Remembering roles and responsibilities in big data, cybersecurity
9 Dec 2013|

Last week, David Schaefer introduced an interesting new dimension to the big data debate developing on The Strategist, that of cybersecurity. With defenders of metadata collection hammering home the counter-terrorism angle, the future utility of this type of surveillance for an equally pressing cyber threat has indeed been woefully overlooked. In fact, big data collection to identify anomalies indicative of cyberattacks or for forensic investigation already represents a highly lucrative business model for many IT companies. It’s also arguably a far more effective use of big data than counter-terrorism. But while metadata is a highly effective tool in this regard, the critical question is to what degree the governments should even be involved in protecting private cyber infrastructure.

Schaefer points to a US pilot program to protect the high-tech defence industry as a potential practical application of metadata for cybersecurity. Important in this example is that the US counts its defence industrial base as a part of national critical infrastructure and the protection is focused on sensitive government data. While the government has a clear role and interest in protecting critical infrastructure from threats, cyber or otherwise, its role in whole-of-system big data collection under the auspices of wider cybersecurity is suspect.

Given the vast complexity and interconnected nature of cyberspace, there’s no doubt that an effective system-wide cyber security mechanism, if possible, could significantly limit external cyber threats. Metadata provides an avenue for more dynamic and adaptive system security. By collecting and organizing the entirety of a system’s raw data, a baseline of normal operations can be established, helping to identify breaches, prompt active and passive defensive measures, and investigate vulnerabilities. I don’t argue as to the potential for metadata collection for cybersecurity and cyber forensics, but it’s the responsibility of infrastructure owners and operators and private businesses to secure their own system.

In the realm of cyber security the role of the government (outside and .mil domains) should fall somewhere between watchdog and facilitator. Information sharing, identifying best practices, public outreach, coordination, providing incentives, regulation, and even mandating measures to improve cybersecurity are all important, if not vital, functions for the government.  But even before questions of privacy are raised, we need to establish a clear line delineating the roles and responsibilities of government.

As Schaefer lays out, it’s certainly well worth looking at the full spectrum of threats and solutions metadata collection can address, but having the technical capability to institute security measures doesn’t necessarily make them appropriate. Counter-terrorism falls squarely in the realm of traditional national security—that’s why it has been the poster child for embattled intelligence organisations. Cyberspace, on the other hand, lies primarily in the private domain, physically, economically, and even socially. An argument can be made for the government to assemble intelligence from disaggregated metadata systems for information sharing purposes, but cybersecurity of this sort isn’t sufficient justification for the government to be collecting the raw data itself.

There’ll always be concerns over any collection of metadata, whether conducted by the government or by the private sector. Internet Service Providers in particular will face a tough balance between securing systems and respecting customer privacy. At the moment, one of the best ways to protect these rights is through a strictly ‘need to know’ filtering as exists in banking, tax collection, and other sectors, where redacting unnecessary personal details as information becomes aggregated is standard practice. This is best accomplished at a more localised level, where data collection and management can be tailored to the specific circumstance, rather than with an overarching government data vacuum. In fact it’s the government itself that can, and should, play a pro-active role in ensuring through regulation that strict privacy and civil liberty protections are put in place.

All in all, big data collection shows incredible promise in cybersecurity, and there are many areas in which the government can improve, promote, and even utilise such methods. But, with the risk of sounding overly libertarian, sometimes it’s best to check government over reach at the door.

Klee Aiken is an analyst in ASPI’s International Cyber Policy Centre.