Widening the flows of information between the private sector and the government was a central theme at today’s White House Summit on Cybersecurity and Consumer Protection. The topic was an issue of contentious debate both informally and formally through panels at the event.
Phyllis Schneck, Deputy Under Secretary for Cybersecurity and Communications at the Department of Homeland Security spoke to The Daily about some of the administration’s policy goals.
“First of all the reason we worry so much about info sharing is about connecting the dots,” she said.
Schneck talked about the importance of taking information from government and private sector resources and connecting the dots. She mentioned two interfaces, the NCIC (National Cybersecurity Communication Integration Center) and the CTIC (Cyber Threat Integration Center).
“The NCIC is the main interface for cybersecurity information sharing for the private sector,” Schneck said.
She also explained that the CTIC is a space for the intelligence community to work and combine information from multiple sources.
Not all of the attendees were as optimistic on information sharing, however. Nuala O’Connor, President and CEO of the Center for Democracy and Technology (CDT), addressed potential issues posed by this increased information flow.
“I am very concerned about sharing [information] with the government,” she said. “Once you’ve got data in the hands of any government agency, the chances that it will flow to other government agencies for other purposes is quite high.”
O’Connor explained that the CDT was calling for improved collaboration in the private sector to allow for better threat and risk analysis but was wary of the government connection.
“To have it end up permanently in the hands of the federal government in any wholesale manner is a huge civil liberties risk,” she added. “We need to be very leery of those kinds of solutions.”
One of the more concerning issues with large amounts of metadata, O’Connor explained, was the risk of metadata being de-anonymized. She cited Jonathan Mayer’s recently publicized research in the subject.
“Trend analysis, pattern analysis, that’s all good,” O’Connor said. “Your and my personal information about our transactions and our daily lives – that has a level of privacy associated with it that I think we really want to keep on the commercial side of the house.”
O’Connor also discussed the risks behind large amounts of metadata.
“When you look at it across different platforms, you can re-identify people; you can do trend analysis that could lead you to certain assumptions and judgments about people,” she said.
“I think metadata should be treated like data,” she concluded.
Apple CEO Tim Cook’s comments about the development of Apple Pay earlier in the day spoke to O’Connor’s point.
“Security was part of the reason we developed the technology for [Apple Pay],” he said. “It starts with the premise that your credit card purchases are personal to you, and they should stay that way. For every payment, we create a unique one-time code for that individual transaction.”
Schneck assuaged fears that increasing government interest in cybersecurity would dampen the burgeoning growth of network-enabled devices, the so-called “Internet of Things.”
“The innovators and the researchers are going to hold those reins [of control],” Schneck said. “I think you’re going to push the laws of physics even further, and you’re going to control how they are used. I think the role of government is to enable that.”
Schneck emphasized the fact that one of the Department of Homeland Security’s new missions is to be a front for cybersecurity information exchange.
Arthur W. Coviello, President of the RSA Division of EMC, expressed his issues with new government initiatives for information sharing. Coviello explained that policy should take the perspective that privacy should reinforce security instead of conflicting with it. RSA was acquired by EMC in 2006.
“Having an active debate on how we can secure the privacy and freedoms of us as individuals while still being able to determine who is trying to violate that privacy in the form of criminals and nation-states and hacktivists that would do us harm – that’s the issue that really needs to be discussed from a policy standpoint,” Coviello said.
Like O’Connor, Coviello emphasized the need for information flow but cautioned about open information flow to the government.
“The problem that we’ve had with the government in the past is a lack of transparency,” he said. “A big problem with the Snowden disclosures is that the National Security Agency was viewed to have not been transparent and going over the line in terms of the kind of data they were collecting.”
“I think that set the trust between private individuals and companies and the government a long way,” he added.
Scheck acknowledged the issue of maintaining a balance between data privacy and the protection of individuals but also emphasized that it is an important and current issue of policy debate.
“We want to be able to provide the most privacy we can for people’s data, and we also have to make sure that we can track bad guys,” she said. “I think the discussion is going to be very challenging.”
Advice and suggestions for students
The setting of the summit at Stanford encouraged attendees and panelists to emphasize the importance of cybersecurity issues to the current generation of students.
“[The] big scary advice people give is to be very aware of what is posted online in your profiles,” O’Connor told The Daily. “You will be seen by potential employers. My number one piece of advice is be wary of how you set your privacy settings and understand that what you have posted will be used to judge you.”
O’Connor expressed that there were some advantages to the surge of ephemeral communication technologies.
“We need better ephemeral systems and technologies – I can see some benefits from Snapchat,” she added, laughing.
Coviello expressed that students need to maintain caution while being online and discussed how the current generation of students live in an entirely new environment.
“You guys eat, drink, sleep, breathe technology,” he said.
“If anything I would caution you all to be careful about what kind of information you put out there and make sure you understand where it’s going and where you go wherever you are on the internet,” he concluded.
Schneck spoke to the importance of new minds entering into and learning about the field of cybersecurity.
“It is so important that we bring the best people into government,” she said. “I think [that in] the future you’ll find careers being a mix of the government and private sector, creating a hybrid of skills.”
Echoing remarks about the importance of education from President Obama and the morning session’s panelists, Schneck talked about nurturing technical skills.
“We need to start nurturing these skills from the high school level itself,” she said.
Schneck advised students to look at building technical understanding.
“It’s always helpful to understand how something works when you are deciding the policy around it,” Schneck said. “Even if you choose not to go into a purely technical field, the background will help you make better decisions.”
Contact Nitish Kulkarni at nitishk2 ‘at’ stanford.edu.
Victor Xu contributed to this article.