How Will The Next President Protect Our Digital Lives?

May 27, 2015
Originally published on May 27, 2015 3:45 pm

As candidates hit the campaign trail, NPR looks at four major issues the next president will face from Day 1 in office.

When President Obama took office back in 2009, "cybersecurity" was not a word that everyday people used. It wasn't debated. Then, mega-breaches against consumers, businesses and the federal government changed that.

The latest came Tuesday, when the Internal Revenue Service said criminals used an online service provided by the agency to access the information of more than 100,000 taxpayers.

Now, the 45th president will have to come into office with a game plan for how to protect us online. The plan could shape up any number of ways because our digital lives — and the attacks against our digital lives — are pretty new. But it's something people care a lot about:

With Edward Snowden, Americans learned they were the target of a mass surveillance program they didn't know about, and that the National Security Agency, a military agency, is porous, vulnerable to insiders hacking and stealing.

With the Sony attack they saw how security breaches can bring big companies to a screeching, embarrassing halt.

And let's not forget the new era of garden-variety crime. Credit card fraud, a la Target, set off a credit monitoring frenzy. And Anthem demonstrated that no institution is sacred. Criminal attacks against health care are the new normal, according to a recent Ponemon Institute study.

(How do hackers even make money from stolen medical records?!)

And then, of course, there are digital crimes of passion. Take revenge porn, a national concern that some states are taking on individually.

Is this starting to feel ... overwhelming?

When it comes to "cybersecurity," the next president of the United States has tough choices to make: Before even getting to solutions, what are the most important problems? And where should the federal government weigh in, or leave it to states or companies? Turns out Americans don't have all that much confidence in any of them:

Back in the 1990s, "we didn't need to worry about security because the market would take care of it," said Jim Lewis, a senior official at the Departments of State and Commerce during the Clinton era. "Consumers would demand security and companies would provide it."

Turns out they were wrong, he says. "That hasn't happened."

Under Clinton, the Internet went from a Pentagon project to a place for companies to play, experiment. And under Obama, Americans saw the smartphone revolution. Lewis says it's time to step back and consider that "just as we have energy policy and space policy and defense policy, maybe we need cyber policy."

It's very hard to regulate technology that's unfolding before our very eyes.

Lewis — who's now a senior fellow with the Center for Strategic and International Studies in Washington, D.C. — names one key issue: consumer protection. And, he says, it's a foreign policy issue.

Certain countries are sanctuaries for cybercriminals. That's often where our personal data is flowing. "Finding out that someone in the Russian mafia has all your credit card information and your Social Security number doesn't make the average voter happy," he said.

Cybersecurity expert Bruce Schneier, a fellow at Harvard's Berkman Center, says another way to protect consumers is corporate accountability.

"What government can do about data breaches is increase the penalties," he says. "Right now your data is not very well protected because the cost of losing it isn't very high to the companies that have it."

Schneier wants to see the next president take on privacy, too — what should police be able to access without a warrant, and what should companies be allowed to store. So far, we've just kind of assumed the answer is ... everything.

For example, the company Uber published a lighthearted blog called Rides of Glory about people using Uber to have flings. Basically they looked at rides happening at night from point A to point B, and rides happening the next morning by the same person back.

Now, Uber didn't publish the names of the people. It was aggregate, Big Data (and interestingly, the company took down the post as well).

But Schneier said, without a federal law on commercial privacy, they could have. "Right now under U.S. law they could do whatever they like with that data. And it is just them being nice that makes them not publish it or sell it to people trying to market to you."

The cybersecurity game plan could tackle any number of topics — data encryption, structural reform of the NSA, the role of Homeland Security. And that's not even counting lightning-rod issues, like whether the next president's Supreme Court nominee believes in changing passwords regularly.

Copyright 2017 NPR. To see more, visit http://www.npr.org/.

RENEE MONTAGNE, HOST:

The risk of being compromised online seems to be lurking around every corner. We learned yesterday that thieves stole personal data from more than 100,000 taxpayers through the IRS website. With the government vulnerable along with private companies, it's an issue likely to face whoever occupies the White House. This week, NPR is looking at the challenges that will confront the next president on the first day in office. NPR's Aarti Shahani has more on the crisis in cyber security.

AARTI SHAHANI, BYLINE: The game plan could shape up any number of ways. Our digital lives and the attacks against our digital lives are pretty new.

EDWARD SNOWDEN: My name's Ed Snowden. I'm 29 years old.

SHAHANI: With Edward Snowden, American citizens learned we're the target of a mass surveillance program we didn't know about. And the National Security Agency, a military agency, is porous, vulnerable to insiders hacking and stealing. And with the Sony attack, we see security breaches can bring big companies to a screeching, embarrassing halt.

(SOUNDBITE OF ARCHIVED RECORDING)

UNIDENTIFIED WOMAN #1: Leaked emails between two major Hollywood power players now reveal racist jokes against President Obama.

SHAHANI: And let's not forget.

(SOUNDBITE OF ARCHIVED RECORDING)

UNIDENTIFIED MAN #1: Target says 40 million credit and debit card accounts...

(SOUNDBITE OF ARCHIVED RECORDING)

UNIDENTIFIED MAN #2: Health insurance company Anthem says it is scrambling to notify millions of its customers whose information may have been stolen...

SHAHANI: Credit card fraud, a la Target, set off a credit monitoring frenzy. And Anthem demonstrated no institution is sacred. How do hackers even make money from stolen medical records? And then, of course, there are the digital crimes of passion we're committing against each other. Take revenge porn.

(SOUNDBITE OF ARCHIVED RECORDING)

UNIDENTIFIED WOMAN #2: Some of the photos came from ex-lovers. Other photos were hacked.

SHAHANI: Is this starting to feel overwhelming? When it comes to cybersecurity, the next president of the United States has tough choices to make. Before even getting to solutions, what are the most important problems? And where should the federal government weigh in or leave it to states or companies?

JIM LEWIS: In 1996, we didn't need to worry about security because the market would take care of it.

SHAHANI: That's Jim Lewis, a senior official at the Departments of State and Commerce during the Clinton era, talking about what experts assumed back in the '90s.

LEWIS: Consumers would demand security and companies would provide it. That hasn't happened.

SHAHANI: Under Clinton, the Internet went from a Pentagon project to a place for companies to play, experiment. And under Obama, we saw the smartphone revolution. Lewis says, now, we've got to step back.

LEWIS: And say, just as we have energy policy and space policy and defense policy, maybe we need cyber policy.

SHAHANI: It's very hard to regulate technology that's unfolding before our very eyes. Lewis, who's now a fellow with the Center for Strategic and International Studies in Washington, D.C., names one key issue - consumer protection. And he says it's a foreign policy issue. Certain countries are sanctuaries for cyber criminals. That's often where our personal data is flowing.

LEWIS: Finding out that someone in the Russian mafia has all your credit card information and your social security number doesn't make the average voter happy.

SHAHANI: Cybersecurity expert Bruce Schneier, a fellow at Harvard's Berkman Center, says another way to protect consumers is corporate accountability.

BRUCE SCHNEIER: What government can do about data breaches is increase the penalties. And right now, your data is not very well protected because the cost of losing it isn't very high to the companies that have it.

SHAHANI: Schneier wants to see the next president take on privacy, too. What should police be able to access without a warrant and what should companies be allowed to store? So far, we've just kind of assumed that the answer is everything. For example, the company Uber published a light-hearted article about people using Uber to have flings.

SCHNEIER: Basically, they looked at rides happening in the evening from point A to point B, and rides happening the next morning by the same person back.

SHAHANI: Now, Uber didn't publish the names of the people. It was aggregate, big data. But, Schneier says, without a federal law on commercial privacy, they could have.

SCHNEIER: And right now under U.S. law, they could do whatever they like with that data. And it is just them being nice that makes them not publish it or sell it to people trying to market to you.

SHAHANI: So many issues - data encryption, structural reform of the NSA, the role of Homeland Security. We haven't even talked about whether the next president's Supreme Court nominee believes in changing passwords regularly. Aarti Shahani, NPR News. Transcript provided by NPR, Copyright NPR.