Opinion: Obama's Cyber Security Plan May Not be So Secure After All

January 27, 2015


On January 22, 2015, President Obama once again mentioned how digital theft and data destruction is a serious and dangerous issue that needs to be addressed.

No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information. -President Obama

Recently, Obama also called out for a better privacy data laws that would help protect against these attacks. However, more than helping our security, this proposal might cause additional danger. First of all, the proposal calls for an integration of data, much like Michael Roger’s Cyber Intelligence and Sharing Act, which affords private companies liability protection to share information with Homeland Security Department’s National Cyber Security and Communications Integration Center. In other words, the Government has access to the data of private companies like Google and Facebook in order to give us “better” security and privacy.

Secondly, the proposal also considers searching for vulnerabilities in websites a crime. Although this would actually help in discouraging people from trying to get in a website and hack it, it also disables people from testing out defenses of the website and be able to see how to better improve it. Jeff Moss, founder of Black Hat and DEFCON, hosts yearly a gathering of hackers around world sharing the vulnerabilities of websites and exposing them so that they are taken care of.

Finally, the proposal calls for the anonymization of data in order to protect the privacy of users. However, anonymization of data might be a false insurance. A 2013 paper by MIT researchers Yves-Alexandre de Montjoye and César A. Hidalgo discusses an experiment where they took a random sample of 1.5 million cell users over 15 months and found that, when locational cellphone data is anonymized, just four data points—information created by the anonymous user—was enough to effectively reveal the users’ identity 95 percent of the time.

You can read more on this issue at The Atlantic.