Can You have Both Security & Privacy in the Internet Age?

Uploaded on 2015-08-03 in NEWS-Cybersecurity News, FREE TO VIEW

Security-vs-Privacy.jpg

With threats to national and international security on the rise, all agree that security services have to be able to operate in order to address them. However, as the haystack of data necessary to do so has become an object of interest, along with the algorithms that find the needles in it, it has become clear that the traditional mechanisms used to control surveillance are inadequate.

The conundrum is how to ensure protection while retaining the critical underpinnings of our democratic systems – free speech, freedom of assembly and association, and, critically, the right to privacy. It is clear that with the acceleration of technologies, there are no easy lines to draw.  Moreover, in the internet age, almost all boundaries are being erased or redefined.

Black swans of security

Is it possible to be secure without giving up some privacy?  Theoretically yes, although in reality it is not so easy to implement. But stating this has never been so contested. The strategic environment in which state intelligence operators manoeuvre is evolving rapidly, from an increasing number and different types of intelligence consumers, to demands for faster and more efficient responses in the roiling confluence of threats. There’s also the increasing complexity of cross-border terrorism and asymmetric war, and the full-on return of interstate strategic conflict. Thus, keeping distinctions between domestic and international does not work any more.

As intelligence gathering becomes increasingly integral to national and international security, the debate has become quite heated on how the intelligence community should be equipped to anticipate and prevent the worst-case scenarios and “black swans” of security. Yet sometimes even sophisticated and comprehensive intelligence gathering cannot prevent terrorist attacks, as we have seen in the recent wave of gruesome incidents in places as far apart as Pakistan, Nigeria, Tunisia, Australia, the United States, Kuwait and France.

Today, the situation has shifted dramatically. The recently released Global Terrorism Index report (GTI) from the Institute for Economics and Peace shows that between 2012 and 2013, the number of people killed in terrorist incidents saw the largest increase in history, to 18,000 lives lost, which is a 61 percent increase from one year to the next.

global-terrorism-index-report-2014-10-638.jpg?cb=1420975583Global Terrorism Index 2014 Results Map

Mass data

 Is it problematic if government agencies collect our digital footprint, metadata, online habits and digital history for eternity? This data can potentially be used and abused – but it can also keep people safe. When reflecting on this question it is important to remind ourselves that, between the telecommunication companies, internet search engines and social media apps, you may have already consented to share a lot of your data, including your needs, preferences and dislikes.

While misguided regulation could drive intelligence operations further underground and create more uncertainty about their actions and legitimacy, the debate is stuck on the issue of intelligence gathering and surveillance infringing on the privacy rights of individuals and also the abuse of those powers to target industry competitors and political, environmental, civil-society groups; and even individuals whom current and future governments don’t like.

Do we get caught up in a discussion about where we draw the line and posture over perceived government intrusion in times of calm, or do we reflect on the fact that in times of crisis, the calm tends to be easily replaced with strong criticism of why governments and companies did not do more to protect us? How do we ensure better understanding by lawmakers of the need for, but also the challenges of, making sure mass surveillance is not abused, by both public and private actors? How can we develop oversight mechanisms and processes that are meaningful for ensuring legal compliance?

The recent decisions by the US Congress and the UK government to restrict their agencies’ intelligence gathering and surveillance has been lauded in the media (as well as in sections of academia and civil society), but there is a long way to go before the intelligence community can curb security threats in a digital age that has magnified them, made them more insidious and pushed them across international borders.

Transparency – a tool to more effective intelligence?

 For the intelligence community and the wider government apparatus, this is a matter of public image. To build trust, both groups need to be far more effective in explaining how they honour their responsibilities towards the privacy of individuals, especially in communities that feel they bear the brunt of scrutiny. This is about demonstrating accountability and practising effective oversight. It behooves agencies and the entities that are charged with overseeing them to increase transparency without compromising security, and to foster cooperation among multiple stakeholders.

On the cooperation front, there must be more clarification regarding the distinction between mass collection of information and mass surveillance. Through this clarification, there must be more knowledge among lawmakers about security implications, so that informed legislation and regulatory frameworks can be put in place. In particular, knowledge and legislation must be increased dramatically around the issue of cybersecurity.

The top-secret documents leaked by former NSA contractor Edward Snowden significantly damaged the US intelligence community’s public image and that of the bodies charged with its oversight. And, by default, they damaged that of the intelligence community worldwide. Although few would argue that the leaks directly compromised national and international security, there has been a great deal of commentary (and important legal findings in the US and elsewhere) about intelligence operators overstepping their bounds, which violated both the privacy of ordinary citizens and relationships with key sovereign allies and key companies, the latter when they are needed most.

So far, the legislative consensus on how to manage this negative image has been to dial back actions taken after the September 11 attacks in New York and broaden intelligence-gathering capabilities to reinstate the regulatory regimes that were put in place but not respected. The intelligence community is realizing that it must also act to build trust, and the best route is through accountability and transparency, and also public outreach. By way of example, the Norwegian Intelligence Services has for five years been publishing a declassified annual report on its intelligence activities. This education of the public about what intelligence services do is an important way to foster cooperation. Arguably, it is also the best line of defence for any state experiencing unconventional threats, such as highly trained and motivated foreign fighters returning to their countries of origin, or the growing trend of lone-wolf attacks, which is a nightmare for any intelligence service. Both are extremely difficult to trace and prevent, and an effective response relies upon non-traditional responses and the cooperation of local communities.

Public-private collaboration

Cooperation can also be preventative and on a larger scale. For example, in the digital world of big data, it behooves intelligence agencies to try to enlist the help of the private sector to collect and share data. This type of cooperation also serves the purpose of creating an ally in the private sector to influence legislation and regulations on a global level.  Yet, normally such information sharing only occurs when the parties truly have an incentive to do so, and for the private sector, the case has generally not been compelling. Thus most so-called public/private information sharing has produced little, if any, meaningful sharing. In reality, the private markets, including between public sector and private institutes, has dominated information sharing and collaboration efforts have been mostly meaningless in terms of impact, but served an important public-relations function.

It is thus important to move the pendulum but also recognize that this ally is a fickle one, and the perception that such a shift will respond first and foremost to market forces and growing opaque alliances between intelligence and big business needs to be well managed. (As such, partnerships of this nature need to be handled with as much transparency, accountability and open debate as possible.) In particular, a stronger alliance between the private sector and the intelligence sector could both demarcate and foster better understanding of the difference between mass collection and mass surveillance.

As intelligence agencies and the private sector cooperate, there will be a more thorough debate about whether the public will tolerate companies mining data that encroaches on privacy for commercial purposes. This will be compared with public alarm over intelligence agencies mining data for security purposes – a practice that will have credibility and utility only if driven in equal measure by intelligence agencies, business and civil society, the media and privacy activist groups. Similarly, mining and sharing data will always be a sensitive issue, but the sharing of practices and insights related to how to balance the need for increased security while respecting privacy laws should not be an issue of contention. Ultimately, trust needs to be earned through an honest, collaborative and inclusive approach.

Cybersecurity

 Where cooperation becomes essential is in the realm of cybersecurity. Keeping tabs on dangerous actors online has increased the need for a stronger dialogue between intelligence operators and companies with vast experience in mining and interpreting massive data sets. Both the intelligence community and these companies can work together to increase the understanding among lawmakers about the growing number of “digital extremists”, many of whom operate on the dark net, but most of whom are also still in the open, using social media platforms. The private sector carries a particular responsibility to put mechanisms in place to alert governments about the harmful use of their platforms or networks that compromise the security of individuals, nations and the global community. Despite agreeing that protecting public goods and security is a shared responsibility, many companies see this – commonly referred to as “digital back doors” – as posing great reputational risk and being bad for the bottom line (since the regulatory framework around where to draw that line remains unclear).

As the world becomes increasingly digital, the importance of understanding threats in cyberspace cannot be overstated. Terrorists use cyber tools for propaganda, recruitment and fundraising with such ease that intelligence agencies are truly struggling to keep pace. The common response from decision-makers has been to enact legislation and institute regulations, but these efforts have been largely reactive and uninformed, evidenced by their failure to mitigate the evolution of cyberthreats – and even contributing to increased reliance on the dark net. Decision-makers must be given more information about cyberspace and its security, and the private sector is better positioned than the intelligence community to do this.

Lawmakers in most countries are focusing mainly on businesses’ concerns about how legislation affects their competitive advantage, rather than consulting with its experts about “back doors” to networks as optimal solutions to thwarting cybercriminals. To this effect, there is an important debate about these back doors, with many arguing that they make the internet less safe. And while for their own protection some companies have become savvy in this regard, and some even cooperate with intelligence agencies, most others are concerned that competitors will not comply with the new regulations, creating an uneven playing field.

It is clear that in the field of cybercrime there has been a growing success in partnerships across countries as well as between public and private sectors. Now it is time to leverage this progress to attempt to build more and better bridges between the national intelligence community, the private sector and the wider public.

The need for agile oversight

By nature, intelligence agencies will constantly push the boundaries of legal frameworks to adapt to the rapidly changing security landscape. Such frameworks should be strong but elastic enough to adapt. Qualified decision-makers (those who can make informed judgement calls to determine the means necessary to justify security) are essential to this equation. And it is of vital importance that the authorities involved in regulations and oversight fully understand the evolving technology, tools and security issues. Educating the public to appreciate this paradox is also a necessity.

Although, to a degree, this phenomenon is already happening, it does not have strong enough support from key players to create the transparency that would foster more trust and support. The paradox is that more openness, more visibility and more engagement with other sectors are what will ultimately help intelligence agencies evolve into their role for a new security era.

The World Economic Forum, offering the largest global platform for public-private interaction, is particularly well placed to provide collaborative thought leadership on reducing global security risk. It helps key actors evolve and adapt to the changing security landscape by bringing together companies, government decision-makers and regulators, military leaders, intelligence experts and civil society.

WEF

About The Author: Anja Kaspersen is Head of Geopolitics and International Security at the World Economic Forum.

 

 

« Germany's New Infrastructure Cybersecurity Law
Stagefright: New Android Vulnerability Dubbed 'heartbleed for mobile' »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Panda Security

Panda Security

Panda Security specializes in the development of endpoint security products and is part of the WatchGuard portfolio of IT security solutions.

MaxMind

MaxMind

MaxMind is an industry-leading provider of IP intelligence and online fraud detection tools.

CyberPilot

CyberPilot

CyberPilot ApS is a Danish cybersecurity company. We work with all types of companies and organisations, both large and small, who want to achieve effective cybersecurity.

Nation-E

Nation-E

Nation-E offers innovative cyber security solutions for industrial installations, critical infrastructure and smart grids.

Network Integrity Systems

Network Integrity Systems

Network Integrity Systems is a leader in network infrastructure security and offers solutions specifically developed for Government and Private Enterprise.

Awen Collective

Awen Collective

Awen Collective develops software-based tools for performing Digital Forensics, Incident Response and Cyber-Crime Investigation.

Cyber Discovery

Cyber Discovery

Cyber Discovery, the UK Government's Cyber Schools Programme, is a learning programme designed to give young people the opportunity to learn the skills needed to enter the cyber security profession.

Certis

Certis

Certis is a leading advanced integrated security organisation that develops and delivers multi-disciplinary security and integrated services.

ComCERT

ComCERT

ComCERT SA is an independent, private consulting company focusing in the assistance of its customers facing the dangers of cyber threats and security incidents.

Bangladesh Association of Software & Information Services (BASIS)

Bangladesh Association of Software & Information Services (BASIS)

BASIS is the national trade body for Software & IT Enabled Service industry of Bangladesh.

Wizlynx PTE LTD

Wizlynx PTE LTD

Wizlynx PTE LTD is the Singapore branch of Wizlynx Group located in Singapore, offering Information and Cyber Security Services throughout the entire Asia Pacific (APAC) region.

CounterFind

CounterFind

CounterFind is turnkey technology that allows brands to find and remove counterfeit and infringing merchandise from online marketplaces and social media sites.

ThriveDX

ThriveDX

ThriveDX, the world’s premier EdTech provider (formerly HackerU), champions digital transformation training as a means of empowering individuals to thrive in the age of digital disruption.

BlockAPT

BlockAPT

BlockAPT, empowering you with an advanced, intelligent cyber defence platform. We protect our customers digital assets by unifying operational technologies against advanced persistent threats.

Encova Insurance

Encova Insurance

Encova’s cyber liability coverage protects you and your customers in case of a security breach in your company's data.

Paragon Cyber Solutions

Paragon Cyber Solutions

Paragon Cyber Solutions provides specialized security risk management and IT solutions to protect the integrity of your business operations.