Almost every American adult remembers, in vivid detail, where they were the morning of September 11, 2001. I was on the second floor of the West Wing of the White House, at a National Economic Council Staff meeting — and I will never forget the moment the Secret Service agent abruptly entered the room, shouting: “You must leave now. Ladies, take off your high heels and go!”
Just an hour before, as the National Economic Council White House technology adviser, I was briefing the deputy chief of staff on final details of an Oval Office meeting with the president, scheduled for September 13. Finally, we were ready to get the president’s sign-off to send a federal privacy bill to Capitol Hill — effectively a federal version of the California Privacy Rights Act, but stronger. The legislation would put guardrails around citizens’ data — requiring opt-in consent for their information to be shared, governing how their data could be collected and how it would be used.
But that morning, the world changed. We evacuated the White House and the day unfolded with tragedy after tragedy sending shockwaves through our nation and the world. To be in D.C. that day was to witness and personally experience what felt like the entire spectrum of human emotion: grief, solidarity, disbelief, strength, resolve, urgency … hope.
Much has been written about September 11, but I want to spend a moment reflecting on the day after.
When the National Economic Council staff came back into the office on September 12, I will never forget what Larry Lindsey, our boss at the time, told us: “I would understand it if some of you don’t feel comfortable being here. We are all targets. And I won’t appeal to your patriotism or faith. But I will — as we are all economists in this room — appeal to your rational self-interest. If we back away now, others will follow, and who will be there to defend the pillars of our society? We are holding the line here today. Act in a way that will make this country proud. And don’t abandon your commitment to freedom in the name of safety and security.”
There is so much to be proud of about how the country pulled together and how our government responded to the tragic events on September 11. First, however, as a professional in the cybersecurity and data privacy field, I reflect on Larry’s advice, and many of the critical lessons learned in the years that followed — especially when it comes to defending the pillars of our society.
Even though our collective memories of that day still feel fresh, 20 years have passed, and we now understand the vital role that data played in the months leading up to the 9/11 terrorist attacks. But, unfortunately, we failed to connect the dots that could have saved thousands of lives by holding intelligence data too closely in disparate locations. These data silos obscured the patterns that would have been clear if only a framework had been in place to share information securely.
So, we told ourselves, “Never again,” and government officials set out to increase the amount of intelligence they could gather — without thinking through significant consequences for not only our civil liberties but also the security of our data. So, the Patriot Act came into effect, with 20 years of surveillance requests from intelligence and law enforcement agencies crammed into the bill. Having been in the room for the Patriot Act negotiations with the Department of Justice, I can confidently say that, while the intentions may have been understandable — to prevent another terrorist attack and protect our people — the downstream negative consequences were sweeping and undeniable.
Domestic wiretapping and mass surveillance became the norm, chipping away at personal privacy, data security and public trust. This level of surveillance set a dangerous precedent for data privacy, meanwhile yielding marginal results in the fight against terrorism.
Unfortunately, the federal privacy bill that we had hoped to bring to Capitol Hill the very week of 9/11 — the bill that would have solidified individual privacy protections — was mothballed.
Over the subsequent years, it became easier and cheaper to collect and store massive amounts of surveillance data. As a result, tech and cloud giants quickly scaled up and dominated the internet. As more data was collected (both by the public and the private sectors), more and more people gained visibility into individuals’ private data — but no meaningful privacy protections were put in place to accompany that expanded access.
Now, 20 years later, we find ourselves with a glut of unfettered data collection and access, with behemoth tech companies and IoT devices collecting data points on our movements, conversations, friends, families and bodies. Massive and costly data leaks — whether from ransomware or simply misconfiguring a cloud bucket — have become so common that they barely make the front page. As a result, public trust has eroded. While privacy should be a human right, it’s not one that’s being protected — and everyone knows it.
This is evident in the humanitarian crisis we have seen in Afghanistan. Just one example: Tragically, the Taliban have seized U.S. military devices that contain biometric data on Afghan citizens who supported coalition forces — data that would make it easy for the Taliban to identify and track down those individuals and their families. This is a worst-case scenario of sensitive, private data falling into the wrong hands, and we did not do enough to protect it.
This is unacceptable. Twenty years later, we are once again telling ourselves, “Never again.” 9/11 should have been a reckoning of how we manage, share and safeguard intelligence data, but we still have not gotten it right. And in both cases — in 2001 and 2021 — the way we manage data has a life-or-death impact.
This is not to say we aren’t making progress: The White House and U.S. Department of Defense have turned a spotlight on cybersecurity and Zero Trust data protection this year, with an executive order to spur action toward fortifying federal data systems. The good news is that we have the technology we need to safeguard this sensitive data while still making it shareable. In addition, we can put contingency plans in place to prevent data that falls into the wrong hands. But, unfortunately, we just aren’t moving fast enough — and the slower we solve this problem of secure data management, the more innocent lives will be lost along the way.
Looking ahead to the next 20 years, we have an opportunity to rebuild trust and transform the way we manage data privacy. First and foremost, we have to put some guardrails in place. We need a privacy framework that gives individuals autonomy over their own data by default.
This, of course, means that public- and private-sector organizations have to do the technical, behind-the-scenes work to make this data ownership and control possible, tying identity to data and granting ownership back to the individual. This is not a quick or simple fix, but it’s achievable — and necessary — to protect our people, whether U.S. citizens, residents or allies worldwide.
To accelerate the adoption of such data protection, we need an ecosystem of free, accessible and open source solutions that are interoperable and flexible. By layering data protection and privacy in with existing processes and solutions, government entities can securely collect and aggregate data in a way that reveals the big picture without compromising individuals’ privacy. We have these capabilities today, and now is the time to leverage them.
Because the truth is, with the sheer volume of data that’s being gathered and stored, there are far more opportunities for American data to fall into the wrong hands. The devices seized by the Taliban are just a tiny fraction of the data that’s currently at stake. As we’ve seen so far this year, nation-state cyberattacks are escalating. This threat to human life is not going away.
Larry’s words from September 12, 2001, still resonate: If we back away now, who will be there to defend the pillars of our society? It’s up to us — public- and private-sector technology leaders — to protect and defend the privacy of our people without compromising their freedoms.
It’s not too late for us to rebuild public trust, starting with data. But, 20 years from now, will we look back on this decade as a turning point in protecting and upholding individuals’ right to privacy, or will we still be saying, “Never again,” again and again?