Certification Survey Extra is a series of periodic dispatches that give added insight into the findings of our most recent Certification Survey. These posts contain previously unpublished Certification Survey data.
Though it's not an official motto, even the United States Postal Service embraces the ageworn expression about "Neither snow nor rain nor heat nor gloom of night" preventing its mail carriers from "swift completion of their appointed rounds." What about hackers? Might digital malefactors succeed at disrupting what snow, rain, heat, and gloom of night cannot stymie?
It may have already happened. A USPS website issue exposed data tied to roughly 60 million users over an unknown period of time prior to 2018, when the vulnerability was fixed and publicly disclosed. Prior to that moment in time, any logged-in USPS.com user could have widely queried the system to retrieve sensitive data about other users.
The USPS blunder, however, is only the most recent example of a phenomenon that every national government must contend with: Effective government tends to require vast computer networks and massive amounts of information. It takes impressive breadth and depth of protection to secure such assets, but government often lags behind — or at least seems to lag behind — in the realm of effective cybersecurity.
Past cybersecurity certification surveys have asked certified cybersecurity professionals a number of pointed questions about the interaction between cybersecurity and government. Seeing as how the problem persists, we asked those questions again this year. Broadly speaking, does government do a good job with this stuff? Or should we expect better?
Here's what we learned by asking survey respondents to rate the level of their agreement with two overarching statements about cybersecurity and government:
Statement 1: Protection of government information and technology assets is adequate.
Strongly Agree: 8.8 percent
Agree: 17.1 percent
Neither Agree nor Disagree: 19 percent
Disagree: 39 percent
Strongly Disagree: 16.1 percent
Statement 2: Protection of government information and technology assets should be improved.
Strongly Agree: 39 percent
Agree: 50.2 percent
Neither Agree nor Disagree: 7.8 percent
Disagree: 2.4 percent
Strongly Disagree: 0.5 percent
For those who are wondering, the dictionary definition of "adequate" is "satisfactory or acceptable in quality or quantity." So while it's a little surprising to see that more than 25 percent of those surveyed think that governments do an acceptable job with this stuff — about 9 percent "strongly" hold that opinion — maybe the distance between acceptable and excellent is cutting officials some slack here.
If you give the idea a little more teeth, however, almost everyone thinks that governments not just can do better, but are obligated to do better. (The operative word, in that regard, is "should.") Nearly 90 percent of respondents either agree or strongly agree not just that there's room for improvement, but that action ought to be taken.
Is it likely that governments will take action? Truly effective cybersecurity requires at least some commitment of resources, and any question of allocating funds and manpower is likely to get bogged down. Every time there's a breakdown in the system, however, we're probably at least a little closer to concrete action on a better solution — or to a meltdown on a scale that could make the 60 million users exposed on USPS.com look like a day in the park.