October 22, 2012
A recent investigation into the Department of Labor’s (DOL) secure information systems revealed “very serious” cybersecurity flaws. Taken together with the many other cybersecurity breaches and failures in the federal government, this makes it clear that the government should not be put in charge of cybersecurity regulation of the private sector.
The DOL failures included not following basic cybersecurity practices, such as locking accounts after three failed login attempts. On top of that, more than 75 percent of the accounts inspected “were granted system access privileges exceeding authorization.” Inactive accounts were also not closed in a timely manner.
What does this mean? Without account lockout, any decent hacker would have been able to keep guessing until they cracked the password of a DOL employee or ex-DOL employee whose account wasn’t deactivated, and, given the excess privileges, would then have a good chance of getting access to sensitive information. Considering that the DOL has access to important information—including Social Security numbers and personal data for many (if not all) workers in the U.S.—such failures are inexcusable.
But if the government is not able to fully secure its own systems, why should we put it in charge of setting standards for the private sector? One of the major Senate proposals on cybersecurity seeks to do just that. Furthermore, President Obama is also considering an executive order with similar regulatory elements.
A regulatory approach to cybersecurity would only create a culture of compliance, which, as evidenced by the DOL, usually results in just doing the bare minimum. Additionally, the cyber realm moves too quickly for government regulations to keep up. The most secure measure might be impenetrable today, but a month from now, hackers could have found holes in it.
The U.S. needs to encourage dynamic cybersecurity solutions. Strong information sharing would allow the government and private sector to obtain important information to stop new and different attacks. Lawmakers should explore other solutions that leverage the private sector’s innovation and creativity, such as insurance, before resorting to government regulation.
If the DOL’s cybersecurity failures have an upside, it is that they remind lawmakers that the government can’t just go it alone; it needs to encourage and enable private-sector solutions.