Report: 2016 Asia Forum – Cybersecurity Standards for the Cloud in the Asia Pacific Region


The fifth in a series of Asia Forums on Cyber Security and Privacy was hosted by the Cyber Law Centre on the campus of Korea University in Seoul on May 20, 2016. The conference welcomed government officials, academic experts and business leaders from Japan and Korea while also featuring international speakers from Hong Kong and Singapore. The theme of the conference was “security and privacy for cloud computing in the Digital Age,” a timely topic in light of Korea’s recent passage of a Cloud Computing Act and the important contribution of Japan in the adoption of ISO/IEC 27017, which sets standards for information security controls.

Opening Keynote Address

The conference opened with a keynote address by Commissioner Kijoo Lee (Korean Communications Commission (KCC)). He noted that he had just returned to Korea from the ITU conference that was called to consider security and privacy issues related to cloud computing, IoT (Internet of Things) and big data. Commissioner Lee remarked that what is increasingly tying these diverse technologies together is the application of AI or artificial intelligence – a reality that Korea is moving rapidly to take advantage of in the rapidly growing IoST (Internet of Small Things) environment. As much as 80 percent of currently available bandwidth supports IoT devices including sensors, remote readers, smartphones and healthcare equipment.

Commissioner Lee continued that the Korean cloud market, worth 540 million dollars in 2015, will more than double to 1.2 billion dollars by 2017. He pointed out that the market is very diverse, dominated in some areas by large multinationals while being the province of start-ups in others. Lee stressed that “trust” is the key to the success and growth of the “smart society”, and that consumers need both information and the right experience.

In this context, attention must be paid to protecting IoT from malware and guarding against large-scale attacks. This requires the attention of government and business to the assessment and testing of IoT technologies as well as collaborative work among network and service providers, manufacturers and developers.

With specific regard to the cloud, Commissioner Lee pointed out that the government would be introducing a cloud certification scheme and that the KCC would work with the Personal Information Protection Commission (PIPC) to evaluate privacy issues related to large scale data collection. This would include usage guidelines, particularly the de-identification of data. As Korea moves forward in this area, Lee pledged policy cooperation with international players.

Session One: Understanding the Technical Aspects of Cloud Computing

Keynote Presentation

Mike Mudd (Managing Partner, Asia Policy Partners) presented on the challenges of cloud governance in a global context, with a focus on how we can engender trust and a more rapid uptake of this new technology. He stated that the process of cloud adoption is probably fastest in the banking sector, because of its low cost and security at a time when banks are moving rapidly to replace their now aging infrastructure, citing outdated equipment as the likely cause of the recent theft of funds from the Bangladeshi Central Bank.

Mudd noted that the cloud greatly differs from previous data storage and analytic technologies used by businesses. Most importantly, it lacks widely agreed guidelines for security and privacy because it is multi-jurisdictional. Looking around the world, Japan leads Asia in the cloud readiness index with Korea placing sixth, the key difference being the Korean requirement that sensitive data be stored locally. He pointed out that, within Asia, only China currently has a similar requirement and noted that if data cannot move freely across borders, it will limit economic growth and isolate local SMEs from international value chains.

Mudd concluded by introducing a number of key principles conducive to yielding the maximum benefit from cloud computing. Prominent among them are system and location transparency, limitation on secondary use of data, appropriate data segregation, resilience and business continuity and agreed termination conditions so that data can be returned or erased. He concluded that the data classification problem is at the heart of the current controversy over data storage.

Panel Discussion

Professor Kyungho Lee (Korea University) served as the moderator for the session, starting the discussion by asking what the big challenges are with respect to rapid adoption of cloud computing.

Kyoung Yoon Kim (Microsoft) noted that while new server purchases in Korea are dropping quickly and movement to the cloud is gaining momentum, the big obstacle to further growth is consumer trust in the technology. He noted that privacy and cyber security are top priorities for Microsoft, affirming that the company does not respond to extra-legal pressures from governments to turn over customer data. He further stated that Microsoft does not use customer data for marketing or other purposes and that this kind of transparency is important if the full potential of cloud computing is going to be realized.

Yoshihiro Obata (CEO, BizMobile) said that, increasingly, the big challenge for cloud computing is the problem of latency rather than the availability of bandwidth. He noted that new data centers are being built in cities, not remote areas, in order to support burgeoning consumer needs and the demand generated by machines. Obata pointed out that there is so much data now on the cloud that it is beyond the capability of humans to manage it. Deleting data is a job for machines because sensitive data goes beyond what people conventionally think of as “private.” For example, how should we classify “likes” on Facebook or purchasing data derived online? He warned that it is necessary to think clearly about what information to protect and, frankly, whether it can even be protected.

Professor Choon Sik Park (Seoul Women’s University) followed up on this argument and said that, just as a car needs “brakes”, privacy must be embedded in the Internet’s technology. He noted that cloud computing has made personal information vital as it can now be correlated and manipulated on a massive scale. Park warned that these benefits are largely going to mega-cloud providers and argued that both a new “competition policy” and a new business model are necessary for the cloud and cloud services. He went on to state that information sovereignty has become a central concern for national governments, and that governments must demonstrate that they can protect citizens’ data, which requires that they take a larger role in monitoring how companies use data.

Professor Lee responded by asking what aspect of cloud computing presents the greatest risk. Mudd replied that people are consistently the greatest risk, noting a recent incident where a social media approach was used to breach the security of Philippine Central. He added that Alibaba’s current experimentation with using a person’s online profile to judge their credit worthiness is both a benefit and a problem. Since methods for establishing credit in China are poorly developed, using online data in this way is innovative and potentially a real boon to consumers. However, this also opens the door to misuse and error.

Microsoft’s Kim reminded everyone that no system is completely secure. Risk is tied to the investment made in protection as well as the cost/benefit ratio associated with that investment. Professor Lee further added that the most damaging data breaches are often the result of government intrusion, and the aid of the engineering community and experienced companies like Microsoft is needed to push back and make the Internet safer and more secure.

BizMobile’s Obata distinguished the conventional notion of privacy protection from broader systemic threats. For example, taken by themselves, smartphones and tablets are basically secure, but when they start working and interacting together with the broader system, managing privacy becomes increasingly difficult. Data can be exposed in many ways and neither the police nor the courts can respond to such breaches in a timely way. There need to be collective mechanisms that set standards and procedures for cooperation among network providers, ISPs, content managers and others.

Professor Lee concluded the panel by raising the issue of a national cyber space – is this an inherent aspect of sovereignty and is this the correct direction to pursue? Microsoft’s Kim replied that the real issue is not sovereignty but transparency. Microsoft’s trusted cloud program tells its customers what they and countries are most concerned about, i.e. where their data is and how it is being protected. Mudd said ultimately it comes down to economics. Off-shore data storage permits scale and saves money. In addition, there are many safeguards to protect the integrity of data, e.g. end-to-end encryption and different levels of protection based on an agreed data classification scheme. Professor Park closed by saying that while it is understood that the value of the cloud is undermined by restricting what data can be stored on it, privacy is a social value and security is an economic requirement. A stronger consensus is needed on how best to address these issues.

Luncheon Keynote Address

Professor Jongin Lim (Korea University) was the luncheon keynote speaker. He began his remarks by listing three key requirements for reliable cloud computing: security (authentication, network integrity and encryption); data control (key sharing, audit, transparency); and compliance/dependability (low latency, ubiquity). He noted that “ransomware” is a major issue in Korea and that this makes working with a reliable service provider all the more important.

Professor Lim continued that diverging national requirements pose challenges for cloud service providers, and that this is compounded for users by large differences among providers in terms of their capabilities and experience. Lim stated that the major issues for what he termed “cloud computing vol 3” are compliance, portability and efficient data center operations.

He said that, from a user perspective, the top concerns are data process reliability (access control, data life cycle); service level reliability (large scale processing, disaster recovery); and service provider reliability (emergency response capability; financial stability). Lim noted the growing debate over operational issues, e.g. server location, and client-related issues, e.g. privacy concerns. These are overlaid with national issues related to law enforcement, espionage, e-discovery and consumer protection.

Professor Lim concluded that the big challenge stems from whether or not we will see greater divergence or convergence in cloud computing practices and if the demands for security will undercut the efficiency and scale that are at the core of cloud computing’s value proposition. He said that this debate is ongoing in Korea and is reflected in the 2015 Cloud Computing Act as well as the subsequent designation of the Korea Information Security Agency (KISA) as the certifying authority for cloud computing quality certification.

Session Two: National Law and Policy on Cloud Computing

Keynote Presentation

Professor Nohyoung Park (Korea University’s Law School) began his remarks by noting that the cloud is booming in Korea, and Microsoft and Amazon are both active in supporting this development. However, there are issues regarding the new legal framework for cloud computing passed in 2015 by the National Assembly. The Cloud Computing Act of 2015 was meant to promote both greater utilization and investment in the cloud along with the introduction of safeguards, such as reporting leakages, no sharing of information with third parties, deletion of data on request, and encouraging disclosure of data location.

Professor Park noted that no specific international standards are referenced in the Act and that it does not take up the issue of data classification, now covered in a separate set of guidelines in a way that appears to discourage use of public clouds. The new Act does ease data protection requirements for big data, but the law seems to require the physical separation of facilities for data deemed sensitive for government operations. In addition, recent April 2016 guidelines set detailed requirements that may delay cloud deployment in the private sector, particularly the requirement that data should be located in Korea and that there be a physical separation of personal information, although this requirement may be waived for financial, health and educational data. This exemption for the public sector does not violate the provisions of the TPP, which only addresses the private sector.

Professor Park’s conclusion was that the recent flurry of legislative and administrative rulemaking in Korea with respect to the cloud reflects an intent to liberalize the use of cloud computing and big data, but that personal privacy and national security concerns still constitute a “brake” on the rapid adoption of these new technologies.

Panel Discussion

Professor Motohiro Tsuchiya (Keio University), who served as the moderator, kicked off the session by asking panelists if there was any provision in the new legal frameworks introduced in the region that presented concerns for cloud computing and the free flow of data.

Professor Abu Bakar Munir (University of Malaya) responded that countries in ASEAN generally recognized the importance of cloud computing, but uptake is being slowed by the lack of e-commerce and electronic signature rules as well as the weakness of computer crime enforcement. He listed Malaysia, Singapore and the Philippines as leaders in this area and noted that Indonesia and Thailand are currently discussing drafting legislation.

Professor Hiroshi Miyashita (Chuo University) noted that Japan is taking a flexible, business-friendly approach to cloud regulation and that recent government directives mandate businesses to adopt business continuity plans based on the cloud by 2020. He added that all local governments will be connected to the cloud by next year, resulting in up to 30% in savings. The current challenge is for ministries to better coordinate their efforts in the area of cybersecurity and to sort out the different levels of protection necessary for users and platform operators.

He continued that neither the new privacy framework nor the Cyber Basic Law specifically references cloud computing. Firms are expected to self-regulate. However, a recent government directive encourages firms to address problems relating to both the proper deletion of consumer data and the issue of data portability. Data localization is also a sensitive issue in Japan, with the discussion centering on conditionality and under what conditions Japanese law might be extended beyond national borders. There is great interest in how Microsoft’s appeal in the case of data demanded by US prosecutors while being stored in Europe will be resolved.

Henry Chang (Hong Kong Privacy Commission Chief Personal Data Officer for Policy and Research) said that Hong Kong basically takes a “hands-off” approach to the cloud, with the goal of facilitating cloud usage by both the public and private sectors. The Commission understands cloud usage as an evolution of “data outsourcing” which is a widely understood business practice. But there are new issues of scale and transparency that require attention. There also needs to be more education, particularly for small businesses, with regard to standard terms and conditions for entrusting data to third parties and a greater grasp of potential risks – which have to be linked up to criteria for liability. This is especially the case with regard to “Fintech” businesses, an area that Hong Kong wishes to promote.

Professor Munir noted that Singapore had initially taken a “hands-off” approach, but influenced by Malaysia’s new privacy framework the government moved to adopt its own legislation with the purpose of attracting business in the region through a more predictable regulatory environment. He added that the public sector is not included in the Singapore government’s framework which is focused on commercial interests.

Professor Park intervened to ask whether the government should really try to regulate the cloud computing environment. Korea, he pointed out, has a new law, but the government has not met expectations that it will lead the way in cloud computing adoption by moving the public sector rapidly to the cloud. He noted that there has also been a great reluctance on the part of the Korean ministries to cede regulatory authority in the interest of promoting cloud computing.

In his role as moderator, Professor Tsuchiya shifted the conversation and raised the question of whether IoT (which he redefined as the “Internet of Threats”) would transform the cloud into a platform for criminal activity. Henry Chang discounted this possibility, noting that technology is just a tool and that businesses can turn to a wealth of threat-reduction resources for protecting cloud platforms, such as privacy enhancing technologies, algorithms that track usage and biometric encryption techniques to confirm identities. Professor Miyashita seconded this response, noting that international conventions are increasingly focused on deterring and prosecuting both cybercrime and state-sponsored espionage. Professor Park argued that the Budapest Convention has not proved to be a sufficient framework for information exchange between enforcement authorities in this area, but that the UN is now taking up the issue from the perspective of terrorism.

A question from the floor posed the issue of how governments and companies might work together to develop a data classification system. Hong Kong Commission official Chang answered that the Commission is strongly interested in defining what constitutes personal data, but has been stymied by the reality that the de-identification of data is practically impossible. Professor Munir added that in addition to technical difficulties in this area, local cultural preferences may also pose a problem. For example, marital status is a sensitive issue in both the Middle East and Indonesia while education background is a concern in the Philippines.

Professor Park noted that Korean President Park and US President Obama had pledged at a recent bilateral summit to coordinate views in this area, but the real question is whether privacy as conventionally defined can actually be protected. Yoshihiro Obata said that the fundamental issue is that the Internet was designed as a system based on open data and open APIs. A user can access the system from anywhere, but the accumulation of data has progressively undermined user anonymity. Chang said that the solution is for the data controller to take responsibility; there is a need for a well developed accountability framework. Expecting the user to define and protect his or her privacy is not workable in the world of IoT. While privacy is not dead, it is challenging in that it will be different from country to country, as well as between sectors and even individuals.

Session Three: The Future Development of Cloud Computing Industries

Keynote Presentation

Director Kazuhisa Uruyu (Japanese Ministry of Trade, Economy, and Industry (METI), IT Security Policy Office) began his remarks with an overview of how cloud computing has benefited the Japanese economy overall and facilitated the utilization of new technologies and applications. The Japanese government views the cloud as a core technology, but there are also drawbacks related to the security and availability of the data stored on the cloud. The policy response in Japan has been to require audits and third party certification. Cloud security management in Japan is overseen by the Japan Security Audit Association, whose mandate is to provide assurances to users of risk management adequacy by rating firms on their compliance.

Uruyu said that while IoT is a major factor driving cloud adoption in Japan and presents a significant business opportunity, it has also raised concerns about privacy and security. There is considerable “host anxiety” among users as they consider placing their data with outside cloud providers. For this reason, Japan has recently introduced an Information Security Management Guideline for industry cloud users along with a manual that defines risks and suggests countermeasures. A key element is to ensure that data deletion is done across the system in a comprehensive way.

Panel Discussion

Jim Foster (Executive Director, The Asia Pacific Institute for the Digital Economy (APIDE)), the panel moderator, opened the discussion by asserting that the main message from the Forum today is that cloud computing is here to stay and will provide rich benefits to providers and users alike. He noted that Japan has been a pioneer in the area of cloud computing, promulgating guidelines for cyber security in 2011 and adopting a new privacy framework in 2015 premised on the cloud. Japan also took the cyber security guidelines that it had formulated to international standards bodies and contributed substantially to the adoption of ISO/IEC 27017 in January 2016.

As a result, there is now an internationally recognized standards framework for privacy and cybersecurity in cloud computing. Foster argued that the current challenges are for governments to enforce these standards as part of their domestic legislation, for customers to demand them as part of their contracts and for operators to implement them as part of their business models. He asked the panelists to give their views on what government and business should be doing together to promote greater reliance on the cloud.

Seongil Seo (Director, Software Promotion Division within the Ministry of Science, ICT and Future Planning) observed that the existence of legacy systems within government and business has proven a substantial impediment to cloud adoption in Korea, but that the new Cloud Act has helped in addressing this issue. He said that there is a strong recognition that cloud computing is essential to ICT infrastructure in Korea. However, issues remain in the public sector regarding the management of “sensitive” national security data, which involves a large part of the government’s business due to the threat from North Korea. He said that the government is currently developing a set of cloud certification guidelines for the public sector, but progress is slow. The situation is better in the private sector. For example, Seo explained that a change in the process for assessing liability in the case of data breaches resulted in liability being assumed by the service provider as part of their contractual responsibilities rather than leaving the burden of proof of damage to the user.

Wong Kyu Hong (Vice President, Enterprise Solutions Business Unit at Korea Telecom (KT)) explained that KT had entered the cloud business in 2012, but that the revenue numbers did not really begin to grow until Amazon Web Services (AWS) entered the market in 2016. In just the past six months, the business climate of the cloud in Korea has changed dramatically. Companies are beginning to appreciate the cost savings due to the cloud, and the new legal framework provided by the Cloud Computing Act of 2015 has helped to reassure new customers. Companies in many areas, including finance, health and utilities, are now outsourcing their data storage needs, and significant progress is being made to address sectoral regulations that pose an obstacle to even more cloud engagement.

Professor Jae Kyu Lee (Korea Advanced Institute for Science and Technology (KAIST)) approached the question from a different angle, outlining some of the thinking and experimentation that are going on in Korea with respect to making the cloud more secure and resilient. Professor Lee is working on the “Bright Internet” project in collaboration with a number of UN organizations and stated that the goal of the program is to develop technologies to mitigate the dangers of the “dark” Internet. “Bright Internet” involves developing tools to trace and prevent the activities of criminal elements on the Internet in order to safeguard a safe environment for individuals as well as a secure and a stable platform for businesses.

William Roth (Research Fellow on Cybersecurity at Sasakawa USA) commented that migration to the cloud becomes easier every day. Security used to be a major concern, but now the trend is in the opposite direction, with CEOs and CTOs actively looking for services that can be outsourced to the cloud as a way to save money and ensure greater security for a firm’s most important data.

METI Director Uruyu added that Japan is now engaging with countries throughout the region to encourage them to take measures to better align their national frameworks with the new international standards developed for cloud computing. His counterpart, Director Seo, expressed the Korean government’s appreciation for the role that Japan is playing and said that Korea is looking to support these efforts by examining how these new international standards might specifically be applied in the Korean domestic context.

Foster then posed the related question of the relationship between innovation and cloud computing. Korea Telecom VP Hong replied that, so far, AWS is the major global market mover in cloud services. KT is just entering this area and is not yet in a position to make a major investment in building a global cloud business. He noted that Korean customers demand a significant amount of customization in their cloud service packages, which KT is well positioned to provide through the 11 data centers that it operates in-country and through its hybrid cloud offerings, which differentiate its service model from that of Amazon.

Roth observed that a flexible regulatory framework for the cloud was key to its development as a platform for innovation. He cited the NIST framework in the US as an example, pointing out that the departure point for security should be the kind of data one desires to protect rather than mandating the use of a particular technology. APIDE’s Foster underlined this insight, saying that there is a need for sectoral stakeholders to develop practical solutions in line with the risks associated with the actual use of a particular set of data.

Professor Lee from KAIST agreed, saying that this approach informs discussions of the “Bright Internet.” Policies cannot simply be mandated by governments. A key aspect of the “Bright Internet” project is to move ahead on a multi-stakeholder basis. METI Director Uruyu added that this kind of flexibility is going to be particularly important if the deployment of IoT is to go forward, noting that cloud computing is fundamentally what makes IoT possible.

The session wrapped up with a round of remarks from the participants in previous panels who had travelled to Korea from abroad. Mike Mudd from Asia Policy Partners commented that the question is no longer “what” is the cloud, but “how” do we use it and “how” do we arrive at a common regulatory framework that makes sense from both a provider and a user perspective? He noted that some of this work has been done in standards bodies and some is being looked at in APEC, but an agreed template for the region is needed, since that is how the full potential of this new technology can be unlocked. Professor Abu Bakar Munir from the University of Malaya made the same point in his remarks, noting that Korea is the first country with legislation for the cloud and other countries will be looking carefully at its experience.

Professor Hiroshi Miyashita specifically drew attention to the problem of privacy and said that attention must be paid to how the landscape changes with the possible ratification of the TPP. The new trade agreement addresses privacy, but leaves a great deal of discretion to national governments – and the issue is whether this provides needed flexibility or poses the risk of market fragmentation. Hong Kong Privacy Commission official Henry Chang followed up on this point, saying that many of the business models on the cloud do not adequately protect privacy and that building in sufficient controls and technology to make them privacy compliant is going to be expensive.

Key Takeaways

Korea is committed to promoting cloud computing but still needs to work out obstacles to greater deployment in the public sector. Private sector interest in the cloud is very strong, with a big market for custom solutions and the growing use of hybrid clouds by customers. Yet Korea lags significantly behind other players in Asia, ranking only 6th in a recent survey, and it is unclear whether the recently adopted Cloud Computing Act is the complete answer to spurring quicker adoption of the cloud domestically while also providing a platform for Korean firms selling into the region.

Japan has shown leadership in supporting the development of international standards for privacy and cybersecurity controls on the cloud. It ranks 1st in regional surveys and is taking a flexible, business-friendly approach to cloud regulation. Cloud computing is an important part of Japan’s disaster preparedness plans with the government mandating the adoption of cloud-based business continuity plans by 2020. The current challenge for Japan is for government ministries to better coordinate their efforts in the area of cybersecurity and to sort out the different levels of protection necessary for users and platform operators.

Hong Kong basically takes a “hands-off” approach to cloud computing, with the goal of facilitating cloud usage by both the public and private sectors. The Commission understands cloud usage as an evolution of “data outsourcing”, which is a widely understood business practice. However, new issues of scale and transparency require attention, as does the need for more education, particularly for small businesses, with regard to standard terms and conditions for entrusting data to third parties and a fuller grasp of the cloud’s potential. This particularly applies to “fintech” businesses, an area of rapid growth in Hong Kong.

Singapore had initially taken a “hands-off” approach but was influenced by Malaysia’s new privacy framework, resulting in the government moving to adopt its own guidelines on privacy and security for the cloud. The goal remains attracting business in the region with a more predictable and certain regulatory environment and providing assistance for small businesses to move to the cloud. The public sector is not included in the Singapore government’s framework; it is focused on commercial interests, offering a possible model for Korea.

In the context of cloud computing, the issue of data sovereignty may best be addressed as an issue of transparency. Customers and governments need to know where their data is and how it is being protected. Cloud storage of data makes economic sense, because it allows for scale and reduces costs. There are many safeguards to protect the integrity of data stored in the cloud, e.g. end-to-end encryption and different levels of protection based on an agreed data classification scheme.

The central challenge will result from whether we see more or less convergence in cloud computing practices within and across countries in the region. The demand for security and concerns about privacy will continue, but the efficiency and scale that cloud computing offers will also grow as an attractive value proposition. At the same time, cloud computing can pose a systemic risk as it becomes more integrated into the fabric of our economy and society, especially as it becomes the de facto host for IoT and the critical infrastructure that depends on it. The mitigation of such risk requires collective mechanisms for cooperation involving governments, network service providers, ISPs, platform and application managers and others. In addition, the academic community has a role in the process of developing greater analysis and a stronger consensus on how these issues are best dealt with.