Keeping Up With... Cybersecurity, Usability, and Privacy
This edition of Keeping Up With... was written by Bohyun Kim. Bohyun Kim is Associate Director, Library Applications and Knowledge Systems, at the University of Maryland-Baltimore, Health Sciences and Human Services Library, email: bkim@hshsl.umaryland.edu.[1]
What is Cybersecurity?
Cybersecurity is a broad term. It refers to the activities, practices, and technology that keep computers, networks, programs, and data secure and protected from harmful activities such as unauthorized access, modification, or damage. We became familiar with the term ‘cybersecurity’ through reports of recent security breaches at J.P. Morgan, Target, Sony, and Anthem Blue Cross and Blue Shield, to name a few. Government and higher education institutions are no exception to cyberattacks. In 2015, the Office of Personnel Management of the U.S. Federal Government was hacked twice, and its sensitive data was stolen.[2] In 2014, the University of Maryland at College Park and Indiana University also suffered similar data breaches.
Cybersecurity Measures
To prevent such data breaches, institutional IT staff are trained to protect their systems against vulnerabilities and intrusion attempts. Employees and end users are educated to handle institutional or customer data carefully. There are also systematic measures that organizations can implement, such as two-factor authentication, stringent password requirements, and locking accounts after a certain number of failed log-in attempts. While the term ‘cybersecurity’ may sound grand, actual cybersecurity measures can be mundane, ranging from keeping software versions and patches up to date, keeping viruses and malware away with effective anti-virus and anti-spyware software, and educating users so that they won’t fall for phishing or email scams, to backing up data on a regular basis.
Competing Concerns – Cybersecurity vs. Usability and Privacy
However, some cybersecurity measures may negatively affect the usability of systems and applications, thereby lowering users’ productivity. One good example is the website of the United States Postal Service (https://www.usps.com/). The USPS website does not provide a way to reset the password for users who have forgotten their usernames. Furthermore, if a user enters wrong answers to the two security questions used to retrieve the password more than twice, the system automatically locks the account. Clearly, a system that does not allow password resets is more secure than one that does. But average users do forget their passwords, usernames, and even the answers to the security questions that they set up themselves. That makes the USPS site seriously flawed in terms of usability. As another example, imagine that a library decides to block all international traffic to its licensed e-resources to prevent foreign hackers from accessing them. This would certainly help the library avoid a potential breach of licensing terms in advance. But it would also render those e-resources unusable to legitimate users traveling abroad.
Security is important, but systems and applications also exist for users to do their jobs. The more user-friendly and the simpler cybersecurity guidelines are to follow, the more users will observe them, thereby making networks and systems more secure.
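As an added illustration of the lockout trade-off the USPS example raises (constructed example code, not from this column or from USPS), the model below locks an account after more than two wrong security-question answers and runs the same attempt log under a permanent lock and a fifteen-minute lock: both turn away the forgetful user a minute later, but only the timed lock lets her back in the next day, and guess_budget quantifies how much more online guessing the timed lock tolerates per day. The user name, answers, timings, and the 15-minute duration are assumptions.

```python
# Constructed model of a reset gate that locks an account after too many wrong
# security-question answers (the USPS example), run under two lock policies.
from dataclasses import dataclass
INF = float("inf")   # lock duration meaning "permanent"

@dataclass
class LockoutPolicy:
    max_failures: int     # wrong answers tolerated before the lock engages
    lock_seconds: float   # lock duration in seconds; INF = permanent
@dataclass
class Account:
    failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0.0 means not locked

class ResetGate:
    def __init__(self, policy, answers):
        self.policy = policy
        self.answers = answers   # user -> correct answer (constructed data)
        self.state = {}

    def attempt(self, user, answer, now):
        acct = self.state.setdefault(user, Account())
        if now < acct.locked_until:
            return "locked"      # lock in force; the answer is not even checked
        if acct.locked_until:    # a timed lock has expired: start a fresh window
            acct.failures, acct.locked_until = 0, 0.0
        if answer == self.answers.get(user):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures > self.policy.max_failures:
            acct.locked_until = now + self.policy.lock_seconds
            return "locked"
        return "denied"

def simulate(policy, events):
    """Run one user's (time, answer) attempts through a fresh gate."""
    gate = ResetGate(policy, {"alice": "rover"})
    return [gate.attempt("alice", ans, t) for t, ans in events]

def guess_budget(policy, horizon_seconds):
    """Answers that can be checked within the horizon: max_failures + 1 per lock window."""
    if policy.lock_seconds == INF:
        return policy.max_failures + 1
    return (int(horizon_seconds // policy.lock_seconds) + 1) * (policy.max_failures + 1)

# Constructed log: three forgotten answers, the right one a minute later, then next day.
EVENTS = [(0, "fido"), (10, "spot"), (20, "rex"), (60, "rover"), (86400, "rover")]
HARD_LOCK = LockoutPolicy(max_failures=2, lock_seconds=INF)       # USPS-style
TIMED_LOCK = LockoutPolicy(max_failures=2, lock_seconds=15 * 60)  # 15-minute lock
```

Under the permanent lock the legitimate user stays locked out forever after her third mistake; the timed lock restores access the next day while still capping checked answers at three per fifteen minutes, which is the kind of middle ground the text argues for.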
Another competing concern is the invasion of privacy. Through the documents that Edward Snowden leaked in 2013, we know that the NSA collected, via Verizon, the communication records of millions of people in bulk, regardless of any suspicion of wrongdoing.[3] After a cyberattack against the University of California at Los Angeles, the University of California system installed a device capable of capturing, analyzing, and storing all network traffic to and from the campus for over 30 days, without consulting or notifying the faculty and others who would be subject to the monitoring.[4] In February 2016, the FBI asked Apple to create a backdoor application that would bypass the security measures in place in its iOS, in relation to the San Bernardino shooting incident. In April 2016, an anti-encryption bill was submitted to the Senate; it proposed that people should be required to comply with any authorized court order for data and that if that data is “unintelligible” – meaning encrypted – then it must be decrypted for the court.[5]
These recent events show that certain cybersecurity measures can be used to greatly invade privacy rather than protect it. This is ironic, because security is essential to privacy. Because we do not always fully understand how the technology actually works or how it can be exploited for both good and bad purposes, we need to be careful about giving blanket permission to any party to access, collect, and use our private data without clear understanding, oversight, and consent.
Conclusion
Librarianship is a fundamentally
user-oriented profession. As such, librarians have been making great efforts to
make library-related data, systems, and applications as user-friendly as
possible. These efforts should continue along with the efforts to make those
data, systems and applications secure. Library resources, systems, and
applications all exist to be used, and that is why they need to be secured
after all, not the other way around.
At the same time, libraries must continue to
keep sensitive patron data safe and protected to ensure people’s privacy and
intellectual freedom. As more libraries try to collect, retain, and analyze a
variety of library data to improve their services and collections, this will
become even more important. The Electronic Frontier Foundation
states that privacy means respect for individuals’ autonomy,
anonymous speech, and the right to free association.[6] If part of a library’s
mission is to contribute to helping people to become such autonomous human
beings through learning and sharing knowledge without having to worry about
being observed and/or censored, libraries should advocate for people’s privacy
both online and offline as well as in all forms of communication technologies
and devices.
Notes
[1] This article is a revised and significantly shortened version of my previous blog post published in the ACRL TechConnect blog. Bohyun Kim, "Cybersecurity, Usability, Online Privacy, and Digital Surveillance," ACRL TechConnect Blog, May 9, 2016.
[2] Lisa Rein and Andrea Peterson, "What You Need to Know about the Hack of Government Background Investigations," The Washington Post, July 9, 2015.
[3] Glenn Greenwald, "NSA Collecting Phone Records of Millions of Verizon Customers Daily," The Guardian, June 6, 2013.
[4] Phil Matier and Andy Ross, "Cal Professors Fear UC Bosses Will Snoop on Them," San Francisco Chronicle, January 29, 2016. Scott Jaschik, "U of Big Brother?," Inside Higher Ed, February 1, 2016.
[5] Andy Greenberg, "The Senate's Draft Encryption Bill Is 'Ludicrous, Dangerous, Technically Illiterate,'" WIRED, April 8, 2016.
[6] "Privacy," Electronic Frontier Foundation, accessed May 5, 2016.
Resources and Recommended Readings
Beckstrom, Matthew. Protecting Patron Privacy: Safe Practices for Public Computers. Santa Barbara, California: Libraries Unlimited, 2015.
Case, Andrew. “HowTo: Privacy & Security Conscious Browsing.” Gist, August 26, 2015. https://gist.github.com/atcuno/3425484ac5cce5298932.
Cranor, Lorrie Faith, and Simson Garfinkel. Security and Usability: Designing Secure Systems That People Can Use. 1st edition. Beijing; Farnham; Sebastopol, CA: O’Reilly Media, 2005.
“Cybersecurity.” Homeland Security News Wire. Accessed August 24, 2016. http://www.homelandsecuritynewswire.com/topics/cybersecurity.
“Cybersecurity.” Educause Library. Accessed August 24, 2016. https://library.educause.edu/topics/cybersecurity.
Grama, Joanna Lyn, and Valerie M. Vogel. “The 2016 Top 3 Strategic Information Security Issues.” EDUCAUSE Review Online, January 11, 2016. http://er.educause.edu/articles/2016/1/the-2016-top-3-strategic-informat....
Greenwald, Glenn. “Why Privacy Matters.” TED, October 2014. https://www.ted.com/talks/glenn_greenwald_why_privacy_matters.
“Have I Been Pwned?” Accessed August 24, 2016. https://haveibeenpwned.com/.
“Information Security.” The Guardian. Accessed August 24, 2016. http://www.theguardian.com/media-network/information-security.
Kaplan-Moss, Jacob. “InfoSec Engineering Reading List.” GitHub, May 25, 2016. https://github.com/jacobian/infosec-engineering.
“Library Freedom Project.” Library Freedom Project. Accessed August 24, 2016. https://libraryfreedomproject.org/.
“Library Privacy Statement.” University of Michigan Library. Accessed May 5, 2016. http://www.lib.umich.edu/library-administration/user-privacy-policy-univ....
Olavsrud, Thor. “5 Information Security Trends That Will Dominate 2016.” CIO, December 21, 2015. http://www.cio.com/article/3016791/security/5-information-security-trend....
“Privacy.” Electronic Frontier Foundation. Accessed May 5, 2016. https://www.eff.org/issues/privacy.
“Resources.” Library Freedom Project. Accessed August 24, 2016. https://libraryfreedomproject.org/resources/.
“Risk Assessment / Security & Hacktivism.” Ars Technica. Accessed August 24, 2016. http://arstechnica.com/security/.
“SEC4LIB Listserv.” Accessed August 24, 2016. https://listserv.nd.edu/cgi-bin/wa?A0=SEC4LIB.
“Security Now! Episode Archive.” Gibson Research Corporation. Accessed August 24, 2016. https://www.grc.com/securitynow.htm.
The Electronic Frontier Foundation. “Surveillance Self-Defense.” Surveillance Self-Defense. Accessed August 24, 2016. https://ssd.eff.org/en.
“Tips.” United States Computer Emergency Readiness Team. Accessed August 23, 2016. https://www.us-cert.gov/ncas/tips.
“Why Privacy?” Privacy Rights Clearinghouse. Accessed May 5, 2016. https://www.privacyrights.org/why-privacy.
Zalaznick, Matt. “Cyberattacks on the Rise in Higher Education.” University Business Magazine, October 2013. https://www.universitybusiness.com/article/cyberattacks-rise-higher-educ....
Zalewski, Michal. The Tangled Web: A Guide to Securing Modern Web Applications. 1st edition. San Francisco: No Starch Press, 2011.
Regards
Pralhad Jadhav
Senior Manager @ Library
Khaitan & Co
Note | If anybody uses these posts for forwarding in any social media coverage or for covering in a newsletter, please give due credit to those who are making the effort to produce them.