Americans split on federal government security, encryption attitudes

News roundup: Half of Americans don't trust federal government security. Plus, a Kaspersky Lab manager was arrested; an internal DOD network was found vulnerable; and more.

A recent study from Pew Research Center found that approximately half of Americans don't trust the federal government with their personal data, and they are equally split over whether the government should be able to access encrypted communications during a criminal investigation.

The study, called "Americans and Cybersecurity," collected data between March 30, 2016, and May 3, 2016, from more than 1,000 adults living in the United States. It found Americans have wavering security confidence in both public and private institutions, from cellphone manufacturers to credit card companies and email providers.

However, far and away, Americans have the least confidence in the federal government, with 28% of respondents saying they are not confident at all that the federal government can keep their data secure. While there's plenty of middle ground, only 12% of Americans are "very confident" in federal government security.

"Overall, there is relatively little variation in Americans' attitudes towards these entities based on their demographic characteristics," the Pew report stated. "However, users who have directly experienced certain types of data theft in their own lives tend to have lower levels of confidence in the institutions that were involved in these experiences."

The report suggested a correlation between personal data theft, which 64% of adults in America have experienced in some form -- such as fraudulent credit card charges or compromised sensitive information, like an account number -- and the low confidence in certain types of organizations.

Another notable finding of the survey is Americans' attitude about whether the government should be able to access encrypted communications when investigating a crime. While the results varied by age and political party, Americans are still generally split on this issue. Forty-six percent of respondents think the government should be able to access encrypted communications, and 44% think tech companies should be able to use encryption that the government can't break. Both Democrats and younger adults showed more support for encryption, while older adults and Republicans support the government being able to access encrypted communications.

"The issue of encryption -- specifically, whether or not the government should legally be able to bypass or decode encrypted communications when investigating criminal cases," according to the survey, "has long been a hot-button topic in the ongoing debate over the appropriate balance between individual privacy concerns and the needs of law enforcement in the digital age."

Prior to the survey being taken, the encryption debate was highlighted by the legal battle between Apple and the FBI following the mass shooting in San Bernardino, Calif.

In other news:

  • A high-level manager at antivirus software maker Kaspersky Lab has reportedly been arrested by Russian authorities and charged with treason. Ruslan Stoyanov, head of Kaspersky's computer incidents investigations unit, was arrested in Russia in December, along with Sergei Mikhailov, a senior Russian FSB intelligence officer, reportedly on the charge of treason. Stoyanov had worked at Kaspersky since 2012, and according to Kaspersky, his arrest was for incidents predating his employment at the firm. "The case against this employee does not involve Kaspersky Lab," according to the firm's statement. "The employee, who is Head of the Computer Incidents Investigation Team, is under investigation for a period predating his employment at Kaspersky Lab. We do not possess details of the investigation. The work of Kaspersky Lab's Computer Incidents Investigation Team is unaffected by these developments."
  • A security researcher who participated in the HackerOne program Hack the Army found a way to gain access to an internal U.S. Department of Defense network through a public Army recruitment website. The Hack the Army program received 416 total reports, and 118 of them were valid. But this particular vulnerability was the worst. "A researcher could move from a public-facing website, goarmy.com, and get to an internal DOD website that requires special credentials to access," according to HackerOne's report. "They got there through an open proxy, meaning the routing wasn't shut down the way it should have been, and the researcher, without even knowing it, was able to get to this internal network, because there was a vulnerability with the proxy, and with the actual system. On its own, neither vulnerability is particularly interesting, but when you pair them together, it's actually very serious." HackerOne also said once that bug report was submitted, the Army was able to block further attacks and prevent the vulnerability from being exploited.
  • According to a recent Ponemon Institute survey, 48% of respondents said their company paid the ransom when it suffered a ransomware attack. Despite the FBI's guidance not to pay ransoms in these attacks, almost half of the surveyed companies paid out an average of $2,500 to the attackers. The report found the ransoms were paid in bitcoin 33% of the time and cash 25% of the time, while 55% of respondents said the attacker provided the decryption key once the payment was made. Another notable finding in the report was companies that experience a ransomware attack don't report the incident because they don't want the publicity. "Despite the FBI's pleas to report the incident to law enforcement, 49% of respondents say their company did not report the ransomware attack." The report surveyed 618 respondents who were primarily IT contractors, managers and business managers who directly report to a CISO.
  • Mozilla Firefox is joining in the fight against unsafe websites. "Starting today in the latest Firefox, web pages that collect passwords, like an email service or bank, but have not been secured with HTTPS will be more clearly highlighted as potential threats," said Mozilla in a blog post. Previously, Firefox would show a green lock on a page when it was secure, but now, it will also show a crossed-out lock with a pop-up box that alerts users when it's not secured with HTTPS. "Keeping users safe online has been a key priority for Mozilla," the blog post read. "And we've long been a vocal proponent for using HTTPS to secure a user's web experience through efforts like Let's Encrypt." Google uses a similar feature in its Chrome browser.
