Guest Post: A Busy Time For Privacy and Security

The following is a guest post by David Hoffman, Director of Security Policy and Global Privacy Officer at Intel and FPF advisory board member.

Check out A Busy Time For Privacy and Security and other posts by David on the Intel Policy Blog.

A Busy Time For Privacy and Security

The past two weeks have included a number of important events for privacy and security. At the top of my mind have been the protests in Egypt, as I worry about the welfare of the Egyptian people and the many non-Egyptians in the country. One of the more disturbing aspects of the developments in Egypt, was the Egyptian government’s actions to require local internet service providers to disconnect from the global internet. The internet has become an integral component of individuals’ lives. Disconnecting a country from the global internet is an extreme and unfortunate reaction.

The Egyptian government had a solid record of assisting the private sector in making the internet available to its citizens. That record made the government’s decision to take down the connections more impactful, as local internet infrastructure suppliers appear not to have had plans to deal with the government decision.

In an interesting coincidence, the Egyptian government’s actions took place while many around the world were recognizing Data Privacy Day. Intel has been one of the core supporters of Data Privacy Day since its inception. Intel embraces Data Privacy Day’s goal of educating individuals on how they can use technology to provide benefits for their lives, while still having their personal date protected. Intel has been working in several areas to provide recommendations on how we can continue to foster technology innovation, while improving cybersecurity and privacy.

The Egyptian government’s actions call attention to the need of providing strong protections for individuals and companies so they can depend upon technology. Efforts to allow government access to, or control over, private components of the global digital infrastructure have been finding their way to light in many countries. These government attempts to control technology, include providing government the right to take down all, or a portion of, a private network. Any such government ability to impact technology in such a manner, creates substantial privacy concerns for individuals and industry. National security and law enforcement are fundamental obligations of government, but reasonable due process is necessary before government should take steps to access communications or take down private networks.

Several organizations have proposed alternative mechanisms to address government concerns. One example of these efforts are the Cybersecurity Principles authored by the Information Technology Industry Council, which were finalized on January 31st. The ITI Principles focus on building off of existing public-private partnerships and fostering the development of standards, best practices and international assurance programs.

Also distributed on January 31st, was the Center for Strategic and International Studies (CSIS) Cybersecurity Commission report “Cybersecurity Two Years Later.”    I have been honored to sit on the Commission and to take part in some of the discussion that led to this report. The Commission operates as a body to provide input to the Project Director and Co-chairs. By its nature and size the Commission does not endeavor to create a report that all Commission members agree with fully. Not surprisingly, there are elements of the report with which I disagree. However, the document is an important piece of work assembled by some of the best minds in cybersecurity policy.

The report aptly calls for investment in cybersecurity education, more focus on the international implications of a patchwork of differing national regulations of the global digital infrastructure, improvements in the area of authentication and the fundamental importance of meeting the privacy expectations of individuals. Conversely, I do have concern about extending cybersecurity regulations to the private sector component of the “critical infrastructure”, when the report does not define the term. I also find the report too critical of existing public-private partnerships, as many of these activities have focused on building needed trust, while still providing transparency of operation. The Egyptian government’s actions highlight the danger of moving away from structures which create trust between government and industry.

Many companies, like Intel, are investing significantly in privacy and security to make certain individuals will be able to reasonably trust their use of technology. This busy time for privacy and security policy both brings some of these issues to the forefront, and provides useful fodder for debate on how we should move forward.