Reading this morning’s Wall Street Journal, I had mixed feelings about the article “FTC Can Target Firms for Lax Security.” In many ways it is a positive step forward, because it adds another compelling regulatory incentive for businesses to take information security seriously and, specifically, to take all reasonable safeguards to protect consumer data. Commercial forces such as brand and reputational damage, diminished profitability, and the legal liability imposed by consumer lawsuits provide a compelling set of drivers encouraging businesses to do the right thing, yet these drivers are occasionally insufficient, as some businesses write these concerns off as “acceptable losses” or simply a cost of doing business. While a data breach is certainly very costly to the business that suffers it, the impact on the business is almost negligible when compared with the impact on individual consumers and members of the public.
While a reasonable amount of government oversight provides an additional compensating control, we continue to struggle with the challenges presented by a lack of sufficient oversight of the government itself. Regardless of any particular political point of view, we clearly have a government that is out of control and has conclusively demonstrated its inability to manage its own cybersecurity. We have seen breaches at the State Department, the IRS, and the Office of Personnel Management. We are even becoming increasingly aware that high-ranking government officials have operated outside the control of government information systems, using their own private email servers and addresses, at an as yet undetermined level of risk that may very well have compromised sensitive and/or personally identifiable information.
Another example of the government’s inability to implement its own controls effectively is the toxic spill caused by the Environmental Protection Agency, the very agency charged with protecting the environment. If a private firm had made the same mistake as the EPA, the vast resources and power of the government would undoubtedly have been brought to bear on the offending firm. Who is going to hold the EPA, the IRS, the State Department, and the OPM accountable for their failures? There appear to be no effective controls and minimal, if any, consequences.
There are, in my opinion, two fundamental inadequacies that drive these failures and contribute to inadequate controls. First, government agencies operate in an administrative area of government with a lack of meaningful oversight. While agencies are created and funded by Congress, they make their own rules and regulations and are administered under the Executive branch rather than the Legislature. Second, as in the private sector, people are the weakest link, and holding government employees accountable to a degree sufficient to offset that inherent human weakness is next to impossible.
Congress needs to impose painful consequences on agencies that fail to effectively implement and maintain cybersecurity controls. As government is the highest authority in the land, our elected representatives need to implement effective oversight that includes consequences. The most obvious consequence is a severe budget cut. I am not at all suggesting that we should put important and essential activities at risk. However, there remains plenty of fluff in agency budgets, and cutbacks can be made to hurt without compromising the mission. In the worst cases, agencies could face elimination, with their mission and functions rolled into other agencies that have demonstrated competence in protecting the public’s information.
The people problem posed by careless government employees is a bigger challenge. While there certainly are many highly skilled, dedicated, and diligent people working for the government, we need to be honest and admit that there are others who are not as diligent. Indeed, according to data released by the White House, 21% of Federal employees violate policies. Such a cavalier attitude toward policy, and such lax enforcement of it, would have severe repercussions in the private sector.
Government employees need to be held to a higher standard simply because they occupy positions of public trust. They are the guardians of sensitive data on every American and should be expected to go above and beyond to protect that data. Here, Congress needs to enact laws that can hold civilian employees accountable, civilly, criminally, or both, for proven disregard of and failure to take reasonable steps to protect the public’s data. Of course, due process needs to be observed, yet government employees need to fully appreciate that they have a duty to protect the public, and that failure to act reasonably can have consequences. Sadly, the current situation lacks consequences sufficient to change behavior.
We can throw all the money and the best technology in the world at this problem, yet the reality remains that effective controls are a three-legged stool of people, process, and technology. Congress needs to define and enforce a process, and we, the people, need to hold our elected representatives accountable for enforcing accountability on public employees. Then the technology stands half a chance of being effective.