October 20, 2017
October 16, 2017
Posted February 16, 2015
President Calls for Threat Information Sharing and Right to Privacy
In the wake of the White House Cybersecurity Summit held at Stanford University last week, Alisdair Faulkner, chief products officer, ThreatMetrix® wrote:
In light of President Obama’s visit to Silicon Valley, now is a better time than ever to address online security and privacy. Collecting an unreasonable amount of personal information will lead to a “Privacy Pearl Harbor.”
How much information collection is too much?
Threat intelligence sharing is necessary but only to a certain extent – businesses must make sure that reasonable security is not an unreasonable privacy invasion. There needs to be a reasonable amount of digital identity verification such as verifying one’s location or phone number when using a banking app. However, some businesses, including ride sharing services and major banks, have access to information about your entire location and activity history each time you use the app. With so much information stored on users’ mobile devices and in specific mobile apps, this often leads to an unreasonable privacy invasion beyond what is necessary for security measures. Instead, the recent influx of data breaches and privacy concerns calls for industry-wide authentication guidelines that do not compromise privacy.
Anonymized shared intelligence: authentication and privacy
To maintain a balance between privacy and security, businesses should leverage anonymized shared intelligence, behavior-based identity proofing and context-based authentication. At a minimum, industries operating online should self-enforce standards for controlling access to customer data from both insider and outsider theft without invading privacy.
Protecting customer and corporate identities
In addition to balancing privacy and security, businesses need to focus on protecting data in use in addition to data at rest. Data in use refers to customer or corporate identities that are used following a data breach without the individual’s knowledge. A key requirement for data protection is for businesses to ensure personally identifiable information is screened against unauthorized use prior to being processed. This can be done through device identification, malware detection and anonymized trust federation.
At summit President acknowledges challenge of info sharing vs. privacy
In her story on techcrunch.com, Sarah Buhr discusses the primary themes that emerged from the President’s call for closer cooperation between government and the private sector. The following has been excerpted from her piece and edited to fit our format. You may find the complete article by clicking on this link.
A new sheriff in town
While pushing for that collaboration, he admitted it would be a challenge to both keep up with cyber threats and protect American’s right to privacy at the same time. “Protecting the American people while making sure government is not abusing its capabilities is hard. The cyberworld is sort of the Wild Wild West and to some degree we are asked to be the sheriff…”
President signs Executive Order
[Obama] signed an Executive Order….. One of those provisions encourages information sharing and analysis organizations (ISAOs), which would serve as points of contact for information sharing between the government and the private sector.
The order added the Department of Homeland Security to the list of government organizations that would be able to approve the sharing of classified information and ensure that proper information is shared between entities.
The Snowden effect
The big question here is whether the private sector will be willing to offer this information. Many companies are still reeling from Edward Snowden’s revelations that they were handing over consumer information to the U.S. government and have since taken measures to encrypt data, even from themselves.
Constructing a cathedral
Obama acknowledged the challenge to protect American citizens from cyber threats, but at the same time protect their right to privacy. [He] likened the process of technological development to building a cathedral.
“[T]hat cathedral will not just be about technology but about the values we have embedded in this system. It will be about privacy and security and about connection. A magnificent cathedral and we’re all going to be a part of that.”