Commissioner, U.S. Federal Trade Commission
"Realizing the Potential of the Global Digital Revolution"
OECD - APEC Forum on the Digital Economy
January 15, 2003
Aloha and good morning. Thank you, Mr. Sam Young Suh. It is good to see again and thank our conference chair, Dick Beaird. And, certainly, we thank our hosts here in beautiful Hawaii.
It is a pleasure to be with you in Hawaii, where I lived for eight years prior to becoming a Commissioner at the FTC. I am delighted that you have met Governor Linda Lingle. She is an incredibly talented and dedicated public servant, and a dear friend. She will do so much good for Hawaii. Please visit us again in the future, and you will see a remarkably improved Hawaii.
I am one of five Commissioners at the Federal Trade Commission. My remarks today are personal views and not necessarily those of the Commission or any of my fellow Commissioners.
Why I Am Here Today
The Federal Trade Commission is the principal federal authority in the United States working to enhance consumer welfare by promoting a truthful, competitive marketplace. Today, I want to share with you some of our experiences and efforts directed toward protecting consumers and contributing to the fulfillment of all that information and communications technology offers.
Over the past year, I was privileged to lead the U.S. government team working with the OECD’s Experts Group revising the Guidelines for Information Systems and Network Security. We continue to work on this important initiative and its implementation. This effort demonstrates how the OECD can be extremely relevant in focusing international attention on a problem that demands solutions. The OECD has highlighted how crucial it is to build a Culture of Security in today’s rapidly advancing world of information communications technology and our growing reliance on interconnectivity. The OECD’s important message is endorsed by APEC and is truly a global undertaking.
I would like to acknowledge my colleague and fellow FTC Commissioner, Mozelle Thompson, who will be addressing you later in this forum.
Commissioner Thompson’s work and leadership within the OECD is admirable, and he has led the way on international consumer trust issues in his role as Chairman of the Consumer Policy Committee. His work is fundamental to the FTC’s international consumer protection mission, and his participation adds an important dimension to the dialogue of this forum.
Road Map of My Remarks
My remarks today will principally focus on the theme of consumer trust and confidence as fundamental pillars in the global digital economy structure.
In the context of consumer protection, privacy and a Culture of Security, I will briefly address the following issues:
First, the vast potential of information technology;
Second, the potential benefits this technology presents to societies worldwide; and
Last, the necessity to foster consumer trust and confidence to fully realize the potential of the global digital revolution.
In addition, I will briefly address the United States’ National Strategy to Secure Cyberspace.
Vast Potential of Information Technology
Today, we are increasingly interconnected by advanced communications technology, complex information systems and networks, and powerful personal computers in the hands of millions of people.
This technology has changed our lives dramatically, and we have only just begun to reap the benefits. The Internet has had possibly the greatest impact of all -- an impact seen not only in the most developed nations, but in every region of the world.
Continued growth and use of information systems and technology seem certain. However, adequate and appropriate user accessibility and developing the necessary infrastructure to fully exploit this technology are costly. Individuals, societies, and governments worldwide must confront the complex challenges that remain.
Potential Societal Benefits
Digital technology offers potentially wonderful benefits for people all over the world, such as distance learning, economic development, greater health care availability, broader availability of goods and services from business and government, improved productivity, building human capital, and greater citizen empowerment.
These possibilities are vast and desirable. The costs, complexities, and public policy issues, however, are also vast, and they are often not so easily resolved.
At this forum you will hear from many experts about the opportunities represented by this technology and its potential.
As Professor L. Jean Camp has suggested in her book, Trust and Risk in Internet Commerce, "An open Internet has trust implications ... Reliability, security and privacy are critical ... "
Achieving reliability, security, and privacy is no small undertaking.
So, how do we approach this daunting task? Having been engaged in these discussions for several years now, I have concluded that no new law or regulation (as some advocate), no new government agency, new technology, and no new initiative by industry or government will by itself instill this trust and confidence so critical to a digital economy and advancing the digital revolution.
We must realize that all of us are involved. We all have a stake in this. Therefore, it will take all of us working together to minimize the negatives and optimize the positives.
Consumer fraud, deceptive practices, denial of service attacks, viruses, faulty software, and failed business transactions do major damage to consumer and user trust and confidence and threaten the further evolution of digital technology.
I would also suggest to those here today who represent so many countries, consumer groups, governments and industry, that we need to think carefully about how we can best promote trust and confidence in the digital economy. I think there is a real need for us to focus on the practical rather than the theoretical. And, by all means, let us express ourselves with brevity in "user- friendly" language that consumers can and will understand and heed. We really don’t need more wordy, academic, bureaucratic, technical, and legalistic documents that so often result from such gatherings.
What are some practical initiatives that businesses can take to enhance consumer trust and confidence in the digital marketplace?
What are practical steps that law enforcement can take in focusing on specific areas where consumers actually experience harm?
How can we build a new way of thinking -- a Culture of Security -- that will encourage safe practices in computing and facilitate the growth of the global digital economy?
Building Consumer Trust and Confidence
Certainly, electronic commerce creates new opportunities for consumers and businesses, but it also creates new tests for consumer confidence.
A consumer in Japan cannot easily evaluate the credibility of a merchant in Honolulu. I can’t ask my local friends and neighbors for references about e-commerce merchants in Paris. And if I have been a victim of Internet fraud, I’ll think twice about using the Internet again to do business with someone I don’t know. If I have no recourse for faulty products or failed purchases agreements, I will quickly lose interest in electronic commerce.
Unaddressed, these concerns about e-commerce can cause consumers to shun this new way of doing things. Consumer protection is essential to a healthy e-commerce environment.
OECD and APEC Efforts to Promote Consumer Protection
Both the OECD and APEC have recognized the need to protect consumers and build consumer confidence in global electronic commerce, and have taken action in this area.
The OECD issued Guidelines on Consumer Protection in December 1999, and APEC issued Guidelines on Consumer Protection just last year. These Guidelines, though not binding, can educate consumers on fair business practices, encourage private sector initiatives, and encourage government enforcement of consumer protection laws and policies. But these concepts need to be implemented, not just talked and written about.
Private Sector Consumer Protection Initiatives
The private sector also has a critical role to play, and it is responding to the challenge. Several industry and consumer groups have done important policy work in the consumer protection area. There are significant efforts underway to educate consumers about e-commerce.
Industry, government and consumer advocacy groups are engaged in serious dialogue to seek the best means of protecting consumer privacy and securing sensitive information, while at the same time ensuring the free and appropriate flow of information so important in dynamic economies. Work is being done to develop alternative dispute resolution programs to help resolve disputes arising between businesses and consumers in electronic commerce.
These initiatives will help to build consumer confidence.
Combating Internet Fraud
As these efforts progress, however, the Internet and electronic commerce present a "target rich environment" for those who would engage in fraud and deceit and those with destructive goals in mind.
If the promise of the global online marketplace is to be fully realized, governments and industry must assure consumers that they are working to build trust and confidence and punish those who harm others.
At the FTC, we have an aggressive Internet fraud enforcement program in which we have brought over 250 law enforcement actions against 785 defendants.
OECD and APEC Efforts to Combat Cross-Border Fraud
Both the OECD and APEC have recognized the need to build consumer confidence by keeping online consumers safe from fraud, particularly cross-border fraud, each stressing that international cooperation will assist in "preventing, stopping, and deterring cross-border fraud."
In addition to confronting fraud, there are the complex, challenging, often controversial issues of protecting personal privacy and ensuring the security of sensitive information.
The FTC works closely with many countries in our efforts to minimize cross-border fraud, and we will conduct a workshop on cross- border fraud on February 19-20, 2003.
Consumer Trust Through Privacy and a Culture of Security
Enhancing consumer confidence in the global digital economy also depends on effective online privacy protection practices and building a Culture of Security.
Concerns for personal privacy and information security have been with us for many years, but these concerns have taken on new meaning in our interconnected digital world. As we become more and more dependent upon information systems in our critical infrastructure as well as our personal activities, it is clear that a new way of thinking about privacy and security must evolve. This effort must involve all of us: industry, government, and the general public.
The Federal Trade Commission focuses on cases that emphasize the importance of good security practices to safeguard consumers’ privacy and the security of sensitive personal information. The FTC’s recent and notable settlements with Microsoft and Eli Lilly, in addition to a host of other cases, reflect our commitment.
Our approach to privacy and security enforcement focuses on enforcement of our existing laws and the harmful consequences of misusing personal information, both in the online and offline environments.
Protecting the privacy and security of personal information and of information systems is also part of our national focus on securing our critical national infrastructure.
The National Strategy to Secure Cyberspace
Let me speak briefly about the incredibly complex effort in the United States to develop a National Strategy to Secure Cyberspace.
Developing this Strategy is absolutely critical. Cyberspace is the thread that runs through all of our nation's critical infrastructures. Protecting cyberspace is necessary for the continued functioning of our economy and for our national security. Unfortunately, there are many vulnerabilities in cyberspace and many actors seeking to exploit them.
What is the Strategy? It is a part of our overall effort to protect the nation, and a framework for organizing and prioritizing efforts. The Strategy objectives are in parallel with the National Strategy for Homeland Security, specifically:
- prevent cyber attacks against our critical infrastructures,
- reduce our national vulnerabilities to cyber attacks,
- and minimize the damage and recovery time for those attacks that do occur.
There are five priorities within the Strategy. They include:
- A National Response System featuring a government/ industry partnership to perform analysis, warning, and coordinated response.
- A National Vulnerability/Threat Reduction Program designed to reduce vulnerabilities and threats through system assessments, research, and interdependency analysis.
- A National Awareness and Training Program to promote a comprehensive national awareness program and develop professional cybersecurity certifications.
- Securing Government so that government leads by example, securing its own corner of cyberspace, which in turn creates a market for more secure technologies.
- International Cooperation to facilitate partnerships and promote a global "culture of security"; foster establishment of international watch and warning networks; and encourage all nations to accede to the Council of Europe Convention on Cybercrime.
Millions of us are linked through information systems, networks and powerful personal computers. This technology provides us with wonderful benefits, but it also makes us vulnerable.
Consumers and home users are usually not thought of as part of the critical infrastructure. However, once connected to the Internet by telephone modem or high- speed access, our home computers become part of the network and then can be used to attack our critical infrastructure.
Home computers, especially those with "always on" high-speed connections, can become targets for people with malicious intent. Our home computers can be invaded, captured and then used essentially as weapons to launch denial of service attacks on the Internet and our critical infrastructure -- without our even knowing it.
Security incidents cost businesses, organizations, and consumers billions of dollars every year.
Yet recent evaluations indicate that the average consumer is not instinctively aware that we have a problem. We need enhanced national and international awareness to promote security of information systems and networks.
Our perceptions must change. A new way of thinking -- a Culture of Security -- is going to be essential if we are to minimize risks.
This challenge is really not about options. A Culture of Security is an imperative.
OECD and APEC Action to Promote a Culture of Security
Last summer the OECD issued a set of nine principles entitled "Guidelines for the Security of Information Systems and Networks: Towards A Culture of Security." The nine principles are an excellent, common-sense starting point. Collectively, they are about awareness, accountability, and action. They can be incorporated at all levels of use among consumers, government policy makers, and industry. You will be hearing more on this during our Forum from a superb panel led by my good friend, Peter Ford of Australia.
APEC, through the APEC-TEL, is also focusing on how to promote Information System and Network Security as one of its chief priorities.
And most recently, on December 20, 2002, the United Nations General Assembly unanimously adopted a resolution calling for the creation of a global culture of cybersecurity.
Notwithstanding these efforts, developing a Culture of Security will be a challenge. Changing the way we think will be demanding. It will require understanding the problems, a substantial investment of time and energy, a great deal of education, and, most important, leadership from all aspects of society.
The FTC and other government agencies have a role to play, but the government can’t do this alone, nor should it try. We are working with consumer groups, small businesses, big businesses and trade associations to instill this new way of thinking.
I am often reminded of being taught as a child to always look to the left and the right before crossing the street. I instinctively do this every day of my life. We must get to that point where we all intuitively look "both ways" as we approach the cyberspace superhighway. We need to make safe computing a good habit. Good habits do indeed last a lifetime.
The FTC has made a priority of information security and the necessity for security on-line. I encourage you all to take a look at our security website available at www.ftc.gov/infosecurity.
Common-sense, consumer-friendly actions by government, businesses, and other organizations as well as all participants will go a long way to help us be more secure in computing and in using information systems and network.
Building consumer trust-- featuring consumer protection, responsible and effective privacy practices, and a Culture of Security-- is a pragmatic way to ensure safe computing and to help the global digital economy to flourish.
Let’s make sure that our work is imaginative, thorough and very consumer friendly, and then let’s sell it to all involved in the digital revolution -- from big business to government to students and home users.