Security and Privacy, Yin and Yang
It’s 2019 Data Privacy Week, and what better time to spur a discussion on the convergence of rapidly changing technology and what the next decade is going to look like as the 4th Industrial Revolution begins to crystallize. As stated by the World Economic Forum: Globalization and technology are intimately intertwined. The movement of people, goods, and ideas is accelerated and broadened by new forms of transport and communication. And technological development is, in turn, enhanced by the diversity of ideas and the increased scale that comes from global reach.[i] The Fourth Industrial Revolution can be described as the advent of “cyber-physical systems” involving entirely new capabilities for people and machines. While these capabilities are reliant on the technologies and infrastructure of the Third Industrial Revolution, the Fourth Industrial Revolution represents entirely new ways in which technology becomes embedded within societies and even our human bodies. Examples include genome editing, new forms of machine intelligence, breakthrough materials and approaches to governance that rely on cryptographic methods such as the blockchain.[ii]
Just as the globalization of the previous industrial revolutions leapfrogged different regions, so too is the 4th going to mature unequally. That does not mean that all aspects of the 4IR will affect all regions, but the technologies with the biggest benefits economically, socially, and popularly will be adopted as cultures and people can afford. There are many benefits we expect to see with the 4IR, as technologies converge, embedding 3IR technology into new economies. AI, robotics, quantum, gigabit, autonomous, and xIOT are expected to become ambient and ubiquitous. Two of the biggest technologies expected to mature with the 4IR will be augmented reality and 5G mobile. Until 5G reaches full 3GPP standardization and adoption, technology like AR isn’t viable outside Wi-Fi (home and office) spaces. But when real mobile connectivity, enabled by edge compute and URLLC (ultra-reliable low latency communication) becomes commercially available, AR will be one of the true realizations.
As consumer behaviors evolve and personal devices enable experiences like AR, how and what consumers do is going to become big business. The 3IR is likely to be described by economists and sociologists as the expansion of data creation and economization beyond just the digital revolution it is known as today. The last half decade has exposed a very real and serious need for consumers, providers, and technologies to adopt a posture of data protection. We have seen lawmakers and regulators step up and acknowledge that data is a commodity as well as an opportunity for use and abuse. In the EU, regulators have introduced and passed the GDPR law, which is likely to be a blueprint for many nations in some form. In the U.S., the state of California has followed a similar path with the CCPA (California Consumer Privacy Act) with all remaining 49 states waiting and watching. U.S. regulators, at the state or federal level all, are aware of the need for recognizing and ultimately protecting the data being created, which thus far has been limited to ownership and monetization. But consumer and enterprise protections are just the first step in balancing the economics of data creation. The debate that started in 2018 with the GDPR and CCPA is about data privacy, and what user rights exist around use and retention of data. Considering the long-winded definition of 4IR from the WEO above and the continued attention from world conferences like Davos Economic Forum, there is much to be cognizant and concerned about. 4IR means for nearly every action or experience, data is being collected, and the deepest concerns of exposure, exploitation, and abuse are eminently relevant.
Those companies that anticipated the opportunity and complexity and gravity-well associated with data usage began hiring or enhancing current skill sets around a new role as CDO (Chief Data Officer). Whether as autonomous hire or as additional responsibilities for the CISO or CIO, the CDO is becoming a very critical hire. At a recent data privacy conference in the Valley on the topic of data privacy, both consumer and corporate was jointly hosted by SPB and SPJ[iii]. In attendance was a key group of concerned and engaged technologists, regulators, and executives gathered to peel back the onion.
With recent high visible data exposures at Facebook, Target, Marriott, and many others, it has become clear that no company is immune, and no single or advanced technology can prevent a determined attack. As a result, consumer awareness and apprehension are likely the highest they have ever been. In researching the support for the CCPA, privacy advocates have learned citizens are starting to pay attention to the uses and applications of their data. They realize companies are gathering massive amounts of information, and the research shows, they not only want this information to be held confidential, but they want the opportunity to “opt-out” and not have it shared at all. This is opt-out clause is at the core of the GDPR, whereas the EU’s approach to privacy has been about applying principles to standards, while in the U.S. the practice has been about how to adapt and move forward. It is an EU law, but very much a reality for U.S. companies to implement. Attendees at the conference agreed data privacy needs to be recognized and treated the same way data security was ten years ago.
With the GDPR in the forefront of every CPO in the Valley and across the country, the panel turned their attention to the importance of nuance and understanding. With everyone in agreement on the significance of implementing some form of privacy protection for consumers, the discussions evolved to how best to accomplish the task – How do businesses approach privacy in a way that is good business for everyone while balancing regulation and impact without killing the little guy? The right to be forgotten requests could bring companies and business to a halt with penalties and legal action. We need to optimize, code and build awareness and deletion technologies into all the systems businesses are running or upgrade those systems.
The next few years are going to be a challenge as the regulation pendulum looks to swing away from business-only interests as consumers navigate the convenience versus rights paradigm. Corporate adherence, which under current data protection regulations often tended to be a pay for compliance, now needs to implement a global data privacy solution that is both broad and agile to meet all the varied regulation expected to be enacted. Interpretation of the laws is going to be an ongoing burden. At the end of the day, there were three main conclusions:
- Data privacy must be addressed and can’t be ignored. The people want it!
- Data privacy will not happen on its own without the mobilization of business and government leaders that are committed to putting privacy first yet doing it in a way that won’t crush business.
- Companies need to adopt a posture of urgency that repeats the shared magnitude data security experienced a decade ago. We need to put the resources, tools, and talent in place in our own companies – and then help other organizations do the same.
Meeting this new 4IR world is going be a learning curve, one that can be cumbersome for those companies that cannot afford a full-time CDO or even a CPO (privacy). Data stewardship is not going away and hiring privacy engineers is just the beginning of compliance. Whether as a full-time job or as a service, the CDO is going to be asked to take on an even larger and critical new role, one that can be very expensive around non-compliance. The CIO/CDO is likely to be seen as the new service broker for all such needs going forward.
A distinct advantage that new startups or existing companies might have in the area of AppSec and privacy engineering is connecting with a firm with the bench strength to handle the questions, answers, and solutions occuring on a daily basis. SPJ, a sponsor of the privacy conference, is well connected with the most relevant legal firm in the industry, and also the hottest up and coming security and privacy startups in the Valley. Their security and privacy practice is top shelf, and ready to engage at any level.