Cybersecurity’s privacy problem
My law professor at Harvard once said the definition of a conservative is a liberal who has just been mugged. Cybersecurity was the furthest thing from professor Alan Dershowitz’s mind when he made this comment 30 years ago. Yet, recent events in Europe illustrate the wisdom of his words.
A surge of cyber and terrorist attacks has threatened the fabric of European society, leading policymakers to break with history and begin to prioritize security over privacy.
Historically, it is the United States that has placed a premium on security. Particularly since the 9/11 terrorist attacks, Americans have tolerated broad surveillance by their government and sweeping data mining by private companies.
Europeans, by contrast, have long cherished privacy, both online and off. Last summer, the European Court of Justice captured this sentiment in its landmark ruling that individuals have a “right to be forgotten.” Privacy is even enshrined as a fundamental right in the European Charter of Human Rights.
Cybersecurity has only recently emerged as a continental concern. Last fall, government officials and business leaders placed cybersecurity at the bottom of the list in a poll on the main threats facing Europe, beneath issues like unemployment, migration, social instability, and interstate conflict.
Given this history, one might expect the United States to move more quickly than its European counterparts in passing measures aimed at combating cyber threats. Instead, it is Europe that has taken the lead.
Why has the need for digital security overtaken privacy as a leading priority for legislators across the continent?
Looming large is growing concern over an increasingly daring array of cyber attacks. Over the past year, Europe has experienced a number of online security breaches of unprecedented size and scale.
The most alarming came in late December, when authorities revealed that hackers had conducted a massive attack that caused widespread damage to an iron plant in Germany. This was one of the first successful cyber attacks on critical infrastructure anywhere in the world.
In January, a wave of cyber attacks temporarily disabled 19,000 French websites, including that of the Defense Ministry. In April, hackers claiming affiliation with the “Cyber Caliphate” of the Islamic State disabled broadcasts and took over the web presence of French public service television.
And in May, the German Bundestag revealed that more than 20,000 computers used by parliamentary members and staff had been infected with malware – the largest attack on the German parliament in history.
As cyber attacks in Europe have grown in intensity and frequency, physical terrorism has afflicted the continent in new and terrifying ways.
In January, terrorists killed 17 people in an attack on the satire magazine Charlie Hebdo in Paris. A day later, Belgian police killed two terror suspects in Verviers.
The ensuing months have only heightened European concerns around physical terrorism.
Shocking reports of teenage girls across the continent leaving their families to join ISIS blared into television sets and computer screens from Birmingham to Brussels.
In late June, terrorists killed 30 Britons at a seaside resort in Tunisia. Days later, the French, still grieving from the Charlie Hebdo tragedy, looked on in horror as a man beheaded his boss in southeastern France, and sent out pictures of his head draped in flags associated with the Islamic State.
The visceral brutality of recent terrorist attacks in Europe, coupled with fear engendered by the growing spate of cyber incursions, is dramatically changing the way Europeans think about privacy and security. The head of Europol, Robert Wainwright, recently labeled terrorism and cyber crime as the top threats facing Europe.
This changing landscape has cast a pall of fear over the continent. The response by policymakers, particularly as it relates to cybersecurity, has been decisive.
The German parliament just passed its first IT security law, requiring corporations in sectors involving critical infrastructure to notify the government and affected individuals of cyber intrusions.
Days later, the Dutch Government enacted a broad breach notification law that penalizes companies up to 10% of total revenues for failure to comply.
At the continental level, the European Council has approved, after years of debate, the EU General Data Protection Regulation, a sweeping law that will mandate that businesses notify National Supervisory Authorities of cyber breaches within 72 hours, and that they also notify affected individuals without undue delay. The law is expected to be finalized by the European Commission and the European Parliament by the end of the year.
This is the kind of unified, national breach notification effort we need to bring forward in the United States. A uniform national standard would protect consumers, provide clarity to industry, and require the government to hold itself accountable to the same standard as everyone else.
It seems that while privacy-minded Europe steps up its focus on security, security-focused Americans are actually moving in the opposite direction, demanding greater protection from government and business intrusions into their personal privacy.
In the wake of the Edward Snowden revelations about NSA surveillance, businesses have taken steps to prevent the government from snooping on their customers. Apple (AAPL) and Google (GOOG) implemented new encryption technology on their iOS 8 and Android operating systems. In June, Apple CEO Tim Cook called the erosion of privacy a threat to the American way of life: “We at Apple believe that people have a fundamental right to privacy. The American people demand it, the constitution demands it, morality demands it.”
The emphasis on security that has characterized state-society relations since 9/11 seems to be fading in America. Notwithstanding the recent U.S. Office of Personnel Management breach and a bipartisan 14 to 1 vote by the Intelligence Committee, the Senate has delayed a decision on crucial cybersecurity information sharing legislation until this fall.
But this does not mean that what Europe is doing is right, and what the United States is doing – or not doing – is wrong.
Privacy and security both matter.
Striking the right balance between the two will require partnership, coordination, and the sharing of best practices between policymakers, businesses, and citizens on both sides of the Atlantic. Now, more than ever, finding common ground in our policies and approach is the only way to stop borderless cyber criminals from threatening our security, while also preserving the privacy that both of our societies hold dear.
Privacy and security may be the Scylla and Charybdis of the modern world. But, as Odysseus taught us, the path home lies somewhere in between.
Peter J. Beshar is executive vice president and general counsel of Marsh & McLennan Companies. He has testified before both Houses of Congress on cybersecurity and terrorism matters.