Better privacy for better security
Government must do better at protecting privacy to achieve better security, experts say
The failure of the government in general and the Homeland Security Department (DHS) in particular to adequately ensure the privacy of personal data undermines the nation's cybersecurity, a panel of privacy experts and advocates said Wednesday at a congressional forum.
Speakers cited problems in multiple DHS programs for gathering and sharing data. 'All of the initiatives at DHS have privacy issues,' said Carol DiBattiste, senior vice president for security at LexisNexis Group.
'We need to draw some lessons from experience with DHS programs where attempts to solve one problem created others,' added Marc Rotenberg, executive director of the Electronic Privacy Information Center.
The panel on cybersecurity and privacy was part of a daylong forum hosted by the House Homeland Security Committee to sharpen its agenda in overseeing DHS in the coming year. Other panels addressed data mining, disaster response and domestic intelligence-gathering.
Although the speakers at the privacy panel were advocates for privacy, they did not ignore the legitimate needs of security. They pointed out that privacy and security are two sides of the same coin.
If people do not have confidence that personal information will be properly handled, it will undermine efforts to gather and use the data, said Fred Cate, director of the Indiana University Center for Cybersecurity Research. 'Privacy is an essential condition for security.'
At the same time, 'We can't have privacy without cybersecurity,' said Tom Kellermann, vice president of Security Awareness. 'America needs to demand higher levels of security from their government and the companies they do business with.'
Although the two complement each other, it is not easy to provide both security and privacy because using data for security can expose it. This means that the two concerns have to be balanced. To pursue one end at the expense of the other is self-defeating, the experts said.
'When you introduce one kind of solution in the security realm there are ultimately some costs' at the expense of privacy, Rotenberg said. 'And these costs have to be understood.'
Rotenberg cited the Einstein 2 program for packet inspection of network traffic, which would expose huge amounts of data to government sensors. He predicted that ensuring that the program does not become a privacy risk would be a major challenge for the oversight committee in the coming year. He said that the misuse or exposure of sensitive data from such a program could undermine the security argument for surveillance. His comments were 'not an argument against intrusion detection,' he said, but against mission creep and unwarranted use of data.
The speakers did not blame DHS completely for the missteps they were concerned about. They said the problem was the reactionary nature of large security programs that are rushed into production without time for the department to get its arms around the issues being created. Security efforts need to be proactive rather than reactive, Cate said.
'The impetus to do something should not be stronger than the impetus to do something right,' he said. 'A little thought might go a long way here.'
The speakers generally agreed with incoming president Obama that cybersecurity should be directed from within the White House rather than by DHS.
'We do need a cyber security czar,' said DiBattiste, and that official will have to work closely with the private sector to see that privacy and security elements are built into products and systems from the beginning.
Kellermann said security service level agreements are needed with government contractors to ensure the security of systems.
'Most of our systems have been back-doored by nation states or organized crime,' he said.