Illustration via Max Fleishman (Licensed)
Americans rank cyberattacks from other countries second on a list of global threats facing the United States, according to a new survey.
A new Pew Research Center survey about views of America's place in the world found that 72 percent of Americans describe cyberattacks as a major threat, and 22 percent describe it as a minor threat. Only the Islamic State, the terrorist group also known as ISIS, ranked higher, garnering scores of 80 percent and 16 percent, respectively.
The new findings highlight the psychological and political impact of perceived aggressions in cyberspace, where treaties, laws, and customs developed almost entirely before the advent of the personal computer are struggling to adapt to the faster-paced and murkier online battlefield.
Rob Knake, a senior cyber fellow at the Council on Foreign Relations and the National Security Council's former director of cybersecurity policy, said the finding should be deeply concerning because it reflects Americans' misguided security priorities.
“We really have taken this threat out of proportion.”
While many people tend to point out that it is statistically unlikely for an ISIS attack to kill an American, Knake said, “It's really technically impossible for a cyberattack to kill an American.”
“We really have taken this threat out of proportion,” he added.
“There's good research that shows public perceptions of risk are shaped by media, not reality,” James Lewis, a cyber expert who directs the Center for Strategic and International Studies's Strategic Technologies Program, said in an email. “It's worse now because you have a big dose of snake oil in cyber 'research,' much of which has become a new form of PR. So it's really more a reflection of how little the public knows and how much silliness is out there.”
Knake also said he found it odd that Americans were extremely concerned about cyberattacks while remaining largely unconcerned about China and Russia gaining global influence (those two scenarios ranked lowest on the list of fears). Cybersecurity experts generally believe that the only scenarios in which the U.S. would experience massive, heavily destructive cyberattacks are ones involving open conflict with either Russia or China, or both.
Adam Segal, the director of the Digital and Cybersecurity Policy Program at the Council on Foreign Relations and an expert in China studies, agreed that the findings were puzzling.
“I'd say I was surprised since [the] U.S. has not been the victim of a destructive cyber attack,” Segal said in an email, adding that it would “be good to know more about how participants understood cyber attack and what they thought the threat to U.S. was.”
Indeed, despite the question's wording, survey respondents might have been thinking about all kinds of digital security issues when they answered it.
“In general, there is a tendency to include a lot of different activities under the label ‘cyberattacks,’” Michael Sulmeyer, the director of the Cyber Security Project at Harvard's Belfer Center, said in an email. “But I think given that this poll places cyber threats second only to [the Islamic State], those surveyed understand that foreign nations can use cyber capabilities against us a new form of hard power—going beyond theft, to include disruption, deletion, and even destruction.”
Unlike other threats like ISIS terrorism or the Syrian and Iraqi refugee crises, cyberattacks prompt roughly the same levels of fear across parties. The nine-point gap between Republicans who call them a major threat (78 percent) and Democrats who say the same (69 percent) is smaller than the gap for all but two of the other top threats (infectious diseases and economic instability).
Liberal Democrats are the least likely to view cyberattacks as a major threat (65 percent of those partisans said they were), with fears rising roughly linearly along the partisan scale; eight in 10 conservative Republicans described cyberattacks as a major threat to the country.
Cybersecurity has been an issue ever since networked computers assumed a prominent role in global commerce, communication, and governance. The systems that form the Internet were built for speed and convenience rather than security, and it quickly showed. But cyberattacks rarely became major news stories until hackers believed to be working for the Chinese government breached the servers of the Office of Personnel Management, the federal government's HR department.
The June 2015 OPM hack inspired congressional hearings and forced the office's director to resign under bipartisan pressure. The breach also prompted renewed debate over the United States's cyber relationship with China, widely seen as one of the most aggressive cyber powers, along with Russia.
The fact that the 22 million federal employees' personnel records—which included millions of fingerprints—did not surface on a Dark Net marketplace suggested that China was keeping the files to itself, possibly to blackmail officials and recruit double agents.
The personnel-office breach only highlighted how many other government agencies and businesses have been subject to cyberattacks. Hackers have breached servers at Sony Pictures Entertainment, Target, Yahoo, JPMorgan Chase, MasterCard, and Home Depot, to name just a few high-profile examples.
Dave Weinstein, the director of cybersecurity for the New Jersey government, said that the Pew results were “representative of the public's growing exposure to cyber threats.”
“It's no longer a phenomenon that only impacts large companies or governments; rather, it's increasingly personal and therefore tangible,” Weinstein said in a Twitter direct message.
Importantly, he said, “It also reveals that we no longer define threats as manifested in a physical or violent manner.”
The U.S. and China agreed in September 2015 not to pursue cyber espionage for commercial purposes, but that deal—the effectiveness of which remains to be seen—does not cover political activities like hacking government agencies, which are seen as traditional extensions of long-condoned international behavior.
The new Pew numbers are little changed from late October 2013, the last time the group asked about cyberattacks. At that time, 70 percent called them a major threat and 23 percent called them a minor threat.
“The results of the survey seem to be consistent with what U.S. national security leaders have been saying for some time.”
“I would expect it to remain in about same place,” Segal said of the steady fear level, “as people have a general sense of vulnerability in cyberspace but events in [the] physical world dominate the news.”
The public's fear of cyber threats is consistent with how the U.S. military views the cyber domain. Sulmeyer, formerly a senior cyber policy adviser at the Defense Department, pointed to Director of National Intelligence James Clapper's latest annual threat assessment, which lists cyber before terrorism and nuclear proliferation.
“The results of the survey,” Sulmeyer said, “seem to be consistent with what U.S. national security leaders have been saying for some time.”
But military officials also consider global warming to be a paramount national-security threat, and the Pew survey shows that softer-seeming issues do not resonate as strongly as ones involving violence.
To Knake, the gap between fear of cyberattacks and fear of things like global warming suggested that people had elevated cyber worries “to a level that's probably not healthy.”