Certification Survey Extra is a series of periodic dispatches that give added insight into the findings of our most recent Certification Survey. These posts contain previously unpublished Certification Survey data.
At the end of 2020, a computer hacking story with major implications got a fairly minor brush-off from national news media in the United States. In a nutshell, an ongoing hack of IT resource management firm SolarWinds was uncovered. Among the SolarWinds clients potentially exposed for as long as eight months: the United States of America.
More specifically, the Department of the Treasury, Department of Justice, Department of Energy, and Department of Defense were all compromised. Ongoing coverage of the 2020 U.S. presidential election and its contentious aftermath overshadowed the SolarWinds breach for months, though President Joe Biden did eventually announce sanctions against Russia, believed to have sponsored and directed the attack.
The SolarWinds incident, however, is only the most recent example of a phenomenon that every national government must contend with: Effective government tends to require vast computer networks and massive amounts of information. It takes impressive breadth and depth of protection to secure such assets, but government often lags behind — or at least seems to lag behind— in the realm of effective cybersecurity.
In 2019, we conducted a survey of certified cybersecurity professionals and asked them a number of pointed questions about the interaction between cybersecurity and government. Seeing as how the problem persists, we asked those questions again this year. Broadly speaking, does government do a good job with this stuff? Or should we expect better?
Here's what we learned by asking survey respondents to rate the level of their agreement with two overarching statements about cybersecurity and government:
Statement 1: Protection of government information and technology assets is adequate.
Strongly Agree: 6.8 percent
Agree: 18.8 percent
Neither Agree nor Disagree: 19.9 percent
Disagree: 39.2 percent
Strongly Disagree: 15.3 percent
Statement 2: Protection of government information and technology assets should be improved.
Strongly Agree: 40.9 percent
Agree: 47.7 percent
Neither Agree nor Disagree: 9.1 percent
Disagree: 0.6 percent
Strongly Disagree: 1.7 percent
For those who are wondering, the dictionary definition of 'adequate' is 'satisfactory or acceptable in quality or quantity.' So while it's a little surprising to see that more than 25 percent of those surveyed think that governments do an acceptable job with this stuff — about 7 percent 'strongly' hold that opinion — maybe the distance between acceptable and excellent is cutting officials some slack here.
If you give the idea little more teeth, however, almost everyone thinks that governments not just can do better, but are obligated to do better. (The operative word, in that regard, is 'should.') Nearly 90 percent of respondents either agree or strongly agree not just that there's room for improvement, but that action ought to be taken.
Is it likely that governments will take action? Truly effective cybersecurity requires at least some commitment of resources, and any question of allocating funds and manpower is likely to get bogged down. Every time there's a breakdown in the system, however, we're probably at least a little closer to concrete action on a better solution — or to a meltdown on a scale that could make the SolarWinds fiasco look like a day in the park.