cyber – Medill National Security Zone http://nationalsecurityzone.medill.northwestern.edu A resource for covering national security issues Tue, 15 Mar 2016 22:20:28 +0000 en-US hourly 1 Experts say retaliation over OPM cyber attacks may be misguided http://nationalsecurityzone.medill.northwestern.edu/blog/2015/09/03/experts-say-retaliation-over-opm-cyber-attacks-may-be-misguided/ Thu, 03 Sep 2015 23:59:43 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=23117 Continue reading ]]> WASHINGTON — With cyber attacks grabbing the public’s attention, calls for retaliation, especially against suspected state-sponsored intrusions, have escalated.

Critics argue that a passive approach by the U.S. government only emboldens perpetrators. Draw a red line, they urge; the massive Office of Personnel Management breach, in particular, warranted a decisive response by the government.

But on the other side, some experts warn that retaliation, in any form, would be shortsighted, simplistic, and unrealistic, potentially undermining America’s interests. The rules of engagement, even informal guidelines, have yet to be written, they say.

Those advocating hacking back say the OPM breach should have been the final straw. But where to strike? The Obama administration has not openly accused the Chinese government,or any government, of being behind the OPM cyber attack.

The OPM, which handles security clearance for federal government employees, discovered in June that the agency had been hacked. The latest figures reveal that records of 22 million workers were compromised.

But Robert Knake, former head of cybersecurity policy at the National Security Council, said those advocating for hacking back are overreacting.

“It’s bad. But it’s not devastating,” said Knake of the names and Social Security numbers exposed by the breach. “The reason it’s not devastating is that we know about it.”

Speaking at an Atlantic Council panel last week debating the consequences of retaliating for cyberattacks, Knake said identifying the breach offers the opportunity to mitigate the damage. Once armed with this knowledge, the government can use the hack to its advantage, he argued.

For example, in the unlikely event that China uses information gleaned from the breach to identify Americans involved in sensitive activities, Knake said the U.S. could respond with misdirection by changing personnel.

Knake said the leaking of classified National Security Agency information by NSA contractor Edward Snowden, changed the norms in cyberspace.

“We are in the post-Snowden period where the whole world knows the U.S. engages in this kind of [surveillance] activity,” said Knake. “That we have a very strong program. And we got through all those disclosures without … Angela Merkel or anyone else declaring that it was an act of war.”

Fighting cyber espionage requires a different skillset than defending against pre-Internet, traditional Cold War espionage, said Austin Berglas, former head of the FBI’s New York Cyber Branch. “Whatever country is trying to steal our state secrets or international property doesn’t have to have a physical body. They can do it from their own home. There is a cloak of anonymity that people can hide behind to deny the actions.”

Unlike the Cold War when the adversary was clear, there are many more nations engaged in cyber espionage. China, Russia North Korea and Iran have all been suspected as culprits.

Jason Healey, senior fellow, at the Atlantic Council’s Cyber Statecraft Initiative, said that in the Cold War, there was a set of unwritten “Moscow rules” illuminating red lines that would not be crossed.

“It wasn’t a treaty, but there was this sense of where each side could go and if they overstep that, than there might be repercussions,” Healey said at the Aug. 19 panel discussion. “We would never kill a Russian. They will never kill an American spy.”

In contrast, Healey said no set of unifying standards exist for resolving cyber espionage conflicts.

“We have had some cyber espionage cases going back to 1986 where the KGB was spying,” said Healey.

In a telephone interview, Daniel Garrie, founder and editor in chief of the Journal of Law and Cyber Warfare, said countries’ varying attitudes towards cyber warfare make it harder to establish standards between the U.S. and other countries.

“Not only is there no playbook for countries and companies looking to respond to a cyberattack,” said Garrie, “but there are arguably a hundred different play-books, for each country, making the appropriate and permissible response all the more challenging, assuming your legal team understands what sort of action you are seeking to take,”
In some countries, Garrie said hacking is “not per-se illegal and it is certainly not taboo or shameful, in fact, it appears in some countries that such activity is encouraged.”

While it would seem tempting to fighting back against perpetrators aggressively, a tit-for-tat approach in the OPM affair, risks giving rise to many more problems than it would solve.

]]>
People are generally clueless when it comes to cybersecurity http://nationalsecurityzone.medill.northwestern.edu/blog/2015/08/26/people-are-generally-clueless-when-it-comes-to-cyber-security/ Wed, 26 Aug 2015 17:54:22 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=23032 Continue reading ]]> WASHINGTON – The scariness of cyber attacks seems like something straight out of the Twilight Zone. Think about it: The world revolves around computers and personal information can be stolen with one click of a mouse. The problem is that most people do not think about cyber threats.

Dr. Marshini Chetty, an assistant professor of Human-Computer Interaction at the University of Maryland, said that people don’t tend to think about cybersecurity unless they are actually in the industry or in some situation where they have to be aware of security.

“We find that if they haven’t heard about it in some big news story or someone hasn’t informed them that there’s been like a big credit card breach or something like that,” Chetty said, “They aren’t really aware of security on a daily basis.”

Chetty said that the media plays a huge role to raise awareness about cybersecurity issues to the general public. “The more educated the public is, the better it is for everyone,” she said.

She noted that the U.S. government is taking great measures to educate people about their online safety. Her government-funded research, which focuses on evaluating people’s behaviors when it comes to completing software updates, is required to have a component that makes educational materials available to the public.

Antoinette Isama, a 23-year-old student from Silver Spring, Md., knows that security threats loom. “I definitely take it seriously, even in regards to online shopping. I don’t save my credit card information. I think it should be taken more serious because it’s easier and easier for someone to steal your information.”

Although individuals can take measures to protect themselves from hackers, there is only so much that can be done. “If you’ve entrusted your data to a third party….it’s up to them to make sure their systems are secure.” Chetty said. She warned of a possible cyber attack that could be targeted at the network system of a company that is not properly protected or equipped to handle a large-scale breach, which could possibly put millions of people’s personal data at risk of being stolen.

“Generally when people are not aware of privacy and security issues they can easily get themselves into trouble,” Chetty said, “Whether that’s sharing information that they didn’t intend to share or having machines that are not protected.”

According to Chetty, individuals can take steps to keep their personal information safe in cyberspace. Making sure personal machines are always up to date, securing passwords and not staying logged in to public computers are all measures that can be taken to protect against a cyber attack.

Isama said that worrying about cyber attacks is wasting time.

“I don’t [worry] because attempts are already happening. It’s a reality now. Now it’s about being preventative.”

 

]]>
Opportunity for tech companies after OPM data breach http://nationalsecurityzone.medill.northwestern.edu/blog/2015/08/03/opportunity-for-tech-companies-after-opm-data-breach/ Mon, 03 Aug 2015 17:42:16 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=22837 Continue reading ]]> WASHINGTON – In the wake of the huge data breach at the Office of Personnel Management, tech companies are in a competition to provide cheaper, more reliable cybersecurity service to the federal government.

The Defense Leadership Forum, an organization specializing in defense issues, sponsored a summit Tuesday offering details and insights related to landing contracts with the Department of Defense.

Sylvia Burns, chief information officer of the Interior Department, which provides cybersecurity service to OPM and other federal agencies, said that centralizing data protection service – the model in place when the OPM data breach occurred in April – is affordable and efficient, but has a big downside. When the OPM data was compromised, the hacker also had access to the data center at Department of Interior.

As a consequence, the Defense Department wants tech companies, including small businesses, to propose cheaper, yet still reliable ways of protecting the Pentagon’s vast storehouse of sensitive information. The government still needs a competitive environment for cost reduction purposes, said Kenneth Bible, deputy chief information officer of the United States Marine Corps.

Shawn McCarthy, research director of International Data Corp., a company that provides advisory services on information technology, said the Defense Department’s information technology budget has actually decreased by 12 percent since 2006. That budget includes hardware and software development and IT service. But money spend on IT service – data hosting, data encryption and the like – has seen a significant increase, compared to the other two areas, McCarthy said.

The reason behind that is the emergence of the so-called 3rd platform era, which has cloud as its core. In the coming 3rd platform era, hackers may be able to reach trillions of IP-addressable devices, monitors, and sensors of billions of users through new applications. That’s why government is paying more attention to cybercrime.

It is going to be a big business opportunity for tech companies when the Pentagon’s budget on cloud service reaches to $21.1 billion next year. In order to have a win-win relationship with the government, “IT vendors need to keep a close eye on price points while government is becoming increasingly sophisticated when it comes to comparing price and functionality,” McCarthy said.

]]>
Experts: Commercial airliners need air gap for cyberprotection (video) http://nationalsecurityzone.medill.northwestern.edu/blog/2015/06/11/commercial-airliners-need-air-gap-for-cyberprotection-experts-say-video/ Thu, 11 Jun 2015 16:28:56 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=22476 Continue reading ]]> WASHINGTON – At a time when cybersecurity is at the forefront of many Americans’ minds, that manufacturing companies are producing commercial planes that experts say are more likely to be hacked than previous versions.

Recently a cybersecurity expert was pulled off a United Airlines flight after tweeting that he had the ability to access the plane’s systems, such as control of the oxygen masks on board.

The expert, Chris Roberts, was then taken into FBI custody and questioned for hours.

While Roberts says he was not attempting to harm anyone on board, the event drew attention worldwide to possible gaps in security onboard commercial flights with in-flight Wi-Fi.

According to a recent report by the Government Accountability Office, there is more connectivity in the Boeing 787 and Airbus A350 between cockpit and cabin Wi-Fi systems than in previous models.

Aaron Rinehart, CEO of cybersecurity company Testbed Inc. and a former security expert for the U.S. Transportation Security Administration, says that this is a step backward in terms of security and safety.

 

Rinehart says cockpit systems should be air gapped, meaning that the system is physically isolated from all unsecured computer networks, including the in-flight entertainment system onboard. This disconnects the cockpit from outside systems to prevent hackers from accessing it.

“It doesn’t seem to me either logical or rational to combine in-flight Wi-Fi with the avionics systems,” Rinehart said.

Why anyone would combine these systems and take the extra risk isn’t clear.

“My guess would be they want to combine the signal and maybe just either save money or save the amount of power because all those antennas require power,” he said.

“If there’s multiple antennas [putting off] separate signals, it may require more power for that… which to me represents a considerable threat.”

In its report, the GAO found that firewalls are currently protecting avionics systems on planes from hacks, but, like any software, firewalls don’t always prevent attacks on networked systems.

Rinehart says the systems should remain completely separate to avoid problems, including downed airliners.

What do the airlines say about this, especially United, since they’re the ones that pulled Roberts off the plane?

Although the argument can be made that it is difficult to hack into a plane’s avionics system and launch such an attack, experts say the threat of malicious activities grows along with increased connectivity.

For example, Macworld recently reported that American Airlines’ fleet of Boeing 737 aircrafts experienced a glitch in an iPad app used by pilots in their cockpits. This caused all of the fleet’s iPads to go dead at once and leaving passengers delayed for hours at airports across the country.

According to Rinehart, if it were decided that all systems needed to be air gapped, planes can be retrofitted with these systems, but it is easier to design with air gapping in mind in the beginning while factoring in the cost.

“We’ve already had enough [problems] in the past two years,” he said. “Our regulatory authorities don’t need to contribute to that.”

]]>
Cracking the code: Workshop gives journalists a crash course in encryption http://nationalsecurityzone.medill.northwestern.edu/blog/2015/04/08/cracking-the-code-workshop-gives-journalists-a-crash-course-in-encryption/ Wed, 08 Apr 2015 16:41:46 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=21300 Continue reading ]]>
  • TestBed's Aaron Rinehart lectures to seminar attendees prior to the hands-on portion of the day on April 3, 2015. (Jennifer-Leigh Oprihory/MEDILL NSJI)

WASHINGTON — The minds behind TestBed, Inc., a Virginia-based IT consulting firm specializing in IT planning, analytics, testing, prototyping and business advice for the public and private sectors, gave journalists a crash course in digital safety and encryption techniques at an April 3 seminar in Washington.

The daylong event, “Cyber Security Skill Workshop for Journalists: Sending Secure Email,” was co-sponsored by the Medill National Security Journalism Initiative and the Military Reporters & Editors Association, and held in the Medill Washington newsroom.

The seminar began with an introductory lecture on cybersecurity basics and common misconceptions about online privacy and security. Security-related superstitions, such as the idea that browsing in so-called “incognito” or “invisible” modes will keep your digital whereabouts truly hidden, were promptly dispelled.

TestBed’s Aaron Rinehart and David Reese then transformed the event into a hands-on lesson in PGP – an acronym for “Pretty Good Privacy” – as well as understanding other aspects of digital fingerprints (including how to create a public key, how to register it in the Massachusetts Institute of Technology’s PGP directory so that you are more widely contactable by those in the encryption know and how to revoke (or deactivate) a key for security reasons.

The program also included a brief introduction to the Tor network, a group of volunteer-operated servers that allows people to improve their privacy and security on the Internet. Tor, originally developed by the U.S. Navy, hides the route taken from a computer’s IP address to its eventual browsing destination.

Learn how Tor works via Medill reporter William Hicks’ helpful primer and infographic here.

When asked for the top three lessons he hoped attendees would take away from the event, Rinehart emphasized the importance of “good key management,” or not sharing your private PGP key with anyone, operating “under good security practices”(such as updating software and antivirus programs) and making email encryption a regular habit.

“Don’t compromise convenience for security,” Rinehart said in a post-workshop interview. “Try to make this something you can use everyday.”

The event drew a mix of reporters, security experts and students, which included military veterans and defense journalists.

Northwestern University in Qatar journalism student James Zachary Hollo attended the event to research encryption resources available for foreign correspondents and to report on the workshop for the Ground Truth Project in Boston, where he is currently completing his Junior Residency.

Hollo said the seminar gave him a better understanding of how to use PGP.

“I had sort of experimented with it before I came here, but this gave me a much better and deeper understanding of it, and I got to sort of refine my ability to use it more,” he said.

Hollo said he was surprised that many attendees came from military service or military reporting backgrounds, since, in his view, “one of the blowbacks against the NSA story [involving whistleblower Edward Snowden] was that it’s like reporting is like betraying your country.”

 

]]>
Private sector remains wary of government efforts to increase cybersecurity collaboration http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/19/private-sector-remains-wary-of-government-efforts-to-increase-cybersecurity-collaboration/ Thu, 19 Mar 2015 14:49:28 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=21085 Continue reading ]]> WASHINGTON– President Barack Obama and lawmakers have announced plans to increase information sharing between the government and the private sector following data breaches at major companies. But companies are hesitant to join these initiatives because of liability and privacy concerns – and sharing information could put them at a competitive disadvantage.

Experts agree information sharing is essential in preventing and responding to cyber attacks, but the government and private sector bring different perspectives and strategies to mitigating the threats.

Companies need to take the approach that there is “strength in numbers,” said Greg Garcia, executive director of the Financial Services Sector Coordinating Council.

“To the extent that we can have what amounts to a neighborhood watch at a national scale, then were going to be better aware of the adversaries and what they’re up to and what they’re trying to do,” Garcia said.

One area where progress has been made is in the sharing of cybersecurity threat indicators, which identify the source of cyber attacks, said Mary Ellen Callahan, former chief privacy officer at the Department of Homeland Security. These indicators can include bad IP addresses, malware that’s embedded in emails or specific coding in software, she said.

DHS and the Mitre Corporation have developed programming languages to improve communication about cyber threat information between the government and the private sector. Structured Threat Information Expression and Trusted Automated Exchange of Indicator Information, known as STIX and TAXII respectively, are used in tandem to quickly share the information.

“It’s one thing to have these executive orders and things, but it’s another to have the technical enablers to make it easy for these companies to do it,” said John Wunder, lead cybersecurity engineer at Mitre. “You want to make it easy to share threat information in a way that you share exactly what you want.”

Yet, these programs haven’t fully developed and more participation is needed to make them effective, said Judith Germano, a senior fellow at New York University School of Law’s Center on Law and Security.

“I hear from companies that they are often less concerned about where the threat is coming from, but what is the threat and what can they do to stop it,” she said. “That’s the valuable information. Some of that is being shared and is very helpful, but it needs to be expanded.”

Last month, Obama announced an executive order promoting cybersecurity information sharing. The order encouraged the development of information sharing and analysis organizations to spearhead collaboration between the private sector and government. He tasked DHS with creating create a nonprofit organization to develop a set of standards for ISAOs.

Despite these efforts, robust information sharing is still lacking.

“Everyone wants information. Nobody wants to give information,” said Mark Seward, vice president of marketing at Exabeam, a big data security analytics company.

Companies fear sharing information with the government could reveal corporate secrets or consumers’ private information, said Martin Libicki, a senior management scientist at the RAND Corporation. He added sharing information with the government could also pose legal risks if the information shows companies did not follow federal regulations.

Germano, who also runs a law firm focused on cybersecurity issues, says cybersecurity collaboration comes down to a matter of trust. The private sector, she said, is weary of the government.

“On one hand [the government is] reaching out as a friend and collaborator to work with companies,” she said. “On the other hand, the same government has an enforcement arm outstretched with the FTC, the SEC that if you do not comply, there can be repercussions, possible lawsuits and other regulatory action taken against you.”

Therefore, only information that is directly related to a threat should be shared and stored, said Callahan, now a partner at Jenner & Block. Further, she said when companies share a large amount of information at once it slows down the process of assessing the threat and they often share more information than is necessary.

The U.S. also lacks “an intelligent and forceful deterrence strategy” for cyber attacks, said Matthew Eggers, senior director of the U.S. Chamber of Commerce’s national security and emergency preparedness department, at a Congressional hearing earlier this month. He also said the government needs to provide more assistance to companies who have suffered from hacks.

“U.S. policymakers need to focus on pushing back against illicit actors and not on blaming the victims of cybersecurity incidents,” Eggers said. 

To address some of these concerns, Sen. Tom Carper, D-Del., introduced in February the Cyber Threat Sharing Act of 2015, which looks to provide liability protections for companies when they share cyber information with the government.

The bill would prohibit the government from using shared cyber threat data as evidence in a regulatory action against the company that shared the information. It also strengthens privacy protections and limits how shared data could be used. The bill has been referred to the Committee on Homeland Security and Governmental Affairs.

In February, Obama also called on the Director of National Intelligence to create the Cyber Threat Intelligence Integration Center, a national intelligence center aimed at “connecting the dots” on cyber threats. The center will “collect intelligence, manage incident response efforts, direct investigations” among other responsibilities.

However, experts remain skeptical about the center.

“What concerns me about that is if you read the president’s memoranda on [the Cyber Threat Intelligence Integration Center], it says that it’s consistent with privacy and civil liberties protections as relevant to that agency,” said Callahan, the Jenner & Block lawyer. “Well, the intelligence community, as you know, has reduced private protections.”

The center’s framework will be similar to that of the National Counterterrorism Center, which is a concern for Libicki, of the RAND Corporation.

“The last cyber attack had elements of terrorism in it. Does that mean we should look at this entire problem purely through the lens of counterterrorism?” Libicki said. “Why are you duplicating a methodological framework that culminates in a set of actions, like predator drones, which are totally inappropriate for cyber?”

Kathleen Butler, a spokesperson for the Office of the Director of National Intelligence, did not have any additional comment beyond the president’s announcement of the center as she said initial planning is still underway.

While experts say it will take time for the private sector to fully engage in the information sharing initiatives, the government’s efforts have been mostly positive.

“This is about enabling people to share what they know and get access to what others know such that protection can be more pervasive,” said Bobbie Stempfley, Mitre’s director of cybersecurity implementation. “That’s really a powerful concept.”

]]>
Internet currency Bitcoin lacks privacy protections http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/19/internet-currency-bitcoin-lacks-privacy-protections/ Thu, 19 Mar 2015 14:46:41 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=21110 Continue reading ]]>

WASHINGTON — Bitcoin lacks the anonymity that many users have come to expect and desire, especially for a currency advertised as “cash for the Internet.”

All transactions made using the online currency is logged in a public ledger to ensure their validity.

“It’s inherent in the system to have it be transparent,” said Jim Harper, a senior fellow at the libertarian Cato Institute and a member of the board of directors at the Bitcoin Foundation. “You could have greater privacy if it was a system that one party controlled, but that would have costs relying on that party to get it right.”

Bitcoin is a digital currency that has no central authority and can be used, in many ways, like cash. Many businesses, from restaurants to WordPress, have begun to accept bitcoin as payment. To get started, it only takes a few minutes to go online to set up a Bitcoin wallet.

“It is fast and free,” said David Barrett, the CEO of Expensify, a company that supports Bitcoin use for international transactions. “It’s secure. And I would say it works everywhere in the world. And it is a very powerful technology for moving money around the world.”

Bitcoin offers an “acceptable level of privacy,” according to Bitcoin.org, which is managed by its developers. And for many Bitcoin users, any potential loss of privacy is an acceptable trade-off to circumvent traditional financial institutions.

“The idea of having this flexible payment system where you can pay someone on the other side of the world without having to turn to Western Union or something, that is quite an appealing concept,” said Sarah Meiklejohn, a lecturer at University College London who has done research on the currency.

Because this cybercurrency is not tied to any country or bank, it can be a relatively stable option for those in developing countries, where the local currency is often unreliable.

But, because of Bitcoin’s transparency, it is relatively easy to track a user’s entire transaction history. The public ledger shows the location of the Bitcoin user who is making a transaction as well as the history of the Bitcoin they are spending.

The public ledger shows a Bitcoin's transaction history and the user's location.

The public ledger shows a Bitcoin’s transaction history and the user’s location.

“It is kind of anonymous, but the second that you do any transaction with Bitcoin, every transaction is there,” said Barrett. “Once you pay me a bitcoin, basically I can look at the log and see every transaction you’ve made.”

Bitcoin.org claims no responsibility for any “losses, damages or claims,” for invasions of privacy or thefts, according to its terms and conditions. It suggests encrypting Bitcoin wallets and using secure connections to avoid thefts.

There are ways to improve the anonymity of the currency, but they require a concerted and technology-intensive effort that many do not even know is an option.

“There’s a thing called mixing, which is a process where you commingle your bitcoins with the bitcoins of others and the output of those transactions is harder to trace back to individuals,” said Harper, the Cato fellow. “It might make it a probabilistic calculation rather than drawing a direct line.”

This process is the equivalent to moving funds through banks in countries like the Cayman Islands and Panama which have strict bank-secrecy laws.

Today, some experts are cautious in accepting Bitcoin as a widespread currency. However, many see the Bitcoin concept as one that will remain.

“It’s actually a good alternative to a currency if there is inflation,” Barrett said. “In Venezuela and Africa, it is getting larger adoption. Russia also has a big growth in bitcoin. It’s a safer and less volatile way to keep your currency. Over time, Bitcoin will, in certain parts of the world, become a daily occurrence.”

Bitcoin and its supposed anonymity gained prominence in its role with the Silk Road, an online black marketplace known for selling illicit drugs and weapons. Buyers and sellers were able to connect virtually and use the cybercurrency to conduct anonymous transactions.

“This perception of anonymity might be driving groups towards Bitcoin, but then the transparency is giving law enforcement or anyone interested in these illicit transactions this beautiful view of all of these types of illicit transactions,” said Meiklejohn, the Bitcoin researcher. “Instead of going to somewhere like Western Union and wiring cash over to the Islamic State or whatever, if you’re doing it with Bitcoin then you are creating this paper trail that is never going to go away, literally ever.”

What may scare off more potential Bitcoin users, however, is not its lack of anonymity, it’s the volatility of the currency. In the last 12 months, the value of the currency has fallen by nearly half.

“Maybe I’m just cynical, but it’s hard to see why Bitcoin, as it is now, would achieve widespread adoption, which ultimately is what you would need to have any kind of stable currency,” Meiklejohn said. “So, as long as Bitcoin is this niche market, it is going to remain pretty volatile.”

]]>
Privacy: Then and now http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/19/privacy-then-and-now/ Thu, 19 Mar 2015 14:39:03 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=21138 Continue reading ]]> Americans value privacy. We close and lock our doors when we get home at the end of the day. We close the blinds when we change clothes so the neighbors can’t peek. If someone wants to visit, they don’t just come over unannounced–they call or text first. In terms of technology, we set passcode locks on our computers and smartphones.

A 2014 Pew Research poll asked people to define “privacy” in one word. The most popular answers were security, secret, personal, alone, information and business.

But today, it’s possible to follow your Internet searches, see who you email, text and call, track your geographical location at all times, monitor your purchases and even track your credit card and phone bills.

The trackers include everyone from family and friends to companies, marketing agencies, the government and law enforcement. From basic information posted on social media, to GPS tracking on your smartphone, people around the world can learn a lot about you from your Internet activity — even when you aren’t intentionally on the Internet. Combining these various components gives them a pretty good idea of what you do, your likes and dislikes, and who and where you are.

You know that nightmare where you’re standing naked in front of an audience? Well, this is the very real 21st century equivalent.

Nearly every app on the modern smartphone is programmed with GPS. Whenever you walk by a WiFi-enabled store, café or home with your Wi-Fi turned on, it registers your device– creating a virtual path of your movement. Do you ever search Google for something, and minutes later see advertisements for it on your sidebar or Facebook? That’s not a coincidence.

In 1965 Gordon Moore, co-founder of Intel, made a prediction known as Moore’s Law: computing power doubles every two years. In other words, computers process large amounts of data faster than ever before. That’s why those Google searches turn into ads so quickly.

Further, the price of data storage is steadily dropping. In 1991, one-gigabyte hard drives cost around $2,700. In 2007, one terabyte (1000x GB) hard drives cost $375. Currently, one terabyte drives cost around $60.

What happens when infinitely faster processing meets infinitely cheaper storage?

“It starts to infringe upon privacy,” said Paul Rosenzweig, cyber and homeland security expert.

So what right do Americans have to privacy?

The Founding Fathers wrote the Fourth Amendment to the Constitution in 1791. It grants citizens the right to be “secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.” Obviously they didn’t have Internet security in mind. Instead, it was a response to Britain’s “general warrant” allowing soldiers total access to search American colonials and their homes.

Let’s translate this to cybersecurity: without a warrant, the government cannot keep surveillance on devices for which individuals have a reasonable expectation of privacy. It also cannot physically take these devices to later use as evidence in court.

Fast-forward nearly 200 years to the Privacy Act of 1974. This legislation came after concerns about the government’s collection, retention and use of personal data. The federal government has a number of databases with information on individuals, both citizens and noncitizens.

The Privacy Act of 1974 set four basic restrictions on the government regarding these databases. First, it required government agencies to show individuals all records kept on them if requested. Second, it set “fair information practices” that agencies must follow when collecting and saving data, such as giving notice that it is collecting the information, how it is storing it and how it is protecting privacy. Third, it restricted the ways information can be shared with other people and agencies. Fourth, it allowed people to sue the government if it violates these regulations.

Even though the Privacy Act was meant to increase government transparency, it contains many exceptions and loopholes.

For example, nongovernment entities, like email and phone providers and app developers are barely restricted when it comes to information collection. They are legally required to disclose in privacy agreements the information they collect (yes, those long, size five-font agreements that very few people bother to read), but that’s about as far as regulation goes. Further, these companies are required to provide government agencies with these user records whenever requested, leaving virtually no choice.

That’s why privacy advocates like Amie Stepanovich encourage companies to only collect information completely pertinent to the functioning of the business.

Stepanovich is senior policy counsel at Access Now, an international digital rights organization.

Stepanovich also urges further safeguards for personal privacy, such as encrypting emails, turning off smartphone app location services and creating secure passwords for online accounts. While these precautions–ranging from simple to very skillful–can certainly aid in Internet security, there’s no surefire way to be anonymous online.

Privacy professionals know that it’s impossible to function in 21st century society without being active online. They also know that, though it means being tracked, keeping location services turned on for some apps can make life easier and, honestly, more fun. Who wants to carry around–and decipher– a map when a GPS provides voice activated turn-by-turn directions? Similarly, think about apps like Starbucks’ that send alerts and coupons every time you’re near a store.

We’re okay with giving Starbucks our location, and maybe even letting Google track our searches, if it means we’ll be notified of sales. But when did we consent to give our purchase histories to credit companies, address histories to data aggregation companies, or travel habits and telephone records to the government?

Americans have mixed feelings about digital surveillance. Many are willing to sacrifice some privacy in exchange for stronger national security. Wouldn’t we all rather the government use cyber tracking to identify and stop terrorists through before they attack?

But specifically after the Snowden leaks, many Americans have become skeptical of the government’s digital surveillance. The Pew Research poll found that 80 percent of adults believe Americans should be concerned about the government monitoring their phone and Internet activity.

Even more are concerned with company surveillance. That same poll showed that 91 percent of adults “agree” or “strongly agree” that consumers have lost control over how companies collect and use their personal information.

While 61 percent said they would “like to do more” to protect their anonymity online, 76 percent consider that a difficult feat.

Others don’t find any reason for online anonymity.

The “I have nothing to hide” argument is a popular one. But critics say no one wants their entire life exposed, no matter how “good” of a person they are.

Too much privacy may enable corrupt behavior. Too little privacy may bring Orwell’s Big Brother to reality. People act differently when they know they’re being watched, and Americans are being watched now more than ever before.

In 1999, SUN Microsystems CEO and founder Scott McNealy famously said, “You have zero privacy anyway. Get over it.” We may be moving that way.

]]>
Should corporations give the government information after a hack? http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/19/should-corporations-give-the-government-information-after-a-hack/ Thu, 19 Mar 2015 13:57:07 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=21119 ]]> Private sector advises Obama’s cybersecurity proposal http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/10/private-sector-advises-obamas-cybersecurity-proposal/ Tue, 10 Mar 2015 19:00:32 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=20966 Continue reading ]]> WASHINGTON —President Barack Obama’s cybersecurity information sharing proposal – with its focus on sharing only targeted threat information between private firms and the government is a better approach than “ill-advised” widespread sharing, a former top privacy official for homeland security said Wednesday.

The Committee on Homeland Security’s Cybersecurity, Infrastructure Protection and Security Technologies subcommittee heard from industry, privacy and academic experts regarding what they think cyber threat information sharing should look like. The previous week, Department of Homeland Security representatives went before the entire committee to explain how this legislation could protect Americans from increasing cybersecurity threats.

Obama’s three-part proposal includes increased sharing among private sector companies and between them and the government. It also encourages the formation of Information Sharing and Analysis Organizations and creates certain guidelines for both the private and federal sectors regarding personal information retention and sharing.

Under the legislation, businesses would share information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, which would pass it onto relevant federal agencies and ISAOs. Participating businesses would receive targeted liability protection in return.

Mary Ellen Callahan, former Department of Homeland Security chief privacy officer, agreed with this targeted sharing approach, calling immediate widespread sharing of threats “ill-advised.” According to Callahan, private sector threats–usually IP addresses and URLs–are reported to the DHS, and then distilled to remove any personal information.

In the end, government security professionals only have information on the threat, its source and target, and how to combat it.

Subcommittee Chairman John Ratcliffe, R-Texas, referred to recent breaches at companies such as Anthem, Sony Pictures, Target and J.P. Morgan as examples of why the legislation is needed. “We need to pass legislation that facilitates the sharing of cyber threat indicators and contains robust privacy protections to improve collaboration between federal civilian agencies, like DHS, and the private sector,” he said.

Many companies choose not to share cyber threat indicators or breaches with one another or the government for fear of legal liability, or having their names in the media as companies with poor cybersecurity. Without this sharing of information, hackers can use the same tactics repeatedly with multiple companies.

Private companies want to see a bill that would allow them to voluntarily share cyber threats with other organizations, but have flexibility in what they share with the government, according to Matthew Eggers, senior director of National Security and Emergency Preparedness for the U.S. Chamber of Commerce.

“This is a bill trying to convince them to participate in a voluntary program that makes their lives more difficult. For folks like me saying ‘I’m not fond of government being in my cell or ERP (Enterprise Resource Planning–software for data management),’ that’s going to be a neat trick,” Eggers said.

The key will be convincing companies that Obama’s proposal would better protect everyone in the long run.

“We need a federated sharing community, not a competitive one,” Greg Garcia,
executive director of the Financial Services Sector Coordinating Council, said. “Withholding info to get ahead… Balkanizing or siloing information–that defeats the purpose.”

This is not the first time Obama has proposed legislation to safeguard America from cyber attacks. In 2011, he rolled out his Cybersecurity Legislative Proposal in an effort to give the private sector and government the tools they need to combat cyber threats. In 2013, he issued the Executive Order on Improving Critical Infrastructure Cybersecurity, which established cybersecurity framework standards that were developed in tandem with the private industry.

]]>