Thursday, February 17, 2011

Federal Officials Call For Better Privacy, Security Protections Online

Via Dennis Fisher at ThreatPost ...

The Obama administration's top information security officials hit the stage at the RSA Conference Tuesday, looking to drum up support for several of the president's key security and privacy initiatives, including a still-nebulous plan for protecting users' freedom and privacy on the Web.

The plea for help from the thousands of security experts and enterprise executives gathered here for RSA came from Howard Schmidt, the president's cybersecurity adviser and Philip Reitinger, the deputy undersecretary of the National Protection and Programs directorate at the Department of Homeland Security, who spoke as part of a town hall meeting on cybersecurity. Schmidt, a former top security official at Microsoft and eBay, used the Internet shutdown that accompanied the recent revolution in Egypt as an example of what President Obama wants to prevent.

"It is incumbent upon all of us to make sure that we preserve those freedoms," Schmidt said. "We're going to hold others accountable on Internet freedom and make sure that we do those same things ourselves. We need to lead by example."

Earlier in the day, Secretary of State Hillary Clinton gave a similar speech to a group of students at George Washington University in which she emphasized the need for some framework of rules to help guarantee a basic level of freedom online.

"For the United States, the choice is clear. On the spectrum of Internet freedom, we place ourselves on the side of openness. Now, we recognize that an open Internet comes with challenges. It calls for ground rules to protect against wrongdoing and harm. And Internet freedom raises tensions, like all freedoms do. But we believe the benefits far exceed the costs," Clinton said.

What's less clear in all of this is exactly what the Obama administration intends to do to achieve these goals. At RSA, Schmidt and Reitinger both said that in order to improve both security and privacy online, the government needs help from the private sector. This has been a common theme in government information security plans for more than a decade and the idea of more public-private partnerships has been dismissed by many in the industry as futile. But Reitinger said that they can work if done correctly.

"When we say public-private partnership, people don't know what we mean. Neither the government nor the private sector can solve these problems on their own," he said. "People hear this and think we're just going to walk away saying kumbaya. That's not what we're talking about. The successful ones actually are a partnership and they're real and outcome-focused."

None of the panelists offered much in the way of specifics on what the administration planned to do, aside from previously announced initiatives such as the plan to create online IDs. But Schmidt stressed that there were plans in the works that would get things moving.

"We need to ensure we have the safeguards in place to protect people," he said. "It's all about collaboration. We need new ways to work faster. It's critical to our future and having that economic engine that we all need."


Weixian Cai said...

This article called to mind for me the perennial tension between civil liberties and national security. To be sure, freedom of expression is an inalienable civil liberty, and the U.S. is right to come down on the side of its preservation. Yet security imperatives will frequently necessitate re-evaluation regarding the extent of those freedoms.

It will be interesting to see how the U.S. handles this delicate challenge, and I can't help but go back to the experience of flying in the pre- vs. post-9/11 eras in thinking of a precedent that might apply. Before 9/11, airport security checks were relatively hassle-free; yet post-9/11 and especially in recent years, security checks have become burdensome and at times even intrusive.

Should a cyber catastrophe occur in the coming years, will the internet be similarly policed and regulated, with an implied degradation of the experience for all involved?

Margot Annie Dale said...

I think this article touches on a lot of what we discussed in class the other day. Who's job is it to protect internet privacy? Many can argue that an individual is completely responsible for their own personal security. For example, protecting their computers, using privacy settings on Facebook/Twitter/MySpace, etc., as well as using discretion when giving out important information such as credit card numbers/social security numbers/phone numbers/etc. However as hundreds of examples in the past have shown, no matter how many precautions the average person takes, there is still risk for internet foul play. We have discussed the threats to internet privacy (threat to confidentiality, threats to integrity, and threat to availability). Is it completely possible for a person to protect themselves from all of these risks at all times while using the internet? The answer is probably no. So then we can argue that it is then the job of the government to step in and make some kinds of changes to the way in which people use the internet today. The mentality of the Obama administration seems to be the freer the internet the better, however this article does illuminate some of the efforts to work towards a more secure internet. Although this article doesn't mention any specific examples of ways to better protect the American people on the internet, as none have been officially put forth, it does discuss the growing awareness of the necessity for these protections to exist. Should the government go as far as to create a kill switch in order to "protect" the US people? In my opinion, no. However I definitely believe that less extreme measures must be taken by the government, in coalition with smart internet use by the American public.

Katharina said...

It is great to see that the Obama Administration is backing new baseline rules to protect users’ freedom and privacy on the Web. However, as the article points out, the problem of implementing better privacy and security protections online is that there is always a difficult balancing of values. These values include: liberty, security and the free market:
1. Liberty
Throughout history, American privacy laws have emphasized the home as the primary defense or “place of sanctity” and the state as the primary enemy. Therefore, the American “the right to privacy” online usually rests in the individual, unless the online intrusion is associated with the state. It is interesting to see that while commercial transactions are often unregulated, governmental/ federal websites are almost always required to follow strict Internet privacy laws.
2. Security
Since 9/11 concerns for national security have tended to trump concerns for online privacy and civil liberties. The American debate about Internet privacy law is often presented as a zero-sum game of security versus privacy. However, perhaps the real logic is liberty versus control.

3. Free market
American policymakers have tended to place a high value on market-based solutions to privacy issues. Their arguments are often based on the philosophy that self-regulation will accomplish the most meaningful protection of data privacy while simultaneously ensuring the greatest flexibility for profit-maximization and technological innovation. After all, there is arguably a benefit in leaving consumer data privacy unregulated. Uncontrolled trafficking of consumer data lowers search costs for businesses and makes it easier for buyers and sellers to find each other and complete transactions.

Due to the constant interplay and balancing of these core values, the United States has struggled to implement wide-ranging legislation to regulate the Internet and online privacy. It will be interesting to see whether the future will bring any changes in this balancing of values, so that policymakers can establish a truly comprehensive legal framework for the Internet.

Katie McCafferty said...

I too agree that as the article expressed, solving this issue of how to better secure users online while still maintaining the freedom and privacy of american citizens is not a simple one indeed.
While it may seem like a good solution for the government to put limits in place for security reasons, I feel that creating something as extreme as a kill switch will only prove to be a greater target for those trying to do harm. Americans are already such a target with all of the information that we put online, between social networking, online banking, shopping, etc. we are already at such a high risk for cyber attacks and everyday, information is being stolen and/or abused online, many times without people even knowing about it.
I feel that something needs to be done to educate users online in order to better secure themselves, as so many people are not even aware of the risks that are at hand. That will certainly not solve all problems, but it would definitely help. In the coming years, I feel that this problem will only continue to get worse as more and more information is put online and with the younger generations, computers and the internet are just second nature. We will need to continue to discuss ways in which to control security while still protecting our freedoms as American citizens and really come up with some solutions before some major attack occurs.