2014 Asia Forum on Cyber Security and Privacy – Sharing Challenges, Strategies, and Best Practices

On May 30, the 2014 Asia Forum on Cyber Security and Privacy met in Seoul to address challenges and progress in data protection, cybersecurity, and Internet governance. The third annual international meeting saw participants from major Asian economies including Japan, Korea, Australia, and Malaysia highlight progress made from last year’s summit in Tokyo, and identify new challenges that government, business, and academia must address.

This year’s summit made clear that cybersecurity, data breaches, and “Big Data” technologies, are recognized as significant governance issues by the public and private sectors alike—putting pressure on policy makers to ensure continued innovation, while balancing the individual and national needs unique to each country. Korea and Japan have both demonstrated significant progress in guarding against and responding to mounting cyber-attacks on infrastructure and in dealing with large-scale data breaches. Yet the Asia region as a whole lacks a broad policy consensus on these concerns making it difficult to keep pace with the breakneck pace of technological development.

Personal Data: Overzealous Regulation Threatens the Internet Economy & Innovation

IMG_0643In his welcoming remarks, Ha-Kyung Jeong’s (Korea Personal Information Protection Commission) was unequivocal in declaring that the right to personal information has clearly evolved into the right to personal information self-determination. He argued that security and information protection go hand in hand and that discussions on potential solutions have only just begun.

This year’s forum saw significant exchanges among the Korean and Japanese participants on data leakages and privacy—despite disparate definitions of what this entailed in their respective legal systems. The threat of data loss has emerged as a significant issue in the time since last year’s discussion on Big Data and its potential for innovation and market creation. With over 130 million confirmed incidents of data leakage reported by the Korean National Police Agency in the four years between 2009 and 2013, the expanding risks of data leakage have raised significant policy questions for governments and is of concern to the private sector, which now may face significant civil and criminal penalties for failing to adequately protect personal information in Korea and potentially Japan.

Discussions on potential solutions have only just begun

The regulatory framework in Korea has recently undergone significant changes, including a requirement for mandatory disclosure of data breach incidents and the introduction of penalties as high as three percent of revenues and a suspension of operation in cases of negligence by the data controller.  There are worries that such actions could damage the Internet Economy, although Dr. Abu Bakar Munir (University of Malaya) observed from his experience that absent these pressures businesses have been reluctant to invest the money necessary to support an effective privacy framework, including the naming of a Chief Privacy Officer.

In his discussion, Professor Graham Greenleaf (University of New South Wales) noted the rapid of data privacy laws in Asia over the past several years and said that these laws were generally consistent with the European model of “minimal” collection and of placing limits on length of storage. Even so, Asia’s data protection laws lag behind emerging international standards.

Meanwhile, Japan’s privacy law is set to undergo major revisions designed to promote the use and flow of personal data while maintaining high standards of protection.  Professor Fumio Shimpo (Keio University) forecast that the revision to Japan’s personal data law will be focused on harmonizing Japan’s policies with international practices with the goal of promoting international cross-border data flow.   Key to the success of this reform will be steps to create a truly independent privacy authority that can break through the traditional sectionalism and completion among the Japanese ministries.

Asia’s data protection laws lag behind emerging international standards.

The message from the first session was clear:  a government emphasis on criminalizing privacy endangers innovation and growth. Data protection laws need to strike a balance between innovation and protecting individual privacy. Governments and businesses must work together to create an environment that protects data privacy but allows for the sharing of information.

Cyber Security is National Security

The 2014 Forum highlighted a growing understanding (made evident from continuing cyber-attacks and the Snowden revelations) that cyber security is a fundamental part of national security. While “Big Data” harbors enormous potential benefits, the explosion of mobile and soon networked embeddable devices will also lead to the “Internet of Things” creating new platforms for cybercrime and cyber terrorism.

IMG_0673In this segment, Korean and Japanese government officials discussed strategies and progress in combatting this threat, highlighting significant developments in both countries with respect to risk management and recovery strategies. Dr. Reiko Kondo (Counselor, Japan National Information Security Center) explained how Japan’s cybersecurity strategy is working to strengthen coordination among the ministries and to build human and technological capacity in dealing with the threat. She stressed Japan’s commitment to open disclosure of data breaches and commitment to international standards with regard to regulations in the cybersecurity area.

Korea’s cybersecurity efforts have been largely driven by the ever present danger of attacks on critical infrastructure originating in North Korea and China. As such, the establishment of the Committee on Information Infrastructure Protection (CIIP) has been tasked with working with private sector groups to develop a common national approach, but significant collaboration to date has been limited.

The Korean government has identified a number of key economic sectors for special attention following a recent general assessment of the threat and domestic protection and response capabilities.  In his remarks, Jinbae Hong (Director, Korean Ministry of Science, ICT, and Future Planning) stressed the need for greater attention to the supply chain and acknowledged that there are many critical areas of vulnerability. He called for renewed efforts with particular attention to human capacity building and greater private sector investment.

Korea’s cybersecurity efforts have been largely driven by the ever present danger of attacks on critical infrastructure originating in North Korea and China

The lack of private sector investment and a government emphasis on penalizing the private sector rather than cooperating with them on capacity building has slowed the Korean response to the cyber threat in the view of Korea Telecom’s Hokun Moon.  Moon called for the establishment of a new “security culture” in Korea, where security officers are given the resources and the authority to take the measures required to protect business continuity.

Moon urged that the Korean government be a partner of business in protecting the nation’s cybersecurity not an adversary focused on assessing blame.  He noted that the technology to protect business and the nation is available – what is needed is forward looking government policies and an emphasis on developing technical and managerial human resources in the cybersecurity field.

Training a New Generation of Cybersecurity Experts

IMG_0720The increasing frequency of cyber-attacks has underscored the need for training and a new commitment by universities to develop the next generation of cybersecurity experts. Professor Kyung Ho Lee (Korea University) outlined how the current majority of “cyber defense experts” in Korea are either in the military or are contractors. There is a lack of specialized expertise and general understanding of the threat at management levels.  He said that more attention to the cyber threat in secondary and university education was critical.

IMG_0722

Professor Lee’s focused on how Korean universities have launched a number of innovative courses directed to the top five percent of high school graduates, offering basic training in cybersecurity with significant funding from the government.   The hope is that this program will promote a new cybersecurity culture in government and the private sector as these graduates move into the working world.

Wan S. Yi (Vice President, Korea Internet & Security Agency) echoed the arguments made byProfessor Lee and emphasized that training is at the center of the Korean government’s response to the cyber threat.  He outlined a number of current programs that focus on providing Korean government officials with training in cybersecurity awareness and strategies.   He argued that the government must be a model for the private sector and a leader in strengthening cyber capacity more generally in the Asia region.

Assessment

This is third international meeting of the Asian Forum since its launch in November 2012.  The results underscore the importance of dialogue among the academic communities and equally the government and private sectors of the two countries with respect to cyber security and privacy. Japan is currently in the midst of revising its privacy framework and there is much to learn from the Korean experience with its new law. Korea also has much to offer Japan in terms of how to prepare and respond to major data breaches. Similarly, Korean efforts to train a new generation of cybersecurity experts skilled in dealing with present and future threats to the integrity of the Internet bears watching and imitation by Japan.

The Asia Forum will convene again next year, both in a bilateral exchange between Korean and Japanese scholars, and in an international context. In the meantime, both sides are committed to promoting less formal exchange with a number of Korean academics expected to travel to Tokyo in July to attend a conference on revision to Japan’s privacy law.