How Facebook’s Outage Could Shape Public Preferences on Cybersecurity Policy
What can public opinion polling tell us about public perceptions of cybersecurity?
Published by The Lawfare Institute
in Cooperation With
On Oct. 4, Facebook experienced its longest global outage in its history. Facebook’s internal servers and external services—including the main platform, WhatsApp and Instagram—were down for six hours. The event highlighted the indispensable nature of Facebook’s services worldwide. While Facebook managed to get back online fairly quickly, the outage may have lasting effects in the realm of public opinion. The outage made cyber threats more visible and showed their potential impact. Our research has shown how exposure to cyber vulnerabilities can influence public attitudes on how to address burgeoning cybersecurity challenges.
In the aftermath of Facebook’s outage, media coverage focused on impactful stories ranging from the financial loss experienced by small businesses to the emotional distress of losing contact with elderly loved ones. Worries that the outage was the result of a hack abounded, as did speculation that the personal data of Facebook’s users was up for sale. Sen. Marsha Blackburn even claimed in a congressional hearing that “the private data of over 1.5 billion—that’s right, 1.5 billion—Facebook users is being sold on a hacking forum[.] That’s its biggest data breach to date.”
By the evening of the outage, Facebook’s vice president of engineering and infrastructure, Santosh Janardhan, wrote a blog post to reassure customers that “no malicious activity” was involved. Facebook’s disappearance was reportedly the result of an internal DNS outage, and the company has denied any foul play. The New York Times reported that claims of scraped user data being available for purchase were “largely unverified, and possibly fake.”
To be clear, Facebook is not the only media service to demonstrate significant vulnerabilities. On Oct. 6, the popular streaming platform Twitch experienced a malicious hack in which user passwords, revenue data and even its source code leaked. In September, Syniverse—which services wireless carriers including AT&T, Verizon and T-Mobile—reported to the Securities and Exchange Commission (SEC) that a breach dating back to 2016 compromised consumer data such as phone numbers, callers’ locations and the content of text messages.
Facebook’s outage, however, is unique. Not only was the outage highly visible, but the affected audience—from grandfathers posting baby pictures to young teenagers sharing news articles—included many people who may have been less aware of the cyber vulnerabilities they regularly face. Facebook’s suite of services boasts a whopping 3.5 billion users, representing approximately 45 percent of the global population. WhatsApp alone has 2 billion users, many of whom rely on the service as a primary means of communication.
In data exposure events, recipients often “experience” the incident by receiving an impersonal form letter notifying them of a potential data breach. Many then see few effects beyond an annoying password change. Affected users found out about the Facebook outage in a more personal way—and saw personal effects. Many users, such as Safi Rauf, discovered the outage when trying, and failing, to log into some of their most routinely used services. Rauf’s inability to send messages on WhatsApp interrupted his communication with people his organization, Human First Coalition, is trying to aid in leaving Afghanistan.
Facebook’s outage is also unique because of its widespread coverage in the media. Syniverse’s SEC filing garnered little media attention, but Facebook’s outage received extensive coverage (and even briefly achieved a near monopoly on tech reporting). By bringing cyber vulnerabilities to the forefront, Facebook’s outage has the potential to increase public concern about cyber threats and data privacy. This could even help to galvanize the regulation of cyberspace.
In ongoing research, we have examined public attitudes about cybersecurity. We conducted a survey among a representative sample of 2,797 Americans from Dec. 11, 2020, through Jan. 12, 2021. Our results indicate the public is concerned, but not especially knowledgeable, about cybersecurity issues.
Respondents see cybersecurity as both a national and a personal threat. Some 93 percent of Americans see cyberterrorism as a threat to the United States, and almost four out of five anticipate a major cyberattack against the United States to happen within the next year. Similarly, 93 percent report concerns about their personal data security, and more than half anticipate an upcoming attack against themselves or someone they know well. This data points to urgency for overhauling U.S. cyber policy.
Public perceptions of hackers emphasize these critical worries. For example, 86 percent of surveyed Americans see cyberterrorists as “dangerous,” 51 percent say they are “smart,” 68 percent think of them as “evil,” and only 12 percent say that they act rationally. (Interestingly, survey participants see hackers as more dangerous, smarter and more evil than Russian military officers—although they are perceived as just as likely to “operate alone.”) Other research suggests cyberterrorism triggers public anger. While Facebook says its outage didn’t involve such ominous actors, this research highlights already prominent public concerns about cybersecurity, which the Facebook incident may have escalated. This research also suggests more malicious hacks—which, unfortunately, remain likely—may do even more to activate public concerns.
Yet worries about cybersecurity are not accompanied by much familiarity with cyber incidents. We find that 78 percent of Americans report not knowing a lot about cyberterrorism, and only 28 percent report that they or someone they know well has been victimized by it. Notably, women are less than half as likely as men to report exposure to cyberterrorism. We find that exposure is positively correlated with survey respondents’ age, education level and income. That is, the older, more educated and well-off people are, the more likely they are to have been exposed to a hostile cyber event. Propensity toward exposure also varies by partisanship, with 36 percent of Democrats and 27 percent of Republicans reporting exposure to adverse cyber incidents.
While low levels of experience might seem reassuring on the surface, the downside is that knowledge about cyber vulnerabilities is essential for prevention. Familiarity with the risks of the cyber realm can encourage more cautious individual approaches to technology or even drive public advocacy for corporations and government officials to improve cybersecurity policies. Increased awareness and education about cybersecurity, therefore, could be an important measure to improve public safety.
Facebook’s widespread and widely discussed outage may play an important role in raising public awareness—and public concern—about cyber vulnerabilities. After all, those who have been exposed to adverse cybersecurity events are significantly more likely to view future cyberattacks against the United States as a likely event, be concerned about their personal data vulnerability, and expect themselves or someone they know well to soon be the victim of a hack. They may also be better equipped to use more caution and more effectively protect their data.
Americans want a solution to the cybersecurity crisis. Only 5 percent of Americans think the best response to hacks is to do nothing, and this proportion decreases to just 2 percent among those with a history of exposure to cyber vulnerabilities. This trend may create some space for politicians to design and implement forward-thinking cybersecurity agendas—a stated political objective of the Biden administration.
One particularly popular policy option involves an international agreement to regulate cyberspace. Some 84 percent of Americans would support an international treaty on cyber weapons, with options ranging from an agreement not to target commercial or civilian infrastructure to a total ban on offensive uses of cyber capabilities. The recent Facebook outage could make such an agreement even more popular. In fact, our research finds that those who have been exposed to cyber vulnerabilities are 13 percentage points more likely to support a treaty regulating cyberspace. While there are many obstacles to an effective international agreement on cybersecurity, the international nature of the problem makes pursuing such a pathway nonetheless vital.
Those who have been exposed to cyber vulnerabilities are less likely to prefer diplomatic and economic approaches and instead favor military alternatives. We find that exposed individuals are 14 percentage points more likely to support military retaliation to a hack. This is one critical way in which the recent Facebook outage—and other major cybersecurity events—might shape emerging cyber policies. Even though the Facebook outage doesn’t appear to have been a hack, the incident highlights—for a wide audience—the immense vulnerabilities of technological systems on which huge swaths of society rely. These systems also store incredible amounts of personal data. Heightened perceptions of vulnerability not only encourage individual caution in cyberspace but also can lead people to support more aggressive government responses to cybersecurity threats and incidents.
Consider the 2020 revelations about SolarWinds, the largest hack of the U.S. government to date. Like Facebook’s outage, the hack was unusually visible. More than half of those we surveyed reported seeing “some” or “a lot” of SolarWinds coverage. Exposure to SolarWinds meaningfully influenced how people thought about cybersecurity. For example, those who had learned about the hack expressed more hawkish preferences on how the U.S. government should respond to future hostile cyber operations.
By highlighting the broad and critical nature of cyber vulnerabilities, the Facebook incident may have had similar effects. Unlike SolarWinds, the Facebook outage appears not to have been a malicious hack. Nevertheless, widespread personal experiences with Facebook’s outage combined with prolonged and high-intensity coverage of the event suggests the outage could play a role in making cybersecurity issues more salient in the public eye. Our research suggests those exposed to the outage could become more worried about cybersecurity and, in turn, adopt more hawkish preferences for how the U.S. government should handle future hostile cyber incidents when they occur.
This is concerning. Robust public pressure for retaliation to adverse cyber events would be problematic, as deterrence is difficult to accomplish in cyberspace and retaliation to cyber incidents can easily spiral. Public support for retaliation could potentially enable hawkish decision-makers to take misguidedly aggressive approaches in the event of hostile cyber operations.
Facebook’s recent outage undoubtedly shook consumer and investor confidence in its enterprise, but the long-term and policy effects of the event may turn out to be even larger. As cyber vulnerabilities become more visible and impactful, public attitudes on cybersecurity policy are likely to evolve. New research suggests this exposure not only makes people more fearful of hacking, but it also increases public demand for policy solutions to cybersecurity challenges. It will be up to the Biden administration to effectively channel public demand for cybersecurity solutions into policies that have an impact.
The views expressed in this article are those of the authors and do not reflect the official policy or position of the Department of Defense or the U.S. government.