Commerce Case Study: Cyberstupid
James Carafano
It would be funny if it all wasn’t so tragic. According to The Washington Post, an agency in the Department of Commerce was so ravaged by a malicious virus that its entire information technology infrastructure, from desktop computers to hand-held cell phones, had to be shut down.
Ironic. The Department of Commerce’s polyglot of offices includes the National Institute of Standards and Technology (NIST), which does some of the federal government’s most cutting-edge work on improving cybersecurity.
Apparently, the folks at Commerce don’t pay much attention to NIST. “Cyber experts have repeatedly pointed to a lack of system security at Commerce,” says the Post. “The agency’s IT systems ‘are constantly exposed to an increasing number of cyber attacks, which are becoming more sophisticated and more difficult to detect,’ Inspector General Todd J. Zinser wrote last year.”
There are two lessons worth learning here.
The first is yet another reminder that malicious cyber-activity becomes a much bigger problem when people act cyberstupid and don’t take safeguarding their networks seriously.
Second, and more important, is that, when it comes to cybersecurity, it is clear that not only does government not always have the answer, but in some cases it proves itself far less competent than the private sector. The latest debacle from the Commerce Department is another cautionary tale reminding us that empowering government to dictate security on the Internet is probably not the best answer.
Even if the government were competent in promulgating regulations and enforcing them (a dubious proposition in and of itself), government does not move at Internet speed. It takes about 18 months to establish regulations and begin to enforce them—during that period, the technologies used online can change dramatically. Giving government more regulatory power over cybersecurity is not a great idea.
Government and the private sector ought to cross-talk more. Promoting effective information sharing is a laudable goal, but it would be even better if folks like those running the information technology programs at Commerce paid attention.