Security, privacy a delicate mix


John Sabo, CA's security point man

John Sabo, Computer Associates International Inc.'s business manager for security, privacy and trust initiatives, came to the private sector from the Social Security Administration, where he was director of the electronic services staff.

At SSA, he helped develop the Social Security Online Web site and other e-government services. Sabo also was on the team that dealt with the 1997 controversy around Web-based Personal Earnings and Benefit Estimate Statements. Concern about authenticating requests forced SSA to withdraw PEBES.

Sabo was SSA's representative to the Federal Public-Key Infrastructure Steering Committee and on a number of advisory boards for IT standards and policies. Now, he is Computer Associates' representative to the International Security, Trust and Privacy Alliance and is on the Computer System Security and Privacy Advisory Board. He also has been on the membership committee of the industry's IT Information Sharing and Analysis Center.

Sabo holds degrees from King's College and the University of Notre Dame. He speaks frequently about security, privacy and trust in e-government and e-business.

GCN senior editor William Jackson interviewed Sabo by telephone.

GCN: Your job at Computer Associates International Inc. involves both security and privacy: what do you see as the difference?

SABO: There tends to be a lot of confusion and imprecision about these terms. Most people view privacy as security, when in fact information privacy encompasses a much broader set of requirements.

There are multiple parties involved in information privacy: a data subject such as a citizen, and a data processor such as an agency. Privacy practices deal with things such as notice, choice, constraints on collection and use, and access to data.

Privacy is applicable to both parties. Security is only one of a set of privacy principles.

Security covers such things as data confidentiality, identification, authentication, access authorization and data integrity. To protect integrity and allow for review and correction of information, which are privacy requirements, you must have a number of security services to ensure that only an authenticated person can have access.

Computer Associates is a member of the International Security Trust and Privacy Alliance, a nonprofit organization focused on defining privacy services. It recently announced Version 1.0 of its privacy services framework to formalize IT-based privacy services.

GCN: Isn't there an inevitable tension between electronic service delivery and security?

SABO: In any kind of environment where you provide services based on sensitive information, you are going to have trade-offs between consumer convenience and the measures needed to guard privacy and enforce security. In the brick-and-mortar world, people over the years have become comfortable with the trade-offs. You're really dealing with risk management.

The questions are: What is the level of risk? What policies are needed to meet regulatory requirements and mitigate risk? And how can you apply them in an online environment to achieve trust?

What constitutes an acceptable level of risk in the electronic environment is, frankly, unexplored territory. A useful private-sector example is financial services, which serve millions of customers effectively. There are clear privacy and security policies and business processes, and customers are comfortable with them.

It's harder for the government to deal with risk management because there is an extra public trust component. Agencies that have traditionally been custodians of personal information, such as the IRS and Social Security Administration, in general have been good stewards, yet nothing is 100 percent.

GCN: Have security concerns affected electronic delivery of government services since Sept. 11?

SABO: My sense is that the tilt hasn't been so much within electronic services; it has been that the resources that would have gone into accelerating e-government are being diverted to immediate defensive needs.

As the government begins providing more services electronically and the public expects that convenience and value, agencies ultimately will migrate away from their old ways of doing business. Then the exposure to disruption becomes a greater risk.

Interestingly, the National Research Council's report on cybersecurity, Pay Now or Pay Later, examined studies of information security from the past decade to see if the recommendations are still valid. It reached the disheartening conclusion that, if anything, our state of security is worse today.

GCN: What did you learn from the controversy at SSA when the agency tried to provide interactive access to Personal Earnings and Benefit Estimate Statements?

SABO: As somebody who was directly involved, I would be the first to tell you there are many lessons to be learned. The report issued following the incident, Privacy and Customer Service in the Electronic Age, is still valuable because of its candor about what led up to the decision to go online and what was done afterward.

One of the key lessons was outreach. As you start moving into new service delivery models, you need to be cautious and do outreach to the communities of interest. In the PEBES case, we had not gone out early enough to the privacy experts who could have raised some flags.

What was initially described as a privacy issue really was security. How do we authenticate an individual online?

Most of the experts testifying at hearings felt that in the usual business process, requesting information on paper with a signature was adequate. If you think about it, that isn't very secure and is really enforceable only by extensive audit controls. Online, you need additional risk management measures that we haven't seen in traditional service delivery.

GCN: How can agencies provide adequate system and network security for e-government?

SABO: I'm a member of the board that advises the National Institute of Standards and Technology and the secretary of Commerce on security and privacy. The board has spent a good amount of time looking at security metrics, baseline practices and privacy challenges.

My personal view is that the tools are available, but it's critical to do risk assessment and bring strong management into play to ensure controls are in place and working.

The Office of Management and Budget provides high-level guidance, and the CIO Council, General Accounting Office and NIST work on best practices. But management complexities require hard work. Agencies must build the policies and, much more importantly, follow through.

Even when risk is understood, many problems stem from inadequate implementation and provisioning of resources. The primary need is to take information security seriously. Many policies are probably quite comparable from agency to agency, so they don't have to reinvent the wheel.

GCN: How is the IT Information Sharing and Analysis Center working out?

SABO: I believe there is some good government and private-sector work going on.

Cybersecurity chief Richard Clarke's outreach to the private sector is the kind of cajoling, influencing and pushing that needs to happen to encourage private-sector involvement.

Another good example is in cybercrime and law enforcement work by the Secret Service, the FBI and others. The New York Electronic Crimes Task Force, which started eight to 10 years ago, set up lines of communication between law enforcement and industry. Although it sounds simple, it's a breakthrough collaboration model and so successful that it was referenced in the USA Patriot Act as a model to be adopted nationally.

The ISACs are beginning to get traction. The IT ISAC has established an operations center. Policies are in place defining how members can contribute vulnerability warnings and how they can be shared. Information is starting to flow up to the National Infrastructure Protection Center and other parties.

The private sector can be very competitive, and it is being asked to organize itself to share data without compromising business confidentiality. That's tricky.

GCN: What advice do you have for agencies about privacy and security?

SABO: Agencies should take the time to find out what the private sector is doing. There is a huge opportunity for agencies to improve citizen trust, to improve government services, to improve security and to protect privacy better.

What's more

Age: 56

Pets: Three 'rescue' dogs: Lucy, a Doberman mix; Buster, a Jack Russell-bull terrier mix; and Harvey, a mutt

Last movie seen: 'Lord of the Rings'

Worst job: Working in an A&P Supermarket's meat department

Favorite Web site: www.classmates.com

Leisure activities: Travel to all continents, including Antarctica

Hero: Explorer Ernest Shackleton
