BreachExchange mailing list archives

Cybersecurity’s privacy problem


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 3 Aug 2015 18:00:00 -0600

http://fortune.com/2015/08/03/cybersecurity-privacy-europe-u-s/?xid=timehp-category

My law professor at Harvard once said the definition of a conservative is a
liberal who has just been mugged. Cybersecurity was the furthest thing from
Professor Alan Dershowitz's mind when he made this comment 30 years ago.
Yet, recent events in Europe illustrate the wisdom of his words.

A surge of cyber and terrorist attacks has threatened the fabric of
European society, leading policymakers to break with history and begin to
prioritize security over privacy.

Historically, it is the United States that has placed a premium on
security. Particularly since the 9/11 terrorist attacks, Americans have
tolerated broad surveillance by their government and sweeping data mining
by private companies.

Europeans, by contrast, have long cherished privacy, both online and off.
Last summer, the European Court of Justice captured this sentiment in its
landmark ruling that individuals have a “right to be forgotten.” Privacy is
even enshrined as a fundamental right in the European Charter of Human
Rights.

Cybersecurity has only recently emerged as a continental concern. Last
fall, government officials and business leaders placed cybersecurity at the
bottom of the list in a poll on the main threats facing Europe, beneath
issues like unemployment, migration, social instability, and interstate
conflict.

Given this history, one might expect the United States to move more quickly
than its European counterparts in passing measures aimed at combating
cyber threats. Instead, it is Europe that has taken the lead.

Why has the need for digital security overtaken privacy as a leading
priority for legislators across the continent?

Looming large is growing concern over an increasingly daring array of cyber
attacks. Over the past year, Europe has experienced a number of online
security breaches of unprecedented size and scale.

The most alarming came in late December, when authorities revealed that
hackers had conducted a massive attack that caused widespread damage at an
iron plant in Germany. This was one of the first successful cyber attacks on
critical infrastructure anywhere in the world.

In January, a wave of cyber attacks temporarily disabled 19,000 French
websites, including that of the Defense Ministry. In April, hackers
claiming affiliation with the “Cyber Caliphate” of the Islamic State
disabled broadcasts and took over the web presence of French public service
television.

And in May, the German Bundestag revealed that more than 20,000 computers
used by parliamentary members and staff had been infected with malware –
the largest attack on the German parliament in history.

As cyber attacks in Europe have grown in intensity and frequency, physical
terrorism has afflicted the continent in new and terrifying ways.

In January, terrorists killed 17 people in an attack on the satire magazine
Charlie Hebdo in Paris. A day later, Belgian police killed two terror
suspects in Verviers.

The ensuing months have only heightened European concerns around physical
terrorism.

Shocking reports of teenage girls across the continent leaving their
families to join ISIS blared into television sets and computer screens from
Birmingham to Brussels.

In late June, terrorists killed 30 Britons at a seaside resort in Tunisia.
Days later, the French, still grieving from the Charlie Hebdo tragedy,
looked on in horror as a man beheaded his boss in southeastern France, and
sent out pictures of his head draped in flags associated with the Islamic
State.

The visceral brutality of recent terrorist attacks in Europe, coupled with
fear engendered by the growing spate of cyber incursions, is dramatically
changing the way Europeans think about privacy and security. The head of
Europol, Robert Wainwright, recently labeled terrorism and cyber crime as
the top threats facing Europe.

This changing landscape has cast a pall of fear over the continent. The
response by policymakers, particularly as it relates to cybersecurity, has
been decisive.

The German parliament just passed its first IT security law, requiring
corporations in sectors involving critical infrastructure to notify the
government and affected individuals of cyber intrusions.

Days later, the Dutch Government enacted a broad breach notification law
that penalizes companies up to 10% of total revenues for failure to comply.

At the continental level, the European Council has approved, after years of
debate, the EU General Data Protection Regulation, a sweeping law that will
mandate that businesses notify National Supervisory Authorities of cyber
breaches within 72 hours, and that they also notify affected individuals
without undue delay. The law is expected to be finalized by the European
Commission and the European Parliament by the end of the year.

This is the kind of unified, national breach notification effort we need to
bring forward in the United States. A uniform national standard would
protect consumers, provide clarity to industry, and require the government
to hold itself accountable to the same standard as everyone else.

It seems that while privacy-minded Europe steps up its focus on security,
security-focused Americans are actually moving in the opposite direction,
demanding greater protection from government and business intrusions into
their personal privacy.

In the wake of the Edward Snowden revelations about NSA surveillance,
businesses have taken steps to prevent the government from snooping on
their customers. Apple and Google implemented new encryption technology on
their iOS 8 and Android operating systems. In June, Apple CEO Tim Cook
called the erosion of privacy a threat to the American way of life: "We at
Apple believe that people have a fundamental right to privacy. The American
people demand it, the constitution demands it, morality demands it."

The emphasis on security that has characterized state-society relations
since 9/11 seems to be fading in America. Notwithstanding the recent U.S.
Office of Personnel Management breach and a bipartisan 14 to 1 vote by the
Intelligence Committee, the Senate has delayed a decision on crucial
cybersecurity information sharing legislation until this fall.

But this does not mean that what Europe is doing is right, and what the
United States is doing – or not doing – is wrong.

Privacy and security both matter.

Striking the right balance between the two will require partnership,
coordination, and the sharing of best practices between policymakers,
businesses, and citizens on both sides of the Atlantic. Now, more than
ever, finding common ground in our policies and approach is the only way to
stop borderless cyber criminals from threatening our security, while also
preserving the privacy that both of our societies hold dear.

Privacy and security may be the Scylla and Charybdis of the modern world.
But, as Odysseus taught us, the path home lies somewhere in between.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!