Craig Mundie stopped to speak at MIT last week on his way to New York to receive the Eisenhower Award for his contributions to national security. At the MIT EmTech event, Mundie, a senior advisor to the CEO at Microsoft and a member of the U.S. President's Council of Advisors on Science and Technology, spoke about cybersecurity threats and the personal privacy issues that have been a top public concern of late.
Personal privacy concerns have increased because so much more data about us is collected and it is collected by many new entities. People used to be comfortable allowing credit card companies and telephone companies to collect transactional data about them because they knew how the data would be used. Likewise, medical and genomic data are of lesser concern because the laws have so narrowly defined the use of this data. Mundie thinks people should be concerned because they are being “observed” more and more frequently by governments and businesses. People don’t always know when they are being observed, and even when they do, the purpose of the data collected is rarely made clear to them.
At the initial point of use, apps or websites will ask permission to collect usage data, but will not reveal the use of the data collected. Mundie points out that after the data is collected, new uses for it will emerge. An architecture that allows a person to change his or her mind is needed.
Mundie’s prescription is to put cryptographic wrappers around the data. The wrappers are analogous to digital rights management (DRM). Only the owners of the data could decrypt it, and they could only decrypt it for the purposes that were stated when it was first collected. When new uses of the data emerge, the person to whom the data belongs should have the ability to opt out. If the consequences of the retention of certain data should later become an issue, the owner could restrict access further or delete it.
Mundie’s prescription of putting the owner of the personal data in control of its use addresses the data that people know is collected about them. He recommends the wrapper or DRM approach because he believes legislation cannot be written to address every privacy concern.
However, he did not have a suggestion for the data that people are unaware is collected about them.
At MIT, Mundie established a taxonomy of cybersecurity, divided between threats and actors. The threats he cited were hacking, crime, espionage, war and terrorism. The actors he identified are amateurs, professionals and sovereign states.
None of these threats are new. What is new is that, for the first time, many of these threats are prevalent at a massive scale. The consequences of a nation state's resources being applied to cyberwar, cyberterrorism or economic espionage are significant.
China’s intellectual property threats are particularly frightening, Mundie said. He explained that governments need to count on the creation of economic value from their inventions and discoveries. Economic espionage could cripple a country’s ability to realize the value of its inventions. Mundie was clear in identifying China as a sovereign state engaged in economic espionage, and said businesses and government need to take action to confront the Chinese.
Businesses need to identify core assets stored in digital form and control access to them. Loss of a chemical formula might have a financial impact, but a competing sovereign nation or enemy that successfully stole intellectual property, such as F116 fighter designs, would also have an immeasurable military impact. Both exploits are within the capabilities of, and of interest to, the Chinese government and industry.
Mundie has the deep expertise acquired through a 40-year career in startups and technical leadership roles at Microsoft. In his role as policy advisor he projects a patient demeanor that seems mismatched with the urgency of the issues of personal privacy and cybersecurity. When he's giving out advice on how to address these complex issues, we need to listen.