January 26, 2017

Americans and Cybersecurity

3. Attitudes about cybersecurity policy

Cybersecurity does not just impact Americans at an individual level: These issues have potentially profound implications for the U.S. government, law enforcement agencies and the companies and other entities that maintain the nation’s infrastructure. On this front, Americans’ views and perceptions of the national cybersecurity environment are complex and multifaceted. Although their knowledge of some major cyberattacks that have occurred in recent years is somewhat limited, there is a general public consensus that the coming years will likely see significant attacks on our public infrastructure and financial systems. And the public remains highly divided over the best way to approach issues such as encrypted communications in the context of law enforcement investigations.

A majority of Americans expect significant cyberattacks in the next five years

Many Americans expect that the coming five years will see significant cyberattacks on the country’s public infrastructure and financial systems. Fully 70% of Americans expect that the United States will definitely (18%) or probably (51%) experience a significant cyberattack on its public infrastructure (such as air traffic control systems or power grids).

A similar share expects that a significant cyberattack on the country’s banking and financial systems will definitely (18%) or probably (48%) happen over the same time frame. Only a small fraction of Americans think that major cyberattacks on our public infrastructure (3%) or financial systems (4%) will definitely not occur in the next five years.

Men are somewhat more likely than women to think that there will definitely be major cyberattacks on both our public infrastructure (22% vs. 15%) and financial systems (23% vs. 14%) in the next five years, but otherwise Americans’ views on this subject do not differ substantially across demographic groups.

Although a majority of Americans think that significant cyberattacks on our public infrastructure and financial systems are likely in the next five years, they express mixed opinions about the extent to which the government and private industries are prepared to face these attacks.

When it comes to the U.S. government’s preparedness to handle these attacks, around six-in-ten Americans feel that the government is very (13%) or somewhat (49%) prepared to prevent a cyberattack on our public infrastructure; a similar share feels that the government is very (18%) or somewhat (51%) prepared to prevent a cyberattack on U.S. government agencies themselves. At the same time, around one-in-ten Americans feel that the government is not at all prepared to handle a major cyberattack on public infrastructure (14%) or on government agencies (11%).

When it comes to their feelings about private industry, roughly six-in-ten Americans feel that U.S. businesses themselves are very (9%) or somewhat (52%) prepared to prevent cyberattacks on their own systems. But 12% think that the private sector is not at all prepared to prevent cyberattacks on their own systems.

Americans’ perceptions of how prepared the government and private sector are to defend against cyberattacks are largely consistent across demographic groups. However, those under the age of 50 are somewhat more optimistic than older Americans about the ability of these institutions to withstand future attacks. Those ages 18 to 49 are more likely than older Americans to say that the U.S. government is very prepared to handle cyberattacks on public infrastructure (17% vs. 9%) or government agencies (24% vs. 12%), and they are also slightly more likely to say that U.S. businesses are very prepared to handle attacks on their own systems (11% vs. 7%).

Americans show widespread awareness of 2011 Target credit card breach, less awareness of some other major cyberattacks

Americans’ awareness of a number of high-profile cyberattacks that have occurred in the United States and abroad in recent years is decidedly mixed. The survey asked about five specific attacks and found that Americans are most aware of the breach of credit card data of Target store customers that occurred in 2011 (note: this survey was fielded prior to some more recent high-profile data breaches, including the hacking of the DNC email system and the breach of email accounts of Yahoo customers). A sizeable majority of Americans (75%) have heard at least something about the Target breach, and nearly half the public (47%) has heard a lot about it.

Americans are less familiar with two other recent cyberattacks involving private corporations. Around half the public (49%) has heard at least something about the 2015 data breach of the AshleyMadison.com website, with 25% indicating that they have heard a lot about this. And 40% of Americans have some awareness of the 2014 cyberattack on the Sony Corp. that exposed millions of internal corporate emails and documents and damaged the company’s internal networks (with 20% indicating that they have heard a lot about it).

The public has much lower awareness of two other attacks that were arguably larger and more dangerous than those discussed above: the 2015 attack on the records of the U.S. government Office of Personnel Management (OPM) and another 2015 attack in which hackers took down a power grid in Ukraine by attacking the grid’s computer systems. One-third (33%) of Americans are aware of the OPM attack (with only 12% having heard a lot about it), while around one-in-five (22%) have heard of the Ukraine attack (with just 5% having heard a lot about it). Roughly two-thirds of Americans have not heard anything about the OPM hack, and around three-quarters have no awareness of the Ukraine attack.

Americans remain divided over whether government should be able to access encrypted communications

The issue of encryption – specifically, whether or not the government should legally be able to bypass or decode encrypted communications when investigating criminal cases – has long been a hot-button topic in the ongoing debate over the appropriate balance between individual privacy concerns and the needs of law enforcement in the digital age. This issue again became front page news in 2016, when the FBI obtained a court order to compel Apple to unlock the iPhone of one of the perpetrators of the mass shooting in San Bernadino, California.

In a Pew Research Center survey conducted at that time, 51% of Americans felt that Apple should be required to unlock the iPhone at the FBI’s request, while 38% felt that Apple should not be required to do this.

This survey posed a more general question (with two competing statements) about the tradeoffs between security and privacy, and it finds that Americans’ views on this subject remain divided. Fully 46% of Americans agree with the statement: “The government should be able to access encrypted communications when investigating crimes.” On the other hand, a comparable share (44%) agrees that “technology companies should be able to use encryption technology that is unbreakable, even to law enforcement.” An additional 4% of Americans volunteer that their answer to this question depends on the circumstances.

Men are more likely than women (by a 49% to 39% margin) to say that technology companies should be able to use unbreakable encryption. Conversely, women (51%) are somewhat more likely than men (40%) to support the government’s right to access encrypted information when investigating a crime. And although Americans of all ages are somewhat split on this issue, younger adults are more inclined to believe that encryption technologies should be unbreakable even to the government. Roughly half of 18- to 29-year-olds (49%) feel that technology companies should be able to use encryption that is unbreakable to law enforcement, but that figure falls to 35% among Americans 65 and older.

There is also a partisan element to these views. Democrats (including independents who lean towards the Democratic party) tend to support the notion that technology companies should be able to use encryption protocols that are unbreakable to law enforcement, although by a fairly close margin (48% vs. 43% who say the government should be able to bypass encryption). Meanwhile, Republicans tend to feel more strongly that the government should be able to access encrypted messages when investigating crimes (by a 53% to 38% margin).