You can’t open a government trade publication these days without bumping into some article about Edward Snowden, and not just US focused publications. His story has had global coverage. There is no doubt his actions are forcing change, for better or worse, within governments around the world.
Just this morning, as I was perusing through various articles, I came across the latest submission in FCW entitled “Agencies pay for public distrust in post-Snowden era”. Because I’m personally interested this topic, I decide to dive in, thinking I’m going to be reading more about the impacts and ramifications to the Intelligence Community (IC). However, from the very first paragraph, it was obvious this was not about the IC, rather, it was about cyber security, with insights gleaned from ACT-IAC’s 2014 Cybersecurity Forum. I was curious where this was heading, so I read the rest of the article. For the most part, it went on to discuss the importance of cyber security efforts within the Federal government, all of which made sense.
However after a bit of reflection, I started to wonder, is Snowden the real reason citizens are reluctant to provide personally identifiable information (PII) or is he being used as a timely and convenient excuse? No doubt, the Snowden situation has heightened the public’s awareness of the collection capabilities of the NSA, I’ll not dispute that, however, I’m not convinced his “revelations” are the driving factor for the public’s hesitancy to share with government. Perhaps it is a legitimate driver in limiting the public’s willingness to share PII (or anything else for that matter) on the Internet with anyone, but, not government specifically.
I’d like to offer a somewhat different culprit. I assert the more significant driver to the reluctance to share PII is the growing number of successful cyber-attacks on both public AND private entities. Everywhere you look, organizations are taking fire from cyber-attackers and far too often, the attackers are winning. This is not a result of anything Edward Snowden revealed, these successful attacks are the result of increasingly capable attackers combined with over-burdened, typically under-funded defenders.
While I’m not necessarily advocating a blind eye should be turned to the privacy concerns being raised based on the alleged capabilities and actions of the NSA, I am suggesting perhaps the greater enemy, the more immediate threat within the context of protecting PII is coming from the criminal community, not the IC. To me, it’s a matter of possible versus probable. It is possible the IC could do something nefarious with PII, but not necessarily probable. That community generally has bigger fish to fry. However, without a doubt, it is probable, if not guaranteed, that the criminal community will do something nasty with any PII it can get its hands on.
In my long years of experience, I’ve found it’s generally best to focus more on the probable and give the possible time to work itself out. More often than not, the possible proves to be an edge case and fades away on its own. While we are all getting wrapped around the axle of what the NSA might do, we are being robbed blind by criminals who know exactly what they are going to do.
So, it’s all because of Snowden? I don’t think so.