Governments of all types have long proven to be challenged in the area of cyber security. Forget the long-standing jokes about government red tape and inefficiency; this isn't about not being able to get it done. It's about years of giving security short shrift.
Consider that the United Nations' second annual Cyber Security Index released last summer indicated that just 38 percent of the world's countries have a published cyber security policy, while another 12 percent are in the process of developing one. Translation: Half of all countries have no cyber security policy or any plans to establish one. Not exactly a recipe for diligent cyber security.
And this came just a couple of months after the WannaCry virus wreaked havoc around the world, an event that itself came just one day after President Trump signed an executive order on federal cyber security policy. (An order that was, it's worth noting, greeted by a healthy dose of skepticism.)
What's more, according to a 2017 report from risk management vendor Security Scorecard, government is near the bottom of a list of 18 industries the report ranked in terms of overall security ratings. The good news, if it can be called that, is that the sector, which ranked dead last in 2016, leapfrogged telecommunications and education to avoid being in the cellar again.
As much as these threads offered an indictment of government cyber security efforts, a year later, governments around the world appear to be waking up to the responsibilities they face on this front. And in another Security Scorecard report released earlier this year, government ranked ahead of not just telecom and education, but also hospitality, manufacturing, entertainment, healthcare and pharmaceutical.
In other words, palpable progress is occurring, and the effects are visible all over the world.
For instance, Poland recently adopted a draft law on a new cyber security system that will loop in the country's providers of key services, from energy and transportation to banking and healthcare. Based on the sectors being looped in, it's apparent that Polish leaders have identified the nation's infrastructure as a potential vulnerable spot, much as their American counterparts have.
Nearly 9,000 miles away, the state government of Queensland, Australia just earmarked more than $17 million to create a government cyber security strategy. The new strategy, which comes on the heels of the October appointment of the state's first-ever CISO, will reverse a standing practice of having each agency manage its own security measures. (This is ironic given that Trump's executive order went exactly the opposite way, mandating that U.S. agencies take responsibility for their own cyber security programs.)
Elsewhere in Australia, the Australian Parliament also voted recently to invest $9 million on a cyber security centre that will protect the parliamentary network. This was related in part to fallout from the 2014 discovery that Chinese intelligence agencies had gained unauthorized access to that network for a year beginning sometime in 2011. It's a tale that many governments can tell, and in a few years, the U.S. and U.K. may be looking at the WannaCry virus as a similarly watershed moment in their cyber security development.
Meanwhile, in the Philippines, the department of information and communication technology has received a small budget to set up a "situational awareness platform" intended to help the nation do a better job of cooperating on cyber threats by sharing threat information and activities. With all the discussion in security circles in recent years about the importance of sharing insight on security incidents, it's clear Filipino leaders were paying attention.
Make no mistake. This may all be a smokescreen of sorts, little more than a smattering of political maneuverings intended to placate those calling for more stringent security measures in every level of government.
But the more likely truth is that elected officials have been shaken into action less by campaign aspirations and more by the increasing graveness of cyber security events. The breaches have gotten bigger and more effective, the headlines more prominent, and public awareness has mushroomed. And given the speed with which technologies such as artificial intelligence, the Internet of Things and the various incarnations of cloud computing are invading every aspect of doing business, whether in the private or public sector, there's simply no looking the other way anymore.
It's either address cyber security in a meaningful way, or pay a very public price for it. It seems the price has gotten high enough. Let's hope the efforts we're seeing to more effectively secure government systems prove to be lasting ones.