In the wake of numerous large-scale data breaches at U.S. companies, a federal appeals court just gave the government authority to sue companies that are negligent in defending customer data against hackers. In an attempt to beat back charges from the Federal Trade Commission’s suit over the leak of 619,000 Wyndham Resorts customer credit card numbers, the hotel chain challenged the authority of the agency to hold the corporation to any cybersecurity standard, comparing it to “regulating the locks on hotel room doors.” The Appeals Court disagreed: “Were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability.”
This should be a good thing. In the wake of the Sony hack last winter, President Barack Obama, the FTC, and numerous lawmakers swore to fight for stronger security standards among private companies. Massive theft of financial data from companies like Anthem Insurance and Home Depot, as well as personal data housed on Ashley Madison, stands to hurt consumers—both when it comes to their bank accounts and their reputations. Somebody should stand up for the consumer.
However, it’s sadly debatable whether the federal government is the right man for the job. It would be great if, as Obama stated last January, companies and the federal government could unite in sharing information about data breaches in order to prevent cyberattacks—or at least reduce their likelihood. But the federal government itself has hardly been a role model for corporations to follow on cybersecurity. Numerous attacks, from both state and non-state actors, have seized the personal information of millions of Americans right from the U.S. government’s own servers. This raises an important question: Should the government then be setting the standard for security?
When the government sets standards for itself, for example, it fails to meet them far more often than it succeeds. According to a 2014 Government Accountability Office (GAO) report, 17 out of 24 federal agencies suffered from “significant weaknesses in information security controls.” In fact, reports the GAO, “these agencies did not completely document actions taken in response to detected incidents in about 65 percent of cases.” This lack of follow-through on attack response is probably why federal agencies have seen a consistent increase in cyber incidents year over year, rising from 34,048 in 2010 to 46,160 in 2013, an increase of over 26 percent.
Most of these attacks come from two sources: China and Russia. A live map managed by the cybersecurity firm Norse shows a constant back-and-forth between the United States and China—with smatterings from Russia, Eastern Europe, and the Middle East. While the U.S. certainly doles out its own volley of cyberattacks (such as the infamous Stuxnet exploit against Iran), we’re also the top target. This not-so-secret cyberwar has resulted in some of the largest—and most problematic—breaches of any entity, not just government agencies.
This past March, the State Department admitted that Russian hackers had infiltrated most of the unclassified portions of its email system, a breach State Department officials called “the worst ever.” The breach should be especially worrisome in the face of Hillary Clinton’s lack of personal security over the email server she used while Secretary of State, as well as the private servers used by her predecessor Colin Powell. The Russians supposedly used the information gleaned from the State Department hack to enter the email servers of the White House, though no classified information was obtained. Russian hackers would then go on to steal 100,000 tax returns from average Americans.
These are not the security habits of a federal government ready to set standards of liability for the private sector. While the attacks against the federal government have been constant and sophisticated, the private sector likewise faces increased scrutiny from foreign hackers and identity thieves. The aforementioned attacks on Sony, Home Depot, Anthem, and Wyndham join the major leaks from Target and Neiman Marcus to reveal a concerted effort against U.S. private interests that could rival, and even surpass, efforts against the government’s information.
Threats against the federal government don’t just concern those working directly for federal agencies. The government’s lack of benchmarks for its own cybersecurity has also resulted in the sort of large-scale data dumps to which the private sector is slowly growing accustomed. Perhaps no hack has caused as many spines to shiver as this summer’s breach of the Office of Personnel Management, which resulted in the theft of records on over 20 million current and former federal employees. The data obtained in the hack, largely believed to be part of a Chinese effort to build profiles for purposes of blackmail or spy recruitment, included Social Security numbers and even fingerprints.
Robert Knake of the Council on Foreign Relations shrugged off the OPM hack, calling it “not by any stretch the most dastardly thing [China has] done in cyberspace. It’s just the most recent one that we know about.” This is not just terrifying in its inconclusiveness—it’s also hypocritical of the federal government to allow. In his cybersecurity proposal, President Obama sets a “National Data Breach Notification Standard,” forcing companies that collect information from more than 10,000 customers to notify each party whose information has been compromised, including law enforcement and credit rating agencies.
That’s a tall glass for the federal government to pour—considering it could never live up to such a demand. While it’s reasonable that the government would want to keep the leak of sensitive data quiet, the Obama administration could start encouraging companies to be more transparent about their security flaws by leading by example. This is especially important when we think about the information the federal government has collected. If you think Ashley Madison is bad, just imagine the hellish Mad Max landscape we’d become if the National Security Agency’s phone and Internet records were leaked.
This is not to say the FTC should not be interested in holding companies responsible for a lack of concern for their customers’ data. Everywhere a consumer goes, they’re being tracked—by their smartphones as much as their credit card. Enforcing a federal standard for the handling of such information, similar to the federal standards imposed upon banks, would be a fantastic evolution into a 2015 mindset. One could only wish the federal government could lead that innovative charge by being the change it wants to see in corporate America.
Gillian Branstetter is a social commentator with a focus on the intersection of technology, security, and politics. Her work has appeared in the Washington Post, Business Insider, Salon, the Week, and xoJane. She attended Pennsylvania State University. Follow her on Twitter @GillBranstetter.
Illustration by Max Fleishman