Thirteen countries from the United Nations, along with hundreds of US high-tech executives, gathered in New York last week in an effort to foster greater co-operation on global information security.
The second annual UN Global InfoSec Conference, sponsored by the UN Working Group on Informatics and AIT Global, a New York-based IT industry association, discussed the urgent need for information sharing on virus and worm threats and the question of why the world's differing views of security and privacy remain a tough obstacle to overcome.
"Most developing countries today are as technology-dependent as developed countries," said June Clarke, ambassador to the UN from Barbados and the interim chairwoman of the UN Working Group on Informatics.
"In a number of countries, including my own, governments are seeking to promote a viable and sustainable IT services sector," she added. As a result, security and privacy issues are "as significant and important for developing countries as they are for a Fortune 500 company".
Clarke said this year's onslaught of viruses and worms, such as the Slammer, Blaster and Sobig, has taken its toll on many developing countries.
"For developing countries, the increasing cost of security caused by these attacks has resulted in a diversion of resources away from maintaining and expanding existing networks and systems.
"This is a major concern that needs to be addressed at the highest levels."
However, the one question for which few answers were offered was if the world can forge common security and privacy laws that would remain effective and enforceable.
"There hasn't been a thorough public discussion on privacy yet," acknowledged Vance Hitch, chief information officer at the US Department of Justice.
Hitch, whose speech to the UN came at a time of increasing concerns about the Justice Department's pursuit of additional electronic surveillance powers under the controversial US Patriot Act, tried to allay the fears of some in the audience by saying the department is "trying to prevent witch hunts" in cyberspace.
He added that a privacy impact study must be conducted for every new system or application deployed by the Justice Department before it is rolled out.
"My experience has been that the US is an 'opt-out' society and Europe is more an 'opt-in' society" when it comes to privacy laws and regulations, said Ken Watson, president of the US Partnership for Critical Infrastructure Security and director of critical-infrastructure protection at Cisco Systems.
In Europe, personal data is the property of the individual, whereas in the US there are laws which allow companies to exchange customer data, Watson said. "In the US, we have self-regulation, and in Europe we have government regulation. I don't think there's any way to tell right now which approach is better."
However, before any common approach can be agreed upon, a series of policy discussions will have to be held at the highest levels of government, Hitch said. "It's not clear what the bounds of privacy are."
Many questions remain to be answered. "How far can we go? How far should we go? And how much are we willing to pay in privacy for better security?" Hitch asked. "How can you put a price on preventing something like 9/11? That's the kind of discussion you need to engage in."
Dan Verton writes for Computerworld
Read more on IT risk management
EU court opinion finds EU-US data transfers lawful but raises questions over Privacy Shield
Facebook: Legality of EU-US data sharing to be decided by Court of Justice
UN resolution ignores special rapporteur’s call for halt to spyware sales
Facebook: US government does not engage in mass and indiscriminate surveillance