
Two Reflections on the White House Cybersecurity Summit

Herb Lin
Friday, February 13, 2015, 10:27 PM

Published by The Lawfare Institute
in Cooperation With
Brookings

As many know, the White House held a summit on cybersecurity and consumer protection at Stanford University today. In addition to President Obama, a number of CEOs also spoke on privacy and security issues in the context of consumer protection, and of course the backdrop for much of the summit was the Snowden revelations and the public and industry reaction to them. The summit inspired two thoughts in me, neither of them new but perhaps worth some discussion.

First, several speakers argued that privacy and security were not incompatible—indeed, that better privacy required better security. I’m getting tired of hearing this claim, as it’s true but one sided.

Of course, protecting privacy requires security. If I want to protect my information, I need good security surrounding it. That’s the true part.

The misleading part is the statement omits the flip side—that sometimes privacy and security are NOT compatible. If we want to catch bad guys after they do their dirty work, or prevent them from doing their dirty work in the first place, we need to violate their privacy. In this case, better privacy works *against* our security. There’s a legitimate debate about which one of these goals we want to emphasize, and even a serious discussion about how both goals can be reconciled in part. But to deny or not acknowledge the tension between them is just wrong.

Second, the distrust of industry with respect to the US government has been palpable. For much of the past, there has been a non-trivial measure of informal cooperation between the U.S. government and technology companies both large and small. Now, technology companies are saying “we will do what is required by law, but only what is required. And we will insist that you [government] turn square corners and cross all the “t”’s before we do anything.” I can’t help but notice that “work-to-rule” is well-known as a slow-down tactic for disgruntled labor forces. Indeed, it’s often the case that an organization that works to rule can’t get ANYTHING done.

Whether this is a good outcome or a bad outcome depends on the observer—some people believe that an intelligence community that is less effective is a good outcome, and others believe that it’s a bad outcome. I do know that it would be better if the industry felt it could trust the government more than it does, and it would also be better if the government did not take actions that undermined industry’s trust. But how to get there is anyone's guess. Ideas welcome.

Dr. Herb Lin is senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution, both at Stanford University. His research interests relate broadly to policy-related dimensions of cybersecurity and cyberspace, and he is particularly interested in and knowledgeable about the use of offensive operations in cyberspace, especially as instruments of national policy. In addition to his positions at Stanford University, he is Chief Scientist, Emeritus for the Computer Science and Telecommunications Board, National Research Council (NRC) of the National Academies, where he served from 1990 through 2014 as study director of major projects on public policy and information technology, and Adjunct Senior Research Scholar and Senior Fellow in Cybersecurity (not in residence) at the Saltzman Institute for War and Peace Studies in the School for International and Public Affairs at Columbia University. Prior to his NRC service, he was a professional staff member and staff scientist for the House Armed Services Committee (1986-1990), where his portfolio included defense policy and arms control issues. He received his doctorate in physics from MIT.
