Brookings: Experts - Allan A. Friedman

How Do Government Restrictions Harm International Online Trade and Commerce?

Tue, 26 Feb 2013 14:00:00 -0500

Event Information

February 26, 2013
2:00 PM - 3:30 PM EST

Saul/Zilkha Rooms
Brookings Institution
1775 Massachusetts Avenue NW
Washington, DC 20036

Register for the Event
The trading of goods and services over the Internet is now routine in the global marketplace and a highly important facet of international commerce. The Internet’s capacity to move data across borders securely and efficiently is an important enabler of international trade. Despite the Internet’s significant contribution to international trade and the free flow of goods across borders, governments are employing a range of potentially damaging restrictions that reduce the ability of businesses to use the Internet as a venue for international commerce. Of these various restrictions, which are the most salient and harmful to online international commerce? How are these restrictions being used to prevent cybercrime or protect intellectual property, are they effective, and are there unintended consequences to these regulations?

On February 26, the Center for Technology Innovation at Brookings hosted a discussion on how governments can best enable online global commerce while also taking precautions to maintain security, national interests and intellectual property rights. A panel of experts discussed the increase in international trade and propose steps that governments should take to strengthen international trade rules and norms for the Internet.

Smart Policy: Building an Innovation-Based Economy

Darrell M. West, Allan A. Friedman and Walter D. Valdivia — Tue, 15 Jan 2013 00:00:00 -0500

Darrell West, Allan Friedman and Walter Valdivia argue that the United States needs smarter technology innovation policies in order to capture the economic advantages of the digital economy and improve long-term growth. Growth through smart innovation policy should be front and center for lawmakers as they wrestle with social and economic challenges in an information age, these scholars write.

This paper sets a robust domestic tech policy agenda for 2013 and beyond, as well as offers ideas to reform our economy, improve public sector performance, and train people for 21st century jobs. West, Friedman and Valdivia show how government and civil society can move from ideas, norms, structures, and regimes developed during an industrial period to institutions and policies attuned for the digital world.

Specifically, the writers propose the following to encourage an innovation-based U.S. economy:

Create better metrics for measuring worker productivity in the 21st century economy. Past approaches based on worker hours or total employees in relation to Gross Domestic Product (GDP) ignore the transformational nature of digital technology.
Encourage entrepreneurship by expanding Small Business Administration credit for start ups, adding entrepreneurial skills to school curricula, and making changes in immigration policy that encourage entrepreneurs to come to America.
Retool governments that learn to innovate and collaborate, and develop new approaches to service delivery, transparency, and participation. This includes placing more data online and employing data analytical tools, social media, mobile technology, and search results that improve decision-making.
Strengthen infrastructure by investing in broadband, data centers, and mobile cell towers, and improving access to spectrum for wireless applications.
Protect vital digital assets by updating the Federal Information Security Management Act and developing procedures for monitoring threats to critical infrastructure
Improve knowledge transmission through faster adoption of digital textbooks, more widespread use of creative commons licenses for instructional materials developed with taxpayer dollars, and policy changes that speed education innovation.
Increase technology transfer and the commercialization of knowledge from universities and federal laboratories so that public and private investments translate into jobs and economic activity as well as better health, security, and well-being.
Harmonize cross-border laws to promote global innovation and freedom of expression.

These policy prescriptions draw on a day-long workshop the Center for Technology Innovation at Brookings organized with two dozen innovation leaders in June 2012, well as online crowd-sourcing responses of several hundred experts from around the country in the areas of innovation, technology, and economic development.

Please download the full paper »

Downloads

Smart Policy: Building an Innovation-Based Economy

Authors

Image Source: © Steve Marcus / Reuters

Building an Innovation-Based Economy

Darrell M. West, Allan A. Friedman and Walter D. Valdivia — Tue, 13 Nov 2012 11:13:00 -0500

In a paper released in conjunction with a panel discussion, Darrell West, Allan Friedman and Walter Valdivia identify promising policy ideas to encourage entrepreneurship and innovative growth in the technology industry.

The policy recommendations draw on the expertise and recommendations gathered from a June 2012 workshop, organized by the Center for Technology Innovation at the Brookings Institution, as well as feedback from online crowd-sourcing.

Highlights include:

• We need better metrics for measuring worker productivity in the 21st century economy. Past approaches based on worker hours or total employees in relation to Gross Domestic Product (GDP) ignore the transformational nature of digital technology.

• We should encourage entrepreneurship by expanding Small Business Administration credit for start ups, adding entrepreneurial skills to school curricula, and making changes in immigration policy that encourage entrepreneurs to come to America.

• We need governments that learn to innovate and collaborate, and develop new approaches to service delivery, transparency, and participation. This includes placing more data online and employing data analytical tools, social media, mobile technology, and search results that improve decision-making.

• We should strengthen infrastructure by investing in broadband, data centers, and mobile cell towers, and improving access to spectrum for wireless applications.

• We should protect vital digital assets by updating the Federal Information Security Management Act and developing procedures for monitoring threats to critical infrastructure.

• We need to improve knowledge transmission through faster adoption of digital textbooks, more widespread use of creative commons licenses for instructional materials developed with taxpayer dollars, and policy changes that speed education innovation.

• We need to increase technology transfer and the commercialization of knowledge from universities and federal laboratories so that public and private investments translate into jobs and economic activity as well as better health, security, and well-being.

• We should harmonize cross-border laws to promote global innovation and freedom of expression.

Download Paper » (PDF)

Downloads

Building an Innovation-Based Economy

Authors

Image Source: © Shannon Stapleton / Reuters

A First 100 Days Innovation Agenda for the Next Administration

Tue, 13 Nov 2012 14:00:00 -0500

Event Information

November 13, 2012
2:00 PM - 3:30 PM EST

Falk Auditorium
Brookings Institution
1775 Massachusetts Avenue NW
Washington, DC 20036

The Internet is creating tremendous social, economic, and cultural value. Through digital connections, people are communicating with one another, overcoming social and political hierarchies, and building businesses around the world. Yet despite these positive benefits, many nations are experiencing slow-growing economies and barriers to innovation. In an era of limited growth, it has been difficult to lay the basis for long-term development.

On November 13, the Center for Technology Innovation at Brookings looked at ways to reform the U.S. economy, improve innovation, and address the difficult economic problems the country faces which demand new solutions. How can policymakers encourage growth through innovation? What areas offer the most promising growth for the 21st century? A panel of experts focused on broad topics in the areas of infrastructure, entrepreneurship, knowledge transmission, and protecting digital assets.

After the program, panelists took audience questions.

Related paper: Building an Innovation-Based Economy by Darrell M. West, Allan A. Friedman and Walter D. Valdivia

Video

Full Event - A First 100 Days Innovation Agenda for the Next Administration

Audio

A First 100 Days Innovation Agenda for the Next Administration

Transcript

Transcript (.pdf)

Event Materials

Knowledge and Innovation: Understanding Public Access to Research

Wed, 16 May 2012 14:00:00 -0400

Event Information

May 16, 2012
2:00 PM - 3:30 PM EDT

Falk Auditorium
Brookings Institution
1775 Massachusetts Avenue, N.W.
Washington, DC 20036

Each year, the U.S. government funds research grants to produce papers and reports for journals that remain largely inaccessible to most Americans due to subscription fees. Recent proposals have called for research funded with public money to be made publicly available. The Federal Research Public Access Act aims to change the current system, and make much government-funded research freely available within six months of publication. While few can argue against transparency, discussions about the complex ecosystem of scholarly research can lead to a broader examination of the modern knowledge economy, and its basis on principles of both profit and sharing.

On May 16, the Center for Technology Innovation at Brookings hosted Rep. Mike Doyle (D-Pa.), sponsor of the Federal Research Public Access Act, to discuss the government's role in research publication. Following the Congressman's keynote, a panel of experts explored the broader contexts of open access, the complexities of government mandate, and the role of research publication in innovation. Congressman Doyle and the panel took questions from the audience after each presentation.

Audio

Knowledge and Innovation: Understanding Public Access to Research

Transcript

Uncorrected Transcript (.pdf)

Event Materials

20120516_public_research_transcript_uncorrected

Participants

Moderator

Allan A. Friedman

Panelists

Allan Adler

Vice President for Legal and Government Affairs

The Honorable Mike Doyle (D-Pa.)

Allan A. Friedman

Elliot Maxwell

Fellow, Communications Program, Johns Hopkins University
Distinguished Research Fellow, eBusiness Research Center, Pennsylvania State University

Corey D. Williams

Senior Lobbyist and Associate Director, Office of Government Relations

Antitrust Law Enforcement During the Obama Administration

Mon, 23 Apr 2012 10:30:00 -0400

Event Information

April 23, 2012
10:30 AM - 11:30 AM EDT

Saul/Zilkha Rooms
The Brookings Institution
1775 Massachusetts Avenue, NW
Washington, DC 20036

In the past three and a half years, the Antitrust Division of the U.S. Department of Justice has taken significant civil and criminal enforcement actions in industries essential to consumers’ everyday lives. The division has been active on many fronts, including the litigation challenges to proposed acquisitions by AT&T of T-Mobile and by H&R Block of TaxAct; the civil enforcement actions against anti-competitive conduct in the electronic book, financial services and health care sectors; and criminal prosecutions in the auto parts, real estate and financial services industries.

On April 23, the Governance Studies program at Brookings hosted Sharis A. Pozen, acting assistant attorney general of the Antitrust Division, for a discussion about the division’s work and enforcement approach. Brookings Fellow Allan Friedman provided introductory remarks and moderated the discussion.

Following her remarks, Pozen took questions from the audience.

Audio

Antitrust Law Enforcement During the Obama Administration

Transcript

Transcript (.pdf)

Event Materials

20120423_antitrust_pozen

Participants

Panelists

Sharis A. Pozen

Acting Assistant Attorney General, Antitrust Division
U.S. Department of Justice

Web Chat: Protecting Online Privacy

Allan A. Friedman — Wed, 29 Feb 2012 00:00:00 -0500

Aiming to protect online privacy without stifling innovation, President Obama has proposed a “Consumer Privacy Bill of Rights” to help users exercise more control over the data they share when accessing the internet through their web browsers, smart phones and tablets.

What level of anonymity should consumers expect when browsing the internet? Will companies implement President Obama’s recommendations? On February 29, Allan Friedman answered your questions during a live web chat with POLITCO.

12:30 Vivyan Tran: Welcome everyone, let's get started.

12:30 Allan Friedman: Privacy is one of those values that everyone wants, but no one wants to define. Yet as studies by academics, industry, and the government attest, there is widespread demand for clearer and better defined rules about who has our data and how they are using it.

The administration's recent proposal reaffirms well-known values of the Fair Information Practices in a Privacy Bill of Rights, and calls for a multi-stakeholder process to better define a framework for the privacy practices of the myriad of firms and organizations that hold our data. To move the ball forward quickly, the administration has worked with leading web companies to adopt Do Not Track technology, although how this will be implemented at the company level remains to be seen. Indeed, while it is nice to see a clear articulation of privacy goals without heavy-handed or industry-specific regulation, compliance with robust voluntary codes of conduct is more likely with the prospect of enforcement.

Ultimately, understanding and respecting consumer preferences is good business and creates a more trustworthy environment for the information economy. Doing this in a digital world with short attention spans and imperfect interfaces will not be easy, but transparency and collaboration between different stakeholders is a necessary start.

12:30 Comment From Anne: Why has President Obama chosen to release his privacy bill of rights now? Is it in response to Google's new effort to standardize information across its sites?

12:31 Allan Friedman: Like all major policy initiatives, this has taken some time. It's been in the works for a while, with the cooperation of many different agencies. The Department of Commerce has been particularly active, and released a green paper over a year ago that sought to explore why privacy is important, gathering feedback from a very large sample of the tech industry. They also worked hard to engage the marketing industry for support behind “do not track.”

12:32 Comment From Samantha T: Can you briefly explain the new privacy bill of rights? How would companies have to protect users' data under the new guidelines?

12:34 Allan Friedman: Bill of Rights is an affirmative statement of values, rather than a specific set of rules to be followed. It includes provisions for transparency—how is our data being used—and access—what does someone know about me. This latter property requires some interface and a robust way of making sure you can't learn about my data. Some are even trickier—user control of data requires companies providing mechanisms for control. This will require the cooperation of firms that collect data and hopefully lead to more responsible data collection and storage.

12:34 Comment From Sammy: Since President Obama's privacy bill of rights is only voluntary, will Congress eventually need to pass legislation to define consumers' rights online?

12:35 Allan Friedman: The question of enforcement is key. The Obama administration has favored voluntary, multi-stakeholder initiatives to encourage industry to resolve their own policy issues, saving the administration the political hassle of a fight, and the industry the costs of regulation. Sometimes this works; other times, less so.

12:35 Comment From Charles: Switching for a moment to data security, how successful are U.S. companies in protecting users’ data from outside hacking? It seems as though every day we hear stories of how China is now using teams of hackers to access sensitive information.

12:37 Allan Friedman: "Hacking" is a broad term that covers all manner of sins, from negligent system administrators to sophisticated foreign operatives. Thanks to data breach disclosure laws, we can track the number of breaches of personally identifiable information. We have seen that number decline from regularly reported large breaches to less frequent and smaller breaches, with the occasional high profile attack. This is different than news reports of strategic attacks against firms' trade secrets and intellectual property.

12:37 Comment From Janet T: How do you get consumers to pay attention to these issues? Most people don't even read the fine print on the web, and when they do, their eyes glaze over. Why should they care? How can you communicate that?

12:38 Allan Friedman: Some consumers honestly won't care, and that's fine. The important approach is to lower the cost of consumers safeguarding their privacy by making the statements easier to understand, and control easier to enact. This does not absolve the companies that hold our data from their obligations to safeguard this information and respect our wishes.

12:39 Comment From Christina: I keep hearing more and more about storing information "in the cloud," including data like medical records. How can we be sure that extremely sensitive information like this would be secure?

12:40 Allan Friedman: "The Cloud" refers to remote storage, as opposed to keeping things locally, on your computer, or in a company's basement. There are a few other properties, but the essential policy question is who has responsibility to protect this data. The cloud providers are clearly developing expertise to safeguard their services, but there needs to be clear, contractual delineation about risk and responsibility.

12:40 Comment From Ben L: Will this new bill of rights provide protection against the government subpoenaing information like search data?

12:42 Allan Friedman: No, this bill of rights applies to companies and how they use our data. It might lead to firms capturing and storing less, but will not limit government powers in that regard. Currently, the different treatment of data stored remotely vs. locally is an inhibitor of growth in cloud services, as discussed above.

12:42 Comment From Robert E: Could stronger measures to protect data stifle innovation in the tech sector?

12:43 Allan Friedman: On some level, these rules could stop a firm from finding new ways to exploit consumer data. There's no question about that, any more than other popular consumer protection laws such as automobile safety or drug testing can have that unintended effect. However, I would argue that finding ways to engage consumers while respecting their privacy and giving them control of their own data could create far more opportunities for innovation. For example, the "personal data ecosystem" movement aims to shift control of data to consumers, allowing more opportunities for people and firms to exploit the value of our digital lives.

12:44 Comment From Tim A: Will this do anything to prevent companies from implementing new privacy policies that have caused public outrage? Policies like Google's Google Buzz, or some of Facebook's photo policies?

12:46 Allan Friedman: The model for privacy regulation classically followed what I call "Shame-based regulation": a firm would overstep some boundary, and get pilloried in the press. We see that less in the last few years, particularly with Facebook. This framework will help establish some guidelines for the intent of these privacy policies, and give critics tools to object. What is lacking in the current proposal is an enforcement mechanism beyond existing FTC Fair Trade powers. Ideally, these will not be necessary if companies take the principles to heart.

12:46 Comment From EJ: Google and Microsoft have all agreed to implement a "do not track bar" into their browsers. Is the answer really that simple?

12:48 Allan Friedman: Do Not Track has two components: the ability for users to express their preference, and the web sites' interpretation of these preferences. There has already been some disagreement between privacy advocates and the marketing industry on how they should interpret a do-not-track header from the browser: does it merely refer to targeted advertisements, or does it apply to more general tracking across different web sites and contexts?
12:49 Comment From Sarah: What are some ways that the average consumer can help to better protect their own privacy while surfing online?

12:50 Allan Friedman: Learn more about what your browser and computer are telling the world, and take advantage of browsers and plug-ins that minimize the amount of information you are sharing. Using different browsers for different purposes can not only limit the ability to correlate your behavior, but can protect you against malicious criminal activity.

12:50 Comment From Sally: How do U.S. privacy laws compare to Europe's? I feel that ours are very lax.

12:52 Allan Friedman: The EU has a more comprehensive approach, but this can be limiting at times. The United States has focused on regulating specific types of data, such as medical, or educational records (or even what videos you rent!). This allows for a more flexible approach that does not inhibit non-privacy invasive innovations as much. The United States also focuses on privacy harms, such as requiring transparency following a data breach.

12:52 Comment From Teddy: For a large part, internet services are free because users share their data and companies are then able to sell targeted advertisements. Nothing is free in life. Aren't users essentially "paying" Yahoo or Google by providing them their data?

12:55 Allan Friedman: "If you aren't paying, you aren't the customer" is a common refrain. But if data is going to be an important part of the digital economy, we need to have a transparent marketplace—why shouldn't I know how much I'm paying? Why can't we have competition based on the "price" of less invasive data collection. Good information is necessary for markets to flourish.

12:56 Comment From Tim: Is there a positive case to be made for sharing user data? It makes the user experience more seamless and helps organizations better tailor their services, correct?

12:59 Allan Friedman: Data is a currency, as mentioned above, and certainly there are many things that I love to customize. But studies by Berkeley & Penn and CMU have shown that customization is not always as popular as we may think. The policy question hinges on the question of both control and context. Can I get a seamless experience from a service, but then use it without tying it to my permanent identity some of the time? Privacy is about having different identities in different contexts. We have the ability to link across those contexts, but sometimes we may want to reinforce the separation. It's harder to make the business case for the latter, but I think there is some value there—you just need to change the domain of competition.

12:59 Vivyan Tran: Thanks for the great questions, we'll see you next week!

Authors

Allan A. Friedman

Image Source: © Larry Downing / Reuters

Health Information Exchanges and Megachange

Allan A. Friedman and Darrell M. West — Wed, 08 Feb 2012 00:00:00 -0500

Editor's Note: In this paper, Darrell West and Allan Friedman study how state-level health information exchanges (HIEs) are implemented, where there are opportunities for action and who drives policy change. This paper looks at the current climate for organizational change and study the challenges faced by HIEs and how new technology is moving forward to overcome them; the scholars argue that for these megachange efforts to be effective, policymakers must present a clear vision, achieve consensus on key objectives, overcome organizational and market fragmentation, and work effectively with a range of different constituencies. In particular, this paper addresses the effectiveness and viability of HIE’s in Indiana, Massachusetts, New York, Tennessee, and California and explores why Massachusetts and Indiana are most successful across a number of metrics. CTI also hosted a forum on HIEs to discuss the paper.

Executive Summary

The United States faces a number of large-scale policy challenges. Economic development, job creation, deficit reduction, tax reform, health care, immigration, and national security all represent areas of high political, policy and organizational complexity. Each one faces enormous contentiousness over vision, goals, strategies, and tactics. There is little agreement on basic approaches to these policy subjects, and there are multiple organizations and government jurisdictions involved in administration and implementation. The sheer complexity of action in these areas makes it difficult to resolve conflict and implement effective solutions.

In this paper, we analyze state health information exchanges (HIEs) as an example of what MITRE researcher John Piescik calls “megachange” challenges.[ii] According to the U.S. Department of Health and Human Services, HIEs are “efforts to rapidly build capacity for exchanging health information across the health care system both within and across states.”[iii] This includes insurance information for those without coverage and clinical and medical data in order to connect health care providers and payers. The goals are to increase the flow of information across relevant organizations and improve the efficiency and effectiveness of the health care system.

These organizational innovations are an interesting example of policy change in a big and complex area. Health care represents nearly one-sixth of the overall economy and has costs that are growing well beyond the inflation rate. There are multiple actors such as patients, physicians, hospitals, vendors, payers, and advocacy organizations that are important to health care. It generally has been difficult to forge policy agreements among the various constituencies who are involved in this domain.

To develop a better understanding of megachange and health care, we look at a variety of questions. Using interviews, case studies, and documentary research, we study how state-level HIEs are implemented, what drives policy and organizational change, what the opportunities for action are, what barriers come up, and how HIEs are moving forward to overcome particular problems.

Briefly, we find that state health information exchanges have made progress in establishing organizational frameworks, building technology-based connections, and bringing relevant groups to the table for discussion. However, barriers remain in terms of governance, financing, and policy vision. Many states and localities have experienced difficulties in producing consensus on strategies and approaches, and identifying consistent revenue streams. Some question whether the state level is the proper unit for HIEs given natural marketplaces centering on localities or regions. Until those problems are overcome, it will be impossible for HIEs to achieve their full potential.

These findings have ramifications for U.S. efforts to bring large-scale change to many different policy areas. Our analysis suggests that for megachange efforts to be effective, policymakers must present a clear vision, achieve consensus on key objectives, overcome organizational and market fragmentation, and work effectively with a range of different constituencies. There needs to be adequate financial resources and sustainable business models to support proposed changes and public and private leaders must have incentives to work well together in relationships based on mutual trust.

Download full paper » (PDF)

References

[i] Kent Weaver, “But Will It Work?: Implementation Analysis to Improve Government Performance,” Issues in Governance Studies, February, 2010.

[ii] John Piescik, “Megachange: Leading Change Across Multiple Large Organizations,” McLean, Virginia: MITRE Center for Enterprise Modernization Technical Report MTR070320, November, 2007.

[iii] U.S. Department of Health and Human Services, “State Health Information Exchange Cooperative Agreement Program,” August 10, 2011.

Downloads

Download Full Paper

Authors

Image Source: Bluestocking

Combating Botnets: Strengthening Cybersecurity Through Stakeholder Coordination

Fri, 16 Dec 2011 13:30:00 -0500

Event Information

December 16, 2011
1:30 PM - 3:30 PM EST

Falk Auditorium
The Brookings Institution
1775 Massachusetts Ave., NW
Washington, DC

Millions of American computers have been compromised and are remotely controlled for a variety of malicious purposes in botnets, enabling online crime and aggression. In September, the Departments of Commerce and Homeland Security issued a Request for Information to explore developing a voluntary industry code of conduct to respond to botnets. Internet Service Providers (ISPs), security firms, advocacy groups and citizens submitted comments on how these networks can be detected, how ISPs can notify customers whose computers are affected and how to improve cybersecurity with the appropriate distribution of responsibilities.

Follow and contribute to this event via Twitter using #TechCTI.

On December 16, the Center for Technology Innovation at Brookings will host a discussion examining how government agencies, private firms and citizens can work together to combat the cybersecurity risks associated with botnets. Representatives of the Department of Commerce and the Department of Homeland Security will present their conclusions from the Request for Information on the industry's options for moving forward. In addition, a panel of experts will explore the need for stakeholder cooperation and coordination in fighting botnets, how to engage citizens in strengthening cybersecurity, and the challenges of measuring progress. The discussion will highlight the importance of well-crafted public-private partnerships and careful governance in addressing cybersecurity risks.

After the program, speakers will take audience questions.

Audio

Combating Botnets: Strengthening Cybersecurity Through Stakeholder Coordination

Transcript

Uncorrected Transcript (.pdf)

Event Materials

20111216_botnets

Participants

Panelists

Bruce McConnell

Counselor to the National Protection and Programs Directorate Deputy Under Secretary
U.S. Department Of Homeland Security

Ari Schwartz

Senior Advisor to the Secretary on Technology Policy and Member of the Internet Policy Task Force
U.S. Department of Commerce

Sameer Bhalotra

Deputy Cybersecurity Coordinator, National Security Staff
The White House

Jamie Barnett

Chief of the Commission's Public Safety and Homeland Security Bureau
Federal Communications Commission

Michael Kaiser

Executive Director
National Cyber Security Alliance

Brent Rowe

Senior Economist
RTI International

Hacktivism, Vigilantism and Collective Action in a Digital Age

Fri, 09 Dec 2011 10:00:00 -0500

Event Information

December 9, 2011
10:00 AM - 11:30 AM EST

Falk Auditorium
The Brookings Institution
1775 Massachusetts Ave., NW
Washington, DC

Radical online activism is a new public policy challenge, with groups such as Anonymous being described as everything from terrorist organizations to freedom fighters. With activities ranging from attacking government websites to revealing private information about targeted organizations, these groups have commanded the public’s attention with often-subversive cyberactivism. Policymakers and technology experts are working in particular to understand Anonymous’s origins and motives—and how it functions with no leaders, hierarchy or structure—in order to develop appropriate policy responses to this new type of online collective action.

On December 9, the Center for Technology Innovation at Brookings will host a discussion exploring the impact of "hacktivism" and vigilantism in a digital age. Panelists will examine the environment in which it emerged, implications for developing an effective cybersecurity agenda and how public policies can help deter particularly malicious behavior without quashing internet freedom.

After the program, speakers will take audience questions.

Audio

Hacktivism, Vigilantism and Collective Action in a Digital Age

Transcript

Uncorrected Transcript (.pdf)

Event Materials

20111209_hacktivism

Participants

Panelists

Gabriella Coleman

Professor
New York University

Richard Forno, Ph.D.

Cybersecurity Graduate Program Director
UMBC

Paul Rosenzweig

Principal, Red Branch Consulting
Lecturer in Law, George Washington University

How Mobile Technology is Reshaping the Global Landscape

Thu, 08 Dec 2011 14:00:00 -0500

Event Information

December 8, 2011
2:00 PM - 3:30 PM EST

Falk Auditorium
The Brookings Institution
1775 Massachusetts Ave., NW
Washington, DC

With smart phones now outnumbering personal computers, there has been a sea change in the way people access and share information. Powerful mobile devices and sophisticated digital applications enable users to build businesses, access financial and health care records, expand educational opportunities, conduct research and complete transactions anytime, anywhere.

On December 8, the Center for Technology Innovation at Brookings launched a new mobile economy project, which will examine and document the impact of the mobile revolution on the economies of developed and developing countries, with a forum exploring how mobile technology can ease the everyday lives of Americans. Darrell West, vice president and director of Governance Studies, moderated a discussion with Chris Dede of Harvard University and Allan Friedman of the Brookings Institution. Peggy Johnson, executive vice president and president of Global Market Development at Qualcomm, provided opening remarks.

After the program, panelists took questions from the audience.

This event was discussed on Twitter using the hashtag #CTIMobile.

Video

How Mobile Technology is Reshaping the Global Landscape

Audio

How Mobile Technology is Reshaping the Global Landscape

Transcript

Uncorrected Transcript (.pdf)

Event Materials

20111208_mobile_technology

Participants

Panelists

Peggy Johnson

Executive Vice President and President, Global Market Development
Qualcomm

Chris Dede

Timothy E. Wirth Professor in Learning Technologies, Graduate School of Education
Harvard University

Cybersecurity in the Balance: Weighing the Risks of the PROTECT IP Act and the Stop Online Piracy Act

Allan A. Friedman — Tue, 15 Nov 2011 10:40:00 -0500

Executive Summary

Cybersecurity has dominated headlines and the attention of American policymakers. The challenge is not in recognizing the problem, but in understanding how to balance cybersecurity efforts with other policy priorities and scarce resources. Two new bills designed to combat foreign websites that infringe on American intellectual property present one of the first such decisions to Congress: how can we balance the defense of cyberspace and defense against online piracy when the two conflict?

The Senate bill S.968, or the PROTECT IP Act, and the House bill H.R. 3261, the Stop Online Piracy Act, have raised a great deal of controversy. This paper does not deal with the questions of economic value, free expression or other issues raised by advocates on both sides. Instead, I highlight the very real threats to cybersecurity in a small section of both bills in their attempts to execute policy through the Internet architecture. While these bills will not “break the Internet,” they further burden cyberspace with three new risks. First, the added complexity makes the goals of stability and security more difficult. Second, the expected reaction of Internet users will lead to demonstrably less secure behavior, exposing many American Internet users, their computers and even their employers to known risks. Finally, and most importantly, these bills will set back other efforts to secure cyberspace, both domestically and internationally. As such, policymakers are encouraged to analyze the net benefits of these bills in light of the increased cybersecurity risks.

Risks of Tampering with the Network

The Domain Name System (DNS) is a critical part of the Internet infrastructure, not just for the user seeking to access web pages, but for almost any operation, research question or network maintenance tool used to cross between organizational and network boundaries. Some interference with the DNS is not unheard of, but it should be done only after careful consideration, and with the full participation of Internet stakeholders.

The bills call for operators of DNS resolvers to "prevent the domain name described in the order from resolving." This is, in effect, lying. As we shall see below, this may sometimes be acceptable, but again must be done with care so as not to interfere with other aspects of network operation.

The broader Internet community has had the chance to judge the appropriateness of other attempts to return misleading results. Some network operators take advantage of imperfectly typed URLs to direct users to a landing page, rather than return the expected error message Non-Existent Domain (NXDOMAIN). A browser receiving the result NXDOMAIN might return an error “server not found.” With a DNS redirect, however, the user is taken to a search page that may assist her, but may also display advertisements. One vendor who enables this capacity claims that a service provider can earn $1-3 per subscriber with this service.[i] While DNS redirect for this purpose is not uncommon, many Internet experts do not view it favorably. Internet Corporation for Assigned Names and Numbers’ (ICANN) Security and Stability Advisory Committee (SSAC) cautioned that interfering in DNS responses “can create unpredictable responses,”[ii] and another ICANN advisory group concluded that the practice “create[s] a reasonable risk of a meaningful adverse effect on security and stability.”[iii] The SSAC has recommended that new top level domains be prohibited from using redirection.[iv] Clearly, this practice is viewed with apprehension by the body governing the domain name system.

Part of the threat of redirects is the potential for malicious misuse. The DNS system is based on trust between resolution servers. If an intermediary between the client and the authoritative server is untrustworthy, they can inject an incorrect record, diverting the client to a server other than the intended Internet resource. To make this system more trustworthy, the Internet Engineering Task Force (IETF) developed the Domain Name System Security Extensions (DNSSEC), which uses a set of chained cryptographic signatures to establish trust between the authoritative name server (such as the .com servers) and the recursive resolving servers used to translate from a desired URL to the IP address. This protocol allows correct responses to be provably valid, and incorrect responses to be identified as false. DNSSEC is seen as a needed security improvement for the Internet by both technical experts and the U.S. government. U.S. officials have viewed DNSSEC as important for its own systems, as well as the commercial Internet, since at least 2003. Deployment is proceeding slowly, but with the coordination and support of public and private efforts.

Because DNSSEC is designed to prevent malicious redirection of DNS traffic by verifying that DNS responses have not been tampered with, other forms of redirection will break the assurances from this security tool. Engineers from Comcast, in a circulated IETF working paper, clearly state, “It is critically important that service providers understand that adoption of DNSSEC is technically incompatible with DNS redirect.”[v] If the client is configured to recognize DNSSEC responses, any intercept will trigger the responses of an attempted man-in-the-middle attack. For the purposes of the bills in this paper, this response may be thought to have little policy impact since the goal is to prevent access in the first place. There are two adverse consequences, however. The first is that, without a reliable and standardized warning mechanism, the user may be unable to distinguish between malicious and illegal resources. The second is that one acceptable response to a DNSSEC failure is to query other recursive resolvers to confirm that the resource is not valid and available. This could violate the goals of the bills since these servers may be outside the jurisdiction of the United States.

It is important to acknowledge that DNS redirection may not always be bad for cybersecurity. Indeed, some domains are known to be security risks, hosting malware or serving as a critical link in the communication and coordination of botnets. As researchers identify which domains pose risks, DNS administrators may want to block them. A new tool called Response Policy Zones (RPZ) allows administrators to select lists of domains with bad reputations (assembled by anyone they might trust) and block their users.[vi] RPZ, designed to counter malicious behavior online, essentially creates the functionality called for in the bills to block domains specified by a trusted third party, with the potential to redirect the browser to an arbitrary notice page. However, there are key differences between RPZ and the bills’ proposals.

First, RPZ engineers acknowledge that, as it exists, there is no easy way to make RPZ work well with DNSSEC. This will ultimately require some modification to DNSSEC to incorporate the error messages following an intercepted query. But because DNSSEC will take some time to fully deploy at the user level, there will be time to explore the most efficient means to implement this change. And because these protocols are implemented in voluntarily by network administrators trying to maximize the security of their networks, an appropriate balance can be found by each administrator.

Second, the legal mandate for the bills’ block-list increases the complexity of the DNS network administration. PROTECT IP applies to every “operator of a non-authoritative domain name system server,” including local ISPs and even small businesses that run their own networks. Each network must have the capacity to easily alter what can be accessed on their network, regardless of the preferences of the network administrator and her resources and capacities. Security expert Susan Landau observes that adding points of insertion or observation can dramatically alter the security of a system.[vii] Perhaps the largest difference, of course, is that RPZ is voluntary—and ideally in the interest of the user. In a competitive market, users who find one service provider’s implementation too broad or narrow can go to another. If the users do not believe that a black list is in their interest, they will find ways around it, as explored below.

Tinkering with DNS by mandating false responses may not break the Internet, but it certainly bends it, and introduces new complexities. The security community understands that these risks must be carefully studied before there is widespread deviation from the accepted standards.

Unintended Consequences Introduce New Risks

By preventing American users from accessing foreign websites, the bills’ clear aim, insofar as they deter Americans from supporting behavior that infringes on intellectual property, is to stop piracy. Past efforts to halt piracy do sometimes have limited success, but they also succeed in changing the behavior of millions of Americans to find other means of accessing this content. Any analysis of these bills must therefore explore the consequences of these new behaviors. The DNS blocking of foreign websites is not only trivial to defeat, but many work-arounds will definitely have dangerous unintended consequences.

The bills seek to block access to foreign infringing websites by preventing American domain name servers from translating the infringing domain name into its Internet address. This is trivial to defeat on many levels, as has already been chronicled widely.[viii] One of the easiest and most direct methods is simply to use a DNS server that is located outside of the bills’ jurisdiction in another country. This requires minimal computer expertise.[ix]

Before exploring the harms of using a non-trusted DNS server, is there any reason to expect users to change their behavior en masse? The data says yes. Those seeking infringing content have always responded to legal and technical countermeasures by shifting their habits. From Napster to Kazaa to LimeWire to BitTorrent to illegal streaming websites, users adapt by the millions. When the RIAA succeeded in shutting down the peer-to-peer client LimeWire in 2010, use of a similar client FrostWire more than doubled within 3 months.[x] When Sweden passed a law requiring service providers to turn over identity information on infringers, demand for both paid and unpaid anonymity services skyrocketed “beyond all expectations.”[xi] It would be incredibly naïve to expect anything other than attempts to evade DNS blocking, and using DNS servers outside the U.S. is the easiest path.

This introduces huge risks to American Internet users. These DNS servers can sit as the “man-in-the-middle” on all Internet transactions, allowing the possible compromise of almost any Internet transaction. The attacker can pass along the legitimate website during the attack, preventing the user from realizing that an attack is ongoing. Even the use of encryption (such as SSL or https) will not help. The attacker can not only compromise web traffic, but email as well. There already exists malware that forces victims to use remote, rogue DNS servers to maliciously redirect traffic to key financial websites.[xii] The operators behind these attacks will undoubtedly seek to gain further traffic to these servers.

The risks of malware, financial fraud and espionage will not fall exclusively on the users guilty of infringement. Rather, they will be shared by anyone who shares a network with these users. It is easy to imagine a teenager altering the family PC to access a foreign infringing domain, but leaving the computer compromised for the family’s other uses, including banking, accessing government websites and even work.

Even if the foreign DNS servers are benign and supervised by an open source community, there is still a destabilizing effect. Content Deliver Networks (CDNs), such as Akamai, that make it easier and cheaper to send large files over the Internet by replicating it many times across the Internet. Some CDNs use the DNS request to determine the closest and most efficient content server.[xiii] Foreign domain requests will confuse this system, leading to greater inefficiencies and instability. Interestingly enough, this can lead to slower content deliver from paying, legitimate sites, further increasing the incentives for infringement. ISPs also use local DNS information to better manage their networks; the less complete this data is, the less informed decisions will be.

Cybersecurity Policy

Many cybersecurity issues require international coordination. The GAO has identified 19 international organizations relevant to Internet governance, each with a different set of stakeholders and counter-parties.[xiv] In each forum, the United States must be seen as a good faith actor, seeking to promote global security in cyberspace without advancing alternate agendas. The policies must not be perceived as conflicting with other values, such as openness and limited governance. While many would agree that any measure is acceptable to prevent intellectual property infringement, some might see this as a signal of what values the U.S. will emphasize—and what it will implicitly devalue. As the Council on Foreign Relations’ Rob Knake notes, “If the United States fails to provide the leadership necessary to address the security problems, other states will step in.”

It is important to remember that the United States occupies a unique position in Internet governance. The Internet was invented here, and many of its key institutions remain affiliated with the federal government. U.S. companies support much of the Internet architecture. This dominant position has not gone unnoticed from those who would prefer a more globally representative governing structure. This would necessarily involve reducing U.S. influence in key security-relevant bodies.

American representatives across the government have worked hard to focus the international dialogue on “cybersecurity,” without permitting discussion to be reframed as “information security,” which can include policing of content instead of just actions. This position is undermined by domestic bills that focus on content at the expense of cybersecurity. It will be hard to argue with other nations that discussions should focus on preventing malicious behavior, rather than stamping out illegal content—a category into which many other nations put political speech. Indeed, other observers have pointed out the challenges in reconciling these anti-infringement bills with America’s stated agenda of Internet Freedom, particularly SOPA’s anti-circumvention prescriptions.

Lastly on the international front, it is important to remember the difficulties in perfectly mapping the Internet to national boundaries. It is highly likely that DNS blocking will spill over into other countries. In 2010, China’s internal attempts to block certain websites via DNS spilled over to the broader Internet.[xv] The U.S.-China Economic and Security Review Commission's Annual Report to Congress noted, “The implications of China’s effort to impose ‘localized’ restrictions to something as inherently global in scope as the Internet.”[xvi] Since the United States’ networks are so centrally positioned in the global information infrastructure, there is a good chance that foreign DNS queries will pass through U.S. resolvers. Other countries may object to our unilateral enforcement without adequate international normalization or even discussion.

Domestically, the bills pose three principle risks, based on expectations and trust. First, by mandating an unpopular enforcement mechanism to the ISP, users may grow to trust their ISPs less, even as service providers play an increasingly large role in American cybersecurity policy. If the user is treated as an enemy, it makes winning consumer acceptance for other efforts all the more difficult. A recent proposal from the National Institute of Standards and Technology would have ISPs detect botnets on customers’ machines and work with them for remediation. This requires user trust and a belief that user security is a higher priority for the service provider than other business interests. The ISPs also depend on user trust to make the entire network better off. By studying pooled DNS lookups across a large set of users, security researchers can learn a great deal about attacks based on data referred to as Passive DNS. This data will be incomplete if users evade the DNS blocks en masse, as discussed above.

Expectations also drive investment, and new investment can happen under the jurisdiction of these bills, or outside the country. Without engaging in the larger debate of how this bill will impact long-term economic growth, there is a security issue in jurisdiction. If the provisions in the bills that allow rights holders to go after domestic assets drive these assets offshore, they can make the fight against other illegal digital activities harder to pursue. As new Top Level Domains are issued by ICANN, their supporters may push for offshore control. Similarly, if attacks against website monetization tools, including ad networks and payment networks become too aggressive, offshore alternatives will emerge. American law enforcement and intelligence will have less leverage over these. If one acknowledges that there are cybercrime issues other than intellectual property infringement, such as child pornography or financial fraud, then a long-term enforcement tradeoff will be made. Making it more efficient to drive potential wrongdoing away from America’s jurisdiction may ultimately hinder law enforcement.

Finally, and perhaps most importantly, the bills set a certain expectation with respect to the relative importance of cybersecurity versus industry profitability. There is always a tradeoff between economic efficiency and security. As technology evolves, each sector of the economy discovers new risks, just as they discover new benefits. These bills offer an explicit tradeoff: protecting the economic value of intellectual property from a narrow type of infringement against a larger and more diffuse set of security priorities.

Cybersecurity policymakers will only encounter this tradeoff more frequently. The costs of the status quo must be measured against the security risks of mandating a change in the Internet architecture. Unfortunately, it is always easier to estimate actual business models than uncertain security risks. This is why market solutions for cybersecurity are particularly challenging.[xvii] If securing the power grid harms the business model of energy companies, will Congress still act to ensure our critical infrastructure is less vulnerable to attack?

Will Cybersecurity Be a Priority?

Threats from cyberspace present serious challenges, yet no one suggests that we turn off the Internet to protect ourselves. Similarly, while digital entertainment is a key part of the economy, few argue that we lock down all networks and devices for perfect enforcement of intellectual property. The question is where the balance will be struck.

The risks from the proposed policies are diffuse, and the harms of a perturbed ecosystem, exposed Americans and a more difficult cybersecurity agenda lie in the future. Yet they are real—and will have concrete, negative impacts on our nation’s ability to defend itself, endangering everyone from the average user to shapers of international policy. This will be the first legislation that pits our cybersecurity priorities against entrenched economic interests, highlighting a very real social choice. Congress’ actions on PROTECT IP and SOPA will offer some insight into whether policymakers are genuinely prepared to take cybersecurity seriously.

[i] Xerocole Solutions. http://www.xerocole.com/solutions/

[ii] “SAC 032 Preliminary Report on DNS Response Modification,” ICANN Security and Stability Advisory Committee, June 2008; www.icann.org/en/committees/security/sac032.pdf.

[iii] ICANN Registry Services Technical Evaluation Panel Report on Internet Security and Stability Implications of the Tralliance Corporation search.travel Wildcard Proposal (2006)

[iv] “SAC041: Recommendation to Prohibit Use of Redirection and Synthesized Responses by New TLDs,” ICANN Security and Stability Advisory Committee (2009) www.icann.org/en/committees/security/sac041.pdf.

[v] Creighton, T., Griffiths, C., Livingwood, J., and Weber, R. “DNS Redirect Use by Service Providers. Internet Draft draft-livingood-dns-redirect-03.” (2010) http://tools.ietf.org/html/draft-livingood-dns-redirect-03

[vi] ISC. BIND 9 Administrators Reference Manual, 2011. See 6.2.16.19 and 6.2.16.20

[vii] Landau, Susan. Surveillance or Security? The Risks Posed by New Wiretapping Technologies. MIT Press, 2011

[viii] See, e.g., Wilson, Drew. “8 Technical Methods That Make the PROTECT IP Act Useless.” www.zeropaid.com/news/95013/8-technical-methods-that-make-the-protect-ip-act-useless/

[ix] See, e.g., http://windows.microsoft.com/en-US/windows7/Change-TCP-IP-settings.

[x] Sandoval, Greg. "Study: LimeWire demise slows music piracy" http://www.news.cnet.com/8301-31001_3-20046136-261.html

[xi] Simpson, Peter Vinthagen. New law increases demand for anonymous web surfing www.thelocal.se/18658/20090403/#

[xii] David Dagon, Chris Lee, Wenke Lee, Niels Provos . “Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority”, , Proc. 15th Network and Distributed System Security Symposium (NDSS), 2008.

[xiii] Vixie, Paul. What DNS is Not. ACM Queue, 2009. http://queue.acm.org/detail.cfm?id=1647302.

[xiv] Cyberspace: United States Faces Challenges in Addressing Global Cybersecurity and Governance. GAO-10-606 July 2, 2010

[xv] Zmijewski, Earl. "DNS: When Governments Lie." http://www.renesys.com/blog/2010/11/dns-when-governments-lie-1.shtml

[xvi] USCC. 2010 Annual Report to Congress. http://www.uscc.gov/annual_report/2010/Chapter5_Section_2(page236).pdf

[xvii] Friedman, Allan. Economic and Policy Frameworks for Cybersecurity Risks. (2011) www.brookings.edu/papers/2011/0721_cybersecurity_friedman.aspx

Authors

Allan A. Friedman

Image Source: Â© Hyungwon Kang / Reuters

The Cybersecurity Agenda: Policy Options and the Path Forward

Wed, 26 Oct 2011 10:00:00 -0400

Event Information

October 26, 2011
10:00 AM - 12:00 PM EDT

Falk Auditorium
The Brookings Institution
1775 Massachusetts Ave., NW
Washington, DC

Cybersecurity has emerged as a policy priority for both the White House and Congress, and bipartisan consensus on how to address cyber-related challenges is growing. Yet the transition from focusing on isolated threats to building comprehensive cybersecurity solutions has not been entirely seamless. While there is plenty of common ground between the administration’s proposals and legislation proposed by both parties, a number of difficult policy questions remain unanswered.

On October 26, the Center for Technology Innovation at Brookings hosted a forum on cybersecurity challenges and policy options. Congressman James R. Langevin (D-R.I.) delivered a keynote address on his views of the path forward for cybersecurity policy, addressing not only proposed legislation, but the political context that will shape future policy decisions. A panel of experts explored short-term priorities, as well as mapped out the future landscape, with a particular focus on law enforcement, education and the relationship between government and the private sector.

After the program, speakers took audience questions.

Audio

The Cybersecurity Agenda: Policy Options and the Path Forward

Transcript

Uncorrected Transcript (.pdf)

Event Materials

20111026_cybersecurity

Participants

Panelists

Rep. James R. Langevin (D-R.I.)

Co-Founder and Co-Chairman of the House Cybersecurity Caucus
U.S. House of Representatives

Jaak Aaviksoo

Minister of Education and Research and former Minister of Defense
Government of Estonia

James B. Longley

CEO, Diritech, LLC.
Former Representative (R-ME), U.S. Congress

Michael R. Nelson

Research Associate, CSC Leading Edge Forum
Adjunct Professor, Internet Studies, Georgetown University

The America Invents Act: A Patent Law Game-Changer

Fri, 30 Sep 2011 14:00:00 -0400

Event Information

September 30, 2011
2:00 PM - 3:30 PM EDT

Falk Auditorium
The Brookings Institution
1775 Massachusetts Ave., NW
Washington, DC

The American Invents Act of 2011 (AIA) represents the most significant overhaul of the U.S. patent system in a generation. The AIA transforms how patents are obtained, challenged, and valued in acquisition, licensing, and litigation settlement discussions. The new law also transitions the United States away from a “first to invent” system to the “first inventor to file” approach used by most other nations.

On September 30, the Center for Technology Innovation at Brookings hosted a forum about the AIA, its key components and regulatory scope, and its impact on protecting and spurring innovation in the United States. Under Secretary of Commerce for Intellectual Property and Director of the U.S. Patent and Trademark Office (USPTO) David Kappos offered insights into how the AIA changes USPTO operations and its role in the U.S. patent filing and protection system.

After the program, Director Kappos and panelists took questions from the audience.

This event was followed on Twitter using #Invents.

Video

Audio

The America Invents Act: A Patent Law Game-Changer

Participants

Moderator

Panelists

David Kappos

Under Secretary of Commerce for Intellectual Property
Director of the U.S. Patent and Trademark Office

Walter G. Park

Associate Professor
American University

John R. Thomas

Professor of Law
Georgetown University

Economic and Policy Frameworks for Cybersecurity Risks

Allan A. Friedman — Thu, 21 Jul 2011 14:27:00 -0400

Abstract

Congress and the Obama administration have advanced dozens of proposals addressing cybersecurity. While many of these bills propose admirable policies, they often attempt to address a wide range of issues under a poorly matched set of frameworks.

This paper offers three observations built around a framework of risk management to help focus the discussion. First, we caution against conflating different threats simply because they all involve information technology. Crime, espionage and international conflict are very different threats, and grouping them together can lead to poorly framed solutions. Second, we argue that looking at cybersecurity from the perspective of economics can offer important insight into identifying important policy opportunities. Finally, we suggest a series of governance frameworks that can be used in a complementary fashion to address many of the issues discussed.

Introduction

A frequent refrain is that the Internet was not designed with security in mind. While this is true, it fails to capture the nature of the problem: risk is a part of information systems. It is not simply a matter of bolting on security components, or even building a new, trustworthy network to handle our key transactions. The fact is that the risk has been there all along, and there are no direct, technical solutions to addressing systematic risk. Risk is a natural side effect of complex systems. Security itself is a subcomponent of risk; the past few years have demonstrated that a country is just as likely to be knocked off the internet by a typo (Mills, 2009) or a scrap metal scavenger (Parfitt, 2011) as they are by an unfriendly neighbor.

One can draw an analogy to the state of the world at the publication of Rachel Carson’s Silent Spring. Her book did not introduce the risks to a world dependent on heavy industry and toxic pesticides. The dangers were present, but increased awareness forced a decision of how to adapt as a society. What threats will we protect ourselves against, what will we tolerate for the sake of efficiency, and what risk will remain exposed simply because we cannot overcome the policy problems to fix it?

As of July, 2011, Congress was considering or about to consider 22 bills on cybersecurity, in addition to proposed legislation from the White House (CSIS, 2011). While many of these bills propose admirable policies, they still attempt to address a wide range of issues under a poorly matched set of frameworks. This paper offers three observations to help focus the discussion:

First, we caution against conflating different threats simply because they all involve information technology. Crime, espionage and international conflict are very different threats, and grouping them together can lead to poorly framed solutions.
Second, we argue that looking at cybersecurity from the perspective of an economist can offer important insight into identifying important policy opportunities.
Finally, we suggest a series of governance frameworks that can be used in a complementary fashion to address many of the issues discussed. It is important to note that this essay does not attempt to address every challenge we face in addressing the risks in our information infrastructure, but rather offers an approach to thinking about that risk more generally.

Downloads

Download the Paper

Authors

Allan A. Friedman

A New Framework for Consumer Data Privacy Protections

Thu, 21 Jul 2011 15:30:00 -0400

Event Information

July 21, 2011
3:30 PM - 5:00 PM EDT

Falk Auditorium
The Brookings Institution
1775 Massachusetts Ave., NW
Washington, DC

The U.S. Department of Commerce’s Internet Policy Task Force is leading the Obama administration’s efforts to protect consumer privacy and promote innovation in the global digital economy. The task force’s new privacy framework will articulate a set of principles that define rights and obligations concerning personal data: a “consumer privacy bill of rights.” A core element of the framework is a multi-stakeholder process that will serve to translate these general principles into more specific and legally enforceable codes of conduct that apply to specific business contexts. Under the Department of Commerce strategy, the Federal Trade Commission will have the authority to enforce compliance with the code against companies that subscribe to the framework.

The FTC staff’s proposed framework called for companies to follow principles of privacy by design, give consumers clearer choices about how their data is used, and provide greater transparency of their data use practices. The Commission has sought public comment on its proposed framework and expects to issue a final report later this year.

On July 21, the Center for Technology Innovation at Brookings hosted a discussion featuring Jon Leibowitz, Chairman of the Federal Trade Commission, and Cameron F. Kerry, General Counsel of the U.S. Department of Commerce, who shared their views on the Department of Commerce and FTC's strategies to protect consumer privacy while ensuring continued innovation on the Internet.

After the program, speakers took audience questions.

Transcript

Uncorrected Transcript (.pdf)

Event Materials

20110721_consumer_privacy

Participants

Panelists

Cameron F. Kerry

General Counsel
U.S. Department of Commerce

Jon Leibowitz

Chairman
The Federal Trade Commission

Mark Cooper

Director of Research
Consumer Federation of America

Cybersecurity: Incentives and Governance

Thu, 21 Jul 2011 10:00:00 -0400

Event Information

July 21, 2011
10:00 AM - 12:00 PM EDT

Falk Auditorium
The Brookings Institution
1775 Massachusetts Ave., NW
Washington, DC

Despite a rush of media stories, academic research, Capitol Hill briefings, and increased attention from policymakers, the priorities and risks of cybersecurity remain ill-defined and poorly understood. Even knowledgeable experts tend to mistakenly blur separate threats that span the range of crime, espionage, and global conflict, each of which have a unique set of actors, incentives and priorities.

On July 21, the Center for Technology Innovation at Brookings hosted a panel discussion to clarify and refine policy discussions surrounding the risks built into our information technology systems. Panelists evaluated how economic concepts—including externalities, information asymmetries and the network effect—can help us understand how to reward good security practices and punish bad ones, and discussed how these concepts can be embedded in a range of governance mechanisms to better evaluate the alignment of public priorities and private incentives.

After the program, speakers took audience questions.

Audio

Cybersecurity: Incentives and Governance

Transcript

Uncorrected Transcript (.pdf)

Event Materials

20110721_cybersecurity

Participants

Moderator

Panelists

Larry Clinton

President and CEO
Internet Security Alliance

Bruce McConnell

Senior Counselor and Director, Cyber+Strategy, National Protection and Programs Directorate
U.S. Department of Homeland Security

@ Brookings Podcast: Internet Privacy and Security

Allan A. Friedman — Fri, 20 May 2011 14:49:00 -0400

The Internet is central to our modern economy and personal lives, but online privacy and trust are often in conflict. Allan Friedman, fellow and research director for the Center for Technology Innovation at Brookings, says that if people are unwilling to share their information, entire parts of the information economy could collapse. Friedman explores the security of private information on the Internet, what individuals, governments and business can do to keep information safe, and how we allow our data to be used.

previous play pause next

mute unmute

@ Brookings Podcast: Internet Privacy and Security 5:34

Right-click (ctl+click for Mac) on 'Download' and select 'save link as..'

Get Code

Copy and paste the embed code above to your website or blog.

Video

Internet Privacy and Security

Audio

@ Brookings Podcast: Internet Privacy and Security

A. Alfred Taubman Forum on Improving Government Performance

Tue, 22 Mar 2011 08:30:00 -0400

Event Information

March 22, 2011
8:30 AM - 1:00 PM EDT

Falk Auditorium
The Brookings Institution
1775 Massachusetts Ave., NW
Washington, DC

Federal government performance is at a crisis point. According to a recent CNN/Opinion Research national survey, 86 percent of Americans believe the federal government is broken. Voters view government agencies as inefficient and wasteful, trust in government is at an all-time low and most Americans do not view elected officials as effective problem-solvers.

On March 22, the Brookings Institution hosted a half-day conference on improving government performance, efficiency and effectiveness. The second annual A. Alfred Taubman Forum convened leaders from government, academia, and administrative agencies to discuss concrete policy actions to improve federal government performance and to overcome obstacles that hinder good governance. Questions to be explored included: How can we reform our political institutions? How can we improve federal agency performance? Where will we get our future federal workforce and what is the role of technology in making agencies more transparent and efficient?

To discuss these challenges were Jeffrey Zients, chief performance officer and deputy director, White House Office of Management and Budget; Joseph Goldman, interim executive director, Campaign for Stronger Democracy; and Shelley Metzenbaum, associate director for performance and management, White House Office of Management and Budget.

Following each panel, the participants took questions from the audience.

Video

Transcript

Event Materials

Participants

Panelists

Jeffrey Zients

Deputy Director for Management and Chief Performance Officer
Office of Management and Budget, The White House

Joseph Goldman

Interim Executive Director
Campaign for Stronger Democracy

Kathryn Newcomer

Professor of Public Policy and Public Administration and Director, School of Public Policy and Public Administration
The George Washington University

Shelley H. Metzenbaum

Associate Director for Performance and Personnel Management
Office of Management and Budget, The White House

Defense Challenges and Future Opportunities

Wed, 16 Mar 2011 09:30:00 -0400

Event Information

March 16, 2011
9:30 AM - 4:00 PM EDT

Falk Auditorium
The Brookings Institution
1775 Massachusetts Ave., NW
Washington, DC

On March 16, the 21st Century Defense Initiative at Brookings hosted its second annual Military and Federal Fellow Research Symposium, featuring the independent research produced by the members of each military service, and key federal agencies, who spent the last year serving at think tanks and universities across the nation. Organized by the fellows themselves, it was intended to provide a platform for building greater awareness of the cutting-edge work that America’s military and governmental leaders are producing on key policy issues.

The theme of this symposium was "Defense Challenges and Future Opportunities." After a brief introduction by Peter Singer, director, 21st Century Defense Initiative, panel discussions focused on the fellows’ research findings in the areas of emerging governance, regional insecurity, Department of Defense efforts to harness cyberspace, alliance and regional partnerships, and new challenges in the maritime domain. Major General Lori Robinson, director of Legislative Liaison, Office of the Secretary of the Air Force, and former Brookings federal executive fellow, gave the lunchtime address.

After each panel, the speakers took audience questions.

Transcript

Event Materials

Participants

Panelists

COL Timothy McKernan (USA)

Secretary of Defense Corporate Fellow
"The Future of Iraq: The Bumpy Road on the Highway of Peace and Prosperity"

LtCol Christopher Naler (USMC)

Federal Executive Fellow, The Brookings Institution
"Democracy's Guardians: The Role of the Military in Emerging Democracies"

CAPT Lawrence Vasquez (USN)

Federal Executive Fellow, The Brookings Institution
"The Role of Provincial Reconstruction Teams in Afghanistan"

LtCol Jerry Carter (USMC)

National Security Fellow, Harvard University
"Can the Department of Defense Achieve Cyberspace Superiority?"

COL David Hathaway (USAF)

Federal Executive Fellow, The Brookings Institution
"The Digital Kasserine Pass: Command and Control of DOD Cyberforces"

Bruce MacKay

Defense Intelligence Agency Chair
U.S. Marine Corps University

Maj Gen Lori Robinson

Director, Legislative Liaison
Office of the Secretary of the Air Force

CDR Scott Bunnay (USN)

RAND
"Maritime Disorder and Governance of Ship Registries"

CDR Josh Himes (USN)

Navy Fellow, Center for Strategic and International Studies
"Somali Piracy: Follow the Money"

CDR Jeffrey Randall (USCG)

Federal Executive Fellow, The Brookings Institution
"America's Leatherman Tool: The Coast Guard's Law Enforcement"

COL John Angevine (USA)

Federal Executive Fellow, The Brookings Institution
"Australian Defence White Paper 2009"

Julie Boland

Federal Executive Fellow, The Brookings Institution
"Ten Years of the Shanghai Cooperation Organization"

LtCol Butch Bracknell (USMC)

Marine Corps Fellow, The Atlantic Council
"Naval Expeditionary Force Contributions among Latin American Allies"