Certification Survey Extra is a series of periodic dispatches that give added insight into the findings of our most recent Certification Survey. These posts contain previously unpublished Certification Survey data.
In June 2015, the Office of Personnel Management of the United States government issued a fairly embarrassing (to government officials) and damaging (for all involved) admission that hackers had breached a government database containing detailed information about government employees. Investigators eventually concluded that records connected to more than 21 million individuals had been stolen.
That's one fairly momentous example of a phenomenon that every national government must contend with: Effective government tends to require vast computer networks and massive amounts of information. It takes impressive breadth and depth of protection to secure such assets, but government often lags behind — or at least seems to lag behind — in the realm of effective cybersecurity.
In the aftermath of the OPM breach, even government officials seemed a little gobsmacked by the level of (human) inattention and (mechanical) inadequacy that played right into the hackers' hands. As reported by security writer Brian Krebs, U.S. officials ultimately declared that the breach had resulted from "a cascading series of cybersecurity blunders from the agency's senior leadership on down to the outdated technology used to secure the sensitive data."
For our recent Security Certification Survey, we asked certified information security professionals what they think. Do governments do a good job with this stuff? Or should we expect better? Here's what we learned by asking survey respondents to rate the level of their agreement with two overarching statements about government and cybersecurity:
Statement 1: Protection of government information and technology assets is adequate.
Strongly Agree: 10.4 percent
Agree: 13.7 percent
Neither Agree nor Disagree: 17 percent
Disagree: 40.7 percent
Strongly Disagree: 18.1 percent
Statement 2: Protection of government information and technology assets should be improved.
Strongly Agree: 45.2 percent
Agree: 43 percent
Neither Agree nor Disagree: 8.8 percent
Disagree: 2.6 percent
Strongly Disagree: 0.4 percent
In case you're wondering, the dictionary definition of "adequate" is "satisfactory or acceptable in quality or quantity." So while it's a little surprising to see that nearly 25 percent of those surveyed think that governments do an acceptable job with this stuff — 10 percent "strongly" hold that opinion — maybe the distance between acceptable and excellent is cutting officials some slack here.
If you give the idea a little more teeth, however, almost everyone thinks that governments not only can do better but are obligated to do better. (The operative word, in that regard, is "should.") Nearly 90 percent of respondents either agree or strongly agree not just that there's room for improvement, but that action ought to be taken.
Is it likely that governments will take action? Truly effective cybersecurity requires at least some commitment of resources, and any question of allocating funds and manpower is likely to get bogged down. Every time there's a breakdown in the system, however, we're probably at least a little closer to concrete action on a better solution.