Obama’s Former Privacy Director Decries America’s Data Security


President Obama stands in the well of the House, demanding Congress take action on privacy and cybersecurity. Nothing happens. It has become an annual Washington ritual. One we witnessed again last night.


The state of our union’s data is insecure.


In 2009, President Obama announced the creation of a White House cybersecurity office as part of the National Security Staff, and named me its first privacy official. Two years later, the White House proposed legislation, but Congress took no action. Today, we have less privacy and our systems remain as insecure as ever.



Tim Edgar


Tim Edgar is a visiting fellow at Brown University. He served in the Obama White House as the first-ever Director of Privacy and Civil Liberties for the National Security Staff and has been a privacy lawyer for the Director of National Intelligence and the American Civil Liberties Union. He advises technology start-ups, including Virtru mentioned in this piece.



How can Congress continue to ignore what is becoming our most pressing national security issue? Bipartisan cheerleading for cybersecurity aside, there is fierce industry opposition to new security or privacy rules. Meanwhile, civil liberties and privacy activists think that panic about cyber breaches will lead to surveillance and filtering that would destroy the open Internet in the name of saving it. Accommodating these concerns should not be an impossible task, but in today’s Washington, it has been.


Last night Obama implored Congress, saying: “And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information. If we don’t act, we’ll leave our nation and our economy vulnerable.” Obama’s new legislative proposals include incentives for voluntary information sharing, tougher penalties for cybercrime, and consumer privacy protections. They are useful ideas, but even if Congress passed all of them—which they likely won’t—Kim Jong Un will hardly be shaking in his boots. Effective commercial privacy legislation is long overdue, but North Korean cyber-warriors are unlikely to be deterred by new rules safeguarding schoolchildren’s educational data.




State-sponsored hackers are unlikely to fear American prosecutions, either. The indictments last year of members of a secret military hacking unit in China have had little discernible effect. The intrusions at Home Depot, J.P. Morgan and Sony show that threatening prosecution of hackers protected by powerful foreign governments and outside the reach of American law enforcement simply isn’t an effective deterrent.


The Answers Are Not In Washington


The best ideas I’ve heard for improving our cybersecurity have not come from inside the intelligence community or the White House, but from outside the federal government. In the past few years, privacy start-ups have flourished. Silent Circle offers secure voice and text messaging. Virtru offers a simple browser plug-in to encrypt e-mails and file attachments using existing platforms like Gmail. Big companies have also stepped up. Apple’s new iPhone offers better encryption, closing a backdoor that allowed surveillance and compromised security.


On encryption, gridlock in Washington is good news. The FBI’s push late last year for government-mandated backdoors for encrypted data has fallen flat. Now this dreadful idea has migrated across the pond, where the British government seems determined to weaken cybersecurity in the aftermath of the attacks in Paris. In fact, backdoors for encrypted communications would do nothing to prevent terrorism, but would weaken data security for everyone.


President Obama has encouraged industry to share more detailed information about cyber threats, yet the best sharing arrangements have come from the states and the private sector, not from Washington. While legislation can offer liability protection, the need for such protection as an incentive for sharing has been exaggerated. Companies can and do already share confidential threat information under the protection of nondisclosure agreements. The Advanced Cyber Security Center, based in Boston, is one such sharing arrangement. It includes companies like Pfizer, State Street, and RSA/EMC Corporation along with the Federal Reserve Bank of Boston and the Commonwealth of Massachusetts.




A fundamental failure to take responsibility for insecure systems and buggy code is at the heart of our cybersecurity woes. While data breaches do cause companies legal headaches, the massive verdicts that have prompted reforms of other defective products are absent in the case of computer intrusions. The companies that write bad code have effectively protected themselves through software license agreements, and many companies would still rather hope for the best than spend money to fix their systems.


No proposal in Obama’s State of the Union address would truly hold companies accountable for cyber insecurity. If you are looking for effective ideas on this score, you would do better to listen to students here at Brown University where I’ve lately been teaching.


One student’s idea was to build on existing “bug bounty” programs in which software companies pay researchers money for uncovering security flaws by turning the federal hacking law on its head. Today, all intrusions—even “white hat” penetrations for security research—are illegal unless the system owner consents. A company with lousy security may threaten a security researcher with a lawsuit or jail time for pointing out a gaping hole in its defenses. What if Congress reversed this perverse law, requiring companies to pay ethical hackers for demonstrating vulnerabilities?


President Obama and Congress should be working together to ensure that companies can no longer get by with insecure systems, software, and data. They should encourage, or at least not discourage, the deployment of secure messaging and the widespread use of strong encryption with no backdoors. To address state-sponsored cyber theft and attacks, they should avoid empty gestures and instead gather the best ideas from outside Washington. If our nation’s leaders continue to offer only rhetoric and half measures in the face of real threats, the state of our union’s most valuable data may remain insecure for some time to come.

