If someone broke into your house, would you blame your architect, builder, or window manufacturer for enabling the act? Probably not. But if someone hacked your email provider and swiped your credit card information, you’d likely blast and shame the provider all over social media for failing to protect your information. We now expect companies and other firms to proactively safeguard their users’ information. For the Puerto Rican government, this expectation came as big news in April 2022.
The Puerto Rican government has a long history of highly publicized cyberattacks. One of the most infamous concerns the AutoExpresso cyberattack of April 2022. AutoExpresso—an electronic toll system—allows users to pay electronically via stickers on their cars that connect to a virtual payment system. Cyberattackers injected ransomware into the system. They asked for a sum of money, believed to be in the millions, in exchange for returning control of AutoExpresso. The government refused to negotiate with them and instead the system went down for three weeks as a backup system was implemented.
On the day of the attack, members of the governor’s cabinet held a press conference hoping to clear up some of the public’s worries. The meeting had a somber and tense air to it, much like when a parent scolds a child for breaking their sibling’s favorite toy. At the outset, Nanette Martínez Ortíz, then interim director of the Puerto Rico Information Technology Service, squarely placed the blame for the cyberattack on AutoExpresso. You see, AutoExpresso is managed by a private company called PAM. All private companies hired by the government are expected to comply with the government’s digital security measures. According to Martínez Ortíz, PAM was not following protocol “and so, that’s why what happened happened.”
Martínez Ortíz very quickly changed her position after journalists pounced on the idea that AutoExpresso alone was to blame for the attack. The journalists pressed the cabinet members, asking whether the government enforced oversight measures for private contractors. An obvious question was asked: “How will you assure the people that when things return to normal the same thing won’t happen?” What started as a governmental attempt to deflect blame became a trial about the role of government in ensuring safe and secure online systems. Now on the defensive, cabinet members charged back, describing ongoing efforts to ensure that Puerto Rico was equipped with the best in cybersecurity.
This case around AutoExpresso illustrates the legacy of the hacker professionalization movement of the 1990s and early 2000s as explored by scholars Gabriella Coleman and Matt Goerzen. Throughout the 1990s, non-malicious black hat hackers sought to rehabilitate the hacker image partly by shifting the onus of cybersecurity onto companies. They blamed companies like Microsoft for poor security, which they happily exploited, claiming that one of their aims was to provoke companies to do better. Hackers weren’t the “bad guys.”
Decades later, in a very different setting, journalists did something similar. They de-emphasized the role of criminal hackers and sought to hold both the Puerto Rican government and the AutoExpresso company accountable for their cybersecurity failures. But this case is even more complicated than this exchange might first suggest. Consider another party that got involved in the fiasco: the Financial Oversight and Management Board. Puerto Ricans are U.S. citizens, but they cannot vote for the president and lack voting representatives in Congress. In 2016 President Obama created a board consisting mostly of non-Puerto Ricans to oversee and allocate the Puerto Rican government’s budget. This includes supervising contracts like the one governing AutoExpresso. In the midst of the cyberattack, the board spoke out and said they were keen to ensure that the next private operator had better cybersecurity provisions. Despite the promise, as of the publishing of this article, the same private company remains in charge of AutoExpresso. This leads to another question: What does it mean to hold a colonized government accountable for cybersecurity?
This case exemplifies how complex it is to hold people and entities responsible in the digital age. Long before the cyberattack, thousands of individuals could have intervened, from the workers in the private company to the members of the Financial Oversight and Management Board. It is the collective failure of all of these layers of responsibility that made the cyberattack possible. And so, this raises further questions about the extent to which each layer is responsible and what it should look like to hold them accountable.
Moral of the story? Maybe don’t point fingers you would not want pointed at you.