• The Heritage Network
    • Resize:
    • A
    • A
    • A
  • Donate
  • Cybersecurity: Homeland Security Follies



    The Department of Homeland Security (DHS) just found out that it had a cybersecurity vulnerability for the past four years that could have led to personally identifiable information being stolen by hackers.

    If the government, and specifically DHS, can’t administer its existing cyber standards, then there is no reason to believe it will do a better job when it has to regulate vast portions of the U.S. economy.

    The vulnerability was discovered by another law enforcement agency that told DHS that Customs and Border Protection, an agency within DHS, was using a vendor whose systems were not entirely secure. The vulnerability would have allowed hackers to steal Social Security numbers from those DHS was conducting background checks on. While DHS does not believe that any information was lost, the fact that this vulnerability existed for almost four years is very concerning.

    More concerning, however, is that some in D.C. want DHS to regulate cybersecurity efforts for whole sectors of the U.S. economy. The President issued an executive order earlier this year that charges DHS with establishing not-so-voluntary cybersecurity standards for companies to comply with. Last year’s Cybersecurity Act of 2012, also known as the Lieberman–Collins bill, used a similar standards-based approach with DHS in charge. However, if DHS couldn’t oversee cybersecurity for its own vendors and contractors, why should we trust it with broader responsibilities?

    Regulations and standards are a poor approach to cybersecurity. Regulations are too slow to keep up with the rapidly changing cyber realm. By the time cyber standards are written and implemented, computers will have at least doubled in power, rendering the standards obsolete.

    Cyber standards also encourage compliance over true security. A recent report by Representatives Ed Markey (D–MA) and Henry Waxman (D–CA) found that utilities tend to do only the bare minimum in order to comply with regulations. Regulations create this kind of compliance-focused attitude that actually harms cybersecurity efforts. Standards are also concerning because of their potential cost, inflexibility, impact on innovation, and other toxic side effects.

    DHS should start improving the security of the government’s networks and work to improve collaborative efforts with the private sector, such as information sharing and analysis of threats. Such efforts are cost-effective, keep up with changing threats, and don’t have the harmful shortcomings of standards.

    DHS’s cyber failure, together with many other government cyber breaches and failures, illustrates that government standards do not lead to greater security. Only in D.C. can an approach fail and then be expanded to cover huge new sections of the economy.

    Posted in Security [slideshow_deploy]

    Comments are closed.

    Comments are subject to approval and moderation. We remind everyone that The Heritage Foundation promotes a civil society where ideas and debate flourish. Please be respectful of each other and the subjects of any criticism. While we may not always agree on policy, we should all agree that being appropriately informed is everyone's intention visiting this site. Profanity, lewdness, personal attacks, and other forms of incivility will not be tolerated. Please keep your thoughts brief and avoid ALL CAPS. While we respect your first amendment rights, we are obligated to our readers to maintain these standards. Thanks for joining the conversation.

    Big Government Is NOT the Answer

    Your tax dollars are being spent on programs that we really don't need.

    I Agree I Disagree ×

    Get Heritage In Your Inbox — FREE!

    Heritage Foundation e-mails keep you updated on the ongoing policy battles in Washington and around the country.