Government in the Crossfire: The Challenge of Data Privacy
Updated: Aug 7, 2020
If you corporate privacy people think you have it tough, pity your peers in the government sector.
A panel of experts told attendees at the RSA Conference Wednesday that the government agencies we should trust most with our data are not only overwhelmed, they're also severely handicapped in their efforts to keep that data safe. And that's a crying shame, given what government could be accomplishing with that data.
Panelist J.R. Reagan, global CISO for Deloitte, said government has a historic opportunity to accomplish things with big data—if only it could get out of its own way. And that starts with the fact that it's hopelessly behind the times.
"We're applying yesterday’s privacy constructs to a digital world that keeps moving forward," said Reagan. "We need to have different constructs to manage the data differently."
Along those lines, he pointed out that researchers at the Massachusetts Institute of Technology are working on algorithms that would describe the privacy issues within data sets, suggesting that this would enable agencies to use data effectively without worrying about potential privacy risks.
But there's another problem lurking below that: Even if agencies had such a capability at their fingertips, they're ill-equipped to take full advantage of it.
Lee Tien, senior staff attorney at the Electronic Frontier Foundation, said that a lack of understanding of data privacy implications has left government entities in the U.S. far behind their international counterparts.
"There's almost a technological illiteracy about the scale of data collection via the Internet," said Tien.
For instance, Tien said he's seen a lot of activity among local and state governments on the West Coast, which would be encouraging if not for this illiteracy.
"The people doing it know nothing about privacy," he said. "They don't have the ability to evaluate the risks they're creating.
Even worse, they often don't even seem to care. Reagan went so far as to suggest "we're being too flippant about the topic."
"There's a sense of seriousness about it in other countries, but we don't have that in North America," he said.
Part of the problem, according to Reagan, is that government agencies have no incentive to take risks.
"It puts them in the awkward position of always being a little behind, when we want them to be leading edge," he said. "Those two things seem to conflict. They're getting better, but they've got a long way to go."
That said, government officials who have honestly assessed the privacy and security skills of their agency’s tech teams, and found them lacking, have found answers by looking for help outside of their organizations.
"We're pushing really hard by trying to leverage our corporate partners," said Flint Waters, CIO of the state of Wyoming. "We've been pushing it out of the legacy data center and getting out of a business we don't do well."
Waters has seen the benefits of such outsourcing. He said the state has moved "a huge portion of its infrastructure" into Google's cloud, and as a result, the state was spared when a coordinated attack on several states succeeded against every target except Wyoming.
"That's not a challenge," Waters said, mindful of the audience to which he was speaking.
The move to Google, while fruitful, has not stopped attackers from trying. Waters said he's seeing attacks motivated by everything from wanting to make a political statement to targeting an individual for blackmail.
Which is why he believes that figuring out technological answers addresses only part of the problem. The rest needs to be handled in the legal arena.
"Laws aren't catching up," said Waters. "A lot of citizens grew up with the assumption that their persons and papers were protected. Today, most of us in this room think of our digital content as our papers. But the courts don't, and the laws don't."