It may seem odd to look to the CIA for viewpoints in this area but in in many ways they are just as concerned as we are. After all, in aggregate, widespread identity theft and hacking both internally and by foreign nationals, theft, electronic ransom and other illicit acts are as much a threat to the security of the country as they are to us personally.
Recently Wired magazine interviewed the chief information security officer at the non-profit venture arm of the CIA. I found the interview a bit directionless and not always helpful in proposed solutions but a number of important points emerged.
One comment was on the dangers of data fusion; I also commented on this in an earlier post on privacy. Small subsets of personal data don’t seem to pose much of a threat and where we feel data is particularly sensitive (medical records for example) we are promised that if data is to be used for wider access, it can be “de-identified”, replacing personal fields with generalized values, for example replacing an address with a zip-code. The problem is that between big-data gathering and simple JOIN operations, it really isn’t difficult to assemble detailed personal profiles on individuals, making current attempts at de-identification (if applied at all) pointless – as a prior governor of Massachusetts discovered.
EDPS Symposium: Cyber Security Workshop
SemiWiki-EDPS2016 promo code for a $50 savings
There was a comment on the EU “Right to be forgotten”. This sounds good on the surface but is difficult to square with freedom of speech standards in many countries and the likely impracticality of imposing country-specific standards on global data searches (which is why Google is at the center of most of these debates). The most useful point from this part of the discussion was a definition of privacy and secrecy: privacy is something others give to you whereas secrecy is something you take for yourself. Which is why there’s so much interest in encryption now – if I can’t be guaranteed privacy, then I want to be able hide what I do not want others to know.
One suggesting on dealing with hacking is to counter with the most efficient machine we know – capitalism. Of course we do this today in one sense – lots of companies selling security products, but this is only one angle of attack. It doesn’t necessarily address security holes in other products and where it might, whatever is or is not corrected often remains a product company secret. The suggestion is that the US government should pay a bounty on vulnerabilities for whoever wants to find them, in whatever products they choose to hack (maybe the government can claim the bounty back from the offending product companies). If the potential impact is high perhaps the problem is widely publicized, otherwise maybe the government gives the product company a few weeks to fix it, then goes public. Either way, product companies are motivated through public embarrassment and possible loss of business unless the hole is plugged.
Finally, the CIA guy made a point I strongly support – over many, many years (going back at least to the Industrial Revolution in my view) we have demonstrated that we are extremely adept at building things we cannot manage without going through a painful learning curve. He thinks this amply applies to Internet technologies, which is why he has no cell phone and only carries a pager. That a senior executive for a CIA venture fund feels this way has to give you pause for thought.
To read the interview, click HERE.
EDPS Symposium: Cyber Security Workshop
SemiWiki-EDPS2016 promo code for a $50 savings
Next Generation of Systems Design at Siemens