Almost every American adult remembers vivid details of where he was on the morning of September 11, 2001. I was at the National Economic Council staff meeting on the second floor of the West Wing of the White House – and I will never forget that. The moment the Secret Service agent suddenly entered the room, he shouted: “You must go now. Ladies, take off your heels and go! ”
Just an hour ago, as a technology adviser to the National Economic Council White House, I was briefing the Deputy Chief of Staff on the final details of the Oval Office meeting with the President scheduled for September 13. In the end, we were ready to get the President’s signature. Stop sending Federal Privacy Bill to Capitol Hill અ effectively the federal version of the California Privacy Act, but stronger. The law will put a guardrail around citizens’ data-sharing their information requires opt-in consent, controlling how their data can be collected and used.
But that morning, the world changed. We evacuated the White House and the day after the tragedy unfolded with tragedy after sending shockwaves to our nation and the world. Living in DC that day was like witnessing and experiencing personally the whole spectrum of human emotion: grief, unity, distrust, strength, determination, urgency … hope.
A lot has been written about September 11th, but I want to pass a moment to reflect the next day.
When the staff of the National Economic Council returned to office on September 12, I will never forget what our boss, Larry Lindsay, told us at the time: “If some of you don’t feel comfortable living here, I understand. We are all targets. And I will not appeal to your patriotism or faith. But I will-as we are all economists in this room-appeal to your rational interest. If we step back now, others will follow, and who will be there to save the pillars of our society? We are catching the line here today. Act in a way that makes this country proud. And don’t give up your commitment to freedom in the name of safety and security. ”
There is a lot to be proud of about how the country was pulled together on September 11 and how our government responded to the tragedy. First, though, as a professional in the field of cyber security and data privacy, I consider Larry’s advice, and the crucial lessons learned in many years to come – especially when it comes to defending the pillars of our society.
Even though our collective memories of that day still seem fresh, 20 years have passed, and we now understand the important role it played in the months leading up to the 9/11 terrorist attacks. But, unfortunately, we have failed to connect the points that can save the lives of thousands of people by catching intelligence very closely in different places. These data silos have blurred patterns that would have been obvious if there was only one framework for sharing information securely.
So, we told ourselves, “never again,” and government officials decided to increase the amount of intelligence they could gather – without thinking about the significant consequences not only for our civil liberties but also for the protection of our data. So, as patriotic law came into force, 20 years of surveillance requests from intelligence and law enforcement agencies seeped into the bill. Staying in the room for Patriot Act negotiations with the Department of Justice, I can confidently say that while the intentions to prevent other terrorist attacks and to save our people were understandable – the downstream negative consequences were far-reaching and undeniable.
Domestic wiretapping and mass surveillance have become commonplace, undermining individual privacy, data security, and public trust. This level of monitoring sets a dangerous precedent for data privacy, while delivering marginal results in the fight against terrorism.
Unfortunately, the federal privacy bill that we hoped to bring to Capitol Hill in the week of 9/11 – a bill that would strengthen personal privacy protections – was a mothball.
In later years, collecting and storing large amounts of surveillance data became easier and cheaper. As a result, tech and cloud giants grew rapidly and dominated the Internet. As more data was collected (by both the public and private sectors), more and more people gained visibility into individuals’ private data – but with meaningful y access no meaningful privacy protections were maintained.
Now, 20 years later, we meet with Behmoth tech companies and IoT devices collecting data points on our activities, conversations, friends, families and organizations with a plethora of uninterrupted data collection and access access. Large and expensive data leaks – whether from ransomware or just mis-configuring cloud buckets – have become so common that they rarely make the front page. As a result, public confidence has been shaken. While privacy should be a human right, it is not protected – and everyone knows it.
This is evident in the humanitarian crisis we have witnessed in Afghanistan. Just one example: the Taliban have seized U.S. military equipment containing biometric data on Afghan civilians supporting coalition forces – data that makes it easier for the Taliban to identify and track those individuals and their families. This is the worst case scenario for sensitive, private data to fall into the wrong hands, and we haven’t done enough to protect it.
This is unacceptable. Twenty years later, we are once again saying to ourselves, “Never again.” 9/11 should be an account of how we manage, share and protect intelligence, but we still haven’t got it right. And in both cases 200 in 2001 and 2021 આપણે the way we handle data has a life-or-death effect.
This is not to say that we are not making progress: the White House and the U.S. Department of Defense have this year focused on cybersecurity and zero trust data protection, with an executive order toward strengthening federal data systems. The good news is that we have the technology needed to protect this sensitive data while making it shareable. In addition, we can put contingency plans in place to prevent data from falling into the wrong hands. But, unfortunately, we are not moving fast enough – and the slower we solve this problem of secure data management, the more innocent lives will be lost along the way.
Looking forward to the next 20 years, we have the opportunity to rebuild trust and change the way we manage data privacy. First and foremost, we have to put some greirail. We need a privacy framework that gives individuals basic autonomy over their own data.
This, of course, means that public and private sector organizations need to perform behind-the-scenes technical operations, build identities with the data, and return ownership to the individual in order to make it possible to own and control this data. This is not a quick or easy improvement, but it is achievable – and necessary – to protect our people, whether US citizens, residents or allies around the world.
To accelerate the adoption of such data protection, we need an ecosystem of free, accessible and open source solutions that are interoperable and flexible. By layering data protection and privacy with existing processes and solutions, government agencies can securely collect and collect data that reveals a bigger picture without compromising the privacy of the individual. Today we have these capabilities, and now is the time to take advantage of them.
Because the truth is that, with the huge amount of data being collected and stored, there are far more opportunities for American data to fall into the wrong hands. The devices seized by the Taliban are currently a small fraction of the data that is currently at stake. As we have seen so far this year, nation-state cyber attacks are on the rise. This threat to human life does not go away.
Larry’s words of September 12, 2001 still resonate: Who will be there to save the pillars of our society if we just go back? Public and private sector technology leaders – it is up to us to protect and safeguard the privacy of our people without compromising their freedom.
It is not too late for us to rebuild public trust, starting with the data. But, 20 years from now, will we see this decade as a turning point in the protection and support of individuals’ right to privacy, or are we still saying “never again”?