Guidance Software Inc.’s third annual Federal Summit, held on March 6 outside Washington, D.C., focused on cybersecurity, e-discovery and enterprise forensics. Not surprisingly, the topics reflected the company’s product offerings, but the dialogue went far beyond the EnCase platform and the event’s agenda.
What emerged was a story of Big Data engulfing big government—with the private sector facing similar challenges as the growing size and complexity of data use across society blurs the line between public- and private-sector data issues.
The Federal Summit’s two tracks—cybersecurity and e-discovery—framed the discussions throughout the event with topics that included insider and outsider data security threats affecting the federal government, the balance between data privacy and national security, and data transfer between the government and the private sector through e-discovery and the Freedom of Information Act.
This year’s meeting had a greater data security focus than in past years, and recent high-profile data breaches explain why.
2013 was a big year for high-profile Big Data breaches. The year began with news of a private-sector data breach when The New York Times announced Chinese hackers had infiltrated its email system the previous fall after the newspaper published articles critical of the family of Chinese Premier Wen Jiabao.
Then in June, the U.S. Department of Justice charged Edward Snowden with espionage after the former government contractor, an employee of the consulting firm Booz Allen Hamilton Inc., released classified documents about National Security Agency surveillance programs.
At the end of the year—just in time for the holiday shopping season—Target Corp. announced hackers had broken into its IT system, accessing credit and debit card information on millions of the retail chain’s customers.
Tony Sager of the SANS Institute, a former NSA directorate chief information officer, put the data breach problem in perspective for event attendees.
“We have a losing strategy. Our human defenders are working against armies of robots,” Sager said.
The trifecta of data breaches, along with others receiving less publicity, triggered swift action on cybersecurity by the U.S. Congress—at least as far as introducing bills and issuing press releases. However, speakers at the summit agreed it was unlikely any bills would be signed into law this year.
“If I were going to Las Vegas, I wouldn’t bet on any legislation passing, even the small bills,” said attorney Sanford Reback, director of global business at Bloomberg Government.
Reback cited 2014 as being an election year, as well as more more fundamental obstacles, such as Congress being concerned that legislation would stifle the U.S. tech industry, a strong driver of the American economy, as reasons he didn’t expect data security legislation this year—despite the widespread media coverage of these breaches.
The e-discovery sessions also had a data management and security focus. Given the government audience, the first e-discovery panel discussed the dual use of e-discovery and FOIA requests when seeking government data, noting that many litigators file FOIA requests before beginning formal e-discovery.
An audience member from the U.S. Department of Defense summed up the general feelings in the room about these requests when he said, “The difference is FOIA requests have to be reasonable, while e-discovery requests are almost always unreasonable.”
Despite the reasonableness requirement and the nine FOIA exemptions, panelists and government employees in the audience agreed that FOIA requests were still a tremendous burden on federal government agencies, and no one thought pending congressional legislation would solve the problem.
H.R. 1211, the proposed FOIA Oversight and Implementation Act of 2014, which passed unanimously in the House of Representatives on Feb. 25, provides for an online portal for FOIA requests. But no one in the room seemed to believe a website was going to solve the ever-increasing problem of FOIA requests, which numbered 704,394 in fiscal year 2013.
The afternoon e-discovery panel featured a discussion of the balance between privacy and security in government e-discovery with Assistant U.S. Attorney Edward McAndrew and this article’s author, who is an analyst and counsel at 451 Research, in which we discussed the privacy-security trade-off domestically and internationally.
I noted the difference in privacy vs. security outside the U.S., outlining the current state of affairs in Europe with the proposed General Data Protection Regulation and the impact of the NSA-Snowden affair on the U.S.-EU Safe Harbor, pointing out that the balance in Europe tips toward the privacy side of the scale.
McAndrew described the U.S. government’s need for security while still recognizing—despite the belief of many Europeans—the government’s real concern about privacy and the requirements for ensuring data privacy under U.S. law.
As Bloomberg’s Reback noted earlier in the day, privacy and security are not mutually exclusive concepts.
“Privacy and cybersecurity are two sides of the same coin,” Reback noted. “Take the Target breach—it was a cybersecurity issue and a privacy issue.”
Attorney David Horrigan is an industry analyst and counsel at 451 Research, and a former reporter for The National Law Journal and Law Technology News. His complete 451 Research report on the Federal Summit can be found here. Email: firstname.lastname@example.org.