Remarks of Diane Rinaldo
Acting Assistant Secretary of Commerce for Communications and Information
Data Privacy Conference USA 2019
September 18, 2019
-- As Prepared for Delivery --
Good morning. It’s great to be here at the National Press Club. I was here just last week for NTIA’s annual spectrum policy event. It was a really terrific event, and like today, it’s made all the better because we’re just one block from my office.
We’ll also hear from my colleagues Alex Greenstein, who handles Privacy Shield for the Department of Commerce, as well as Naomi Lefkovitz from our sister agency at the National Institute for Standards and Technology, NIST, who we’ve been working closely with for more than a year.
What’s clear to us all is that, over the past decade, data has transformed our relationships with technology, and our laws haven’t kept pace. We’ve seen some efforts by states and other localities to address privacy concerns, but a patchwork of laws makes it difficult for companies to comply, and consumers’ interests aren’t being well-served.
We know that consumers care about this issue. NTIA has conducted regular surveys about computer and Internet use for decades.
Data from our most recent survey show that nearly three quarters of households that use the Internet expressed concerns about privacy and security risks, such as identity theft or loss of control over personal information.
More than a third of online households said those concerns led them to avoid online activities, such as buying goods or making a financial transaction.
The Trump Administration has made clear it’s time to take a fresh look at how we handle digital privacy. At NTIA, we’ve been working to build consensus around a fundamentally American approach to this issue. We’ve been talking with dozens of stakeholders to better understand what the problems are, what we can agree upon, and how we can move forward.
NTIA put out a request for comments and received more than 200 responses from a range of stakeholders, including industry associations, civil society, academics and individuals.
In the comments and our conversations, we’ve heard a real desire for American leadership on privacy. There is broad industry consensus that we can’t have a patchwork regulatory landscape within the U.S., and where there are differences internationally, we should take care not to harm the data flows that power the global digital economy.
We also received many thoughtful comments on our proposed risk-and-outcomes-based approach. NIST, which is well known for their Cybersecurity Framework, has been working on the practical application of this approach. Earlier this month they released the first draft of their new Privacy Framework.
This new framework aims to give organizations a comprehensive understanding of how they can better manage privacy risks. This tool can help companies optimize their data use and develop innovative products and services while minimizing adverse consequences for consumers.
If you haven’t already dug in to the Privacy Framework, please do. We want this tool to be as valuable as possible to as many organizations as possible. NIST is seeking comments on the framework by October 24.
A risks-and-outcomes focus has another benefit, which is that it doesn’t entrench large, established businesses at the expense of startups and small firms. Overly burdensome compliance costs could stifle the next generation of innovation, not to mention the jobs and economic benefits that small businesses provide.
As the Administration continues to build out our approach, I invite your continued collaboration. We can work together on a privacy model that ensures Americans trust the technologies in their lives, while guarding against the creation of obstacles to innovation that would harm our economy. A model that protects privacy and allows prosperity to flourish. We believe this is possible.
I want to briefly touch on security, which is an aspect of privacy that is sometimes overlooked. Security and privacy are sometimes treated as separate concerns, but the simple fact is even the strongest privacy laws won’t do much to protect consumers if our networks aren’t secure.
NTIA is involved in a range of policy issues related to the security of our nation’s telecommunications infrastructure.
We are working with our interagency partners to enhance the security of our nation’s telecommunications supply chain. We are also involved in an ongoing effort to mitigate the damaging effects of botnets – automated distributed denial of service (DDoS) attacks that can severely disrupt networks.
Botnet attacks can have large and damaging effects, and they can now capitalize on the ever-growing number of Internet of Things devices. We have seen attacks that have topped a terabit per second. Dealing with a DDoS attack of this magnitude can take time, which is a major concern when mission-critical services are involved. Risks will increase as connected devices continue to proliferate.
In response to an executive order, NTIA worked with NIST and the Department of Homeland Security to deliver a report on botnets last year. The Botnet Report outlines a positive vision for the future, cemented by six principal themes and five complementary goals that would improve the resilience of the Internet ecosystem.
We are tracking progress through a document known as the Botnet Road Map. More than half of the identified tasks are already in progress or completed. Remediating botnet threats is an ecosystem-wide challenge that will take time to accomplish. At the end of this year, the Departments of Commerce and Homeland Security plan to provide a status update to the President that reviews progress, tracks the impact of the road map and sets further priorities.
NTIA has also pioneered a novel form of public-private partnerships for cybersecurity.
- To address the challenges around the process for disclosing vulnerabilities, we invited security researchers into a discussion with software vendors and their customers, to focus on how collaboration could help everyone.
- We helped lead government efforts to address the risks from an insecure Internet of Things. Our focus was on a key point – let’s make sure that insecure devices can be fixed. So we fostered technical and policy discussions around “patchability.”
- Our current effort addresses the risks in our software supply chain by promoting transparency around third-party components. We’re helping industry understand and use what’s called a “software bill of materials,” also known as “SBOM.”
There’s no question that our country’s tech leadership has resulted in remarkable prosperity, but it has also increased our reliance on technology. Because of this, we must work harder than ever to ensure the Internet and our technology infrastructure is secure.
As new technologies like 5G, the Internet of Things and AI become more integrated into our daily lives, we must strive to have the right policies in place so that the United States can continue to harness the economic benefits of our technological leadership.
NTIA is committed to working with the private sector and coordinating across the federal government to get this done. Our doors are always open.