Almost all American adults can remember in great detail their whereabouts on the morning of September 11, 2001. I was on the second floor of the West Wing of the White House at a meeting of the staff of the National Economic Council – and I will never forget the When the Secret Service agent suddenly entered the room, shouting, “You have to leave now.” Ladies, take off your high heels and go!
Just an hour before, as White House technology adviser to the National Economic Council, I briefed the deputy chief of staff on the final details of an Oval Office meeting with the president, scheduled for September 13. Finally, we were ready to get the President’s sign. -off to send a federal privacy bill to Capitol Hill – makes it a federal version of the California Privacy Rights Act, but stronger. The legislation would put safeguards around citizens’ data – requiring prior consent for their information to be shared, governing how their data might be collected and how it would be used.
But that morning the world changed. We evacuated the White House and the day unfolded from tragedy to tragedy, sending shockwaves across our nation and the world. To be in Washington that day was to witness and experience personally what looked like the full spectrum of human emotions: grief, solidarity, disbelief, strength, resolve, urgency… hope.
Much has been written about 9/11, but I want to spend a moment thinking about the next day.
When the National Economic Council staff returned to the office on September 12, I will never forget what Larry Lindsey, our boss at the time, told us: comfortable being here. We are all targets. And I won’t appeal to your patriotism or your faith. But I will – as we are all economists in this room – appeal to your rational self-interest. If we step back now, others will follow, and who will be there to defend the pillars of our society? We’re holding the line here today. Act in a way that will make this country proud. And don’t give up on your commitment to freedom in the name of safety and security.
There are so many reasons to be proud of the way the country has come together and the way our government has responded to the tragic events of September 11. First, however, as a professional in the field of cybersecurity and data privacy, I reflect on Larry’s advice, and many of the crucial lessons learned over the years that followed, especially when he it is about defending the pillars of our society.
While our collective memories of that day are still fresh, 20 years have passed and we now understand the vital role data played in the months leading up to the 9/11 terrorist attacks. But, sadly, we have failed to connect the dots that could have saved thousands of lives by keeping intelligence data too tightly in disparate locations. These data silos obscured patterns that would have been clear if only a framework had been in place to share information securely.
So we thought, ‘Never again’ and government officials decided to increase the amount of intelligence they could collect – without thinking of the significant consequences not only for our civil liberties, but also for the safety of our people. data. So the Patriot Act came into effect, with 20 years of demands for oversight from intelligence and law enforcement agencies crammed into the bill. Having been in the room for the Patriot Act negotiations with the Department of Justice, I can confidently say that while the intentions may have been understandable – to prevent another terrorist attack and protect our people – the negative consequences downstream. have been significant and undeniable.
Home wiretapping and mass surveillance have become the norm, undermining privacy, data security and public trust. This level of surveillance has set a dangerous precedent for data privacy, while producing marginal results in the fight against terrorism.
Sadly, the federal privacy bill we hoped to bring to Capitol Hill the very week of September 11 – the bill that would have strengthened individual privacy protections – has been put on the back burner.
Over the following years, it became easier and cheaper to collect and store massive amounts of surveillance data. As a result, the tech and cloud giants have grown rapidly and dominated the internet. As more and more data was collected (both by the public and private sectors), more and more people gained visibility into individuals’ private data – but no meaningful privacy protection exists. ‘has been set up to support this expanded access.
Today, 20 years later, we find ourselves with a glut of data collection and unhindered access, with giant tech companies and IoT devices collecting data points about our movements, conversations, friends, families and more. body. Massive and costly data leaks, whether from ransomware or just a misconfiguration of a cloud bucket, have become so common that they barely make the headlines. As a result, public confidence has eroded. While privacy should be a human right, it is not a right that is protected – and everyone knows it.
This is evident in the humanitarian crisis we have experienced in Afghanistan. Just one example: tragically, the Taliban seized US military devices that contain biometric data on Afghan citizens who supported coalition forces – data that would allow the Taliban to easily identify and trace these individuals and their families. . This is the worst case of sensitive and private data falling into the wrong hands, and we haven’t done enough to protect it.
This is unacceptable. Twenty years later, we say to ourselves again: “Never again”. September 11 should have been a calculation of how we manage, share and protect intelligence data, but we still haven’t fully understood it. And in both cases – in 2001 and 2021 – the way we handle data has a life or death impact.
That’s not to say we’re not making progress: The White House and the US Department of Defense have put the spotlight on cybersecurity and zero trust data protection this year, with an executive order to push for strengthening federal data systems. . The good news is that we have the technology we need to protect this sensitive data while making it shareable. Additionally, we can put contingency plans in place to prevent data from falling into the wrong hands. But, unfortunately, we’re not moving fast enough – and the slower we solve this secure data management problem, the more innocent lives will be lost along the way.
Looking ahead to the next 20 years, we have the opportunity to restore trust and transform the way we handle data privacy. First of all, we need to put up guardrails. We need a privacy framework that gives individuals autonomy over their own data by default.
This, of course, means that public and private sector organizations must do the technical work behind the scenes to make data ownership and control possible, linking identity to data and returning ownership to the individual. It’s not a quick or easy fix, but it’s doable – and necessary – to protect our people, whether they are U.S. citizens, residents, or allies around the world.
To accelerate the adoption of such data protection, we need an ecosystem of free, accessible and open source, interoperable and flexible solutions. By overlaying data protection and privacy on existing processes and solutions, government entities can securely collect and aggregate data in a way that reveals the big picture without compromising individual privacy. We have these capabilities today, and now is the time to harness them.
Because the truth is that with the sheer volume of data that is being collected and stored, there are many more opportunities for US data to fall into the wrong hands. Devices seized by the Taliban represent only a tiny fraction of the data currently at stake. As we have seen so far this year, cyber attacks against nation states are escalating. This threat to human life is not going to go away.
Larry’s words of September 12, 2001 still resonate: if we back down now, who will be there to defend the pillars of our society? It is up to us, technology leaders in the public and private sectors, to protect and defend the privacy of our employees without compromising their freedoms.
It’s not too late to regain public trust, starting with data. But, in 20 years, will we see this decade as a turning point in the protection and respect of the right of individuals to privacy, or will we still say “Never again”?