If Government Can’t Regulate Itself, How Can It Regulate Industry?

January 26, 2021

This post is one in the “Rethink Cybersecurity” series. Additional posts in this series are available here.

The foundational assumption of the expert agency regulatory model is that government knows what to do; all that is needed is to compel a recalcitrant private sector to follow government mandates. There is no evidence that government has attained that degree of expertise in cybersecurity. In fact, the data suggest the opposite.

An April 2020 GAO report on the Defense Department’s cybersecurity found that the Pentagon had not fully implemented even its own initiatives and practices for improving cyber hygiene, leaving the department in the dark on how and when to respond to breaches. The report said: “The department does not know the extent that cyber hygiene practices have been implemented to protect DOD networks from key cyberattack techniques.”

A U.S. Senate Investigations Subcommittee review of agency cybersecurity compliance with NIST standards found that 88% of the agencies reviewed failed to properly protect personal identification information, 63% did not have an accurate list of their IT assets, and 75% did not install security patches.

More broadly, a 2019 GAO report found:

“The White House Office of Management and Budget and DHS examined the capabilities of 96 civilian agencies across 76 cybersecurity metrics and found that 71 agencies had cybersecurity programs that were either at risk or at high risk. The assessment also stated that agencies were not equipped to determine how malicious actors seek to gain access to their information systems and data.”

When asked whether agencies are safer now than they used to be, Greg Wilshusen, Director of Information Security at the GAO, said: “we believe, as we’ve reported last year, that federal information security remains at high risk.”

The government’s failure to comply with its own standards further calls into question whether it is in a position to judge the private sector on cybersecurity. The government itself has suffered multiple successful cyber-attacks, including against DOD, the SEC, and the Office of Personnel Management.

In earlier posts we presented evidence from a 2020 study by ESI Thought Leadership that sectors highly regulated for cybersecurity, such as healthcare and financial services, were not objectively better off on many cybersecurity dimensions than sectors that are not so regulated. Given the government’s inconsistent record of complying with its own regulations, combined with its susceptibility to attack, we can add government to the list of sectors that are highly regulated but fail to achieve acceptable levels of security.

The reason these private and public entities are not faring well on cybersecurity does not lie with the dedicated staff charged with providing security. The fault is in the system itself. Treating cybersecurity as simply a technical, operational issue reflects an incomplete understanding of the problem. A different model, one that is enterprise-wide, collaborative, and economically based, needs to be developed and implemented, and it can be.
