The Department of Homeland Security (DHS) just found out that it had a cybersecurity vulnerability for the past four years that could have led to personally identifiable information being stolen by hackers.
If the government, and specifically DHS, can’t administer its existing cyber standards, then there is no reason to believe it will do a better job when it has to regulate vast portions of the U.S. economy.
The vulnerability was discovered by another law enforcement agency that told DHS that Customs and Border Protection, an agency within DHS, was using a vendor whose systems were not entirely secure. The vulnerability would have allowed hackers to steal Social Security numbers from those DHS was conducting background checks on. While DHS does not believe that any information was lost, the fact that this vulnerability existed for almost four years is very concerning.
More concerning, however, is that some in D.C. want DHS to regulate cybersecurity efforts for whole sectors of the U.S. economy. The President issued an executive order earlier this year that charges DHS with establishing not-so-voluntary cybersecurity standards for companies to comply with. Last year’s Cybersecurity Act of 2012, also known as the Lieberman–Collins bill, used a similar standards-based approach with DHS in charge. However, if DHS couldn’t oversee cybersecurity for its own vendors and contractors, why should we trust it with broader responsibilities?
Regulations and standards are a poor approach to cybersecurity. Regulations are too slow to keep up with the rapidly changing cyber realm. By the time cyber standards are written and implemented, computers will have at least doubled in power, rendering the standards obsolete.
Cyber standards also encourage compliance over true security. A recent report by Representatives Ed Markey (D–MA) and Henry Waxman (D–CA) found that utilities tend to do only the bare minimum in order to comply with regulations. Regulations create this kind of compliance-focused attitude that actually harms cybersecurity efforts. Standards are also concerning because of their potential cost, inflexibility, impact on innovation, and other toxic side effects.
DHS should start improving the security of the government’s networks and work to improve collaborative efforts with the private sector, such as information sharing and analysis of threats. Such efforts are cost-effective, keep up with changing threats, and don’t have the harmful shortcomings of standards.
DHS’s cyber failure, together with many other government cyber breaches and failures, illustrates that government standards do not lead to greater security. Only in D.C. can an approach fail and then be expanded to cover huge new sections of the economy.