Public Policy Forum Hosted by UMUC Focuses on Personal Data and State Infrastructure

Editor’s note: On Dec. 6, University of Maryland University College (UMUC) hosted the Maryland Cybersecurity Council’s public policy forum on cybersecurity, which featured questions and answers from public- and private-sector experts on personal data collection and privacy protection, as well as infrastructure protection and incidence response. This article is taken from a UMUC Cyber Connections Blog post authored by Alex Kasten; it details highlights from the forum’s sessions.

The public-policy event featured opening remarks from Maryland Attorney General Brian Frosh and UMUC President Javier Miyares, followed by panel discussions with Allison Lefrak, senior attorney, Privacy and IP Protection, Federal Trade Commission (FTC); Claire Gartland, director, Consumer Privacy Project, Electronic Privacy Center; and Phyllis Schneck, chief cybersecurity official for the Department of Homeland Security (DHS).

The panels were moderated by Maryland State Senator Susan Lee and Professor Michael Greenberger, who is director of the Center for Health and Homeland Security, Carey School of Law, University of Maryland, Baltimore.

Reining in the “Three Vs” 
High points of the panel discussion on personal data issues with Lee, Lefrak and Gartland focused on the collection and digitization of data, a top-of-mind concern to many citizens because the amount of data collected has increased significantly due to the proliferation of pervasive communications networks.

The growth of big data, according to Lefrak, results from the “three Vs”—the volume of data that can now be collected; the velocity at which companies can collect, analyze, and harness the power of data; and the wide variety of data that companies can access and analyze.

For its part, Lefrak said, the FTC focuses on a three-pronged approach to data protection. Enforcement is key. The agency sends a strong message to companies about the need to protect consumers. The FTC also addresses consumer privacy from a legislative standpoint through its policies. Finally, the agency educates the public to make sure that both businesses and consumers are apprised of the laws around data collection and protection.

Can federal and state governments ensure appropriate privacy protection? For starters, according to the panelists, privacy laws and courts need to reflect modern technologies. For example, video protection laws commonly use the phrase, “videotape service provider,” which is an antiquated term in today’s digital world.

The bottom line, from the FTC’s perspective, is that privacy protections are critical in order to maintain consumer trust. With the transition to a new administration, the state of balance among data collection, consumer privacy and consumer benefit remains to be seen.

Mitigating Large-Scale Cyber Attacks
In the panel discussion on infrastructure protection, Greenberger and Schneck discussed federal and state efforts to secure critical infrastructure and respond to incidents.

How do we bring cybersecurity together with infrastructure protection? Schneck discussed how federal sector-specific agencies work with owners and operators in each sector to develop plans to enhance their security and resiliency.

In light of federal efforts to secure the infrastructure and respond to significant incidents, what should states be doing and how can the federal government and states work in tandem?

“For the federal government, one challenge is that states constitutionally have a lot of power,” Schneck said. “The federal government has to be sensitive to this authority.”

The threat of our adversaries, whether it’s Russia, China, North Korea or Iran, is alive and well, she added.

“They are executing with an agility that we have yet to enjoy. We can mitigate future attacks through data collection. If we don’t have enough data, then the cyber adversary wins because we lack the situational awareness.

“We can combat cyber attacks by arming our networks, by understanding that when a threat or computer instruction comes in, we know not to run it. It’s as simple as that,” Schneck said.