Most year-end retrospectives dub each year the “Year of the Data Breach,” with each year worse than the one before. But 2018 ended that trend and instead became the year data privacy dominated public discourse. Despite growing breach fatigue, unauthorized data access became personal. When looking at the range of high-profile breaches, the public does not differentiate between Facebook’s mishandling of data with Cambridge Analytica and Equifax’s data breach. While one included a hack and the other unauthorized disclosure, the end result is the same for the victims. Both incidents involved unauthorized data access and ultimately contributed to the growing societal swell in favor of greater data protections. The nexus of security and privacy became the epicenter of the public debate. Instead of acquiescing that privacy is dead or security is futile, this nexus can be the spark that ignites the policy, legal, and technological innovation required to counter the full range of unauthorized data access.
The security and privacy communities have traditionally remained separate, and according to a recent Forrester survey, many businesses don’t understand the difference between the two. Security is largely viewed as a technical problem, while privacy remains focused on normative claims about legitimate access. More specifically, security has been viewed as the technical way to implement privacy choices. The challenge with this two-step approach is that it assumes both that data access is authorized and that all entities involved are infallible and acting in the best interest of the data owner. Whether it’s data aggregators, data brokers, insider threats, or nation-state adversaries, privacy writ large cannot solely be viewed in terms of opting in or opting out. To be clear, that is an essential component when crafting privacy regulations, but personal choice is not sufficient to protect privacy against the range of threats. Similarly, there are “best practices” organizations can adopt to enhance security, but mistakes nevertheless occur, and determined attackers can eventually compromise a network. In fact, within security, the “assume breach” mindset has all but become a fundamental axiom and inherently leads to the premise that privacy is dead.
Unauthorized access: A security and privacy problem
While 2018 certainly was the year privacy entered the public consciousness, unauthorized access was the sub-headline that remains under-explored. Looking at the largest data compromises of 2018, personal information ranging from passport numbers to health information to credit card numbers was stolen in the millions. Although portrayed as security breaches, they have a significant impact on privacy. Importantly, looking at the mode of compromise, these top compromises not only include a range of “traditional” hacks, such as credential theft and phishing attacks, but also include unauthorized data disclosure (e.g. Cambridge Analytica) as well as misconfigured or incorrectly secured servers, APIs, and cloud services. Unauthorized access is the core thread connecting each of these breaches – and they are breaches of both security and privacy.
Shifting the mental model away from approaching security and privacy as distinct entities has numerous benefits. Perhaps most importantly, by focusing on the intersection, the notion that there must be a trade-off between security and privacy disappears, unleashing untapped imagination and creativity for addressing unauthorized data access. Of course, it’s easier to accept you can’t achieve both, but this is simply too impactful an issue for intellectual laziness. In fact, privacy ranks as the most important social issue for Americans, especially when framed as mishandling personal information.
Privacy-awareness breeds improved security
What kind of future can be achieved by focusing on the nexus of security and privacy? First, in a recent survey, Cisco found that GDPR-compliant companies experience fewer data breaches. When compliant companies are breached, fewer records are lost, the costs are lower, and system downtime drops by a third. Compliance is a win for both security and privacy.
Second, Chief Privacy Officers and Chief Information Security Officers could become better aligned. From data storage to data retention to the security stack, decisions that previously were viewed as only security or only privacy decisions lacked a holistic perspective; with one, they could potentially find efficiencies that improve both security and privacy.
Next, accountability is essential for both security and privacy. Breach notification and breach response generally fall under the territory of complying with data privacy regulations, but they have significant security impacts as well. However, given how much personal data has been stolen by foreign governments, privacy regulations alone aren’t enough to create some sort of deterrent via accountability and retaliation. In addition to synthesizing a federal breach notification regulation, global cyber norms can detail what is acceptable behavior within cyberspace and what is off-limits. With a credible one-two punch on accountability, the risk calculus for attackers may shift.
To demonstrate the benefit of focusing on this nexus, the internet of things (IoT) is a great place to start. Proposed federal IoT legislation, as well as California’s recently passed IoT law, focuses on securing IoT devices to enhance security while introducing privacy-preserving protections. And since IoT devices represent an enormous attack surface for automated attacks, as well as targeted privacy violations, these kinds of regulations can also help limit global botnets, such as the Mirai bot that targets IoT devices, as well as preserve privacy by protecting against unauthorized access to home assistants, thermostats, or any of the hundreds of other household connected devices.
We must move beyond the false dichotomy of security or privacy and instead aspire to a world where we have both. There certainly are distinct aspects to security and privacy, and those should not be ignored, but a shift in mindset is needed to move beyond security as a technical issue and privacy as a legal or social issue. Given the rise of unauthorized data exposure, it’s time to focus on the intersection of privacy and security and craft legal and technical solutions that address both. To paraphrase Tim Berners-Lee on the commemoration of 30 years of the World Wide Web, it would be defeatist and unimaginative to do otherwise.