"Privacy" vs "Security" or Privacy AND Security
Perhaps I'm alone on this, but I may not think of "privacy" and "security" the same way as some readers of this blog. It's common to hear that there is a tension between these two ideas, but I consider them to be very different, at least at the enterprise level.
Privacy is primarily concerned with protecting customer data, often called Personally Identifiable Information (PII). Lawyers are typically the dominant players. This field is heavily regulated, with laws requiring disclosure when "records" are lost. The costs of an incident are borne primarily by the individuals whose PII was stolen.
Security is primarily concerned with protecting intellectual property, often including trade secrets. Security professionals are typically dominant players. The field is less regulated, since a company loses its own IP. The costs of an incident are borne primarily by the enterprise because they become less competitive.
In this sense, an enterprise seeks to preserve both privacy and security: protect customer data and company data.
Of course, there are plenty of "privacy advocates" who concentrate on "protecting" the activities of anyone who interacts with an enterprise, whether customers or employees. My problem with these sorts of privacy advocates is that their laws, tactics, and worldview are often detrimental to the privacy and security I defined earlier.
For example, intruders know that it can be difficult to instrument and monitor activity in countries with "strict privacy laws" (hello .eu). As a result, intruders prey on organizations operating in those countries, knowing that it is rough for CIRTs to detect and respond to intruders. The result is that customer and enterprise data is at greater risk thanks to "privacy laws."
In terms of my last post, More Evidence Military Will Eventually Defend Civilian Networks, the focus is clearly on security as defined in this post. I could see Cyber Command helping American companies protect intellectual property. Secretary Lynn clearly said he is not trying to aid consumers losing their credit cards to online thieves.
Comments
As of 2008 the EU considers IP Addresses personal information at least with regard to search engines. Official document here: (http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2008/wp148_en.pdf).
Last I heard, in the US they are still not personal information: http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=109242
Some decent high level analysis of both rulings here: http://thefraudblog.com/2009/07/17/ip-address-and-pii-what-are-the-implications/
W.r.t. enterprises, protecting customer data is a matter of security, not privacy. Only if security is breached and customer data ends up in the wrong hands, privacy may play a role. For example, I do not consider theft and abuse of my credit card data a privacy matter.
W.r.t. your "(hello .eu)" comment: perhaps in Europe we (unfortunately) have more experience with governments (both in the past and nowadays) collecting information for scientifically unproven purposes, and those governments tend to either leak or lose that information, or abuse it for other purposes than claimed.
You write: "As a result, intruders prey on organizations operating in those countries". Unfortunately you do not provide any evidence w.r.t. this statement.
Allow me to point you to websites such as http://www.maliciousnetworks.org/ that clearly point out that most malware and spam still originates from the USA, thus proving you wrong.
It appears that, apart from the DoD, also NATO is looking for funding to compensate for the lack of interest by the public (voter) for traditional warfare, by appealing to FUD such as "cyber warfare" and "internet attacks by malicious governments". IMHO this is crap.
The internet is full of cyber *criminals* that have to be taken care of, and we fail horribly in doing so. Criminals penetrate organizations and companies for financial gain. We don't need the army to fight them, we need international justice to hunt them down, and disconnect them from the Internet. We need governments to sanction other governments that maintain safe havens for criminal attackers (RBN, "bulletproof hosting" etc). We need governments to mandate ISPs to take compromised PCs offline, so that they cannot be used to execute DDoS and spam attacks, and spread malware. We need governments to sanction companies that fail to protect customer data (in this respect the USA does a better job than the EU). We need governments to hold software makers (financially) responsible for security bugs in their software. Finally governments should spend more money on research to make software and (network) infrastructures more secure.
Deep packet inspection by NSA sensors in our network is not the solution; attackers will easily evade them, while there is even a risk that attackers exploit such green/brown colored monitoring equipment. No thanks for me.
Read ...
https://ssd.eff.org/wire/govt/pen-registers
It is a very well studied concept that to catch people breaking rules requires some monitoring and surveillance. This can be automated (speeding cameras, IDS, etc.) or it can be more manual/tool assisted (cop with radar gun standing on side of road, analyst poring over logs and SIEM, etc.).
It is impractical or nearly impossible to have a surveillance program that only captures information relevant strictly to security violations. This fact raises concerns about WHAT ELSE those who are vigilantly looking for bad guys may be seeing.
The link above is a good start. Check out CALEA, FISA courts, Patriot Act, and The US Bill of Rights.
I believe it is a trade off…how much privacy am I willing to give up for a reciprocal amount of security?
This obviously begs many questions. For years a ‘risk management’ community has attempted to apply project management/financial accounting type methods (R= v*t*i) to determine how to best optimize or find the right balance b/w the two.
Separating security and privacy (especially in the context of Einstein sensors) is something, Richard, I have to really question your reasoning on.
-Dan
'You write: "As a result, intruders prey on organizations operating in those countries". Unfortunately you do not provide any evidence w.r.t. this statement.
Allow me to point you to websites such as http://www.maliciousnetworks.org/ that clearly point out that most malware and spam still originates from the USA, thus proving you wrong.'
*Your* "evidence" means nothing to me. "Malware and spam" mean almost nothing in my world. Those events are a nuisance compared to the sorts of threats I worry about.
You're clearly entitled to your opinion, but remember I am speaking from the perspective of defending a Fortune 5 global enterprise with over 300,000 users and half a million systems. Maybe I don't relate well to some of my blog readers, but if you want that sort of large-scale, global perspective that's what you will get here.
Speaking in the spirit of my last comment -- I am describing a real separation between security and privacy, not a theoretical one. It's based on my real-world observations. If it doesn't match your experience, that's fine.
You deal with these various privacy laws, but cannot reference them?
Maybe I don't relate well to some of my blog readers, but if you want that sort of large-scale, global perspective that's what you will get here.
Perhaps some actual examples to help prove the somewhat controversial and grandiose statement that "customer and enterprise data is at greater risk thanks to "privacy laws."" would be useful to aid our limited understanding.
When you work in a really large organization you have to rely on others who are experts in various laws, regulations, and other restrictions that affect my work. Sorry, I'm just a caveman. If you want a law blog, look elsewhere.
Here's a few "actual examples" to "aid your limited understanding":
1. I need to sign contracts (!) with various *internal* business units in strict privacy law countries just to deploy instrumentation to combat threats.
2. It can take me 6 to 12 months to deploy sensors in locations with strict privacy laws.
3. I have seen intruders repeatedly set up shop on those networks.
On 1. I am not sure contracts strictly speaking are required to send over personal data, one must only ensure that it is protected as per originating country requirements (EU directive, e.g.). People love papers, so they will sign something; fine, I buy this.
On 2. 6-12 months of deployment in those countries sounds like a lot of internal inertia. I don't believe that only privacy laws are to blame for delays so significant.
On 3. that's mighty interesting!
You are not describing "a real separation between security and privacy" in your blog post... And pumping your credentials (which I do admire, and still hail your Extrusion Detection as one of the most seminal books in network security) into the conversation may intimidate some folks, but it doesn't make your argument any more compelling.
IMHO, you're evading the problem by defining privacy concerns with "PII", and security concerns with the protection of "IP". Then saying that they are both value at risk...then you make this leap that this 'solves' any privacy concerns...half baked.
Again, you have to give up privacy if you want monitoring, and you have to monitor to catch bad guys.
Going back to our initial exchange (on this topic) ; what makes you think that the privacy concerns have been resolved? How will relevant data be separated from the stream while doing DPI? If it is available, I couldn't think of anyone else who could explain that to me than yourself...in part why I read your blog.
In an effort to stay on topic, I haven't even begun to bring up all of the other issues with this idea of govt. IDSs going onto private networks on by voluntary consent of the owner...
-Dan
Give me a break. I am not trying to "pump my credentials" to "intimidate" anyone. I am trying to describe my experience and why that may be different from someone else's experience.
Every day I look back and haven't watched/defended a network in years...I guess I am just a theorist at this point...hell I'm about to start a PhD.
I would like to see more of a 'result oriented' approach from the government, which I believe will require more accountability than this ineffectual 'voluntary monitoring' or 'voluntary information sharing' tone.
If I may quote, "What a disappointment."
-Dan
I am all for consumer privacy and think the US can learn a lot from Europe in this regard. However, every privacy law should be constructed with a well-worded System Administrator's exception that allows for rapid defense and investigation of YOUR OWN computing assets regardless of location. That is the downfall of the EU privacy laws IMHO.
Can you specify in some tangible depth on why exactly it takes so long? laws, policies, general fear of doing things wrong?
In my experience it wasn't privacy concerns as much as lack of logs!
You may consider researching around the American Bar Association's Section of Science & Technology Law, Information Security Committee. I saw their Jody Westby and colleagues give a well rounded panel discussion on international cybercrime law enforcement issues.
http://new.abanet.org/sections/scitech/ST230002/Pages/default.aspx?com=ST230002
-Dan