Government-developed standards not an effective cybersecurity approach: analyst

Published 3 June 2013

DHS said the department has “recently learned of a vulnerability that existed in the software used by a DHS vendor to process personnel security investigations.” A Heritage Foundation analyst says that it is bad enough that hackers gained access to the personal information of thousands, but what is even more worrisome is that DHS, with its spotty cybersecurity record, has been placed in charge of regulating the cybersecurity efforts of critical infrastructure industries.

DHS said the department has “recently learned of a vulnerability that existed in the software used by a DHS vendor to process personnel security investigations.” The vulnerability allowed unauthorized access to the personally identifiable information of citizens.

A Heritage Foundation blog post notes that the vulnerability was discovered when DHS was alerted by a law enforcement agency that Customs and Border Protection (CBP) was using software from a vendor whose systems were not sufficiently secure. Hackers could thus gain access to the personally identifiable information stored on that vendor’s systems.

It appears that the vendor’s systems CBP used were vulnerable for about four years before the flaw was discovered.

The Heritage analyst says that it is bad enough that hackers gained access to the personal information of thousands, but what is even more worrisome is that DHS, with its spotty cybersecurity record, has been placed in charge of regulating the cybersecurity efforts of critical infrastructure industries.

President Obama signed an executive order in February making DHS responsible for establishing cybersecurity standards for industry, and last year the Lieberman-Collins bill (the Cybersecurity Act of 2012, which did not pass the Senate) would also have assigned DHS the responsibility of developing cybersecurity standards for critical infrastructure industries.

The deeper problem with both the executive order and the Lieberman-Collins bill, the Heritage analyst argues, is that developing and imposing standards is not an effective cybersecurity policy, because standards typically lag behind fast-changing threats and fast-moving technology.


The imposition of government-developed standards has another unwanted result. As representatives Ed Markey (D-Massachusetts) and Henry Waxman (D-California) noted in a recent report, once standards are established, many companies become preoccupied not with cybersecurity but with compliance. The two lawmakers studied utilities and found that these companies were more interested in doing the minimum to comply with standards and pass inspection than in the broader issues of security.

DHS’s cyber failure, together with many other government cyber breaches and failures, illustrates that government standards do not lead to greater security. “Only in D.C. can an approach fail and then be expanded to cover huge new sections of the economy,” the Heritage analyst concludes.