In the first article in this three-part series, we examined some of the contradictory elements regarding the government’s “ability to use cyberspace” to truly gain a strategic advantage, at issues surrounding our freedom to maneuver throughout and within cyberspace, and how privacy concerns may hinder government’s maneuverability in cyberspace, potentially compromising the mission of an entire military which has the primary goal of defending the nation.
In this second installment, we will provide some background on the Cyber Security Forum Initiative (CSFI), it’s primary divisions, and then look at some feedback from the membership regarding the conflict between security and privacy demands.
The Cyber Security Forum Initiative
CSFI is a non-profit organization headquartered in Omaha, NE, and in Washington, DC, with a mission to provide Cyber Warfare awareness, guidance, and security solutions through collaboration, education, volunteer work, and training to assist the US Government, US Military, Commercial Interests, and International Partners.
CSFI was born out of the collaboration of dozens of experts, and today CSFI is comprised of a large community of nearly 31,000 Cyber Security and Cyber Warfare professionals from the government, military, private sector, and academia.
Due to our increasing size and reach CSFI has sub-divided into multiple divisions, the most active of which are the: CSFI-CWD (Cyber Warfare Division) and CSFI-LPD (Law and Policy Division). CSFI-CWD (Cyber Warfare Division) focuses on the Cyber Warfare domain, tactics, techniques, strategies, and methods.
This is a sensitive topic, but is one of our most exciting areas of growth. CSFI-LPD (Law and Policy Division) aims to integrate legal and policy thinking and expertise in cyber security initiatives by developing IT and cyber law/criminal law/LOAC arguments and concepts to support in the defending against current cyber threats, managing cyber incidents and building a comprehensive cyber security framework.
This division is intended to invite all professionals contributing to cyber security from their specific area of expertise. While the primary target group is legal and policy experts, the division is intended to offer content of interest and relevance to many other experts involved in cyber incident handling with the background of information technology, law enforcement, intelligence, military or economy.
The CSFI Survey
As a way to capture some public sentiment on the topic of privacy and national security I decided to post a question for the CSFI membership to debate: “In your opinion, how can privacy and national security co-exist in harmony in the contested domain of cyberspace?”
This post generated a dialogue of over 142 comments. Of the responses received, the following are some of the more thought-provoking posts:
“A gentleman in our country just posted a comment that argues that ‘if you don’t want to be bothered with privacy issues, then you should stay off-grid.’ Then I told him that it will not be possible in the digital era. Privacy is connected with Human Rights and it is a universal norms and should be uphold by the law.” ~Ardi Sutedja K., Indonesia, Deputy/Head of Group VI with Indonesia Information Resilience & Cyber Security Agency under the Office of the Coordinating Minister for Politics, Justice and National Security.
This is a clear example of the understanding of one’s inevitable dependency on the Internet, here described as the digital era. It is worth noting that in Indonesia data privacy is a human right, unlike in the US where privacy is not a constitutional right.
In reference to Indonesia’s commitment on data privacy, Indonesian Human Rights Law No. 39 of 1999 broadly provides that each individual has the right to privacy. Article 32 of the Human Rights Law provides that freedom and secrecy of communications by letter or any other electronic media may not be disturbed or interrupted except upon the instruction of a judge or other lawful authority.
- “To begin the discussion, my definition of privacy is the ability to reveal oneself selectively.” ~Don O’Neill, who served on the Executive Board of the IEEE Software Engineering Technical Committee and as a Distinguished Visitor of the IEEE. He is a founding member of the Washington DC Software Process Improvement Network (SPIN) and the National Software Council (NSC) and served as the President of the Center for National Software Studies (CNSS) from 2005 to 2008.
Mr. O’Neill’s vision on privacy is very similar to Robert C. Post’s, in that privacy is the ability to control what other’s can know about one’s true self:
“I think the first and foremost objective is clearly define what privacy and national security means and will entail. I also think that harmonizing the two will require transparency in exactly how organizations will do their jobs. Another important factor is the independent oversight mechanism required to ensure that organizations are not slipping into gray areas as well.” ~Emilio Iasiello, Cyber Security Professional.
The gray areas Emilio refers to here, seems to be at the intersection of National Security and Privacy. The definition of privacy seems to be more porous, more fluid, and ambiguous when compared to the definition of National Security: “A collective term for the defense and foreign relations of a country, protection of the interests of a country” versus “the state of being free from intrusion or disturbance in one’s private life or affairs.”
“It is indeed a very interesting question. The underlying question not asked is: Why is cyberspace contestable? We assert that it is because data is by default uncontrolled, that is, in its default state, any person on any computer with the appropriate software can open, read, alter, and retransmit any file. This ‘freeness’, along with support for system level anonymity, are the two underlying root causes for our current struggles. If you change the default state of data to controlled, that is, make is so data it is not available to persons, applications, and computers until control conditions set by the data’s owner are met, and you don’t support anonymous use, you can begin to tackle the problems at a fundamental level. Anonymity does not provide privacy, it destroys the possibility of having it. Exercising privacy in the real or virtual world always requires two elements; knowing who are talking to and inhibiting surveillance.” ~David Kruger, Vice President of Sales at Absio Corporation.
The link between electrons traveling through global private and public networks, also known as the Internet, become more understandable by humans (readable) at the higher layers of the OSI model (Open Systems Interconnection model). At the higher layers privacy becomes naturally a part of communications as PII (personally identifiable information) becomes a concern for most people and organizations.
Hiding PII on the internet can benefit internet citizens from becoming victims of fraud and other criminal activities, but can also be a hindrance for surveillance systems looking for patterns of threats against national security. There is a cost to national security when anonymity or obfuscation of communications taking place in cyberspace. Dealing with this cost is at the crux of the national security versus privacy.
“They can coexist harmoniously so long as civil liberties are not forfeited in the pursuit to security. While the well being of America as a whole supersedes the privileges of the individual, the security measures should not be over intrusive and infringe civil liberties for which this country was founded.” ~Pat Caruso, Cyber-Security Analyst.
“There needs to be reasonable cause to believe that the communications might be nefarious, such as my choosing to communicate with a known or suspected criminal or terrorist. That may be inferred from metadata about the communication. At that point a court order could be obtained, in secret if necessary, and with all necessary haste, to intercept and decrypt those communications.” ~Alex Burns, President of HaveTex. Alex serves small businesses in northern Virginia, with IT networking services, cyber security, cloud services and general technology consulting.
The collection of metadata by intelligence agencies is a way to obtain a certain level of situational awareness of illegal communication, given the fact that such agencies have the intelligence on the actors communicating. Data about data can have a minimal impact on privacy, but can be also perceived by many as inappropriate.
A good example of mass surveillance of metadata would be phone communications – not the content of the conversation but the numbers being used and frequency of the communication taking place. When the proper governmental oversight is deployed for the protection of privacy to avoid abuse, then trust between people and government increases. This oversight can also be monitored by private groups for auditing and verification.
In the third and final article in this series, we will examine the role cryptography plays in the security vs. privacy debate – stay tuned!
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
About the Author: Paul de Souza, CCSE, NSA-IAM, BCCPP, Sec+, Net+, CHCP, SANs E-Warfare, JNCIA-FWV. Mr de Souza is the Founder/President/Director of CSFI (Cyber Security Forum Initiative) and its divisions CSFI-CWD (Cyber Warfare Division) and CSFI-LPD (Law and Policy Division). He served as a Federal Director of Training and Education for Norman Data Defense Systems and he also teaches PSSL 6247 Cyber Defense Strategies at George Washington University. Mr de Souza has over 15 years of cyber security experience and has worked as a Chief Security Engineer for AT&T, where he designed and approved secure networks for MSS. Mr de Souza also worked for CSC and US Robotics as a Security Engineer. He has consulted for several governments, military organizations and private institutions on best network security practices and also presented in Estonia, the country of Georgia, Australia, Czech Republic, Belgium,Spain, Sweden, Israel, and all across the United States.
About CSFI: CSFI, founded in 2009, is a nonprofit organization. Its mission is to provide cyberdefense awareness, guidance and security solutions through collaboration, education, volunteer work and advanced training.
CSFI supports the U.S. government and military as well as private commercial interests and their international partners. CSFI is comprised of a large community with more than 30,000 cybersecurity and cyberwarfare professionals from all divisions of the government, military, private sector and academia. Tripwire is proud to be a Gold Sponsor of CSFI.
- Defensive Cyberspace Operations and Intelligence
- Executive Cyber Intelligence Report: April 22, 2014
- The Cyber Security Forum Initiative
- Mark Coffin on the Cyber Security Forum Initiative
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Title image courtesy of ShutterStock
 Cyber Security Forum Initiative, Question on Privacy and National Security, http://www.linkedin.com/groupItem?view=&gid=1836487&type=member&item=5852825801745002496&trk=groups_most_popular-0-b-ttl&goback=%2Egmp_1836487 (accessed March 26, 2014).
 Richard Emmerson and Indrawan Dwi Yuriutomo, A Look at Data Privacy in Indonesia, September 21, 2012, http://blog.ssek.com/index.php/2012/09/a-look-at-data-privacy-in-indonesia/ (accessed March 26, 2014).
 Dictionary.com, National Security, http://dictionary.reference.com/browse/national+security?s=t (accessed March 26, 2014).
 Dictionary.com, Privacy, http://dictionary.reference.com/browse/privacy?s=t (accessed March 26, 2014).