Foreign Policy Blogs

GailForce: Cyberspace Symposium Part II

Photo Credit: Torkild Retvedt

Last week was pretty interesting for cyber policy issues. On Tuesday, Assistant to the President for Homeland Security and Counterterrorism Lisa O. Monaco spoke at the Wilson Center and announced the formation of the Cyber Threat Intelligence Integration Center (CTIIC). It will operate as part of the Director of National Intelligence office. She stated the justification for setting up yet another government cyber security organization was:

Currently, no single government entity is responsible for producing coordinated cyber threat assessments, ensuring that information is shared rapidly among existing Cyber Centers and other elements within the government, and supporting the work of operators and policy makers with timely intelligence about the latest cyber threats and threat actors. The CTIIC is intended to fill these gaps.

On Friday, President Obama met with tech CEOs in Silicon Valley to discuss the necessity of government/industry partnerships in dealing with cyber threats. He apparently had his hands full because, according to press reports, fallout from the Snowden leaks continues to sour the relationship between government and industry. According to a report from The New York Times:

Upset about the lack of reforms to those practices, the CEOs of Google Inc, Facebook Inc and Yahoo Inc are not attending the Stanford conference. But Apple Inc’s chief executive, Tim Cook, will give an address.

A long roster of other CEOs will attend, including those from Bank of America, American International Group and Visa.

President Obama also signed an executive order during the conference requesting better information sharing between industry and the government. In a fact sheet released ahead of the event the White House stated:

Cybersecurity is a shared responsibility. The Federal government has the responsibility to protect and defend the country and we do this by taking a whole-of-government approach to countering cyber threats. This means leveraging homeland security, intelligence, law enforcement, and military authorities and capabilities, which respectively provide for domestic preparedness, criminal deterrence and investigation, and our national defense. Yet much of our nation’s critical infrastructure and a diverse array of other potential targets are not owned by the Federal government. The Federal government cannot, nor would Americans want it to, provide cybersecurity for every private network. Therefore, the private sector plays a crucial role in our overall national network defense. To that end, both the Federal government and the private sector are announcing key commitments today.

This brings me to what I’d like to blog about, and that is more insights discussed at the cyber symposium I attended a couple of weeks ago. As I mentioned in my last blog, the theme of the symposium was “Protecting Cyberspace: Policy, Partnerships, and Practical Solutions.” What we saw from the Obama administration last week were attempts to solve many of the problems discussed at the symposium. Three themes come to mind.

First, several speakers mentioned there are still no commonly agreed upon terms and definitions when dealing with cyber issues. Why is this important? How can you be on the same page on controversial issues like privacy concerns, if you don’t understand and know what the other person is talking about?

For example, my definition of “privacy” differs from that of the younger members of my family. I’m not a very active member of social media because I don’t want to take pictures of meals I eat in restaurants or post pictures of all of my activities. (Unless the photos make me look skinny!) I also resent and wonder who in the world gave three financial institutions the right to monitor all of my financial transactions, including credit card debt and how much money I have in the bank, only to then have future employers, car dealerships, and banks (when I apply for house or car loans) use that same data for or against me? Without exception, every time I’ve made a major purchase, I had to do the paperwork and correct some of the mistakes those three institutions made on my credit record. I don’t hear groups advocating privacy discussing or even apparently concerned with those issues. I can only assume it’s because they don’t consider it a privacy issue. The end result is you have situations where people discussing privacy and other cyber issues are talking past each other because they fail to comprehend the other’s definitions and viewpoint on the topic.

Here’s a real world example. I’ve mentioned in earlier blogs that my last active duty military assignment was determining the role intelligence would play in cyber defense. It involved working with over 30 Department of Defense commands and numerous three-letter Washington intelligence agencies to build teams to solve the problem. In one of my initial discussions with the FBI, I asked why they were only sharing about 40 percent of cyber incidents they were working on with the intelligence community. They reminded me of existing laws prohibiting the intelligence community from spying on U.S. citizens and also said they didn’t want to endanger their law enforcement cases. I reminded them that a lot of cyber incidents that appeared to be coming from computers of U.S. citizens were actually originating overseas. I also told them I did not need any personal details on the suspected incident, just verification that an attack happened and the nature of the attack and the location. Say, for example, several banks in New York City had been hacked. Maybe these attacks weren’t by individual criminals but instead carried out by a nation-state or transnational group. In that case, there could be similar incidents going on across the country; however, if I didn’t know it was happening I couldn’t do the intelligence analysis needed to halt a potential, or even ongoing, major cyber attack against the U.S.

The second theme I kept dwelling on was the gap between technological developments and policymaking. Cyber technology is changing at the speed of thought, while policies, authorizations and laws are moving much slower.

The third theme was the concept of information sharing, which is related to the first and the second. One of the complaints industry participants kept bringing up was the government was not sharing enough intelligence on cyber threats. They felt they were giving more than they were getting in return and were concerned about violating the privacy of their customers.

In reference to my first theme of commonly agreed upon definitions, retired Lieutenant General Robert Allardice opened up and was the keynote speaker for the second day of the event. He made some points, bringing up important questions like, what is defense in the digital age? It should be causing us to think differently but he isn’t sure that our military joint warfighters get it. We have to have a better understanding of what defense means in a digital age. He says the lesson we learned from the ancients is that victory does not go to people with the biggest weapons but to those who comprehend the strategic environment and apply the right weapons.

The general also stated that industry feels the Pentagon doesn’t move fast enough to help them with cyber issues, a theme I’ve heard repeated in a number of other forums. The general and several other speakers also talked about the need to have a better understanding of what a partnership (I assumed he was referencing industry) means in this digital age. He added as part of his closing thoughts that cyber defense without the commercial sector isn’t defense. I would add that at the core of the disconnect between industry and the government, as well as the broader debate about privacy, is the lack of understanding of the other’s definition of cyber defense and exactly what is needed to do it.

Right now, I’m personally far more concerned about violations of my privacy from industry than government. In a recent article, Paul Gilster, speaking about the Internet of Things (IoT), wrote:

We keep making the same tradeoff we have been making since entering the Internet era.

To use a free service, we hand off information, slowly at first, but after a time, as a matter of course. We get a freebie (think Facebook), but big companies get to learn all about us. As the adage goes, when you can’t figure out what the product is, the product is you.

Samsung has just created a stir by offering voice recognition on new televisions.

The problem is Samsung’s statement that if you say something that might be sensitive or personal, “that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.” It’s a feature you can turn on or off, but better check to see that the little microphone icon isn’t on before you start saying bad things about your in-laws.

Privacy concerns

Samsung’s TVs may or may not turn out to be a problem, but the larger point is that Net-connected objects of the kind heading for us at the speed of digital marketing are capable of offloading information about us to third-party servers for analysis.

Think I’ll end here. I’ll conclude this series in the next week or so. As always my views are my own.

 

Author

Gail Harris

Gail Harris’ 28-year career in intelligence included hands-on leadership during every major conflict from the Cold War to El Salvador to Desert Storm to Kosovo and at the forefront of one of the Department of Defense’s newest challenges, Cyber Warfare. A Senior Fellow for The Truman National Security Project, her memoir, A Woman’s War, published by Scarecrow Press is available on Amazon.com.