Latest SEC Hack Reminds Lawmakers Why Strong Cybersecurity Shouldn’t be Ignored
No government agency or corporation can maintain impenetrable cybersecurity. Policy makers who attempt to dismantle market-developed cybersecurity tools underestimate cybercriminals’ craftiness as well as the unavoidable risks human fallibility poses. Those who advocate policies that would require users to entrust large amounts of personal data to large databases also underestimate criminals.
On January 9, the Securities and Exchange Commission (SEC) provided a case study in all this. Hackers gained access to the SEC’s X account, posting erroneously that the agency had greenlit exchange-traded funds (ETFs) to hold bitcoin. In response, bitcoin’s value spiked nearly to $48,000. A spokesperson quickly clarified that the announcement was unfounded, and bitcoin’s value sank accordingly. (The SEC then approved the proposal Wednesday.)
According to X’s @Safety account, “the compromise was…due to an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party.” Moreover, astonishingly, X says the SEC’s account “did not have two-factor authentication enabled at the time the account was compromised.”
In short, the agency failed to implement an elementary cybersecurity measure.
One bucket of anti-security policies – the “treasure trove” bucket – would create programs requiring Americans to aggregate their personal information in government databases, ripe for hackers. This “treasure trove” bucket includes a proposal to form a federal online-age-verification service and another to offer an in-house Internal Revenue Service direct-filing system.
What happened at the SEC is not an isolated incident. Last year, hackers infiltrated DC Health Link, a health insurance marketplace created in compliance with the Affordable Care Act. This breach implicated the data of lawmakers, government staffers, and many others living in the capital.
Also in 2023, Russian cyber gang Clop hacked MOVEit, a file-transfer software product. That hack spiraled, and Clop successfully exploited its advantage to breach the Department of Energy, multiple state-government entities and affiliates, several universities, large corporations, and more.
In big ways and small, the government has proved repeatedly its inability to safeguard sensitive data. Lawmakers and voters alike ought to take note.
Published on January 11, 2024