
Cloud

10/19/2015 04:15 PM

Former White House Advisor: Marry Infosec To Economics

Melissa Hathaway, former cybersecurity policy advisor to the White House, says the security and economy agendas should go hand-in-hand, and Western nations' use of surveillance technology is 'alarming.'

GTEC CONFERENCE, OTTAWA -- Former cybersecurity advisor to the White House Melissa Hathaway says Western democratic nations' current use of data collection and surveillance technologies is "alarming" and that to improve Internet security, nations need to wed their infosec agenda to their economic agenda.

Hathaway, now president of Hathaway Global Strategies LLC, will present a keynote speech on the topic "Transparency, Trust, and the Internet" in Ottawa this week at the GTEC conference, an event now in its 23rd year and focused on the Canadian ICT sector.

"I think it's alarming what's happening in Western countries," she says, referring to information gathering, data discovery requests, and surveillance activities conducted by these governments' agencies in the name of security of the state or political stability.

The issues are not unique to the West, either. Hathaway notes that she just returned from India, where a debate over encryption is underway, similar to the one ongoing in the United States. In the U.S., law enforcement and intelligence agencies have been lobbying for backdoors, key escrows, weaker cryptographic algorithms, or other methods that would make it possible for law enforcement to read encrypted data.

"I do not believe that any government should weaken technology," Hathaway says. "Even if you're doing it for safety concerns, there will be criminals who" find a way to use it for criminal purposes.

Compounding the surveillance issue, says Hathaway, is that private sector companies like Google that have extensive stores of citizen personal data and/or communications "are being deputized as law enforcement" by being asked to look for suspicious activity and content. "It's a very fine line that is being crossed now," she says.

It's a growing problem, because more large-scale data aggregators will enter the market as the Internet of Things expands. Yet, as Hathaway explains, neither citizens nor enterprises can adequately protect themselves from the risks this presents -- without knowing who has your data and how they're using it, citizens cannot adequately assess the risk to their privacy, and companies cannot adequately assess risks to their company presented by third-party suppliers.

"I think there's not a lot of transparency, and I think that's somewhat deliberate," Hathaway says. "Google doesn't want you to know all the ways it's using your data."

A 'Capital Conversation'

In order to make Internet security a national priority and truly bring about change, says Hathaway, "you have to make this a capital conversation."

Nations can increase their gross domestic product by connecting more citizens (and things) to the Internet, Hathaway says. She points to Gartner's estimate that the near-term global economic opportunity generated by the Internet of Things is $19 trillion. "If you don't invest in security, you're pretty much guaranteed to lose 1 to 2 percent of your GDP," she says. ICT investments will generate gains of GDP, but without the appropriate security measures, says Hathaway, there's a threat of those ICT investments becoming a "net zero."

She offers some suggestions for moving the needle in the right direction.

First "we can't divorce the economics from the security," says Hathaway, "and they have to be married from the top."

She also recommends the U.S. winnow down its official list of 16 critical infrastructures to just three -- energy, financial services, and telecommunications -- to better focus its priorities and resources.

"Then, because we have a lot of vulnerable products ... it's essential we start cleaning up our own infected infrastructure," says Hathaway. "These are three doable things for any sitting government that wants to own this problem."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
Comments
PZav, User Rank: Author, 10/20/2015 | 3:59:14 PM
Technology Used for Collecting Information
I wanted to add that most of the attacks I see, because we're focused on detecting threats outside the firewall, are exploitations of the very technology used to collect user information. All of us are surrounded by this technology, at all times. We don't even know it's there and we were never given the choice to accept it. It's the cost of the 'free' Internet.

Aside from my own tirade (stepping off my soap box now) I find the points made in this article very fascinating. I particularly like the points about whittling down the critical infrastructure list. Also, it is nice to see someone outside of technology recognize the dangers of tampering with encryption.

RyanSepe, User Rank: Ninja, 10/20/2015 | 10:12:43 AM
Re: Speaking sense
Unfortunately, even when you are in a position to make change happen, the procedures and hoops you need to jump through to streamline initiatives are daunting.

Plus, without some type of cohesion between the government and private sectors, any resolution remains inconsistent at best.

But yes, I very much agree with your statement.
Whoopty, User Rank: Ninja, 10/20/2015 | 7:07:09 AM
Speaking sense
It's great to see someone in such a high profile position speaking a lot of sense about encryption, privacy and the encroachment of law enforcement into the mandates of large corporations.

That said, it's very typical that these sorts of radical thoughts are mainly aired after a person has left a position of governmental power. Why is it that these people can only speak their minds when they are unable to do much about it?