Who Should Protect and Advise on Consumer Privacy? The Big Picture

In a discussion of who might best secure the consumer’s privacy interests, the FCC, the FTC and the NTIA each made the case for being awarded the prize.  The credentials offered included the FCC’s treatment of Customer Proprietary Network Information (CPNI) and the FTC’s successes in halting advertisers’ Internet tracking of consumers.  It was very thin gruel and did not answer the question of which government agency is best suited to protecting and advising the public on cyber-privacy.

The topic is important and it deserves more than partisan politics.  The public purpose to be served is to prevent breaches of confidentiality, integrity and availability for the public’s information during its transit or storage. Some prevention comes through educating the public, government and companies on smarter security practices, and some comes from intimidating and actively dominating cybercriminals.

Wiretaps, email collection, location tracking, web-behavior monitoring, data theft and unauthorized database access (including the bulk collection of telephone metadata as perfected by the NSA) violate the public’s confidentiality.  Computer viruses, worms and website defacements alter the public’s data, ruining its integrity.  Attacks that damage data storage equipment or that cause network outages (e.g., distributed denial of service attacks) degrade the availability of the public’s information.  The challenges to confidentiality, integrity and availability are today’s wide world of cybercrime.

Most advice and protections today come from the public’s contracts for commercial services, such as firewalls, key and password management, anti-virus monitoring, intrusion detection, encryption and decryption, cookie management and backup, and post-attack recovery.  Those areas are broad and there are unresolved conflicts such as law enforcement access to encrypted information, international cooperation between privacy regimes, and agreement on what constitutes legitimate surveillance.

Against the vast backdrop of privacy issues, the FCC cares for a minuscule portion.  Certifications for equipment that uses Radio Frequencies (RF) and regulations for treating CPNI are the FCC’s current privacy portfolio.

Today, 90% of connected devices are collecting personal information and 70% of them are transmitting this data without encryption.  By 2020, there will be 50 billion interconnected things.  Many of those devices will use RF to communicate among themselves, and they will likely be using Wi-Fi frequencies above 30 GHz.  The sheer number of send-and-receive pairs will require engineering coordination to keep them from interfering with each other.  Those attributes suggest that Internet of Things (IoT) devices and millimeter-wave Wi-Fi might fall into the FCC’s wheelhouse.

On the downside, the FCC’s interactions with the real world are through regulatory proceedings conducted with hostility toward the telecom industry.  The FCC’s perspective is narrow, intensely partisan (it loves inventing telecom entitlements), and it moves like a glacier before global warming.

A few of the FCC’s staff have security clearances, but there are insufficient working relationships with national security agencies to effectively research a cyberattack, pursue, and apprehend the culprits.  Dangerous cybercriminals no longer live in their mom’s basement – they tend to be sophisticated organizations under contract to our nation state enemies.  The FCC’s regulatory attorneys will not intimidate Chinese army hackers, the Iranian military or the Russian mafia.

The FTC provides marginal privacy protection by holding vendors to the promises they make, such as not tracking Internet consumers.  The FTC also fines vendors who misrepresent their level of security, and it restrains some marketers through its Do Not Call program.  The FTC has shown insight into the public’s privacy needs in an IoT era.  For example, the FTC is “wrestling with questions raised by the ever-improving ability of algorithms to make inferences and predictions about us.”  But like the FCC, the FTC could not effectively research a cyberattack, pursue and apprehend the culprits.

To be effective, the public’s advisor and protector needs the technical knowledge to understand the cyber threats and the forensic skills to investigate how each crime was committed.  Investigations are conducted to protect the public, not to secure the civil rights of perpetrators.

To stifle cyber threats, the protector needs quasi-military authority and enough might to counter the cybercriminals’ actions.  Naming the perp and conducting a “perp-walk” does not protect the public.  Fast, decisive action is needed.  When a painfully slow judicial proceeding is preferred, the protector can hand off apprehended criminals to the Department of Justice.  When a military handling is chosen, it can supply target coordinates to the DoD or CIA.

There are federal agencies with enough technical savvy (NSA and the Defense Intelligence Agency) to counterattack cyber-criminals, and some with the tenacity (FBI and DoJ) to deplete the finances of cyber criminals; however, none has both the skill and the right mission.

The FBI would be a natural choice for protector, but for its limiting attitudes – fear of technology, obsession with gym-time and reluctance to work with others.  The FBI is oriented to law-enforcement and has no experience with the military outlook (kill people and break things) which will be needed for some cybercriminals.

A Department that should have the technical skill and tenacity is Homeland Security (DHS).  DHS developed a collegial relationship with industry sectors while hardening their cyber-perimeter and sharpening their response to cyber-attack.  That relationship could give DHS access to industry’s far-flung monitoring sites.  Unfortunately, DHS cannot connect the dots.  DHS chronically fails to secure the US physical border.  It botches the screening of immigrants coming through lawful routes, and its TSA wing fails at airport security.  Some DHS incompetence is explained by political correctness forced on it from above (e.g., the ban on scrutinizing immigration candidates’ social media).

Effectiveness should rule the protector’s operations, not political correctness.  We doubt that the public’s need for privacy protection and advice will be addressed any time soon.  Much of the task can be done by commercial vendors.  But some of it requires fast, sophisticated assessments and aggressive action against criminals and nation state actors.  That can only be done by government.
