Jane Holl Lute is the former deputy secretary of Homeland Security, where she served as the agency’s chief operating officer. She also remains a member of the board of directors of the Center for Internet Security. From 2003 to 2009, Lute served as assistant secretary-general of the United Nations (U.N.) and established the Department of Field Support, responsible for comprehensive on-the-ground support to U.N. peace operations worldwide, including rapid-response efforts in support of development and humanitarian operations and crises.
Lute is scheduled to provide a Tech Talk at the Symantec Government Symposium on Aug. 30 in Washington, D.C. MeriTalk caught up with Lute, who agreed to offer her thoughts on the evolving struggle between privacy and security, and a preview of her presentation.
MeriTalk: You most recently served as the CEO of the Center for Internet Security, which is home to the Multi-State Information Sharing and Analysis Center. What can you tell us about the cybersecurity posture at the state and local level? Do we have a grasp of what the issues are at the state, local and tribal levels in the U.S.?
Lute: I think we do understand what the issues are and the challenge for us is to change the game in cybersecurity. State and local enterprises have the same challenges that other public sector enterprises have and that the Federal government has, which is to be able to use your systems confident that your data and user identities are not being compromised.
There’s a problem-definition challenge. We haven’t yet really distributed responsibility for cybersecurity in a way that allows everybody to have a clear understanding of who’s responsible for doing what. One of the incredible functions of the Multi-State Information Sharing and Analysis Center (MS-ISAC), of which all 50 states are members, is that it provides a platform and a reference point for sharing and understanding best practices.
But yes, state and local governments do have a resource challenge. They have an organization and prioritization challenge. And they certainly have a manpower challenge like everyone does.
MeriTalk: The Department of Homeland Security recently announced a proposal to ask certain categories of visitors to the United States about their social media use. You served as the nation’s deputy secretary of Homeland Security from 2009 to 2014. Some privacy advocates have grave concerns about this. What do you think about this idea and how can we find the right balance between security and privacy?
Lute: I think people are reasonably concerned as we get more and more cyber-savvy about the flows of data and the power of those data flows. It really illustrates part of the tension that I think is inherent in the homeland security mission. For example, on the one hand our border mission requires that we keep out people and things that might be dangerous. But on the other hand, our expectation is that we will expedite legitimate trade and travel. And so what we’re seeing increasingly is that data plays a role in that. The conundrum is that when people get on Twitter and Facebook, what expectations of privacy exist? This is a conversation that we, as a society, need to have. So, on the one hand government would be criticized for not knowing what would be obvious to even the casual Twitter user. But on the other hand, we don’t want, and our Constitution protects us from, government capriciously looking into our private business.
But there’s a deep public skepticism about what government is doing. The government now has the burden to demonstrate that what it is asking for is reasonable, it will properly protect it, it will use it appropriately, it will safeguard it, and that there are means of redress if there is a question on the part of an individual whose data has been used.
MeriTalk: Another area where technology seems to be outpacing our ability as a society to understand the full range of its implications is unmanned systems, or drones. Is enough being done from a regulatory perspective on drones and privacy, and do you think a voluntary set of best practices is enough? (Voluntary practices are never applied evenly across industries.)
Lute: I think these are very legitimate questions. You have drones flying in the West and you can see someone’s herds and their holdings, and it’s tantamount to looking in their bank account. We have greater visibility into each other’s activities when we are government or private sector enterprises. So what should the rules be? What should we leave to voluntary measures and best practice behaviors that people by and large observe, and for what should we rely upon the law or other regulatory or statutory provisions to safeguard? There will be rulemaking in this area. There will be laws passed in this area. That’s not really the interesting question. The interesting question is what aspects of the use of drones over the domestic United States will we manage through the regulatory process and what aspects of it will we manage through good order and discipline, and expectations of self-policing.
MeriTalk: Can you offer a preview of your Tech Talk presentation at this year’s Symantec Government Symposium?
Lute: When you’re talking about cybersecurity, I think there are really three interesting questions that we have not yet resolved, and I’m going to talk about them as they relate to privacy.
Question No. 1 is how do we construct systems we can trust from components we can’t?
Question No. 2 is how do we protect the integrity of our data and our identity in an open Internet?
And question No. 3 is what should the rules be in terms of what should the role of government be?