By Ryan Hagemann | Watchdog Arena
Security breaches are all the rage these days. From this past spring’s hack at the Office of Personnel Management to the more recent debacle surrounding the release of Ashley Madison users’ personal data, it seems like everyone is getting basic cybersecurity practices wrong – and average Americans are suffering as a result.
Despite this, states and local municipalities have been far more removed from the types of hacks that have crippled faith and confidence in the federal government and private firms. Nonetheless, some states seem to be moving towards cybersecurity regimes that mimic the federal government’s myopic focus on “information sharing.” Unfortunately, these approaches are unlikely to solve the cybersecurity problem.
California and Virginia recently announced the creation of state-level cybersecurity integration centers, mimicking President Obama’s 2015 memorandum that established the Cyber Threat Intelligence Integration Center. Thus far, states have handled the cybersecurity issue relatively effectively, but the approach towards creating centralized cybersecurity “reporting” agencies is far from the best approach to dealing with this problem.
New agencies purporting to serve as central clearinghouses of cyber threat information are not the silver bullet solution for curing cybersecurity ills. These centers, no doubt created with the best of intentions, are unlikely to add positive solutions to a problem that, by its very nature, often cannot be solved by adding additional layers of bureaucracy.
So what is the solution?
There is no on single answer, but many of the problems come down to a lack of personal responsibility and appropriate education on the matter of cybersecurity. As I detailed in a recent article, the primary problem associated with cybersecurity breaches is not a lack of information, but a lack of network owners taking responsibility in ensuring best practices are followed when handling data security.
Simple things like using SSL/TLS to encrypt website traffic can make a world of difference, but even still many federal websites do not use these protocols – nor do some organizations, like the Heritage Foundation, which recently suffered its own data breach.
Of course efforts at encrypting data are not helped by federal officials, like FBI director James Comey, sounding the alarm over illusory concerns of “going dark” as a result of the use and availability of strong encryption (For a more detailed account of why such fear mongering is completely off base, see these pieces: here, here, and here).
Bug bounty programs, where firms and governments pay hackers and systems penetration engineers to scour their software and systems for potential security flaws, are another simple-to-implement system that will invariably pay dividends to organizations in the long term. And from a legislative perspective, the solution isn’t more regulation: it’s government and industry making effective use of the tools already available to them.
Although recent legislation like the Cybersecurity Information Sharing Act (CISA) would purport to solve many of the issues that have made recent data breaches possible, its emphasis, like California and Virginia’s cyber integration centers, is far too focused on the need for information sharing. Yes, sharing information is important in preempting possible attacks and threat signatures, but no amount of information sharing would have solved any of the major breaches over the past six months.
Local municipalities can also help aid in proliferating best practices vis-à-vis cyber hygiene by educating people on the use of online tools. Unfortunately, although some states have taken such steps, federal law enforcement and intelligence agencies have at times stepped in and put a stop to such efforts, as evidenced by a recent push from a New Hampshire library attempting to teach people how to browse the Internet anonymously using Tor.
Their efforts met with disapproval by local law enforcement after an email from the Department of Homeland Security expressed concern over the possibilities of its use by criminal elements (an ironic twist given that the State Department is counted among the top funders and supporters of the Tor project).
Educational efforts such as these can go a long way towards creating a more informed and security-conscious public, which in turn can pay dividends on local and state governments’ abilities to allocate funding for cybersecurity purposes. When individuals understand what goes into cybersecurity, they can more effectively assess the efforts of local lawmakers and officials.
California and Virginia may be moving in a suboptimal direction on cybersecurity solutions, but the great thing about federalism is that each state serves as its own laboratory for experimentation. Here’s hoping the cybersecurity successes experienced by other states can have a positive ripple effect on the others, as well as private firms and the federal government.
This article was written by a contributor of Watchdog Arena, Franklin Center’s network of writers, bloggers, and citizen journalists.