The Cybersecurity Canon: Data and Goliath
"Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World" is a book meant to scare you, and it does a good job. The book is designed to get our attention and serve as a wake-up call on a number of issues that beg for more robust public discussion. Chief among these issues are mass surveillance from governments and the commercial world, and how this is affecting personal privacy and even public security. More importantly, I believe Bruce Schneier offers some excellent recommendations as to what we should all be talking about and doing when it comes to bringing these critical issues out of the shadows and into the light. Finally, this book offers some ideas that I believe can serve as the basis for the formulation of improved norms of responsible behavior, more effective government and industry policies and regulations, and perhaps more balanced national and international laws relevant to the digital age. As such, this book deserves a place of honor in the Cybersecurity Canon.
I had the opportunity to visit the Harvard Kennedy School of Government in Cambridge last April to be interviewed by the director of Harvard's Cybersecurity Project. Prior to my interview, I was able to speak with Bruce Schneier, who was working with Harvard's Cybersecurity Project at the time, and he was kind enough to provide me with an autographed copy of this book. I was instantly inspired to read and review it for the Cybersecurity Canon. Little did I realize at the time that another Cybersecurity Canon member, Steve Winterfeld, had already reviewed Bruce's book in October 2015. However, after reading Steve's wonderful review of the book, I wanted to provide another perspective that I believe is relevant and timely. So, this is an endorsement of Steve's earlier book review, and it also provides additional thoughts that I hope will generate interest within the professional cybersecurity community.
In Steve Winterfeld's earlier review, he expertly described how the book is organized into three sections: the world we are creating, what's at stake and what to do about it. As mentioned in my executive summary, I believe the first two sections were designed to generate alarm about what's happening and largely hidden from public view, point out the direction in which we're blindly being led, and educate us about the associated dire consequences unless we change direction and have a more informed public discussion. My assessment is that Bruce intentionally skews the balance a bit between costs and benefits to get our attention in these two sections. I say this because, if you read carefully, he makes a couple of more balanced references to definite benefits to society as a result of the collection and use of our data by governments and the commercial world. Instead of rehashing the first two sections or arguing about whether the balance between security and privacy in surveillance is correctly addressed, I will focus my comments on what I consider to be one of the most foundational and beneficial elements of the book. This is found in the last section, what to do about it, and begins with Chapter 12, Principles.
In Chapter 12, Schneier outlines six important principles that I consider an excellent starting point for a much broader public—private discourse about data collection and use than exists today. As he points out in the chapter opening, these are general principles about universal truths involving surveillance, and while it's easy to agree about the principles, it's much more difficult applying them to the world in which we live. Still, I took these as foundational elements upon which genuine dialogue that considers all angles can occur. I was also impressed because the six principles tie together three equally critical points of view—governments, commercial industries and people.
While I cannot adequately cover them in detail in this review, the six general principle categories are: Security and Privacy (as opposed to Security versus Privacy); Security Over Surveillance (meaning this is an "either/or" proposition, and the priority must go toward security); Transparency (how technological and social trends are demanding less government and corporate secrecy); Oversight and Accountability (focusing on tactical oversight—which is about doing things right, and strategic oversight—which is about doing the right things, as well as ensuring penalties for abuse of either); Resilient Design (including resilience to hardware and software failure, as well as to technological innovation, political change, and coercion); and One World, One Network, One Answer (deciding whether or not we build our information infrastructure for security, surveillance, privacy or resilience because everyone, friend or foe, gets to use that same infrastructure).
There is a lot of current discussion about norms of responsible behavior in the digital environment. The United Nations Group of Government Experts began the process. Presidents Obama and Xi discussed norms in their agreement of 2015. The G7 and, later, the G20 agreed on several norms of responsible behavior. The problem is that these norms are largely about interaction between governments, yet the digital environment is owned, operated and maintained predominantly by the private sector. And of course, nearly everyone on the planet has their hands on devices connected to this environment.
I believe the principles outlined in this book provide a much broader set of foundational ideas that pertain equally to governments, the commercial industries and people—ideas that could serve as the basis for the formulation of improved norms of responsible behavior, more effective government and industry policies and regulations, and perhaps even more balanced national and international laws relevant to the digital age. In fact, that's exactly how the book concludes. Each chapter following the principles provides specific recommendations for what governments, commercial entities and ordinary people can talk about and do to better balance the crucial issues surrounding the ways our data is collected and used.
I think this is a book for just about anyone who is, or should be, interested in what's happening with the collection and use of our data. It's written in plain English, easy to read, relatively short, current, relevant and compelling. For the professional cybersecurity community, I think this book is a must-read. Having served most of my life in the U.S. national security community and more than a decade and a half fighting terrorism, I don't always agree with each point in the book regarding where the right balance is between costs and benefits. However, having been in the commercial cybersecurity industry for almost two years, I have a great deal of respect for the varying views on these increasingly important issues. As far as I'm concerned, this book is an important contribution to a much-needed, much more open dialogue to ensure we are making informed decisions in the digital age.