Contemporary society seems to be of the opinion that we need to lessen our privacy to increase our personal security; it is a view voiced frequently by governments worldwide. Privacy and security should not be considered mutually exclusive. I assert that when we feel we have privacy, we feel more secure. Technology is so ingrained in our day-to-day lives that separating privacy and security is impossible and illogical.
We are a year on from GDPR coming into force; the regulation was constructed to give EU residents control over how companies store and process their information. Data protection and privacy by design are two of its core principles, and both are partially satisfied through robust information security. Privacy allows the data subject to control the collection and use of information which relates directly to them. Regulations such as GDPR and the California Privacy Act aim to ensure that organisations deploy the controls which give data subjects appropriate privacy: access control, data minimisation and data deletion policies. Information security, in turn, minimises the likelihood and impact of data being misappropriated, lost or stolen through malicious or accidental threat actions. Good privacy hygiene by companies ultimately presents a less attractive target for a cybersecurity attack, in some cases anyway; we will explore actor motivations in more detail in Chapter 5.
An intrinsic link exists between data privacy and cybersecurity, but there are also some very clear distinctions between the two. Privacy is expected, and often assumed, in almost everything we do, yet the litany of data breaches and cyber-attacks we see suggests it is a very different story with cybersecurity.
The US Fourth Amendment protects the people’s right “to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures”. It took 100 years for lawmakers to recognise that phone calls carry an expectation of privacy and fall within the Fourth Amendment. Such glacially slow progress in amendment reform, a tautology in itself, presents real issues of application and interpretation in a technological world which is changing all the time.
Governments use the rhetoric of protecting citizens to placate the populace and to justify a systematic, and often irrational, appetite for surveillance. If we take a moment to look at the transparency statistics published by major cloud service providers, the examples of systematic requests for information are ubiquitous and growing in frequency.
Not all privacy-v-security conversations take place in government offices. In recent years, malware actors have continued to leverage encryption to maximise their chances of achieving their objectives. Encryption is used for the delivery of encrypted payloads into an organisation and, on occasion, for hiding code and secondary files within an archive. Threat actors are also increasingly using HTTP for outbound beaconing from a compromised workstation to ‘call home’, more colloquially known as a ‘botnet call-back’. These call-backs are frequently wrapped in Transport Layer Security (TLS) in the hope that encrypting the communication channel will prevent gateway security devices from inspecting the content.
As malicious traffic continues to be delivered through encrypted means, decryption and inspection devices become a vital component of a technical security architecture. The enterprise ‘blind spot’ is growing with the adoption of ‘encryption by design’ by malware authors. The adoption of TLS encryption for malware delivery and egress obfuscation is another example of the democratisation of cybercrime. Criminals are not writing proprietary encryption routines; they are leveraging the same ‘as-a-service’ cloud offerings that provide encryption to legitimate consumers for confidentiality.
In my experience, the privacy-v-security debate demands a strong CISO, someone who can articulate why the threat landscape truly has changed and why the inspection of encrypted traffic is a necessary security control. Here in Europe, the ability to basically ‘break’ confidentiality is not a popular one with Human Resources teams, unions and works councils. While the capability of decryption is needed, a carte blanche model is unacceptable. As with most security controls, a configurable model is needed. Indiscriminate decryption of traffic is not going to be acceptable to any data protection officer (DPO), privacy advocate or employee. Most companies I work with have specific rules for sites containing ‘sensitive’ information, healthcare and banking being top of this list. This is not to say that malware and data loss have never occurred from reputable sites; companies need to make risk-based decisions. We’ll revisit this dichotomy in our chapter on controls.
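The configurable model described above, selective decryption with exemptions for sensitive categories, turns on the gateway being able to classify a connection before it decrypts anything. As an added illustration (not the author’s code or any vendor’s implementation), the following parses the Server Name Indication out of a TLS ClientHello and applies a bypass/decrypt policy to it; the category feed, hostnames and the ClientHello itself are constructed for the example.

```python
import struct
from typing import Optional, Tuple

def build_client_hello(hostname: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello carrying one SNI extension (not a real capture)."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name                 # name_type host_name(0)
    sni_ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry   # ext type 0, ext len, list len
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                           # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                            # one cipher suite, null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                     # handshake type client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs               # record type handshake(22)

def extract_sni(record: bytes) -> Optional[str]:
    """Read the SNI host_name out of a ClientHello record without decrypting anything."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        p = 9 + 2 + 32                                        # record hdr, handshake hdr, version, random
        p += 1 + record[p]                                    # session id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0]      # cipher suites
        p += 1 + record[p]                                    # compression methods
        end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            p += 4
            if etype == 0 and record[p + 2] == 0:             # server_name ext, host_name entry
                nlen = struct.unpack("!H", record[p + 3:p + 5])[0]
                return record[p + 5:p + 5 + nlen].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

BYPASS_CATEGORIES = {"healthcare", "banking"}      # categories the text names as commonly exempted
CATEGORY_DB = {                                    # hypothetical URL-category feed (constructed)
    "portal.example-hospital.test": "healthcare",
    "online.example-bank.test": "banking",
    "cdn.example-saas.test": "business",
}
def decrypt_decision(record: bytes) -> Tuple[str, Optional[str]]:
    """Return ('bypass'|'decrypt', sni). Decided on SNI alone, before any decryption."""
    sni = extract_sni(record)
    if sni is None:
        return "decrypt", None          # policy choice: no provable sensitive category, so inspect
    category = CATEGORY_DB.get(sni, "uncategorised")
    return ("bypass" if category in BYPASS_CATEGORIES else "decrypt"), sni
```

The decision is taken on plaintext handshake metadata only, so the exempted healthcare and banking sessions are never opened; the bypass decision itself is what should be logged for the DPO.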
Another reason that I feel security and privacy are intrinsically linked is the need for companies to protect the right to privacy for citizens, consumers and company employees. In 2018, I wrote a magazine article which became a conference keynote speech. The title was ‘80% of GDPR is outside of the CISO’s control’. While the headline was constructed in such a way as to cause controversy, I spoke about the fact that a large percentage of privacy requirements relate to areas outside of information security: retention justification, defining legitimate reasons for collecting information and interpreting whether information should be considered personally identifiable. That said, plenty of privacy requirements need cybersecurity controls. The overwhelming majority of information these days is digital, and security controls often ensure that privacy can be retained within an organisation or an online consumer experience.