When the Federal Communications Commission's website crashed on May 8, many suspected it was due to an overwhelming influx of comments around new net neutrality rules. But the FCC said that wasn't the case – instead it was hit by multiple DDoS attacks that brought the site to its knees. Senators have requested more information about the incident, because it's still not entirely clear what happened, who was responsible, or how to prevent future attacks.
There’s a simple solution to this. What if we treated the government more like a business?
If the FCC was a private company, we might already know many of the details about the attack. Security breach notification laws have been on the books for more than a decade in some states, holding companies to a standard of transparency, especially when customer data is at stake.
Right now, the various levels of government have no requirement to disclose cybersecurity incidents to the public. Yet this information would help us better understand attacks and prevent them in the future, not to mention alert citizens to any potential breach of their personal data. By adopting these disclosure standards, the government could serve as a shining example of what needs to be accomplished in the security space.
Here’s why the government hasn’t been held to the same standards as business and how we might encourage more transparency from every victim of hackers, whether in the private or public sector.
Why businesses report attacks but the government doesn’t
Businesses are required by law to notify customers after a breach, and in practice are expected to take steps to prevent a similar attack in the future. California was the first state to require this, and most state laws in place today follow its model. Customers must be informed, in writing or electronically and within a specific time period, of the discovery of the breach, alerting them that their passwords, payment information, or other personal data has been compromised.
Right now, however, there is no general federal breach disclosure law on the books, and no law that requires the government to disclose attacks against it to the public. There are likely many reasons why, but perhaps one of them is that government disclosures could enable future attacks.
From floppy disks to unsupported software, government technology can be a blast from the past, and disclosing the technical nature of an attack might reveal information that other hackers could use for new attacks, armed with knowledge of vulnerabilities in the hardware or software still being used for important government functions.
Where the government takes a more open approach
Some countries, however, set an example for holding their governments to higher standards of disclosure and transparency around security and privacy.
Singapore, for example, has a strong security strategy. Certainly it's a smaller country with a smaller population, so it has an easier time getting its arms around all the moving parts. But its smart city program, cybersecurity initiatives, and the way it governs data and discloses to the populace what will and won't be shared are great examples of how government can be more transparent. Of course there are some areas the Singapore government keeps close to the vest, but it has rules and laws in place that specify what doesn't have to be reported.
Switzerland too demonstrates strong security and privacy policies. The country’s constitution clearly states that every citizen has a right to privacy and a right to be protected against misuse of their personal data, and because it’s not a member of the European Union, it can play by its own rules. Switzerland has an aggressive anti-surveillance culture. As a result, many of the world’s secure email services and VPNs are run from there, as are many malicious services – strict rights to privacy attract both good and bad actors.
How to improve cybersecurity through government disclosures
The FCC regulates the communications sector and has fined carriers for failing to protect customer data, so it is no small matter when the regulator itself is taken down in an attack. It makes sense that the organization that fines companies for not having the proper controls in place should have the proper controls in place as well.
All of the watchdog agencies, from the FCC to the Department of Homeland Security to the SEC to the FBI, should be held to the higher standard that businesses are. Agencies like the FAA, Department of the Interior, Department of Agriculture, and so on, should also have a program in place for cybersecurity disclosures, but it need not be as strict as that for the watchdogs.
Of course there will be cybersecurity incidents within the military or other agencies that must remain classified. That’s fine, and we should create or clarify rules for what is protected and what is disclosed.
When attacks hit, we should get the answers to some basic questions. Looking at the shutdown of the FCC website, we should know:
- Where the attack came from;
- Who was responsible for the attack;
- What the motivation for the attack was;
- What the technical nature of the attack was;
- What controls were in place;
- How quickly the government was able to respond.
It’s time we had one law about cybersecurity disclosures at the federal level for both public and private entities. By better understanding the nature of attacks and the vulnerabilities behind them, we could spark public debate about the best way to protect ourselves, shine sunlight on vulnerabilities, and make good financial decisions to ensure infrastructure, elections, our financial system, and other potential targets are secure.
Carl Herberger is the vice president of security solutions at cybersecurity firm Radware. He also served as a U.S. Air Force officer, with his last duty serving the Pentagon. While at the Pentagon, he evaluated computer security events affecting daily Air Force operations. He also managed critical operational intelligence for computer network attack programs to aid the National Security Council and Secretary of the Air Force with policy and budgetary defense.
The views expressed by contributors are their own and are not the views of The Hill.