Cybersecurity Doesn’t Win Elections: So Politicians Don’t Give a Sh*t

Part 3 of the “Accountability in Cybersecurity is Broken” Series

The Day I Learned the Truth

The first time I realized politics was a dirty business was in 1998.

Our U.S. Representative came to visit our workplace. At one point, he asked us: “What do you think my #1 priority is in Washington?”

Naively, I answered: “To represent your constituents at the Federal level.”

He laughed. Not a little chuckle. A laugh.

Then he said, “No. My number one priority is to get re-elected. This is the number one priority of every politician on Capitol Hill.”

Ugh. What a disappointment.

That moment taught me something important: reelection trumps representation. And that same mindset explains why our political system has failed to hold anyone accountable for cybersecurity failures.


Root Cause #3: Political Incentives Don’t Align With Cybersecurity

This series is about accountability. And here’s the third root cause: politicians don’t care about cybersecurity because cybersecurity doesn’t win elections.

Think about it: accountability depends on someone stepping up to enforce consequences. In theory, that should be our elected leaders. But if lawmakers see no political upside to pushing for cybersecurity reform, they won’t do it. They’ll chase the issues that get them reelected instead.


What Actually Wins Elections

In 2025, the issues dominating campaigns are:

1. Economy & Inflation
2. Immigration & Border Security
3. Health Care
4. Crime & Public Safety
5. Education
6. Tax Policy
7. Housing
8. Climate Change
9. AI & Tech Regulation
10. Abortion

Cybersecurity doesn’t make the list.

A Pew survey shows 72% of Americans want stronger data protection regulation. That sounds promising—until you realize those same people won’t actually vote based on it. Politicians know this. And so cybersecurity gets ignored.


A Legal System That Reflects Indifference

Because cybersecurity doesn’t move votes, Congress has never made it a priority. Instead, we get a patchwork:

HIPAA for healthcare
GLBA for finance
FISMA for federal systems
CFAA & ECPA from 1986 (back when fax machines were “cutting edge”)

This patchwork is:

Scarce – Many industries aren’t covered at all
Outdated – Laws don’t address cloud, IoT, or AI-driven threats
Ineffective – They punish breaches after the fact instead of preventing them

And when new rules do arrive—like the SEC’s Cyber Disclosure Rule or CIRCIA—they’re late, narrow, and watered down.

This isn’t an accident. It’s the direct result of lawmakers prioritizing reelection over meaningful reform.

NOTE: If you don’t know what all these acronyms stand for, don’t feel intimidated; most people have never heard of some of them. HIPAA is the Health Insurance Portability and Accountability Act (1996), GLBA is the Gramm-Leach-Bliley Act (1999), FISMA is the Federal Information Security Management Act (2002), CFAA is the Computer Fraud and Abuse Act (1986), ECPA is the Electronic Communications Privacy Act (1986), and CIRCIA is the Cyber Incident Reporting for Critical Infrastructure Act (2022).

Why Accountability Dies in Politics

Accountability requires consequences. But in cybersecurity, there are none at the political level because:

1. Low Voter Salience – People don’t vote on it.
2. Too Technical – Hard to explain in a soundbite.
3. No Short-Term Payoff – Laws take years; elections happen every 2–6 years.
4. Lobbying Pressure – Big tech and finance water down anything with teeth.

So, when hospitals, schools, or critical infrastructure get hit by ransomware, where’s the accountability? Nowhere. Politicians shrug, issue a statement, and go back to campaigning on issues that actually sway voters.


The Evidence Is Everywhere

Here are just three simple examples off the top of my head:

SolarWinds (2020) – Nation-state compromise of federal agencies. Nothing in our laws prevented it.
Uber (2016) – CISO covered up a breach. Punishment years later, but only after millions were impacted.
Microsoft Exchange (2025) – CISA had to scramble with emergency directives. The vulnerabilities? Still out there.

These failures aren’t just technical. They’re political. We’ve normalized a system where lawmakers face zero consequences for neglecting one of the most critical national security issues of our time.


The Accountability Gap

This is the heart of it:

If politicians won’t prioritize cybersecurity, they can’t be held accountable for failing at it.

And if lawmakers face no consequences, the cycle continues. Breaches happen. People suffer. Businesses collapse. And yet—no one in power is forced to answer for it.

That’s part of why accountability in cybersecurity is broken.


What Needs to Change

If we want accountability, we need to make cybersecurity a voting issue. That means:

Demanding stronger laws – Mandatory, enforceable requirements
Demanding effective laws – Simple, uniform, and effective requirements
Forcing modernization – Stop fighting AI-driven threats with 40-year-old laws
Making it personal – Connect the dots when your local hospital, school, or government gets hit

Until then, the accountability vacuum will remain. Politicians will keep chasing votes, not security.


Bottom line: Cybersecurity doesn’t win elections. That’s why politicians don’t give a shit. And as long as that’s the case, accountability will stay broken.


Wrapping It Up

In Part 1, we made the case that Accountability in Cybersecurity is Broken. Since then, we’ve started digging into why. Each piece highlights a root cause of the problem:

Part 2: It’s Not Real Until It Hurts: Why No One Demands Change
Part 3: Cybersecurity Doesn’t Win Elections: So Politicians Don’t Give a Sh*t (this post)

Next up → Part 4: Breach? Jackpot. How the Legal System Profits from Failure
Class-action lawsuits are a business model. Prevention isn’t.

If you’re up for debate—or just want to know more—Matt and I will be breaking it down on InfoSec to Insanity. Stay tuned.
