The Balance Between National Cybersecurity and Personal Privacy

In BigIDeas on the Go, Sam Visner, Director of the National Cybersecurity Federally Funded Research and Development Center (FFRDC) at MITRE, talks about innovative cybersecurity technologies that help businesses meet industry standards, the future of an interconnected data infrastructure, and the intersection of security and personal privacy.

From the NSA to the private sector and a few stops in between, Visner built his experience primarily in national security. Now, as part of MITRE, a nonprofit that operates in the public interest, he applies that experience to “helping the nation’s businesses and critical infrastructure improve their cybersecurity” by adopting innovative and commercially available technologies.

Connecting businesses to innovative security technology

Current priorities on Visner’s radar include improving the integrity of the upcoming elections process and “working very specifically on the cybersecurity of the nation’s healthcare infrastructure” — an effort that is of particular importance in light of the current pandemic.

“The assumption,” says Visner, “is that a healthcare company, a chain that runs hospitals, a company that is running a transportation service — they don’t have access to highly classified cybersecurity technology.”

These companies need to look for the technologies that are available to them on the market today. Part of Visner’s purview is to identify these technologies and products — particularly those that are innovative and can be “assembled into an architecture, a structure” designed to help various industries meet the security requirements that apply to them.

Effectively doing this requires a forward-thinking approach and the ability to assess technologies within the context of a new global infrastructure “where businesses will reside in the future.” The world is “adopting a common information technology” that calls for a framework that cuts across industries.

For example, says Visner, “think about the Internet of Things (IoT) devices — as many as a million of those devices per square kilometer. 5G will affect every industry. IoT affects every industry. We’ve done a lot of work on infusion pumps, which are devices that are hooked up to human beings, but also hooked up to the hospital’s information technology infrastructure. So if you are in a hospital and you’re connected to a device, it’s probably an IoT device — and in the future, those devices will be connected to a 5G backbone.”

The data from these devices will eventually go through AI applications, and those applications will, in turn, help manage those various devices.

“The big problem isn’t just election security or just healthcare — but securing the overall IT ecosystem in which elections reside, in which healthcare systems reside, in which the next generation of smart transportation infrastructure resides, in which the smart power grid will reside, in which smart cities will reside.”

The role of NIST and the challenge of defining success

As we move toward a more unified ecosystem, measuring success and quantifiable impact “is a very difficult thing to do, because this is a very dynamic environment, and it doesn’t have deterministic outcomes,” says Visner.

Success at this point comes in “increasing evidence that industry after industry is applying the controls and the framework that NIST [National Institute of Standards and Technology’s Cybersecurity Framework] has called for.”

While security standards impact a big part of Visner’s job, the setting of standards itself does not fall under his purview. “We’re working with a part of NIST that helps industry and the nation’s business infrastructure meet the standards that they need to meet.” This is done through industry-specific Practice Guides that demonstrate how technology solutions map to particular standards for a given industry — plus specifics on how to make commercial products work together.

When it comes to the creation of these guides, the priority list is largely set by the government — for example, the upcoming election and health crisis take priority. At the same time, “we’re also working with industry to get their input regarding what problems they’re seeing.”

So while it isn’t yet possible to come up with a quantitative measure of success, “we do see that industry has become more serious and more purposeful.”

Privacy and security — Where do they intersect?

With the amount of data that’s being generated — and especially with 5G just around the corner — privacy concerns inevitably come up. “Every citizen deserves to be able to use the online environment with safety and security,” says Visner, “so it’s necessary that we provide cybersecurity that also respects people’s privacy.”

With the increasing evolution of regulations like GDPR and CCPA, “you have to be able to explain how you’re keeping [a data subject’s] data, where you keep their data, and — if they ask you to get rid of their data — to be able to demonstrate that you have done so.”

In the future, Visner predicts, “we’re going to see a new IP ecosystem” in which networked IoT devices generate “an awful lot of data.” That data will be analyzed by machine learning that will spot patterns, and AI will consume those patterns and, in turn, guide those infrastructures.

What this ultimately points toward — given a more interconnected, global data infrastructure — “is that the privacy problem and the cybersecurity problem unify. The ability to make sure that that information and devices are secure is the other side of making sure that people’s privacy is respected correctly in this new interconnected infrastructure,” says Visner.

“So from a practical perspective, I don’t think you get to solve one problem without solving the other. And if you think you can solve one problem without the other, I think we were not getting it right.”

Listen to the podcast to learn more about Visner’s predictions for the future of cybersecurity.