Thoughts from Our Fellows: Ensure Data Security and Privacy Rights of Individuals
February 01, 2022
February 01, 2022
Welcome to Thoughts from Our Fellows, a collection of recent activity regarding the Academy's Grand Challenge of each Month. In January, the Academy focused on Ensure Data Security and Privacy Rights of Individuals. Below you will find:
- The recommendations from our Election 2020 project regarding the first year of the new administration,
- Recommendations from our fellows for the next few years of the Biden Administration,
- Management Matters podcasts related to this grand challenge, and
- The top 5 clicked articles on this grand challenge from our Management Matters online newsletter.
Election 2020
In November of 2020, the Academy published a paper on this topic as a part of its Election 2020 Project. The Working Group recommended the following actions for its paper, Data Privacy and Security.
- Create a presidential commission on privacy and security that engages the US population in a long-term dialogue on data privacy and security.
- Create a workforce advisory commission on cybersecurity and privacy that addresses the urgent and growing skills crisis in the IT workforce for data privacy and security.
- Develop and implement a policy framework to protect data security and individual privacy that enacts standards to protect consumer online data and a comprehensive national data privacy law to protect consumers and foster innovation and economic growth and builds on the large-scale initiative, the Cyberspace Solarium Commission.
- Build on current efforts in the Cross-Agency Priority goals related directly to privacy and security: IT Modernization and Data, Accountability and Transparency.
Thoughts from Our Fellows
In addition to our Election 2020 papers, which focused on recommended actions for the first year of a new administration, the Academy also asked its Fellows
"What should public administrators in the federal government do to address the challenges in the Data Security and Privacy Rights realm? What should they prioritize?"
Dan Chenok and Karen Evans: Public sector leaders and their partners in academia and industry can work together, with a strategy and leadership from the new White House National Cybersecurity Director and DHS CISA working with other key agencies, to take significant actions to increase data security and improve privacy rights. These actions can come in domains that include:
Technology: using emerging technologies, like AI and evolving authentication and cryptographic methods, to enhance the effectiveness of cyber products and services; and building cyber security and data privacy protocols into the design of technology and analytics programs so that underlying cloud, data, and other systems are more secure.
Partnerships: building an ever-expanding network of alliances with industry around learning from best commercial practice; sharing information among government and industry organizations about vulnerabilities, threats, and incidents through groups like the DHS Joint Cyber Defense Collaborative; and supporting partnerships with academia to learn from leading-edge research.
People: growing a skilled cyber workforce, as the Academy's Cyber workforce report to DHS indicated, by upskilling current staff, strengthening curricular and job matching connections with colleges and universities to make federal cyber work a sought-after professional opportunity; and integrating cyber into K-12 curricula via grant programs and similar support for local educational institutions.
Marilu Goodyear: There is an opportunity to address the career needs of adults who wish to develop skills in order to ensure a career that contributes to society and the need for cybersecurity professionals. We often think about K-12 education as the main emphasis but I believe efforts should focus on underemployed adults who have the potential to fill these positions. The NAPA report provides background on how to incorporate this approach into the overall federal plan.
In terms of security of systems:
- Developing policy that describes clearly security protocols and ways of auditing them
- Continuously assessing risk in the physical (buildings), technical (hardware and software, institutional and personal computing) and organizational practices (processes), and acting accordingly updating practices, locks or technical components.
- A major security problem is the lack of awareness and training across the whole organization. Emphasis should be given to training programs.
In terms of privacy:
- Training on the importance of data stewardship. Everyone in the organization takes part in keeping data safe and useful
- Develop a stronger regulation for private actors. Self-regulation is not enough, and the federal government must provide a clearer set of requirements that need to be met.
Randolph May: The most important thing that Congress can do to promote the privacy rights of individuals is pass a national privacy and data security law. Right now, while the FTC has authority to sanction Internet companies that fail to comply with the representations and disclosures regarding privacy and data security they make on their websites, the agency does not have the authority (nor should it necessarily) to adopt broad regulations that prospectively regulate privacy rights and responsibilities. Although Congress has been considering privacy bills for several years, it has yet to adopt a law establishing a national privacy framework.
The national privacy law should require clear consumer disclosures that require individuals to "opt-in" before websites collect and use medical, financial, and other personally identifiable sensitive information. For non-sensitive information, an "opt-out" requirement should apply. The national law should not create a broad new private right of action for alleged violations because the flood of litigation likely to ensue will stifle investment in new services and applications. Instead, under the new federal law, the FTC should be given the resources it needs to determine whether violations of privacy rights have occurred and the authority to compensate those whose rights have been violated.
Finally, and importantly, in any new law, Congress should preempt state privacy and data security laws that are inconsistent with federal law. A patchwork of inconsistent state laws already is developing. California, Virginia, and Colorado have recently adopted their own varying laws, and more states are considering doing so. Because it is difficult, if not impossible, for Internet providers which operate in all 50 states and around the world to comply with the patchwork of varying state regulations, in effect, the strictest, most burdensome state law - currently California's - becomes the de facto national standard. It should be Congress, not California or any other state, that develops a national framework that properly balances consumers' rights and Internet websites' responsibilities.
Related Podcasts
Data Security Integration and Collaboration with Maria Roat
Fellow: Maria Roat
Season: 1 Episode:90 | January 24, 2022
The Importance of Collaboration in Data Security with Luis Luna-Reyes
Fellow: Luis Luna-Reyes
Season: 1 Episode:89 | January 17, 2022
Enterprise Risk Management and Data Security with Tom Brandt
Fellow: Thomas Brandt
Season: 1 Episode:88 | January 10, 2022
Top 5 Articles on Ensure Data Security and Privacy Rights of Individuals
SIGN UP FOR THE DAILY MANAGEMENT MATTERS NEWSLETTER
Nextgov: US still lacks federal cyber strategy after decades of attempts, by Mariam Baksh
Despite starts and stops dating back to the early 1990s and frequent references to a national strategy, U.S. cybersecurity remains in jeopardy from the lack of a comprehensive plan that includes accountability to specific outcomes, according to a leading official from the Government Accountability Office.
“The reality is that every administration, honestly since the Clinton administration, has applied effort and priority to trying to coalesce some sort of national strategy—maybe it's in different shapes and forms, may be in several documents or one—but no one has gotten all the way there and we definitely have not gotten to the point of actually executing a strategy,” said Nick Marinos, a director of information technology and cybersecurity at GAO.
Marinos was participating in a Dec. 9 event Government Executive hosted on the discipline of enterprise risk management, something federal agencies are required to practice in the development of their individual priorities. Agencies’ risk management activities are guided by technical guidance from the National Institute of Standards and Technology, but Marinos said they should also have a big-picture reference to who’s responsible for what outside of their own operations.
Route Fifty: Blockhain organization tests Web3 premise by hosting NYC data, by Stephanie Kanowitz
Filecoin, an open source decentralized file storage network, is testing out its service by duplicating New York City's open data and hosting the information on its platform. Protocol Labs, an open source research, development and deployment laboratory, and the Filecoin
Foundation will store and maintain city data on demographics, air quality and legal notices on the network—at no cost for at least the next five years.
NextGov: Think twice before scanning that QR code, FBI warns, by Shourjya Mookerjee
Quick response, or QR, codes have taken off since the start of the pandemic, giving governments and businesses a fast, contactless way to pass information to consumers. Their popularity and ease of use have prompted the FBI to warn end users that cybercriminals can tamper with the codes to redirect them to malicious sites.
In an alert, the bureau gave a brief overview of the methods cybercriminals are using. In most cases, the falsified QR code will redirect the user to a malicious website or domain, where the unassuming consumer will input sensitive personal or financial information.
Breaking Defense: Geopolitics keeps overruling cyber norms, so what's the alternative?, by Laura G. Brent
Whenever a new technology emerges as a national security issue, governments want to establish norms of behavior. We are seeing it with AI, with unmanned systems, with hypersonic technology — and we have seen it with cyberspace.
Setting norms can be useful. The process itself can have benefits: it requires governments to communicate and develop a better understanding of how different nations view challenging issues. When norms are agreed upon, even if voluntary and non-binding, they can make explicit what may be mutually beneficial to states.
Route Fifty: Top public sector cybersecurity threat no longer is employees by, Andre Claudio
External threats overshadow internal ones as the public sector’s greatest cybersecurity concern, according to the Public Sector Cybersecurity Survey Report by SolarWinds.
The report by SolarWinds, a company that develops software for businesses to help manage their networks and technology, highlights how state and local government professionals perceive IT challenges and the sources of IT security threats.