10/19/2015
04:15 PM

Former White House Advisor: Marry Infosec To Economics

Melissa Hathaway, former cybersecurity policy advisor to the White House, says the security and economy agendas should go hand-in-hand, and Western nations' use of surveillance technology is 'alarming.'

GTEC CONFERENCE, OTTAWA -- Former cybersecurity advisor to the White House Melissa Hathaway says Western democratic nations' current use of data collection and surveillance technologies is "alarming" and that to improve Internet security, nations need to wed their infosec agenda to their economic agenda.

Hathaway, now president of Hathaway Global Strategies LLC, will present a keynote speech on the topic "Transparency, Trust, and the Internet" in Ottawa this week at the GTEC conference, an event now in its 23rd year and focused on the Canadian ICT sector.

"I think it's alarming what's happening in Western countries," she says, referring to information gathering, data discovery requests, and surveillance activities conducted by these governments' agencies in the name of security of the state or political stability.

The issues are not unique to the West, either. Hathaway notes that she just returned from India, where a debate over encryption is underway, similar to the one ongoing in the United States. In the U.S., law enforcement and intelligence agencies have been lobbying for backdoors, key escrows, weaker cryptographic algorithms, or other methods that would make it possible for law enforcement to read encrypted data.

"I do not believe that any government should weaken technology," Hathaway says. "Even if you're doing it for safety concerns, there will be criminals who" find a way to use it for criminal purposes.

Compounding the surveillance issue, says Hathaway, is that private sector companies like Google that have extensive stores of citizen personal data and/or communications "are being deputized as law enforcement" by being asked to look for suspicious activity and content. "It's a very fine line that is being crossed now," she says.

It's a growing problem, because more large-scale data aggregators will enter the market as the Internet of Things expands. Yet, as Hathaway explains, neither citizens nor enterprises can adequately protect themselves from the risks this presents -- without knowing who has your data and how they're using it, citizens cannot adequately assess the risk to their privacy, and companies cannot adequately assess risks to their company presented by third-party suppliers.

"I think there's not a lot of transparency, and I think that's somewhat deliberate," Hathaway says. "Google doesn't want you to know all the ways it's using your data."

A 'Capital Conversation'

In order to make Internet security a national priority and truly bring about change, says Hathaway, "you have to make this a capital conversation."

Nations can increase their gross domestic product by connecting more citizens (and things) to the Internet, Hathaway says. She points to Gartner's estimate that the near-term global economic opportunity generated by the Internet of Things is $19 trillion. "If you don't invest in security, you're pretty much guaranteed to lose 1 to 2 percent of your GDP," she says. ICT investments will generate gains of GDP, but without the appropriate security measures, says Hathaway, there's a threat of those ICT investments becoming a "net zero."

She offers some suggestions for moving the needle in the right direction.

First, "we can't divorce the economics from the security," says Hathaway, "and they have to be married from the top."

She also recommends the U.S. winnow down its official list of 16 critical infrastructures to just three -- energy, financial services, and telecommunications -- to better focus its priorities and resources.

"Then, because we have a lot of vulnerable products ... it's essential we start cleaning up our own infected infrastructure," says Hathaway. "These are three doable things for any sitting government that wants to own this problem."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
PZav,
User Rank: Author
10/20/2015 | 3:59:14 PM
Technology Used for Collecting Information
I wanted to add that most of the attacks I see, because we're focused on detecting threats outside the firewall, are exploitations of the very technology used to collect user information. All of us are surrounded by this technology, at all times. We don't even know it's there and we were never given the choice to accept it. It's the cost of the 'free' Internet.

Aside from my own tirade (stepping off my soap box now) I find the points made in this article very fascinating. I particularly like the points about whittling down the critical infrastructure list. Also, it is nice to see someone outside of technology recognize the dangers of tampering with encryption.   

 
RyanSepe,
User Rank: Ninja
10/20/2015 | 10:12:43 AM
Re: Speaking sense
Unfortunately, even when you are in a position to make change happen, the procedures and hoops you need to jump through to streamline initiatives are daunting.

Plus without some type of cohesion between the government and private sectors, any resolution remains inconsistent at best.

But yes, I very much agree with your statement.
Whoopty,
User Rank: Ninja
10/20/2015 | 7:07:09 AM
Speaking sense
It's great to see someone in such a high profile position speaking a lot of sense about encryption, privacy and the encroachment of law enforcement into the mandates of large corporations.

That said, it's very typical that these sorts of radical thoughts are mainly aired after a person has left a position of governmental power. Why is it that these people can only speak their minds when they are unable to do much about it?