The Securities and Exchange Commission (SEC) announced an initiative last week to examine the cybersecurity of 50 securities brokerages.
The initiative is a detailed, high-level questionnaire that derives much of its content from the National Institute of Standards and Technology cybersecurity framework released earlier this year. This could mark the first attempt by a regulator to use the voluntary framework as the basis for mandatory standards. The SEC’s plan is worrisome, since the framework itself has recently come under criticism for the possibility it will “ultimately undermine cybersecurity.”
However, the timing of the SEC’s announcement is filled with irony: Just two days after the announcement, the Government Accountability Office released a report faulting the SEC for its own lax cybersecurity. The report found multiple weaknesses in the SEC’s own cybersecurity management, including:
Access controls: SEC did not consistently protect its system boundary from possible intrusions; identify and authenticate users; authorize access to resources; encrypt sensitive data; audit and monitor actions taken on the commission’s networks, systems, and databases; and restrict physical access to sensitive assets.
Configuration and patch management: SEC did not securely configure the system at its new data center according to its configuration baseline requirements. In addition, it did not consistently apply software patches intended to fix vulnerabilities to servers and databases in a timely manner.
Segregation of duties: SEC did not adequately segregate its development and production computing environments. For example, development user accounts were active on the system’s production servers.
Contingency and disaster recovery planning: Although SEC had developed contingency and disaster recovery plans, it did not ensure redundancy of a critical server.
Cumulatively, these weaknesses decreased assurance regarding the reliability of the data processed by the key financial system and increased the risk that unauthorized individuals could gain access to critical hardware or software and intentionally or inadvertently access, alter, or delete sensitive data or computer programs.
The Heritage Foundation has previously documented the government’s cybersecurity failures and the weaknesses of mandatory regulation. Instead of a top-down regulatory approach, Congress and the Administration should focus on truly cooperative policies with the private sector. For example, one of the most important such policies is information sharing.
To enable better information sharing, Congress should start by removing ambiguities and restrictions against cybersecurity information sharing, allow information to be shared and used more broadly, and offer protections for those who share information with strong liability, regulatory, and Freedom of Information Act safeguards.
“Do as we say, not as we do” regulatory policies will not secure our cyberspace. Congress and the Administration should fix the problems with the government’s own cybersecurity and work on real collaboration and cooperation with the private sector.
Jared Ferris is currently a member of the Young Leaders Program at The Heritage Foundation.