Nico Sell, Founder of 533DZ Foundation and a World Economic Forum Tech Entrepreneur & Anja Kaspersen, Head of International Security, World Economic Forum
First published by The Hill on July 12, 2016
At a time of the global information security crisis, we often hear that in order to achieve stronger security against emerging threats, including terrorism and cyber attacks, we must accept less privacy. This should apply to our communications, financial transactions, and all other internet-powered activities. Many simply assume that more visibility and state control automatically translate into more safety.
Coming at it with different sets of expertise and experiences, we argue against this alleged conflict between privacy and security. And here is why.
For centuries, only a handful of states have had the resources to wreak havoc on a massive scale. Today, technology is rapidly democratizing this destructive capability. Remote cyber attacks can now target any world region, disrupting or destroying digital assets – valuable information networks and physical objects – dams, power plants, and other industrial facilities.
International criminal groups run the bot armies of billions of puppet computers, which belong to unknowing victims around the world, to attack corporate systems. The attribution is clearly no easy tasks when cyber vulnerabilities are involved, thus traditional state-level deterrence strategies often prove futile.
In this complex and rapidly changing security environment, many domestic and international policy-makers appear to believe that the only “defense” to counter these emerging threats is the increased control over population. In their view, the premise seems straightforward – if individuals with destructive intent are able to communicate with complete privacy, it will have a negative impact on the law enforcement’s ability to uncover wrongdoings.
Hence, the security vs. privacy narrative equates privacy with potential for criminality, and security with government access to citizens’ data.
As a result, to keep the public safe, governments scale up the surveillance techniques historically relied upon to enforce security policy. With expanding connectivity, there is no longer the time-consuming need to bug phone lines individually and have human agents read the intercepted conversations. Instead, communications can be hoovered up en masse and analyzed to search the haystack of data for patterns and anomalies that might indicate potential threats.
The key question is whether these policies are effective in reaching their stated goals in a new increasingly decentralized cyber reality?
Recent world events cast some doubt on the effectiveness of this approach. In the aftermath of the Brussels and Paris terrorist attacks, we have learned that the problem has not been the lack of information, but rather ineffective data analysis and failed international cooperation in sharing intelligence in a timely fashion. When the haystack becomes so large, the chances are authorities may miss crucial intelligence.
However, even if data analytics and intelligence sharing mechanisms could be improved, the existence of mass data collection and the ongoing push for encryption backdoors imply that it is technically possible to exploit global networks en masse without creating the attack entry points accessible to others – criminals or foreign intelligence.
Today, the increasing connectivity, advancing technology, and a proliferation of internet-powered devices make it impossible to isolate backdoors to be only useful to particular governments and their needs for investigative powers. At a time when the record numbers of high-impact data breaches are reported almost daily, any and all vulnerabilities are indeed open for exploitation to anyone who can find them – be it in consumer applications, critical infrastructure, or government networks.
With the Web being a global ecosystem, we can no longer segregate it to weaken security for only bad actors, whose possible criminal activities may pose risks to national security. Injecting vulnerabilities in commonly used protocols or services indiscriminately affects the security of everyone using these technologies.
In addition, we are not guaranteed that bad actors will not create their own encryption tools or use stronger security offered by foreign companies. According to a recent global survey of encryption products, only one third of these tools are produced in the US while two thirds are developed elsewhere, with Germany, UK, Canada, France and Sweden being the top generators of crypto tech. The report also found that 44% of over 860 encryption products available are free, and 34% are open source.
In this complex technological environment, citizens, government systems, corporations, and critical infrastructure facilities are increasingly connected and everyone’s security is dependent on the same protocols and hardware while bad actors can still access strong encryption to secure their data. Thus, compromising the integrity of global networks appears unlikely to result in much gain in intelligence capabilities. Hence, the net outcome likely becomes less security and less privacy for all.
Interestingly, the existing mass data collection programs across the world have been long surrounded by secrecy regarding their very existence and the governments’ capabilities to infiltrate information networks. Such secrecy, aside from the public perception that it is undermining the social contract at the core of democratic governance, also puts national governments at a disadvantage by limiting the critical input they may receive from their citizenry in an effort to strengthen national security.
Considering a rise of cyber threats and a dire state of security in most technologies – consumer, enterprise or industrial, and the fact that 85% of all critical infrastructure is privately owned, it appears short-sighted to not actively engage the expert community and a broader public from contributing to this critical conversation. Information security and technology experts may offer valuable insights into the latest research and innovation occurring in the private sector, which can significantly influence the effectiveness of government data collection and defense strategies.
As technology redefines security, who can credibly provide it, and where the cyber attacks might be coming from, there is an urgent need to redefine a new social contract for the cyber age to ensure the sustainability of an increasingly connected global economy and reducing risks to the critical infrastructure.
While it would be unrealistic to expect no state secrecy regarding intelligence activities, the important question to think through is how to ensure that effective safeguards are in place to protect against potential abuse from all parties – government and corporate actors. This requires an agile and fit-for-purpose oversight regime so it is conducted in a most responsible and secure fashion minimizing the probability of citizens’ personal data being misused or compromised.
It is clearly time to broaden the dialogue to engage all stakeholders to think through these complex technological and policy issues, including the private industry that may often be overly focused on indiscriminate collection and infinite storage of consumer data.
There are no easy answers or solutions but one thing is sure: by creating a false tension between privacy and security, the issues that are far more pressing to the safety of global communications and information networks are not being addressed. Collecting more data does not guarantee intelligence efficacy. Surveillance and other intelligence mechanisms can play a legitimate role in curbing malicious behavior online of offline, but these powers should be used sparingly and strategically.
There is a need for greater literacy about security policies’ impact, consolidating and strengthening of the norms around the collection and use of data and a more inclusive dialogue on how to address shared vulnerabilities in a new increasingly decentralized world.