
Cybersecurity: Cybercrime and National Security Authoritative Reports and Resources

Changes from March 3, 2016 to May 20, 2016

This page shows textual changes in the document between the two versions indicated in the dates above. Textual matter removed in the later version is indicated with red strikethrough and textual matter added in the later version is indicated with blue.


Cybersecurity: Cybercrime and National Security Authoritative Reports and Resources

March 3, 2016 / May 20, 2016 (R44408)

Summary

As online attacks grow in volume and sophistication, the United States is expanding its cybersecurity efforts. Cybercriminals continue to develop new ways to ensnare victims, whereas nation-state hackers compromise companies, government agencies, and businesses to create espionage networks and steal information. Threats come from both criminals and hostile countries, especially China, Russia, Iran, and North Korea.

Much is written on this topic, and this CRS report directs the reader to authoritative sources that address many of the most prominent issues. The annotated descriptions of these sources are listed in reverse chronological order, with an emphasis on material published in the past several years. This report includes resources and studies from government agencies (federal, state, local, and international), think tanks, academic institutions, news organizations, and other sources:

  • Table 1—cybercrime, data breaches and security, including hacking, real-time attack maps, and statistics (such as economic estimates)
  • Table 2—national security, cyber espionage, and cyberwar, including Stuxnet, China, and the Dark Web
  • Table 3—cloud computing, the Internet of Things (IoT), and FedRAMP

The following reports comprise a series of authoritative reports and resources on these additional cybersecurity topics:

For access to additional CRS reports and other resources, see the Cybersecurity Issue Page at http://www.crs.gov.


Introduction

As online attacks grow in volume and sophistication, the United States is expanding its cybersecurity efforts. Cybercriminals continue to develop new ways to ensnare victims, whereas nation-state hackers compromise companies, government agencies, and businesses to create espionage networks and steal information. Threats come from both criminals and hostile countries, especially China, Russia, Iran, and North Korea.

Much is written on this topic, and this CRS report directs the reader to authoritative sources that address many of the most prominent issues. The annotated descriptions of these sources are listed in reverse chronological order, with an emphasis on material published in the past several years. This report includes resources and studies from government agencies (federal, state, local, and international), think tanks, academic institutions, news organizations, and other sources:

  • Table 1—cybercrime, data breaches and security, including hacking, real-time attack maps, and statistics (such as economic estimates)
  • Table 2—national security, cyber espionage, and cyberwar, including Stuxnet, China, and the Dark Web
  • Table 3—cloud computing, the Internet of Things (IoT), and FedRAMP

Table 1. Cybercrime, Data Breaches, and Data Security

(includes hacking, real-time attack maps, statistics)


Title

Source

Date

Notes

The Cyberfeed

Anubis Networks

Continuously Updated

This site provides real-time threat intelligence data worldwide.

Digital Attack Map

Arbor Networks

Continuously Updated

The map is powered by data fed from 270+ ISP customers worldwide who have agreed to share network traffic and attack statistics. The map displays global activity levels in observed attack traffic, which is collected anonymously and does not include any identifying information about the attackers or victims involved in any particular attack.

Cyber Incident Timeline

Center for Strategic & International Studies (CSIS)

Continuously Updated

The interactive "Cyber Incident Timeline" from the CSIS Strategic Technologies Program details successful attacks on government agencies, defense and high-tech companies, and international economic crimes with losses of more than a million dollars, since 2006. It includes news reports and videos on most incidents.

ThreatExchange

Facebook

Continuously Updated

ThreatExchange is a set of application programming interfaces, or APIs, that let disparate companies trade information about the latest online attacks. Built atop the Facebook Platform—a repository of a standard set of tools for coding applications within the worldwide social network—ThreatExchange is used by Facebook and a handful of other companies, including Tumblr, Pinterest, Twitter, and Yahoo. Access to the service is strictly controlled, but [Facebook] hopes to include more companies as time goes on.

Federal Trade Commission List of Settled Data Security Cases

Federal Trade Commission (FTC)

Continuously Updated

The FTC's Legal Resources website offers a compilation of laws, cases, reports, and more. The user can filter the FTC's legal documents by type (case) and topic (data security), resulting in a list of 55 data security cases from 2000 to 2015, in reverse chronological order. Clicking the case name provides more details, such as the case citation, timeline, press releases, and pertinent legal documents.

IdentityTheft.gov

FTC

Continuously Updated

The one-stop website is integrated with the FTC's consumer complaint system, allowing consumers who are victims of identity theft to rapidly file a complaint with the FTC and then get a personalized guide to recovery that helps streamline many of the steps involved. The upgraded site, which is mobile and tablet accessible, offers an array of easy-to-use tools that enable identity theft victims to create the documents they need to alert police, the main credit bureaus, and the Internal Revenue Service (IRS), among others.

HHS Breach Portal: Breaches Affecting 500 or More Individuals

Health and Human Services (HHS)

Continuously Updated

As required by Section 13402(e)(4) of the HITECH Act, P.L. 111-5, HHS must post a list of breaches of unsecured protected health information affecting 500 or more individuals. These breaches are posted in a more accessible format that allows users to search and sort the posted breaches. Additionally, the format includes brief summaries of the breach cases that the Office for Civil Rights (OCR) has investigated and closed, as well as the names of private practice providers who have reported breaches of unsecured protected health information.

HoneyMap

Honeynet Project

Continuously Updated

The HoneyMap displays malicious attacks as they happen. Each red dot represents an attack on a computer. Yellow dots represent "honeypots" or systems set up to record incoming attacks. The black box on the bottom gives the location of each attack. The Honeynet Project is an international 501(c)(3) nonprofit security research organization, dedicated to investigating the latest attacks and developing open source security tools to improve Internet security.

Regional Threat Assessment: Infection Rates and Threat Trends by Location

Microsoft Security Intelligence Report (SIR)

Continuously Updated

The report provides data on infection rates, malicious websites, and threat trends by regional location, worldwide. (Note: Select "All Regions" or a specific country or region to view threat assessment reports.)

ThreatWatch

NextGov

Continuously Updated

ThreatWatch is a snapshot of the data breaches hitting organizations and individuals, globally, on a daily basis. It is not an authoritative list because many compromises are never reported or even discovered. The information is based on accounts published by outside news organizations and researchers.

Information about OPM Cybersecurity Incidents

Office of Personnel Management (OPM)

Continuously Updated

In April 2015, OPM discovered that the personnel data of 4.2 million current and former federal government employees had been stolen. Information such as full name, birth date, home address, and Social Security numbers was affected. While investigating this incident, in early June 2015, OPM discovered that additional information had been compromised, including background investigation records of current, former, and prospective federal employees and contractors.

Chronology of Data Breaches, Security Breaches 2005 to the Present

Privacy Rights Clearinghouse (PRC)

Continuously Updated

The listed (U.S.-only) data breaches have been reported because the personal information compromised includes data elements useful to identity thieves, such as Social Security numbers, account numbers, and driver's license numbers. This list is not a comprehensive compilation of all breach data. Most of the information is obtained from verifiable media stories, government web sites/pages (e.g., state Attorneys General, such as the California AG's breach website), or blog posts with information pertinent to the breach in question.

Criminal Underground Economy Series

Trend Micro

Continuously Updated

A review of various cybercrime markets around the world.

Global Botnet Map

Trend Micro

Continuously Updated

Trend Micro continuously monitors malicious network activities to identify command-and-control (C&C) servers and help increase protection against botnet attacks. The real-time map indicates the locations of C&C servers and victimized computers they control that have been discovered in the previous six hours.

Combatting the Ransomware Blitzkrieg: The Only Defense is a Layered Defense, Layer One: Endpoint Security

The Institute for Critical Infrastructure Technology

April 2016

The report introduces the ins and outs of the more prevalent ransomware variants as well as other endpoints vulnerable to ransomware attacks, such as SCADA/ICS, IoT, cars, cloud, servers, specialized hardware, personal computers, and the most easily exploitable vulnerability, the human. (27 pages)

A Look Inside Cybercriminal Call Centers

Krebs on Security

January 11, 2016

Crooks who make a living via identity theft schemes, dating scams, and other con games often run into trouble when presented with a phone-based challenge that requires them to demonstrate mastery of a language they do not speak fluently. Enter the criminal call center, which allows scammers to outsource those calls to multi-lingual men and women who can be hired to close the deal.

Target Settlement Memorandum

U.S. District Court, District of Minnesota

December 2, 2015

Target Corporation has agreed to pay financial institutions almost $40 million to settle a class-action suit related to its massive 2013 data breach. The proposed settlement of up to $39,357,938.38 will apply to all U.S. financial institutions that issued payment cards put at risk as a result of the data breach. (20 pages)

The Cyberwar is On (Special Issue)

The Agenda (Politico)

December 2015

The cyber issue of The Agenda magazine includes "Why Politicians Can't Handle Cyber," "Inside the NSA's Hunt for Hackers," "America's Secret Arsenal," "The Biggest Hacks (We Know About)," "Survey: What Keeps America's Computer Experts Up at Night?," "The 'Electronic Pearl Harbor'," "Our Best Frenemy, Time for a Ralph Nader Moment," "The Crypto Warrior," and "America's CIO."

Fiscal Year 2015 Top Management Challenges

Office of Personnel Management (OPM), Office of Inspector General (OIG)

October 30, 2015

See Internal Challenges section (pp. 15-22) for a discussion of challenges related to information technology, improper payments, the retirement claims process, and the procurement process. Officials in OPM's Office of Procurement Operations violated the Federal Acquisition Regulation and the agency's own policies in awarding a $20.7 million contract to provide credit monitoring and ID theft services. Investigators turned up "significant deficiencies" in the process of awarding the contract to Winvale Group and its subcontractor CSID. (22 pages)

With Stolen Cards, Fraudsters Shop to Drop

Krebs on Security

September 28, 2015

Fraudsters have perfected the reshipping service, a criminal enterprise that allows card thieves and the service operators to essentially split the profits from merchandise ordered with stolen credit and debit cards.

Drops for Stuff: An Analysis of Reshipping Mule Scams

Federal Bureau of Investigation (FBI), University of California, Santa Barbara, Stony Brook University, Krebs on Security, University College London

September 23, 2015

In reshipping scams, cybercriminals purchase high-value or high-demand products from online merchants using stolen payment instruments, and then ship the items to a credulous citizen. This person, who has been recruited by the scammer under the guise of "work-from-home" opportunities, then forwards the received products to the cybercriminals, most of whom are located overseas. Once the goods reach the cybercriminals, they are then resold on the black market for an illicit profit. (12 pages)

Follow the Data: Dissecting Data Breaches and Debunking Myths

Trend Micro

September 22, 2015

Trend Micro's Forward-Looking Threat Research (FTR) Team has taken 10 years (2005-2015) of information on data breaches in the United States from the Privacy Rights Clearinghouse (PRC) and subjected it to detailed analysis to better understand the real story behind data breaches and their trends. (51 pages)

Timeline: Government Data Breaches

Government Executive

July 6, 2015

The timelines are based mainly on testimony from OPM Director Katherine Archuleta and Andy Ozment, Assistant Secretary for Cybersecurity and Communications at DHS, supplemented by information from news reports.

2015 Cost of Data Breach Study: Global Analysis

Ponemon Institute and IBM

May 27, 2015

The average cost of a breach was up worldwide in 2014, with U.S. firms paying almost $1.5 million more than the global average. In the United States, a data breach costs organizations on average $5.85 million (the highest of the 10 nations analyzed), up from $5.4 million in 2013. Globally, the cost of a breach is up 15% this year to $3.5 million. The United States likewise had the highest cost per record stolen, at $201, up from $188 last year. The country also led in terms of size of breaches recorded: U.S. companies averaged 29,087 records compromised in 2014. (Free registration required to download.) (31 pages)

Meet 'Tox': Ransomware for the Rest of Us

McAfee Labs

May 23, 2015

The packaging of malware and malware-construction kits for cybercrime "consumers" has been a long-running trend. Various turnkey kits that cover remote access plus botnet plus stealth functions are available virtually anywhere. Ransomware, though very prevalent, has not yet appeared in force in easy-to-deploy kits. However, Tox is now available free.

2014 Internet Crime Report

Internet Crime Complaint Center (IC3)

May 19, 2015

IC3, a joint project of the National White Collar Crime Center and the FBI, received 269,422 complaints last year consisting of a wide array of scams affecting victims across all demographic groups. In 2014, victims of Internet crimes in the United States lost more than $800 million. On average, approximately 22,000 complaints were received each month. (48 pages)

Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data

Ponemon Institute

May 2015

A rise in cyberattacks against doctors and hospitals is costing the U.S. health-care system $6 billion a year as organized criminals who once targeted retailers and financial firms increasingly go after medical records. Criminal attacks are up 125% compared with five years ago, when lost laptops were the leading threat. The study also found most organizations are unprepared to address new threats and lack adequate resources to protect patient data. (7 pages)

Best Practices for Victim Response and Reporting of Cyber Incidents

Department of Justice (DOJ)

April 29, 2015

DOJ issued new guidance for businesses on best practices for handling cyber incidents. The guidance is broken down into what companies should do—and should not do—before, during, and after an incident. The recommendations include developing an incident response plan, testing it, identifying highly sensitive data and risk management priorities, and connecting with law enforcement and response firms in advance. (15 pages)

2015 Data Breach Investigations Report (DBIR)

Verizon

April 14, 2015

A full 75% of attacks spread from the first victim to the second in 24 hours or less, and more than 40% spread from the first victim to the second in under an hour. On top of the speed with which attackers compromise multiple victims, the useful lifespan of shared information can sometimes be measured in hours. Researchers found that of the IP addresses observed in information sharing feeds, only 2.7% were valid for more than a day. (70 pages)

2014 Global Threat Intel Report

CrowdStrike

February 6, 2015

The report summarizes CrowdStrike's year-long daily scrutiny of more than 50 groups of cyber threat actors, including 29 different state-sponsored and nationalist adversaries. Key findings explain how financial malware changed the threat landscape and point of sale malware became increasingly prevalent. The report also profiles a number of new and sophisticated adversaries from China and Russia. (Free registration required.)

Unique in the Shopping Mall: on the Reidentifiability of Credit Card Metadata

Science Magazine

January 30, 2015

Massachusetts Institute of Technology (MIT) scientists showed they can identify an individual with more than 90% accuracy by looking at just four purchases; three if the price is included—and this is after companies "anonymized" the transaction records, saying they wiped away names and other personal details. (5 pages)

Ransomware on the Rise: FBI and Partners Working to Combat This Cyber Threat

FBI

January 20, 2015

Ransomware scams involve a type of malware that infects computers and restricts users' access to their files or threatens the permanent destruction of their information unless a ransom—anywhere from hundreds to thousands of dollars—is paid. The site offers information on the FBI's and federal, international, and private-sector partners' proactive steps to neutralize some of the more significant ransomware scams through law enforcement actions against major botnets.

Exploit This: Evaluating the Exploit Skills of Malware Groups

Sophos Labs Hungary

January 2015

Researchers evaluated the malware and advanced persistent threat (APT) campaigns of several groups that all leveraged a particular exploit—a sophisticated attack against a specific version of Microsoft Office. The report found that none of the groups were able to modify the attack enough to infect other versions of Office, even though several versions were theoretically vulnerable to the same type of attack. Despite the aura of skill and complexity that seems to surround APTs, they are much less sophisticated than they are given credit for. (26 pages)

The Cost of Malware Containment

Ponemon Institute

January 2015

A survey of more than 600 U.S. IT security practitioners found that in a typical week, organizations receive an average of nearly 17,000 malware alerts; only 19% are deemed reliable or worthy of action. Compounding the problem, respondents believe their prevention tools miss 40% of malware infections in a typical week. (Free registration required.)

Addressing the Cybersecurity Malicious Insider Threat

Schluderberg, Larry (Utica College Master's Thesis)

January 2015

"The purpose of this research was to investigate who constitutes Malicious Insider (MI) threats, why and how they initiate attacks, the extent to which MI activity can be modeled or predicted, and to suggest risk mitigation strategies. The results reveal that addressing the Malicious Insider threat is much more than just a technical issue. Dealing effectively with the threat involves managing the dynamic interaction between employees, their work environment and work associates, the systems with which they interact, and organizational policies and procedures." (80 pages)

The Underground Hacker Markets are Booming with Counterfeit Documents, Premiere Credit Cards, Hacker Tutorials, and 1000% Satisfaction Guarantees

Dell Secure Works

December 2014

Researchers examined dozens of underground hacker markets and found that business is booming. Prices have gone down for many items and the offerings have expanded. According to the report, "Underground hackers are monetizing every piece of data they can steal or buy and are continually adding services so other scammers can successfully carry out online and in-person fraud." (16 pages)

What Happens When You Swipe Your Card?

60 Minutes

November 30, 2014

From the script for the segment "Swiping Your Card": "Sophisticated cyberthieves steal your credit card information. Common criminals buy it and go on shopping sprees—racking up billions of dollars in fraudulent purchases. The cost of the fraud is calculated into the price of every item you buy. When computer crooks swipe your card number, we all end up paying the price. 2014 is becoming known as the 'year of the data breach.'"

Continuing Federal Cyber Breaches Warn Against Cybersecurity Regulation

Heritage Foundation

October 27, 2014

A list of federal government cybersecurity breaches and failures, most of which occurred during 2013 and 2014. The list is part of a continuing series published by Heritage that serves as a long-term compilation of open-source data about federal cybersecurity breaches dating back to 2004.

2014 Cost of Cybercrime Global Report

Hewlett-Packard Enterprise Security and the Ponemon Institute

October 8, 2014

This 2014 global study, which spanned seven nations, found that over the course of a year the average cost of cybercrime for U.S.-based companies climbed by more than 9% to $12.7 million, up from $11.6 million in the 2013 study. The average time to resolve a cyberattack is also rising, climbing to 45 days from 32 days in 2013. (30 pages) (Email registration required.)

The Deep Web (Special Issue)

The Kernel

September 28, 2014

A special issue devoted to the Deep Web, Tor, Silk Road, black markets, etc.

How Consumers Foot the Bill for Data Breaches (infographic)

NextGov.com

August 7, 2014

More than 600 data breaches occurred in 2013 alone, with an average organizational cost of more than $5 million. But in the end, it is the customers who are often picking up the tab, from higher retail costs to credit card reissue fees.

Is Ransomware Poised for Growth?

Symantec

July 14, 2014

Ransomware usually masquerades as a virtual "wheel clamp" for the victim's computer. For example, pretending to be from local law enforcement, it might suggest the victim had been using the computer for illicit purposes and claim that to unlock his or her computer the victim would have to pay a fine, often between $100 and $500. The use of ransomware escalated in 2013, with a 500% (sixfold) increase in attacks between the start and end of the year.

iDATA: Improving Defences Against Targeted Attack

Centre for the Protection of National Infrastructure (UK)

July 2014

The iDATA program consists of a number of projects aimed at addressing threats posed by nation-states and state-sponsored actors. iDATA has resulted in several outputs for the cybersecurity community. The document provides a description of the iDATA program and a summary of the reports. (8 pages)

Cyber Risks: The Growing Threat

Insurance Information Institute

June 27, 2014

Although cyber risks and cybersecurity are widely acknowledged to be serious threats, many companies today still do not purchase cyber risk insurance. Insurers have developed specialist cyber insurance policies to help businesses and individuals protect themselves from the cyber threat. Market intelligence suggests that the types of specialized cyber coverage being offered by insurers are expanding in response to this fast-growing market need. (27 pages)

Hackers Wanted: An Examination of the Cybersecurity Labor Market

RAND Corporation

June 24, 2014

RAND examined the current status of the labor market for cybersecurity professionals—with an emphasis on their being employed to defend the United States. This effort was in three parts: first, a review of the literature; second, interviews with managers and educators of cybersecurity professionals, supplemented by reportage; and third, an examination of the economic literature about labor markets. RAND also disaggregated the broad definition of cybersecurity professionals to unearth skills differentiation as relevant to this study. (110 pages)

Big Data and Innovation, Setting The Record Straight: De-identification Does Work

Information Technology and Innovation Foundation and the Information and Privacy Commissioner, Ontario, Canada

June 16, 2014

The paper examines a select group of articles that are often referenced in support of the myth that de-identified data sets are at risk of re-identifying individuals through linkages with other available data. It examines the ways in which the academic research referenced has been misconstrued and finds that the primary reason for the popularity of these misconceptions is not factual inaccuracies or errors within the literature but rather a tendency on the part of commentators to overstate or exaggerate the risk of re-identification. (13 pages)

Net Losses: Estimating the Global Cost of Cybercrime

Center for Strategic and International Studies and McAfee

June 2014

The report explores the economic impact of cybercrime, including estimation, regional variances, IP theft, opportunity and recovery costs, and the future of cybercrime. (24 pages)

2014 U.S. State of Cybercrime Survey

PricewaterhouseCoopers, CSO Magazine, the CERT Division of the Software Engineering Institute at Carnegie Mellon University, and the U.S. Secret Service

May 29, 2014

The cybersecurity programs of U.S. organizations do not rival the persistence, tactical skills, and technological prowess of their potential cyber adversaries. This year, three out of four (77%) respondents to the survey had detected a security event in the past 12 months, and more than one-third (34%) said the number of security incidents detected had increased over the previous year. (21 pages)

Privileged User Abuse and The Insider Threat

Ponemon Institute and Raytheon

May 21, 2014

The report looks at what companies are doing right and the vulnerabilities that need to be addressed with policies and technologies. One problematic area is the difficulty in actually knowing if an action taken by an insider is truly a threat. Sixty-nine percent of respondents say they do not have enough contextual information from security tools to make this assessment, and 56% say security tools yield too many false positives. (32 pages) (Requires free registration to access.)

Online Advertising and Hidden Hazards to Consumer Security and Data Privacy

Senate Permanent Subcommittee on Investigations

May 15, 2014

The report found consumers could expose themselves to malware just by visiting a popular website. It noted that the complexity of the industry made it possible for both advertisers and host websites to defer responsibility and that consumer safeguards failed to protect against online abuses. The report also warned that current practices do not create enough incentives for "online advertising participants" to take preventive measures. (47 pages)

Sharing Cyberthreat Information Under 18 USC § 2702(a)(3)

Department of Justice (DOJ)

May 9, 2014

DOJ issued guidance for Internet service providers to assuage legal concerns about information sharing. The white paper interprets the Stored Communications Act (18 U.S.C. § 2701 et seq.), which prohibits providers from voluntarily disclosing customer information to governmental entities. The white paper says the law does not prohibit companies from divulging data in the aggregate, without any specific details about identifiable customers. (7 pages)

The Target Breach, by the Numbers

Krebs on Security

May 6, 2014

A synthesis of numbers associated with the Target data breach of December 19, 2013 (e.g., number of records stolen, estimated dollar cost to credit unions and community banks, and the amount of money Target estimates it will spend upgrading payment terminals to support Chip-and-PIN enabled cards).

The Rising Strategic Risks of Cyberattacks

McKinsey and Company

May 2014

The authors suggest that companies are struggling with their capabilities in cyber risk management. As highly visible breaches occur with increasing regularity, most technology executives believe they are losing ground to attackers. Organizations large and small lack the facts to make effective decisions, and traditional "protect the perimeter" technology strategies are proving insufficient.

Big Data: Seizing Opportunities, Preserving Values

White House

May 2014

Findings include a set of consumer protection recommendations, such as national data-breach legislation, and a fresh call for baseline consumer-privacy legislation first recommended in 2012. (85 pages)

Russian Underground Revisited

Trend Micro

April 28, 2014

The price of malicious software—designed to enable online bank fraud, identity theft, and other cybercrimes—is falling dramatically in some of the Russian-language criminal markets in which it is sold. Falling prices are a result not of declining demand but rather of an increasingly sophisticated marketplace. The report outlines the products and services being sold and their prices. (25 pages)

Federal Agencies Need to Enhance Responses to Data Breaches

Government Accountability Office (GAO)

April 2, 2014

Major federal agencies continue to face challenges in fully implementing all components of agency-wide information security programs, which are essential for securing agency systems and the information they contain—including personally identifiable information (PII). (19 pages)

A "Kill Chain" Analysis of the 2013 Target Data Breach

Senate Commerce Committee

March 26, 2014

The report analyzes what has been reported to date about the Target data breach, using the intrusion kill chain framework, an analytical tool introduced by Lockheed Martin security researchers in 2011 and widely used today by information security professionals in both the public and private sectors. The analysis suggests that Target missed a number of opportunities along the kill chain to stop the attackers and prevent the massive data breach. (18 pages)

Markets for Cybercrime Tools and Stolen Data

RAND Corporation National Security Research Division and Juniper Networks

March 25, 2014

The report, part of a multiphase study on the future security environment, describes the fundamental characteristics of the criminal activities in cyberspace markets and how they have grown into their current state to explain how their existence can harm the information security environment. (83 pages)

Merchant and Financial Trade Associations Announce Cybersecurity Partnership

Retail Industry Leaders Association

February 13, 2014

Trade associations representing the merchant and financial services industries announced a new cybersecurity partnership. The partnership will focus on exploring paths to increased information sharing, better card security technology, and maintaining the trust of customers. Discussion regarding the partnership was initiated by the Retail Industry Leaders Association and the Financial Services Roundtable.

FTC Statement Marking the FTC's 50th Data Security Settlement

Federal Trade Commission (FTC)

January 31, 2014

The FTC announced its 50th data security settlement. What started in 2002 with a single case applying established FTC Act precedent to the area of data security has grown into an enforcement program that has helped to increase consumer protections and encouraged companies to make safeguarding consumer data a priority. (2 pages)

Worst Practices Guide to Insider Threats: Lessons from Past Mistakes

American Academy of Arts and Sciences

January 2014

The report presents a worst practices guide of serious past mistakes regarding insider threats. Although each situation is unique, and serious insider problems are relatively rare, the incidents reflect issues that exist in many contexts and that every security manager should consider. Common organizational practices—such as prioritizing production over security, failure to share information across subunits, inadequate rules or inappropriate waiving of rules, exaggerated faith in group loyalty, and excessive focus on external threats—can be seen in many past failures to protect against insider threats. (32 pages)

ENISA Threat Landscape 2013—Overview of Current and Emerging Cyber-Threats

European Union Agency for Network and Information Security (ENISA)

December 11, 2013

The report is a comprehensive compilation of the top 15 cyber threats assessed in the 2013-reporting period. ENISA has collected more than 250 reports regarding cyber threats, risks, and threat agents. (70 pages)

Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent

GAO

December 9, 2013

GAO recommends that "to improve the consistency and effectiveness of government wide data breach response programs, the Director of OMB should update its guidance on federal agencies' responses to a PII-related data breach to include (1) guidance on notifying affected individuals based on a determination of the level of risk; (2) criteria for determining whether to offer assistance, such as credit monitoring to affected individuals; and (3) revised reporting requirements for PII-related breaches to US-CERT [Computer Emergency Response Team], including time frames that better reflect the needs of individual agencies and the government as a whole and consolidated reporting of incidents that pose limited risk." (67 pages)

Cyber-enabled Competitive Data Theft: A Framework for Modeling Long-Run Cybersecurity Consequences

Brookings Institution

December 2013

Economic espionage has existed at least since the industrial revolution, but the scope of modern cyber-enabled competitive data theft may be unprecedented. The authors present what they believe is the first economic framework and model to understand the long-run impact of competitive data theft on an economy by taking into account the actual mechanisms and pathways by which theft harms the victims. (18 pages)

Illicit Cyber Activity Involving Fraud

Carnegie Mellon University Software Engineering Institute

August 8, 2013

Technical and behavioral patterns were extracted from 80 fraud cases—67 insider and 13 external—that occurred between 2005 and the present. These cases were used to develop insights and risk indicators to help private industry, government, and law enforcement more effectively prevent, deter, detect, investigate, and manage malicious insider activity within the banking and finance sectors. (28 pages)

The Economic Impact of Cybercrime and Cyber Espionage

Center for Strategic and International Studies (CSIS)

July 22, 2013

According to CSIS, losses to the United States (the country in which data is most accessible) may reach $100 billion annually. The cost of cybercrime and cyber espionage to the global economy is some multiple of this, likely measured in hundreds of billions of dollars. (20 pages)

Cyber-Crime, Securities Markets, and Systemic Risk

World Federation of Exchanges and the International Organization of Securities Commissions

July 16, 2013

The report explores the nature and extent of cybercrime in securities markets and the potential systemic risk aspects of this threat. It presents the results of a survey to the world's exchanges on their experiences with cybercrime, cybersecurity practices, and perceptions of the risk. (59 pages)

Remaking American Security: Supply Chain Vulnerabilities and National Security Risks Across the U.S. Defense Industrial Base

Alliance for American Manufacturing

May 2013

Reportedly because the supply chain is global, it makes sense for U.S. officials to cooperate with other nations to ward off cyberattacks. Increased international cooperation to secure the integrity of the global IT system is a valuable long-term objective. (355 pages)

Comprehensive Study on Cybercrime

United Nations Office on Drugs and Crime

February 2013

The study examined the problem of cybercrime from the perspective of governments, the private sector, academia, and international organizations. It presents its results in eight chapters, covering (1) Internet connectivity and cybercrime; (2) the global cybercrime picture; (3) cybercrime legislation and frameworks; (4) criminalization of cybercrime; (5) law enforcement and cybercrime investigations; (6) electronic evidence and criminal justice; (7) international cooperation in criminal matters involving cybercrime; and (8) cybercrime prevention. (320 pages)

Does Cybercrime Really Cost $1 Trillion?

ProPublica

August 1, 2012

In a news release to announce its 2009 report, Unsecured Economies: Protecting Vital Information, computer security firm McAfee estimated a $1 trillion global cost for cybercrime. The number does not appear in the report itself. This estimate is questioned even by the three independent researchers from Purdue University whom McAfee credits with analyzing the raw data from which the estimate was derived. An examination by ProPublica has found new grounds to question the data and methods used to generate these numbers, which McAfee and Symantec say they stand behind.

Proactive Policy Measures by Internet Service Providers against Botnets

Organization for Economic Co-operation and Development (OECD)

May 7, 2012

The report analyzes initiatives in a number of countries through which end-users are notified by Internet service providers (ISPs) when their computers are identified as being compromised by malicious software and encouraged to take action to mitigate the problem. (25 pages)

Developing State Solutions to Business Identity Theft: Assistance, Prevention and Detection Efforts by Secretary of State Offices

National Association of Secretaries of State (NASS)

January 2012

The white paper is the result of efforts by the 19-member NASS Business Identity Theft Task Force to develop policy guidelines and recommendations for state leaders dealing with identity fraud cases involving public business records. (23 pages)

Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines

SANS Institute

October 3, 2011

The 20 security measures are intended to focus agencies' limited resources on plugging the most common attack vectors. (77 pages)

Revealed: Operation Shady RAT: an Investigation Of Targeted Intrusions Into 70+ Global Companies, Governments, and Non-Profit Organizations During the Last 5 Years

McAfee

August 2, 2011

A cyber-espionage operation lasting many years penetrated 72 government and other organizations, most of them in the United States, and has copied everything from military secrets to industrial designs, according to technology security company McAfee. (See page 4 for the types of compromised parties, page 5 for the geographic distribution of victims' countries of origin, pages 7-9 for the types of victims, and pages 10-13 for the number of intrusions for 2007-2010). (14 pages)

The Role of Internet Service Providers in Botnet Mitigation: an Empirical Analysis Based on Spam Data

Organisation for Economic Co-operation and Development (OECD)

November 12, 2010

The working paper considers whether ISPs can be critical control points for botnet mitigation, how the number of infected machines varies across ISPs, and why. (31 pages)

Untangling Attribution: Moving to Accountability in Cyberspace (Testimony)

Council on Foreign Relations

July 15, 2010

Robert K. Knake's testimony before the House Committee on Science and Technology on the role of attack attribution in preventing cyberattacks and how attribution technologies can affect the anonymity and privacy of Internet users. (14 pages)

Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities

National Research Council

2009

The report explores important characteristics of cyberattacks. It describes the current international and domestic legal structure as it might apply to cyberattacks and considers analogies to other domains of conflict to develop relevant insights. (368 pages)

Source: Highlights compiled by CRS from the reports.

Notes: Page counts are for documents; other cited resources are webpages.

Table 2. National Security, Cyber Espionage, and Cyberwar

(includes Stuxnet, Dark Web/Dark Net)

Title

Source

Date

Notes

Cybersecurity Legislation

International Telecommunications Union

Continuously Updated

An integral and challenging component of any national cybersecurity strategy is the adoption of regionally and internationally harmonized, appropriate legislation against the misuse of information and communication technologies (ICTs) for criminal or other purposes.

Cyberthreat: Real-Time Map

Kaspersky Labs

Continuously Updated

Kaspersky Labs has launched an interactive cyber threat map that lets viewers see cybersecurity incidents as they occur around the world in real time. The interactive map includes malicious objects detected during on-access and on-demand scans, email and web antivirus detections, and objects identified by vulnerability and intrusion detection subsystems.

Combatting the Ransomware Blitzkrieg: The Only Defense is a Layered Defense, Layer One: Endpoint Security

The Institute for Critical Infrastructure Technology

April 2016

The brief contains an analysis of the need for endpoint security, vulnerable endpoints (users, personal computers, servers, mobile devices, specialized hardware, and cloud services), potentially vulnerable endpoints (SCADA/ICS, IoT devices, cars), endpoint security, and selecting an endpoint security strategy. (27 pages)

Operationalizing Cybersecurity Due Diligence: A Transatlantic Comparative Case Study

South Carolina Law Review

January 12, 2016

"Although much work has been done on applying the law of warfare to cyberattacks, far less attention has been paid to defining a law of cyber peace applicable below the armed attack threshold. Among the most important unanswered questions is what exactly nations' due diligence obligations are to one another and to the private sector, as well as how these obligations should be translated into policy. In this article, we analyze how both the United States and the European Union are operationalizing the concept of cybersecurity due diligence, and then move on to investigate a menu of options presented to the European Parliament in November 2015 by the authors to further refine and apply this concept." (28 pages)

ISIS's OPSEC Manual Reveals How It Handles Cybersecurity

Wired

November 19, 2015

From the article, "So what exactly are ISIS attackers doing for OPSEC? It turns out ISIS has a 34-page guide to operational security, which offers some clues. [R]esearchers with the Combating Terrorism Center at West Point's military academy uncovered the manual and other related documents from ISIS forums and chat rooms."

2015 Annual Report to Congress

U.S.-China Economic Commission

November 17, 2015

Reportedly China causes increasing harm to the U.S. economy and security through two deliberate policies targeting the United States: (1) coordinated, government-backed theft of information from a wide variety of U.S.-based commercial enterprises and (2) widespread restrictions on content, standards, and commercial opportunities for U.S. businesses. Hackers working for the Chinese government—or with the government's support and encouragement—have infiltrated the computer networks of U.S. government agencies, contractors, and private companies, and stolen personal information and trade secrets. (See Chapter 1, Section 4: Commercial Cyber Espionage and Barriers to Digital Trade in China.) (631 pages)

Cyber Defense: An International View

U.S. Army War College Strategic Studies Institute

September 2015

The paper provides an overview of four different national approaches to cyber defense: those of Norway, Estonia, Germany, and Sweden. It also provides a guide for engaging with the relevant governmental and other organizations in each of these countries and compares and contrasts the advantages and drawbacks of each national approach. (65 pages)

Deep Web and the Darknet: A Look Inside the Internet's Massive Black Box

Woodrow Wilson International Center for Scholars

August 1, 2015

"This policy brief outlines what the Deep Web and Darknet are, how they are accessed, and why we should care about them. For policymakers, the continuing growth of the Deep Web in general and the accelerated expansion of the Darknet in particular pose new policy challenges. The response to these challenges may have profound implications for civil liberties, national security, and the global economy." (20 pages)

Cyber-Enabled Economic Warfare: An Evolving Challenge

Hudson Institute

August 2015

This monograph is divided into six chapters: one dissecting the U.S.'s use of cyber-enabled economic warfare; two providing analyses of cyber-enabled economic warfare threats posed to the United States by state and non-state actors; two offering case studies of emerging cyber-enabled economic warfare in two key sectors, financial services and critical infrastructure; and a concluding chapter that reviews key takeaways and next steps. (174 pages)

Russian Underground 2.0

Trend Micro (Forward Looking Threat Team)

July 28, 2015

The Russian underground is a mature ecosystem that covers all aspects of cybercriminal business activities and offers an increasingly professional underground infrastructure for the sale of malicious goods and services. There is increasing professionalization of the crime business that allows cheaper prices to dominate sales and thereby make it easy and very affordable for anyone without significant skill to buy whatever is needed to conduct criminal dealings. (41 pages)

Below the Surface: Exploring the Deep Web

Trend Micro

June 22, 2015

The research paper offers a look into the duality of the Deep Web—how its ability to protect anonymity can be used to communicate freely, away from censorship and law enforcement, or be used to expedite dubious or criminal pursuits. It also briefly touches on the Deep Web's impact, and offers a forecast on how it could evolve over the next few years. (48 pages)

Cybersecurity: Jihadism and the Internet

European Parliament Think Tank

May 18, 2015

"Since the beginning of the conflict in Syria in March 2011, the numbers of European citizens supporting or joining the ranks of ISIL/Da'esh have been growing steadily, and may now be as high as 4,000 individuals. At the same time, the possible avenues for radicalisation are multiplying and the risks of domestic terrorism increasing. The proliferation of global jihadi messaging online and their reliance on social networks suggest that the Internet is increasingly a tool for promoting jihadist ideology, collecting funds, and mobilizing their ranks." (2 pages)

APT30 and the Mechanics of a Long-Running Cyber-Espionage Operation: How a Cyber Threat Group Exploited Governments and Commercial Entities Across Southeast Asia and India for Over a Decade

FireEye

April 2015

Reportedly a Chinese government hacking team has used the same basic set of tools to spy on Southeast Asian and Indian dignitaries for a decade, demonstrating the low level of cyber defenses protecting government information across broad swaths of the world. According to FireEye, the fact that this group, APT30, has been able to use the same basic set of malware tools against government networks since at least 2005 suggests its targets remained unaware for more than a decade that they were being spied on or were incapable of countering the threat. (70 pages)

Worldwide Threat Assessment of the U.S. Intelligence Community

Director of National Intelligence

February 26, 2015

Cybersecurity is the first threat listed in this annual review of worldwide threats to the United States. Despite ever-improving network defenses, the diverse possibilities for remote hacking intrusions, supply chain operations to insert compromised hardware or software, and malevolent activities by human insiders will hold nearly all ICT systems at risk for years to come. Moreover, the risk calculus employed by some private-sector entities reportedly does not adequately account for foreign cyber threats or the systemic interdependencies between different critical infrastructure sectors. (29 pages)

The Impact of the Dark Web on Internet Governance and Cyber Security

Global Commission on Internet Governance

February 2015

The dark Web is a part of the deep Web that has been intentionally hidden and is inaccessible through standard web browsers. The deep Web has the potential to host an increasingly high number of malicious services and activities. To formulate comprehensive strategies and policies for governing the Internet, it is important to consider insights on its farthest reaches—the deep Web and, more importantly, the dark Web. The paper attempts to provide a broader understanding of the dark Web and its impact on people's lives. (18 pages)

Attributing Cyber Attacks

Thomas Rid and Ben Buchanan, Journal of Strategic Studies

December 23, 2014

The authors introduce the Q Model, designed to explain, guide, and improve the making of attribution. Matching an offender to an offence is an exercise in minimizing uncertainty on three levels: (1) tactically, attribution is an art as well as a science; (2) operationally, attribution is a nuanced process, not a black-and-white problem; and (3) strategically, attribution is a function of what is at stake politically. Successful attribution requires a range of skills on all levels, careful management, time, leadership, stress-testing, prudent communication, and recognizing limitations and challenges. (36 pages)

Operation Cleaver

Cylance

December 2, 2014

A sophisticated hacking group with ties to Iran has probed and infiltrated targets across the United States and 15 other nations during the past two years in a series of cyberattacks dubbed "Operation Cleaver." The Cleaver group has evolved faster than any previous Iranian campaign, according to the report, which calls Iran "the new China" and expresses concern that the group's surveillance operations could evolve into sophisticated, destructive attacks. (86 pages)

Legal Issues Related to Cyber

NATO Legal Gazette

December 2014

The NATO Legal Gazette contains thematically organized articles usually written by military or civilian legal personnel working at NATO or in the governments of NATO and partner nations. Its purpose is to share articles of significance for the large NATO legal community and connect legal professionals of the Alliance. It is not a formal NATO document. (74 pages)

The National Intelligence Strategy of the United States of America 2014

Office of the Director of National Intelligence

September 18, 2014

Cyber intelligence is one of four "primary topical missions" the intelligence community must accomplish. Both state and nonstate actors use digital technologies to achieve goals, such as fomenting instability or achieving economic and military advantages. They do so "often faster than our ability to understand the security implications and mitigate potential risks." To become more effective in the cyber arena, the intelligence community reportedly must improve its ability to correctly attribute attacks. (24 pages)

Today's Rising Terrorist Threat and the Danger to the United States: Reflections on the Tenth Anniversary of the 9/11 Commission Report

The Annenberg Public Policy Center and the Bipartisan Policy Center

July 22, 2014

Members of the panel that studied the 2001 attacks urge Congress to enact cybersecurity legislation, the White House to communicate the consequences of potential cyberattacks to Americans, and leaders to work with allies to define what constitutes an online attack on another country. (48 pages)

Surviving on a Diet of Poisoned Fruit: Reducing the National Security Risks of America's Cyber Dependencies

Center for a New American Security

July 2014

The report examines existing information on technology security weaknesses and provides nine specific recommendations for the U.S. government and others to cope with these insecurities. (64 pages)

M Trends: Beyond the Breach: 2014 Threat Report

Mandiant

April 2014

Cyber-threat actors are expanding the uses of computer network exploitation to fulfill an array of objectives, from the economic to the political. Threat actors are not only interested in seizing the corporate "crown jewels" but are also looking for ways to publicize their views, cause physical destruction, and influence global decision makers. Private organizations have increasingly become collateral damage in political conflicts. Reportedly with no diplomatic solution in sight, the ability to detect and respond to attacks has never been more important. (28 pages)

Emerging Cyber Threats Report 2014

Georgia Institute of Technology

January 2014

Brief compilation of academic research on losing control of cloud data, insecure but connected devices, attackers adapting to mobile ecosystems, the high costs of defending against cyberattacks, and advances in information manipulation. (16 pages)

Cybersecurity and Cyberwar: What Everyone Needs to Know

Brookings Institution

January 2014

Authors Peter W. Singer and Allan Friedman look at cybersecurity issues faced by the military, government, businesses, and individuals and examine what happens when these entities try to balance security with freedom of speech and the ideals of an open Internet. (306 pages)

W32.Duqu: The Precursor to the Next Stuxnet

Symantec

November 14, 2013

On October 14, 2011, a research lab with strong international connections alerted Symantec to a sample that appeared to be very similar to Stuxnet, the malware that wreaked havoc in Iran's nuclear centrifuge farms. The lab named the threat Duqu because it creates files with the file name prefix DQ. The research lab provided Symantec with samples recovered from computer systems located in Europe as well as a detailed report with initial findings, including analysis comparing the threat to Stuxnet.

To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve

The Langner Group

November 2013

The report summarizes the most comprehensive research on the Stuxnet malware so far. It combines results from reverse engineering the attack code with intelligence on the design of the attacked plant and background information on the attacked uranium enrichment process. It looks at the attack vectors of the two different payloads contained in the malware and provides an analysis of the bigger and much more complex payload that was designed to damage centrifuge rotors by overpressure. (36 pages)

Strategies for Resolving the Cyber Attribution Challenge

Air University, Maxwell Air Force Base

May 2013

Private-sector reports have proven that it is possible to determine the geographic reference of threat actors to varying degrees. Based on these assumptions, nation-states, rather than individuals, should be held culpable for the malicious actions and other cyber threats that originate in or transit information systems within their borders or that are owned by their registered corporate entities. The work builds on other appealing arguments for state responsibility in cyberspace. (109 pages)

Role of Counterterrorism Law in Shaping 'ad Bellum' Norms for Cyber Warfare

International Law Studies (U.S. Naval War College)

April 1, 2013

"To date there has been little attention given to the possibility that international law generally and counterterrorism law in particular could and should develop a subset of cyber-counterterrorism law to respond to the inevitability of cyberattacks by terrorists and the use of cyber weapons by governments against terrorists, and to supplement existing international law governing cyber war where the intrusions do not meet the traditional kinetic thresholds." (42 pages)

The Tallinn Manual on the International Law Applicable to Cyber Warfare

Cambridge University Press/NATO Cooperative Cyber Defence Center of Excellence

March 5, 2013

The Tallinn Manual identifies the international law applicable to cyber warfare and sets out 95 "black-letter rules" governing such conflicts. An extensive commentary accompanies each rule, which sets forth the rule's basis in treaty and customary law, explains how the group of experts interpreted applicable norms in the cyber context, and outlines any disagreements within the group as to the rule's application. (Note: The manual is not an official NATO publication but rather an expression of opinions of a group of independent experts acting solely in their personal capacities.) (302 pages)

Cyberterrorism: A Survey of Researchers

Swansea University

March 2013

The report provides an overview of findings from a project designed to capture current understandings of cyberterrorism within the research community. The project ran between June 2012 and November 2012, and it employed a questionnaire that was distributed to more than 600 researchers, authors, and other experts. A total of 118 responses were received from individuals working in 24 countries across six continents. (21 pages)

National Level Exercise 2012: Quick Look Report

Federal Emergency Management Agency (FEMA)

March 2013

National Level Exercise (NLE) 2012 was a series of exercise events that examined the ability of the United States to execute a coordinated response to a series of significant cyber incidents. The NLE 2012 series focused on examining four major themes: planning and implementation of the draft National Cyber Incident Response Plan (NCIRP), coordination among governmental entities, information sharing, and decision making. (22 pages)

Responding to Cyber Attacks and the Applicability of Existing International Law

Army War College

January 2013

The paper identifies how the United States should respond to the threat of cyber operations against essential government and private networks. First, it examines the applicability of established international law to cyber operations. Next, it proposes a method for categorizing cyber operations across a spectrum synchronized with established international law. Then, it discusses actions already taken by the United States to protect critical government and private networks and concludes with additional steps the United States should take to respond to the threat of cyber operations. (34 pages)

Crisis and Escalation in Cyberspace

RAND Corporation

December 2012

The report considers how the Air Force should integrate kinetic and nonkinetic operations. Central to this process was careful consideration of how escalation options and risks should be treated, which, in turn, demanded a broader consideration across the entire crisis-management spectrum. Such crises can be managed by taking steps to reduce the incentives for other states to step into crisis, controlling the narrative, understanding the stability parameters of the crises, and trying to manage escalation if conflicts arise from crises. (200 pages)

Cyberattacks Among Rivals: 2001-2011 (from the article "The Fog of Cyberwar" by Brandon Valeriano and Ryan Maness)

Foreign Affairs

November 21, 2012

A chart showing cyberattacks by initiator and victim, 2001-2011. (Subscription required.)

Proactive Defense for Evolving Cyber Threats

Sandia National Labs

November 2012

The project applied rigorous predictability-based analytics to two central and complementary aspects of the network defense problem—attack strategies of the adversaries and vulnerabilities of the defenders' systems—and used the results to develop a scientifically grounded, practically implementable methodology for designing proactive cyber defense systems. (98 pages)

Safeguarding Cyber-Security, Fighting in Cyberspace

International Relations and Security Network (ISN)

October 22, 2012

Looks at the militarization of cybersecurity as a source of global tension and makes the case that cyber warfare is already an essential feature of many leading states' strategic calculations, followed by its opposite (i.e., the case that the threat posed by cyber warfare capabilities is woefully overstated).

Before We Knew It: An Empirical Study of Zero-Day Attacks In The Real World

Symantec Research Labs

October 16, 2012

The paper describes a method for automatically identifying zero-day attacks from field-gathered data that records when benign and malicious binaries are downloaded on 11 million real hosts around the world. Searching this data set for malicious files that exploit known vulnerabilities indicates which files appeared on the Internet before the corresponding vulnerabilities were disclosed. (12 pages)

Federal Support for and Involvement in State and Local Fusion Centers

Senate Permanent Subcommittee on Investigations

October 3, 2012

A two-year bipartisan investigation found that U.S. Department of Homeland Security efforts to engage state and local intelligence "fusion centers" have not yielded significant useful information to support federal counterterrorism intelligence efforts. In Section VI, "Fusion Centers Have Been Unable to Meaningfully Contribute to Federal Counterterrorism Efforts," Part G, "Fusion Centers May Have Hindered, Not Aided, Federal Counterterrorism Efforts," the report discusses the November 10, 2011 Russian "cyberattack" in Illinois. (141 pages)

Putting the "war" in cyberwar: Metaphor, analogy, and cybersecurity discourse in the United States

First Monday

July 2, 2012

The essay argues that current contradictory tendencies within U.S. cyber war discourse are unproductive and even potentially dangerous. It argues that the war metaphor and nuclear deterrence analogy are neither natural nor inevitable and that abandoning them would open up new possibilities for thinking more productively about the full spectrum of cybersecurity challenges, including the as-yet unrealized possibility of cyberwar.

Nodes and Codes: The Reality of Cyber Warfare

U.S. Army School of Advanced Military Studies, Command and General Staff

May 17, 2012

Explores the reality of cyber warfare through the story of Stuxnet. Three case studies evaluate cyber policy, discourse, and procurement in the United States, Russia, and China before and after Stuxnet to illustrate their similar, yet unique, realities of cyber warfare. (62 pages)

United States Counter Terrorism Cyber Law and Policy, Enabling or Disabling?

Triangle Institute for Security Studies

March 2012

The incongruence between national counterterrorism (CT) cyber policy, law, and strategy degrades the abilities of federal CT professionals to interdict transnational terrorists from within cyberspace. To optimize national CT assets and to stymie the growing threat posed by terrorists' ever-expanding use of cyberspace, national decision-makers should modify current policies to efficiently execute national CT strategies, albeit within the framework of existing CT cyber-related statutes. (34 pages)

A Cyberworm that Knows No Boundaries

RAND Corporation

December 21, 2011

Stuxnet-like worms pose a serious threat even to infrastructure and computer systems that are not connected to the Internet. Defending against such attacks is an increasingly complex prospect. (55 pages)

Department of Defense Cyberspace Policy Report: A Report to Congress Pursuant to the National Defense Authorization Act for Fiscal Year 2011, Section 934

DOD

November 2011

"When warranted, we will respond to hostile attacks in cyberspace as we would to any other threat to our country. We reserve the right to use all necessary means - diplomatic, informational, military, and economic - to defend our nation, our allies, our partners and our interests." (14 pages)

Cyber War Will Not Take Place

Journal of Strategic Studies

October 5, 2011

The paper argues that cyber warfare has never taken place, is not currently taking place, and is unlikely to take place in the future. (29 pages)

Foreign Spies Stealing U.S. Economic Secrets in Cyberspace: Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011

Office of the National Counterintelligence Executive

October 2011

Because the United States is a leader in the development of new technologies and a central player in global financial and trade networks, foreign attempts to collect U.S. technological and economic information will continue at a high level and will represent a growing and persistent threat to U.S. economic security. The nature of the cyber threat will evolve with continuing technological advances in the global information environment. (31 pages)

A Four-Day Dive Into Stuxnet's Heart

Threat Level Blog (Wired)

December 27, 2010

"It is a mark of the extreme oddity of the Stuxnet computer worm that Microsoft's Windows vulnerability team learned of it first from an obscure Belarusian security company that even they had never heard of."

Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant? A Preliminary Assessment

Institute for Science and International Security

December 22, 2010

The report indicates that commands in the Stuxnet code intended to increase the frequency of devices targeted by the malware exactly match several frequencies at which rotors in centrifuges at Iran's Natanz enrichment plant are designed to operate optimally or are at risk of breaking down and flying apart. (10 pages)

Stuxnet Analysis

European Network and Information Security Agency

October 7, 2010

A European Union cybersecurity agency warns that the Stuxnet malware is a game changer for critical information infrastructure protection. Computer systems that monitor supervisory control and data acquisition (SCADA) systems infected with the worm might be programmed to establish destructive over- or under-pressure conditions by running industrial pumps at different frequencies.

Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy

National Research Council

October 5, 2010

Per request of the Office of the Director of National Intelligence, the National Research Council undertook a two-phase project aimed to foster a broad, multidisciplinary examination of strategies for deterring cyberattacks on the United States and of the possible utility of these strategies for the U.S. government. (400 pages)

Cyber Warfare: Armageddon in a Teacup?

Army Command and General Staff, Fort Leavenworth

December 11, 2009

This study examines cyber warfare conducted against Estonia in 2007, Georgia in 2008, and Israel in 2008. According to the report, "In all three cases cyber warfare did not achieve strategic political objectives on its own. Cyber warfare employed in the three cases consisted mainly of Denial of Service attacks and website defacement. These attacks were a significant inconvenience to the affected nations, but the attacks were not of sufficient scope, sophistication, or duration to force a concession from the targeted nation. Cyber warfare offensive capability does not outmatch defensive capability to the extent that would allow the achievement of a strategic political objective through cyber warfare alone. The possibility of strategic-level cyber warfare remains great, but the capability has not been demonstrated at this time." (106 pages)

Source: Highlights compiled by CRS from the reports.

Notes: Page counts are for documents; other cited resources are webpages.

Table 3. Cloud Computing,[1] "The Internet of Things,"[2] and FedRAMP[3]

Title

Source

Date

Notes

About FedRAMP

FedRAMP.gov

Continuously Updated

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

Cyber-Physical Systems

National Science Foundation (NSF)

Continuously Updated

Cyber-physical systems (CPS) integrate sensing, computation, control, and networking into physical objects and infrastructure, connecting them to the Internet and to each other.

Cyber-Physical Systems

Office of Science and Technology Policy (OSTP), Networking and Information Technology Research and Development (NITRD) Program

Continuously Updated

The CPS Senior Steering Group (SSG) is to coordinate programs, budgets, and policy recommendations for CPS research and development (R&D), which includes identifying and integrating requirements, conducting joint program planning, and developing joint strategies.

Cyber-Physical Systems

University of California, Berkeley

Continuously Updated

"CPS are integrations of computation, networking, and physical processes. Embedded computers and networks monitor and control the physical processes, with feedback loops where physical processes affect computations and vice versa."

Cloud Computing: Agencies Need to Incorporate Key Practices to Ensure Effective Performance

GAO

April 7, 2016

GAO was asked to examine federal agencies' use of Service Level Agreements (SLAs). GAO's objectives were to (1) identify key practices in cloud computing SLAs and (2) determine the extent to which federal agencies have incorporated such practices into their SLAs. GAO analyzed research, studies, and guidance developed by federal and private entities to establish a list of key practices to be included in SLAs. GAO validated its list with the entities, including OMB, and analyzed 21 cloud service contracts and related documents of five agencies (with the largest fiscal year 2015 IT budgets) against the key practices to identify any variances, their causes, and impacts. (46 pages)

Product Testing and Validation

Underwriters Laboratories

April 4, 2016

The UL Cybersecurity Assurance Program (CAP) certification verifies that a product offers a reasonable level of protection against threats that may result in unintended or unauthorized access, change or disruption… The [UL 2900] Standard contains requirements for the vendor to design the security controls in such a way that they demonstrably satisfy the security needs of the product. The Standard also describes testing and verification requirements aimed at collecting evidence that the designed security controls are implemented.

Alternative perspectives on the Internet of Things

Brookings Institution

March 25, 2016

Brookings scholars contribute their individual perspectives on the policy challenges and opportunities associated with the Internet of Things.

Emerging Cyber Threats Report 2016

Georgia Institute of Technology Cybersecurity Summit 2015

November 2015

"The intersection of the physical and digital world continued to deepen in 2015. The adoption of network-connected devices and sensors—the Internet of Things—accelerated and was expected to reach nearly 5 billion devices by the end of the year." (20 pages)

Interim Report on 21st Century Cyber-Physical Systems Education

NSF

July 2015

"CPS [also known as "The Internet of Things"] are increasingly relied on to provide the functionality and value to products, systems, and infrastructure in sectors including transportation, health care, manufacturing, and electrical power generation and distribution. CPS are smart, networked systems with embedded sensors, computer processors, and actuators that sense and interact with the physical world; support real-time, guaranteed performance; and are often found in critical applications." (48 pages)

Internet of Things: Mapping the Value Beyond the Hype

McKinsey Global Institute

June 2015

The paper is based upon a study of more than 100 use cases of the Internet of Things' (IoT's) potential economic impact within the next 10 years. It outlines who will benefit and by how much. It also covers the factors—both enablers and barriers—that organizations face as they develop their IoT solutions. (144 pages)

Cloud Computing: Should Companies Do Most of Their Computing in the Cloud?

The Economist

May 26, 2015

Big companies have embraced the cloud more slowly than expected. Some are holding back because of costs and others are wary of entrusting sensitive data to another firm's servers. Should companies be doing most of their computing in the cloud? Representing the "Yes" viewpoint is Simon Crosby, co-founder and chief technology officer (CTO) of Bromium Inc. Representing the "No" viewpoint is Bruce Schneier, CTO at Resilient Systems.

Formation of the Office of Technology Research and Investigation (OTRI)

Federal Trade Commission (FTC)

March 23, 2015

The OTRI will provide expert research, investigative techniques, and further insights to the agency on technology issues involving all facets of the FTC's consumer protection mission, including privacy, data security, connected cars, smart homes, algorithmic transparency, emerging payment methods, big data, and IoT. Like the former Mobile Technology Unit (MTU), the new office will be housed in the Bureau of Consumer Protection and is the agency's latest effort to ensure that its core consumer protection mission keeps pace with the rapidly evolving digital economy. Kristin Cohen, the current chief of the MTU, will lead the work of the OTRI.

Insecurity in the Internet of Things (IoT)

Symantec

March 12, 2015

Symantec analyzed 50 smart home devices available today and found that none of them enforced strong passwords, used mutual authentication, or protected accounts against brute-force attacks. Of the mobile apps used to control the tested IoT devices, almost two out of 10 did not use Secure Sockets Layer (SSL) to encrypt communications to the cloud. The tested IoT technology also contained many common vulnerabilities. (20 pages)

FedRAMP High Baseline

General Services Administration (GSA)

February 3, 2015

GSA released a draft of security-control requirements for cloud computing systems purchased by federal agencies for "high-impact" uses. High-impact data will likely consist of health and law-enforcement data, but not classified information. Currently, cloud computing vendors seeking to sell to federal agencies must obtain security accreditation through FedRAMP. To date, FedRAMP has offered accreditations up to the moderate-impact level. About 80% of federal IT systems are low- or moderate-impact.

What is The Internet of Things?

O'Reilly Media

January 2015

Ubiquitous connectivity is meeting the era of data. Since working with large quantities of data became dramatically cheaper and easier a few years ago, everything that touches software has become instrumented and optimized. Finance, advertising, retail, logistics, academia, and practically every other discipline has sought to measure, model, and tweak its way to efficiency. Software can ingest data from many inputs, interpret it, and then issue commands in real time. (Free registration required.) (32 pages)

FedRAMP Forward: 2 Year Priorities

General Services Administration (GSA)

December 17, 2014

The report addresses how the program will develop over the next two years. GSA is focusing on three goals for FedRAMP:

  • increased compliance and agency participation,
  • improved efficiencies, and
  • continued adaptation. (14 pages)

The Internet of Things: 2014 OECD Tech Insight Forum

Organisation for Economic Co-operation and Development (OECD)

December 11, 2014

The IoT extends Internet connectivity beyond traditional machines such as computers, smartphones, and tablets to a diverse range of everyday devices that use embedded technology to interact with the environment, all via the Internet. How can this collected data be used? What new opportunities will this create for employment and economic growth? How can societies benefit from technical developments to health, transport, safety and security, business, and public services? The OECD Technology Foresight Forum facilitated discussion on what policies and practices will enable or inhibit the ability of economies to seize the benefits of IoT.

DOD Cloud Computing Strategy Needs Implementation Plan and Detailed Waiver Process

Department of Defense (DOD) Inspector General

December 4, 2014

The report states that the DOD chief information officer "did not develop an implementation plan that assigned roles and responsibilities as well as associated tasks, resources and milestones," despite promises that an implementation plan would directly follow the cloud strategy's release. (40 pages)

NSTAC Report to the President on the Internet of Things

President's National Security Telecommunications Advisory Committee

November 18, 2014

The NSTAC unanimously approved a recommendation that governmental Internet traffic could get priority transmission during emergencies. The government already gets emergency priority in more traditional communications networks like the phone system through programs such as the Government Emergency Telecommunications Service (GETS). NSTAC now is proposing a GETS for the Internet. (56 pages)

The Department of Energy's Management of Cloud Computing Activities: Audit Report

Department of Energy (DOE) Inspector General

September 1, 2014

According to the inspector general, DOE should do a better job buying, implementing, and managing its cloud computing services. Programs and sites department-wide have independently spent more than $30 million on cloud services, but the chief information officer's office could not accurately account for the money. (20 pages)

Cloud Computing: The Concept, Impacts, and the Role of Government Policy

Organization for Economic Co-operation and Development (OECD)

August 19, 2014

The report gives an overview of cloud computing; it

  • presents the concept, the services it provides, and deployment models;
  • discusses how cloud computing changes the way computing is carried out;
  • evaluates the impacts of cloud computing (including its benefits and challenges as well as its economic and environmental impacts); and
  • discusses the policy issues raised by cloud computing and the roles of governments and other stakeholders in addressing these issues. (240 pages)

Internet of Things: the Influence of M2M Data on the Energy Industry

GigaOm Research

March 4, 2014

The report examines the drivers of machine-to-machine (M2M) data exploitation in the smart-grid sector and the oil and gas sector, as well as the risks and opportunities for buyers and suppliers of the related core technologies and services. (21 pages)

Software Defined Perimeter

Cloud Security Alliance

December 1, 2013

Cloud Security Alliance's software defined perimeter (SDP) initiative aims to make "invisible networks" accessible to a wider range of government agencies and corporations. The initiative will foster the development of architecture for securing the IoT using the cloud to create highly secure end-to-end networks between IP-addressable entities. (13 pages)

Delivering on the Promise of Big Data and the Cloud

Booz Allen Hamilton

January 9, 2013

The reference architecture does away with conventional data and analytics silos, consolidating all information into a single medium designed to foster connections, called a "data lake," which reduces complexity and creates efficiencies that improve data visualization to allow for easier insights by analysts. (7 pages)

Cloud Computing: An Overview of the Technology and the Issues Facing American Innovators

House Judiciary Committee, Subcommittee on Intellectual Property, Competition, and the Internet

July 25, 2012

Overview and discussion of cloud computing issues. (156 pages)

Information Technology Reform: Progress Made but Future Cloud Computing Efforts Should be Better Planned

Government Accountability Office (GAO)

July 11, 2012

GAO recommends that the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury, and the Administrators of the General Services Administration and the Small Business Administration, should direct their respective chief information officers to establish estimated costs, performance goals, and plans to retire associated legacy systems for each cloud-based service, as applicable. (43 pages)

Cloud Computing Strategy

DOD Chief Information Officer

July 2012

The DOD Cloud Computing Strategy introduces an approach to move the department from the current state of a duplicative, cumbersome, and costly set of application silos to an end state that is agile, secure, and cost-effective and to a service environment that can rapidly respond to changing mission needs. (44 pages)

A Global Reality: Governmental Access to Data in the Cloud—A Comparative Analysis of Ten International Jurisdictions

Hogan Lovells

May 23, 2012

The white paper compares the nature and extent of governmental access to data in the cloud in many jurisdictions around the world. (13 pages)

Policy Challenges of Cross-Border Cloud Computing

U.S. International Trade Commission

May 2012

The report examines the main policy challenges associated with cross-border cloud computing—data privacy, security, and ensuring the free flow of information—and the ways countries are addressing them through domestic policymaking, international agreements, and other cooperative arrangements. (38 pages)

Cloud Computing Synopsis and Recommendations (SP 800-146)

National Institute of Standards and Technology (NIST)

May 2012

NIST's guide explains cloud technologies in plain terms to federal agencies and provides recommendations for IT decision makers. (81 pages)

Global Cloud Computing Scorecard: A Blueprint for Economic Opportunity

Business Software Alliance

February 2, 2012

The report notes that although many developed countries have adjusted their laws and regulations to address cloud computing, the wide differences in those rules make it difficult for companies to invest in the technology. (24 pages)

Concept of Operations: FedRAMP

General Services Administration (GSA)

February 7, 2012

FedRAMP is implemented in phases. The document describes all the services that were available at the 2012 initial operating capability. The concept of operations is updated as the program evolves toward sustained operations. (47 pages)

Federal Risk and Authorization Management Program (FedRAMP)

Federal Chief Information Officers Council

January 4, 2012

FedRAMP provides a standard approach to assessing and authorizing (A&A) cloud computing services and products.

Security Authorization of Information Systems in Cloud Computing Environments (FedRAMP)

White House/Office of Management and Budget (OMB)

December 8, 2011

FedRAMP is now required for all agencies purchasing storage, applications, and other remote services from vendors. The Administration promotes cloud computing as a means to save money and accelerate the government's adoption of new technologies. (7 pages)

U.S. Government Cloud Computing Technology Roadmap, Volume I, Release 1.0 (Draft). High-Priority Requirements to Further USG Agency Cloud Computing Adoption (SP 500-293)

National Institute of Standards and Technology (NIST)

December 1, 2011

Volume I is aimed at interested parties that wish to gain a general understanding and overview of the background, purpose, context, work, results, and next steps of the U.S. Government Cloud Computing Technology Roadmap initiative. (32 pages)

U.S. Government Cloud Computing Technology Roadmap, Volume II, Release 1.0 (Draft), Useful Information for Cloud Adopters (SP 500-293)

National Institute of Standards and Technology (NIST)

December 1, 2011

Volume II is designed as a technical reference for those actively working on strategic and tactical cloud computing initiatives including, but not limited to, U.S. government cloud adopters. This volume integrates and summarizes the work completed as of 2011 and explains how these findings support the roadmap introduced in Volume I. (85 pages)

Information Security: Additional Guidance Needed to Address Cloud Computing Concerns

GAO

October 6, 2011

Twenty-two of 24 major federal agencies reported that they were either concerned or very concerned about the potential information security risks associated with cloud computing. GAO recommended that NIST issue guidance specific to cloud computing security. (17 pages)

Cloud Computing Reference Architecture (SP 500-292)

NIST

September 1, 2011

The special publication, which is not an official U.S. government standard, is designed to provide guidance to specific communities of practitioners and researchers. (35 pages)

Federal Cloud Computing Strategy

White House

February 13, 2011

The strategy outlines how the federal government can accelerate the safe, secure adoption of cloud computing, and provides agencies with a framework for migrating to the cloud. It also examines how agencies can address challenges related to the adoption of cloud computing, such as privacy, procurement, standards, and governance. (43 pages)

25-Point Implementation Plan to Reform Federal Information Technology Management

White House

December 9, 2010

The plan's goals are to reduce the number of federally run data centers from 2,100 to approximately 1,300, rectify or cancel one-third of troubled IT projects, and require federal agencies to adopt a "cloud first" strategy in which they will move at least one system to a hosted environment within a year. (40 pages)

Federal Guidance Needed to Address Control Issues With Implementing Cloud Computing

GAO

July 1, 2010

The report suggests that the OMB director should establish milestones for completing a strategy for implementing the federal cloud computing initiative to assist federal agencies in identifying uses for and information security measures to use in implementing cloud computing. (53 pages)

Source: Highlights compiled by CRS from the reports.

Notes: Page counts are for documents; other cited resources are webpages.

Author Contact Information

[author name scrubbed], Information Research Specialist ([email address scrubbed], [phone number scrubbed])

Footnotes

1. Cloud computing is a web-based service that allows users to access anything from email to social media on a third-party computer. For example, Gmail and Yahoo are cloud-based email services that allow users to access and store emails that are saved on each respective service's computer, rather than on the individual's computer.

2. The "Internet of Things" (IoT) refers to networks of objects that communicate with other objects and with computers through the Internet. "Things" may include virtually any object for which remote communication, data collection, or control might be useful, such as vehicles, appliances, medical devices, electric grids, transportation infrastructure, manufacturing equipment, or building systems. See also CRS Report R44227, The Internet of Things: Frequently Asked Questions, by [author name scrubbed].

3. The Federal Risk and Authorization Management Program (FedRAMP) was established in December 2011 to provide a government-wide standard, centralized approach to assessing and authorizing cloud computing services and products. It reached initial operational capabilities in June 2012 and became fully operational during FY2014. See also CRS Report R42887, Overview and Issues for Implementation of the Federal Cloud Computing Initiative: Implications for Federal Information Technology Reform Management, by [author name scrubbed] and [author name scrubbed].