A new Washington Post poll suggests that the American public is divided over what to do about cyber threats. And the division does not correlate with party politics. People are divided pretty evenly on whether they are “very” or “fairly” concerned about major cyberattacks on US businesses or the government or “just somewhat” or “not at all concerned.” When it comes to what to do about the threat, 39 percent of Americans favor a government requirement that companies meet certain cybersecurity standards, while 28 percent say government should encourage but not require standards, and 26 percent say the government should stay out of it entirely. People are also split about proposals to increase sharing of information between the government and the private sector, with 46 percent thinking it’s OK to share information that may include personal Internet content and email, and 43 percent saying this goes too far in invading privacy. Sixty-five percent are OK with sharing such information if there were privacy protections preventing the release of names or other identifying information.
The split in the public’s view isn’t at all surprising. In part it seems to reflect a lack of widespread awareness of the current level of attacks, and in part a lack of education about the true potential for serious damage to our economy and security. What’s more striking to me are some of the comments from present and former public officials about the poll. An article about the poll quotes National Security Agency Director Keith Alexander (who also heads up the US Cyber Command) as saying “a purely voluntary and market-driven system is not sufficient” to protect critical networks. And former DNI and NSA Director Mike McConnell is quoted as saying “We will talk and we will debate, but we will not act. It will take a catastrophic event to galvanize the government and the public to require higher cybersecurity standards to protect the nation.”
Some of us have been saying the same things since the 1990s. But you never had the head of an agency (or former head of an agency) saying this until recently. Just lower-level guys like me. So the good—and the bad—news is that the level of concern has reached the highest levels of government, at long last. But the purely bad news is that some of these people still think that only a catastrophe will cause the government and the private sector to take action that matches the seriousness of the threat. Some cybersecurity proposals have advanced pretty far in Congress this year for the first time. But concerns over civil liberties (from the left) are likely to stymie fairly mild proposals for increased information sharing, while concerns about government regulation (from the right) are likely to stymie mild proposals for security standards for critical infrastructures. As we enter the summer lull on Capitol Hill and the silly season in presidential politics, it seems unlikely that anything meaningful will come out of the congressional sausage grinder. Which means it’s back to the drawing board in the next Congress. And likely another year, or more, before Congress considers any serious legislation—barring, in McConnell’s words, a “catastrophic event.”