UPDATED 00:00 EDT / JANUARY 30 2020

SECURITY

Data breaches, privacy concerns and government pressure turn up the heat for cybersecurity experts

There’s a growing realization among leaders in the cybersecurity community that 2020 will be the year of significant legislative action to protect user data. The problem is that safeguarding data may actually be harder than ever.

“There’s more activity, more concern and more acknowledgment of privacy now than I have seen in the last 30 years,” Julie Brill, former commissioner of the U.S. Federal Trade Commission and chief privacy officer of Microsoft Corp., said during an appearance on Tuesday at a Data Privacy Day event hosted at LinkedIn Corp.’s headquarters in San Francisco. “What we are seeing right now is a trust gap and people feel out of control. We need to focus on that gap and try to close it.”

If the “trust gap” is indeed going to be closed, it won’t be through any lack of trying by government officials. There’s a tidal wave of legislation about to swamp the business community as legislators in state capitals across the U.S. are feeling the heat from constituents and seeking to enact strict data privacy controls.

On Jan. 1, the most restrictive U.S. data privacy law to-date, California’s Consumer Privacy Act or CCPA, went into effect. It was designed to limit the access and sharing of personal online information for users, although the new law has sparked debate and disagreement around compliance requirements for the business community.

Even more restrictive data privacy regulation has been proposed for the California ballot this year and additional states have apparently mobilized to follow CCPA’s lead.

“Just in January alone, over 700 privacy bills were introduced at the state level,” said Stacey Gray, senior policy counsel at the Future of Privacy Forum. “We need a comprehensive federal standard.”

Pressure on encryption tech

The concern among some in the cybersecurity world is that putting data privacy regulation in the hands of the federal government could end up making a tough situation even worse. Over the course of three days in San Francisco this week, cybersecurity researchers heard presentations from industry experts at the Usenix Enigma Conference in San Francisco, including one that focused exclusively on current governmental interest in encrypted messaging.

The protection of encrypted information on cell phones came under heavy fire in 2019 as high-ranking U.S. senators, officials at the Department of Justice and the FBI have criticized tech companies such as Apple Inc. for refusing to allow “back door” access by law enforcement to personal user data stored on devices.

The tech industry has relied on the Communications Assistance for Law Enforcement Act of 1994 or CALEA as its defense. The act forced telephone companies to allow law enforcement to wiretap calls, but it did not cover online communications software. That’s what the U.S. government would like to change.

“They’re not above the law, they’re doing exactly what the law says they can do,” Riana Pfefferkorn, associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society, said during a discussion at Usenix Enigma of tech company responsibility. “There is no expressed law to require a company to decrypt data it doesn’t hold on a device.”

The issue has come to a boil recently as Apple refused a request from Attorney General William Barr to unlock the iPhone of a suspected shooter at a Pensacola, Florida, air base in December.

“The FBI became the only organization on earth complaining that computer security is too good,” said Matt Blaze, chair of computer science and law at Georgetown University. “Computer security is not, in fact, too good in 2020. It’s actually kind of a mess and encryption is one of the few tools that works.”

Cell tracking and smart toy risks

There was plenty of evidence at the San Francisco cybersecurity conference to support Blaze’s assertion about the current state of computer security. Research presented this week at Usenix Enigma highlighted ongoing concern around the use of invasive cell phone tracking devices, ways that supposedly “anonymized data” is in fact not anonymized at all, how virtual and augmented reality devices offer genuine security risks, and vulnerabilities in smart toys that can expose child user data.

As if safeguarding data isn’t enough of a problem, the misuse of media platforms for disinformation campaigns is also drawing increased scrutiny by security professionals. At a lengthy Usenix Enigma presentation on Wednesday, researchers presented an analysis of how nation-states are becoming more sophisticated in manipulating public opinion.

For Renee DiResta, technical research manager at Stanford Internet Observatory, the catalyst for her interest in this area occurred not long after she had a baby and began to notice ads on her browser from the anti-vaccination movement. DiResta, who led a research team tasked to assess Russia’s influence operations in the U.S. during the past decade, has analyzed files turned over to the Senate by Facebook Inc. to piece together a more complete picture of how social media information was weaponized.

Russian involvement

DiResta found that a combination of strategies employed by Russia’s Internet Research Agency and GRU, the country’s military intelligence arm, generated millions of engagement responses to posted online content prepared by completely fictitious writers.

“State actors are the best-resourced, particularly Russia,” DiResta said. “There is an extraordinary commitment to the long game out of Russia that we haven’t seen out of other nation-states.”

State actors are not the only ones leveraging the spread of misinformation over the internet. Online platforms have become a valued resource for terrorist recruiters, conspiracy theorists and spammers, according to the researchers.

And the misuse of online information is not purely confined to malicious actors either. Based on a presentation at Usenix Enigma by Melanie Ensign, head of security, privacy and engineering communications at Uber Inc., a case could be made that a vague system of online metrics, such as mentions, impressions and click-through measurement is contributing to a swirling tornado of dubious information.

“We’ve made up numbers that mean nothing, but make us feel we are delivering value to organizations,” Ensign said. “The industry is trying to mature in terms of quantitative measurement, but the root of these measurements leads to a lot of mistrust and misinformation. There’s a lot of things coming together to create an ecosystem that is just ripe for professional lying.”

Back at the Data Privacy Day event, a top government official from Canada described how data breaches had reached such a level that 30 million Canadian citizens had been affected, which is not much less than the country’s entire population. The cybersecurity industry sits at a critical junction in 2020, where safeguarding data has become increasingly more difficult at the same time that companies holding information are being pressured by government and consumers to take stronger protective action.

“Your data is who you are, it is your identity,” said Tom Pendergast, chief learning officer for MediaPRO. “People don’t want to be pawns to the companies they’ve given their data to. It’s a really important moment for all of us.”

Image: TheDigitalArtist/Pixabay

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU