Putting the privacy into cybersecurity at DHS

Security and privacy have an awful lot in common; both disciplines care deeply about the confidentiality of personally identifiable information. Attend a cybersecurity conference or a privacy conference, you are likely to hear the same catch phrases “[Security/privacy] is best addressed at the earliest stages of system development, not at the end when retrofitting requirements can become much more difficult and costly.”

Security objectives are organized around the confidentiality, availability, and integrity of information while privacy programs are generally organized around the Fair Information Practice Principles and include transparency, individual participation, purpose specification, data minimization, use limitation, data quality and integrity, security, accountability and auditing.

While security and privacy are distinct and separate disciplines, in many instances they are mutually reinforcing. For example, privacy programs that implement the data minimization principle through practices such as limiting collection of personally identifiable information (PII) to what is directly relevant and necessary to accomplish specified purpose(s) and only retaining PII for as long as is necessary (i.e., securely disposing of information at the end of its retention schedule) can positively impact security by reducing the attack surface and volume of PII that security teams need to implement protections on.

In our work at DHS, privacy protections are key trust enablers to many of our services in the Office of Cybersecurity and Communications (CS&C). These range from the intrusion detection and prevention services (EINSTEIN) provided to our federal customers, to information sharing programs such as the Cyber Information Sharing and Collaboration Program (CISCP) and the Automated Indicator Sharing (AIS) initiative. For example:

• Our analysts in the National Cybersecurity and Communications Integration Center (NCCIC) are trained how to handle sensitive information, including PII, in the course of day-to-day operations. This includes collection protections that ensure the NCCIC collects no more than what is absolutely necessary to understand a cyber threat or address a cyber risk. Further, any products that are created, or any information that is retained, is carefully reviewed to ensure no information is retained or disseminated that is not necessary.
• Privacy considerations are built into EINSTEIN through technical means, policy, and operational procedure. Most notably, by law, information gathered from the operation of EINSTEIN can only be used for cybersecurity purposes. Data minimization and purpose specification principles are engrained into our operation of EINSTEIN.
• AIS represented an exciting opportunity for CS&C to design an automated system with automated privacy protections from the ground up instead of after the fact. AIS incorporates elements of data minimization and data integrity into is receipt, processing, and dissemination. We affectionately call this our automated “privacy scrub”.

Transparency is a cornerstone of any privacy program and it is a bedrock of the DHS privacy program; we conduct and publish privacy impact assessments including those for AIS, EINSTEIN, and our Continuous Diagnostics and Mitigation (CDM) program. We invite you to read more about privacy at CS&C by visiting our website.

Dr. Andy Ozment is Assistant Secretary, DHS Office of Cybersecurity and Communications (CS&C) and Jamie Danker is Director of Senior Privacy Officer at DHS National Protection and Programs Directorate (NPPD)