The hack of the SEC’s Edgar system in September was, as I noted on Twitter, not exactly unexpected for anyone who has interacted with it professionally. That said, it has raised once again a number of longstanding industry concerns about the ability of the government to warehouse sensitive data—concerns Senators passed to SEC Chairman Jay Clayton in a Congressional hearing last week. From Reuters:
Senators asked whether the hack raises concerns about other data housed at the SEC, including the consolidated audit trail scheduled to go live later this year. Th[e consolidated audit trail] will contain a record of orders for most equity and listed option trades, and non-public information about the customers behind them. Even before the SEC hack was revealed, stock exchanges and traders were worried about the potential for cyber attacks on the CAT.
Notably, Wall Street’s concerns are not limited to the SEC:
At the Commodity Futures Trading Commission, investment firms have been worried about an automated trading plan that would give the agency access to trading-firm source codes without a subpoena. The agency is revising the rule after an industry backlash, but it is still likely to push for a database of trading records.
I can’t blame the wary eye. Hacks can be extremely damaging—and assist in everything from insider trading to state-sponsored spying, and even terrorism. But expectations and standards should be applied consistently. There have, after all, been two notable hacks in the last two weeks—one of the SEC, and the other of Equifax, a private market participant. (Not to mention the numerous hacks of supposedly unhackable bitcoin exchanges around the world.)
If anything, it seems quite possible that industry may be demanding from government something it can’t provide for itself—a 100% unhackable tech infrastructure, safe from criminals and hostile governments alike. If that’s indeed the case, everyone should perhaps take a deep breath (if it’s possible nowadays) and cultivate more reasonable expectations of modern digitally connected systems: namely, 1) that public and private entities devote sufficient resources to cybersecurity to, at the very least, make hacks extremely difficult to execute (um, can the agencies please get a budget commensurate with their responsibilities?)—and 2) that organizations have swift and effective response mechanisms. Given the spectacularly embarrassing SEC and Equifax failures on the second item in particular, I think it’s hard to say that’s not a reasonable starting point.