After lunch there was a panel, “Privacy Concerns in Cybersecurity,” moderated by Susan Landau, a Fellow at the Radcliffe Institute of Harvard University. Ms. Landau led a discussion with a mix of participants (lawyers from the EFF, former government policy makers, and private industry). The moderation was good, except that she cut off the EFF from responding to some of the allegations by the last speaker, Dr. Joel Brenner, a former National Counterintelligence Executive, which was too bad. Right at the beginning the EFF asked “Can I respond?” and she said “no.” That was really too bad because the conversation was starting to heat up.
Attribution wouldn’t fix all of those problems: all security, no privacy. Saying there should be a “balance” is not actually living in the present. We are well on our way to the third wave of computing (the “computing continuum”), which involves a huge diversity of devices and data and remote storage (cloud), creating unique and interesting problems for managing security in an environment where the information matters to individuals, organizations, and countries. Can you improve both privacy AND security in that future environment, instead of treating the two as a trade-off? A global digital infrastructure designed for global applications runs up against a silo-oriented consumer/government environment.
Kevin Bankston, a Senior Staff Attorney at the EFF, had the harder side of the panel debate. I thought the EFF took a bit of a beating in this panel. The EFF was accused of “selling the world stuff that they don’t really want.” The public, most of the panel stated, doesn’t want or care about the protections the EFF is demanding through litigation and legislation. Is the EFF defending our rights, or telling us what to do? Should we put the burden on the individuals (the public)? In his defense, Mr. Bankston said that the EFF cares quite a bit about the sorry state of the Internet right now, and that the EFF’s encryption offerings are very popular with the public at large.
Mr. Bankston is concerned with the climate of exaggeration and the vague definition of “cyberwar.” The DHS has been debating the cybersecurity emergency powers bill, pointing to the Hoover Dam as an example of a potential target of Internet-based attacks. Do they need a “kill switch” on the dam, just in case there is a cyber attack? (Would the Hoover Dam just cut the power if asked, instead of needing a federal government program?) The media spin did not mention that the Hoover Dam isn’t even connected to the Internet, because of security mandates and good business practice. He also claimed that the Estonian Internet attacks were trumped up a bit: they were actually easy to deal with, and if the same attack had hit Amazon.com it would have been swatted away easily. (I think he missed the point on that. Estonia is not a huge multinational corporation like Amazon. The fear that some of these smaller nation-states could easily be overrun by a simple attack should be worrisome.)
He did press the software issue: that we need to build and use better software (fewer bugs). Why isn’t Microsoft asked about its bugs before a Congressional panel or a security infrastructure group? Why doesn’t the security debate focus on software? He argued for “cyber hygiene”: better management, standardization, and budgeting.
Dr. Joel Brenner, a former National Counterintelligence Executive, started his talk with personally identifiable information (PII). PII is the foundation of much of privacy law. The California Supreme Court has ruled in Pineda v. Williams-Sonoma Stores, Inc., that ZIP codes are also “personally identifiable information” for purposes of the Song-Beverly Credit Card Act (California Civil Code § 1747, et seq.). This law was initially passed to significantly restrict retailers’ ability to request or record PII in connection with processing credit card transactions. Under the Act, “personal identification information” is “information concerning the card holder, other than information set forth on the credit card, and including, but not limited to, the card holder’s address and telephone number.” He asked whether there is any “real” category of PII anymore: is nothing (or everything) PII? In his view, all of these decisions and laws boil down to hostility towards targeted advertising.
He also strongly refuted the idea that it is perfectly fine to connect the national electrical grid to the Internet. From Dr. Brenner’s point of view the system was never intended to be connected to the Internet: it’s an industrial system, and it was not designed for the kind of open communication the Internet has. (He talked a bit about the series of cyberattacks in Brazil: one north of Rio de Janeiro in January 2005 that affected three cities and tens of thousands of people, and another, much larger event beginning in September 2007.) Unfortunately, Dr. Brenner said, we don’t know how to protect the grids properly. And this is not a civil liberties issue; it is a problem that can be solved now, without privacy concerns or litigation.
Dr. Richard Falkenrath, Principal of the Chertoff Group and former Deputy Homeland Security Advisor, had some interesting comments about information sharing. Data sharing between private companies could really help the fight against cybercrime. The private sector does a far better job at protecting itself than the government does. He accused the U.S. government of “wanting to borrow our watch, and tell us the time.” How do we update these laws? Many laws require an update regarding real-time observation, packet inspection, and private company information, but these updates start to violate privacy, or at least worry the companies about the potential for privacy litigation. As the laws are being revised, he said, we need to look at the purpose of the government’s intervention (search vs. seizure). The U.S. is massively dependent on electronic surveillance, above all for cases involving international crime, and the laws need to reflect that dependency and modernize.