President Barack Obama – Medill National Security Zone http://nationalsecurityzone.medill.northwestern.edu A resource for covering national security issues Tue, 15 Mar 2016 22:20:28 +0000 en-US hourly 1 Obama promotes deal as the best alternative to war http://nationalsecurityzone.medill.northwestern.edu/blog/2015/08/11/obama-promotes-deal-as-the-best-alternative-to-war/ Tue, 11 Aug 2015 14:12:25 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=22884 Continue reading ]]>

President Barack Obama defended the Iran Deal at American University in Washington, D.C. Wednesday. “Now, we have before us a solution that prevents Iran from obtaining a nuclear weapon without resorting to war,” he said.

]]>
Obama to wounded warriors: ‘We’ve got your back’ http://nationalsecurityzone.medill.northwestern.edu/blog/2015/04/22/obama-to-wounded-warriors-weve-got-your-back/ Wed, 22 Apr 2015 19:56:45 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=21504 Continue reading ]]>
  • President Barack Obama speaks with spectators after the cyclists have set off on the Soldier Ride. (Nick Kariuki/MEDILL)
    President Barack Obama speaks with spectators after the cyclists have set off on the Soldier Ride. (Nick Kariuki/MEDILL)

WASHINGTON — Under clear skies, President Obama blasted an air horn Thursday to start the Wounded Warrior Project’s Soldier Ride from the White House’s South Lawn.

Speaking before the bikes rolled out, Obama said the event was “a chance to say to all the returning heroes that you’re not alone. That we’ve got your back. We’re going to be with you every step of the way.”

The nationwide, annual ride offers wounded service members and veterans the chance to salve the physical, mental and emotional wounds they may have suffered through cycling and the common bond of military service.

Over 50 riders from all branches of the armed forces signed up for the three-day, 60 mile challenge, many riding on adaptive bicycles.

Obama was joined by Vice President Joe Biden and Veterans Affairs Secretary Bob McDonald. This year marked the sixth time that the event was welcomed to the White House.

The first Soldier Ride was in 2004 when Chris Carney, a Long Island, New York, bartender, biked across the country to raise money for the Wounded Warrior Project, an organization that supports injured troops.

The WWP claims over 68,000 alumni and more than 10,500 family members involved, as of April 1.


Published in conjunction with Military Times Logo

]]>
FAA backed away from proposing privacy regulations for drones – but that might be a good thing, experts say http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/20/faa-backed-away-from-proposing-privacy-regulations-for-drones-but-that-might-be-a-good-thing-experts-say/ Fri, 20 Mar 2015 15:03:20 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=21201 Continue reading ]]> WASHINGTON—When the Federal Aviation Administration released its proposed “framework of regulations” for governing the commercial use of small unmanned aircraft systems last month, people were surprised. After years of failing to act on a 2012 congressional order to develop regulations, the FAA’s proposal seemingly fell from the sky – unexpected, and as it turns out, an unexpected gift to the drone community.

But noticeably missing from the proposed regulations? Privacy.

And the FAA owned up to it. In a privacy impact assessment issued along with the proposed framework, the agency stated that it “acknowledges that privacy concerns have been raised about unmanned aircraft operations. … These issues are beyond the scope of this rulemaking.”

That makes sense, according to Matt Waite. Privacy is not in its wheelhouse.

“The FAA has said all along that it is not a privacy organization – It is an aviation safety organization. They don’t have the experience or the skill[set] to be in the privacy business,” Waite added.

A professor of journalism and founder of the Drone Journalism Lab at the University of Nebraska-Lincoln, Waite said that the FAA more or less intentionally walked away from building privacy regulations into its proposal. “They had been talking about it and had been claiming that that was the reason it was all being delayed [as] they were considering privacy regulations … But ultimately, nothing.”

Waite said that the implications of that choice suggest that states are going to have to make up the difference.

“The FAA has wisely backed off all privacy issues [because] there’s no need for a new federal privacy bureaucracy [when] states already have protections in place,” said Charles Tobin, a privacy rights lawyer and partner at Holland & Knight.

“The laws that are on the books are all technology agnostic. They apply to computers, they apply to still cameras, they apply to wireless microphones, they apply to video cameras … and there’s no reason that they can’t be applied – as already written – to UAVs,” Tobin added.

He said he understands why people are concerned, but suggests we look to history for any insight we might need. “Since the turn of the century, people have expressed concerns about every single new phase of technology [that has been] developed to allow people to gather information in public places and private places, and so over the decades, states have developed a strong series of statutes and precedents in the courts that deal with electronic surveillance, eavesdropping, trespassing and just about any other concern for invasion of privacy.”

To add additional statutes would be more than redundant, Tobin said. It would be confusing for everyone involved. It also leaves the possibility that one law could potentially violate the other.

While recognizing that the FAA made the appropriate call when it chose to step aside, Tobin said the baton has simply been passed on down the line. A presidential memorandum issued the same day as the FAA’s proposed regulations relays the responsibility to “develop a framework regarding privacy, accountability, and transparency for commercial and private UAS use” to the Department of Commerce. The memo states that the department must initiate a “multi-stakeholder engagement process” within 90 days of the memo’s release – so it must begin work by mid-May. According to Tobin, “the development of private industry best practices” by the Department of Commerce is a positive step – but it should avoid stepping further.

Government trying to involve itself in the regulation of a specific piece of technology is just a terrible idea, Waite said. “As we are already seeing, the government lags way behind technology when it comes to laws that would deal with that technology. It’s taken the FAA a long time to come up with rules for these drones and they’re flying around right now. They’re being used for commercial purposes even though the FAA says, ‘No, you can’t do that.’” Law will forever lag behind technology, he said.

“So if that’s the case, then legislatures and policymakers need to acknowledge and accept that and begin to craft rules that are technology agnostic,” Waite added. Because therein lies the solution to any concerns that privacy might be invaded.

Waite said that the key is deciding what we don’t want people to do – what we need to prevent from happening. “We need to start thinking about what we consider a reasonable expectation of privacy in our modern times. And if that’s not allowing [me to] photograph [someone] streaking in their backyard, then that’s great. We can say I can’t do that. But it shouldn’t matter how I do that, [just that] you don’t want me to do it.”

It’s about understanding what we’re offended by. And then realizing that if privacy was violated, then how it was done is unimportant, he added.

The drone-related privacy concerns of the average American are actually pretty obvious, Waite said. They’re afraid of a drone operator peering into their windows like a 21st Century peeping tom, or using them to stalk and harass people. And they’re also afraid that someone might gather information about them and their behaviors.

Amie Stepanovich, senior policy counsel for privacy advocacy group Access Now, said these concerns are genuine because drone technology is in a league of its own. “Drones have [the] capacity to bring a bunch of different surveillance technologies onto a singular platform and to reach into areas that other vehicles have not been able to get to. For example, up into very high buildings or into inside spaces.”

But many of the acts people are fearful of are actually crimes, Waite said. They’re already illegal. “It is illegal for you to fly up and peer in[to] someone’s window, those peeping tom laws already handle that.” He admitted that some states aren’t as advanced as others because they require that an offender physically be on the property to be prosecuted as a peeping tom. “[But] that doesn’t take a great leap of mind to fix that real quick,” he added.

Gathering information through surveillance is a different issue, however, one steeped with potential for abuse. Stepanovich said that limitations should be put in place to restrict the ways in which government agencies can use drone technology. “It’s highly advanced and gives them a great deal [of] increased capability and can be used to collect a great deal of information,” she said.

“We need things that will, for example, protect users’ location information from being collected and tracked. … It comes back to tracking people over time without a warrant and being able to pinpoint their exact location. And this is true with drones but … there are several other different kinds of technologies that are coming out. And we need to make sure that that information is adequately protected.”

The presidential memo issued in conjunction with the FAA’s proposal states that agencies must “comply with the Privacy Act of 1974, which, among other things, restricts the collection and dissemination of individuals’ information that is maintained in systems of records, including personally identifiable information.”

The White House’s assurance that government agencies will be held accountable to legacy privacy standards is a good thing, Stepanovich said, but she recommends further attribution and transparency.

“The FAA has a publicly accessible database of who is able to fly airplanes in any specific geographic area in the United States. But they haven’t made a similar commitment to do that for drone operators,” Stepanovich said. She calls that a double standard.

People won’t know which agency, company or person is behind the remote of the drone flying over their homes. They’re already fearful, so that’s not the best way to go about this, Stepanovich added.

“And so the FAA definitely has a role to play in protecting privacy,” and she recommends the agency operate a full registry. “We’re talking about transparency, requiring that drone users register what technology they are deploying on their drones, and what capacity these drones will have. This just gets at making sure people are aware of what’s going on in their own area,” she added.

“But it should be up to Congress and other agencies to ensure that users don’t violate one another’s privacy rights.” That requires a separate law, but Stepanovich said it would be a mistake to make a new law for a singular piece of technology.

Like Waite and Tobin, she advises technology agnosticism when it comes to lawmaking. Because technology changes frequently. And for that same reason, Stepanovich said the drone privacy debate is an important one: “It will definitely be worth paying attention to because it’s really deciding the future of this technology in the U.S.”

All three agree that the next 24 months will be very exciting. “We’re sort of in the early years of the Wild West stage here, where the rules and the court cases [haven’t happened] yet,” Waite said. “But things are going to happen and they’re going to be tested in court and they’re going to be squared to our constitutional values and when they are, we’ll actually have a fairly stable system.”

“But until then you’re going to have some crazy stuff going on,” Waite added. “You’re going to see people doing things that were never envisioned and you’re going to see [drones] being used in ways that we hadn’t thought of yet. And some of that’s going to be cool and neat and some of it’s going to be kind of ugly.”

One thing is guaranteed: The waiting game has just begun.

]]>
White House pushes for student data regulations http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/19/white-house-pushes-for-student-data-regulations/ Thu, 19 Mar 2015 21:32:07 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=21196 Continue reading ]]> WASHINGTON — When the educational company ConnectEDU filed for bankruptcy about a year ago, it tried to do what any business would — sell off its most valuable asset: student data.

Millions of students submitted personal information such as email addresses, birth dates and test scores to the college and career planning company.

The Federal Trade Commission eventually stopped any transactions involving the data after noting that they violated ConnectEDU’s privacy policy.

Some student educational records are protected through the Family Educational and Privacy Rights Act, or FERPA. Originally signed into law in 1974, FERPA essentially protects the records schools collect on students and gives parents certain oversight and disclosure rights.

The growing influence of technology in classrooms and in administrative data collection, though, is making FERPA out-of-date.

Teachers, students and parents now routinely submit information to educational services companies, such as ConnectEDU. FERPA does not regulate how these companies use that data. And there is no other federal law that does. The companies’ own privacy policies are the only limit to what the companies can do with the information users provide.

The concern is that ConnectEDU may not be the only education technology company that is trying to sell its data to third parties.

ConnectEDU’s databases, for example, were filled with students’ personally identifiable information including names, birthdates, email addresses and telephone numbers. The sale of that information to other companies is not regulated.

In order to make FERPA up-to-date, President Barack Obama, in conjunction with partners in the private sector, called for a legislation to establish a national standard to protect students’ data in January.

“It’s pretty straightforward,” Obama said in a speech at the Federal Trade Commission. “We’re saying the data collected on students in the classroom can be used for educational purposes — to teach our children, not to market to our children. We want to prevent companies from selling student data to third parties for purposes other than education. We want to prevent any kind of profiling about certain students.”

Dubbed the Student Digital Privacy Act, the White House’s plan is loosely based on a 2014 California law that prohibits third-party education companies from selling student information. While other states have laws regulating and increasing the transparency, regulation and collection of student data, the California law seems to be the most far-reaching.

Because FERPA doesn’t cover third-party use, some private sector leaders have taken a vow to establish clear industry standards for protecting student data through the Student Privacy Pledge.

Created by the Future of Privacy Forum and the Software and Information Industry Association in the fall of 2014, Obama mentioned the pledge as an encouraging sign for the protection of student information.

“I want to encourage every company that provides these technologies to our schools to join this effort,” Obama said. “It’s the right thing to do. And if you don’t join this effort, then we intend to make sure that those schools and those parents know you haven’t joined this effort.”

So far, 123 companies have signed the pledge, including tech and education giants such as Apple, Microsoft, Google and Houghton Mifflin Harcourt.

“There was a lack of awareness, information and understanding about what school service providers did and didn’t do with data and what the laws required and allowed,” Mark Schneiderman, senior director of education policy at SIIA, said. “Rather than waiting for public policy and public debate to play itself out, we figured, let’s just step in and make clear that the industry is supporting schools, is using data only for school purposes, not selling the data, not doing other things that there was a perception out there that maybe [companies were doing].”

The National Parent-Teacher Association and other groups support the pledge, according to Schneiderman.

“It is imperative that students’ personal informational formation is protected at all times,” the National PTA wrote in a statement.

The companies that signed the pledge are not subject to any policing body, but by signing the pledge they show consumers their commitment to student privacy, Schneiderman said.

But many notable educational technology companies, like Pearson Education, have not signed the pledge. Pearson was recently the subject of a POLITICO investigative report that revealed that the company’s use of student data was unmonitored.

According to the report, Pearson claims it does not sell the students’ data it collects.

The College Board, ACT and Common Application are often viewed as integral to the college admissions process, but are also not included in the pledge.

Instead, these education companies point consumers to their privacy policies, which can often be difficult to understand because of the legal jargon and ambiguous terms.

Some groups such as the Parent Coalition for Student Privacy think the pledge and the privacy policies aren’t enough.

“We also need strong enforcement and security mechanisms to prevent against breaches,” Leonie Haimson, one of the group’s co-chairs, said in a statement responding to Obama’s speech. “This has been a year of continuous scandalous breaches; we owe it to our children to require security provisions at least as strict as in the case of personal health information.”

Out of the 12 commitments listed in the pledge, only one deals with preventing leaks or breaches.

The signees must “maintain a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information against risks,” the pledge states.

Haimson said the policies are a decent start, but do not go nearly far enough in protecting educational data.

Regardless, a bill for a comprehensive national standard has yet to be introduced despite the White House’s push.

In early February, though, the White House said that it had been working closely with Republican Rep. Luke Messer of Indiana and Colorado Democrat Rep. Jared Polis to introduce a bipartisan bill to Congress.

The bill’s release is expected by the end of the month, according to Messer’s office.MINTZERPRIVACY (9) 2

]]>
Private sector remains wary of government efforts to increase cybersecurity collaboration http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/19/private-sector-remains-wary-of-government-efforts-to-increase-cybersecurity-collaboration/ Thu, 19 Mar 2015 14:49:28 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=21085 Continue reading ]]> WASHINGTON– President Barack Obama and lawmakers have announced plans to increase information sharing between the government and the private sector following data breaches at major companies. But companies are hesitant to join these initiatives because of liability and privacy concerns – and sharing information could put them at a competitive disadvantage.

Experts agree information sharing is essential in preventing and responding to cyber attacks, but the government and private sector bring different perspectives and strategies to mitigating the threats.

Companies need to take the approach that there is “strength in numbers,” said Greg Garcia, executive director of the Financial Services Sector Coordinating Council.

“To the extent that we can have what amounts to a neighborhood watch at a national scale, then were going to be better aware of the adversaries and what they’re up to and what they’re trying to do,” Garcia said.

One area where progress has been made is in the sharing of cybersecurity threat indicators, which identify the source of cyber attacks, said Mary Ellen Callahan, former chief privacy officer at the Department of Homeland Security. These indicators can include bad IP addresses, malware that’s embedded in emails or specific coding in software, she said.

DHS and the Mitre Corporation have developed programming languages to improve communication about cyber threat information between the government and the private sector. Structured Threat Information Expression and Trusted Automated Exchange of Indicator Information, known as STIX and TAXII respectively, are used in tandem to quickly share the information.

“It’s one thing to have these executive orders and things, but it’s another to have the technical enablers to make it easy for these companies to do it,” said John Wunder, lead cybersecurity engineer at Mitre. “You want to make it easy to share threat information in a way that you share exactly what you want.”

Yet, these programs haven’t fully developed and more participation is needed to make them effective, said Judith Germano, a senior fellow at New York University School of Law’s Center on Law and Security.

“I hear from companies that they are often less concerned about where the threat is coming from, but what is the threat and what can they do to stop it,” she said. “That’s the valuable information. Some of that is being shared and is very helpful, but it needs to be expanded.”

Last month, Obama announced an executive order promoting cybersecurity information sharing. The order encouraged the development of information sharing and analysis organizations to spearhead collaboration between the private sector and government. He tasked DHS with creating create a nonprofit organization to develop a set of standards for ISAOs.

Despite these efforts, robust information sharing is still lacking.

“Everyone wants information. Nobody wants to give information,” said Mark Seward, vice president of marketing at Exabeam, a big data security analytics company.

Companies fear sharing information with the government could reveal corporate secrets or consumers’ private information, said Martin Libicki, a senior management scientist at the RAND Corporation. He added sharing information with the government could also pose legal risks if the information shows companies did not follow federal regulations.

Germano, who also runs a law firm focused on cybersecurity issues, says cybersecurity collaboration comes down to a matter of trust. The private sector, she said, is weary of the government.

“On one hand [the government is] reaching out as a friend and collaborator to work with companies,” she said. “On the other hand, the same government has an enforcement arm outstretched with the FTC, the SEC that if you do not comply, there can be repercussions, possible lawsuits and other regulatory action taken against you.”

Therefore, only information that is directly related to a threat should be shared and stored, said Callahan, now a partner at Jenner & Block. Further, she said when companies share a large amount of information at once it slows down the process of assessing the threat and they often share more information than is necessary.

The U.S. also lacks “an intelligent and forceful deterrence strategy” for cyber attacks, said Matthew Eggers, senior director of the U.S. Chamber of Commerce’s national security and emergency preparedness department, at a Congressional hearing earlier this month. He also said the government needs to provide more assistance to companies who have suffered from hacks.

“U.S. policymakers need to focus on pushing back against illicit actors and not on blaming the victims of cybersecurity incidents,” Eggers said. 

To address some of these concerns, Sen. Tom Carper, D-Del., introduced in February the Cyber Threat Sharing Act of 2015, which looks to provide liability protections for companies when they share cyber information with the government.

The bill would prohibit the government from using shared cyber threat data as evidence in a regulatory action against the company that shared the information. It also strengthens privacy protections and limits how shared data could be used. The bill has been referred to the Committee on Homeland Security and Governmental Affairs.

In February, Obama also called on the Director of National Intelligence to create the Cyber Threat Intelligence Integration Center, a national intelligence center aimed at “connecting the dots” on cyber threats. The center will “collect intelligence, manage incident response efforts, direct investigations” among other responsibilities.

However, experts remain skeptical about the center.

“What concerns me about that is if you read the president’s memoranda on [the Cyber Threat Intelligence Integration Center], it says that it’s consistent with privacy and civil liberties protections as relevant to that agency,” said Callahan, the Jenner & Block lawyer. “Well, the intelligence community, as you know, has reduced private protections.”

The center’s framework will be similar to that of the National Counterterrorism Center, which is a concern for Libicki, of the RAND Corporation.

“The last cyber attack had elements of terrorism in it. Does that mean we should look at this entire problem purely through the lens of counterterrorism?” Libicki said. “Why are you duplicating a methodological framework that culminates in a set of actions, like predator drones, which are totally inappropriate for cyber?”

Kathleen Butler, a spokesperson for the Office of the Director of National Intelligence, did not have any additional comment beyond the president’s announcement of the center as she said initial planning is still underway.

While experts say it will take time for the private sector to fully engage in the information sharing initiatives, the government’s efforts have been mostly positive.

“This is about enabling people to share what they know and get access to what others know such that protection can be more pervasive,” said Bobbie Stempfley, Mitre’s director of cybersecurity implementation. “That’s really a powerful concept.”

]]>
Political analyst Al From talks Democratic Party readiness for 2016 http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/17/political-analyst-al-from-talks-democratic-party-readiness-for-2016/ Tue, 17 Mar 2015 15:45:43 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=21074 Continue reading ]]> WASHINGTON — Democratic Leadership Council founder and Medill M.S.J. alum Al From turned a critical eye onto his own party during a March 12 visit to the Medill Washington newsroom.

During the talk with Medill undergraduates, From discussed the history of the contemporary Democratic party, political strategy and his analysis of the Democratic party’s prognosis in the battle for the White House in 2016. From’s book “The New Democrats and the Return to Power” serves as a historical guide to how the modern Democratic party came together, but he dedicated much of his current analysis to the party’s future and he pulled no punches.

From started off his evaluation of the Democrats’ current obstacles by calling out Democrats for prioritizing fancy campaign delivery mechanisms over a relatable platform.

“The truth is, despite all the talk about different ways to communicate, you know, no amount of money or technology or social media or campaign strategy or tactics can make up for a message that doesn’t connect with voters,” From said.

He went on to accuse Democrats of being too comfortable with their historic “demographic advantage” in presidential elections and not taking into account factors such as the potential flippability of the Hispanic vote and the recent Republican capture of the Asian vote. From emphasized the idea that “votes are not necessarily forever” and noted that President Barack Obama’s absence from the 2016 ballot could significantly impact the minority and youth votes for the worse.

From also underscored the importance of working to improve the economy vs. solely focusing on minimum wage. He cited an old friend’s success as a case study for this point, attributing the decrease in American equality observed under Bill Clinton’s presidential administration to national economic growth.

“The problem with the Democrats is you spend so much time worrying about the, uh, about passing out the golden eggs, you forget to worry about the health of the goose,” From explained.

Additionally, From said that members of his party must keep healthcare reinvention and modernization at the forefront of their considerations, since there is a correlation between the efficiency of federal services and the public’s faith in government.

“I learned at a very young age that government reform is not an advocation of liberal goals; it’s essential to achieving them,” he said. “Government is our vehicle for doing good things.”

]]>
Whistleblowing in the FBI: problems lie deeper than confusing legal boundaries http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/16/whistleblowing-in-the-fbi-problems-lie-deeper-than-confusing-legal-boundaries/ Mon, 16 Mar 2015 14:08:01 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=21070 Continue reading ]]> WASHINGTON — Former FBI agent Michael German thought the agency had the information it needed to see the 9/11 terrorist attacks coming. In the aftermath of the attack, German reported a cover-up of a failed counterterrorism investigation that infringed upon people’s civil liberties in unprecedented ways.

Yet when German raised these concerns, the Department of Justice inspector general failed to investigate, he said. He also said the IG Office failed to protect him from official retaliation within the FBI, including possible surveillance, resulting in the 16-year veteran resigning in 2004.

“I tried to challenge the system from within, but they don’t like that,” German said in an interview with the American Civil Liberties Union. “They made it very uncomfortable so I finally realized it was time to work on the outside.”

German’s case became one of the most visible examples of the challenges facing whistleblowers in the intelligence community. In addition to a legal framework that makes it incredibly difficult for whistleblowers to come forward, a more subtle influence lurks beneath the surface: a culture that views whistleblowers as traitors, not reformers.

A new report by the Government Accountability Office released last Thursday found that, despite recent efforts to extend whistleblower protections to FBI employees, they remain exposed to retaliation for reporting wrongdoing.

Under the Whistleblower Protection Act of 1989, federal employees are generally protected from retaliation for reporting wrongdoing, entitling them to pursue legal recourse should they face retribution. However, FBI employees were excluded from these protections, and in 1998 the Department of Justice established separate guidelines that were meant to protect whistleblowers within the agency.

Yet the guidelines permitting FBI agents to disclose wrongdoing are unclear, according to the GAO report. For example, FBI employees must report wrongdoing only to a handful of designated officials. As a result, more than half of the 62 cases reviewed by the GAO were dismissed without review.

According Steven L. Katz, formerly counsel to the Senate Committee on Governmental Affairs and an expert on federal whistleblowing law, those in the FBI face much deeper issues than simply unclear legal guidelines. Instead, intelligence agents are a part of a culture that targets whistleblowers and punishes their behavior.

“When someone raises concerns, do you throw them overboard, or do you sit down with them and thank them?” he said. “The FBI throws them overboard.”

Katz argued that the GAO report fails to reflect the human aspect of the FBI in making it difficult for whistleblowers to come forward, focusing instead solely on the regulations that govern whistleblowing activities.

“The agencies are full of people, not just processes,” Katz said. “It’s the people who screw up because the laws look perfect on the books.”

According to Katz, other government agencies have faced similar problems with whistleblower culture. Last year, a series of attempted break-ins at the White House prompted Secret Service Director Julia Pierson to resign. A report released after the incident found that the Secret Service was “too insular,” ignoring the warning signs made plain by the attacks.

“In the agencies where you have a law enforcement culture, where power is might, people tend to transfer that culture of enforcement that’s outward facing inwards,” he said.

In 2012, President Barack Obama released Presidential Policy Directive 19, which established whistleblowing protection for those in the intelligence community. Elements of the directive were codified under the Intelligence Authorization Act for FY2014, but the guidelines of the directive aren’t permanent and can be easily reversed by a different president.

The result adds up to a climate that, while improving in some key ways, remains hostile to the act of whistleblowing. In an organization that possesses some of the nation’s most important classified information, the threat to the success of the FBI is intimately tied to the future of the country itself, as the 9/11 attacks demonstrated.

“You want the FBI to be effective, and so to help them be more effective you’d expect them to have better protection against retaliation from reporting problems,” said David Maurer, director for GAO’s homeland security and justice department. “It’s ironic that they have less whistleblower protection than the rest of the government.”

]]>
Private sector advises Obama’s cybersecurity proposal http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/10/private-sector-advises-obamas-cybersecurity-proposal/ Tue, 10 Mar 2015 19:00:32 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=20966 Continue reading ]]> WASHINGTON —President Barack Obama’s cybersecurity information sharing proposal – with its focus on sharing only targeted threat information between private firms and the government is a better approach than “ill-advised” widespread sharing, a former top privacy official for homeland security said Wednesday.

The Committee on Homeland Security’s Cybersecurity, Infrastructure Protection and Security Technologies subcommittee heard from industry, privacy and academic experts regarding what they think cyber threat information sharing should look like. The previous week, Department of Homeland Security representatives went before the entire committee to explain how this legislation could protect Americans from increasing cybersecurity threats.

Obama’s three-part proposal includes increased sharing among private sector companies and between them and the government. It also encourages the formation of Information Sharing and Analysis Organizations and creates certain guidelines for both the private and federal sectors regarding personal information retention and sharing.

Under the legislation, businesses would share information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, which would pass it onto relevant federal agencies and ISAOs. Participating businesses would receive targeted liability protection in return.

Mary Ellen Callahan, former Department of Homeland Security chief privacy officer, agreed with this targeted sharing approach, calling immediate widespread sharing of threats “ill-advised.” According to Callahan, private sector threats–usually IP addresses and URLs–are reported to the DHS, and then distilled to remove any personal information.

In the end, government security professionals only have information on the threat, its source and target, and how to combat it.

Subcommittee Chairman John Ratcliffe, R-Texas, referred to recent breaches at companies such as Anthem, Sony Pictures, Target and J.P. Morgan as examples of why the legislation is needed. “We need to pass legislation that facilitates the sharing of cyber threat indicators and contains robust privacy protections to improve collaboration between federal civilian agencies, like DHS, and the private sector,” he said.

Many companies choose not to share cyber threat indicators or breaches with one another or the government for fear of legal liability, or having their names in the media as companies with poor cybersecurity. Without this sharing of information, hackers can use the same tactics repeatedly with multiple companies.

Private companies want to see a bill that would allow them to voluntarily share cyber threats with other organizations, but have flexibility in what they share with the government, according to Matthew Eggers, senior director of National Security and Emergency Preparedness for the U.S. Chamber of Commerce.

“This is a bill trying to convince them to participate in a voluntary program that makes their lives more difficult. For folks like me saying ‘I’m not fond of government being in my cell or ERP (Enterprise Resource Planning–software for data management),’ that’s going to be a neat trick,” Eggers said.

The key will be convincing companies that Obama’s proposal would better protect everyone in the long run.

“We need a federated sharing community, not a competitive one,” Greg Garcia,
executive director of the Financial Services Sector Coordinating Council, said. “Withholding info to get ahead… Balkanizing or siloing information–that defeats the purpose.”

This is not the first time Obama has proposed legislation to safeguard America from cyber attacks. In 2011, he rolled out his Cybersecurity Legislative Proposal in an effort to give the private sector and government the tools they need to combat cyber threats. In 2013, he issued the Executive Order on Improving Critical Infrastructure Cybersecurity, which established cybersecurity framework standards that were developed in tandem with the private industry.

]]>