A recent investigation into the Department of Labor's (DOL) secure information systems revealed "very serious" cybersecurity flaws. Together with many other cybersecurity breaches and failures in the federal government, it is clear the government should not be put in charge of cybersecurity regulation of the private sector.
The DOL's failures included lapses in basic cybersecurity practices, such as locking accounts after three failed login attempts. On top of that, more than 75 percent of the accounts inspected "were granted system access privileges exceeding authorization." Inactive accounts were also not closed in a timely manner.
What does this mean? Any decent hacker would have been able to crack the password of a DOL employee or ex-DOL employee whose account wasn't deactivated, and would then have a good chance of getting access to sensitive information. Considering that the DOL has access to important information, including Social Security numbers and personal data for many (if not all) workers in the U.S., such failures are inexcusable.
But if the government is not able to fully secure its own systems, why should we put it in charge of setting standards for the private sector? One of the major Senate proposals on cybersecurity seeks to do just that. Furthermore, President Obama is also considering an executive order with similar regulatory elements.
A regulatory approach to cybersecurity would only create a culture of compliance, which, as evidenced by the DOL, usually results in just doing the bare minimum. Additionally, the cyber realm moves too quickly for government regulations to keep up. The most secure measure might be impenetrable today, but a month from now, hackers could have found holes in it.
The U.S. needs to encourage dynamic cybersecurity solutions. Strong information sharing would allow the government and private sector to obtain important information to stop new and different attacks. Lawmakers should explore other solutions that leverage the private sector's innovation and creativity, such as insurance, before resorting to government regulation.
If the DOL's cybersecurity failures have an upside, it is that they remind lawmakers that the government can't just go it alone; it needs to encourage and enable private-sector solutions.