United States National Cyber Director Chris Inglis said there is plenty of room for both the technology and privacy industries and the intelligence-gathering and national security arms of the federal government to coexist in cyberspace without their core missions colliding.
Inglis laid out a vision for creating what he called a new “social contract” between the technology and privacy industries and U.S. national security cyber apparatuses during a discussion at the IAPP’s Global Privacy Summit 2022 in Washington, D.C. The discussion was facilitated by Robert Litt, of counsel at Morrison & Foerster, co-chair of its Global Risk and Crisis Management Group and former General Counsel for the Director of National Intelligence.
While Inglis declined to lay out specific policies that would codify the laws defining this new social contract, he said all stakeholders must first take a step back and identify the greater end goal or goals of developing specific cyber technologies, and then develop the hardware and software to meet those objectives.
“The role of cyberspace, the role of IT, the role of technology is to transcend what perhaps is the immediate need in the world is and think about the long arc,” Inglis said. “As a practicing computer scientist, I've been in this conversation for more than forty years, which is just leave us to develop all of these amazing capabilities that everyone will love, they're going to want to go to the equivalent of a Best Buy or Amazon to buy them, and we’ll attend to the security of attributes later or we’ll attend to the delivery of privacy later.”
“Later never comes because we're on to the next iteration of this (technology),” he continued. “So, we can’t do technology first. We might be able to do technology in parallel.”
Inglis said that whether it’s individual users, enterprises or government agencies, building a new cybersecurity social contract between government and citizens will require all parties to take proactive steps to maintain their own resiliency and security into the future.
“(We’ll need to) ask each other, what do we owe each other, such that individuals participate in their own defense, organizations participate in their own defense, sectors, governments participate in that defense?” Inglis said. “And (then) we complement one another to deliver the things that we expect in this space, whether that’s privacy, confidentiality, integrity or availability; we want to deliver those things, and we can only do that in a collaborative fashion.”
Inglis said that through collaboration, both the government and the tech industry need to recognize the benefits each offers the other, while also understanding that both sides will have to make some compromises.
“We have to acknowledge that it's the private sector that is the principal source of innovation,” Inglis said. “The private sector shouldn't need a pass key to get in to see the government and government to be proactive about pushing those (meetings), nor should the private sector need a PhD in government in order to get some insight into what the government knows and how it knows that.”
Inglis may be one of the most uniquely qualified government officials to offer perspective on the at-times fundamentally conflicting nature of individual privacy and national security.
Inglis was deputy director of the National Security Agency from 2006 to 2014, and he and the agency were embroiled in one of the largest intelligence leaks in American history after former Booz Allen Hamilton subcontractor Edward Snowden exposed the NSA’s bulk collection of metadata of American citizens’ communications in 2013.
Inglis joked at the start of his session that dealing with the fallout of Snowden’s disclosures was “a month of walking through Mordor.”
During the session, Litt asked if the U.S. government still sought to fight the tech industry over encryption of users’ data, given how intelligence agencies have advocated for companies to install backdoors in their encryption for surveillance purposes.
Inglis said the debate over encryption is still taking place internationally. He said that for the consumer and tech side and the U.S. government side to come to an understanding over encryption as a tool, the government would need to better assess why both state and non-state adversaries were using a specific encryption technology to begin with.
“We still have before us this idea about what is it that we want these architectures to deliver to us,” Inglis said. “And if we ultimately determined that these architectures should deliver some ability to deliver a guarantee of privacy, some ability to deliver collective security, meaning that (the government understands) why these architectures are being used to our detriment; we're going to understand how to probably support the private sector and kind of the pursuit of this interest, but with some full guarantee of privacy and proprietary kind of protection.”
“Then, I think we're going to define a set of attributes that then can be implemented using a variety of architectural mechanisms,” he continued. “Encryption becomes then a means to a larger end, as opposed to an objective in and of itself.”