Corporate Information Security Vs Government Legislation: Who Is to Blame For Data Breaches?

Data breaches have become a hot button topic in recent years. From the ransomware attack that breached the National Health Service in the U.K. to the disastrous Equifax breach that just keeps going, major corporations and government entities are discovering that no one is immune to cyber attack.

Where, in the end, does the buck stop? Is there an ultimate responsible party for data security? Should governments be held responsible — at least in part — for the safety and privacy of their citizens if there is an absence of legislative measures to enforce cybersecurity measures? It’s a question with big implications and several answers, depending on one’s position about government spending, what actions constitute overreach, and whether governments are even the most qualified entities to enforce standards because they often prove behind the times in their own operations.

Changing Circumstances May Require More Involved Regulation

In the last couple of decades the meaning of security and the ways in which information is collected, secured, and stolen have changed dramatically. It may be that a national standard of cybersecurity for private businesses is required moving forward, and it may be that governments have an imperative to get involved.

L0pht’s 2018 Senate testimony, revisiting its 20-year-old testimony, identified a number of changing factors in the cybersecurity landscape.

One of the biggest changes concerning this discussion is the rise of “nation state attackers” — cyberattacks performed or sponsored by other nations. There’s a very clear interest for governments like the U.S. and England to get involved in the cybersecurity of their citizens when attacks are being performed on behalf of other countries. It becomes an issue of national defense.

Recent breaches and thwarted attacks in particular have highlighted a government interest in cyber security. The Facebook / Cambridge Analytica scandal appears to be related to potential political manipulation campaigns using the data of U.S. citizens.

Clearly, the interest is there. The fact is that many companies within the U.S. have woefully inadequate security, and something approaching a national set of standards for security measures might go a long way toward keeping citizens safe from foreign intrusion and from the incompetence or greed of some businesses.

Is the Government Best Equipped to Handle Cyber Security?

Some people might argue that the U.S. government is not up to the task of being the arbiter of “good” security. There are some convincing arguments in this corner.

For a start, there’s a considerable amount of wasteful IT spending by government departments. Some reports cite overspending on IT in the millions of dollars, and others mention instances of unused licenses and equipment that, again, cost millions. That kind of spending bloat is unattractive, and in cases of unused licenses, potentially directly harmful to security.

There’s also the question of overreach. Law enforcement agencies and governments have tried before to gain access to sensitive, private information on their own citizens. A government backdoor into encrypted services might well be one measure governments wish to take, but security and privacy include the right to be protected from governments taking liberties with your private data.

High profile breaches around the world are also eroding trust that governments are capable of moving quickly enough to protect their own information.

So there is a question as to whether governments have the ethical authority to dictate cybersecurity. The ethics of data collection and use are a complex and evolving conversation. One big issue is government agencies occasionally coming into conflict with tech companies in disputes over encryption. In several cases, tech companies have been asked by law enforcement to create workarounds for their own security measures. A good deal of criticism has been directed at encryption by politicians and agencies. Whatever the result of these issues, however courts rule and whatever proves to be constitutional or not, there’s a conflict of interest. Asking companies to create cracks in their own security measures isn’t in the best interest of cybersecurity. It might serve other important goals, such as solving major crimes, but these actions erode a government’s moral authority on the importance of security and privacy specifically.

But… Government Interest in Cyber Security is Here to Stay

The cybersecurity field requires leadership, research, and constant vigilance. Governments have a legitimate interest in protecting their citizens from foreign cyber aggression, and there’s no guarantee that a business is any more interested in genuine privacy than a government department. Corporations should have a fiduciary duty when it comes to cybersecurity, and there needs to be better oversight if we’re going to stop future Equifax incidents, or Facebook incidents.

“The government” is not a single entity, after all, and the wishes of the FBI, a law enforcement agency, don’t necessarily reflect or affect the interests of a regulatory commission. That’s how branches of government work; they’re supposed to balance one another out. So there’s a good chance that better government oversight of cybersecurity might help put in check requests by other government officials that cross the line.

In the end, there isn’t a single catch-all answer to the problem of cyber security. It is, however, encouraging to see the Senate thinking about a government’s duty to protect the data of its citizens.

Article Link: https://www.alienvault.com/blogs/security-essentials/corporate-information-security-vs-government-legislation-who-is-to-blame-for-data-breaches