Trust & Security as key Challenges to

Promoting ICT and Economic Growth

Presentation by
Nobuo Tanaka
Director for Science, Technology and Industry
OECD
at the
APEC-OECD Workshop on Security of Information Systems
And Networks
Seoul, Korea
September 5-6, 2005

Winners
and
Losers

2
Source: OECD’s Growth Report, “The New Economy: Beyond the hype” 2001.
 Reason was ICT use: Pick-up in MFP growth and increase in
ICT use
C hange in PC intensity per 100 inhabitants,
1992-99
50 Greenspan
noticed US
U nited States productivity
40 growth in
Sweden
late 1990s
Norw ay D enm ark
came from
A ustralia
30
Netherlands
ICT use.
Finland
N ew Z ealand Canada
U nited K ingdom
20
Japan
G erm any Ireland
France B elgium

10
Spain Italy

0
-2 -1.5 -1 -0.5 0 0.5 1 1.5
C hange in M FP grow th corrected for hours worked

Note: Change in multi-factor productivity growth corrected for hours worked, average 1990s minus
average 1980s.
Source: OECD
3

The main thrust of my presentation

focuses on four areas
Q Firstly, Information Communication Technologies has
played a pivotal role in economic growth and productivity.
Q Secondly, ICT will continue to play its role but it is under
several challenges: globalisation, technological changes
and Trust.
Q Thirdly, governments should design policies that enable
ICT to fulfil its potential, and the OECD helps its Members,
as well as its key non-members partners do just that.
Q Fourthly, what OECD and APEC can do together in the
area of Security and Trust.
4
 U
ni
P te
d

0
10
20
30
40

0.0%
0.1%
0.2%
0.3%
0.4%
0.5%
0.6%
0.7%
0.8%
0.9%
or St
tu at
ga es
l Sw

%
ed
Fr en
an
ce Fi
nl
an
d
Fi Au
nl s
an U tr a

90-95
ni li a
d te
d
G Ki

95-2001*
er ng
m do
an m
y Be
l gi
um
D
Ita en
ly m
ar
k
S C
an
pa ad
in N a
et
D he
en rla
U m nd
s
ni ar
te k
d
1985

Ko
K re
a
in
gd G
er
om m
an
y
1995

S
w
ed Ita
en ly

Sp
a
2003

Ja in
capital formation

pa Fr
n an
ce
Ire
la Ja
nd pa
n
A Po
us r tu
tra N ga
l

substantial in some countries

ew
N lia Ze
et al
he an
d
ICT investment has been uneven …

rla
nd Au
s st
r ia
C N
an or
U w

The contribution of ICT investment to GDP is

ad ay
ni a

6
5

te G
d re
Investment in ICT 1985-2003; as a percentage of gross fixed

S e ce
ta
te
s Ir e
la
n d
 Contribution to Productivity by ICT-using services
Contribution to labour
productivity growth
1990-95 1996-2000
(%)
1.4
Countries where productivity Countries where productivity
1.2 growth deteriorated
growth improved
1.0

0.8

0.6

0.4

0.2

0.0

-0.2
s

om

a
y

k
nd

nd

ce
um
in
K en

ly
ea
te

nd
an

ar
ad

pa

Ita
pa

an
a
ed
la
ta

or
gd

m
gi
rla
m

an

Ja
nl
Ire

S
S

K
en

Fr
w

el
in

er

Fi

he

C
S

B
d

D
G
te

et
d
ni

7
N
te
U

ni
U

ICT and e-commerce continue to spread

estimated quarterly US retail e-commerce sales

20 2
E-commerce Retail Sales (left-hand scale)
18 1.8
16 E-commerce as a percent of total retail sales 1.6
14 (right-hand scale) 1.4
billions of USD

12 1.2
10 1
%

8 0.8
6 0.6
4 0.4
2 0.2
0 0
Q Q Q t d Q Q d Q Q d Q Q
h tQ Q d th 1s 2n d th tQ 2n d th tQ 2n d th tQ
4t 1s 2n 3r 4r 01 3r 4r 1s 3r 4r 1s 3r 4r 1s
99 00 20 02 03 04
19 20 20 20 20

Source: OCED Information Technology Outlook, 2004 8

 D Sw

0
20
40
60
80
100

0
20
40
60
80
100
%
en ed
m e

%
ar Ic n
k e
Ja D lan
en d
pa m
n N a rk
Fi or
nl w
an Sw ay
d i tz F in
Sw er la
ed l a nd
en n
Au Ja d (3
pa )
N st
ra
ew li a Ko n ( 4
Ze L u r ea )
al
an U xe (
ni m 5)
d te bo
d
Au Ki u r g
st ng
r ia G do
No er m
N rw U Ca m a
ni
et ay te nad ny
he d
r la St a (6
nd Au a te )
2001

s st s (
r 7
N ali a )
It a et
ly he ( 8
2003

Po rl a )
r tu n
ga Au d s
C l st
r ia
an
2004

ad Sp
a ai
U

Businesses using the Internet

Fr n
ni Sp an
te
d ai c
n Ir e e
As a percentage of all adults

Ki lan
ng
d

Businesses ordering over the Internet

Lu do
Access by Households and Individuals increases

xe m Ita
m Po l y
bo la
ur C
g ze Po nd

Businesses receiving orders over the Internet

but real business use still low
Access to the Internet is high,
G ch r tu
re R ga
ec ep l
e u
H bli
un c
ga
G ry
M ree
ex ce
9

T u ic o

10
rk (9
Individuals using the Internet from any location, 2001-2004

ey )
(1
0)
 However ICT is NO panacea and many other
factors require policy actions:

Q Results from ICT are linked to investment in skills. Hunt for high-skilled
workers is getting tougher.
Q Organisational and Management change is needed to make ICT work.
( firms that are already productive and innovative often get the best returns.)
Q The impact of ICT depends on accompanying innovations (co-
invention). Innovation-friendly system is needed.
Q Scope for experimentation – ease of entry and exit allow firms to test
markets and business models.
Q Competition in ICT markets and throughout the economy. Global
competition and service economy creates complex issues like off-
shoring.
Q Demand has been held back by lack of security & trust. TRUST is
becoming a major issue.
11

Key Policy Messages

To better realise benefits of ICT, Governments should:

Q Strengthen competition in ICT goods and services.

Q Foster a business environment for effective use of ICT (org. change,
skills, innovation, competition).
Q Spread the benefits of ICT across the economy.

Q Boost security and trust to enhance usage of ICT.

Q Policies for ICT diffusion and infrastructure development are no longer

sufficient; they need to be complemented with policies to remove
barriers to demand and effective use of ICT.

12
 Trust & Security are among the 6 OECD
Priorities for international co-operation in ICT
areas

Six OECD priorities areas:

Q Information Security: OECD Guidelines for the Security of Information
Systems and Networks, revised in 2002
Q Privacy: Privacy Online: OECD Guidance on Policy and Practice up-
dated 2003
Q Cross-border fraud: the OECD released guidelines for more effective
co-operation in enforcement of laws on cross-border fraud, particularly
on the Internet in 2003
Q SPAM: Today, 60% of e-mail is Spam! a Task Force on Spam to
devise a comprehensive response by government, business and civil
society to the problems posed by spam

Q Broadband: OECD Recommendation on Broadband Development

2004
Q Digital content: work ongoing to identify analytical, policy and
measurement issues in this complex new area

13

Trust & Security: what is the size of the

problem?
Q What are the data ?
Q OECD work on "Indicators for Trust" aims at
measuring the importance of trust online, evaluate
the impact of OECD policy in this area, and guide
further action.
Q An OECD report to be declassified in the coming
weeks reviews available official and private/semi-
official statistical resources on ICT and Trust and
concludes:
"The direct economic costs of phenomena related to trust,
such as security and privacy, are growing rapidly. The
available evidence all point towards a large increase in e-
crime, such as identity theft or online fraud, as being
inextricably linked to the rise in ICT use."
14
 Security problems are widespread in
enterprises
Percentage of enterprises with Internet access having encountered security problems in 2004
Percentage of enterprises with ten or more employees
60 unauthorised access blackmail or threats computer virus attack

50

40

30

20

10

%
ly
ria

nd

n
m

Ge d

ce

ay

nd

en
k

ia
l
s

ga
De ic

an
ar

ai
ar
an

Ita

nd

ak
iu

bl

rw
ee

la
st

la

ed
Sp
rtu
nm

ng
g

rm
nl

la
pu
Au

Ire

Po

ov
No
Gr
l

Sw
Be

Fi

Hu

Po
er
Re

Sl
th
Ne
h
ec
Cz

Source: Eurostat, Community Survey on ICT Usage in Enterprises, 2003, February 2005.
15

And among individuals

Percentage of individual Internet users having encountered security problems in 2004
Percentage of individuals who used the Internet within the last year
60 Fraudulent payment Abuse of personal information Computer virus

50

40

30

20

10

0
%
y
y

ry

en
ria

nd
lic

nd

Sw n

ey
l

m
k

ga
wa
an
ar

an

an
ec

ai
ur
ga

do
ub

rk
ed
Lu ela

la
st

Sp
rtu
m

bo
re
m
nl

el

or
z e Au

Po

Tu
un

ng
ep

en

Ic
er
Fi

Ir
G

Po
m

N
H

Ki
R

G
D

xe
ch

d
ite
Un
C

Source: Eurostat, Community Survey on ICT usage in households and by individuals, February 2005.

16
 Explosion of malware
70000

60000 All Pests Counts by Year

(Pest = any unwanted software)
50000

40000

30000

20000

10000

0
1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003

Cumulative number of pests categorized as "All Pests".

Source: http://research.pestpatrol.com/Trends/All_Pests_Counts_by_Year.asp
17

Bot infected computers per 100

% 4.2
broadband subscribers
2,5

2,0

1,5

1,0

0,5

0,0
ch N o rk D

J a iu m
Z e la y
i tz Staand
re a l

T u EC k

n
Au a n n d

N Mal a n d
G tu g m

I tr a a
eda in

m d

rl a ic o
R r w ey

lg a
S l x em u s t r y

ub y
Lu Aung ce
F la s

B e o r es
Swted inl li c
SwSp ce

ew I It lic
C ol a n

D c el li a

R rm ar g
ov G b r ia

he ex nd
U epu ay

H ra nnd
O ar

r e al

pa
s ad
en an

ep n

K nd
e r te
P e
r o

a
ni F b

a k e ou
e
Pongd
Ki

et
d
te

N
ze
ni
U

Publication : OECD STI Scoreboard 2005 (forthcoming)

Data Source: OECD, OECD calculations based on OECD and Symantec data, May 2005 18
 Still a long way to go before full adoption of
security software by users
Businesses' security measures in 2001-02 and 2002-03 (Australia)
Percentage of businesses with a computer reporting on security measures in place
100 2001-02 2002-03

80

60

40

20

0
Physical Anti virus Firewall Authentication Intrusion Network Written IT No IT security
% security software or software or detection sniffer security policy measures
virus scanner hardware system software

Source: Australian Bureau of Statistics , Business Use of Information Technology, 2001-02 and 2002-03,
Cat. no. 8129.0.

19

Online fraud is growing

Consumer Sentinel, Internet-related fraud complaints,

2001-2003
180 000 166 617

150 000

120 000 110 288

90 000
55 727
60 000

30 000

0
2001 2002 2003

internet-related fraud complaints

Source: www.consumer.gov/sentinel/states03/internet_related_trends.pdf, September 13, 2004.

20
 As a result: trust is a barrier to
individuals buying online…
Reasons for not buying over the Internet in EU countries
(individuals with Internet access), 2003
30

25

20

15

10

0
Not interested Do not trust Buying over Internet is too Don't have Other reasons Using Internet Don't Don't know
in buying the Internet the Internet is complicated credit cards is too understand the
anything on too expensive language well
the Internet complicated enough

Source: European Commission, Special Eurobarometer survey on European Union public opinion on issues
relating to business to consumer e-commerce (Reference: 201 EB60.0), March 2004.
21

Security is concern #1 for enterprises doing

online business, including for large firms

Barrier Small Medium Large

2001 2002 2003 2001 2002 2003 2001 2002 2003

Security concerns 13 17 17 13 20 19 11 18 22
Customers not ready 9 10 9 12 16 16 10 19 20
Suppliers not ready 5 6 4 7 9 8 6 12 14
Lack of skilled employees 9 11 11 8 12 8 5 13 8

Concerns about competitors analysing 5 7 7 9 12 10 5 9 11

information
Available Internet is too slow 4 5 5 7 7 6 4 3 2

Uncertain about the benefits 8 9 8 7 7 6 3 5 2

Development and maintenance costs too 11 14 13 10 15 16 6 13 17

high

Secondary Barriers to E-Commerce, by size of firm, 2001-2003, percent (Canada)

Source: Peters, Catherine and Anthony Nice, 2005, “Barriers to Electronic Commerce in Canada: A Size of Firm and Industry Analysis,”
Industry Canada, mimeo, presented at OECD WPIE June 2005)
22
 Beyond e-commerce, the lack of security
impacts the economy & the society at large

The migration of business, government, and

individual’s activities to IP-based systems and
networks, the technical evolution towards
anytime anywhere instant access to systems
and networks, and the growing risks to the
global IT infrastructure make “that
infrastructure itself critical and in the national
interest to safeguard”.

23

Q The economy in general, including critical infrastructures

(communications, energy distribution, financial transactions) rely
on the seamless functioning of information systems and
networks.
– In January 2003, the Slammer Worm infected 90% of vulnerable
computers worldwide within 10 minutes of its release on the
Internet, and severely degraded Bank of America's ATM network ($
billions damages)
– In the US, a hacker released intentionally hundreds of thousands of
gallons of putrid sludge from the wastewater system
– 17% of the 100 companies surveyed reported being the target of
some form of cyber extortion

Q "The IT infrastructure of the US is highly vulnerable to terrorist

and criminal attacks" (President's Information Technology Advisory Committee
"Cyber Security: A Crisis of Prioritization", Feb. 2005, United States)

24
Governments need policies. The OECD is assisting them.

Q Security & Trust has been a constant strategic priority on the agenda of the
OECD since the OECD Turku Conference in 1997

Q After 9/11, the OECD adopted the "2002 Guidelines for the Security of
Information Systems and Networks: Towards a Culture of Security"

Q The Guidelines:
– Promote a “Culture of Security” as a way of thinking about, assessing and
acting on the operation of information systems and networks.
– Provide a general frame of reference to help participants understand security
issues.
– Stress that preserving important societal values such as privacy and individual
freedom is essential to achieving a culture of security.
Q They call on:
– Other countries to adopt a similar approach to security.
– Businesses to build security into the design and use of their systems and
networks and to provide security information and updates to users.
– All individual users to be aware, and to act in a responsible manner by taking
preventive measures.

Q Other policy work related to trust: 1980 Privacy Guidelines, 1997 Cryptography
Guidelines, 1998 Ministerial declaration on Authentication for Electronic Commerce,
25
2003 Cross-Border Fraud Guidelines

The Security Guidelines had an impact at the

regional and global levels…
Q The Council of the European Union adopted a resolution "on a
European Approach towards a Culture of Network and Information
Security” in February 2003.

Q At the global level, the OECD Security Guidelines have also

served as the basis for the Resolution A/RES/57/239 for “Creation
of a Global Culture of Cyber Security” adopted by the United
Nations General Assembly in December 2002 and were
recognized by the APEC Council of Ministers.

Q The ASEM Cyber Security workshop held here in Seoul in June

2005 invited ASEM members to adopt the Security Guidelines as
guiding elements for the development of national and international
policies.

26
 …and at the national level

Q Most countries who replied to the OECD survey have adopted a

national policy for information security and use the guideline as a
basis for their national framework

Q OECD promotes the exchange of best practices and dialogue

between governments and with business and civil society. The ICCP
WPISP:
– Organised a OECD Global Forum on Information Systems and Networks
Security (Oslo, 2003) with participation from non-member economies
– Issued two reports on the implementation of the Guidelines in member
countries (2003, 2005 - to be declassified in the coming weeks).

Q Among the main themes that have emerged from two surveys:
– International cooperation is key and is pursued in various regional fora,
facilitating dialogue and exchanges of best practices.

27

Global co-operation is needed

Q The information systems and networks to be secured are global by

nature. Co-operation is essential for realising a truly global culture
of security for information systems and networks.
Q APEC Cybersecurity Strategy is a very important step forward. Like
the OECD, APEC remains active in its subsequent work for the
implementation of the Cybersecurity Strategy.
Q The OECD-APEC Global Forum on Policy Frameworks for the
Digital Economy (Honolulu, Hawaii, January 2003) concluded that:
– Advancing the creation of a global culture of security was a priority
– OECD and APEC would co-operate in this area.

Î This workshop is the first joint event dedicated to security of

information systems and networks.

28
 APEC-OECD future co-operation

Q Co-operation could come in different forms. Mutual

endorsement or promotion of the other group’s
achievements may be a constructive way forward
that would make best use of the limited resources of
the two organisations.

Q It is hoped that this workshop will contribute to the

exchange of information between the OECD and
APEC communities, and be the basis for further co-
operation in the area of security of information
systems and networks.

29

Conclusion

Restructuring or Boneyard:
The Need for Speed

While restructuring our Company in the 1980s, we spent much of our

time talking about the accelerating pace of change: in world politics, in
technology, in product introduction and in the increasing demands of
customers. We don’t have to do that anymore. Change is in the air.
Newspapers and networks hammer it home daily. GE people today
understand that pace of change, the need for speed, and the absolute
necessity of moving more quickly in everything we do, from inventory
turnover, to product development cycles, to a faster response to customer
needs. They understand that slow-and-steady is a ticket to the boneyard in
the 1990s.

“To Our Share Owners” (1990 Annual Report ) of GE

30