Archives
- July 2008
- June 2008
- May 2008
- April 2008
- March 2008
- February 2008
- January 2008
- December 2007
- November 2007
- October 2007
- September 2007
- August 2007
- July 2007
- June 2007
- May 2007
- April 2007
- March 2007
Categories
- Congress
- Defense
- General News
- Health
- Health IT
- Homeland Security
- IBM suspension
- Industry
- Info Security
- Intelligence
- International
- IT management
- Law
- OMB
- Oversight
- Policy
- Politics
- Privacy
- Procurement
- Program Management
- Project management
- Risk management
- Security
- Spending
- State and Local
- Technology
- Telecommunications
- Tip Thursday
- Virtual World
- Web
- White House
- Wireless
- Workplace
What's happening in the federal IT community
By Wednesday, May 14, 2008 | 10:15 PM
Fifteen years ago, cartoonist Peter Steiner drew two dogs sitting in front of a computer, one saying to the other, "On the Internet, nobody knows you're a dog." This iconic adage, cute in its day, is now a warning.
Criminal, terrorist and nation-state cyberattacks against banks, technology companies, online merchants, individuals and government agencies cost the U.S. economy $400 billion annually, focused most often on stealing business and military secrets, and personal data.
In cyberspace, not knowing for sure what person or device is on the other end of the line has serious downsides. It erodes overall trust, limits users' ability to secure their own systems, hinders effective governmental response, and causes organizations to collect more personal data than they really need.
Yet there is important value in anonymity in cyberspace. People need to be able to visit, say, a government health information site without sharing detailed personal information. And, as Justice Stevens wrote in a majority opinion in 1995, "Protections for anonymous speech are vital to democratic discourse."
A zero-sum game between security and privacy is both undesirable and unnecessary.
We can find a balanced way to enhance security without throwing away our privacy rights. Not every transaction demands the same amount of identifying information. Organizations should tailor the amount of identifying information they collect, keeping it to the minimum needed for a specific situation. At the same time, those information collectors should keep an auditable record of what information has changed hands.
As Scott Charney, Microsoft's head of trustworthy computing, suggests in a seminal paper on end-to-end trust, "It may be possible to know something about someone without knowing who they are." We can build systems that verify, for instance, that someone is a minor--and allow them to play in certain online worlds--without requiring they reveal additional personal data. That limit could help protect kids from cyberspace predators.
Government is already deeply involved in securing cyberspace. It must work closely with industry to make authenticated cyber identity a reality.
President Bush's recent classified directive on cybersecurity is said to create a comprehensive approach to the problem. A first test of the program will be measuring how much it enhances both freedom and security.
(A longer version of this post appeared in Forbes.com.)