Can You have Both Security & Privacy in the Internet Age?


With threats to national and international security on the rise, all agree that security services have to be able to operate in order to address them. However, as the haystack of data necessary to do so has become an object of interest, along with the algorithms that find the needles in it, it has become clear that the traditional mechanisms used to control surveillance are inadequate.

The conundrum is how to ensure protection while retaining the critical underpinnings of our democratic systems – free speech, freedom of assembly and association, and, critically, the right to privacy. It is clear that with the acceleration of technologies, there are no easy lines to draw. Moreover, in the internet age, almost all boundaries are being erased or redefined.

Black swans of security

Is it possible to be secure without giving up some privacy?  Theoretically yes, although in reality it is not so easy to implement. But stating this has never been so contested. The strategic environment in which state intelligence operators manoeuvre is evolving rapidly, from an increasing number and different types of intelligence consumers, to demands for faster and more efficient responses in the roiling confluence of threats. There’s also the increasing complexity of cross-border terrorism and asymmetric war, and the full-on return of interstate strategic conflict. Thus, keeping distinctions between domestic and international does not work any more.

As intelligence gathering becomes increasingly integral to national and international security, the debate has become quite heated on how the intelligence community should be equipped to anticipate and prevent the worst-case scenarios and “black swans” of security. Yet sometimes even sophisticated and comprehensive intelligence gathering cannot prevent terrorist attacks, as we have seen in the recent wave of gruesome incidents in places as far apart as Pakistan, Nigeria, Tunisia, Australia, the United States, Kuwait and France.

Today, the situation has shifted dramatically. The recently released Global Terrorism Index report (GTI) from the Institute for Economics and Peace shows that between 2012 and 2013, the number of people killed in terrorist incidents saw the largest increase in history, to 18,000 lives lost, which is a 61 percent increase from one year to the next.

Global Terrorism Index 2014 Results Map

Mass data

Is it problematic if government agencies collect our digital footprint, metadata, online habits and digital history for eternity? This data can potentially be used and abused – but it can also keep people safe. When reflecting on this question it is important to remind ourselves that, between the telecommunication companies, internet search engines and social media apps, you may have already consented to share a lot of your data, including your needs, preferences and dislikes.

While misguided regulation could drive intelligence operations further underground and create more uncertainty about their actions and legitimacy, the debate is stuck on the issue of intelligence gathering and surveillance infringing on the privacy rights of individuals and also the abuse of those powers to target industry competitors and political, environmental, civil-society groups; and even individuals whom current and future governments don’t like.

Do we get caught up in a discussion about where we draw the line and posture over perceived government intrusion in times of calm, or do we reflect on the fact that in times of crisis, the calm tends to be easily replaced with strong criticism of why governments and companies did not do more to protect us? How do we ensure better understanding by lawmakers of the need for, but also the challenges of, making sure mass surveillance is not abused, by both public and private actors? How can we develop oversight mechanisms and processes that are meaningful for ensuring legal compliance?

The recent decisions by the US Congress and the UK government to restrict their agencies’ intelligence gathering and surveillance have been lauded in the media (as well as in sections of academia and civil society), but there is a long way to go before the intelligence community can curb security threats in a digital age that has magnified them, made them more insidious and pushed them across international borders.

Transparency – a tool to more effective intelligence?

For the intelligence community and the wider government apparatus, this is a matter of public image. To build trust, both groups need to be far more effective in explaining how they honour their responsibilities towards the privacy of individuals, especially in communities that feel they bear the brunt of scrutiny. This is about demonstrating accountability and practising effective oversight. It behooves agencies and the entities that are charged with overseeing them to increase transparency without compromising security, and to foster cooperation among multiple stakeholders.

On the cooperation front, there must be more clarification regarding the distinction between mass collection of information and mass surveillance. Through this clarification, there must be more knowledge among lawmakers about security implications, so that informed legislation and regulatory frameworks can be put in place. In particular, knowledge and legislation must be increased dramatically around the issue of cybersecurity.

The top-secret documents leaked by former NSA contractor Edward Snowden significantly damaged the US intelligence community’s public image and that of the bodies charged with its oversight. And, by default, they damaged that of the intelligence community worldwide. Although few would argue that the leaks directly compromised national and international security, there has been a great deal of commentary (and important legal findings in the US and elsewhere) about intelligence operators overstepping their bounds, which violated both the privacy of ordinary citizens and relationships with key sovereign allies and key companies, the latter when they are needed most.

So far, the legislative consensus on how to manage this negative image has been to dial back actions taken after the September 11 attacks in New York and broaden intelligence-gathering capabilities to reinstate the regulatory regimes that were put in place but not respected. The intelligence community is realizing that it must also act to build trust, and the best route is through accountability and transparency, and also public outreach. By way of example, the Norwegian Intelligence Services has for five years been publishing a declassified annual report on its intelligence activities. This education of the public about what intelligence services do is an important way to foster cooperation. Arguably, it is also the best line of defence for any state experiencing unconventional threats, such as highly trained and motivated foreign fighters returning to their countries of origin, or the growing trend of lone-wolf attacks, which is a nightmare for any intelligence service. Both are extremely difficult to trace and prevent, and an effective response relies upon non-traditional responses and the cooperation of local communities.

Public-private collaboration

Cooperation can also be preventative and on a larger scale. For example, in the digital world of big data, it behooves intelligence agencies to try to enlist the help of the private sector to collect and share data. This type of cooperation also serves the purpose of creating an ally in the private sector to influence legislation and regulations on a global level. Yet, normally such information sharing only occurs when the parties truly have an incentive to do so, and for the private sector, the case has generally not been compelling. Thus most so-called public/private information sharing has produced little, if any, meaningful sharing. In reality, the private markets, including between public sector and private institutes, have dominated information sharing, and collaboration efforts have been mostly meaningless in terms of impact but have served an important public-relations function.

It is thus important to move the pendulum but also recognize that this ally is a fickle one, and the perception that such a shift will respond first and foremost to market forces and growing opaque alliances between intelligence and big business needs to be well managed. (As such, partnerships of this nature need to be handled with as much transparency, accountability and open debate as possible.) In particular, a stronger alliance between the private sector and the intelligence sector could both demarcate and foster better understanding of the difference between mass collection and mass surveillance.

As intelligence agencies and the private sector cooperate, there will be a more thorough debate about whether the public will tolerate companies mining data that encroaches on privacy for commercial purposes. This will be compared with public alarm over intelligence agencies mining data for security purposes – a practice that will have credibility and utility only if driven in equal measure by intelligence agencies, business and civil society, the media and privacy activist groups. Similarly, mining and sharing data will always be a sensitive issue, but the sharing of practices and insights related to how to balance the need for increased security while respecting privacy laws should not be an issue of contention. Ultimately, trust needs to be earned through an honest, collaborative and inclusive approach.

Cybersecurity

Where cooperation becomes essential is in the realm of cybersecurity. Keeping tabs on dangerous actors online has increased the need for a stronger dialogue between intelligence operators and companies with vast experience in mining and interpreting massive data sets. Both the intelligence community and these companies can work together to increase the understanding among lawmakers about the growing number of “digital extremists”, many of whom operate on the dark net, but most of whom are also still in the open, using social media platforms. The private sector carries a particular responsibility to put mechanisms in place to alert governments about the harmful use of their platforms or networks that compromises the security of individuals, nations and the global community. Despite agreeing that protecting public goods and security is a shared responsibility, many companies see this – commonly referred to as “digital back doors” – as posing great reputational risk and being bad for the bottom line (since the regulatory framework around where to draw that line remains unclear).

As the world becomes increasingly digital, the importance of understanding threats in cyberspace cannot be overstated. Terrorists use cyber tools for propaganda, recruitment and fundraising with such ease that intelligence agencies are truly struggling to keep pace. The common response from decision-makers has been to enact legislation and institute regulations, but these efforts have been largely reactive and uninformed, evidenced by their failure to mitigate the evolution of cyberthreats – and even contributing to increased reliance on the dark net. Decision-makers must be given more information about cyberspace and its security, and the private sector is better positioned than the intelligence community to do this.

Lawmakers in most countries are focusing mainly on businesses’ concerns about how legislation affects their competitive advantage, rather than consulting with their experts about “back doors” to networks as optimal solutions to thwarting cybercriminals. To this effect, there is an important debate about these back doors, with many arguing that they make the internet less safe. And while for their own protection some companies have become savvy in this regard, and some even cooperate with intelligence agencies, most others are concerned that competitors will not comply with the new regulations, creating an uneven playing field.

It is clear that in the field of cybercrime there has been a growing success in partnerships across countries as well as between public and private sectors. Now it is time to leverage this progress to attempt to build more and better bridges between the national intelligence community, the private sector and the wider public.

The need for agile oversight

By nature, intelligence agencies will constantly push the boundaries of legal frameworks to adapt to the rapidly changing security landscape. Such frameworks should be strong but elastic enough to adapt. Qualified decision-makers (those who can make informed judgement calls to determine the means necessary to justify security) are essential to this equation. And it is of vital importance that the authorities involved in regulations and oversight fully understand the evolving technology, tools and security issues. Educating the public to appreciate this paradox is also a necessity.

Although, to a degree, this phenomenon is already happening, it does not have strong enough support from key players to create the transparency that would foster more trust and support. The paradox is that more openness, more visibility and more engagement with other sectors are what will ultimately help intelligence agencies evolve into their role for a new security era.

The World Economic Forum, offering the largest global platform for public-private interaction, is particularly well placed to provide collaborative thought leadership on reducing global security risk. It helps key actors evolve and adapt to the changing security landscape by bringing together companies, government decision-makers and regulators, military leaders, intelligence experts and civil society.

WEF

About The Author: Anja Kaspersen is Head of Geopolitics and International Security at the World Economic Forum.

 

 
