Can You Have Both Security & Privacy in the Internet Age?


With threats to national and international security on the rise, all agree that security services have to be able to operate in order to address them. However, as the haystack of data necessary to do so has become an object of interest, along with the algorithms that find the needles in it, it has become clear that the traditional mechanisms used to control surveillance are inadequate.

The conundrum is how to ensure protection while retaining the critical underpinnings of our democratic systems – free speech, freedom of assembly and association, and, critically, the right to privacy. It is clear that with the acceleration of technologies, there are no easy lines to draw.  Moreover, in the internet age, almost all boundaries are being erased or redefined.

Black swans of security

Is it possible to be secure without giving up some privacy?  Theoretically yes, although in reality it is not so easy to implement. But stating this has never been so contested. The strategic environment in which state intelligence operators manoeuvre is evolving rapidly, from an increasing number and different types of intelligence consumers, to demands for faster and more efficient responses in the roiling confluence of threats. There’s also the increasing complexity of cross-border terrorism and asymmetric war, and the full-on return of interstate strategic conflict. Thus, keeping distinctions between domestic and international does not work any more.

As intelligence gathering becomes increasingly integral to national and international security, the debate has become quite heated on how the intelligence community should be equipped to anticipate and prevent the worst-case scenarios and “black swans” of security. Yet sometimes even sophisticated and comprehensive intelligence gathering cannot prevent terrorist attacks, as we have seen in the recent wave of gruesome incidents in places as far apart as Pakistan, Nigeria, Tunisia, Australia, the United States, Kuwait and France.

Today, the situation has shifted dramatically. The recently released Global Terrorism Index report (GTI) from the Institute for Economics and Peace shows that between 2012 and 2013, the number of people killed in terrorist incidents saw the largest increase in history, to 18,000 lives lost, which is a 61 percent increase from one year to the next.

Global Terrorism Index 2014 Results Map

Mass data

 Is it problematic if government agencies collect our digital footprint, metadata, online habits and digital history for eternity? This data can potentially be used and abused – but it can also keep people safe. When reflecting on this question it is important to remind ourselves that, between the telecommunication companies, internet search engines and social media apps, you may have already consented to share a lot of your data, including your needs, preferences and dislikes.

While misguided regulation could drive intelligence operations further underground and create more uncertainty about their actions and legitimacy, the debate is stuck on the issue of intelligence gathering and surveillance infringing on the privacy rights of individuals and also the abuse of those powers to target industry competitors and political, environmental, civil-society groups; and even individuals whom current and future governments don’t like.

Do we get caught up in a discussion about where we draw the line and posture over perceived government intrusion in times of calm, or do we reflect on the fact that in times of crisis, the calm tends to be easily replaced with strong criticism of why governments and companies did not do more to protect us? How do we ensure better understanding by lawmakers of the need for, but also the challenges of, making sure mass surveillance is not abused, by both public and private actors? How can we develop oversight mechanisms and processes that are meaningful for ensuring legal compliance?

The recent decisions by the US Congress and the UK government to restrict their agencies’ intelligence gathering and surveillance have been lauded in the media (as well as in sections of academia and civil society), but there is a long way to go before the intelligence community can curb security threats in a digital age that has magnified them, made them more insidious and pushed them across international borders.

Transparency – a tool to more effective intelligence?

 For the intelligence community and the wider government apparatus, this is a matter of public image. To build trust, both groups need to be far more effective in explaining how they honour their responsibilities towards the privacy of individuals, especially in communities that feel they bear the brunt of scrutiny. This is about demonstrating accountability and practising effective oversight. It behooves agencies and the entities that are charged with overseeing them to increase transparency without compromising security, and to foster cooperation among multiple stakeholders.

On the cooperation front, there must be more clarification regarding the distinction between mass collection of information and mass surveillance. Through this clarification, there must be more knowledge among lawmakers about security implications, so that informed legislation and regulatory frameworks can be put in place. In particular, knowledge and legislation must be increased dramatically around the issue of cybersecurity.

The top-secret documents leaked by former NSA contractor Edward Snowden significantly damaged the US intelligence community’s public image and that of the bodies charged with its oversight. And, by default, they damaged that of the intelligence community worldwide. Although few would argue that the leaks directly compromised national and international security, there has been a great deal of commentary (and important legal findings in the US and elsewhere) about intelligence operators overstepping their bounds, which violated both the privacy of ordinary citizens and relationships with key sovereign allies and key companies, the latter when they are needed most.

So far, the legislative consensus on how to manage this negative image has been to dial back actions taken after the September 11 attacks in New York and broaden intelligence-gathering capabilities to reinstate the regulatory regimes that were put in place but not respected. The intelligence community is realizing that it must also act to build trust, and the best route is through accountability and transparency, and also public outreach. By way of example, the Norwegian Intelligence Services has for five years been publishing a declassified annual report on its intelligence activities. This education of the public about what intelligence services do is an important way to foster cooperation. Arguably, it is also the best line of defence for any state experiencing unconventional threats, such as highly trained and motivated foreign fighters returning to their countries of origin, or the growing trend of lone-wolf attacks, which is a nightmare for any intelligence service. Both are extremely difficult to trace and prevent, and an effective response relies upon non-traditional responses and the cooperation of local communities.

Public-private collaboration

Cooperation can also be preventative and on a larger scale. For example, in the digital world of big data, it behooves intelligence agencies to try to enlist the help of the private sector to collect and share data. This type of cooperation also serves the purpose of creating an ally in the private sector to influence legislation and regulations on a global level. Yet, normally such information sharing only occurs when the parties truly have an incentive to do so, and for the private sector, the case has generally not been compelling. Thus most so-called public/private information sharing has produced little, if any, meaningful sharing. In reality, the private markets, including between public sector and private institutes, have dominated information sharing, and collaboration efforts have been mostly meaningless in terms of impact, but have served an important public-relations function.

It is thus important to move the pendulum but also recognize that this ally is a fickle one, and the perception that such a shift will respond first and foremost to market forces and growing opaque alliances between intelligence and big business needs to be well managed. (As such, partnerships of this nature need to be handled with as much transparency, accountability and open debate as possible.) In particular, a stronger alliance between the private sector and the intelligence sector could both demarcate and foster better understanding of the difference between mass collection and mass surveillance.

As intelligence agencies and the private sector cooperate, there will be a more thorough debate about whether the public will tolerate companies mining data that encroaches on privacy for commercial purposes. This will be compared with public alarm over intelligence agencies mining data for security purposes – a practice that will have credibility and utility only if driven in equal measure by intelligence agencies, business and civil society, the media and privacy activist groups. Similarly, mining and sharing data will always be a sensitive issue, but the sharing of practices and insights related to how to balance the need for increased security while respecting privacy laws should not be an issue of contention. Ultimately, trust needs to be earned through an honest, collaborative and inclusive approach.

Cybersecurity

 Where cooperation becomes essential is in the realm of cybersecurity. Keeping tabs on dangerous actors online has increased the need for a stronger dialogue between intelligence operators and companies with vast experience in mining and interpreting massive data sets. Both the intelligence community and these companies can work together to increase the understanding among lawmakers about the growing number of “digital extremists”, many of whom operate on the dark net, but most of whom are also still in the open, using social media platforms. The private sector carries a particular responsibility to put mechanisms in place to alert governments about the harmful use of their platforms or networks that compromise the security of individuals, nations and the global community. Despite agreeing that protecting public goods and security is a shared responsibility, many companies see this – commonly referred to as “digital back doors” – as posing great reputational risk and being bad for the bottom line (since the regulatory framework around where to draw that line remains unclear).

As the world becomes increasingly digital, the importance of understanding threats in cyberspace cannot be overstated. Terrorists use cyber tools for propaganda, recruitment and fundraising with such ease that intelligence agencies are truly struggling to keep pace. The common response from decision-makers has been to enact legislation and institute regulations, but these efforts have been largely reactive and uninformed, evidenced by their failure to mitigate the evolution of cyberthreats – and even contributing to increased reliance on the dark net. Decision-makers must be given more information about cyberspace and its security, and the private sector is better positioned than the intelligence community to do this.

Lawmakers in most countries are focusing mainly on businesses’ concerns about how legislation affects their competitive advantage, rather than consulting with their experts about “back doors” to networks as optimal solutions to thwarting cybercriminals. To this effect, there is an important debate about these back doors, with many arguing that they make the internet less safe. And while for their own protection some companies have become savvy in this regard, and some even cooperate with intelligence agencies, most others are concerned that competitors will not comply with the new regulations, creating an uneven playing field.

It is clear that in the field of cybercrime there has been a growing success in partnerships across countries as well as between public and private sectors. Now it is time to leverage this progress to attempt to build more and better bridges between the national intelligence community, the private sector and the wider public.

The need for agile oversight

By nature, intelligence agencies will constantly push the boundaries of legal frameworks to adapt to the rapidly changing security landscape. Such frameworks should be strong but elastic enough to adapt. Qualified decision-makers (those who can make informed judgement calls to determine the means necessary to justify security) are essential to this equation. And it is of vital importance that the authorities involved in regulations and oversight fully understand the evolving technology, tools and security issues. Educating the public to appreciate this paradox is also a necessity.

Although, to a degree, this phenomenon is already happening, it does not have strong enough support from key players to create the transparency that would foster more trust and support. The paradox is that more openness, more visibility and more engagement with other sectors are what will ultimately help intelligence agencies evolve into their role for a new security era.

The World Economic Forum, offering the largest global platform for public-private interaction, is particularly well placed to provide collaborative thought leadership on reducing global security risk. It helps key actors evolve and adapt to the changing security landscape by bringing together companies, government decision-makers and regulators, military leaders, intelligence experts and civil society.

WEF

About The Author: Anja Kaspersen is Head of Geopolitics and International Security at the World Economic Forum.

 

 
