Security, privacy a delicate mix

John Sabo, Computer Associates International Inc.'s business manager for security, privacy and trust initiatives, came to the private sector from the Social Security Administration, where he was director of the electronic services staff.At SSA, he helped develop the Social Security Online Web site and other e-government services. Sabo also was on the team that dealt with the 1997 controversy around Web-based Personal Earnings and Benefit Estimate Statements. Concern about authenticating requests forced SSA to withdraw PEBES.Sabo was SSA's representative to the Federal Public-Key Infrastructure Steering Committee and on a number of advisory boards for IT standards and policies. Now, he is Computer Associates' representative to the International Security, Trust and Privacy Alliance and is on the Computer System Security and Privacy Advisory Board. He also has been on the membership committee of the industry's IT Information Sharing and Analysis Center.Sabo holds degrees from King's College and the University of Notre Dame. He speaks frequently about security, privacy and trust in e-government and e-business.GCN senior editor William Jackson interviewed Sabo by telephone.SABO: There tends to be a lot of confusion and imprecision about these terms. Most people view privacy as security, when in fact information privacy encompasses a much broader set of requirements.There are multiple parties involved in information privacy: a data subject such as a citizen, and a data processor such as an agency. Privacy practices deal with things such as notice, choice, constraints on collection and use, and access to data.Privacy is applicable to both parties. Security is only one of a set of privacy principles.Security covers such things as data confidentiality, identification, authentication, access authorization and data integrity. To protect integrity and allow for review and correction of information, which are privacy requirements, you must have a number of security services to ensure that only an authenticated person can have access.Computer Associates is a member of the International Security Trust and Privacy Alliance, a nonprofit organization focused on defining privacy services. It recently announced Version 1.0 of its privacy services framework to formalize IT-based privacy services.SABO: In any kind of environment where you provide services based on sensitive information, you are going to have trade-offs between consumer convenience and the measures needed to guard privacy and enforce security. In the brick-and-mortar world, people over the years have become comfortable with the trade-offs. You're really dealing with risk management.The questions are: What is the level of risk? What policies are needed to meet regulatory requirements and mitigate risk? And how can you apply them in an online environment to achieve trust?What constitutes an acceptable level of risk in the electronic environment is, frankly, unexplored territory. A useful private-sector example is financial services, which serve millions of customers effectively. There are clear privacy and security policies and business processes, and customers are comfortable with them.It's harder for the government to deal with risk management because there is an extra public trust component. Agencies that have traditionally been custodians of personal information, such as the IRS and Social Security Administration, in general have been good stewards, yet nothing is 100 percent.SABO: My sense is that the tilt hasn't been so much within electronic services, it has been that the resources that would have gone into accelerating e-government are being diverted to immediate defensive needs.As the government begins providing more services electronically and the public expects that convenience and value, agencies ultimately will migrate away from their old ways of doing business. Then the exposure to disruption becomes a greater risk.Interestingly, the National Research Council's report on cybersecurity, Pay Now or Pay Later, examined studies of information security from the past decade to see if the recommendations are still valid. It reached the disheartening conclusion that, if anything, our state of security is worse today.SABO: As somebody who was directly involved, I would be the first to tell you there are many lessons to be learned. The report issued following the incident, Privacy and Customer Service in the Electronic Age, is still valuable because of its candor about what led up to the decision to go online and what was done afterward.One of the key lessons was outreach. As you start moving into new service delivery models, you need to be cautious and do outreach to the communities of interest. In the PEBES case, we had not gone out early enough to the privacy experts who could have raised some flags.What was initially described as a privacy issue really was security. How do we authenticate an individual online?Most of the experts testifying at hearings felt that in the usual business process, requesting information on paper with a signature was adequate. If you think about it, that isn't very secure and is really enforceable only by extensive audit controls. Online, you need additional risk management measures that we haven't seen in traditional service delivery.SABO: I'm a member of the board that advises the National Institute of Standards and Technology and the secretary of Commerce on security and privacy. The board has spent a good amount of time looking at security metrics, baseline practices and privacy challenges.My personal view is that the tools are available, but it's critical to do risk assessment and bring strong management into play to ensure controls are in place and working.The Office of Management and Budget provides high-level guidance, and the CIO Council, General Accounting Office and NIST work on best practices. But management complexities require hard work. Agencies must build the policies and, much more importantly, follow through.Even when risk is understood, many problems stem from inadequate implementation and provisioning of resources. The primary need is to take information security seriously. Many policies are probably quite comparable from agency to agency, so they don't have to reinvent the wheel.SABO: I believe there is some good government and private-sector work going on.Cybersecurity chief Richard Clarke's outreach to the private sector is the kind of cajoling, influencing and pushing that needs to happen to encourage private-sector involvement.Another good example is in cybercrime and law enforcement work by the Secret Service, the FBI and others. The New York Electronic Crimes Task Force, which started eight to 10 years ago, set up lines of communication between law enforcement and industry. Although it sounds simple, it's a breakthrough collaboration model and so successful that it was referenced in the USA Patriot Act as a model to be adopted nationally.The ISACs are beginning to get traction. The IT ISAC has established an operations center. Policies are in place defining how members can contribute vulnerability warnings and how they can be shared. Information is starting to flow up to the National Infrastructure Protection Center and other parties.The private sector can be very competitive, and it is being asked to organize itself to share data without compromising business confidentiality. That's tricky.SABO: Agencies should take the time to find out what the private sector is doing. There is a huge opportunity for agencies to improve citizen trust, to improve government services, to improve security and to protect privacy better.