Global e-security standards sought - Industry Trend or Event

CommunicationsWeek International, August 14, 2000 by Tony Morbin, David Molony

Concerns about e-commerce security are fuelled by the lack of international standards, but do regulators have the solution?

International trade and standards bodies are working towards a global framework for electronic commerce security. Service providers and users are concerned, however, that new legislation could add to existing regulatory requirements without providing complete security for transactions.

Analysts say definitions of e-commerce security should include business processes and licensing plus technical standards for encryption and authorization.

At the technical, network level, work is under way to draw up new regulations to ensure more uniform handling of secure, reliable, interoperable e-commerce.

On a pan-European level, the main regulatory concern is that standards and their enforcement differ from country to country. The resulting divergent approaches to standardization could duplicate effort and confuse users.

The International Telecommunication Union's Telecommunication Standardization Bureau (TSB) is coordinating the regulatory efforts of three main standards-setting organizations: the International Electrotechnical Commission (IEC), the International Organization for Standardization (ISO) and the United Nations Economic Commission for Europe (UN/ECE). TSB director Houlin Zhou established a memorandum of understanding (MoU) on e-business earlier this year.

The MoU's objective, said Yves Berthelot, executive secretary of UN/ECE, is to secure the interoperability standards required by the network economy. "We have a lot of security standards [in the regulatory bodies]," said Sophie Civio, technical programme manager for ISO and a member of the MoU group. "The problem is deciding which national standards to choose [as international base standards]."

Civio explained that the MoU group is currently looking at the security sector, adding, "There are several complex problems and you won't find many solutions right now."

In November the MoU group expects to report on its first phase, the initial identification of applicable standards, covering such crucial issues as encryption key management and the X.509 authentication framework for public-key certificates.

The second phase, identifying potential areas of overlap of standards and organizations, is under way. However, given the tortuous progress of EU regulation, the recommendations are unlikely to be in force before late 2001.

Meanwhile, ISO is scheduled to publish ISO/IEC 17799 on information security management, derived from the British standard BS 7799; the text has been approved but not yet published. "Information security looks at hardware and software, access rights and users' rights," said David Spinks, partner in Global Security Solutions at AEA Technology plc, Manchester, England. "[ISO/IEC 17799] would make sure any information coming into or out of an extranet would be to industry standard."

Need for common standards

Network users say they are looking for international business process standards which benchmark how information is managed in the global extranets increasingly used in trading exchanges.

"There's a lot of shortfalls now," said AEA's Spinks. "There's a lot of health checks going on."

Global standards cooperation could provide mutual recognition both for cross-sector licensing and for business processes in e-commerce, and reinforce technical cooperation on encryption technology and certification authorities.

The encryption and anti-fraud systems used by mobile operators are already powerful enough for some operators to claim that a SIM card is more secure than a credit card. Increasingly, the credit balance in a pre-pay mobile phone is being used beyond voice phone calls for data services and, most recently in the UK, instant payment of car-parking fines.

Germany's Deutsche Telekom and KPN in Holland are considering issuing their own e-cash following last month's amendment by the European Union's Council of Ministers of the Electronic Commerce Directive, broadening the definition of banks to include 'e-money institutions'.

As convergence draws the telecoms industry into the role of e-commerce service provider, the industry will find itself subject to a whole new raft of legislation.

Philip Gough, analyst at PricewaterhouseCoopers and author of a new report entitled Protect and Survive -- Regulation of e-commerce in the financial services industry, suggests that where telephone companies merely carry the traffic for e-commerce services they should be excluded from these financial regulations. Should they themselves become the e-commerce service provider, however, they would be subject to the new regulations.

Gough's report is primarily directed at service providers, calling for the adoption of minimum standards at 'a high level.' These consequently relate more to unethical business practices than to technical standards, but in security the two overlap. Such regulations, Gough explains, "should not be so proscriptive that they will inhibit innovation, but take into account that regulation has to operate on a global basis."

Concerns

There is some concern that new legislation will add to the regulatory burden, and could even inhibit development of advanced solutions if too narrowly focussed.
