In the first article in this three-part series, we examined some of the contradictory elements regarding the government’s “ability to use cyberspace” and how privacy concerns may hinder government’s national security objectives, and in the second installment we discussed feedback from the CSFI membership regarding the conflict between security and privacy demands.
In this final article in the series we will examine the role cryptography plays in the security vs. privacy debate.
The Role of Crypto
When processes and people fail to solve the conundrum of national security and privacy, then technology can be used as a creative way to foster innovation that in turn can minimize conflict and create more trust. Trusted systems and trusted communications are all about truth and transparency.
IBM has been granted a patent on an encryption method that, if implemented, could be revolutionary. It makes it possible to process encrypted data without having to decrypt that data first. Known as “fully homomorphic encryption,” this encryption method has long been something of a Holy Grail for computer scientists, and IBM in particular has been seeking this particular prize for years.
The company’s receipt of a patent is a strong hint it may be inching toward to a practical solution, rather than simply something that works on paper. The idea behind homomorphic encryption (HE) is simple enough. With most encryption schemes, the encrypted data has to be decrypted entirely before any significant work — e.g., math or programming operations — can be done on it. HE, on the other hand, lets you perform math directly on the encrypted data and have the results of that math show in the underlying data.
What’s more, all this is done without having to decrypt any of the data and thus expose it to attack. In theory, it means programs — or whole VMs — could run while encrypted and exchange encrypted data between them as they did so.
The holy grail of privacy would be to have one’s data encrypted at all times and to be able to allow a third-party to manipulate it while keeping its contents encrypted at all times. Homomorphic encryption can offer a technological solution that could work as an answer to national security and privacy concerns.
It is worth noting that metadata constitutes as a critical data collection asset to intelligence agencies while the data itself can be harvested through legal means based on the metadata patterns of communications.
The documentation being used in support of this paper adds the whole-of-nation approach to the issue of privacy and security. It is worth noting the unique work developed by NIST and the addition of privacy controls to their famous set of security controls. These controls are guidelines to a better privacy posture but its implementation not yet mandated by law. Unlike the EU, privacy in the US is not a constitutional right, but a privilege.
Privacy is a privilege perceived by individuals based upon their observation of restrictions placed on data collectors for use and disclosure. Restrictions are industry specific and industry plays a major role in writing the regulation. There is a strong sense of privacy protection and controls in industries like health care and finance, but a very little set of controls when applied to national security initiatives.
It seems that the concept of being able to control what the federal government can and cannot see, collect, or store on its citizens is highly rooted on constitutional rights in America.
In many instances, intelligence groups do not collect information from citizens but rather collect information about citizens from service providers who collect vast amounts of data about customers and retain such information as business records.
To help federal organizations deal with privacy, the National Institute of Standards and Technology included a set of controls devoted exclusively to privacy in its newest revision (rev 4) of its Special Publication 800-53, Security and Privacy Controls for Federal Information System and Organizations.
This latest revision of Security and Privacy Controls adds new guidance for handling insider threats, supply chain risk, mobile and cloud computing technologies and other cybersecurity issues and challenges. Other areas addressed in the update include application security, firmware integrity, distributed systems, and advanced persistent threat.
The revised SP 800-53 also contains a new appendix of privacy controls and related implementation guidance based on the internationally recognized Fair Information Practice Principles.
One can argue that in order to fully fulfill the DoD’s mission of operating in cyberspace with full spectrum capabilities certain privacy “deals” must be worked with the private sector. James Farewell in Industry’s vital role in national cyber security. Strategic Studies Quarterly 6, no. 4: 10-41, states the following:
“The competing demands of economic recovery and protecting critical cyber infrastructure (CI) have heightened the need for stronger partnerships between the US government (USG) and private industry. Developing new technologies, strategies, plans, operations, tools, and techniques are essential to protect cyber security. How we meet this challenge has opened an important philosophical debate in the United States about the role of government and its relationship to private industry.”
The world’s population approaches seven billion people, finding the threat before it can exploit a vulnerability devastating a nations infrastructure, economic security or its population is the search for a needle in a haystack. The US government is faced with a serious dilemma: how can the government, especially intelligence agencies, be able to find the right set of data in a vast chaotic, unsecure, obscure, environment such as cyberspace and yet avoid mass data collection or collection of data about data – metadata?
In conclusion, as innovation becomes the driving force of the Internet, security and policy move slowly from behind, not necessarily leading from behind but rather attempting to control human perception in a more conflicting paradigm. The expectation of 100% privacy on the Internet along with the expectation of 100% security on the Internet is a fallacy clearly understood by privacy and security leaders alike.
The question remains, can there really be a harmonious intersection between privacy and national security in the contested domain of cyberspace?
The current indications point to a negative “no” as an answer. The environment (cyberspace) is the same for all worldwide citizens, but the views on both security and privacy differ. Until we have one international body that would be empowered to have overview of the many intelligence agencies worldwide for mass collection of data in cyberspace, as many as 120 international Intelligence agencies, privacy will always be somewhat compromised.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
About the Author: Paul de Souza, CCSE, NSA-IAM, BCCPP, Sec+, Net+, CHCP, SANs E-Warfare, JNCIA-FWV. Mr de Souza is the Founder/President/Director of CSFI (Cyber Security Forum Initiative) and its divisions CSFI-CWD (Cyber Warfare Division) and CSFI-LPD (Law and Policy Division). He served as a Federal Director of Training and Education for Norman Data Defense Systems and he also teaches PSSL 6247 Cyber Defense Strategies at George Washington University. Mr de Souza has over 15 years of cyber security experience and has worked as a Chief Security Engineer for AT&T, where he designed and approved secure networks for MSS. Mr de Souza also worked for CSC and US Robotics as a Security Engineer. He has consulted for several governments, military organizations and private institutions on best network security practices and also presented in Estonia, the country of Georgia, Australia, Czech Republic, Belgium,Spain, Sweden, Israel, and all across the United States.
About CSFI: CSFI, founded in 2009, is a nonprofit organization. Its mission is to provide cyberdefense awareness, guidance and security solutions through collaboration, education, volunteer work and advanced training.
CSFI supports the U.S. government and military as well as private commercial interests and their international partners. CSFI is comprised of a large community with more than 30,000 cybersecurity and cyberwarfare professionals from all divisions of the government, military, private sector and academia. Tripwire is proud to be a Gold Sponsor of CSFI.
- Defensive Cyberspace Operations and Intelligence
- Executive Cyber Intelligence Report: April 22, 2014
- The Cyber Security Forum Initiative
- Mark Coffin on the Cyber Security Forum Initiative
Check out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the Heartbleed vulnerability.
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Title image courtesy of ShutterStock
 Serdar Yegulalp, IBM’s Homomorphic Encyrption Could Revolutionize Security, January 2, 2014, http://www.infoworld.com/t/encryption/ibms-homomorphic-encryption-could-revolutionize-security-233323 (accessed March 26, 2014).
 NIST, Security and Privacy Controls for Federal Information Systems and Organizations, January 15, 2014, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf (accessed March 2, 2014).
 James P. Farwell, “Industry’s Vital Role in National Cyber Security,” Strategic Studies Quarterly 6, no. 4: 10-41, http://search.proquest.com/docview/1240323762?accountid=8289 (accessed March 2, 2014).