Congress has begun investigations into the power wielded by tech giants Amazon, Apple, Facebook, and Google – from their effect on the news media, to their impact on retail markets, to their handling of data. Unusual for these divided times, the concerns are bipartisan, with members of both parties suggesting that new legislation and regulation may be needed.
A number of big challenges are hurting consumers, including “serious breaches of privacy” and “loss of control of data,” Rep. David Cicilline, D-R.I., chairman of the House Antitrust Subcommittee, told CNBC.
This discussion of what Cicilline has called a “monopoly moment” is healthy and overdue. However, while Congress examines whether we should trust the tech titans with so much of our data and other assets, it would be great to see more urgency on another question: Can we trust the government itself with our data?
Federal and state government databases hold a treasure trove of sensitive, personal information that is used to collect taxes, administer benefits, register vehicles, or run elections. Not to mention the 434.2 million phone records on Americans that the National Security Agency collected last year, according to a government report.
Hackers, naturally, know that government sites are a rich target, and some of the largest cybersecurity breaches of recent years have taken place in the public sector.
In two separate incidents in June 2015, the U.S. Office of Personnel Management discovered that attackers had stolen the Social Security numbers and other confidential information of 25.7 million current and former federal employees and contractors. The hackers’ haul even included 5.6 million fingerprints of job applicants who has undergone background investigations.
In 2016, the IRS said that 700,000 Social Security numbers were taken in a hack the year before.
In 2018, a “SamSam” ransomware attack shut down the city of Atlanta’s online systems, forcing the cancellation of court proceedings and preventing the collection of water bills and traffic fines. Last month, a ransomware assault has affected services in Baltimore and cost the city at least $18.2 million in lost or delayed revenue and direct restoration costs.
And then there are the foreign attempts to interfere with elections. U.S. officials have testified that Russian hackers targeted voting systems in 21 states in 2016, though no actual votes are believed to have been affected.
Since free and fair elections are a core tenet of our democracy, voter registration pages and election systems are the most sensitive areas of state and municipal web infrastructure. Election databases also contain personally identifiable information such as names, ages, and addresses. As my company’s experience with various state governments show, these systems are constantly under attack.
In fact, we’ve seen up to two-thirds of state election agencies’ website traffic consist of malicious bots searching for data to steal or scrape. Even more disturbingly, we have also seen spikes in automated traffic attacking the websites as registration deadlines approach. These spikes slow down the performance of back-end databases, compromising the agencies’ overall ability to effectively conduct elections.
This evidence shows that the existential threat to government data is every bit as important as the security and privacy concerns driving the congressional investigation of Amazon, Apple, Facebook, and Google. But is enough being done?
More than three years after the devastating attack on the U.S. Office of Personnel Management, a report by the General Accounting Office in November found that the agency had not implemented 29 of the 80 recommendations the government’s in-house auditor had made to shore up its cyber defenses.
In Atlanta, an audit determined that leading up to the ransomware attack, the city had ignored repeated warnings about flaws in its security posture, including a failure to address 1,500 to 2,000 severe vulnerabilities that the city’s Information Management and the Office of Information Security had identified.
Where control of data is concerned, it’s vital that the federal and state governments look themselves in the mirror just as hard as Congress is now assessing the tech giants. A few specific recommendations:
- Government agencies at all levels should conduct an exhaustive review of their cyber security capabilities and hold leaders personally responsible for ensuring they are up to snuff for constantly evolving threats.
- Beyond investigating the practices of a few companies, Congress also should focus energy on a long-overdue update of the Computer Fraud and Abuse Act, a 33-year-old law that makes it unlawful to break into a computer to access or alter information and, astoundingly, still serves as a legal guidepost in today’s new landscape of bots, malware, ransomware and other malicious attacks.
- The Trump administration should make sure to follow through with its May 2 executive order on cyber defense that promised to “grow the cybersecurity capability of the United States Government, increase integration of the federal cybersecurity workforce, and strengthen the skills of federal information technology and cybersecurity practitioners.” It also called for a “cybersecurity rotational assignment program” within the federal government that “will serve as a mechanism for knowledge transfer and a development program for cybersecurity practitioners.”
An important discussion is happening on Capitol Hill about the influence of Amazon, Apple, Facebook, and Google in our lives and society. It would be hypocritical, however, to lose sight of how much of our data sits in government computer systems and that it also faces serious threat.