[BreachExchange] Debunking conventional wisdom to get out of the security and privacy rut

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jan 24 19:44:34 EST 2019


https://www.helpnetsecurity.com/2019/01/23/make-progress-towards-data-privacy/

Given the unprecedented rate of technological change, the dizzying news
cycle, and an always-on social media mentality, it may be surprising to
learn that when it comes to security and privacy we are actually deep in a
rut.

Faced with seemingly daily news stories of mega breaches and unauthorized
selling or sharing of personal data, the general public is overwhelmed with
the contradictory feelings of defeatism and anger. Congressional hearings
and legislative proposals have attempted to raise awareness of data privacy
and security but, to date, little progress has been made. And all the while
the security industry continues to advocate for “best practices” that even
experts have trouble following consistently.

This rut persists largely due to conventional wisdom that has been taken as
gospel but which, upon closer inspection, is blocking any technological or
legal innovation in data security and privacy.

We see this same mentality dominating the social media business model,
which takes for granted that ad-based revenue is the only possible business
model. Dr. Zeynep Tufekci recently and eloquently rejected this conventional
wisdom, providing counterexamples and alternative regulations to force a
reimagining of revenue streams that are not dependent on the vast data
collection behind an ad-based business model. We similarly must overturn
the conventional wisdom that deters data privacy and security.

Here are four beliefs that must be debunked by the big tech and security
communities in order to make meaningful progress towards a society that
values and protects data privacy:

1. Data privacy protections hinder innovation

The conventional wisdom most embedded within the tech and business
community is that data protection hinders innovation. This was a theme
during the debate over the recently passed California Consumer Privacy Act
(CCPA). However, this myopic perspective signals a general disconnect with
the state of cybersecurity and attacks by criminals and nation-states on
American corporations.

By some accounts, the intellectual property stolen from U.S. companies
through digital means constitutes “the greatest transfer of wealth in
history.” Intellectual property is at the core of innovation, and it is
being plundered at historically unprecedented rates measured in the
trillions of dollars. As a recent United States Trade Representative report
highlighted, China alone is responsible for “unauthorized access to
intellectual property, trade secrets, confidential business information,
technical data, negotiating positions, and sensitive and proprietary
internal business communications.”

The lack of persistent, usable data protection tools and the absence of
national privacy legislation are already hindering American innovation.
With trillions of dollars and the intellectual property that serves as the
backbone of our economic prosperity and national security lost, we need to
view data privacy and security as core to innovation, not a hindrance.

2. Data privacy is irrelevant if you have nothing to hide

Conventional wisdom also holds that data protection and privacy aren’t
relevant for those who have nothing to hide. Even if you have somehow
avoided social media, e-commerce and any tangential connection to corporate
proprietary data, there’s still a good chance your financial, health, and
personally identifiable information (PII) have been compromised. Corporate
breaches extend well beyond personal secrets and target very specific and
lucrative PII in addition to intellectual property.

After the Marriott breach, China is now considered to be the biggest threat
to individual privacy. With consumer data – including social security
numbers, birth dates, income and addresses – amassed from the Office of
Personnel Management, Anthem, and now potentially Marriott (to name just a
few sources), consumers are direct victims of corporate attacks. You can
even assess how much of your personally identifiable information has been
stolen across all of the most high-profile breaches.

3. There is an inherent trade-off between security and convenience

Of course, data protection has historically been so cumbersome that even
those who do take data privacy seriously find security “best practices” too
difficult to implement. Conventional wisdom holds that an inherent
trade-off must exist between security and convenience and has left us with
the sage advice to avoid clicking on links and to memorize lengthy and
complex passwords and change them often.

It is mind-blowing that this has been the state of security for so long.
Also, data privacy and security best practices have disrupted business
workflows, ignored user experience, and have been obscured within lengthy,
esoteric terms of agreements for far too long. There are signs that this is
slowly changing, but usable security must become a core part of development
instead of being accessible to only the most sophisticated users.

4. Self-regulation is sufficient for securing data

Unfortunately, it does not seem like market forces will push data privacy
out of its rut. As Apple’s Tim Cook recently noted, when it comes to
privacy, “we have to admit when the free market is not working.” While
self-regulation was once deemed sufficient for data privacy, there is
finally an agreement that some regulation is necessary to protect data
privacy. Finely tuned regulation is required to prompt innovation and
safeguard privacy. This yet again turns conventional wisdom on its head, as
thoughtful regulations can be the conduit for innovation in an industry so
deeply muddled in unsustainable best practices.

U.S. legislation has also been stalled for years, but 2019 may finally see
some progress toward federal data privacy and security legislation. Driven
by global forces such as the European Union’s General Data Protection
Regulation and shifting domestic public opinion in favor of some form of
data protection, Congress is feeling the pressure to do something about
data privacy.

This would be a welcome change, but lessons must be learned from existing
efforts to ensure data protection legislation focuses on transparency,
control, accountability, and feasibility. Under the proper incentive
structures – combining both carrots and sticks – regulations could provide
the much-needed spark to elevate innovation in an industry that continues
to spend billions of dollars with little progress to show for it.

The digital landscape is only growing in complexity. New technologies are
infringing on data integrity and the proliferation of cyber capabilities
and threat actors continue to expand without limitations on targets or
impact. We must get out of the current rut in our approaches to data
privacy and finally make concrete legal and technological progress that
prioritizes data privacy as a fundamental right, as well as an economic and
national security imperative.