IEEE Technology and Society Magazine - Summer 2014 - 30

national security challenges in order to facilitate a
cooperative mindset and mutual respect.
There are numerous areas of common ground that
we believe most security and privacy advocates will
support, such as government-funded and transparent
code audits of heavily relied upon security technologies
such as SSL and SSH, assistance in funding the deployment of DNSsec, and the continued development of
high-quality guides to securing systems [8]. Governments could also support the continued development
of robust open-source security tools and operating
systems and encourage broader use of SSL for routine
web activities [9]. Governments also possess unique
and valuable security situational awareness data. For
example, appropriate sharing of previously undisclosed
malware signatures with ISPs and the sharing of generalized security breach data and trends along with timely
and meaningful alerts could prove very beneficial.
The government could serve an important role in
facilitating reports of security vulnerabilities to privatesector companies. Many researchers are fearful of the
repercussions of reporting vulnerabilities directly to the
company affected. Those companies are often hostile
to the news that their products and services have security problems and respond by ignoring the report or
threatening the researcher with litigation. Furthermore,
companies have little incentive to fix these problems.
They face not only the expense of addressing the issue,
but also a possible public relations firestorm and even
litigation if the flaw becomes publicly known. With
all these possible downsides, vendors often choose to
do nothing, leaving users at risk. A government role in
this process could encourage companies to fix security
flaws that might otherwise go unpatched.

pushback from privacy advocates, the media, and
citizens. Despite these advantages, we must tread
carefully. Perfect security and perfect privacy are
dubious and likely unattainable goals. Thus, we
should be mindful of diminishing returns in order
to efficiently pursue privacy and security without a
mandate for perfection.

Win-Win Mindset

References

Many security solutions come at the cost of privacy.
Some, like security theater, improve neither security
nor privacy and are merely a waste of time and money.
Other solutions degrade privacy and civil liberties with
only marginal gains in security, risking significant
negative effects on societal norms, freedom of speech,
rights of assembly, and innovation. Through education
and rational analysis we can accomplish both security
and privacy. It is important to develop a win-win mindset in all participants as they develop solutions. Seeking
common ground among all major parties often serves
as a solid starting point. We must also consider implications beyond security and privacy, including safety,
cost, time, efficacy, and inconvenience to understand
the true net value of a security measure.
Win-win solutions will be more palatable to
government decision makers with minimal risk of

Acknowledgment
We would like to thank participants of the Senior Conference held at West Point in June 2012 who provided
useful potential solutions that increase both privacy
and security. The views in this article are the authors'
and do not reflect the official policy or position of the
u.S. Military Academy, Department of the Army,
Department of Defense, or the u.S. Government.

Author Information
Gregory Conti is an associate professor in the u.S.
Military Academy's Department of Electrical Engineering and Computer Science and is Director of
West Point's Cyber research Center. Email: gregory.
conti@usma.edu.
Lisa Shay is an associate professor in the u.S.
Military Academy's Department of Electrical Engineering and Computer Science and is Director of
West Point's Electrical Engineering program. Email:
lisa.shay@usma.edu.
Woodrow Hartzog is an assistant professor at the
Cumberland School of Law at Samford university, Birmingham, AL, and an Affiliate Scholar with the Center
for Internet and Society at Stanford Law School, Stanford, CA. Contact him at whartzog@samford.edu.

[1] T. Hunte, A. Fertoli, and C. Hamilton, "NYPD Commissioner calls
for more surveillance cameras," WNYC News, Apr. 22, 2013.
[2] "Department of Defense Strategy for Operating in Cyberspace."
u.S. Department of Defense, July 2011.
[3] B. Schneier. Beyond Fear: Thinking Sensibly About Security in an
Uncertain World. Springer, 2003.
[4] K. Hawley. "Why airport security is broken - and how to fix it,"
Wall Street J., Apr. 15, 2012; http://online.wsj.com/article/SB10001424
052702303815404577335783535660546.html.
[5] "response to 'bag check' cartoon," The TSA Blog, Oct. 23, 2009;
http://blog.tsa.gov/2009/10/response-to-bag-check-cartoon.html.
[6] L. Shay, W. Hartzog, and G. Conti, "Beyond sunglasses and spray
paint: A taxonomy of surveillance countermeasures" presented at Int.
Symp. Technology & Society (Toronto, Canada), June 27-29, 2013.
[7] A. Cavoukian, "Privacy by design;" http://privacybydesign.ca/,
accessed Nov. 20, 2012.
[8] A. Kingsley-Hughes. "Are you following the NSA's 'Home Network Security Best Practices'?," Harware 2.0, ZDNet, May 2, 2011;
http://www.zdnet.com/blog/hardware/are-you-following-the-nsashome-network-security-best-practices/12589.
[9] "HTTPS everywhere," Electronic Frontier Foundation; https://
www.eff.org/https-everywhere, accessed Nov. 9, 2012.

IEEE TECHNOLOGY AND SOCIETY MAGAZINE

SuMMEr 2014

http://online.wsj.com/article/SB10001424 http://blog.tsa.gov/2009/10/response-to-bag-check-cartoon.html http://www.privacybydesign.ca/ http://www.zdnet.com/blog/hardware/are-you-following-the-nsas http://https:// http://www.eff.org/https-everywhere

Table of Contents for the Digital Edition of IEEE Technology and Society Magazine - Summer 2014