(R to L) moderator Richard Wilhelm and panelists Jonathan Zittrain, Lawrence Lessig, James Fallows, and Jeffery Rosen
Booz Allen Hamilton Executive Vice President Richard Wilhelm moderated a panel titled “The Freedom of the Press in the Age of (Wiki)Leaks” on June 28, 2011, at the Aspen Institute’s Aspen Ideas Festival. The panel included Jonathan Zittrain, professor of law at Harvard University; Lawrence Lessig, professor of law at Harvard University; James Fallows, a national correspondent for The Atlantic; and Jeffery Rosen, professor of law at George Washington University and legal affairs editor of The New Republic. Wilhelm shared the following thoughts and observations following the panel:
I was particularly intrigued by Lawrence Lessig’s analogy that in the past, information leaks were more like a drip, drip, drip … relatively small, and relatively easy to deal with, as opposed to the tsunami of information that technologies, particularly anonymous technologies, have required us to deal with in recent years.
Another was that prosecution in these cases will fail, that it is not a legitimate response to the situation we face.
The third aha moment, which is more implied than anything else, is that there is no way to keep it a secret if there is huge data breach. Those who did it are going to brag about it. It’s going to be out there, and it’s going to get around instantaneously.
Most of us growing up before the cyber age would never think about going down the street and taking a piece of mail from a neighbor’s box. But we have a whole generation who doesn’t think twice about tapping into somebody else’s data in cyberspace without permission. They don’t view it as a crime. Rather they view it as sport, or more importantly that information is free. We’ve got to change that dynamic a little bit, and I think we’ve got a great opportunity.
We deal extensively with balancing issues of privacy and openness with our clients in government and private industry. Interestingly, we are taking our clients through “what if” drills. If information is released without authorization, what are the strategies for containing the damage? How should it be dealt with from a public relations standpoint? How should our client interact with the government, industrial partners, its employees? And what should it say to the markets in such an event?
Both governmental and nongovernmental information is managed in systems that are privately owned and operated. Emerging out of the information age and the cyber age are large amounts of extremely sensitive data—things that the nation depends on to function, like financial networks and our energy infrastructure. We are starting to understand the new paradigm for protecting those systems, a partnership between industry and government. We have made progress over the last 10 years, but the answer hasn’t evolved yet.
First of all, realize that there are no absolutes in the world of cybersecurity. The minute you have an “absolute” defense for today’s threats, you can be sure somebody is out there working to defeat it.
The traditional way of defending a network is to have a specific profile of what “bad” looks like and a program to defend the system against those “bads.” But that doesn’t work against tomorrow’s threat. The better way to do it is identify what “good” looks like for your profile, and then examine everything that doesn’t look “good.” That way we are able catch not only bad things coming in, but also anomalous things coming in that need to be looked at.
Technology issues are not trivial, but in my view they are the least important of the complicated calculus that actually solves this problem. Far more important are data policies, cultural aspects, operational aspects, and organizational aspects. Who controls the money for this area? Who’s accountable? There may be a policy in place, but does the chief information officer have authority to enforce it?
