Skip Navigation

Critical Cyber: Why the US government must incentivize private corporations to better protect consumer data

In June 2021, the information of 700 million LinkedIn users—more than 90 percent of the platform’s accounts—was leaked on the dark web, with the hacker responsible publicly releasing the data of 500 million of these accounts and selling the remaining 200 million for profit. This was not an isolated incident; data breaches have increased in regularity by more than 102 percent since 2020. Once a hacker has gained entry to a particular database, they can access users’ personal data, intellectual property, and confidential government records, among other important information. Hackers then ransom private data to individuals, companies, and even government agencies in return for large sums of money, making the initial effort of the breach well worth their while. Due to the growing threat of cyberattacks, the US government must incentivize private corporations to take the necessary steps to increase their cyberdefenses and protect their data, safeguarding national interests at home and abroad in the process. 

Although data breaches can be disastrous, they tend to appear less newsworthy than other crises because they don’t often affect people’s daily routines. Even if one’s personal data is accessed, the breach typically poses a minor inconvenience; users rarely have to do more than update their passwords. However, as highlighted by the 2020 hacking of SolarWinds, an Austin-based IT software company, cyberattacks can have serious consequences. SolarWinds products are popular among leading global actors, including US government agencies, Microsoft, and other high-profile private companies. During this data breach, hackers used stolen SolarWinds code to discreetly enter private servers and access secret information. Among the organizations infiltrated during the cyberattacks were the US Departments of Defense, Homeland Security, and the Treasury, as well as US nuclear research labs and several government contractors. This attack had alarming implications for US national security, and it put a spotlight on the government’s inadequate cyberdefense capabilities. Still, corporations and smaller governments are even less equipped to handle these attacks. In May 2019, a piece of code called EternalBlue, which belonged to the National Security Agency, was compromised by hackers. Baltimore, a city whose aging infrastructure was vulnerable to the EternalBlue cyberweapon, found many online services such as email, computer access, water bills, and even health alerts completely shut down. 

Supply chains and local infrastructure systems are particularly vulnerable to ransomware attacks because hackers know that if they can destabilize people’s day-to-day lives, then they will be more likely to receive a payout. The Colonial Pipeline ransomware attack proved this point just this May, when it shut down the transport of refined oil products from Texas to New York for almost an entire week. Using only a single password to access Colonial accounts, hackers wreaked havoc on global supply chains and single-handedly caused gasoline shortages and price surges throughout the Northeast United States. In the end, Colonial executives were forced to pay Russia’s DarkSide hackers millions in Bitcoin to regain control of their systems. 

Currently, there is no federal subsidy that encourages companies or local governments to shore up their cyberdefenses or modernize their cyberinfrastructure, which means that an event like this could easily happen again. Though it would not be particularly difficult for companies, governments, and other entities to invest in simple cybersecurity measures, the lack of guidance around doing so hinders progress in this area. Companies are simply not willing to bear the cost of modernizing without a government mandate to do so. 

To its credit, the US government is implementing new measures to improve its own cyberdefense capabilities—but these must be coupled with efforts to share innovations with private companies. In July 2021, President Biden issued an executive order that mandated modernization of the federal government’s cyber infrastructure with specific timelines, but there is still little incentive for private corporations or local governments to do the same. In recognition of growing cybersecurity threats, in 2018 the federal government established an agency dedicated to improving protections across all levels of government, the Cybersecurity and Infrastructure Security Agency (CISA). Though the creation of CISA is a step in the right direction, the organization only has 2,000 employees, far fewer than other US agencies and far fewer than the urgency of the situation necessitates. The House and the Senate may be working on bipartisan bills to allow CISA to require corporations to publicly report their data breaches, but these bills have not yet passed. 

While this legislation would help protect individuals after their data has been leaked, the government must also promote bills that require a baseline level of cybersecurity standards. According to experts, most cyberattackers are opportunistic—they target vulnerable organizations for a quick cash grab, not for ideological or political reasons. Thus, companies that lack basic security procedures, such as Colonial, place targets on their own backs. Colonial’s weak security likely induced the Colonial Pipeline hack, which was made possible by Colonial’s use of only one password for all of its accounts, rather than implementing a more sophisticated multi-factor authentication system such as Duo Mobile. Companies have traditionally been unwilling to improve their security systems because misaligned market incentives transfer the risk onto their customers. The only way to force organizations to prioritize cybersecurity is through government intervention: The federal government must improve cybersecurity regulations to set a baseline for software sophistication and it must fund the improvement and advancement of software both in its own agencies and in private organizations. It must also work to create better options for small governments and businesses to protect their information and, by proxy, the functioning of society itself. 

To protect national security, it is essential that the government revamp its cyberdefense operations and pass new legislation that effectively encourages private corporations and governments alike to increase their cybersecurity measures. This legislation could take many forms, such as providing tax breaks to companies that meet certain security standards or penalizing corporations that do not adequately protect data. By taking these steps, the United States can work to deter foreign agents with sophisticated hacking operations from attacking its cyberinfrastructure. If the US government can match its technological capabilities to those of foreign instigators, the number of cyberattacks and the threat posed by data breaches will decrease. For now, however, we should all change our passwords.