While the IC’s research organization looks into adding security to cloud environments, in the here and now, intelligence agencies are sharing more data.
In early 2014, while the National Security Agency recovered from a rash of stories about leaked documents and an internal audit that detailed a series of privacy violations, the intelligence organization hired Rebecca Richards.
Previously, Richards had served as the senior director for privacy compliance at the Department of Homeland Security, and at the NSA, she would hold an unusual title. She became the agency’s first director of civil liberties and privacy, a position that reports directly to the agency’s chief.
Today, her job is to further the NSA’s protections of citizens’ privacy and civil liberties, but her hiring is also representative of a larger shift at agencies.
In the era of Big Data, privacy programs are now integral to IT security strategies. New regulations, transparency pressures, and a series of security breaches at government agencies — including those that exposed millions of records — have made the privacy of personal information a priority for leaders.
As a result, CIOs are investing more in traditional security technologies. This means they’re working with chief privacy officers (CPOs) to determine the privacy implications of the agencies’ capabilities and spending more time and money on a wide range of privacy-related applications, including preventing data from flowing to a specific terminal, department or country.
“Major breaches, as well as broader concerns about cybersecurity and critical infrastructure, have raised the profile of data security and, concurrently, data privacy, within the federal government,” says Trevor Hughes, president of the International Association of Privacy Professionals (IAPP).
Privacy technologies encompass a wide spectrum of capabilities that can include data discovery, classification and data-flow mapping solutions; automated privacy impact assessments; activity monitoring to track users accessing sensitive information; and privacy-centric incident response tools that generate assessment and notification processes following a breach.
They all have the same simple goal: keep private information private.
In 2016, former President Barack Obama signed an executive order establishing the Federal Privacy Council and called for each agency to appoint a senior official for privacy. Today, hiring trends reflect these mandates. Government CPOs surveyed for the “IAPP-EY Annual Privacy Governance Report 2016” said they expected privacy staffing to grow by 30 percent in 2017, outpacing hiring in all other segments.
“Our commitment to protecting privacy and civil liberties, and to providing appropriate transparency, is more important than ever for earning and retaining the trust of the American people,” says Alex Joel, the civil liberties protection officer for the Office of the Director of National Intelligence. “This is especially true given how rapidly technology changes. To be effective, the Intelligence Community must quickly adapt to new technological changes — we do not want our intelligence agencies to confront 21st-century challenges with 20th-century technologies.
“But technological changes raise new and different privacy implications, which agencies must identify and address with appropriate privacy safeguards,” he adds.
Federal leaders have placed CPOs as peers with their CISO and CIO counterparts to foster the kind of communication and collaboration that is often lacking in government, and this can help reduce privacy risks. CPOs generally purchase technology from their own budgets, or with CISO approval.
For example, Richards serves on the NSA’s senior leadership team.
“People say you can’t have privacy without security, but it goes both ways,” she says. “Without a privacy chief to provide insight on an agency’s data, how that data could — and should — be used, and the privacy implications of those uses, it’s impossible to develop a strong security program,” she says.
In today’s digital economy, the challenge for agencies is to manage ever-growing sets of personal data and their associated risk.
To do this, an Office of Management and Budget memo released in July 2016 emphasizes that IT leaders should focus on “real-time knowledge of the environment,” encrypt moderate and high-impact information, and limit the use and access of personally identifiable information.
Consider the work at the Health and Human Services Department.
“With a combination of subject-matter expertise, rigorous processes, and effective technologies, we’re able to integrate privacy protections within our IT security program to protect personally identifiable information and personal health information,” says CIO Beth Killoran.
In 2016, HHS created the position of chief privacy and data-sharing officer, who oversees its new Office of Privacy and Information Management. Among other responsibilities, the office will consolidate department-level privacy functions and oversee records management.
“If an agency doesn’t understand its IT environment and data, it’s difficult to develop an effective privacy program,” Killoran says.
The privacy segment, though nascent, is fast-moving. In a 2016 survey of privacy and IT executives from TRUSTe-IAPP, 40 percent of organizations received higher budget allocations for privacy-related technologies. This could include tools for data discovery, mapping, de-identification, activity monitoring and incident response.
Meanwhile, agencies are also doubling efforts to invest in commercially available security technologies, including Software as a Service. The Veterans Health Administration issued new directives in early 2017 for accessing personally identifiable information in Veterans Affairs IT systems. More recently, that department announced it will adopt a commercial off-the-shelf electronic health records system, which is expected to ease security and privacy challenges associated with maintaining its legacy EHR system, known as VistA.
For its part, HHS is considering cloud access security broker services, which place security solutions between an organization and its cloud services providers. This technique enforces security policies, ensures compliance and aims to prevent data loss. HHS teams also scan the data types held in cloud-based systems, Killoran says, and consult with her colleagues in the privacy office to review assessment findings and address issues.
But for all agencies, the emphasis on privacy is built on a basic tenet.
“Data is the now and the future,” Richards says. “Violating privacy by failing to protect it is the quickest way to lose citizens’ trust.”