Intro Map

How strong encryption supports the development of a safe and secure Internet:

an Asia–Pacific perspective

Intro Map

Introduction

A safe and secure Internet is critical in driving economic and social transformation in Asia–Pacific. Strong encryption is essential to achieving this safety and security, for consumers as well as for firms who do business online.

This study examines the role of strong encryption in supporting the development of a safe and secure Internet in Asia–Pacific, looking specifically at 11 focus countries: Australia, India, Indonesia, Japan, Malaysia, New Zealand, the Philippines, Singapore, South Korea, Thailand and Vietnam.

The report also examines the role of government and policy considerations associated with strong encryption.

Intro Map

Market focus

To illustrate the economic impact of strong encryption, the study reviewed revenues of five major service categories that depend on it heavily. These revenues were assessed for the 11 focus countries in the Asia-Pacific.

Service focus

Strong encryption is essential for keeping personal data and online transactions secure, enabling consumers to trust online services. It also enables firms to move from private infrastructure and networks to Internet-based services, while protecting intellectual property and business-critical functions.

Click on a service for more details
Close

E-commerce

  • Remote financial transactions require protection against fraud, and robust digital security has enabled strong growth in services such as e-commerce, online banking and mobile payments
  • Strong encryption is essential to keep personal data and payment information secure, and helps consumers to trust the websites they buy from
  • Buying online enables consumers to discover new products, compare prices, and buy from a wider range of outlets
  • E-commerce makes a large contribution to Asia–Pacific economies, but there is scope for significant growth if trust can be maintained and strengthened
Revenues (USD billion for the 11 focus countries)
Close

IoT

  • Many types of device are now being connected to the IoT, from cars, home appliances and smart wearables, to industrial machinery and electricity meters
  • Devices including smartphones collect and store wide-ranging data, including location, communications and purchases, and sensitive data such as health and financial information
  • 60% of people in a recent MEF global survey expressed some concern about privacy and security of IoT
  • Digital security supported by strong encryption is essential to alleviating these concerns and supporting the growth of IoT
Revenues (USD billion for the 11 focus countries)
Close

Public cloud

  • Cloud services allow firms to share data centres and in some cases even servers, giving them access to as little or as much computing capacity or storage as they need
  • Cloud services can provide new functionality to firms with less up-front investment, providing increased productivity and cost efficiencies
  • The ability to encrypt data that is sent to or stored in the cloud is critical to protecting corporate and customer information
Revenues (USD billion for the 11 focus countries)
Close

Corporate wide area networks (WANs)

  • Enterprise ICT is evolving from a model of dedicated private infrastructure to a more cost-efficient model of shared services and networks
  • Internet-based corporate WANs allow dedicated networks to be replaced by sharing capacity over the public Internet, with transmissions protected through encrypted virtual private networks (VPNs)
  • This approach enable substantial cost savings, and enables new business models such as remote working
Revenues (USD billion for the 11 focus countries)
Close

Business process outsourcing (BPO)

  • BPO involves contracting out certain business tasks to a third party service provider
  • This can enable cost-savings for firms in developed countries, accelerate time to market and enable firms to take advantage of external expertise
  • BPO is an important industry in countries such as India and the Philippines, and around 2.3 million people are employed in BPO in these two countries
  • Encrypted communications enable these outsourcing partners to interface directly with their customers’ systems and data securely and at limited cost
Revenues (USD billion for the 11 focus countries)

Executive summary

Introduction

Asia–Pacific is a global Internet powerhouse. India and China are the countries with the most Internet users worldwide, and many other regional markets are already very large (e.g. Japan, Australia) or growing rapidly (e.g. Indonesia, the Philippines, Malaysia, Thailand). As of the end of 2015, the ITU estimates there were over 720 million Internet users in the 11 focus countries for this study: Australia, India, Indonesia, Japan, Malaysia, New Zealand, the Philippines, Singapore, South Korea, Thailand and Vietnam.

The Internet is, by nature, an open, interconnected, decentralised, permission-less global network. No one controls it, and it was built from the start to be a general-purpose network of networks, which means it is highly versatile.

These characteristics enable a high degree of innovation, which has led to the Internet becoming a platform for a diverse range of applications such as personal communications, information dissemination, e-commerce, e-health, financial services, entertainment, e-government, corporate networking and cloud computing.

These benefits come at a cost however: the very openness, distributed nature and versatility of the Internet make it impossible to entirely exclude security threats, from hackers, cyber criminals or other malicious agents. The widespread and varied use of the Internet by people and firms makes it attractive for cyber criminals: for example, the spread of e-commerce and Internet banking creates opportunity for large-scale financial fraud.

Digital security measures are critical for people to trust online services

The level of reported cyber crime is very low in the region, affecting less than one in a thousand Internet users in most cases (Figure 1). Although this is likely to underestimate its incidence, the fairly low economic impact of cyber crime (Figure 2) suggests that many threats are being effectively prevented or mitigated by a range of digital security measures. These measures are now widely used by firms in every country and every sector of the economy, as well as by governments themselves to enable secure public services such as online tax payments and passport renewals. As the use of the Internet becomes broader, the scale and scope of security risks increases. For example, the increased popularity of mobile payments requires mobile devices and their interfaces with payment terminals to be highly secure.

Figure 1: Reported rates of cyber crime [Source: Analysys Mason, based on official crime statistics for most recent year available (2014 or 2015)
Figure 2: Cost of cyber crime as a percentage of GDP [Source: Intel Security, 2014]

Strong encryption is an essential foundation of cyber security. It underpins the confidentiality of communications and helps to protect the integrity of transactions (including ensuring that people and organisations are who they say they are, through digital certificates). Protecting confidentiality and integrity also helps protect systems from attacks that could threaten their availability and stop them from functioning, which is an increasingly important consideration as more and more critical systems are connected to the Internet.

The protection afforded by digital security and strong encryption is an important driver of consumer trust in the Internet. This trust is affirmed, albeit in a nuanced way, in direct surveys: in 2015, Accenture found that over 90% of the Internet users it surveyed were confident enough to share some personal data online, although a majority of those were being cautious about how much they shared.

Ultimately, the trust that people place in online services and the Internet generally is evidenced by the scale of use: over 300 million people used Facebook daily in Asia at the end of 2015 (none of them in China). The adoption of online financial services is also remarkably high, despite being an area where people are arguably very cautious: according to research by McKinsey & Company, nearly all urban bank account holders in developed countries in Asia–Pacific were using online banking in 2014. In developing countries, the proportion was lower (20–40%) but still significant and growing rapidly. The research expected over 800 million online bank accounts by 2020. The adoption of online banking supports other services, most importantly e-commerce, which over 470 million people used in the 11 focus countries by the end of 2015.

Perhaps the most important driver of use of online services is the rapid growth in smartphone adoption (60–80% of people in the developed focus countries and 15–40% in developing focus countries in 2015 based on eMarketer data). Smartphones now provide access to the vast majority of online services, including mobile payments. They also act as a hub for the collection and exchange of data, including personal data. This raises privacy issues that many people are grappling with, and strong encryption (for example in messaging applications) is vital for increasing their trust in these online services and the mobile Internet as a whole.

Connected devices do not stop at smartphones. The Internet of Things (IoT) is emerging and expected to grow very rapidly in the next few years, with billions of devices being connected to the Internet. Some of these devices are already in people’s homes (e.g. connected thermostats, security cameras), and go with them on the move (e.g. wearable technology, connected cars). People are clearly concerned about threats to the security of devices that could interact with and control their immediate environment: 60% of people in a recent MEF global survey (66% of respondents in India) expressed some concern about privacy and security of IoT. Digital security supported by strong encryption is essential to alleviating these concerns and supporting the growth of IoT.

Secure and trusted use of the Internet brings benefits to businesses

For firms in all sectors of the economy to operate successfully on the Internet, it is essential to ensure their customers trust their online services and are well-protected online. From an operational perspective, firms stand to benefit strongly from the efficiency gains that using the Internet can bring. This report focuses specifically on three types of Internet use by firms for which strong encryption is especially important: corporate networking, public cloud services, and its role in enabling business process outsourcing (BPO).

All three of these applications enable firms to reduce costs:

Internet-based corporate wide area networks (WANs) allow dedicated networks to be replaced by sharing capacity over the public Internet, with transmissions protected through encrypted virtual private networks (VPNs).

Cloud services allow firms to share data centres and in some cases even servers, giving them access to as little or as much computing capacity as they need for all sorts of applications. Again, the ability to encrypt data that is stored in the cloud is critical to protecting corporate and customer information.

In the case of BPO, the Internet allows firms to more easily interact with their outsourcing partners, many of whom are based in India and the Philippines for example. Encrypted communications enable these outsourcing partners to interface directly with their customers’ systems and data securely and at limited cost.

Services that depend on strong encryption are forecast to grow to over USD800 billion in revenue by 2020

All of the applications described above (e-commerce, Internet banking, IoT, corporate WANs, public cloud services and BPO) already generate significant value in the 11 focus countries, representing revenues of around USD400 billion in 2015 according to our estimates. They are all expected to grow strongly, exceeding USD800 billion by 2020, which illustrates the benefits these products and services bring to consumers and firms throughout the economy. See Market focus for more details.

Although current digital security measures are effective at limiting the economic costs of cyber crime, firms must keep pace with the increasing intensity and sophistication of threats. Firms are increasingly aware of the risks posed by cyber crime, as shown in a recent survey by insurance company Allianz Global Corporate & Specialty that found that 33% of the surveyed businesses believe that cyber crime is the top emerging risk for the long term. In the face of these threats, strong security and encryption are enabling firms to reduce their liability and to insure themselves against cyber-security risks.

Governments and policy makers play several important roles in promoting, using and sometimes regulating the use of strong encryption

Governments and public-sector bodies in Asia–Pacific rely on strong encryption to protect sensitive data (e.g. tax records, health data) and government systems, and to enable more efficient engagement with citizens through online public services. As well as promoting good digital security practices within the public sector, many policy-makers have taken steps to improve standards among private-sector firms.

Some governments, such as Japan and Australia, are investing in educating people and firms about digital security. In some cases, governments and public agencies go further and specify minimum standards of encryption in certain sectors, such as financial services (in India and Singapore for example). They also publish and seek to enforce rules and guidelines in the public sector, which has been a target for high-profile attacks (e.g. the Electoral Commission, Comelec, in the Philippines), although enforcement within the public sector can be challenging (not least because fines tend to deplete resources that could be more effectively used to deploy better security).

Some policy-makers also provide financial incentives for firms to invest in cyber security, for example through legislation on data breaches, which can in some cases exempt firms from fines and penalties if they are found to have taken appropriate digital security measures. Regulation can also, in some cases, place restrictions on individuals’ and firms’ use of encryption products. Import and export restrictions are common, yet are widely seen as rather ineffective because of the global nature of the encryption market. In Asia–Pacific, a recent survey identified over 70 hardware and software encryption products developed across nearly every focus country.

Although there is currently little restriction on domestic use of encryption, there has recently been renewed debate on whether measures such as mandating a maximum length for encryption keys (which would make them easier to break), forcing companies to make strong encryption keys available to the government, or introducing ‘backdoors’ into encryption products, should be considered (for example to allow lawful interception of encrypted communications).

Strong encryption is fundamental to the digital security measures which are required to make the internet safe, and there are many services used by consumers and businesses in Asia–Pacific that rely on strong encryption. This study has shown how large the markets for these services already are, and how fast they are expected to grow. This growth requires people, firms and governments to continue investing in digital security supported by strong encryption. In this context, policy-makers should consider the extent to which policy, laws and regulations are compatible with the requirements of those that use encryption.

This study provides insight into the essential role strong encryption plays in supporting the growth of online markets

A safe and secure Internet is critical in driving economic and social transformation in Asia–Pacific. Strong encryption is essential to achieving this safety and security, for consumers as well as for firms who do business online. This study examines the role of strong encryption in supporting the development of a safe and secure Internet in Asia–Pacific, looking specifically at 11 focus countries: Australia, India, Indonesia, Japan, Malaysia, New Zealand, the Philippines, Singapore, South Korea, Thailand and Vietnam.

Encryption allows information that transits over the Internet, and data that is stored online and on connected devices, to only be read by duly authorised people or systems. This means that even if information is intercepted or stolen, it is difficult or impossible for anyone to use it who does not have the ‘keys’ needed for decryption. In this report we are particularly interested in ‘strong’ encryption, which refers to encryption that cannot be easily broken (e.g. by determining the key) or bypassed (e.g. by obtaining the decryption key).

Digital security measures are critical for people to trust online services

The level of reported cyber crime is low in the region, and the reasonably low economic impact of cyber crime suggests that many threats are being effectively prevented or mitigated by a range of digital security measures. Strong encryption is an essential foundation of these cyber security measures.

The protection afforded by digital security and strong encryption is an important driver of consumer trust in the Internet. The trust that people place in online services and the Internet generally is evidenced by the scale of use: over 300 million people used Facebook daily in Asia at the end of 2015 (none of them in China). The adoption of online financial services is also remarkably high, despite being an area where people are arguably very cautious.

The rapid growth in smartphone adoption is seeing mobile devices used to access the vast majority of online services, including mobile payments. They also act as a hub for the collection and exchange of data, including personal data, and strong encryption is vital for protecting privacy.

Connected devices do not stop at smartphones. The Internet of Things (IoT) is emerging and expected to grow very rapidly in the next few years, with billions of devices being connected to the Internet. Some of these devices are already in people’s homes (e.g. connected thermostats, security cameras), and go with them on the move (e.g. wearable technology, connected cars). Digital security supported by strong encryption is essential to keeping these devices secure.

Secure and trusted use of the Internet brings benefits to businesses

For firms in all sectors of the economy to operate successfully on the Internet, it is essential to ensure their customers trust their online services and are well-protected online. From an operational perspective, firms stand to benefit strongly from the efficiency gains that using the Internet can bring. This report focuses specifically on three types of Internet use by firms for which strong encryption is especially important: corporate wide area networking (WANs), public cloud services, and its role in enabling business process outsourcing (BPO).

Services that depend on strong encryption are forecast to grow to over USD800 billion in revenue by 2020

All of the applications described above (e-commerce, Internet banking, IoT, corporate WANs, public cloud services and BPO) already generate significant value in the 11 focus countries, representing revenues of around USD400 billion in 2015 according to our estimates. They are all expected to grow strongly, exceeding USD800 billion by 2020, which illustrates the benefits these products and services bring to consumers and firms throughout the economy. See Market Focus for more details.

Although current digital security measures are effective at limiting the economic costs of cyber crime, firms must keep pace with the increasing intensity and sophistication of threats. In the face of these threats, strong security and encryption are enabling firms to reduce their liability and to insure themselves against cyber-security risks

Governments and policy makers play several important roles in promoting, using and sometimes regulating the use of strong encryption

Governments and public-sector bodies in Asia–Pacific rely on strong encryption to protect sensitive data (e.g. tax records, health data) and government systems, and to enable more efficient engagement with citizens through online public services. As well as promoting good digital security practices within the public sector, many policy-makers have taken steps to improve standards among private-sector firms through regulation or financial incentives.

Regulation can also, in some cases, place restrictions on individuals’ and firms’ use of encryption products. Import and export restrictions are common, yet are widely seen as rather ineffective because of the global nature of the encryption market.

Although there is currently little restriction on domestic use of encryption, there has recently been renewed debate on whether measures such as mandating a maximum length for encryption keys (which would make them easier to break), forcing companies to make strong encryption keys available to the government, or introducing ‘backdoors’ into encryption products, should be considered (for example to allow lawful interception of encrypted communications). Such measures could however have unintended consequences by weakening the digital security environment and resulting in greater levels of cyber crime.

Strong encryption is fundamental to the digital security measures which are required to make the internet safe, and there are many services used by consumers and businesses in Asia–Pacific that rely on strong encryption. This study shows how large the markets for these services already are, and how fast they are expected to grow. This growth requires people, firms and governments to continue investing in digital security supported by strong encryption. In this context, policy-makers should consider the extent to which policy, laws and regulations are compatible with the requirements of those that use encryption.

Contact

David Abecassis
Partner
Email David

Richard Morgan
Manager
Email Richard

Acknowledgements

This report was commissioned and sponsored by Google, and prepared independently by Analysys Mason, a global consultancy specialising in telecoms, media and technology.

The analysis contained in this document is the sole responsibility of Analysys Mason and does notnecessarily reflect the views of Google or other contributors to the research. Lead authors were David Abecassis (Partner) and Richard Morgan (Manager), with additional input from Paola Valenza and Oliver Kremer (Associate Consultants). The report was edited by Andrea Smith, with graphic design by Julie Bartram.

A number of interviews were conducted with firms in Asia–Pacific to discuss the local security environment and role of strong encryption. Most of these were carried out on an anonymous basis, however we would like to thank the contributors for their time and valuable inputs during our research. Thanks are also due to Toshiki Yano and other members of the Google team for their comments and feedback during the preparation of this report.