Why hacking must be addressed in digital privacy policymaking

In addition to greater transparency for digital data collection, storage, and dissemination activities, the hacking universe, including cybersecurity defenses, also needs greater exposure.


Digital privacy is one side of a two-sided policy coin. Virtually all attention to date has been focused on developing legal and regulatory remedies to address this pervasive public concern. But in doing so, policymakers have devoted little attention to the flip side, namely digital hacking. Although breaches of data systems that are thought to be secure from intrusion may be the result of random technological breakdowns or human error, there usually are far less benign explanations for major cybersecurity breaches that expose personal information on a massive scale.

This reality should make Why Hackers Win by Patrick Burkart and Tom McCourt (University of California Press, 2019) essential reading for those grappling with how best to craft a workable framework for enhancing digital privacy protection. Burkart is a professor at Texas A&M’s Department of Communication, and McCourt is a professor at Fordham University’s Department of Communication and Media Studies.

The authors describe hacking as “an interface between technical code (the structure of trusted systems), legal code (the laws that govern their access and use), and social code (their impact on society, particularly in terms of privacy and sanctioned activity).” And they discount a popular but erroneous perception that hacking is an activity typically undertaken by a lone wolf operating in an offshore bedroom or basement. Rather, the authors contend that “[a]lthough hacking ostensibly undermines their own security, corporations and states paradoxically use hacking for gain. Hacking can suit a broad spectrum of purposes, including gathering intelligence, managing crises, and accumulating competitive advantage over rivals.”

They also note that while examining abuses of power through exploiting computer vulnerabilities, they did not find “master conspiracies” of surveillance and espionage, or even a systematic imposition of will, in coordinated hacking campaigns. Instead, they see “a proliferation of agents contributing to offenses and defenses played in long games and embedded in global networks.” Soberly, they assert that hacking has become “a mundane, ‘business as usual’ application of force for many enterprises.”

Their research includes notable real-world examples of hacking undertaken for strategic political and economic ends, including the disruption of the SWIFT international payments system, the Paradise Papers (13.4 million confidential documents relating to offshore investments that were leaked to two German reporters), and the ways in which states have targeted journalists and dissidents through hacking. They also discuss “growth hacks” by companies such as Uber, News Corp., and Volkswagen, which are the rapid accumulation of user metrics to achieve short-term growth through low-cost marketing techniques. Such activities, while privacy invasive, have “increasingly become a standard business strategy.” In short, “hacking and cybersecurity reinforce and accelerate each other in social, economic and political life.”

Just as advocates call for greater transparency for digital data collection, storage, and dissemination activities, the hacking universe, including cybersecurity defenses, also needs greater exposure. “The torrents of public money flowing into private security operations,” argue the authors, “should be accounted for and audited by elected representatives. Debates about the social value of these expenditures then can be raised.”

And the United States would be well served by establishing a counterpart to Canada’s Citizen Lab at the University of Toronto, which examines samples of spyware and other forms of invasive software that are submitted by other researchers or individuals who suspect that they have been targeted. As Burkart and McCourt note, the Citizen Lab “provides a model for opening up, rather than enclosing and privatizing, actionable knowledge about real-time threats to the public network and their indicators. These disclosures can undermine the secrecy that preserves the advantages of spyware vendors who hoard vulnerabilities.” These two measures, public auditing of private cybersecurity firms and public funding for a national facility that can test and expose system vulnerabilities, represent tangible steps that Congress can take to help address the other side of the proverbial privacy policy coin.

It will not be enough to explain why hackers win. Those who are developing an activist agenda for digital privacy protection must be willing to advance approaches that raise the barriers for hacking at the same time they argue for higher digital privacy protection guardrails to control the behavior of private companies.

Stuart N. Brotman is a Fellow at the Woodrow Wilson International Center for Scholars in Washington, DC. He is based in its Science and Technology Innovation Program, focusing on digital privacy policy issues.

Copyright © 2020 IDG Communications, Inc.
