Americans are divided about what role, if any, Washington should play in setting and enforcing cybersecurity standards for companies that provide critical services such as electricity and banking, according to a new Washington Post poll.
There is limited support for government mandates, but there is no broad-based call for government to stay away, even among Republicans.
About as many Republicans say government should require security standards as say it should avoid the issue entirely. Democrats are split on the matter as well.
The results reflect a degree of nuance not found on Capitol Hill, where lawmakers are considering a bill, backed by the White House, that would require industries to meet specific cybersecurity standards to protect their systems from attack. Democrats largely support the bill; most Republicans oppose it, saying it would add burdensome regulations that would stifle innovation.
The Obama administration has pushed hard to get Congress to move on legislation. Officials recently walked lawmakers through a mock computer attack on the electrical grid in New York City during a summer heat wave to demonstrate the risks of inaction.
Leon Panetta, now defense secretary, warned when he was CIA director that “the next Pearl Harbor that we confront could very well be a cyberattack.”
FBI Director Robert S. Mueller III has said cyberattacks probably will overtake terrorism as the major threat facing the United States.
Some experts say that only an actual cyberattack shutting down an electrical grid or Wall Street, for example, will prompt action.
“We will talk and we will debate, but we will not act,” said Mike McConnell, a former director of national intelligence and former NSA director. “It will take a catastrophic event to galvanize the government and the public to require higher cybersecurity standards to protect the nation.”
According to the poll, 39 percent of Americans favor a government mandate, 28 percent say government should encourage but not require standards, and 26 percent say the government should stay out of the issue.
The survey also found that Americans are divided on whether Congress should pass legislation that would make it easier for the government and the private sector to exchange data about security threats in cyberspace if the exchange could involve content from people’s e-mail and Internet activity.
In the poll, 46 percent of Americans say they believe an information exchange between U.S. companies and the government is justified if it helps thwart cyberattacks, even if it could encroach on personal privacy. About as many, 43 percent, say such an exchange is not justified.
If such legislation includes protections against the release of names and other identifying information from e-mail and other Internet content, support jumps to 65 percent for a system in which companies share cyberthreat data with government officials. The House passed a data-sharing bill, but the White House has threatened to veto it over privacy and other concerns.
In general, the poll found, people worry more about getting a computer virus and having their financial information stolen than they do about someone reading their e-mail or knowing what Web sites they have visited. But about a third of Americans are concerned about those issues as well.
“Americans want both privacy and better cybersecurity,” said Greg Nojeim, senior counsel at the Center for Democracy and Technology, a civil liberties group. “It’s a huge challenge, but Congress has to deliver both.”
About four in 10 Americans think it is unlikely that a major cyberattack will hit the government or industry in the next year, a finding that has not changed much over the past decade despite experts’ warnings that the threat of such an attack has grown.
Part of the reason Americans are not more concerned, experts say, is that the country has not experienced a major destructive attack.
“It doesn’t have the visual bang that a bomb or traditional kinetic attack would have,” said Frank Cilluffo, director of George Washington University’s Homeland Security Policy Institute.
Scaremongering is not effective, he said. “We don’t want to say, ‘The sky is falling,’ ” he said. “But we could have one heck of a rainy day.”
The capability exists, for instance, to knock out power or phone and Internet communications in a city, Cilluffo said. The United States and Israel teamed up on a covert cyber-operation to damage centrifuges in an Iranian nuclear facility, but the effects took place over months and no machines outside Iran were damaged.
The public also has mixed views on how prepared the government and businesses are to deal with a major cyberattack.
In general, only about a third of Americans believe the government is prepared to handle a cyberattack, a view that has not changed appreciably since 2002, when a similar poll was conducted.
As for the private sector, 28 percent of Americans think businesses are prepared, while 31 percent think they are not prepared. Again, the numbers have not changed markedly in 10 years.
Americans across party lines see a range of potential aggressors in cyberspace. About 26 percent of those who express concern about a destructive attack see China as the greatest threat, while 19 percent single out al-Qaeda as the likeliest perpetrator. Iran and Russia also make the short list, based on an open-ended question.
The telephone poll was conducted May 17 to 20 among a random national sample of 1,004 adults. Results from the full survey have a margin of sampling error of plus or minus 3.5 percentage points.
Polling manager Peyton M. Craighill and polling analyst Scott Clement contributed to this report.