Cybersecurity

Congress should address recurring cases of cyber espionage at home


On March 20, the U.S. House of Representatives approved the Protecting Americans Data from Foreign Adversaries Act of 2024 by a unanimous vote of 414-0 to prevent companies from selling the American people’s data to rogue nations like China and North Korea. Days before, it passed legislation banning TikTok from the U.S. over concerns over foreign espionage and data mining. The Senate is currently considering both measures.

These actions send a clear and concise message that Congress is taking America´s data privacy seriously. But like so many congressional initiatives, these piecemeal actions miss the mark and the point, leaving the nation vulnerable to further cyber-attacks.

The Department of Justice’s recent indictment of seven Chinese nationals for hacking demonstrates the futility of this exercise. Experts believe the accused individuals remain in China – beyond the reach of the American justice system. The indictment makes for a good press release, but it does not change anything.

Instead of focusing its efforts on addressing the foreign actors that mine the American people’s data, Congress should be focusing on improving the cybersecurity practices of the domestic actors who repeatedly allow this foreign hacking to occur. These public and private entities continue to make the same mistakes without ever getting so much as a slap on the wrist from lawmakers.

For example, last week, the Department of Homeland Security released the Cyber Safety Review Board findings examining the mistakes that caused dozens of high-level government email accounts, including that of Commerce Secretary Gina Raimondo, to become compromised. The Biden administration-appointed board found that a China-based hacking group gained extensive access due to a series of strategic decisions from Microsoft that “collectively pointed to a corporate culture that deprioritized enterprise security investments and rigorous risk management, at odds with the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.” The board also noted the extent of the hack was greater than anyone knew.

Earlier this year, hackers connected with the Russian government also infiltrated Microsoft’s software, bringing the tally of software vulnerabilities criminals have exploited in this company’s software to over 280 over the past 22 years – higher than the next three companies combined. Yet, until this point, the government (sans Sen. Ron Wyden, D-OR, who has vocally sounded the alarm on the need for tighter cybersecurity measures) has done little to address these clear security flaws. It continues to provide the company hundreds of millions of dollars’ worth of no-bid government contracts without mandating it make any changes.

But I suppose it’s hard for the government to incentivize problem actors in the private sector to improve their cybersecurity capabilities when many government agencies struggle with the same issue.

Take, for instance, the Office of Personnel Management, the hiring arm of the federal government. The Government Accountability Office added it to its High Risk List in 2001 over cyber security vulnerability concerns, and it remains on that list today. From a 2015 breach – the largest in government history at that time – that led to 4 million government workers’ personal information, including Social Security numbers, birth dates, and fingerprint records, becoming compromised due to OPM using “older systems that needed to be modernized,” to the agency failing to monitor how it exchanges information with organizations that possess different levels of security and privacy requirements in the present day, it’s clear that cyber security has not and is still not a priority for the agency.

While Rep. James Comer, R-Ky., the Chairman of the House Oversight Committee, has held hearings on OPM and broader efforts to protect the nation from cyber-attacks, the larger Congress continues to ignore these threats. It hasn’t issued legislation to impose more scrutiny or oversight of OPM’s cyber security practices or threatened to make greater use of the agency’s private market competitors, which have far better cyber security track records.

The attack on Americans’ data and privacy takes many forms, and many threats exist. China is a problem. North Korea is a problem. Even Russia is a problem. But these actors will likely never be America’s friends – at least not in the short term. Congress can’t keep passing legislation under the assumption that putting pressure on these countries will solve these widescale data capture and cyber security issues. Instead, it should impose this pressure on the public and private domestic organizations that these foreign governments continue to hack.

Since they receive significant amounts of government contracts and funding, they have every incentive to cooperate – and their cooperation can make it far more difficult for these problem actors to conduct their dirty work on our shores. It’s the only sustainable path forward.

Reynold Schweickhardt is a fellow at the Foundation for American Innovation, and former Director of Technology Policy at the U.S. House of Representatives.



Source

Related Articles

Back to top button