
Privacy in the NIST Cybersecurity Framework

Paul Rosenzweig
Friday, December 13, 2013, 12:14 PM

Published by The Lawfare Institute in Cooperation With Brookings

My friend Stewart Baker has likened the privacy requirements of the draft NIST framework to a "privacy tax." His fear, which has sound economic force, is that the imposition of privacy-protective requirements on cybersecurity efforts will drive up the cost of cybersecurity and, necessarily, result in less of that good. Of course, some might argue that this is the right result -- that privacy concerns are of value and should be accounted for in pricing cybersecurity. But that argument begs a difficult question -- how valuable, and measured against what in terms of cybersecurity lost?

These thoughts came to mind when I read this letter to NIST, commenting on the privacy provisions of the draft Framework. The letter is from Professor Fred Cate, of University of Indiana, whom I think it is fair to characterize as generally much more supportive of privacy protections than Mr. Baker. Yet his conclusions, in their moderate form, echo Stewart's in some interesting ways. His fundamental conclusions (if I may paraphrase) are that the draft privacy protections are overbroad; apply an inappropriate standard; and mistakenly assume that all information assurance activities will involve issues of privacy. His solution, broadly speaking, is to recommend that NIST transition their privacy discussion to principles of "stewardship" and "accountability" that more closely speak to the types of risks to privacy involved in cybersecurity efforts. On the whole, the entire letter is worth a read.

Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.
