Can You Have Both Security & Privacy in the Internet Age?

With threats to national and international security on the rise, all agree that security services have to be able to operate in order to address them. However, as the haystack of data necessary to do so has become an object of interest, along with the algorithms that find the needles in it, it has become clear that the traditional mechanisms used to control surveillance are inadequate.

The conundrum is how to ensure protection while retaining the critical underpinnings of our democratic systems – free speech, freedom of assembly and association, and, critically, the right to privacy. It is clear that with the acceleration of technologies, there are no easy lines to draw. Moreover, in the internet age, almost all boundaries are being erased or redefined.

Black swans of security

Is it possible to be secure without giving up some privacy? Theoretically yes, although in reality it is not so easy to implement. But stating this has never been so contested. The strategic environment in which state intelligence operators manoeuvre is evolving rapidly, from an increasing number and different types of intelligence consumers, to demands for faster and more efficient responses in the roiling confluence of threats. There’s also the increasing complexity of cross-border terrorism and asymmetric war, and the full-on return of interstate strategic conflict. Thus, keeping distinctions between domestic and international does not work any more.

As intelligence gathering becomes increasingly integral to national and international security, the debate has become quite heated on how the intelligence community should be equipped to anticipate and prevent the worst-case scenarios and “black swans” of security. Yet sometimes even sophisticated and comprehensive intelligence gathering cannot prevent terrorist attacks, as we have seen in the recent wave of gruesome incidents in places as far apart as Pakistan, Nigeria, Tunisia, Australia, the United States, Kuwait and France.

Today, the situation has shifted dramatically. The recently released Global Terrorism Index report (GTI) from the Institute for Economics and Peace shows that between 2012 and 2013, the number of people killed in terrorist incidents saw the largest increase in history, to 18,000 lives lost, which is a 61 percent increase from one year to the next.

Figure: Global Terrorism Index 2014 Results Map

Mass data

Is it problematic if government agencies collect our digital footprint, metadata, online habits and digital history for eternity? This data can potentially be used and abused – but it can also keep people safe. When reflecting on this question it is important to remind ourselves that, between the telecommunication companies, internet search engines and social media apps, you may have already consented to share a lot of your data, including your needs, preferences and dislikes.

While misguided regulation could drive intelligence operations further underground and create more uncertainty about their actions and legitimacy, the debate is stuck on the issue of intelligence gathering and surveillance infringing on the privacy rights of individuals, and on the abuse of those powers to target industry competitors; political, environmental and civil-society groups; and even individuals whom current and future governments don’t like.

Do we get caught up in a discussion about where we draw the line and posture over perceived government intrusion in times of calm, or do we reflect on the fact that in times of crisis, the calm tends to be easily replaced with strong criticism of why governments and companies did not do more to protect us? How do we ensure better understanding by lawmakers of the need for, but also the challenges of, making sure mass surveillance is not abused, by both public and private actors? How can we develop oversight mechanisms and processes that are meaningful for ensuring legal compliance?

The recent decisions by the US Congress and the UK government to restrict their agencies’ intelligence gathering and surveillance have been lauded in the media (as well as in sections of academia and civil society), but there is a long way to go before the intelligence community can curb security threats in a digital age that has magnified them, made them more insidious and pushed them across international borders.

Transparency – a tool to more effective intelligence?

For the intelligence community and the wider government apparatus, this is a matter of public image. To build trust, both groups need to be far more effective in explaining how they honour their responsibilities towards the privacy of individuals, especially in communities that feel they bear the brunt of scrutiny. This is about demonstrating accountability and practising effective oversight. It behooves agencies and the entities that are charged with overseeing them to increase transparency without compromising security, and to foster cooperation among multiple stakeholders.

On the cooperation front, there must be more clarification regarding the distinction between mass collection of information and mass surveillance. Through this clarification, there must be more knowledge among lawmakers about security implications, so that informed legislation and regulatory frameworks can be put in place. In particular, knowledge and legislation must be increased dramatically around the issue of cybersecurity.

The top-secret documents leaked by former NSA contractor Edward Snowden significantly damaged the US intelligence community’s public image and that of the bodies charged with its oversight. And, by default, they damaged that of the intelligence community worldwide. Although few would argue that the leaks directly compromised national and international security, there has been a great deal of commentary (and important legal findings in the US and elsewhere) about intelligence operators overstepping their bounds, which violated both the privacy of ordinary citizens and relationships with key sovereign allies and key companies, the latter when they are needed most.

So far, the legislative consensus on how to manage this negative image has been to dial back actions taken after the September 11 attacks in New York and broaden intelligence-gathering capabilities to reinstate the regulatory regimes that were put in place but not respected. The intelligence community is realizing that it must also act to build trust, and the best route is through accountability and transparency, and also public outreach. By way of example, the Norwegian Intelligence Services has for five years been publishing a declassified annual report on its intelligence activities. This education of the public about what intelligence services do is an important way to foster cooperation. Arguably, it is also the best line of defence for any state experiencing unconventional threats, such as highly trained and motivated foreign fighters returning to their countries of origin, or the growing trend of lone-wolf attacks, which is a nightmare for any intelligence service. Both are extremely difficult to trace and prevent, and an effective response relies upon non-traditional responses and the cooperation of local communities.

Public-private collaboration

Cooperation can also be preventative and on a larger scale. For example, in the digital world of big data, it behooves intelligence agencies to try to enlist the help of the private sector to collect and share data. This type of cooperation also serves the purpose of creating an ally in the private sector to influence legislation and regulations on a global level. Yet, normally such information sharing only occurs when the parties truly have an incentive to do so, and for the private sector, the case has generally not been compelling. Thus most so-called public/private information sharing has produced little, if any, meaningful sharing. In reality, the private markets, including between public sector and private institutes, have dominated information sharing, and collaboration efforts have been mostly meaningless in terms of impact but have served an important public-relations function.

It is thus important to move the pendulum but also recognize that this ally is a fickle one, and the perception that such a shift will respond first and foremost to market forces and growing opaque alliances between intelligence and big business needs to be well managed. (As such, partnerships of this nature need to be handled with as much transparency, accountability and open debate as possible.) In particular, a stronger alliance between the private sector and the intelligence sector could both demarcate and foster better understanding of the difference between mass collection and mass surveillance.

As intelligence agencies and the private sector cooperate, there will be a more thorough debate about whether the public will tolerate companies mining data that encroaches on privacy for commercial purposes. This will be compared with public alarm over intelligence agencies mining data for security purposes – a practice that will have credibility and utility only if driven in equal measure by intelligence agencies, business and civil society, the media and privacy activist groups. Similarly, mining and sharing data will always be a sensitive issue, but the sharing of practices and insights related to how to balance the need for increased security while respecting privacy laws should not be an issue of contention. Ultimately, trust needs to be earned through an honest, collaborative and inclusive approach.

Cybersecurity

Where cooperation becomes essential is in the realm of cybersecurity. Keeping tabs on dangerous actors online has increased the need for a stronger dialogue between intelligence operators and companies with vast experience in mining and interpreting massive data sets. Both the intelligence community and these companies can work together to increase the understanding among lawmakers about the growing number of “digital extremists”, many of whom operate on the dark net, but most of whom are also still in the open, using social media platforms. The private sector carries a particular responsibility to put mechanisms in place to alert governments about the harmful use of their platforms or networks that compromise the security of individuals, nations and the global community. Despite agreeing that protecting public goods and security is a shared responsibility, many companies see this – commonly referred to as “digital back doors” – as posing great reputational risk and being bad for the bottom line (since the regulatory framework around where to draw that line remains unclear).

As the world becomes increasingly digital, the importance of understanding threats in cyberspace cannot be overstated. Terrorists use cyber tools for propaganda, recruitment and fundraising with such ease that intelligence agencies are truly struggling to keep pace. The common response from decision-makers has been to enact legislation and institute regulations, but these efforts have been largely reactive and uninformed, evidenced by their failure to mitigate the evolution of cyberthreats – and even contributing to increased reliance on the dark net. Decision-makers must be given more information about cyberspace and its security, and the private sector is better positioned than the intelligence community to do this.

Lawmakers in most countries are focusing mainly on businesses’ concerns about how legislation affects their competitive advantage, rather than consulting with its experts about “back doors” to networks as optimal solutions to thwarting cybercriminals. To this effect, there is an important debate about these back doors, with many arguing that they make the internet less safe. And while for their own protection some companies have become savvy in this regard, and some even cooperate with intelligence agencies, most others are concerned that competitors will not comply with the new regulations, creating an uneven playing field.

It is clear that in the field of cybercrime there has been a growing success in partnerships across countries as well as between public and private sectors. Now it is time to leverage this progress to attempt to build more and better bridges between the national intelligence community, the private sector and the wider public.

The need for agile oversight

By nature, intelligence agencies will constantly push the boundaries of legal frameworks to adapt to the rapidly changing security landscape. Such frameworks should be strong but elastic enough to adapt. Qualified decision-makers (those who can make informed judgement calls to determine the means necessary to justify security) are essential to this equation. And it is of vital importance that the authorities involved in regulations and oversight fully understand the evolving technology, tools and security issues. Educating the public to appreciate this paradox is also a necessity.

Although, to a degree, this phenomenon is already happening, it does not have strong enough support from key players to create the transparency that would foster more trust and support. The paradox is that more openness, more visibility and more engagement with other sectors are what will ultimately help intelligence agencies evolve into their role for a new security era.

The World Economic Forum, offering the largest global platform for public-private interaction, is particularly well placed to provide collaborative thought leadership on reducing global security risk. It helps key actors evolve and adapt to the changing security landscape by bringing together companies, government decision-makers and regulators, military leaders, intelligence experts and civil society.

WEF

About The Author: Anja Kaspersen is Head of Geopolitics and International Security at the World Economic Forum.

 

 
