devices within the workplace, the soon to be commonplace emergence of wearable computing, the advent of facial recognition, the growth of social curation services that personalize the web for individuals, the rapid growth of M to M communications (the Internet of Things), and the concomitant threat from cyber crime. Responding to these trends requires three levels of information protection: identity and access control (for inbound traffic), information security (for outbound traffic) and information management (for 360 degree visibility). Most importantly, there needs to be a single point of control for all applications and services, users and devices and for compliance purpose. Cloud security is based on painstaking information collection about potential threats and the delivery of realtime analysis. Thus, while big data presents security and privacy challenges, it also enables sophisticated analysis and response to threats. Symantec alone collates intelligence from its 135 million clients and tests the reliability of 3.6 million files and 100 million URLs and domains every six hours. Key Takeaways & Topics for Future Research Traditional market structures and practices are giving way to the emergence of a new space between the public and the private, where information is shared under defined conditions. Delineating and defending this space is a new focus for research. Success will require a 360 degree approach to the problem, i.e. the service provider and the consumer share a common interest with respect to privacy and security. The technologies, e.g. big data, that are driving these changes, can also help manage and solve privacy and security challenges. 5

6 Privacy, Cloud Computing There are both new and old privacy concerns associated with services and product offerings residing on the Cloud and employing Big Data. At issue is the distinction being made between big and personal data, the conditions under which these differently sourced data are used and mixed, and ultimately who owns the new product? How is the arrival of the Cloud and Big Data era changing the debate with regard to privacy in Japan and Korea? Is a common approach possible and/or desirable between Japan and Korea. Can they server as an example for others in Asia, given their position as the most technologically advanced countries in Asia with vibrant civil societies and respect for individual rights? What might be the key elements of such an approach? Keio University Professor Fumio Shimpo opened the session with a review of the current data protection system in Japan. He explained that discussions with regard to data protection began with the Administrative Agency Personal Protection Laws in the late 1980s, which applied only to information held by the government. In 2003, this arrangement was expanded to enterprise held data under the Act on the Protection of Personal Information. Since then privacy rules in Japan have evolved through guidelines developed by different government ministries and enforced in their sectors of responsibility. Unfortunately, this has resulted in a confusing and overlapping web of regulation covering areas from finance, land transport, education, health, and credit information. The government and private sector are currently seeking ways to address the challenge to provide more predictability and consistency in the application of the guidelines. Professor Nohyoung Park, Dean of the School of Law at Korea University, provided an overview of legal developments with respect to the transfer of data internationally. He cited data protection as one of the most developed areas of cloud regulation and noted that security and purpose limitation appeared to be the most common restrictions required in different jurisdictions. Enforcement, however, is another matter since data in many cases is always on the move. He suggested that a legal approach based on already existing understandings 6

7 of what outsourcing entails might be a fruitful approach. Less clear was how separate national approaches and disputes might be handled. Professor Park discussed what might be possible under the International Services Agreement now being negotiated at the WTO. Other models could be found in the language used in the Korea-US FTA and the Korea-EU FTA discussions. APEC also might provide a vehicle and a framework for data transfers within the Can the WTO provide a framework for securing the privacy of cross-border data transfers? through its Binding Corporate Rules (BCR) on data transfers. Asia Pacific region, specifically the Cross-Border Privacy Rules announced in November Professor Park observed that this could offer an opening to harmonize rules in Asia with those now being implemented in the EU SafeGov.org representative Jeff Gould focused on the privacy challenges presented by data mining, offering compelling evidence demonstrating how big data and big computing power make prediction and identification a surprisingly easy process. He used this analysis to pose the question of how can large amounts of data and the powerful analytic tools associated with them be safely managed when data mining is used for profit. This is a particularly important question in the context of young people and the schools, given the inroads that companies offering free services in return for access to information are making in education institutions. 7

8 Key Takeaways & Topics for Future Research Japan is currently considering the introduction of a data protection law, with a key consideration being how it is to be enforced. The US and the EU have significantly different approaches to data protection, but they both have created strong independent authorities that define and enforce privacy regulations in the case of the EU and voluntary multstakeholder codes of conduct in the US. To date, creating an independent enforcement mechanism has proven difficult in Japan. The lack of a central authority and an established dispute settlement mechanism has hindered international cooperation on privacy for Japan. A question deserving further research is whether privacy might be treated as a trade issue under the WTO or does it require a different institutional setting and process? The challenge of privacy needs to be addressed urgently in the light of the rapid growth of the technology and its penetration into all aspects of our lives, including the education of our children. Research is showing that consumers are increasingly concerned about the exploitation of their personal privacy for commercial reasons. Since trust is the glue that holds together the Internet, this concern is fundamental to its future. 8

9 9

10 Japan & Korea: Government Perspectives The Cloud does not respect borders. Data sharing between countries can be an important catalyst for economic growth and greater economic interdependence, but it can also cause tensions if managed poorly. What are the points of convergence and difference in the government policies toward the promotion of the Cloud and Big Data in Japan and Korea? Is there an opportunity for greater cross-border cooperation and, if so, how might it be structured? Japan MIC Information and Communications Deputy Director General Yasuhiko Taniwaki began his keynote presentation by outlining Japan s steady decline in the competitiveness of its ICT sector over the past ten years. He explained this with reference to the change from a device centered market, where Japan excelled, to a service centered market where Japan faced strong external competition. Another important change was the emergence of the user community, which added a further layer of complexity to the traditional four-layer model of ICT service delivery (infrastructure, network, platform, and applications/content). In this schema, data has been transformed into a service and that recognition is driving the need to make more government data accessible for secondary usage. Data has been transformed into a service, which is driving the need to make more government data accessible for secondary usage. This makes it all the more important that the Japanese government carry out its plans to successfully introduce a national ID system by 2016 and to give the newly appointed CIO the mandate to develop a national ICT plan. Japan must also estab- 10

11 lish a workable privacy framework, based on a privacy commission with a legal mandate rather than relying on privately administered codes of conduct. Steps also are required to train the next generation of software engineers and to find ways to encourage more innovation and risk taking. Finally, a growing portion of Japan s future ICT investment will be going to cope with its aging population and to develop a more efficient healthcare system. Korean MSIP Director General of Convergence Policy Seong Ju Kang declared in his keynote remarks that the Internet is the path to Korea s future growth. Government policy is to lay the basis for a creative economy through a partnership with the private sector, focused on promoting new ventures, streamlining laws and regulations and developing a creative economy index. Key elements include: 1. The education of talent in critical areas and government support for the commercialization of new ideas 2. The promotion of government and private investment in R&D, with the goal of making software a core component of the Korean economy 3. Achieving 90% penetration of one-gigabit network service by Securing Korean leadership in global Internet governance 5. Targeting global markets for exports and investment 6. Greater use of ICT in addressing social issues from aging to food safety 7. Creating a safe online environment and strengthening Korea s cyber security industry. 11

12 Key Takeaways & Topics for Future Research Professor Kilnam Chon, who moderated the session, challenged the speakers and the audience with his remark that Asia now represents the majority of Internet users it is time for us to tell the world where we want to go. In this context, the two presentations were excellent snapshots of where the Japanese and Korean governments are going in terms of developing their ICT strategies and industry. Japan still faces the need for significant institutional development to strengthen its regulatory framework in the ICT area and to develop strong central direction over its ICT policies. Korea has completed much of this reform, with the recent creation of the Ministry for Science, ICT and Future Planning (MSIP) and with the adoption of a strong privacy framework. Korea s focus is therefore appropriately on next tier issues, such as promotion of the software industry and developing a stronger voice on international Internet governance concerns. The Korean government s commitment to 90% penetration of one-gigabit internet service by 2017 is symbolic of its determination to nurture a strong Internet economy domestically. 12

13 13

14 Security, Cloud Computing, There is a major shift underway in how organizations use and share data that will require new approaches to security while distinguishing and continuing to address existing issues for enterprises and consumers. The scale of operations and the remote access that the Cloud makes possible are also its greatest vulnerabilities. What are the threats and what are the tools we need to manage and ultimately defeat them? What is the situation in Japan and Korea? What best practices might be shared? Is there a need for greater cooperation and information sharing between the private sectors of the two countries perhaps in conjunction with US partners? Keio University Professor Motohiro Tsuchiya gave a comprehensive overview of the security challenges in the era of big data in many ways foreshadowing the revelations that came the following week with news of the US National Security Agency PRISM program. Professor Tsuchiya provocatively asked which agency in the Japanese government is the counterpart for the NSA and whether Japan is prepared to deal with the increasing vulnerability of its cyber space to a potential attack. He urged scholars to join governments and industry in building a legal framework for dealing with this new international commons. Korea University Professor Jae Chul Suh, who is on-leave from the Korea Internet and Security Agency, provided a brief on how Korea perceives the increasingly threatening cyber security environment, particularly in the wake of the attack (likely from North Korea) on Seoul s banking system and broadcast companies. He described the trend of cyber attacks globally, which appear to be moving from simple monetary scams and amateur hacking to large-scale, systematic attacks supporting terrorism and targeting national infrastructure. He noted that Korea is the number one target for malicious code attacks and that these increased 400 percent from 2011 to The trend of cyber attacks appear to be moving from simple monetary scams and amateur hacking to large-scale, systematic attacks supporting terrorism and targeting national infrastructure. 14

15 Dr. Suh also outlined the details of the March 20, 2013 cyber-attack and the countermeasures taken by the Korean government, including issuance of a nationwide alert, analysis of the malicious code, creation and delivery of a vaccine to affected users, intensive monitoring to prevent follow up attacks, and increased efforts to engage and educate users. On lessons learned, he listed the need for greater investment in cyber security, including personnel and technology; the development of in depth defense (firewalls, keyboard security and vaccine development capability), the requirement for continued monitoring and vigilance, including audits and regular drills; and greater education and awareness of the threat. Korea is the number one target for malicious code attacks, increasing 400% from 2011 to 2102 Dr. Reiko Kondo from the Japan National Information Security Center (NISC) gave a comprehensive overview of Japanese cyber security history and policy. She described the pillars of information security as confidentiality, integrity, and availability and said that these elements are also relevant when big data security is discussed. She also outlined the increasing scale of attacks that Japan has experienced in recent years, including the 2010 DDOS on Japanese government agencies, the 2011 leak of 77 million customer identities resulting from an attack on the Sony Corporation, and the 2012 virus attacks at the Japan Aerospace Exploration Agency (JAXA) and Mitsubishi Heavy Industries. Dr. Kondo explained that information security and privacy are as much concerns for big data as they are for currently existing services. She further warned that these risks are magnified in a cloud computing environment with its remote processing. Dr. Kondo concluded that the Japanese government has established guidelines for cloud computing and that this effort will continue with attention paid to the need for international harmonization. 15

16 Key Takeaways & Topics for Future Research The speakers were unanimous in highlighting the increasingly problematic environment with respect to cyber security and the mounting urgency of the threat. These issues will only grow in the new era of cloud computing and big data. Both governments appear to be taking the right steps from a technical and organizational standpoint and in promoting public education awareness. There also is recognition that international cooperation and harmonization is essential no country can manage this threat alone. One goal for this conference was to increase dialogue on security between professionals in the field and academic experts. Clearly, the exchange of information needs to be continued and deepened. One issue that requires follow up is where the appropriate points of contact are within and without the two governments on cyber security so that counterpart relationships can be identified and secure channels for the exchange of information created. US cooperation with its European allies through NATO may offer some instructive examples for Asia and should be a topic for future research and discussion. 16

17 17

18 The Cloud & Big Data in Asia Currently, a broad discussion on the implications of these new technologies and services is occurring within APEC and ASEAN, as well as in bilateral contexts. Yet progress is slowed by the diversity of economic and political systems in the Asian region. What mechanisms and tools are available to foster greater collaboration within Asia? Is there an opportunity or risk - for an emerging Asian consensus that will differ in some respects from that in the US and Europe or will the region follow trends and policies established elsewhere? Professor Jun Murai, the Dean of the Faculty of Environment and Information Studies at Keio University and the father of Japan s Internet, began his keynote address by outlining the value proposition of the cloud and citing numerous practical examples where its deployment in Japan has saved money, time and, in the case of the 2011 earthquake/tsunami lives. Professor Murai headed the advisory committee that developed the just released draft recommendations outlining new directions for Japan s ICT policy. The plan has the twin goals of recovery from the devastation of the 2011 natural disaster and of the forging of a world class IT society in Japan focused on innovation, emergency planning and delivering public Cloud deployment in Japan has saved money, time and, in the case of the 2011 earthquake/tsunami lives. services using IT. Professor Murai provided a list of practical initiatives that Japan will be undertaking: the promotion of big data, development and delivery of new content online, deployment of IT in local governments, support for Japanese agriculture, new tools for energy management, teleworking, cloud-first e-government and enhanced government-wide IT planning. Supporting these initiatives will be longer term efforts to support human resource development in the IT field, attention to cyber security challenges, investment in research and development, the creation of an index rating system for Asia to benchmark progress and the development of an internationally harmonized privacy framework. 18

19 Professor Abu Bakar Munir from the University of Malaya highlighted the recent surge of policy attention to the issue of privacy in Asia, with China, India, Indonesia, Thailand, Taiwan, Korea, the Philippines, Hong Kong, Singapore and Australia all introducing variants of privacy legislation. His presentation featured an original chart comparing the privacy regimes of Korea, Malaysia, Taiwan, Singapore and the Philippines across 18 dimensions. No one country has developed a framework addressing all privacy concerns and time did not No country in Asia has developed a framework addressing all privacy concerns permit a full elaboration of each point, but this chart (which is available on the website as part of this presentation) offered a thought-provoking roadmap for discussion and research. Professor Hong Xue from Beijing Normal University in China provided an overview of cloud computing and the legislation of privacy in China. Despite significant differences in political and economic systems, many of the issues in China proved to be quite similar to those experienced elsewhere, e.g. the recent adoption of new regulations governing the collection and use of personal data and new ministerial guidelines for commercial transactions on the Internet. Professor Xue reported that there is interest in China in supporting a harmonized Asian framework for facilitating crossborder data flows, although there remain domestic restrictions with regard to server location. Professor Edmon Makarim from the University of Indonesia introduced in his presentation the competing concepts of privacy and security in Indonesia, beginning with how these issues are referenced in Indonesia s constitution. He highlighted the tensions between these principles in practice, especially in establishing a balance between the privacy of the individual and the security interests of the state. He stressed political culture as an intermediating variable Despite significant differences in political and economic systems, many of the issues in China have proven to be quite similar to those experienced elsewhere and discussed the differing foundations of the OECD Privacy Guidelines and the APEC Privacy Framework. Overall, his presentation underscored the diversity within Asia and the a priori need to develop common definitions as a first step in developing a pan Asia privacy and security framework. Professor Youn Jung Park from SUNY Korea started her presentation with a set of practical questions, asking who owns cloud data and who is in a position to set guidelines for cloud computing. She noted that the answer may depend on where the data is located and that a number of countries, Germany and Canada among them, have passed laws restricting 19

20 their corporations from storing data outside the country. One reason for this is the lack of common, interoperable standards, which that makes it difficult for consumers to move data from one cloud provider to another. This is especially true in Asia where regional cooperation through the Asia Pacific Privacy Authorities (APPA), APEC and ASEAN is still in its initial stages. Korea has been a pathfinder in this area. Since 2009, Korea has been working on a legal framework for cloud computing. A draft of the new legislation became available in May and it will be presented to the Assembly in September This national initiative could be both a spur and an obstacle to the larger global conversation on cloud computing that has been taking place in the IGF, the ITU and ICANN but a resolution is still far off. The lack of common, interoperable standards in Asia makes it difficult for consumers to move data from one cloud provider to another Key Takeaways & Topics for Future Research There is a yet no consensus in dealing with the privacy issues associated with the cloud and big data, despite the recent spurt of legislation in a number of key Asian countries. Differing political cultures, political systems and histories are important intervening variables. A possible next step is for Asian nations to develop an agreed set of indices that could support common perspectives in addressing issues related to Internet policy. Universities in Asia can play a potentially catalytic role in supporting efforts of governments and the private sector to nurture a common framework for the cloud and its companion, big data, in the Asia region. 20

21 KICIS Keio International Center for the Internet & Society Keio University S202 Delta Building, Shonan Fujisawa Campus 5322 Endo, Fujisawa City Kanagawa Prefecture Japan 21