How strong encryption supports the development of a safe and secure Internet:

Introduction

Asia–Pacific is a global Internet powerhouse. India and China are the countries with the most Internet users worldwide, and many other regional markets are already very large (e.g. Japan, Australia) or growing rapidly (e.g. Indonesia, the Philippines, Malaysia, Thailand). As of the end of 2015, the ITU estimates there were over 720 million Internet users in the 11 focus countries for this study: Australia, India, Indonesia, Japan, Malaysia, New Zealand, the Philippines, Singapore, South Korea, Thailand and Vietnam.

The Internet is, by nature, an open, interconnected, decentralised, permission-less global network. No one controls it, and it was built from the start to be a general-purpose network of networks, which means it is highly versatile.

These characteristics enable a high degree of innovation, which has led to the Internet becoming a platform for a diverse range of applications such as personal communications, information dissemination, e-commerce, e-health, financial services, entertainment, e-government, corporate networking and cloud computing.

These benefits come at a cost however: the very openness, distributed nature and versatility of the Internet make it impossible to entirely exclude security threats, from hackers, cyber criminals or other malicious agents. The widespread and varied use of the Internet by people and firms makes it attractive for cyber criminals: for example, the spread of e-commerce and Internet banking creates opportunity for large-scale financial fraud.

Digital security measures are critical for people to trust online services

The level of reported cyber crime is very low in the region, affecting less than one in a thousand Internet users in most cases (Figure 1). Although this is likely to underestimate its incidence, the fairly low economic impact of cyber crime (Figure 2) suggests that many threats are being effectively prevented or mitigated by a range of digital security measures. These measures are now widely used by firms in every country and every sector of the economy, as well as by governments themselves to enable secure public services such as online tax payments and passport renewals. As the use of the Internet becomes broader, the scale and scope of security risks increases. For example, the increased popularity of mobile payments requires mobile devices and their interfaces with payment terminals to be highly secure.

Strong encryption is an essential foundation of cyber security. It underpins the confidentiality of communications and helps to protect the integrity of transactions (including ensuring that people and organisations are who they say they are, through digital certificates). Protecting confidentiality and integrity also helps protect systems from attacks that could threaten their availability and stop them from functioning, which is an increasingly important consideration as more and more critical systems are connected to the Internet.

The protection afforded by digital security and strong encryption is an important driver of consumer trust in the Internet. This trust is affirmed, albeit in a nuanced way, in direct surveys: in 2015, Accenture found that over 90% of the Internet users it surveyed were confident enough to share some personal data online, although a majority of those were being cautious about how much they shared.

Ultimately, the trust that people place in online services and the Internet generally is evidenced by the scale of use: over 300 million people used Facebook daily in Asia at the end of 2015 (none of them in China). The adoption of online financial services is also remarkably high, despite being an area where people are arguably very cautious: according to research by McKinsey & Company, nearly all urban bank account holders in developed countries in Asia–Pacific were using online banking in 2014. In developing countries, the proportion was lower (20–40%) but still significant and growing rapidly. The research expected over 800 million online bank accounts by 2020. The adoption of online banking supports other services, most importantly e-commerce, which over 470 million people used in the 11 focus countries by the end of 2015.

Perhaps the most important driver of use of online services is the rapid growth in smartphone adoption (60–80% of people in the developed focus countries and 15–40% in developing focus countries in 2015 based on eMarketer data). Smartphones now provide access to the vast majority of online services, including mobile payments. They also act as a hub for the collection and exchange of data, including personal data. This raises privacy issues that many people are grappling with, and strong encryption (for example in messaging applications) is vital for increasing their trust in these online services and the mobile Internet as a whole.

Connected devices do not stop at smartphones. The Internet of Things (IoT) is emerging and expected to grow very rapidly in the next few years, with billions of devices being connected to the Internet. Some of these devices are already in people’s homes (e.g. connected thermostats, security cameras), and go with them on the move (e.g. wearable technology, connected cars). People are clearly concerned about threats to the security of devices that could interact with and control their immediate environment: 60% of people in a recent MEF global survey (66% of respondents in India) expressed some concern about privacy and security of IoT. Digital security supported by strong encryption is essential to alleviating these concerns and supporting the growth of IoT.

Secure and trusted use of the Internet brings benefits to businesses

For firms in all sectors of the economy to operate successfully on the Internet, it is essential to ensure their customers trust their online services and are well-protected online. From an operational perspective, firms stand to benefit strongly from the efficiency gains that using the Internet can bring. This report focuses specifically on three types of Internet use by firms for which strong encryption is especially important: corporate networking, public cloud services, and its role in enabling business process outsourcing (BPO).

All three of these applications enable firms to reduce costs:

Internet-based corporate wide area networks (WANs) allow dedicated networks to be replaced by sharing capacity over the public Internet, with transmissions protected through encrypted virtual private networks (VPNs).

Cloud services allow firms to share data centres and in some cases even servers, giving them access to as little or as much computing capacity as they need for all sorts of applications. Again, the ability to encrypt data that is stored in the cloud is critical to protecting corporate and customer information.

In the case of BPO, the Internet allows firms to more easily interact with their outsourcing partners, many of whom are based in India and the Philippines for example. Encrypted communications enable these outsourcing partners to interface directly with their customers’ systems and data securely and at limited cost.

Services that depend on strong encryption are forecast to grow to over USD800 billion in revenue by 2020

All of the applications described above (e-commerce, Internet banking, IoT, corporate WANs, public cloud services and BPO) already generate significant value in the 11 focus countries, representing revenues of around USD400 billion in 2015 according to our estimates. They are all expected to grow strongly, exceeding USD800 billion by 2020, which illustrates the benefits these products and services bring to consumers and firms throughout the economy. See Market focus for more details.

Although current digital security measures are effective at limiting the economic costs of cyber crime, firms must keep pace with the increasing intensity and sophistication of threats. Firms are increasingly aware of the risks posed by cyber crime, as shown in a recent survey by insurance company Allianz Global Corporate & Specialty that found that 33% of the surveyed businesses believe that cyber crime is the top emerging risk for the long term. In the face of these threats, strong security and encryption are enabling firms to reduce their liability and to insure themselves against cyber-security risks.

Governments and policy makers play several important roles in promoting, using and sometimes regulating the use of strong encryption

Governments and public-sector bodies in Asia–Pacific rely on strong encryption to protect sensitive data (e.g. tax records, health data) and government systems, and to enable more efficient engagement with citizens through online public services. As well as promoting good digital security practices within the public sector, many policy-makers have taken steps to improve standards among private-sector firms.

Some governments, such as Japan and Australia, are investing in educating people and firms about digital security. In some cases, governments and public agencies go further and specify minimum standards of encryption in certain sectors, such as financial services (in India and Singapore for example). They also publish and seek to enforce rules and guidelines in the public sector, which has been a target for high-profile attacks (e.g. the Electoral Commission, Comelec, in the Philippines), although enforcement within the public sector can be challenging (not least because fines tend to deplete resources that could be more effectively used to deploy better security).

Some policy-makers also provide financial incentives for firms to invest in cyber security, for example through legislation on data breaches, which can in some cases exempt firms from fines and penalties if they are found to have taken appropriate digital security measures. Regulation can also, in some cases, place restrictions on individuals’ and firms’ use of encryption products. Import and export restrictions are common, yet are widely seen as rather ineffective because of the global nature of the encryption market. In Asia–Pacific, a recent survey identified over 70 hardware and software encryption products developed across nearly every focus country.

Although there is currently little restriction on domestic use of encryption, there has recently been renewed debate on whether measures such as mandating a maximum length for encryption keys (which would make them easier to break), forcing companies to make strong encryption keys available to the government, or introducing ‘backdoors’ into encryption products, should be considered (for example to allow lawful interception of encrypted communications).

Strong encryption is fundamental to the digital security measures which are required to make the internet safe, and there are many services used by consumers and businesses in Asia–Pacific that rely on strong encryption. This study has shown how large the markets for these services already are, and how fast they are expected to grow. This growth requires people, firms and governments to continue investing in digital security supported by strong encryption. In this context, policy-makers should consider the extent to which policy, laws and regulations are compatible with the requirements of those that use encryption.