Certification Survey Extra: Government and cybersecurity, Part 3
Certification Survey Extra is a series of periodic dispatches that give added insight into the findings of our most recent Certification Survey. These posts contain previously unpublished Certification Survey data.
How safe is your money? It’s been 11 years since the financial collapse of 2008 and some economists are predicting that a new crash is brewing. About 430 years ago, Shakespeare declared, in the mouth of Jack Cade’s murderous rabble who seize London in Henry VI, Part 2, “The first thing we do, let’s kill all the lawyers.” Would the line be “all the bankers” in 2019?
Some would argue, on the other hand, that fear of investment shenanigans overlooks a potentially more alarming threat to the global money management sector: cyberattacks. Hackers raided the Federal Reserve Bank of New York in 2016, intending to drain $1 billion from an account held by the central bank of Bangladesh. The attack was detected and $899 million worth of fraudulent transfers were blocked.
That sounds like a pretty impressive security coup if you don’t know that the hackers tripped themselves up with a spelling error. And if you’re willing to swallow the fact that, gaffe notwithstanding, the thieves successfully stole $101 million, of which roughly $63 million has yet to be recovered. What happens if a more devious and better-coordinated attack comes together?
Bankers are aware of the dangers, but whether they are also doing enough to combat such threats is a bit of an open question. Governments depend on financial stability. There was a lot of political point scoring and posturing in the aftermath of the 2008 crisis, but the federal government acted to stave off its worst effects about as quickly as the government has ever taken action on anything.
Given that government officials are the ones most likely to be left holding a mop and a bucket the next time there’s a financially devastating cyberattack, should those same officials be firm in requesting advance preparation and protection? In our recent Security Certification Survey, we asked what role governments should play in guarding against digital financial upheaval.
Here’s how certified information security professionals responded:
Statement 1: Government should aggressively promote cybersecurity protections and preparedness in the financial and banking sector.
Strongly Agree: 42.4 percent
Agree: 42.1 percent
Neither Agree nor Disagree: 10.7 percent
Disagree: 3.3 percent
Strongly Disagree: 1.5 percent
Statement 2: Government should directly regulate cybersecurity protections and preparedness in the financial and banking sector.
Strongly Agree: 24.7 percent
Agree: 38 percent
Neither Agree nor Disagree: 19.6 percent
Disagree: 13.3 percent
Strongly Disagree: 4.4 percent
Almost everyone who responded to the survey thinks that government should be involved. Roughly 85 percent of those surveyed either agree (42.1 percent) or strongly agree (42.4 percent) that government officials should “aggressively promote” a stronger degree of protection and preparedness. Meanwhile, not even a full 5 percent are directly resistant to that notion.
On the other hand, it would seem that there’s a line between “aggressively promoting” something and requiring it by law that some would rather not cross. There’s still strong support for direct intervention by government officials: Almost 63 percent of survey respondents either agree (38 percent) or strongly agree (24.7 percent) that regulating banking sector cybersecurity is a good idea.
The group unwilling to venture an opinion on direct regulation (19.6 percent) is nearly twice the size of the fence-sitter segment (10.7 percent) when the keyword is the less forceful “aggressively promote.” And nearly 18 percent either disagree (13.3 percent) or strongly disagree (4.4 percent) with the notion of direct regulation.
There was a great deal of foot dragging on long-needed financial regulation prior to the 2008 crisis, of course, versus a much stronger degree of willingness to take action after Humpty Dumpty had his great fall. Perhaps it will take a similarly catastrophic incident to really get the ball rolling on government regulation of cybersecurity as well.