Obama’s Former Privacy Director Decries America’s Data Security

January 21, 2015

Timothy H. Edgar

President Obama stands in the well of the House, demanding Congress take action on privacy and cybersecurity. Nothing happens. It has become an annual Washington ritual. One we witnessed again last night.

The state of our union’s data is insecure.

In 2009, President Obama announced the creation of a White House cybersecurity office as part of the National Security Staff, and named me its first privacy official. Two years later, the White House proposed legislation, but Congress took no action. Today, we have less privacy and our systems remain as insecure as ever.

How can Congress continue to ignore what is becoming our most pressing national security issue? Bipartisan cheerleading for cybersecurity aside, there is fierce industry opposition to new security or privacy rules. Meanwhile, civil liberties and privacy activists think that panic about cyber breaches will lead to surveillance and filtering that would destroy the open Internet in the name of saving it. Accommodating these concerns should not be an impossible task, but in today’s Washington, it has been.

Last night Obama implored Congress, saying: “And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information. If we don’t act, we’ll leave our nation and our economy vulnerable.” Obama’s new legislative proposals include incentives for voluntary information sharing, tougher penalties for cybercrime, and consumer privacy protections. They are useful ideas, but even if Congress passed all of them—which they likely won’t—Kim Jong Un will hardly be shaking in his boots. Effective commercial privacy legislation is long overdue, but North Korean cyber-warriors are unlikely to be deterred by new rules safeguarding schoolchildren’s educational data.

State-sponsored hackers are unlikely to fear American prosecutions, either. The indictments last year of members of a secret military hacking unit in China have had little discernible effect. The intrusions at Home Depot, J.P. Morgan and Sony show that threatening prosecution of hackers protected by powerful foreign governments and outside the reach of American law enforcement simply isn’t an effective deterrent.

The Answers Are Not In Washington

The best ideas I’ve heard for improving our cybersecurity have not come from inside the intelligence community or the White House, but from outside the federal government. In the past few years, privacy start-ups have flourished. Silent Circle offers secure voice and text messaging. Virtru offers a simple browser plug-in to encrypt e-mails and file attachments using existing platforms like Gmail. Big companies have also stepped up. Apple’s new iPhone offers better encryption, closing a backdoor that allowed surveillance and compromised security.

On encryption, gridlock in Washington is good news. The FBI’s push late last year for government-mandated backdoors for encrypted data has fallen flat. Now this dreadful idea has migrated across the pond, where the British government seems determined to weaken cybersecurity in the aftermath of the attacks in Paris. In fact, backdoors for encrypted communications would do nothing to prevent terrorism, but would weaken data security for everyone.

President Obama has encouraged industry to share more detailed information about cyber threats, yet the best sharing arrangements have come from the states and the private sector, not from Washington. While legislation can offer liability protection, the need for such protection as an incentive for sharing has been exaggerated. Companies can and do already share confidential threat information under the protection of nondisclosure agreements. The Advanced Cyber Security Center, based in Boston, is one such sharing arrangement. It includes companies like Pfizer, State Street, and RSA/EMC Corporation along with the Federal Reserve Bank of Boston and the Commonwealth of Massachusetts.