Government Security: Do As I Say, Not As I Do?

by Alex Neystat

It seems every month we read news about another breach or hack, with each incident appearing more severe and prominent than the previous. The unfortunate irony is that those making the rules are not immune.

The government’s vulnerability to cyberattacks was most recently on display Sept. 20, when the U.S. Securities & Exchange Commission announced that hackers may have accessed and used private SEC information to conduct illegal trading. The most troubling piece of news? The hack of the SEC’s EDGAR filing system, which is home to millions of corporate disclosure documents, including quarterly earnings statements and filings on mergers and acquisitions, occurred in 2016, but it took until August 2017 to report the breach and link it to illegal trading.

“Infiltrating the SEC’s system to review announcements before they are released publicly,” the agency announced, “would serve as a virtual treasure trove for a hacker seeking to make easy money.”

This disclosure from the SEC comes just weeks after credit-reporting company Equifax announced a breach lasting several months that exposed more than 100 million people’s private information. Both the SEC and Equifax hacks were related to software or application vulnerabilities.

I wish this surprised me.

Due to their complex nature, it’s often the largest organizations and regulators that struggle with implementing cybersecurity best practices. Simply complying with a framework doesn’t guarantee protection; compliance doesn’t equal security. And let’s remember, modern hackers are after information, not anarchy. It’s more profitable for a hacker to lie dormant (for years) and collect information than to try to destroy the integrity of the data.

With such high-profile breaches, it’s time to ask some hard questions: How long were hackers able to access these databases? How can government entities better protect our data? How do we, as the private-sector cybersecurity industry, support their efforts? We talk about the shared security model, but let’s not forget the shared intelligence model. Maybe it’s time to reinvigorate talks on a formal alliance between the private and public sectors.