Should the Government Require Stronger Security for Companies?
TraitWare
Enterprise-Class, Phishing-Resistant, Passwordless MFA for True Zero Trust Access. Simple, Secure, Cost-Saving Login.
In recent news, the United Health Group (UHG) paid a $22 million ransom to the BlackCat ransomware gang for a late February cyber-attack on subsidiary Change Healthcare. The attack, which was eventually traced back to a stolen password, led to widespread service outages across the U.S. healthcare industry, massive ongoing financial loss to medical clinics, and unpaid claims.
The incident that many are calling a national security threat again stirs debate on whether the government should mandate stronger cybersecurity and privacy practices for companies.
On Wednesday, UHG CEO Andrew Witty testified before the Senate Finance Committee, which raised tough questions about the company’s security practices. Witty admitted that Change Healthcare was still using “legacy” IT systems – systems that were clearly not adequate to protect personal information.
The hackers used stolen credentials and broke into a Change Healthcare server that was not protected by multifactor authentication (MFA). We know that MFA tops the list of requirements for cybersecurity protocols. The Department of Health and Human Services investigation calls out United Health’s failure to comply with the Health Insurance Portability and Accountability Act, or HIPAA, which enforces safeguards for patients’ healthcare data.
Witty also admitted that the attack could have national security implications, saying that he believed members of the armed forces would also be affected. More information will be provided in the next two weeks, he said.
A Call for Tougher Cybersecurity Standards
Senators on Wednesday’s panel seemed to agree that stronger security should be at least partially a government concern.
Several brought up broader data privacy concerns. With no comprehensive federal data privacy law in the US, debates over how to get one passed have been at a stalemate for years. In April 2024, Congress once again presented a bipartisan draft.
Though the UHG incident is not the first to raise concern, the attack on Change Healthcare is a glaring reminder of the importance of cybersecurity. And it has resurfaced heated debate about accountability – not just in the healthcare industry, but in any sector and any business that handles sensitive data.
But just which entities are there to lay down requirements? What are they doing now?
Organizations have done a lot to urge companies and individuals to better protect our information and identities.
Among efforts to tackle ransomware, CISA, with the cooperation of the FBI and NSA, recently updated their Stop Ransomware Guide. Definitely worth the read.
The FTC Safeguards Rule requires any company managing sensitive consumer data to put basic security protocols in place. …
In 2020 the White House finally signed the Internet of Things (IoT) Cybersecurity Improvement Act of 2020 into law.
The law requires the National Institute of Standards and Technology (NIST) to develop and publish standards and guidelines related to the security of IoT devices.
The law also requires that the Office of Management and Budget (OMB) issue recommendations based on NIST guidelines for federal agencies, which are required to ensure that all IoT devices within their environments fully comply with these standards and guidelines. …
While this is a great effort, the law is primarily setting forth guidelines and recommendations, rather than mandating steep penalties for non-compliance.
Following is a more detailed list of organizations and their missions:
National Institute of Standards and Technology (NIST):
International Organization for Standardization (ISO):
European Union (EU) Data Protection Authorities:
Federal Trade Commission (FTC) (United States):
Cybersecurity and Infrastructure Security Agency (CISA) (United States):
Payment Card Industry Security Standards Council (PCI SSC):
Federal Communications Commission (FCC) (United States):
Internet Engineering Task Force (IETF):
As evidenced by the myriad incidents over the past few years, one cyber-attack can take a serious long-term toll on individuals, companies, and societies. While regulations are in play, most are simply published guidelines. … Many are calling for even greater control over how companies handle our digital valuables. But what are the arguments for greater control?
Arguments for increased government intervention
As technology advances, so do the methods used by cybercriminals to breach networks and steal data. Governments should rise to the occasion to impose higher standards on all sectors to ensure companies and individuals are protected against these evolving threats.
While some companies implement robust cybersecurity measures on their own, many don’t adopt them because of (a) cost concerns, (b) lack of awareness, or (c) the belief that they won’t be targeted. Government intervention would establish uniform standards to ensure all companies - regardless of size or sector - are resilient.
Critical infrastructure (power grids, water supply, transportation networks, etc.) is increasingly tied to the internet, and therefore more vulnerable to attack. A successful attack on critical infrastructure could have catastrophic consequences for public safety and national security. Safeguarding these essential services is crucial to minimize risk.
Cyber-attacks are becoming more frequent and more costly, with the average price in the millions. The financial impact of cyber incidents, including remediation costs, legal fees, and loss of revenue, can be staggering for businesses. Moreover, the long-term reputational damage from a breach can be even more costly. By enforcing stricter cybersecurity requirements, governments can help reduce the likelihood and severity of cyberattacks, thereby lowering the overall economic burden on businesses and society.
With the increasing digitization of personal information, the protection of sensitive data has become a significant concern for individuals. Government regulations such as the GDPR (General Data Protection Regulation) in the European Union have set a precedent for protecting individuals’ privacy rights and holding companies accountable for data breaches. Strengthening cybersecurity requirements ensures that companies handle personal data responsibly, preserving individuals’ privacy and reducing the risk of identity theft and fraud.
By implementing stringent cybersecurity regulations, governments can position themselves as leaders in cybersecurity on the global stage. This not only enhances their own national security but also strengthens international cooperation in combating cyber threats. A coordinated approach to cybersecurity, driven by robust government requirements, fosters collaboration among nations and promotes a safer digital environment for businesses and individuals worldwide.
Contrary to the belief that strict regulations stifle innovation, cybersecurity requirements can actually fuel innovation. Companies are incentivized to develop innovative solutions to meet regulatory standards while also improving their overall security posture. This can foster a culture of innovation within the cybersecurity industry, and lead to important advancements to benefit businesses, consumers, and societies.
Arguments against Government Intervention
Government regulations can sometimes stifle innovation in cybersecurity. Companies may be less motivated to develop new technologies and solutions if they fear burdensome regulatory requirements.
Rapidly evolving cybersecurity threats require equally rapid responses. Government regulations can be slow to adapt, hindering the ability of organizations to respond effectively to emerging threats.
Compliance with government regulations can be expensive for businesses, especially smaller ones. These costs may be passed on to consumers or result in decreased competitiveness for businesses.
Heavy government involvement in cybersecurity could potentially infringe on individuals’ privacy rights. Measures such as increased surveillance or data collection could be seen as overly invasive.
In a globally interconnected world, government regulations on cybersecurity can become complicated, especially when dealing with multinational companies. Differing regulations across countries can create compliance challenges and may even lead to conflicts between governments.
Relying too heavily on government intervention can create a false sense of security. Organizations may become complacent or assume that the government will handle all cybersecurity issues.
Some argue that government regulations may not necessarily lead to better cybersecurity outcomes. Instead, they may create a checkbox mentality where organizations focus on meeting regulatory requirements rather than addressing actual security risks.
Cybersecurity threats are evolving, and what works today may not work tomorrow. Heavy government regulations could inadvertently lock organizations into outdated security measures.
What are your thoughts about government intervention in cybersecurity for the enterprise?