Two Reflections on the White House Cybersecurity Summit

As many know, the White House held a summit on cybersecurity and consumer protection at Stanford University today.  In addition to President Obama, a number of CEOs also spoke on privacy and security issues in the context of consumer protection, and of course the backdrop for much of the summit was the Snowden revelations and the public and industry reaction to them. The summit inspired two thoughts in me, neither of them new but perhaps worth some discussion. First, several speakers argued that privacy and security were not incompatible—indeed, that better privacy required better security.  I’m getting tired of hearing this claim, as it’s true but one sided. Of course, protecting privacy requires security.  If I want to protect my information, I need good security surrounding it.  That’s the true part. The misleading part is the statement omits the flip side—that sometimes privacy and security are NOT compatible.  If we want to catch bad guys after they do their dirty work, or prevent them from doing their dirty work in the first place, we need to violate their privacy.  In this case, better privacy works *against* our security. There’s a legitimate debate about which one of these goals we want to emphasize, and even a serious discussion about how both goals can be reconciled in part.  But to deny or not acknowledge the tension between them is just wrong. Second, the distrust of industry with respect to the US government has been palpable.  For much of the past, there has been a non-trivial measure of informal cooperation between the U.S. government and technology companies both large and small.  Now, technology companies are saying “we will do what is required by law, but only what is required.  And we will insist that you [government] turn square corners and cross all the “t”’s before we do anything.”  I can’t help but notice that “work-to-rule” is well-known as a slow-down tactic for disgruntled labor forces.  Indeed, it’s often the case that an organization that works to rule can’t get ANYTHING done. Whether this is a good outcome or a bad outcome depends on the observer—some people believe that an intelligence community that is less effective is a good outcome, and others believe that it’s a bad outcome.  I do know that it would be better if the industry felt it could trust the government more than it does, and it would also be better if the government did not take actions that undermined industry’s trust.   But how to get there is anyone's guess. Ideas welcome.