The security-and-privacy world is changing rapidly. We’ve long thought about security and privacy as two equivalent goals, picturing a world in which both were equally achievable and could exist simultaneously. However, we’ve learned that security and privacy are sometimes mutually exclusive. For example, after the 2015 terrorist attack in San Bernardino, California, the US Federal Bureau of Investigation clashed with Apple over access to the shooter’s iPhone.
We expect to see even more examples of security or privacy, rather than security and privacy, which brings us to our third topic: surveillance. The ability to surveil is a new “-ility” (quality attribute) for systems engineers to contend with. The Internet of Things (IoT) paradigm of a seemingly limitless number of sensors on our phones, in public spaces, and in our homes and workplaces creates volumes of data that might well sacrifice privacy in the name of security. Endless surveillance does enhance security at some level — even if it only assists criminal investigation and prosecution rather than prevents crime — but surveillance also deprives law-abiding citizens of the hope of privacy.
For Computing Now’s June 2016 issue, we present six articles from the IEEE Computer Society Digital Library (CSDL): three on the security-versus-privacy conundrum, and three on how surveillance is joining more traditional security and privacy “-ilities.” We hope that focusing on the underrepresented topic of surveillance will help illuminate what has become a trust problem. Additionally, we’ve included two videos that focus on security and privacy challenges and opportunities.
As software security continues to grow and evolve, companies need sound advice on implementation. In “Four Software Security Findings,” Gary McGraw reveals conclusions from a multiyear data analysis of 78 companies, including Adobe, Bank of America, and Intel. Researchers used the Building Security In Maturity Model (BSIMM) to observe and measure the companies’ security initiatives, concluding that they were best able to protect their assets when they understood that: (1) there is no “special snowflake” in software security; (2) every company needs a software security group; (3) experience and maturity make a big difference; and (4) software security should be evenly distributed.
The Internet has the potential to offer both liberty and protection, but it can also be abused to breed oppression rather than create safety. George Hurlburt and his colleagues’ “Security or Privacy? A Matter of Perspective” considers how we define “secure enough” and “private enough.” The article illustrates the potential relationships between security and privacy, and describes the features of those relationships.
Juhee Kwon and M. Eric Johnson explore security in healthcare and related US regulations in “Protecting Patient Data — The Economic Perspective of Healthcare Security.” One such regulation is the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, which aids electronic health record adoption, but also contains regulatory and market mechanisms to address security investment failures. The authors examine the impact of security strategies, focusing on operational maturity, patients’ awareness of security breaches, and the public-good nature of information security. They conclude that market-driven security investments should be reinforced with regulatory intervention across all types of healthcare organizations.
Shari Lawrence Pfleeger’s “The Eyes Have It: Surveillance and How It Evolved” presents the history of surveillance to help readers understand how to design, build, and use technology responsibly and in context. She analyzes surveillance policies and observes that, today, technology has amplified the consequences of surveillance and the reach of those consequences.
In “Personal Data and Government Surveillance,” Daniel E. Geer Jr. discusses privacy and government surveillance, focusing on shifting mindsets, digital conscripts, flash crashes, and observability. Geer states that “the price of freedom is the probability of crime” and that it’s our responsibility to choose whether: to demand protections, conveniences, and services that can be done only with pervasive data; to fear only fear itself or to fear the absence of fear; and to be part of the problem or part of the solution.
In “Insecure Surveillance: Technical Issues with Remote Computer Searches,” Steven M. Bellovin, Matt Blaze, and Susan Landau discuss how proposed changes to US federal rules that authorize warrants for remote computer searches could create serious security problems and compromise criminal investigations. The authors argue that all democracies should be concerned with matters of jurisdiction, proportionality, privacy, intrusiveness, evidence preservation, and the balance between effective law enforcement and risk to the innocent.
Mary Theofanos on “security fatigue.”
Logan Mailloux discusses the use of modeling and simulation to understand and study quantum cryptography.
We’re excited to present video previews of two articles that will appear in the September/October 2016 issue of IT Professional, which will examine “Cybersecurity or Privacy.”
In the first video, Mary Theofanos from the (US) National Institute of Standards and Technology discusses the user as an integral part of the system, what it means to have usable security, and how we could have both usability and security. She describes “security fatigue,” how users grow weary of the effort it takes to make online-security decisions and therefore opt out of deciding. Theofanos concludes that usable security should “help users do a right thing, make it hard for them to do a wrong thing, and help them recover when the wrong thing happens.” Look for the full, peer-reviewed article, “Security Fatigue,” in IT Professional.
Recent developments in quantum computing will surely impact the security and privacy of modern cryptography. In the second video, Logan Mailloux of the US Air Force Institute of Technology discusses the use of modeling and simulation to understand and study quantum cryptography, and—more specifically — the implementation security gap in quantum key distribution (QKD) systems. Look for the full, peer-reviewed article, “Post-Quantum Cryptography: What Advancements in Quantum Computing Mean for IT Professionals,” in IT Professional.
Thank you for reading our Security, Privacy, and Surveillance issue of Computing Now. The research landscape is growing, and we hope that the articles and videos presented here will inspire creative new ideas.
We welcome your comments and perspectives on these exciting topics. For example:
- How will security and privacy shape and transform the IT industry, business, and society as a whole?
- How will the security-versus-privacy conundrum be addressed in the next five to ten years?
- What are your real-life experiences with surveillance, and what security- and privacy-related issues have you faced?
- How can security regulatory bodies and researchers work together to benefit IT security?
Please share your insights, ideas, and experiences in the comments section below.
Irena Bojanova is chair of the Committee on Integrity on the IEEE Computer Society Publications Board, as well as an associate editor in chief of IT Professional magazine and an IEEE Senior Member. You can reach her at email@example.com.
Jeffrey Voas is the security column editor for Computer magazine and an IEEE Fellow. You can reach him at firstname.lastname@example.org.