Ideally, cybersecurity — and cybersecurity policy — should be somewhat apolitical. It should be based on principles of authentication, access control, technology and, of course, cost. Invariably, however, it gets tied to questions about the role of government as a regulator, about privacy and data-access policy, and about broader public policy: what data we should be protecting, and from whom. This kind of give and take is not only inevitable but healthy in a free society. Should we require age verification for access to pornography? To social media? To health information? Should we permit or encourage anonymous postings, or require full accountability? What information should companies and governments be permitted to collect about customers, users, employees or third parties, and how should they be permitted to use it? Should we permit security so strong that it thwarts legitimate governmental surveillance goals? How should public/private partnerships work? What is the role of openness in government? These are all legitimate questions involving cybersecurity, and all are the proper subject of public discourse.
But something new has emerged: the use, primarily by the government, of cybersecurity to achieve partisan political objectives. Two recent incidents in the U.S. illustrate the point. The first is the case of Charles Borges, who, until recently, was the chief data officer at the U.S. Social Security Administration. He was responsible for the technology that secures the Social Security data of hundreds of millions of registrants and beneficiaries. The data his department controlled is among the most sensitive — and the most useful — for legitimate industries and threat actors alike. It is the mother's milk of scammers, spammers and identity thieves.
Borges claims that he was involuntarily terminated by the SSA (or by those above the SSA in the chain of command) for raising a red flag about the fact that the agency apparently moved highly sensitive Social Security information from secure servers to the Amazon cloud, where it could be accessed without auditing and where, at least according to Borges, it was less secure. In June, the U.S. Supreme Court rejected an application for an order preventing the SSA from moving the data and making it available to the "Department of Government Efficiency." Social Security information is particularly useful for identifying people who, while in the United States legally and paying taxes, are not citizens. This is precisely why U.S. law restricts who can access the data and for what purposes.
Here, the government (and the court) have determined that good cybersecurity practices are not required, or at least that they yield to DOGE's asserted emergency need for swift access to (and probably AI-fueled analysis of) the data of millions of Americans. From a security engineer's standpoint, the objection is not to cloud hosting as such but to the loss of the controls that normally travel with the data: documented purpose limitation, least-privilege access and an audit trail that records who queried what and when.
At the same time, DHS Secretary Kristi Noem reportedly fired 24 employees of the Federal Emergency Management Agency (FEMA) – or, as her office's press release called them, "Inept FEMA Employees," "deep-state individuals" and "entrenched bureaucrats who led FEMA's IT team for decades" – because they "brazenly neglected basic security protocols" and because DHS discovered "significant security vulnerabilities that gave a threat actor access to FEMA's network" and "severe lapses in security that allowed the threat actor to breach FEMA's network and threaten the entire Department and the nation as a whole." The same press release notes that the problem "was caught before any American citizens were directly impacted" and that "no sensitive data was extracted from any DHS networks."
Following good security protocols is important. Critical, in fact. If government employees fail to take basic steps to protect data, they need to be educated, trained and required to fix the problem, and if they cannot or will not, they should be replaced. We have plenty of carrots and sticks to encourage or compel good security practices, both inside the government and outside it. Notably, the press release asserts both a breach serious enough to "threaten the entire Department and the nation as a whole" and an outcome in which nothing was exfiltrated and no one was affected; a post-incident review, not a press release, is the instrument that normally reconciles those two statements.
To an outside observer, however, this smacks of the use of cybersecurity (or the neglect of cybersecurity) as a cudgel for something else. Secretary Noem has made no secret of her desire to eliminate (or dramatically restructure) FEMA, and firing the agency's IT and IT security leadership may be part of that effort. Without falling down the rabbit hole of conspiracy theory, it is important that security policy be grounded in sound principles articulated by presumably unbiased (or at least balanced) bodies such as NIST or the international standards organizations, and that decisions to discipline or remove security staff be justified against those published standards rather than against the politics of the moment.
For too long, cybersecurity has not received the attention it deserves. I worry that it will now get attention for all the wrong reasons.
By Mark Rasch