Lawyers Discuss Finding Balance Between Privacy and Security, Need for R&D Funding
The Justice Department needs more cooperation from attorneys concerned about cyberattacks, said Peter Roman, trial attorney in the agency’s Computer Crime and Intellectual Property Section, at a Thursday panel on hacking and cyberattacks hosted by the FCBA. “I worry about the tendency to fortify yourself thinking that this solves all your problems,” he said, saying he was speaking for himself, not the department. Rather than focusing on self-reliance, Roman encouraged attorneys to work with Justice to “get the bad guys.” Instead of thinking about cybersecurity strategies as protecting one’s home, he said, “you need to think of the Internet like your neighborhood,” where one well-guarded house is unsafe if it’s surrounded by houses with little or no security.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
While “cooperation with law enforcement is critical,” said Sprint Nextel Associate Head of Privacy Sheila Dedeaux, companies must balance that cooperation with commitments to their customers about privacy. “There’s ambiguity” in finding that balance and determining which takes precedence when cooperation and privacy concerns are at odds.
Privacy needs to be a concern when talking about storing and sharing data, said Amie Stepanovich, associate litigation counsel at the Electronic Privacy Information Center (EPIC). As companies try to protect themselves from attacks, she said, it’s important that any information about employees and their activities be kept confidential. This can be achieved by requiring companies to “minimize data” by encrypting it while storing it and anonymizing it as much as possible if it’s going to be passed to anyone else. “There’s no reason that the NSA [National Security Agency] needs to know what websites you visit every single day,” she said.
Roman said cybercrime is “not like street crime.” Instead, it’s similar to white collar crimes, he said, where “you're not going to see immediate results.” “In general, it’s been fairly successful,” he said of his department, declining to specify which countries have been uncooperative with Justice investigations.
The federal government should spend its time and money on research and development, said Doug Britton, CEO of cyber solutions firm Kaprica Security, who spoke on how mobile devices can get hacked. There is a lot of attention focused on projects that will take five to 10 years to complete, he said, but not enough attention focused on things in the shorter term. The question is what can be done with the “really neat technology being developed by really neat programs” right now, he asked.
Most panelists said “bad laws” are worrisome, though they defined the term differently. For Dedeaux, “bad laws … hamper our creativity” and prevent technology companies from offering “all the emerging technologies that users really want.” There are already a “myriad of rules” that companies like Sprint Nextel have to comply with, she said, adding that more won’t solve security concerns.
Data security attorney Amy Mushahwar, who has represented clients before the FCC and FTC among other agencies, agreed: Among requirements issued by state governments, the federal governments, and agencies, as well as those laid out by the Sarbanes-Oxley Act, “legislation is not necessary.” Companies’ ability to solve problems like cyberattacks stems from their creativity, she said, and “you can’t legislate creativity.” Mushahwar said she hoped these multiple requirements would be collapsed into one standard, but “I don’t believe we'll ever get to that place,” she said. Instead of more regulations, she said, there needs to be more research and development “funding to add the creativity component to all of this."
A law that is written poorly and in a non-transparent way would be a “bad law,” said Stepanovich. Any legislation needs to be transparent, she said, unlike actions taken by the NSA, which often won’t disclose under what authority it is acting, let alone what it’s actually doing. EPIC would be “incredibly concerned” if the NSA were to become the center of cybersecurity operations, she said.