Who is responsible for implementing or managing cybersecurity safeguards?

In this guide

• Governments and cybersecurity
• Corporate cybersecurity
• Individual cybersecurity
• Layers of responsibility
• FAQ
• Sources

The question of who is responsible for cybersecurity has been hotly debated over the last few years.

While the issues involving cybersecurity and responsibility have no clear black-and-white areas to determine who is exactly responsible for what, it is clear that everyone — especially governments and corporations — needs to play a role in the fight against cybercrime.

With recent events like major data breaches and global cyberattacks, this belief is more relevant than ever. In the case of cyberattacks and data breaches, companies and organizations are often viewed as negligent for not protecting their customers’ information.

Governments also face blame when they do not or cannot stop malicious cyber activities from happening on their soil.

While it is true that everyone should play their part in the battle against cybercrime, this problem will not be solved with only one side taking action.

Furthermore, it is important to remember that cybersecurity is a constantly evolving field and it will take all of us working together to keep the internet safe from malicious attacks.

Related resources

• Cyberwarfare: A Complete Guide
• Cybersecurity in the federal government
• Cybersecurity at the state level
• Cybersecurity in critical industries
• How to respond to cyber hacks and security breaches

Governments and cybersecurity

It goes without saying that it is the government’s responsibility to keep its citizens safe. It’s also appropriate for government representatives to regulate various industries (like financial services) and how they use data.

However, whenever new regulations are put in place, it is critical that there not be any loopholes or unintended consequences that could harm consumers.

Regulations need clear guidelines to ensure criminals and other bad actors do not exploit loopholes. In the US, the Federal Trade Commission (FTC) develops policies and collaborates with law enforcement partners nationally and internationally to protect consumers.

More specifically, the Cybersecurity and Infrastructure Security Agency (CISA) defends US infrastructure against cyber threats. As a part of the Department of Homeland Security, CISA is responsible for protecting federal networks and critical infrastructure from attacks. 

The United States Computer Emergency Readiness Team (US-CERT) also responds to computer security incidents across all US agencies.

Governments and election cybersecurity

While governments, in general, have a responsibility to protect infrastructure, one area where governments should have complete control of security issues occurs during elections. All US citizens should have the right to a free and fair election process.

Elections are the cornerstone of democracy and it is critical that voters are not falsely influenced by other countries’ meddling. Along similar lines, citizens should also feel confident in the electoral process.

Cybersecurity experts should look at all areas of potential breaches, including voter registration lists, voting machines, electronic vote-counting systems, etc. This would ensure that there are no security gaps in the election system. 

Citizens also have the right to be confident in election results. There should be a transparent and reliable process that ensures audits of the vote count are conducted both quickly and carefully.

There is no guarantee that cyberattacks or meddling in elections will stop, so government officials need to come up with ways to work together on this issue.

This requires working across all levels of government to ensure a safe election process.

Examples of election cyberattacks

Unfortunately, over the past few years, elections in both Europe and the United States faced numerous attacks. 

Some recent examples of attempted election attacks include the following:

• In 2015, the European Union’s e-voting websites, the Federal Election Commission and the State Registration Service, were targeted by Denial-of-Service (DoS) attacks concurrently with the start of local elections and referendums.
• In the run-up to the US presidential election in 2016, a wide range of Russians searched for vulnerabilities in state voter databases and hacked the Hillary Clinton campaign, the Democratic Congressional Campaign Committee (DCCC), and the Democratic National Committee (DNC). They also attempted to breach Sen. Marco Rubio’s campaign and the Republican National Committee. Additionally, politically damaging information was released online and false information was spread via Twitter, Facebook, YouTube, and Instagram.
• In 2018, the US government accused Russian nationals of attempting to tamper with the 2016 presidential election. This represented a shift from detecting and defending malicious activity to directly confronting cyber threats.

How do hackers infiltrate a state’s election infrastructure?

The most popular types of cybercriminal attacks include distributed denial of service assaults (DDoS) against government and media websites.

Hackers also send emails compromised by malware in an attempt to obtain passwords and other personal information. It’s also been reported that cybercriminals obtained the personal data of election officials on the dark web.

Overall, these assaults appear to be intended to steal data, alter election results, or disrupt the release of election results. There have also been reports of efforts to influence voters and undermine public confidence in election outcomes and the electoral process.

These activities have been noted by US government reports concerning the presidential election of 2016. 

How can these incidents be prevented?  

Basic cyber-security measures can prevent hackers from succeeding in their attacks. If organizations can combine these measures with routine analysis, the ability of threat actors to cause widespread harm becomes significantly reduced.  

Preventative security measures that governments and election officials may take include:

• Administrative controls: To properly safeguard an organization, proper positions, responsibilities, rules, and procedures must be created.. (ie – proper hiring procedures).
• Physical controls: Physical controls should be used to restrict who has access to a facility or location. (ie – barriers, locks, etc)
• Technical controls: Electronic hardware and software solutions must be used to give access to data and networks. . (ie – anti-virus software, firewalls, etc)

How to keep government staff safe from attacks

During periods of heightened tension, threat actors may attempt to exploit staff and anybody who is part of the election process. Threat actors may utilize a variety of assault techniques, such as phishing and social engineering, to steal sensitive data.

Individuals who are in managerial or executive roles, as well as those who directly support them, are more likely to be targets of these assaults as their data is readily accessible.

Individuals may also unintentionally expose information that hackers can use to compromise electoral processes. All personnel, particularly election officials, must exercise caution when providing any details about their positions.

Mandatory cyber security training should be given to those who are engaged in election procedures as part of the government’s overall risk management process.

Phishing and social engineering attacks should be identified during the training. Established methods for keeping people safe from these attacks should be implemented as well.

Other ways the government is improving cybersecurity

After high-profile cyber hacking incidents, President Biden issued an Executive Order on Improving the Nation’s Cybersecurity in May of 2021. Its main objectives are as follows:

•  To improve tech security at the federal level by making IT systems stronger 
• To improve the cybersecurity of federal contractors
• To establish baseline security standards for the development of software sold to the government.
• To require information technology companies to disclose cyber security issues and remove legal barriers to communicating with government entities.

With this Executive Order, the government hopes to make it more difficult to hack into government and government contractor systems. 

It also requires IT providers to disclose any cyber security breaches and makes it easier for them to work with the government.

Corporations and cybersecurity responsibility

It’s also interesting to note that the responsibility of keeping people safe from cyber-attacks and privacy breaches is not always up to governments.

For instance, for years company data breaches have been commonplace.

Home Depot, LinkedIn, eBay, and Target are just a few other examples of major corporations that have had data breaches.

Since data breaches also cost companies a significant amount of money in terms of reputation, lost revenue, and potential lawsuits, companies are being more proactive when it comes to cyber-attacks. 

In order to safeguard data, corporations now invest in various security technologies to prevent future assaults.

For example, many corporations now use biometric authentication (i.e., fingerprints, and eye scans) to verify identities, and Apple has been a leader in offering fingerprint biometric authentication to its consumers since 2013. 

Additionally, banks such as The Royal Bank of Scotland utilize behavioral biometric technology. In this instance, biometric software analyses a user’s behavior to develop a “behavior profile.”

It learns activities like how someone holds the phone, whether they type with one or two hands, and how they scroll or switch between screens. 

The encryption conundrum

While data encryption is often used by tech companies to prevent data breaches, it is also used by criminals to conceal their activities. There’s also the issue of whether corporations should work with law enforcement to “unlock” data on smartphones and other devices.

In a high-profile instance in 2016, a federal judge asked Apple to assist the FBI in unlocking an iPhone belonging to Syed Farook, who killed 14 people in a mass shooting in San Bernardino, California.

Apple was asked to give “necessary technical assistance” to the US authorities, which would entail changing the security system that disables a phone after 10 failed password attempts. When this function is activated, the phone’s data becomes inaccessible. 

However, Apple refused to assist the FBI. Tim Cook, Apple’s CEO, described the edict as “chilling” and stated that the company would need to create “a master key, capable of unlocking hundreds of millions of locks.”

The argument put forward by Tim Cook was that if the FBI could get into this iPhone, they would be able to unlock many others too.

On the other hand, the FBI claimed that the data on the phone may assist them in preventing another terrorist attack. They also stated that they were not looking for a “master key,” but simply wanted Apple’s assistance in this instance.

That said, the U.S. Justice Department found another way to access the data on the iPhone without Apple’s help. 

Will this problem resurface in the future?

The issue of whether corporations should help law enforcement decipher encrypted devices remains, and we may see a new wave of similar court cases in the future.

This situation occurs because authorities are constantly fighting terrorism, crimes involving pedophiles, gang activity, online child pornography trafficking rings, human trafficking networks, and drug cartels.

There are numerous other groups that regularly use advanced encryption to protect their data from law enforcement investigations. The issue as to whether or not corporations should allow access to encrypted devices is a more complex situation.

Encrypted devices usually store personal information about the owner of the device and if law enforcement has immediate access to this information, it could help solve numerous crimes. The issue at hand deals with corporate policy versus government policy.

When a corporation releases the information from an encrypted device, they have to decide whether or not they will open themselves to future liability from the person whose data was released.

This situation becomes even more complicated when a government agency requests that a corporation provide access to an encrypted device because it may result in direct legal action against them for hindering a criminal investigation.

Individuals and personal cybersecurity responsibility

At a personal level, individuals need to be aware of the risks associated with cybersecurity. Cybersecurity can be compromised not only by external actors but also through internal negligence and carelessness.

Individuals must understand the risks associated with using devices, sharing information online, and conducting any form of online business. 

As a general rule, it’s better for individuals not to provide personal details unless they are sure of who is receiving them. Along similar lines, information about passwords, PINs, or bank account details should only be given when absolutely necessary.

In short, individuals need to be vigilant about their personal cybersecurity with respect to what they share online.

Individuals should not rely on companies and the government to keep them safe. Cybersecurity must be everyone’s responsibility. In general, people should do the following to keep themselves safe online:

• Use strong and unique passwords for each website or account.
• Only log in through trusted devices (such as your computer at home).
• If you receive an email from Amazon saying that there has been unusual activity on your Amazon account, do not click the link in that email. Instead, go to Amazon directly
• Use multi-factor authentication where available. This adds an extra layer of security by requiring more than one factor (e.g., password and email verification) to access accounts.
• Keep software up-to-date on all devices so that important patches are installed as soon as possible after they are announced. Hackers love to take advantage of holes in software that are not patched.
• Avoid public Wi-Fi hotspots. Hackers can easily sit on a network and steal private information, including user names, passwords, credit card numbers, etc.
• Clear the browser cache after each browsing session. Attackers can exploit the cache to gather information about your browsing habits.
• Pay attention to domain names. URLs that include variations in spelling or a different domain can be decoys to trick people into entering personal information.
• Ensure your antimalware software is up-to-date and active. Antimalware software will protect devices from malicious sites, security holes, viruses, ransomware, etc.

Overall then, individuals play an important role when it comes to protecting themselves and their data online.

The onus isn’t just on the government and companies that store our data: each individual needs to take some responsibility too.

Are the government, corporations, and individuals all responsible for cybersecurity?

To some degree, everyone is responsible for cybersecurity. Governments have a responsibility to protect their citizens, and in the modern world, that means taking steps to ensure that digital resources are protected from outside interference. 

Companies need to keep their customers’ data safe. At the same time, it’s important for users of technology to implement cybersecurity measures, such as using decent passwords and avoiding phishing schemes.

While cybersecurity is a complex and ever-evolving process, taking certain precautions can help minimize the risks. And ultimately, the cybersecurity responsibility falls on everyone – whether you are a government official, a business CEO, or an average Joe.

Frequently asked questions

Sources

• 2016 Presidential Campaign Hacking article | From CNN in October 2023.
• Executive Order: Improving Nation’s Cybersecurity | From Whitehouse.gov in October 2023.
• 2021 High profile cyber hacking incidents | From Whitehouse.gov in October 2023.
• 2013 Yahoo data breach | Sourced from IT Pro website in October 2023.