Edward Snowden, the leaker of the National Security Agency (NSA) surveillance programs, was reportedly able to smuggle thousands of classified documents out of the NSA simply with thumb drives. Despite the NSA’s secret and powerful security measures, Snowden later arrived in Hong Kong with four laptops containing classified information.
Three years ago, 22-year-old PFC. Bradley Manning was able to orchestrate a similar national security breach when he stole, and then released, over a million government documents. Manning likewise accomplished this feat by using a thumb drive and other simple portable media devices. Since then, government security agencies have tightly restricted or banned the use of these devices, but it is notoriously hard to enforce such policies.
Even more disturbing, since November 2012, the federal government has experienced at least 16 cybersecurity breaches and failures. Despite the federal government’s inability to police its own cybersecurity, President Obama has issued an executive order that uses a regulatory or standards-based approach to require additional security from private-sector organizations.
The top-down regulatory approach pursued by the Administration and some in Congress is a poor model to impose on the private sector. Instead of enhancing real security, the burden of cybersecurity regulations fosters an atmosphere of compliance. Furthermore, cybersecurity regulations are unable to keep up with or adapt to emerging cyber threats, as the government’s disappointing record makes clear.
Instead, President Obama and Congress should implement cost-effective solutions that encourage innovation, and can adapt to the dynamic world of cybersecurity. One positive alternative is government facilitation of threat and vulnerability information sharing between the private and public sectors. This would allow the government to access the resources and knowledge of the private sector’s cybersecurity efforts and vice versa.
Congress should also promote the development of cyber supply-chain ratings, which would help consumers identify potentially vulnerable or compromised supplies. Malicious hardware poses a danger to the private and public sectors because it is hard to detect, has the ability to compromise huge amounts of sensitive data, and can impair vital government functions. By encouraging the development of supply-chain ratings, organizations would be able to make better, risk-based decisions regarding their cybersecurity.
Also, the government should collaborate with the private sector to educate the U.S. public about cybersecurity risks in order to encourage greater security awareness. For example, while Snowden used thumb drives maliciously, many individuals simply do not think about the ability of thumb drives to spread computer viruses and expose information.
The federal government has had a series of severe cybersecurity breaches in recent years, which have exposed personal information and intelligence secrets. Given the poor track record of the regulatory approach, Congress should enable innovative cybersecurity through sensible, risk-based, and cost-effective policies.