Report : 2015 Asia Forum – Cybersecurity Standards for the Cloud in the Asia Pacific Region

The importance of the Internet in supporting cross-border data and trade flows in Asia is widely recognized. This trend has been further accelerated by the emergence of new technologies such as cloud computing, big data and the Internet of Things. These data and trade flows, however, are increasingly under threat from the growing problems of cybercrime, cyber terrorism and unilateral national assertions of cyber sovereignty. The response to this challenge has generally come through a patchwork of national cybersecurity strategies and rules that themselves present a problem for the flow of data and commerce in the region. International standards bodies and regional groupings (such as APEC) are attempting to develop a coherent regional framework that can balance the conflicting needs of protecting and sharing information across borders.

The 2015 Asia Forum took place on June 12 on the Mita Campus of Keio University and brought together academic, government and business experts from Japan, Korea, China, Australia and Singapore to share their respective national strategies for dealing with cybersecurity threats and to identify related obstacles to the cross-border flow of data in the region. The final session assessed the prospects for stronger regional cooperation on cybersecurity, including with China.

This was the fourth meeting of the Asia Forum since its launch in 2012 in Seoul, Korea. The Asia Forum is a collaborative project between Keio University and Korea University, sponsored by a generous grant from the Microsoft Corporation.

Keynote Addresses

The Forum was kicked off by twin keynote addresses from William Saito, Cybersecurity Advisor to the Cabinet Office of Japan, and his counterpart in Korea, Dr. Jong In Lim, Cybersecurity Advisor to the President.

Saito outlined how the Japanese government has been working to elaborate a cybersecurity management framework, based on the recognition that economic growth and cybersecurity are closely interrelated. He said that building cybersecurity human and engineering capacity was an essential first step. He also emphasized that cybersecurity at its roots is less an IT problem than a management issue. Saito argued that Japanese companies in particular have to develop a stronger prevention and deterrence mindset with regard to cybersecurity.

Dr. Lim stressed in his remarks the importance of international cooperation in fighting cybercrime and terrorism, but underscored that jurisdictional and technical issues make this cooperation difficult.

He noted that Korea has been plagued by major cyber incidents almost every year since 2003. Many of these attacks appeared to originate in China, although North Korea was likely behind them. Most worrisome was the December 2014 “hack” of South Korea's nuclear power plant operator.

Dr. Lim related that this attack, coupled with the now infamous Sony Pictures breach, prompted a major reorganization of the national security function in Korea to deal with cyber threats. Internationally, he said that strengthening the role of the applicable United Nations agencies and developing an agreed framework for global cyber norms is an urgent task. He urged expanded efforts to secure state ratification of the Budapest Convention on Cybercrime, which as of June 2015 had been ratified by only 46 states.

Session One: National Cloud Strategies in the Asia Pacific Region

The first panel was chaired by Keio University Professor Motohiro Tsuchiya and featured presentations by Dr. Hing Yan Lee, Director of Singapore's National Cloud Computing Office, Dr. Jonghyun Baek from the Korea Internet & Security Agency (KISA), Kenji Kamitsubo from METI's IT Security Office, and Professor Shen Yi of Fudan University. The panelists discussed contrasting government approaches to managing the cyber threat posed to cloud computing: Singapore developing its own standards framework, Korea adopting new legislation, and Japan establishing “guidelines” for industry.

Dr. Hing Yan Lee introduced Singapore's Multi-Tier Cloud Security (MTCS) standard, adopted in 2013. He described the process of building this new standards framework on the basis of ISO/IEC 27001 and discussed how provisions for specific industries, such as financial services and healthcare, were incorporated into the Singapore scheme. He explained that the new standard was developed in close consultation with the business community and reflects Singapore's ambition to attract new industry and become a cloud computing and data center hub for the region.

Dr. Jonghyun Baek described a similar effort in Korea to provide a framework for cloud computing security, but one that took a different path. In March of this year, Korea adopted the Act on the Development of Cloud Computing and Protection of Its Users, described as the first such legislation adopted anywhere. Provisions in the new law include government investment in research and pilot projects, support for small businesses locally and for Korean companies offering cloud services globally, and promotion of quick uptake of the cloud for government services. Of special note are Article 23, which sets standards for service quality and performance, protection of information, and notification of security incidents, and Articles 27 and 28, which set rules for the repurposing of information and for corporate liability.

Kenji Kamitsubo from METI outlined Japan's administrative, guideline-based approach to cybersecurity regulation. He described the METI Cloud Security Guideline released in 2011 and based on ISO/IEC 27002.

The guideline contains implementation guidance for both users and service providers, including steps to assure the complete deletion of information that is no longer needed. A new set of guidelines promulgated in March 2014 focused on incident response procedures, clarifying arrangements for backup and requirements for redundancy and resource management. More recently, METI has provided additional guidelines, including the establishment of outside auditing procedures.

Professor Shen Yi began his presentation by noting that cybersecurity in China is closely associated with national security. Nonetheless, this mindset is changing, prompted by the transition of the administration of domain name services from the United States to “international” oversight, which may offer opportunities for new kinds of cooperation on cyberspace. He summed up the approach that China is taking internationally as “C4.” The acronym stands for confidence building, capacity building, strengthened coordination, and a code of conduct. In his view, it is important that “geographic” representation on Internet governance bodies such as ICANN be improved and that collective efforts to “contain and monitor” cyberattacks be extended.

In the panel discussion following the presentations, Professor Tsuchiya posed two key questions to the participants: what are the biggest obstacles to the further development of cloud services in your country, and what national limits exist on the kinds of data that can be sent or stored abroad? The answers reflected the divergent perspectives on, and varying levels of development of, cloud services in the four countries.

For Japan, the biggest obstacle is the slow uptake of new technology by government and the corporate sector despite the existence of first-rate infrastructure. Korea remains focused on the twin issues of privacy and security of cloud systems – driven by a history of massive security breaches. Singapore remains focused on getting vendors to work with small business and the consequent need for a flexible tiered approach to cybersecurity. In China, the emphasis is on levels of technological and economic development as well as government control of the Internet.

On the second question: for Japan, there are currently no legal prohibitions on locating data abroad, although this may change with the implementation of the new revisions to the Act on the Protection of Personal Information. Korea appears to be in the same position, but this too could change. Meanwhile, Singapore has restrictions in the healthcare and financial services areas, and in China the transfer of government-related data is strictly controlled.

Key Takeaways

  • There is no one model in Asia for guarding cybersecurity. Standards are desirable, but applied too rigidly could threaten innovation and growth.
  • Singapore’s multi-tier approach offers both flexibility and security and regulators in formulating the MTCS drew on the expertise of the business community in the region.
  • Korea’s legislative and Japan’s administrative approaches to the implementation of national rules and guidelines assign a larger role to the government in managing cybersecurity challenges.
  • China appears to be increasingly aware of the international dimension to cybersecurity, although it still considers cybersecurity fundamentally a national security concern.

Session Two:  Promoting Cross Border Data Flows in Asia

This panel was moderated by Korea University Professor Nohyoung Park and featured Satoru Yamasaki (Kokugakuin University), chair of ISO/IEC JTC 1/SC 27/WG 1. He was joined by Toshinori Kajiura from Hitachi, who is co-chair of the Japan-US Internet Economy Industry Forum and chair of the cybersecurity subcommittee at Keidanren, and Youn Jung Park, a professor at SUNY and chair of the Korea Internet Society.

Professor Park opened the session by reminding everyone that data has now joined goods, capital, services and people as one of the building blocks of a modern economy. He said that finding ways to better promote the free flow of data in Asia is the key to future innovation and growth in the region, and that security is an important part of this. He noted that work on international standards for data security is currently supplemented by the EU Binding Corporate Rules and the APEC Cross Border Privacy Rules, as well as by diverse national standards and regulations.

Professor Yamasaki presently chairs the international working group that is finalizing the text of the cloud security control standard ISO/IEC 27017, which is expected to be published in January. His presentation provided a detailed overview of the current work and discussions within the working group. The standard builds on ISO/IEC 27002, which specifies general security controls, and adds guidance specific to cloud services. Much of its new content comes from the Japanese METI guidelines issued in 2011.

Basically, the new standard will provide guidance to the cloud service customer on how to evaluate the security framework of potential vendors. At this point, it does not cover developers, auditors or brokers, but it will nonetheless be a major step forward in providing a common set of benchmarks for cloud services and in increasing customer confidence in the reliability and trustworthiness of service providers.

Dr. Kajiura observed that cybersecurity continues to gain in importance as the scale of computing increases. We are now contending with the enormous amounts of personal data created by the explosive growth of social media, but this will soon be overtaken by the Internet of Things, as machines create and use data with little or no human intervention. Cross-border data flows are an essential part of this emerging reality.

In this context, Dr. Kajiura observed that data localization and other measures to restrict the flow of data are matters of great concern to the Japanese business community. He noted that Japanese business had played an active role in the ITU Plenipotentiary Conference in October 2014 and that it expects to be active in the decisions related to the IANA stewardship transition. Keidanren is on record as calling for more information sharing with the business community on the cyber threat, and it supports government investment in new technologies and human resources to better protect the flow of data into and out of Japan. He called for the US and Japan to play a leading role in building awareness and cooperation in Asia on cyber concerns.

Professor Youn Jung Park began her presentation by observing that cybersecurity may be looked upon as an economic issue in forums such as APEC and the OECD, but the problem also touches on basic human rights. She noted that solving this challenge requires a better understanding of who the stakeholders are. Several organizations are engaged with cyber issues, including the OSCE, NATO, the IETF and the UNHCR. The problem for the Asia region is that Asian representatives are not actively involved in many of these organizations. While Asian governments may be present, the corresponding representatives of civil society and academia do not have the resources needed to be players.

Professor Park also addressed the question of how international standards developed in the ISO context can be diffused throughout the region. The issue essentially comes down to whether national governments such as those of Japan and Korea are ready to create a certification and accreditation process within their national systems. She expressed interest in the emergence of more independent “think tanks” in Asia as a means for civil society to engage with government and business as equals in the policy process, especially as such groups continue to address the lack of credibility they have within the region.

Key Takeaways

  • Data is now recognized as a building block of a modern economy. Promoting the free flow of data needs to have equal priority with the national security and law enforcement concerns of cybersecurity.
  • International standards bodies have a critical role to play in countering the cyber threat through their ongoing work to codify a common set of benchmarks for evaluating cloud services.
  • Governments need to invest more in cyber technologies and training human resources to counter the threat and support a trustworthy framework for sharing information on the threat with business and users.
  • If Asia is to have a larger voice in the global effort against cyber threat, attention must go to strengthening the capacity of civil society in the region to join constructively in the discussion.

Session Three:  Building Security in an Asian Regional Cloud Network

Session Three was moderated by KICIS Executive Director Jim Foster and included Malcolm Crompton from Information Integrity Solutions, Ryuichi Hirano from Japan's National center of Incident readiness and Strategy for Cybersecurity (NISC), Jin Kyu Lee of the NAVER Corporation, and Sang Beom Ham of Microsoft Korea. Professor Shen Yi was also asked to join this discussion to follow up on his comments in Session One regarding the role of China in the region in resolving cybersecurity concerns.

Malcolm Crompton, a former privacy commissioner of Australia, opened the session by stating that simply “stopping” a problem is not sufficient; one needs to find ways to create “benefits.” Cybersecurity requires an understanding of what the problem is and some agreement on the need to solve it. He used the APEC work on privacy as an example of how an approach to dealing with cybersecurity might be developed. Crompton argued that the timing for action appears to be right, as work on ISO/IEC 27017 is nearly complete.

What is needed is a core group to drive solutions, and for governments to recognize this as a priority. He concluded that, just as in the environmental area, government actions based on solid evidence and science can successfully address the issues of Internet security.

Ryuichi Hirano began his presentation by outlining the new authorities and functions of the NISC office in Japan: specifically, coordinating cybersecurity policies within government and coordinating the protection of public and private critical infrastructure. He indicated that the Japanese government recognizes the importance of cloud computing for growth and innovation and understands its dependence on the free flow of information. For this reason, Japan is investing in strengthening regional cybersecurity. Since 2009, Japanese and ASEAN representatives have met annually to discuss measures to strengthen technical capacity in the region and to conduct joint cyber exercises. Hirano pointed out that one practical output of this cooperation has been the development of critical infrastructure protection guidelines, which were adopted at the seventh Japan-ASEAN meeting in Tokyo in 2014.

Jin Kyu Lee, who is responsible for privacy issues at NAVER in Korea, made the point that cloud computing is enabling companies to be all things to all users, citing the example of Amazon’s recent decision to offer email services. He observed that the Korean government has recently passed a new law to regulate cloud computing, and worried that this might introduce government oversight into all aspects of business online as the “cloud” replaces the formerly open Internet. He said that to safeguard data and operations in the cloud while keeping government regulation to a minimum, a certain number of agreed standards are needed.

These include an authentication standard for accessing the cloud, and an overseas data transfer standard for providing a clear statement of responsibilities for the safekeeping of data. He added that government transparency in its regulation of the cloud is also essential, noting a recent increase in Korean government demands for access to user information from service providers for reasons of national security and law enforcement.

Sang Beom Ham from Microsoft Korea noted how the elasticity and scalability of cloud computing are transforming business. For cloud computing to grow, issues related to interoperability, portability and security need to be solved. He pointed out that widely agreed standards, such as ISO/IEC 27018 (protection of personal data in public clouds), offer a way forward for strengthening user trust and moving companies to the right level of compliance.

Professor Shen Yi of Fudan University stated that China is concerned about the problem of cybersecurity in the region and that it is looking to build “mature channels of communication” to exchange information. In this regard, China is interested in closer dialogue and cooperation with Korea and Japan on cybersecurity and in participating more actively in regional Internet governance organizations such as the IETF and ISOC. On the other hand, China does have a clear “red line.” Cybersecurity is an important element of China’s national security; in that sense the “Great Firewall” can be thought of as part of a national cyber defense system. Professor Shen said that the path to improved dialogue with China on cybersecurity is strengthened engagement with China by Asian regional actors. He argued that this was the path to “changing minds” domestically in China and to taking cybersecurity out of the current “zero-sum” discussion that China has with the United States in the cyber policy area.

Professor Foster thanked the panelists for their presentations and asked if the group agreed that further development and adoption of international standards are the answer to the problem of cybersecurity in Asia.

Malcolm Crompton answered that the standards bodies need to continue their work, but that it is now incumbent on governments to codify these standards in law so that it is clear to companies and users what the rules are and what the consequences are for ignoring them. Ryuichi Hirano noted that countries are emphasizing different aspects of the cybersecurity issue, which has made dialogue and agreement difficult. He said that Asian nations need to step up to the challenges and play a larger role in the setting of global standards. Jin Kyu Lee was cautious about standards, noting that they can raise costs for small business and slow innovation. Sang Beom Ham was more open to the role of standards in creating a favorable environment for business. Professor Shen Yi reported that standards do have an impact on Chinese law, in the sense that standards sometimes serve as the “final word” among contending groups within the domestic political process. In general, he explained, the foreign and commercial ministries within the Chinese government favor internationally based standards, but the technical ministries and many state-owned enterprises tend to be more nationalistic and in favor of protecting domestic economic interests.

Key Takeaways

  • We may have arrived at the moment for concerted regional action on cybersecurity. ISO/IEC 27017 is nearly complete and may open the door to a broader dialogue.
  • Japan-ASEAN discussions on cybersecurity issues since 2009 can offer a useful model for building a regional “consensus” on common challenges, such as the protection of critical infrastructure.
  • In developing new cybersecurity measures, the costs of compliance for business need careful attention. Government enforcement of rules in the cyber area needs to be transparent and must not discriminate between service suppliers within and outside national jurisdictions.
  • China has to be part of any solution to cybersecurity issues in the region and efforts need to go to developing “mature channels of communication” with the world’s largest Internet Economy.

Wrap-Up Session: What is the Way Forward in the Asia-Pacific?

Korea University Professor Kyung Ho Lee, Keio University Professor Fumio Shimpo, and Microsoft Asia Internet Policy Director John Galligan helped to close the conference on a positive note by offering concluding thoughts on the way forward in creating a regional approach to the problem of cybersecurity.

Professor Kyung Ho Lee endorsed Fudan University Professor Shen Yi’s concept of a “C4” framework for bringing disparate national policies into closer alignment. On the question of how to better promote and protect cross-border data flows, he called for better risk analysis and management rather than prescriptive government regulation, and stressed the need for capacity building among civil society so that risks are better understood by users.

He concluded that the region needs a multifaceted approach to cooperation on cybersecurity, including a mixture of shared norms, agreed standards, government regulation and reliance on markets.

Professor Shimpo said the discussions at the conference highlighted the continuing need for an evidence-based approach to cybersecurity policy, focusing on three dimensions: in what areas are new rules needed; what are the costs and benefits of different solutions; and what might be the unintended consequences of any decision. He said that the OECD would be taking up the issue of cybersecurity management, looking specifically at five areas:

  1. Capacity (what are the capabilities of national cyber emergency response teams (CERTs) and how can these be increased).
  2. Risk environment (what are the problems and what threats do they pose).
  3. Incident response measures (what has proven effective and why).
  4. Impact (what are the financial and social costs of security breaches).
  5. Awareness (what is the current state and how can it be improved).

He indicated that these might also be areas around which to build a better dialogue in Asia.

John Galligan offered his view that broader and deeper dialogue among all regional stakeholders (regulators, service providers and users) is essential to building awareness and trust. He urged continued efforts to clarify the issues and to prioritize the problems we need to solve. First steps in this process include better identifying shared principles as a foundation for cooperation and working to solve small problems before moving on to more difficult issues. He concluded that creating an air-tight system of accountability for data flows is challenging. Trust needs to be at the heart of any workable system, along with predictable and balanced enforcement.

Presenters’ slides are available to download:
Jong In Lim – Cyber Security Advisor to the President (Korea)
Hing Yan Lee – Singapore Infocomm Development Authority
JK Lee – Naver Corporation
Jonghyun Baek – KISA
Ryuichi Hirano – NISC
Sang Beom Ham – Microsoft Korea
Satoru Yamasaki – Kogakuin University
Shen Yi – Fudan University
Toshinori Kajiura – Hitachi Systems