As we have recently mentioned on our blog, October is National Cyber Security Awareness Month. And I’m sure we will post more to raise awareness of the risks you personally face, the risks to the institutions you do business with, and to the government itself.
Today, though, I want you to start to broaden your outlook on this issue. While you are getting acquainted with new threats like nation-state funded attacks, cyber-terrorism, and hacktivism, I’d also ask you to look at some of the things our legislatures have been proposing in the name of cybersecurity. This includes early efforts to protect critical industry sectors like our energy grid or banking systems against cyberattack, and requirements that we move beyond passwords when we access Web sites where we perform transactions or access personal data. As all these initiatives come with costs, none have universal support. But some cybersecurity proposals have generated more controversy than others, including the SOPA and PIPA bills, which coddled the media industry by conflating digital piracy with cybersecurity and whose proposed remedies would have created a regime of censorship, and the federal development and control of a so-called “Internet Kill Switch”.
There will continue to be a lot going on here legislatively, and anything that changes the government’s role in the Internet will affect you as well. So let’s also do our job as responsible, informed citizens. Let’s make October National Cybersecurity Policy Awareness Month. Let’s get educated, and involved.
My last post was about how we’re steadily moving towards consumer online privacy regulations over the collection and use of personal online data by businesses. At the same time, however, we’re seeing the US government relentlessly expanding its efforts to monitor people online – and in ways that may completely negate any efforts to regulate the privacy practices of businesses.
It is the fear over cyberterrorism (a term you can’t expect the average person to understand) that is driving many to cede their privacy rights to the government. There are two competing cybersecurity bills working their way through Congress: the Cybersecurity Act of 2012 and the Secure IT Act. They differ fundamentally in areas of jurisdiction (the NSA versus the DHS) and whether the voluntary approach promoting and fostering public-private collaboration is sufficient, or whether a regulatory approach is also required. But what they have in common is the aggregation and analysis of data on unprecedented scales.
In the background to all this, the Obama administration has just expanded the ability of the National Counterterrorism Center (NCTC) to retain data on people for five years (previously, it was 6 months) – even if they are not suspected of terrorist activity. The NCTC receives data from many other agencies.
So at the same time one side of the US government (the consumer protection side) is restricting what personal data businesses can collect, another side (the cybersecurity side) is moving not only to expand its own access to and control over personal data, but also to enlist in its efforts those very same businesses whose data collection efforts the FTC is otherwise trying to restrain: ISPs and mobile carriers, search engine and web portal companies, social media companies, etc. This opens a very wide door to abuse of any consumer privacy efforts currently underway with the FTC.