
Former White House Advisor: Marry Infosec To Economics

Melissa Hathaway, former cybersecurity policy advisor to the White House, says the security and economy agendas should go hand-in-hand, and Western nations' use of surveillance technology is 'alarming.'

GTEC CONFERENCE, OTTAWA -- Former cybersecurity advisor to the White House Melissa Hathaway says Western democratic nations' current use of data collection and surveillance technologies is "alarming" and that to improve Internet security, nations need to wed their infosec agenda to their economic agenda.

Hathaway, now president of Hathaway Global Strategies LLC, will present a keynote speech on the topic "Transparency, Trust, and the Internet" in Ottawa this week at the GTEC conference, an event now in its 23rd year and focused on the Canadian ICT sector.

"I think it's alarming what's happening in Western countries," she says, referring to information gathering, data discovery requests, and surveillance activities conducted by these governments' agencies in the name of security of the state or political stability.

The issues are not unique to the West, either. Hathaway notes that she just returned from India, where a debate over encryption is underway, similar to the one ongoing in the United States. In the U.S., law enforcement and intelligence agencies have been lobbying for backdoors, key escrows, weaker cryptographic algorithms, or other methods that would make it possible for law enforcement to read encrypted data.

"I do not believe that any government should weaken technology," Hathaway says. "Even if you're doing it for safety concerns, there will be criminals who" find a way to use it for criminal purposes.

Compounding the surveillance issue, says Hathaway, is that private sector companies like Google that have extensive stores of citizen personal data and/or communications "are being deputized as law enforcement" by being asked to look for suspicious activity and content. "It's a very fine line that is being crossed now," she says.

It's a growing problem, because more large-scale data aggregators will enter the market as the Internet of Things expands. Yet, as Hathaway explains, neither citizens nor enterprises can adequately protect themselves from the risks this presents -- without knowing who has your data and how they're using it, citizens cannot adequately assess the risk to their privacy, and companies cannot adequately assess risks to their company presented by third-party suppliers.

"I think there's not a lot of transparency, and I think that's somewhat deliberate," Hathaway says. "Google doesn't want you to know all the ways it's using your data."

A 'Capital Conversation'

In order to make Internet security a national priority and truly bring about change, says Hathaway, "you have to make this a capital conversation."

Nations can increase their gross domestic product by connecting more citizens (and things) to the Internet, Hathaway says. She points to Gartner's estimate that the near-term global economic opportunity generated by the Internet of Things is $19 trillion. "If you don't invest in security, you're pretty much guaranteed to lose 1 to 2 percent of your GDP," she says. ICT investments will generate gains of GDP, but without the appropriate security measures, says Hathaway, there's a threat of those ICT investments becoming a "net zero."

She offers some suggestions for moving the needle in the right direction.

First, "we can't divorce the economics from the security," says Hathaway, "and they have to be married from the top."

She also recommends the U.S. winnow down its official list of 16 critical infrastructures to just three -- energy, financial services, and telecommunications -- to better focus their priorities and resources.

"Then, because we have a lot of vulnerable products ... it's essential we start cleaning up our own infected infrastructure," says Hathaway. "These are three doable things for any sitting government that wants to own this problem."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

User Rank: Author
10/20/2015 | 3:59:14 PM
Technology Used for Collecting Information
I wanted to add that most of the attacks I see, because we're focused on detecting threats outside the firewall, are exploitations of the very technology used to collect user information. All of us are surrounded by this technology, at all times. We don't even know it's there and we were never given the choice to accept it. It's the cost of the 'free' Internet.

Aside from my own tirade (stepping off my soap box now) I find the points made in this article very fascinating. I particularly like the points about whittling down the critical infrastructure list. Also, it is nice to see someone outside of technology recognize the dangers of tampering with encryption.   

User Rank: Ninja
10/20/2015 | 10:12:43 AM
Re: Speaking sense
Unfortunately, even when you are in a position to make change happen the procedures and hoops you need to jump through to streamline initiatives are daunting.

Plus without some type of cohesion between the government and private sectors, any resolution remains inconsistent at best.

But yes, I very much agree with your statement.
User Rank: Ninja
10/20/2015 | 7:07:09 AM
Speaking sense
It's great to see someone in such a high profile position speaking a lot of sense about encryption, privacy and the encroachment of law enforcement into the mandates of large corporations.

That said, it's very typical that these sorts of radical thoughts are mainly aired after a person has left a position of governmental power. Why is it that these people can only speak their minds when they are unable to do much about it?