
Cybersecurity: Cybercrime and National Security Authoritative Reports and Resources

Changes from November 14, 2017 to January 11, 2019

This page shows textual changes in the document between the two versions indicated in the dates above. Textual matter removed in the later version is indicated with red strikethrough and textual matter added in the later version is indicated with blue.


Cybersecurity: Cybercrime and National Security Authoritative Reports and Resources

Updated January 11, 2019 (R44408)

Summary

As online attacks grow in volume and sophistication, the United States is expanding its cybersecurity efforts. Cybercriminals continue to develop new ways to ensnare victims, whereas nation-state hackers compromise companies, government agencies, and businesses to create espionage networks and steal information. Threats come from both criminals and hostile countries, especially China, Russia, Iran, and North Korea.

Much is written on this topic, and this CRS report directs the reader to authoritative sources that address many of the most prominent issues. The annotated descriptions of these sources are listed in reverse chronological order, with an emphasis on material published in the past several years. This report includes resources and studies from government agencies (federal, state, local, and international), think tanks, academic institutions, news organizations, and other sources:

  • Table 1—cybercrime, data breaches and security, including hacking, real-time attack maps, and statistics (such as economic estimates)
  • Table 2—national security, cyber espionage, and cyberwar, including Stuxnet, China, and the Dark Web
  • Table 3—the Internet of Things (IoT), smart cities, cloud computing, and FedRAMP

The following reports comprise a series of authoritative reports and resources on these additional cybersecurity topics:


Cybersecurity: Cybercrime and National Security Authoritative Reports and Resources
Rita Tehan.

Introduction

As online attacks grow in volume and sophistication, the United States is expanding its cybersecurity efforts. Cybercriminals continue to develop new ways to ensnare victims, whereas nation-state hackers compromise companies, government agencies, and businesses to create espionage networks and steal information. Threats come from both criminals and hostile countries, especially China, Russia, Iran, and North Korea.

Much is written on this topic, and this CRS report directs the reader to authoritative sources that address many of the most prominent issues. The annotated descriptions of these sources are listed in reverse chronological order, with an emphasis on material published in the past several years. This report includes resources and studies from government agencies (federal, state, local, and international), think tanks, academic institutions, news organizations, and other sources:

  • Table 1—cybercrime, data breaches and security, including hacking, real-time attack maps, and statistics (such as economic estimates)
  • Table 2—national security, cyber espionage, and cyberwar, including Stuxnet, China, and the Dark Web
  • Table 3—the Internet of Things (IoT), smart cities, cloud computing, and FedRAMP

Table 1. Cybercrime, Data Breaches, and Data Security

(includes data breaches, hacking, real-time attack maps, and statistics)

Bugs in the System: A Primer on the Software Vulnerability Ecosystem and its Policy Implications

Title / Source / Date / Notes

The Cyberfeed

Anubis Networks

Continuously Updated

This site provides real-time threat intelligence data worldwide.

The site takes the visitor on an automated tour of the world, using something akin to Google Earth and map data based on infections from the top known malware families.

Digital Attack Map

Arbor Networks

Continuously Updated

The map is powered by data fed from 270+ ISP customers worldwide who have agreed to share network traffic and attack statistics. The map displays global activity levels in observed attack traffic, which it collected anonymously, and does not include any identifying information about the attackers or victims involved in any particular attack.

Cyber Incident Timeline

Center for Strategic & International Studies (CSIS)

Continuously Updated

CSIS's Strategic Technologies program's interactive "Cyber Incident Timeline" details the successful attacks on government agencies, defense and high-tech companies, and international economic crimes with losses of more than $1 million, since 2006. It includes news reports and videos on most incidents.

Summary of U.S. State Data Breach Notification Statutes

Davis Wright Tremaine LLP

Continuously Updated

Click on any of the states to see a full summary of their data breach notification statute.

Overview of Current Cyber Attacks

Deutsche Telekom

Continuously Updated

Provides a real-time visualization and map of cyberattacks detected by a network of 180 sensors placed around the world. These sensors serve as decoys for automated attacks targeting vulnerabilities in network services, websites, smartphones, and other types of systems. The incidents are displayed in real time on an interactive map as they hit the sensors, and a live ticker lists their type, their country of origin, and the targeted services.

DataBreaches.net

Dissent (pseudonym)

Continuously Updated

This site is a combination of news aggregation, investigative reporting, and commentary on data breaches and data breach laws. Users can browse data breaches by sector.

ThreatExchange

Facebook

Continuously Updated

ThreatExchange is a set of application programming interfaces, or APIs, that let disparate companies trade information about the latest online attacks. Built atop the Facebook Platform—a repository of a standard set of tools for coding applications within the worldwide social network—ThreatExchange is used by Facebook and a handful of other companies, including Tumblr, Pinterest, Twitter, and Yahoo. Access to the service is strictly controlled, but [Facebook] hopes to include more companies as time goes on.

European Cybercrime Center (EC3)

Europol

Continuously Updated

The European Commission decided to establish a European Cybercrime Centre (EC3) at Europol. The Centre will be the focal point in the EU's fight against cybercrime, contributing to faster reactions in the event of online crimes. It will support Member States and the European Union's institutions in building operational and analytical capacity for investigations and cooperation with international partners.

Cyber's Most Wanted

Federal Bureau of Investigation (FBI)

Continuously Updated

A list of cybercrime perpetrators wanted in the U.S.

Federal Trade Commission List of Settled Data Security Cases

Federal Trade Commission (FTC)

Continuously Updated

The FTC's Legal Resources website offers a compilation of laws, cases, reports, and more. The user can filter the FTC's legal documents by type (case) and topic (data security), resulting in a list of 55 data security cases from 2000 to 2015, in reverse chronological order. Clicking the case name provides more details, such as the case citation, timeline, press releases, and pertinent legal documents.

Identity Theft Reports by Type

FTC

Continuously Updated

Interactive aggregated consumer complaint data, compiled by the FTC. Users can explore the data by type of fraud and state.

IdentityTheft.gov

FTC

Continuously Updated

The one-stop website is integrated with the FTC's consumer complaint system, allowing consumers who are victims of identity theft to rapidly file a complaint with the FTC and then get a personalized guide to recovery that helps streamline many of the steps involved. The upgraded site, which is mobile and tablet accessible, offers an array of easy-to-use tools that enables identity theft victims to create the documents they need to alert police, the main credit bureaus, and the Internal Revenue Service (IRS) among others.

Barncat Threat Intelligence Database

Fidelis Barncat

Continuously Updated

The database includes more than 100,000 records with configuration settings extracted from malware samples gathered during Fidelis' incident response investigations and other intelligence gathering operations over the past decade. The typical malware sample includes a large number of configuration elements, including those controlling the behavior of the malware on the host and others related to command-and-control traffic. Barncat is updated with hundreds of new configuration records each day. Barncat is available for use by CERTs, research organizations, government entities, ISPs, and other large commercial enterprises. Access is free, but users must request access and meet specific criteria.

HHS Breach Portal: Breaches Affecting 500 or More Individuals

Department of Health and Human Services (HHS)

Continuously Updated

As required by Section 13402(e)(4) of the HITECH Act, P.L. 111-5, HHS must post a list of breaches of unsecured protected health information affecting 500 or more individuals. These breaches are posted in a more accessible format that allows users to search and sort the posted breaches. Additionally, the format includes brief summaries of the breach cases that the Office for Civil Rights (OCR) has investigated and closed, as well as the names of private practice providers who have reported breaches of unsecured protected health information.

Combating Cyber Crime

Department of Homeland Security (DHS)

Continuously Updated

DHS works with other federal agencies to conduct high-impact criminal investigations to disrupt and defeat cyber criminals, prioritize the recruitment and training of technical experts, develop standardized methods, and broadly share cyber response best practices and tools. Criminal investigators and network security experts with deep understanding of the technologies malicious actors are using and the specific vulnerabilities they are targeting work to effectively respond to and investigate cyber incidents.

HoneyMap

Honeynet Project

Continuously Updated

The HoneyMap displays malicious attacks as they happen. Each red dot represents an attack on a computer. Yellow dots represent "honeypots" or systems set up to record incoming attacks. The black box on the bottom gives the location of each attack. The Honeynet Project is an international 501(c)(3) nonprofit security research organization, dedicated to investigating the latest attacks and developing open source security tools to improve Internet security.

Data Breaches

Identity Theft Resource Center

Continuously Updated

The report presents detailed information about data exposure events along with running totals for a specific year. Breaches are broken down into five categories: business; financial/credit; educational; governmental/military; and medical/healthcare.

Regional Threat Assessment: Infection Rates and Threat Trends by Location

Microsoft Security Intelligence Report (SIR)

Continuously Updated

The report provides data on infection rates, malicious websites, and threat trends by regional location, worldwide. (Note: Select "All Regions" or a specific country or region to view threat assessment reports.)

No More Ransom

National High Tech Crime Unit of the Netherlands' police, Europol's European Cybercrime Center, Kaspersky Lab and Intel Security

Continuously Updated

The online portal offers a one-stop shop for battling ransomware infections.

ThreatWatch

NextGov

Continuously Updated

ThreatWatch is a snapshot of the data breaches hitting organizations and individuals, globally, on a daily basis. It is not an authoritative list because many compromises are never reported or even discovered. The information is based on accounts published by outside news organizations and researchers.

Real-time Global Map of Cyber Attacks

Norse Corp

Continuously Updated

The Norse map does not represent all hacking attempts in the world. Instead, according to Smithsonian Magazine, the map relies on a Norse honeypot network, a network purposefully designed to detect hacking, to provide a representative snapshot of global hacking attempts.

Information about OPM Cybersecurity Incidents

Office of Personnel Management (OPM)

Continuously Updated

In April 2015, OPM discovered that the personnel data of 4.2 million current and former federal government employees had been stolen. Information such as full name, birth date, home address, and Social Security numbers was affected. While investigating this incident, in early June 2015, OPM discovered that additional information had been compromised, including background investigation records of current, former, and prospective federal employees and contractors.

Chronology of Data Breaches, Security Breaches 2005 to the Present

Privacy Rights Clearinghouse (PRC)

Continuously Updated

The listed (U.S.-only) data breaches have been reported because the personal information compromised includes data elements useful to identity thieves, such as Social Security numbers, account numbers, and driver's license numbers. This list is not a comprehensive compilation of all breach data. Most of the information is obtained from verifiable media stories, government websites (e.g., state Attorneys General, such as the California AG's breach website), or blog posts with information pertinent to the breach in question.

Breach Level Index

SafeNet

Continuously Updated

During the three months surveyed, January to March, more than 200 million data records were lost or stolen — an increase of 233% from the same time period last year. The industry most prone to breach was health care, at 24% of total incidents, whereas government, financial, and technology tied for second place at 14%.

Criminal Underground Economy Series

Trend Micro

Continuously Updated

A review of various cybercrime markets around the world.

Global Botnet Map

Trend Micro

Continuously Updated

Trend Micro continuously monitors malicious network activities to identify command-and-control (C&C) servers and help increase protection against botnet attacks. The real-time map indicates the locations of C&C servers and victimized computers they control that have been discovered in the previous six hours.

Data Breach Investigations Report

Verizon

Continuously Updated

Provides analysis and statistics on worldwide data breaches. "In 93% of cases, it took attackers minutes or less to compromise systems. Organizations, meanwhile, took weeks or more to discover that a breach had even occurred—and it was typically customers or law enforcement that sounded the alarm, not their own security measures."

A Road Map Toward Resilience Against Botnets

DHS

November 29, 2018

The Commerce and Homeland Security Departments laid out a multi-year plan to work with industry and academia to reduce the threat of botnets and develop a more resilient Internet. The agencies' new road map lists 85 tasks in five categories, from exploring the idea of product security labels to developing best practices for how and when companies should cut off technical support for old products.

The Contemporary Cybercrime Ecosystem

Computer Law & Security Review: The International Journal of Technology Law and Practice

November 17, 2018

The article provides a multi-disciplinary overview of the contemporary cybercrime ecosystem and its developments. It does so by reviewing, synthesizing and reporting on recent cybercrime research from fields such as cybersecurity, law, and criminology.

Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements

Securities and Exchange Commission (SEC)

October 16, 2018

Nine publicly traded companies that fell victim to spoofing email scams and cyberattacks wired nearly $100 million combined into the hands of fraudsters before vendors, banks, or law enforcement notified them. The SEC wants other public companies to learn from the mistakes.

Supply Chain Security 101: An Expert's View

Krebs on Security

October 12, 2018

Q&A with Brian Krebs and Tony Sager (Center for Internet Security) on the challenges of policing the technology supply chain.

Best Practices for Victim Response and Reporting of Cyber Incidents

Department of Justice (DOJ)

September 27, 2018

The updated guidance seeks to help organizations better equip themselves to be able to respond effectively and lawfully to cyber incidents. The updated version distills insights from private and public sector experts, incorporating new incident response considerations in light of technical and legal developments.

2018 Cost of a Data Breach

Ponemon Institute

July 11, 2018

The study found that the average cost of a data breach globally is $3.86 million, a 6.4% increase from the 2017 report. Based on in-depth interviews with nearly 500 companies that experienced a data breach, the study analyzes hundreds of cost factors surrounding a breach, from technical investigations and recovery, to notifications, legal and regulatory activities, and cost of lost business and reputation.

2018 Internet Security Threat Report

Symantec

May 29, 2018

Targeted attack sector continues its expansion, including a 600 percent increase in IoT attacks; Cryptojacking explodes by 8,500 percent, stealing resources and increasing vulnerability; Ransomware shifts from big score to commodity, lowering prices while increasing variants; Malware implants grow by 200 percent, exploiting the software supply chain; Mobile malware continues to spread: variants increase by 54 percent.

National Cybersecurity Center of Excellence (NCCoE) Data Integrity Building Block

National Institute of Standards and Technology (NIST)

April 27, 2018

NIST is seeking input from the cybersecurity sector on what products and guidance are needed to combat ransomware attacks. NIST wants private-sector stakeholders to provide cybersecurity tools and expertise that help increase data integrity and respond to and mitigate ransomware attacks.

Data Thieves: The Motivations of Cyber Threat Actors and Their Use and Monetization of Stolen Data

RAND

March 15, 2018

Gives a brief overview of four types of cyber threat actors, followed by a discussion of the landscape of the black markets for cybercriminal tools and stolen data, and concludes with some of the ways that state-sponsored actors and cybercriminals use and monetize the stolen data.

Cyberattacks survival guide (requires subscription)

Cyber Security: A Peer Reviewed Journal

March 2018

This paper highlights five of the most common threats that businesses experience, including polymorphic malware, man-in-the-middle attacks, cryptominers, DDoS bots, and targeted intruders, and describes security techniques that can mitigate the impact of those threats. The paper goes on to describe five real cyberattacks that Check Point's Incident Response Team encountered on customers' networks and how each was remedied.

2018 Data Breach Investigative Report

Verizon

February 27, 2018

The latest report examined 42,068 incidents and 1,935 breaches from 84 countries, drawing from the collective data of 65 organizations. Cyber espionage accounts for 21% of breaches, still far behind the 73% that are financially motivated. Breaches are heavily concentrated in three sectors: financial, health care, and public sector. (76 pages)

2018 Global Threat Report

CrowdStrike

February 26, 2018

Represents research conducted in 2017 by CrowdStrike's threat intelligence, managed hunting, and Threat Graph™ data collection and analysis units. The teams compiled information on nation-state adversaries and the tools, tactics, and procedures (TTPs) they are employing, and the trends observed in 2017.

The Economic Impact of Cybercrime: No Slowing Down

Center for Strategic & International Studies

February 21, 2018

The report concludes that close to $600 billion, nearly one percent of global GDP, is lost to cybercrime each year, which is up from a 2014 study that put global losses at about $445 billion. The report attributes the growth over three years to cybercriminals quickly adopting new technologies and the ease of cybercrime growing as actors leverage black markets and digital currencies.

The Cost of Malicious Cyber Activity to the U.S. Economy

President's Council of Economic Advisers

February 1, 2018

The U.S. economy loses between $57 billion and $109 billion per year to malicious cyber activity. This is between 0.3 and 0.6 percent of the value of all the country's goods and services. The total loss figure is based mostly on analyzing the effects of data breaches and other cyber incidents on companies' stock prices. As a result, the data skews toward larger companies.

Mutual Legal Assistance: Understanding the Challenges for Law Enforcement in Global Cybercrime Cases

George Washington University (GWU) Center for Cyber & Homeland Security

January 1, 2018

Some of the challenges of investigating transnational cybercrime are unique. As widespread use of the Internet increases, more potential victims are available to cybercriminals. The availability of devices that connect to the Internet is growing rapidly, and activity is no longer confined to traditional desktop computers. When a data transfer occurs it may also involve several countries, and because criminals do not need to be present at the scene of the crime, many cybercrimes are perpetrated across international borders.

CrowdStrike Cyber Intrusion Services Casebook 2017

CrowdStrike

December 6, 2017

The report focuses on actual intrusion cases the team has remediated, drawing conclusions and insights from these recent global attacks targeting large organizations.

The Equifax Data Breach: What to Do

FTC

September 8, 2017

FTC information on what to do after the Equifax data breach, including information on how to set up a credit freeze and/or fraud alert.

Data Integrity: Recovering from Ransomware and Other Destructive Events (DRAFT)

NIST

September 6, 2017

Data integrity incidents, such as ransomware, destructive malware, malicious insider activity, and even honest mistakes, can compromise enterprise information, including emails, employee records, financial records, and customer data. (456 pages)

The FDIC's Processes for Responding to Breaches of Personally Identifiable Information

Federal Deposit Insurance Corporation (FDIC) Inspector General

September 2017

An FDIC audit found that protocols for responding to a data breach aren't being followed, even as the agency has faced dozens of security incidents in the past two years. The audit stemmed from a series of data breaches at the FDIC over nearly two years, from January 2015 to December 2016. Overall the agency has confirmed or suspects that it was compromised 54 times within that time period. The Office of Inspector General selected 18 of those breaches to evaluate for the audit. (51 pages)

The CERT Guide to Coordinated Vulnerability Disclosure

Carnegie Mellon

August 2017

This document is intended to serve as a guide to those who want to initiate, develop, or improve their own CVD capability. In it, the reader will find an overview of key principles underlying the CVD process, a survey of CVD stakeholders and their roles, and a description of CVD process phases, as well as advice concerning operational considerations and problems that may arise in the provision of CVD and related services. (121 pages)

Social Security Numbers: OMB Actions Needed to Strengthen Federal Efforts to Limit Identity Theft Risks by Reducing Collection, Use, and Display

Government Accountability Office (GAO)

July 27, 2017

GAO was asked to review federal government efforts to reduce the collection and use of SSNs. This report examines (1) what governmentwide initiatives have been undertaken to assist agencies in eliminating their unnecessary use of SSNs and (2) the extent to which agencies have developed and executed plans to eliminate the unnecessary use and display of SSNs and have identified challenges associated with those efforts.

Highlights of a Forum: Combating Synthetic Identity Fraud

GAO

July 26, 2017

According to experts, synthetic identity fraud (SIF) has grown significantly in the last five years and resulted in losses exceeding hundreds of millions of dollars to the financial industry in 2016. A key component of synthetic identities is SSNs—the principal identifier in the credit reporting system. GAO convened and moderated a diverse panel of 14 experts on February 15, 2017, to discuss how criminals create synthetic identities, the magnitude of the fraud, and issues related to preventing and detecting SIF and prosecuting criminals. (33 pages)

Counting the Cost: Cyber Exposure Decoded

Lloyd's of London

July 10, 2017

Lloyd's Class of Business team estimates that the global cyber market is worth between $3 billion and $3.5 billion. Despite this growth, insurers' understanding of cyber liability and risk aggregation is an evolving process as experience and knowledge of cyber-attacks grows. (56 pages)

2017 Cost of Data Breach Study: Global Overview

Ponemon Institute and IBM

June 28, 2017

According to the report, the average total cost of data breach for the 419 companies participating in the research study decreased from $4.00 million to $3.62 million. The average cost for each lost or stolen record containing sensitive and confidential information also significantly decreased from $158 in 2016 to $141 in this year's study. However, despite the decline in the overall cost, companies in this year's study are having larger breaches. (35 pages)

2016 Internet Crime Report

Internet Crime Complaint Center (IC3)

June 21, 2017

IC3 is a joint project of the National White Collar Crime Center and the FBI. In 2016, IC3 received a total of 298,728 complaints with reported losses in excess of $1.3 billion. This past year, the top three crime types reported by victims were non-payment and nondelivery, personal data breach, and payment scams. (28 pages)

Stateless Attribution: Toward International Accountability in Cyberspace

RAND

June 2017

This report reviews the state of cyber attribution and examines alternative options for producing standardized and transparent attribution that may overcome concerns about credibility. In particular, this exploratory work considers the value of an independent, global organization whose mission consists of investigating and publicly attributing major cyber attacks. (64 pages)

Worldwide DDoS Attacks & Cyber Insights Research Report

Neustar

May 2, 2017

Public and private organizations globally are getting slower at detecting and responding to distributed denial of service (DDoS) attacks as they become larger and more complex, new research shows. More than half of organizations surveyed in a global study reported taking three hours or more to detect a DDoS attack on their websites in the past year. Forty-eight percent said that they take at least three hours to respond to such an attack. (52 pages)

Data Breach Digest: Perspective is Reality

Verizon

April 26, 2017

In the Data Breach Digest, Verizon shares some of their most interesting cases—anonymized of course—so you can learn from the lessons of others. Their 16 cybercrime case studies cover the most lethal and prevalent threats you face—from partner misuse to sophisticated malware. They set out the measures you can take to better defend your organization and respond quickly if you are a victim of an attack. (100 pages)

Data Breach Investigative Report (registration required)

Verizon

April 27, 2017

The latest report examined 42,068 incidents and 1,935 breaches from 84 countries, drawing from the collective data of 65 organizations. Cyber espionage accounts for 21% of breaches, still far behind the 73% that are financially motivated. Breaches are heavily concentrated in three sectors: financial, health care, and public sector. (76 pages)

2017 Internet Security Threat Report (registration required)

Symantec

April 26, 2017

Cyberattackers are seeking bigger financial hauls, targeting massive dollar amounts, and more than tripling their asking price via ransomware from 2015 to 2016. In 2015, ransomware demands averaged $294, but that jumped to $1,077 in 2016. The probable cause is that victims are paying up: globally, 34% paid the ransom, and in the United States, 64% did. (77 pages)

The Cyber-Value Connection: Revealing the link between cyber vulnerability

CGI/Oxford Economics

April 2017

The report looks at the reduction in company value that arises from a cyber breach, vividly demonstrating how a severe incident leads to a decline in share price. To ensure rigor and independence, CGI commissioned Oxford Economics to develop a robust econometric model using a "difference in differences" technique to isolate the damage caused to company value by a cyber breach from other movements in the market. (28 pages)

Identity Theft Services: Services Offer Some Benefits but Are Limited in Preventing Fraud

GAO

March 30, 2017

GAO was asked to examine issues related to identity theft services and their usefulness. The report examines, among other objectives, (1) the potential benefits and limitations of identity theft services and (2) factors that affect government and private-sector decisionmaking about them. GAO reviewed products, studies, laws, regulations, and federal guidance and contracts, and interviewed federal agencies, consumer groups, industry stakeholders, and eight providers selected because they were large market participants. (70 pages)

Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits

RAND

March 13, 2017

This report provides findings from real-world zero-day vulnerability and exploit data that could augment conventional proxy examples and expert opinion, complement current efforts to create a framework for deciding whether to disclose or retain a cache of zero-day vulnerabilities and exploits, inform ongoing policy debates regarding stockpiling and vulnerability disclosure, and add extra context for those examining the implications and resulting liability of attacks and data breaches for U.S. consumers, companies, insurers, and for the civil justice system broadly. (133 pages)

IBM X-Force Threat Intelligence Index 2017: The Year of the Mega-Breach

IBM

March 2017

In 2016, more than four billion records were leaked worldwide, exceeding the combined total from the two previous years, according to a report from IBM Security. The leaked documents comprised the usual credit cards, passwords, and personal health information, but the report also notes a shift in cybercriminal strategies, finding a number of significant breaches were related to unstructured data such as email archives, business documents, intellectual property, and source code. (30 pages)

The Web of Vulnerabilities: Hunters, Hackers, Spies, and Criminals

Christian Science Monitor's Passcode team and Northwestern University's Medill School of Journalism

February 10, 2017

In a joint multimedia project, the Christian Science Monitor's Passcode team and Northwestern University's Medill School of Journalism explore the growing arms race to discover software vulnerabilities and what it means for national security and everyone's digital privacy and safety.

2017 Identity Fraud: Securing the Connected Life (press release)

Javelin Strategy & Research

February 2017

The study revealed that the number of identity fraud victims increased by 16% (rising to 15.4 million U.S. consumers) in the last year, a record high since Javelin Strategy & Research began tracking identity fraud in 2003. The study found that despite the efforts of the industry, fraudsters successfully adapted to net two million more victims this year with the amount fraudsters took rising by nearly $1 billion to $16 billion. (6 pages)

In 2017, The Insider Threat Epidemic Begins

Institute for Critical Infrastructure Technology

February 2017

The report offers a comprehensive analysis of the Insider Threat Epidemic, including research on (1) Characterizing Insider Threats (the insider threat cyber "kill chain," non-malicious insider threats, malicious insider threats); (2) The Insider Threat Debate; (3) Policies, Procedures, and Guidelines to Combat Insider Threats; (4) Non-Technical Controls; and (5) Technical Controls. (52 pages)

Risk and Anxiety: A Theory of Data Breach Harms

Texas Law Review

December 14, 2016

The essay examines why courts have struggled when dealing with harms caused by data breaches. The difficulty largely stems from the fact that data breach harms are intangible, risk-oriented, and diffuse. The report explores how existing legal foundations support the recognition of such harm. It demonstrates how courts can assess risk and anxiety in a concrete and coherent way.

Verisign Distributed Denial of Service Trends Report

Verisign

December 2016

Provides a view into attack statistics and behavioral trends during the third quarter of 2016: 81% of attacks peaked over 1 gigabit per second (Gbps); 82% increase in attack size year over year; 59% of attacks used multiple attack types. (12 pages)

Department Releases Intake and Charging Policy for Computer Crime Matters

DOJ

October 25, 2016

In the course of litigation, DOJ released the policy under which it chooses whether to bring charges under the Computer Fraud and Abuse Act. As set forth in the memorandum, prosecutors must consider a number of factors to ensure that charges are brought only in cases that serve a substantial federal interest.

Data Breach Response: A Guide for Businesses

FTC

October 25, 2016

The guidance document provides a basic checklist to help identify the general legal coverage for various types of data and point businesses to the relevant legal standards. It also includes a model notice letter for individuals whose Social Security numbers may have been breached. (16 pages)

IoT Devices as Proxies for Cybercrime

Krebs on Security

October 13, 2016

The post looks at how criminals are using hacked IoT devices as proxies to hide their true location online as they engage in a variety of other types of cybercriminal activity—from frequenting underground forums to credit card and tax refund fraud.

Examining the Costs and Causes of Cyber Incidents

RAND

October 10, 2016

Researchers found that the typical cost of a breach was about $200,000 and that most cyber events cost companies less than 0.4% of their annual revenues. The $200,000 cost was roughly equivalent to a typical company's annual information security budget. (15 pages)

From the Trenches: Current Status of Security and Risk in the Financial Sector

SANS Institute

October 6, 2016

According to a recent SANS survey, some 55% of financial services firms report ransomware as the top attack threat, followed by phishing (50%), which previously held the top spot. More than 32% of financial firms say they've lost anywhere from $100,000 to $500,000 due to ransomware attacks.

2016 Internet Organized Crime Threat Assessment (IOCTA)

Europol

September 28, 2016

The IOCTA reports a continuing and increasing acceleration of the security trends observed in previous assessments. The additional increase in volume, scope, and financial damage combined with the asymmetric risk that characterizes cybercrime has reached such a level that in some EU countries cybercrime may have surpassed traditional crime in terms of reporting. (72 pages)

The Rising Face of Cyber Crime: Ransomware

BitSight

September 21, 2016

Ransomware attacks on government agencies around the world have tripled in the past year. Government entities are second most likely to be targeted by ransomware attacks, following only the education sector. About 4% of government agencies had been exposed to Nymaim, and 3% to Locky, both ransomware strains. Of all industries, government had the second lowest security rating and the highest ransomware attack rate. (11 pages)

Ransomware Victims Urged to Report Infections to Federal Law Enforcement

FBI

September 15, 2016

The FBI is requesting that victims reach out to their local FBI office or file a complaint with the Internet Crime Complaint Center, at http://www.IC3.gov, with ransomware infection details (as detailed on the website).

Workshop on Data Breach Aftermath and Recovery for Individuals and Institutions

National Academies Press

September 2016

In January 2016, the National Academies of Sciences, Engineering, and Medicine hosted the Workshop on Data Breach Aftermath and Recovery for Individuals and Institutions. Participants examined existing technical and policy remediations, and they discussed possible new mechanisms for better protecting and helping consumers in the wake of a breach. Speakers were asked to focus on data breach aftermath and recovery and to discuss ways to remediate harms from breaches. The publication summarizes the presentations and discussions from the workshop. (67 pages)

Costs and Causes of Cyber Incidents

Journal of Cybersecurity

August 25, 2016

Researchers examined a sample of more than 12,000 cyber events that include data breaches, security incidents, privacy violations, and phishing crimes. The findings suggest that public concerns regarding the increasing rates of breaches and illegal actions may be excessive compared with the relatively modest financial impact to firms that suffer these events. Specifically, they found that the cost of a typical cyber incident is less than $200,000 (about the same as the firm's annual IT security budget), which represents only 0.4% of a firm's estimated annual revenues. (15 pages)

Cyber Incident Timeline

Center for Strategic & International Studies

August 2016

The CSIS's Strategic Technologies program's interactive "Cyber Incident Timeline" details the successful attacks on government agencies, defense and high tech companies, and international economic crimes with losses of more than $1 million, since 2006. It includes news reports and videos on most incidents.

New America

July 28, 2016

The report offers five initial policy recommendations to ensure that more vulnerabilities are discovered and patched sooner: (1) The U.S. government should minimize its participation in the vulnerability market, because it is the largest buyer in a market that discourages researchers from disclosing vulnerabilities to be patched; (2) The U.S. government should establish strong, clear procedures for government disclosure of the vulnerabilities it buys or discovers, with a heavy presumption toward disclosure; (3) Congress should establish clear rules of the road for government hacking to better protect cybersecurity and civil liberties; (4) Government and industry should support bug bounty programs as an alternative to the vulnerabilities market and investigate other innovative ways to foster the disclosure and prompt patching of vulnerabilities; and (5) Congress should reform computer crime and copyright laws, and agencies should modify their application of such laws to reduce the legal chill on legitimate security research. (40 pages)

Second Interim Status Report on the U.S. Office of Personnel Management's (OPM) Infrastructure Improvement Project – Major IT Business Case

Office of Personnel Management (OPM)

May 18, 2016

The report finds that funding for the troubled IT security upgrades project remains an issue in part because of the agency's poor planning. The inspector general finds the agency still lacks a "realistic budget" for the massive upgrade. (12 pages)

Consumer Attitudes Toward Data Breach Notifications and Loss of Personal Information

RAND Corp.

April 20, 2016

Key findings include (1) 26% of respondents, or an estimated 64 million U.S. adults, recalled a breach notification in the past 12 months; (2) 44% of those notified were already aware of the breach; (3) 62% of respondents accepted offers of free credit monitoring; (4) only 11% of respondents stopped dealing with the affected company following a breach; (5) 32% of respondents reported no costs of the breach and any inconvenience it garnered, while, among those reporting some cost, the median cost was $500; and (6) 77% of respondents were highly satisfied with the company's post-breach response.

2016 Internet Security Threat Report | Government

Symantec

April 13, 2016

Public-sector data breaches exposed some 28 million identities in 2015, but hackers were responsible for only one-third of those compromises, according to new research. Negligence was behind nearly two-thirds of the exposed identities through government agencies. In total, the report suggests 21 million identities were compromised accidentally, compared with 6 million by hackers.

Combatting the Ransomware Blitzkrieg: The Only Defense is a Layered Defense, Layer One: Endpoint Security

The Institute for Critical Infrastructure Technology

April 2016

The report introduces the ins and outs of the more prevalent ransomware variants as well as other endpoints vulnerable to ransomware attacks, such as SCADA/ICS, IoT, cars, cloud, servers, specialized hardware, personal computers, and the most easily exploitable vulnerability, the human. (27 pages)

2016 Data Breach Investigations Report

Verizon

April 2016

Provides analysis and statistics on worldwide data breaches. "In 93% of cases, it took attackers minutes or less to compromise systems. Organizations, meanwhile, took weeks or more to discover that a breach had even occurred—and it was typically customers or law enforcement that sounded the alarm, not their own security measures." (85 pages)

A Look Inside Cybercriminal Call Centers

Krebs on Security

January 11, 2016

Criminals who make a living via identity theft schemes, dating scams, and other con games often run into trouble when presented with a phone-based challenge that requires them to demonstrate mastery of a language they do not speak fluently. Enter the criminal call center, which allows scammers to outsource those calls to multilingual men and women who can be hired to close the deal.

Target Settlement Memorandum

U.S. District Court, District of Minnesota

December 2, 2015

Target Corporation has agreed to pay financial institutions almost $40 million to settle a class-action suit related to its massive 2013 data breach. The proposed settlement of up to $39,357,938.38 will apply to all U.S. financial institutions that issued payment cards put at risk as a result of the data breach. (20 pages)

The Cyberwar is On (Special Issue)

The Agenda (Politico)

December 2015

The cyber issue of The Agenda magazine contents include "Why Politicians Can't Handle Cyber," "Inside the NSA's Hunt for Hackers," "America's Secret Arsenal," "The Biggest Hacks (We Know About)," "Survey: What Keeps America's Computer Experts Up at Night?," "The 'Electronic Pearl Harbor'," "Our Best Frenemy, Time for a Ralph Nader Moment," "The Crypto Warrior," and "America's CIO."

Fiscal Year 2015 Top Management Challenges

Office of Personnel Management (OPM), Office of Inspector General (OIG)

October 30, 2015

See Internal Challenges section (pp. 15-22) for a discussion of challenges related to information technology, improper payments, the retirement claims process, and the procurement process. Officials in OPM's Office of Procurement Operations violated the Federal Acquisition Regulation and the agency's own policies in awarding a $20.7 million contract to provide credit monitoring and ID theft services. Investigators turned up "significant deficiencies" in the process of awarding the contract to Winvale Group and its subcontractor CSID. (22 pages)

With Stolen Cards, Fraudsters Shop to Drop

Krebs on Security

September 28, 2015

Fraudsters have perfected the reshipping service, a criminal enterprise that allows card thieves and the service operators to essentially split the profits from merchandise ordered with stolen credit and debit cards.

Drops for Stuff: An Analysis of Reshipping Mule Scams

Federal Bureau of Investigation (FBI), University of California Santa Barbara, Stony Brook University, Krebs on Security, University College London

September 23, 2015

In reshipping scams, cybercriminals purchase high-value or high-demand products from online merchants using stolen payment instruments, and then ship the items to a credulous citizen. This person, who has been recruited by the scammer under the guise of "work-from-home" opportunities, then forwards the received products to the cybercriminals, most of whom are located overseas. Once the goods reach the cybercriminals, they are then resold on the black market for an illicit profit. (12 pages)

Follow the Data: Dissecting Data Breaches and Debunking Myths

Trend Micro

September 22, 2015

Trend Micro's Forward-Looking Threat Research (FTR) Team has taken 10 years (2005-2015) of information on data breaches in the United States from the Privacy Rights Clearinghouse (PRC) and subjected it to detailed analysis to better understand the real story behind data breaches and their trends. (51 pages)

Timeline: Government Data Breaches

Government Executive

July 6, 2015

The timelines are based mainly on testimony from OPM Director Katherine Archuleta and Andy Ozment, assistant secretary for Cybersecurity and Communications at DHS, supplemented by information from news reports.

2015 Cost of Data Breach Study: Global Analysis

Ponemon Institute and IBM

May 27, 2015

The average cost of a breach was up worldwide in 2014, with U.S. firms paying almost $1.5 million more than the global average. In the United States, a data breach costs organizations on average $5.85 million (the highest of the 10 nations analyzed), up from $5.4 million in 2013. Globally, the cost of a breach is up 15% this year to $3.5 million. The United States likewise had the highest cost per record stolen, at $201, up from $188 last year. The country also led in terms of size of breaches recorded: U.S. companies averaged 29,087 records compromised in 2014. (Free registration required to download.) (31 pages)

Meet 'Tox': Ransomware for the Rest of Us

McAfee Labs

May 23, 2015

The packaging of malware and malware-construction kits for cybercrime "consumers" has been a long-running trend. Various turnkey kits that cover remote access plus botnet plus stealth functions are available virtually anywhere. Ransomware, though very prevalent, has not yet appeared in force in easy-to-deploy kits. However, Tox is now available free.

2014 Internet Crime Report

Internet Crime Complaint Center (IC3)

May 19, 2015

IC3, a joint project of the National White Collar Crime Center and the FBI, received 269,422 complaints last year consisting of a wide array of scams affecting victims across all demographic groups. In 2014, victims of Internet crimes in the United States lost more than $800 million. On average, approximately 22,000 complaints were received each month. (48 pages)

Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data

Ponemon Institute

May 2015

A rise in cyberattacks against doctors and hospitals is costing the U.S. health-care system $6 billion a year as organized criminals who once targeted retailers and financial firms increasingly go after medical records. Criminal attacks are up 125% compared with five years ago, when lost laptops were the leading threat. The study also found most organizations are unprepared to address new threats and lack adequate resources to protect patient data. (7 pages)

Best Practices for Victim Response and Reporting of Cyber Incidents

DOJ

April 29, 2015

DOJ issued new guidance for businesses on best practices for handling cyber incidents. The guidance is broken down into what companies should do—and should not do—before, during, and after an incident. The recommendations include developing and testing an incident response plan, identifying highly sensitive data and risk management priorities, and connecting with law enforcement and response firms in advance. (15 pages)

2014 Global Threat Intel Report

CrowdStrike

February 6, 2015

The report summarizes CrowdStrike's year-long daily scrutiny of more than 50 groups of cyber threat actors, including 29 different state-sponsored and nationalist adversaries. Key findings explain how financial malware changed the threat landscape and how point-of-sale malware became increasingly prevalent. The report also profiles a number of new and sophisticated adversaries from China and Russia. (Free registration required.)

Unique in the Shopping Mall: on the Reidentifiability of Credit Card Metadata

Science Magazine

January 30, 2015

Massachusetts Institute of Technology (MIT) scientists showed they can identify an individual with more than 90% accuracy by looking at just four purchases; three if the price is included—and this is after companies "anonymized" the transaction records, saying they wiped away names and other personal details. (5 pages)

Ransomware on the Rise: FBI and Partners Working to Combat This Cyber Threat

FBI

January 20, 2015

Ransomware scams involve a type of malware that infects computers and restricts users' access to their files or threatens the permanent destruction of their information unless a ransom—anywhere from hundreds to thousands of dollars—is paid. The site offers information on the FBI's and federal, international, and private-sector partners' proactive steps to neutralize some of the more significant ransomware scams through law enforcement actions against major botnets.

Exploit This: Evaluating the Exploit Skills of Malware Groups

Sophos Labs Hungary

January 2015

Researchers evaluated the malware and advanced persistent threat (APT) campaigns of several groups that all leveraged a particular exploit—a sophisticated attack against a specific version of Microsoft Office. The report found that none of the groups were able to modify the attack enough to infect other versions of Office, even though several versions were theoretically vulnerable to the same type of attack. Despite the aura of skill and complexity that seems to surround APTs, they are much less sophisticated than they are given credit for. (26 pages)

The Cost of Malware Containment

Ponemon Institute

January 2015

A survey of more than 600 U.S. IT security practitioners found that in a typical week, organizations receive an average of nearly 17,000 malware alerts; only 19% are deemed reliable or worthy of action. Compounding the problem, respondents believe their prevention tools miss 40% of malware infections in a typical week. (Free registration required.)

Addressing the Cybersecurity Malicious Insider Threat

Schluderberg, Larry (Utica College Master's Thesis)

January 2015

"The purpose of this research was to investigate who constitutes Malicious Insider (MI) threats, why and how they initiate attacks, the extent to which MI activity can be modeled or predicted, and to suggest risk mitigation strategies. The results reveal that addressing the Malicious Insider threat is much more than just a technical issue. Dealing effectively with the threat involves managing the dynamic interaction between employees, their work environment and work associates, the systems with which they interact, and organizational policies and procedures." (80 pages)

The Underground Hacker Markets are Booming with Counterfeit Documents, Premiere Credit Cards, Hacker Tutorials, and 1000% Satisfaction Guarantees

(Requires registration)

Dell SecureWorks

December 2014

Researchers examined dozens of underground hacker markets and found that business is booming. Prices have gone down for many items and the offerings have expanded. According to the report, "Underground hackers are monetizing every piece of data they can steal or buy and are continually adding services so other scammers can successfully carry out online and in-person fraud." (16 pages)

What Happens When You Swipe Your Card?

60 Minutes

November 30, 2014

From the script for the segment "Swiping Your Card": "Sophisticated cyberthieves steal your credit card information. Common criminals buy it and go on shopping sprees—racking up billions of dollars in fraudulent purchases. The cost of the fraud is calculated into the price of every item you buy. When computer crooks swipe your card number, we all end up paying the price. 2014 is becoming known as the 'year of the data breach.'"

Continuing Federal Cyber Breaches Warn Against Cybersecurity Regulation

Heritage Foundation

October 27, 2014

A list of federal government cybersecurity breaches and failures, most of which occurred during 2013 and 2014. The list is part of a continuing series published by Heritage that serves as a long-term compilation of open-source data about federal cybersecurity breaches dating back to 2004.

2014 Cost of Cybercrime Global Report

Hewlett-Packard Enterprise Security and the Ponemon Institute

October 8, 2014

This 2014 global study, which spanned seven nations, found that over the course of a year the average cost of cybercrime for U.S.-based companies climbed by more than 9% to $12.7 million, up from $11.6 million in the 2013 study. The average time to resolve a cyberattack is also rising, climbing to 45 days from 32 days in 2013. (30 pages) (Email registration required.)

The Deep Web (Special Issue)

The Kernel

September 28, 2014

A special issue devoted to the Deep Web, Tor, Silk Road, black markets, etc.

How Consumers Foot the Bill for Data Breaches (infographic)

NextGov.com

August 7, 2014

More than 600 data breaches occurred in 2013 alone, with an average organizational cost of more than $5 million. But in the end, it is the customers who are often picking up the tab, from higher retail costs to credit card reissue fees.

Is Ransomware Poised for Growth?

Symantec

July 14, 2014

Ransomware usually masquerades as a virtual "wheel clamp" for the victim's computer. For example, pretending to be from local law enforcement, it might suggest the victim had been using the computer for illicit purposes and claim that to unlock his or her computer the victim would have to pay a fine—often between $100 and $500. The use of ransomware escalated in 2013, with a 500% (sixfold) increase in attacks between the start and end of the year.

iDATA: Improving Defences Against Targeted Attack

Centre for the Protection of National Infrastructure (UK)

July 2014

The iDATA program consists of a number of projects aimed at addressing threats posed by nation-states and state-sponsored actors. iDATA has resulted in several outputs for the cybersecurity community. The document provides a description of the iDATA program and a summary of the reports. (8 pages)

Cyber Risks: The Growing Threat

Insurance Information Institute

June 27, 2014

Although cyber risks and cybersecurity are widely acknowledged to be serious threats, many companies today still do not purchase cyber risk insurance. Insurers have developed specialist cyber insurance policies to help businesses and individuals protect themselves from the cyber threat. Market intelligence suggests that the types of specialized cyber coverage being offered by insurers are expanding in response to this fast-growing market need. (27 pages)

Hackers Wanted: An Examination of the Cybersecurity Labor Market

RAND Corporation

June 24, 2014

RAND examined the current status of the labor market for cybersecurity professionals—with an emphasis on their being employed to defend the United States. This effort was in three parts: first, a review of the literature; second, interviews with managers and educators of cybersecurity professionals, supplemented by reportage; and third, an examination of the economic literature about labor markets. RAND also disaggregated the broad definition of cybersecurity professionals to unearth skills differentiation as relevant to this study. (110 pages)

Big Data and Innovation, Setting The Record Straight: De-identification Does Work

Information Technology and Innovation Foundation and the Information and Privacy Commissioner, Ontario, Canada

June 16, 2014

The paper examines a select group of articles that are often referenced in support of the myth that de-identified data sets are at risk of re-identifying individuals through linkages with other available data. It examines the ways in which the academic research referenced has been misconstrued and finds that the primary reason for the popularity of these misconceptions is not factual inaccuracies or errors within the literature but rather a tendency on the part of commentators to overstate or exaggerate the risk of re-identification. (13 pages)

Net Losses: Estimating the Global Cost of Cybercrime

Center for Strategic and International Studies and McAfee

June 2014

The report explores the economic impact of cybercrime, including estimation, regional variances, IP theft, opportunity and recovery costs, and the future of cybercrime. (24 pages)

2014 U.S. State of Cybercrime Survey

PricewaterhouseCoopers, CSO Magazine, the CERT Division of the Software Engineering Institute at Carnegie Mellon University, and the U.S. Secret Service

May 29, 2014

The cybersecurity programs of U.S. organizations do not rival the persistence, tactical skills, and technological prowess of their potential cyber adversaries. This year, three out of four (77%) respondents to the survey had detected a security event in the past 12 months, and more than one-third (34%) said the number of security incidents detected had increased over the previous year. (21 pages)

Privileged User Abuse and The Insider Threat

Ponemon Institute and Raytheon

May 21, 2014

The report looks at what companies are doing right and the vulnerabilities that need to be addressed with policies and technologies. One problematic area is the difficulty in actually knowing if an action taken by an insider is truly a threat. Sixty-nine percent of respondents say they do not have enough contextual information from security tools to make this assessment, and 56% say security tools yield too many false positives. (32 pages) (Requires free registration to access.)

Online Advertising and Hidden Hazards to Consumer Security and Data Privacy

Senate Permanent Subcommittee on Investigations

May 15, 2014

The report found consumers could expose themselves to malware just by visiting a popular website. It noted that the complexity of the industry made it possible for both advertisers and host websites to defer responsibility and that consumer safeguards failed to protect against online abuses. The report also warned that current practices do not create enough incentives for "online advertising participants" to take preventive measures. (47 pages)

Sharing Cyberthreat Information Under 18 USC §2702(a)(3)

DOJ

May 9, 2014

DOJ issued guidance for Internet service providers to assuage legal concerns about information sharing. The white paper interprets the Stored Communications Act (18 U.S.C. §2701 et seq.), which prohibits providers from voluntarily disclosing customer information to governmental entities. The white paper says the law does not prohibit companies from divulging data in the aggregate, without any specific details about identifiable customers. (7 pages)

The Target Breach, by the Numbers

Krebs on Security

May 6, 2014

A synthesis of numbers associated with the Target data breach of December 19, 2013 (e.g., number of records stolen, estimated dollar cost to credit unions and community banks, and the amount of money Target estimates it will spend upgrading payment terminals to support Chip-and-PIN enabled cards).

The Rising Strategic Risks of Cyberattacks

McKinsey and Company

May 2014

The authors suggest that companies are struggling with their capabilities in cyber risk management. As highly visible breaches occur with increasing regularity, most technology executives believe they are losing ground to attackers. Organizations large and small lack the facts to make effective decisions, and traditional "protect the perimeter" technology strategies are proving insufficient.

Big Data: Seizing Opportunities, Preserving Values

White House

May 2014

Findings include a set of consumer protection recommendations, such as national data-breach legislation, and a fresh call for baseline consumer-privacy legislation first recommended in 2012. (85 pages)

Russian Underground Revisited

Trend Micro

April 28, 2014

The price of malicious software—designed to enable online bank fraud, identity theft, and other cybercrimes—is falling dramatically in some of the Russian-language criminal markets in which it is sold. Falling prices are a result not of declining demand but rather of an increasingly sophisticated marketplace. The report outlines the products and services being sold and their prices. (25 pages)

Federal Agencies Need to Enhance Responses to Data Breaches

GAO

April 2, 2014

Major federal agencies continue to face challenges in fully implementing all components of agency-wide information security programs, which are essential for securing agency systems and the information they contain—including personally identifiable information (PII). (19 pages)

A "Kill Chain" Analysis of the 2013 Target Data Breach

Senate Commerce Committee

March 26, 2014

The report analyzes what has been reported to date about the Target data breach, using the intrusion kill chain framework, an analytical tool introduced by Lockheed Martin security researchers in 2011 and widely used today by information security professionals in both the public and private sectors. The analysis suggests that Target missed a number of opportunities along the kill chain to stop the attackers and prevent the massive data breach. (18 pages)

Markets for Cybercrime Tools and Stolen Data

RAND Corporation National Security Research Division and Juniper Networks

March 25, 2014

The report, part of a multiphase study on the future security environment, describes the fundamental characteristics of the criminal activities in cyberspace markets and how they have grown into their current state to explain how their existence can harm the information security environment. (83 pages)

Merchant and Financial Trade Associations Announce Cybersecurity Partnership

Retail Industry Leaders Association

February 13, 2014

Trade associations representing the merchant and financial services industries announced a new cybersecurity partnership. The partnership will focus on exploring paths to increased information sharing, better card security technology, and maintaining the trust of customers. Discussion regarding the partnership was initiated by the Retail Industry Leaders Association and the Financial Services Roundtable.

FTC Statement Marking the FTC's 50th Data Security Settlement

Federal Trade Commission (FTC)

January 31, 2014

The FTC announced its 50th data security settlement. What started in 2002 with a single case applying established FTC Act precedent to the area of data security has grown into an enforcement program that has helped to increase consumer protections and encouraged companies to make safeguarding consumer data a priority. (2 pages)

Worst Practices Guide to Insider Threats: Lessons from Past Mistakes

American Academy of Arts and Sciences

January 2014

The report presents a worst practices guide of serious past mistakes regarding insider threats. Although each situation is unique, and serious insider problems are relatively rare, the incidents reflect issues that exist in many contexts and that every security manager should consider. Common organizational practices—such as prioritizing production over security, failure to share information across subunits, inadequate rules or inappropriate waiving of rules, exaggerated faith in group loyalty, and excessive focus on external threats—can be seen in many past failures to protect against insider threats. (32 pages)

ENISA Threat Landscape 2013—Overview of Current and Emerging Cyber-Threats

European Union Agency for Network and Information Security (ENISA)

December 11, 2013

The report is a comprehensive compilation of the top 15 cyber threats assessed in the 2013-reporting period. ENISA has collected more than 250 reports regarding cyber threats, risks, and threat agents. (70 pages)

Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent

GAO

December 9, 2013

GAO recommends that "to improve the consistency and effectiveness of government-wide data breach response programs, the Director of OMB should update its guidance on federal agencies' responses to a PII-related data breach to include (1) guidance on notifying affected individuals based on a determination of the level of risk; (2) criteria for determining whether to offer assistance, such as credit monitoring to affected individuals; and (3) revised reporting requirements for PII-related breaches to US-CERT [United States Computer Emergency Readiness Team], including time frames that better reflect the needs of individual agencies and the government as a whole and consolidated reporting of incidents that pose limited risk." (67 pages)

Cyber-enabled Competitive Data Theft: A Framework for Modeling Long-Run Cybersecurity Consequences

Brookings Institution

December 2013

Economic espionage has existed at least since the industrial revolution, but the scope of modern cyber-enabled competitive data theft may be unprecedented. The authors present what they believe is the first economic framework and model to understand the long-run impact of competitive data theft on an economy by taking into account the actual mechanisms and pathways by which theft harms the victims. (18 pages)

Illicit Cyber Activity Involving Fraud

Carnegie Mellon University Software Engineering Institute

August 8, 2013

Technical and behavioral patterns were extracted from 80 fraud cases—67 insider and 13 external—that occurred between 2005 and the present. These cases were used to develop insights and risk indicators to help private industry, government, and law enforcement more effectively prevent, deter, detect, investigate, and manage malicious insider activity within the banking and finance sectors. (28 pages)

The Economic Impact of Cybercrime and Cyber Espionage

Center for Strategic and International Studies (CSIS)

July 22, 2013

According to CSIS, losses to the United States (the country in which data is most accessible) may reach $100 billion annually. The cost of cybercrime and cyber espionage to the global economy is some multiple of this, likely measured in hundreds of billions of dollars. (20 pages)

Cyber-Crime, Securities Markets, and Systemic Risk

World Federation of Exchanges and the International Organization of Securities Commissions

July 16, 2013

The report explores the nature and extent of cybercrime in securities markets and the potential systemic risk aspects of this threat. It presents the results of a survey to the world's exchanges on their experiences with cybercrime, cybersecurity practices, and perceptions of the risk. (59 pages)

Remaking American Security: Supply Chain Vulnerabilities and National Security Risks Across the U.S. Defense Industrial Base

Alliance for American Manufacturing

May 2013

The report argues that, because the supply chain is global, it makes sense for U.S. officials to cooperate with other nations to ward off cyberattacks, and that increased international cooperation to secure the integrity of the global IT system is a valuable long-term objective. (355 pages)

Comprehensive Study on Cybercrime

United Nations Office on Drugs and Crime

February 2013

The study examined the problem of cybercrime from the perspective of governments, the private sector, academia, and international organizations. It presents its results in eight chapters, covering (1) Internet connectivity and cybercrime; (2) the global cybercrime picture; (3) cybercrime legislation and frameworks; (4) criminalization of cybercrime; (5) law enforcement and cybercrime investigations; (6) electronic evidence and criminal justice; (7) international cooperation in criminal matters involving cybercrime; and (8) cybercrime prevention. (320 pages)

Does Cybercrime Really Cost $1 Trillion?

ProPublica

August 1, 2012

In a news release to announce its 2009 report, Unsecured Economies: Protecting Vital Information, computer security firm McAfee estimated a $1 trillion global cost for cybercrime. The number does not appear in the report itself. This estimate is questioned even by the three independent researchers from Purdue University whom McAfee credits with analyzing the raw data from which the estimate was derived. An examination by ProPublica has found new grounds to question the data and methods used to generate these numbers, which McAfee and Symantec say they stand behind.

Proactive Policy Measures by Internet Service Providers against Botnets

Organization for Economic Co-operation and Development (OECD)

May 7, 2012

The report analyzes initiatives in a number of countries through which end-users are notified by Internet service providers (ISPs) when their computers are identified as being compromised by malicious software and encouraged to take action to mitigate the problem. (25 pages)

Developing State Solutions to Business Identity Theft: Assistance, Prevention and Detection Efforts by Secretary of State Offices

National Association of Secretaries of State (NASS)

January 2012

The white paper is the result of efforts by the 19-member NASS Business Identity Theft Task Force to develop policy guidelines and recommendations for state leaders dealing with identity fraud cases involving public business records. (23 pages)

Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines

SANS Institute

October 3, 2011

The 20 security measures are intended to focus agencies' limited resources on plugging the most common attack vectors. (77 pages)

Revealed: Operation Shady RAT: an Investigation Of Targeted Intrusions Into 70+ Global Companies, Governments, and Non-Profit Organizations During the Last 5 Years

McAfee

August 2, 2011

A cyber-espionage operation lasting many years penetrated 72 government and other organizations, most of them in the United States, and copied everything from military secrets to industrial designs, according to technology security company McAfee. (See page 4 for the types of compromised parties, page 5 for the geographic distribution of victims' countries of origin, pages 7-9 for the types of victims, and pages 10-13 for the number of intrusions for 2007-2010.) (14 pages)

The Role of Internet Service Providers in Botnet Mitigation: an Empirical Analysis Based on Spam Data

Organisation for Economic Co-operation and Development (OECD)

November 12, 2010

The working paper considers whether ISPs can be critical control points for botnet mitigation, how the number of infected machines varies across ISPs, and why. (31 pages)
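The comparison of infection levels across ISPs that this working paper (and the OECD report above on ISP notification initiatives) rests on starts from one mechanical step: attributing each spam source seen at a spam trap to the network that announces it, then counting distinct sources per network and normalizing by that network's size. The following is an added example of that step, not code from the paper or from OECD; the prefix table, ASN numbers, subscriber counts and spam-trap log lines are all constructed for illustration, and a real analysis would use a routing-table snapshot and much larger data.

```python
"""Attribute spam-trap sources to the announcing network and count distinct
infected hosts per ASN, normalized per 1,000 subscribers (constructed data)."""
import ipaddress
from collections import defaultdict

# Constructed prefix table: (prefix, ASN). ASNs are from the private range
# and do not correspond to any real ISP. Note the more-specific /25 carved out
# of the first /24 and announced by a different AS.
PREFIX_TABLE = [
    ("198.51.100.0/24", 64496),
    ("198.51.100.128/25", 64497),
    ("203.0.113.0/24", 64498),
]

# Constructed subscriber counts used to normalize raw counts (hypothetical).
SUBSCRIBERS = {64496: 10_000, 64497: 2_000, 64498: 50_000}

# Constructed spam-trap log: "<timestamp> <source ip> <helo name>".
# The same source appears twice; one source matches no known prefix.
SPAM_LOG = """\
2010-03-01T00:00:01Z 198.51.100.10 mail.example
2010-03-01T00:00:05Z 198.51.100.10 mail.example
2010-03-01T00:00:09Z 198.51.100.200 x
2010-03-01T00:01:00Z 203.0.113.7 y
2010-03-01T00:01:03Z 203.0.113.8 z
2010-03-01T00:01:04Z 192.0.2.1 unknown
"""


def build_table(entries):
    """Parse prefixes and sort longest prefix first so the first hit is the
    most specific announcement (longest-prefix match)."""
    parsed = [(ipaddress.ip_network(p), asn) for p, asn in entries]
    return sorted(parsed, key=lambda e: e[0].prefixlen, reverse=True)


def lookup_asn(table, ip):
    """Return the ASN announcing the most specific prefix covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, asn in table:
        if addr in net:
            return asn
    return None


def parse_sources(log_text):
    """Yield the source IP field from each non-empty log line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            yield parts[1]


def infected_per_asn(log_text, table):
    """Count distinct spam sources per ASN. Repeated hits from one host count
    once: the unit of interest is an infected machine, not a spam message.
    Returns (counts, unmapped_sources)."""
    seen = defaultdict(set)
    unmapped = set()
    for ip in parse_sources(log_text):
        asn = lookup_asn(table, ip)
        if asn is None:
            unmapped.add(ip)
        else:
            seen[asn].add(ip)
    return {asn: len(ips) for asn, ips in seen.items()}, unmapped


def infection_rate(counts, subscribers):
    """Distinct infected sources per 1,000 subscribers, for ASNs of known size.
    Raw counts alone favor small networks; normalizing is what makes ISPs
    comparable."""
    return {asn: n / subscribers[asn] * 1000
            for asn, n in counts.items() if asn in subscribers}


if __name__ == "__main__":
    table = build_table(PREFIX_TABLE)
    counts, unmapped = infected_per_asn(SPAM_LOG, table)
    for asn, rate in sorted(infection_rate(counts, SUBSCRIBERS).items()):
        print(f"AS{asn}: {counts[asn]} infected host(s), {rate:.2f} per 1,000 subscribers")
    print("unmapped sources:", sorted(unmapped))
```

Two details matter in practice. Longest-prefix match is required, not optional: the /25 in the constructed table is announced by a different AS than the enclosing /24, and a naive first-match lookup would blame the wrong ISP for 198.51.100.200. And unmapped sources should be reported rather than silently dropped, since a stale routing snapshot shows up first as a growing unmapped set.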

Untangling Attribution: Moving to Accountability in Cyberspace (Testimony)

Council on Foreign Relations

July 15, 2010

Robert K. Knake's testimony before the House Committee on Science and Technology on the role of attack attribution in preventing cyberattacks and how attribution technologies can affect the anonymity and privacy of Internet users. (14 pages)

Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities

National Research Council

2009

The report explores important characteristics of cyberattacks. It describes the current international and domestic legal structure as it might apply to cyberattacks and considers analogies to other domains of conflict to develop relevant insights. (368 pages)

Source: Highlights compiled by CRS from the reports.

Notes: Page counts are for documents; other cited resources are webpages.

Table 2. National Security, Cyber Espionage, and Cyberwar

(includes Stuxnet, Dark Web/Darknet)

Title

Source

Date

Notes

Department of Defense Cyber Crime Center (DC3)

Department of Defense (DOD)

Continuously Updated

DC3's mission is to deliver superior digital and multimedia (D/MM) forensic lab services, cyber technical training, vulnerability sharing, technical solutions development, and cyber analysis within the following DOD mission areas: cybersecurity and critical infrastructure protection, law enforcement and counterintelligence, document and media exploitation, and counterterrorism.

Cybersecurity Legislation

International Telecommunication Union (ITU)

Continuously Updated

An integral and challenging component of any national cybersecurity strategy is the adoption of regionally and internationally harmonized, appropriate legislation against the misuse of information and communication technologies (ICTs) for criminal or other purposes.

Cyberthreat: Real-Time Map

Kaspersky Labs

Continuously Updated

Kaspersky Labs has launched an interactive cyber threat map that lets viewers see cybersecurity incidents as they occur around the world in real time. The interactive map includes malicious objects detected during on-access and on-demand scans, email and web antivirus detections, and objects identified by vulnerability and intrusion detection subsystems.

Cyberwarfare

RAND

Continuously Updated

Explore RAND reports on cyberwarfare by product type (research, blog, multimedia, event, etc.) or author. Featured reports are at the top of the page.

The Rise of the Private Cyber Corps

CQ Magazine

October 22, 2018

A growing cadre of private threat-intelligence companies engage in daily battle with hackers, foreign spy agencies, and other malware purveyors in attempts to protect Western governments and companies from cyberattacks and espionage. But as these private companies, the vast majority of which are U.S.-based, expand their reach and power, they confront difficult questions: how to call out bad actors; what to do, and whom to alert, when they find a U.S. government-sponsored espionage or malware effort on a client's network; and how far to go in revealing their sources and methods to their clients, or to a U.S. intelligence agency that asks for them.

APT38: Un-usual Suspects

FireEye

October 2018

APT38 is a financially motivated North Korean regime-backed group responsible for conducting destructive attacks against financial institutions, as well as some of the world's largest cyber heists. The group has compromised more than 16 organizations in at least 13 different countries, sometimes simultaneously, since at least 2014. Since the first observed activity, the group's operations have become increasingly complex and destructive.

2018 Foreign Economic Espionage in Cyberspace Report

Office of the Director of National Intelligence's (ODNI) National Counterintelligence and Security Center

July 24, 2018

The report underscores the strategic threat of cyber economic espionage, noting that next generation technologies such as Artificial Intelligence and the Internet-of-Things offer great opportunities, but also introduce new vulnerabilities to U.S. networks for which the cybersecurity community largely remains unprepared. The report also provides insights into the most pervasive nation-state threat actors, including China, Russia and Iran, and recent examples of their economic espionage activities in the United States through cyberspace. Despite advances in cybersecurity, the report notes that cyberespionage offers such actors a relatively low-cost, high-yield avenue to obtain a wide spectrum of U.S. intellectual property. The report also identifies those U.S. industrial sectors and technologies that are of greatest interest to foreign threat actors.

Report of the Attorney General's Cyber Digital Task Force

DOJ

July 2, 2018

The report describes how DOJ will assess and respond to foreign influence operations like Russia's 2016 election meddling, and also describes a range of challenges hampering the government's ability to fight more traditional cybercrime and recommends possible solutions.

Q&A with Scott Smith, Assistant Director of the FBI's Cyber Division

Politico Pro

June 5, 2018

Smith is proud of how his division works with DHS to inform private-sector partners and the public about cyber threats. Smith also discussed how the FBI works with overseas partners, how it trains agents in the basics of cyber investigations to make up for a shortage of cyber experts in law enforcement, and whether 2018 is the cyber equivalent of the late 1990s, the ominous period of repeated terrorist attacks that preceded 9/11.

Terror in the Dark: How Terrorists Use Encryption, the Darknet, and Cryptocurrencies

Henry Jackson Society; Centre for the Response to Radicalization and Terrorism

April 2018

The report demonstrates how terrorists and extremists have utilized the Darknet to mask their communication and propaganda efforts, to recruit and radicalize, and to gain material benefits such as illicit goods, including, but not limited to, weapons and fraudulent documents. In addition, this report notes the growing tendency of these individuals to utilize cryptocurrencies for transactions and fundraising, enabling them to evade detection by law enforcement entities.

Too Connected To Fail: How Attackers Can Disrupt the Global Internet, Why It Matters, And What We Can Do About It

Belfer Center for Science and International Affairs (Harvard)

May 2017

The paper examines attacks on core Internet infrastructure through a lens of national security and nation state conflict. Most analyses have focused on the ability of non-state actors to use these tools to exact ransom or commit mischief. While these are real concerns, an examination of these attacks' applicability in nation state conflict has been missing. (54 pages)

Cyber Compellence: Applying Coercion in the Information Age

Marine Corps University and Northeastern University, presented at the Annual International Studies Association Meeting, Baltimore, Maryland

April 25, 2017

The paper reviews how state actors applied cyber instruments to coerce adversaries between 2000 and 2014, differentiating between cyber disruption, espionage, and degradation. Cyber disruption and espionage methods seem to achieve their goals of gathering intelligence and signaling through harassment, but do not result in an observable behavioral change in the target in the near term. Only on limited occasions, usually associated with U.S. activity in cyberspace, does cyber coercion, often in the form of degradation, result in concessions. The idea of quick victory in the cyber domain remains elusive. (27 pages)

Bad Bots: The Weaponization of Social Media

College of William and Mary; Project on International Peace and Security

April 2017

In the next several years, hostile states or non-state actors will accelerate their use of social media bots to undermine democracy, recruit terrorists, disrupt markets, and stymie open-source intelligence collection. This report conducts an alternative futures analysis in order to help policymakers identify options to mitigate the threats of social media bots. In the worst-case and most-likely scenario, a technological stalemate between bots and bot-detection leads to a false sense of confidence in social media information, which allows for breakthroughs in bot technology to create disruptions until bot-detection technology advances. (23 pages)

Strategic Aspects of Cyberattack, Attribution, and Blame

Proceedings of the National Academy of Sciences

March 14, 2017

Attribution of cyberattacks has strategic and technical components. A formal model incorporates both elements and shows the conditions under which it is rational to tolerate an attack and when it is better to assign blame publicly. The model applies to a wide range of conflicts and provides guidance to policymakers about which parameters must be estimated to make a sound decision about attribution and blame. It also draws some surprising conclusions about the risks of asymmetric technical attribution capabilities. (12 pages)

Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits

RAND

March 13, 2017

The report provides findings from real-world zero-day vulnerability and exploit data that could augment conventional proxy examples and expert opinion, complement current efforts to create a framework for deciding whether to disclose or retain a cache of zero-day vulnerabilities and exploits, inform ongoing policy debates regarding stockpiling and vulnerability disclosure, and add extra context for those examining the implications and resulting liability of attacks and data breaches for U.S. consumers, companies, insurers, and for the civil justice system broadly. (133 pages)

Snapshot: Turning Back DDoS Attacks

DHS Science and Technology, Homeland Security Advanced Research Projects Agency's Cyber Security Division (CSD)

February 16, 2017

CSD's Distributed Denial of Service Defense (DDoSD) project is spearheading a three-pronged approach to shift the advantage to network infrastructure defenders. The project's two primary focuses are on increasing deployment of best practices to slow the growth of attack scale and on defending networks against attacks of one terabit per second (1 Tbps) through development of collaboration tools that can be used by medium-size organizations. A third part of the project addresses other types of denial of service attacks, such as those against 911 and Next Generation 911 emergency management systems.

Task Force on Cyber Deterrence

Defense Science Board

February 2017

The U.S. military lacks the cyber capabilities to defend against potential attacks against financial systems, telecommunications systems, and other elements of critical infrastructure launched by Russia or China. Furthermore, the U.S. military's dependence on IT makes it vulnerable to attacks that could diminish its capabilities to respond to such attacks. The task force recommends that the Pentagon develop a second-strike capability that is cyber-resilient. (44 pages)

The Enemy Has a Voice: Understanding Threats to Inform Smart Investment in Cyber Defense

New America

February 2017

The report discusses the general concept of cyber threat intelligence (CTI), how it can reduce the "offense dominant" nature of cybersecurity, and the various types of such information. The report outlines challenges with cyber threat intelligence going forward and proposes policy ideas that can help lead to improved access to such information across a variety of organizations. (16 pages)

Cyber Prep 2.0: Motivating Organizational Cyber Strategies in Terms of Threat Preparedness

MITRE Corp.

February 2017

Cyber Prep 2.0 focuses on advanced threats and corresponding elements of organizational strategy and includes material related to conventional cyber threats. Cyber Prep 2.0 can be used in standalone fashion, or it can be used to complement and extend the use of other, more detailed frameworks (e.g., the NIST [National Institute of Standards and Technology] Cybersecurity Framework) and threat models.

The U.S. Government and Zero-Day Vulnerabilities: from Pre-Heartbleed to Shadow Brokers

Columbia University, Journal of International Affairs

November 2016

Government agencies currently submit zero days they discover to an interagency Vulnerability Equities Process headed by the National Security Council. The review examines questions such as how likely criminals and foreign adversaries are to discover the vulnerability and how much damage they could do if they did discover it, balancing that with what value the vulnerability might provide to U.S. intelligence agencies. (22 pages)

Department Releases Intake and Charging Policy for Computer Crime Matters

Department of Justice (DOJ)

October 25, 2016

"In the course of recent litigation, the department yesterday shared the policy under which we choose whether to bring charges under the Computer Fraud and Abuse Act. As set forth in the memorandum, prosecutors must consider a number of factors in order to ensure that charges are brought only in cases that serve a substantial federal interest."

Into the Gray Zone: The Private Sector and Active Defense Against Cyber Threats (Project Report)

GWU Center for Cyber & Homeland Security

October 2016

The report places the current cyber threat in its larger strategic context and then assesses the role of private-sector active defense in addressing such threats. With this in mind, the report proposes a framework that defines the most prevalent active defense measures and places them along a spectrum of relative risk and impact, indicating where close coordination with the government becomes necessary for responsible private action. (86 pages)

Brief History of Law Enforcement Hacking in the United States

New America Foundation

September 2016

Understanding the history of government hacking is important in order to engage more people in the ongoing policy discussion. The paper focuses on a selection of illustrative historical cases, with the understanding that due to the secret nature of government investigations, only a fraction of the hacking that has taken place is known. This overview highlights major trends in investigative hacking and will hopefully foster more inquiries into these practices by policymakers and the public. (20 pages)

Predicting Cyber Attacks: A Study of the Successes and Failures of the Intelligence Community

Small Wars Journal

July 7, 2016

The article focuses on identifying the major successes and failures of analysis from the Intelligence Community (IC) to predict cyberattacks against the United States. The research goal is to break down the components of a good cyber defensive force into variables to clearly identify those failures and successes and their effects on the operational ability of the IC in cyberspace. (11 pages)

Tech for Jihad: Dissecting Jihadist's Digital Toolbox

Flashpoint

July 2016

The report attempts to catalog the 36 most noteworthy digital tools in common use by jihadists, and when they started using them. (13 pages)

Cyber Conflict: Prevention, Stability and Control

Carnegie Cyber Policy Initiative

July 2016

Only a few years ago, there were almost no norms globally accepted by governments on cybersecurity or cyber conflict. Even the United States, which had long pushed such norms, had publicly announced very few. The United States and a few other allies confirmed that laws of armed conflict (otherwise known as International Humanitarian Law or the "Geneva Convention") applied to cyberspace. Recently, this has changed with tremendous progress, so much so that 2015 was called the Year of Global Cyber Norms. (10 pages)

Combatting the Ransomware Blitzkrieg: The Only Defense is a Layered Defense, Layer One: Endpoint Security

The Institute for Critical Infrastructure Technology

April 2016

The brief contains an analysis of the need for endpoint security; vulnerable endpoints (users, personal computers, servers, mobile devices, specialized hardware, and cloud services); potentially vulnerable endpoints (SCADA/ICS, IoT devices, and cars); endpoint security; and selecting an endpoint security strategy. (27 pages)

Know Your Enemies 2.0: The Encyclopedia of the Most Prominent Hacktivists, Nation State, and Mercenary Hackers

The Institute for Critical Infrastructure Technology (ICIT)

February 2016

The report covers threat groups not by use of a particular ranking system, but by the dominant players categorized by geography. Zero days, malware, tool kits, exploit techniques, digital foot prints, and targets are covered in this encyclopedia. (81 pages)

Operationalizing Cybersecurity Due Diligence: A Transatlantic Comparative Case Study

South Carolina Law Review

January 12, 2016

"Although much work has been done on applying the law of warfare to cyberattacks, far less attention has been paid to defining a law of cyber peace applicable below the armed attack threshold. Among the most important unanswered questions is what exactly nations' due diligence obligations are to one another and to the private sector, as well as how these obligations should be translated into policy. In this article, we analyze how both the United States and the European Union are operationalizing the concept of cybersecurity due diligence, and then move on to investigate a menu of options presented to the European Parliament in November 2015 by the authors to further refine and apply this concept." (28 pages)

ISIS's OPSEC Manual Reveals How It Handles Cybersecurity

Wired

November 19, 2015

From the article, "So what exactly are ISIS attackers doing for OPSEC? It turns out ISIS has a 34-page guide to operational security, which offers some clues. [R]esearchers with the Combating Terrorism Center at West Point's military academy uncovered the manual and other related documents from ISIS forums and chat rooms."

2015 Annual Report to Congress

U.S.-China Economic and Security Review Commission

November 17, 2015

According to the commission, China causes increasing harm to the U.S. economy and security through two deliberate policies targeting the United States: (1) coordinated, government-backed theft of information from a wide variety of U.S.-based commercial enterprises and (2) widespread restrictions on content, standards, and commercial opportunities for U.S. businesses. Hackers working for the Chinese government—or with the government's support and encouragement—have infiltrated the computer networks of U.S. government agencies, contractors, and private companies, and stolen personal information and trade secrets. (See Chapter 1, Section 4: Commercial Cyber Espionage and Barriers to Digital Trade in China.) (631 pages)

Cyber Defense: An International View

U.S. Army War College Strategic Studies Institute

September 2015

The paper provides an overview of four different national approaches to cyber defense: those of Norway, Estonia, Germany, and Sweden. It also provides a guide for engaging with the relevant governmental and other organizations in each of these countries and compares and contrasts the advantages and drawbacks of each national approach. (65 pages)

Deep Web and the Darknet: A Look Inside the Internet's Massive Black Box

Woodrow Wilson International Center for Scholars

August 1, 2015

"This policy brief outlines what the Deep Web and Darknet are, how they are accessed, and why we should care about them. For policymakers, the continuing growth of the Deep Web in general and the accelerated expansion of the Darknet in particular pose new policy challenges. The response to these challenges may have profound implications for civil liberties, national security, and the global economy." (20 pages)

Cyber-Enabled Economic Warfare: An Evolving Challenge

Hudson Institute

August 2015

This monograph is divided into six chapters: one dissecting the U.S.'s use of cyber-enabled economic warfare; two providing analyses of cyber-enabled economic warfare threats posed to the United States by state and non-state actors; two offering case studies of emerging cyber-enabled economic warfare in two key sectors, financial services and critical infrastructure; and a concluding chapter that reviews key takeaways and next steps. (174 pages)

Russian Underground 2.0

Trend Micro (Forward Looking Threat Team)

July 28, 2015

The Russian underground is a mature ecosystem that covers all aspects of cybercriminal business activities and offers an increasingly professional underground infrastructure for the sale of malicious goods and services. This professionalization drives prices down, so that anyone without significant skill can cheaply buy whatever is needed to conduct criminal dealings. (41 pages)

Below the Surface: Exploring the Deep Web

Trend Micro

June 22, 2015

The research paper offers a look into the duality of the Deep Web—how its ability to protect anonymity can be used to communicate freely, away from censorship and law enforcement, or be used to expedite dubious or criminal pursuits. It also briefly touches on the Deep Web's impact, and offers a forecast on how it could evolve over the next few years. (48 pages)

Cybersecurity: Jihadism and the Internet

European Parliament Think Tank

May 18, 2015

"Since the beginning of the conflict in Syria in March 2011, the numbers of European citizens supporting or joining the ranks of ISIL/Da'esh have been growing steadily, and may now be as high as 4,000 individuals. At the same time, the possible avenues for radicalisation are multiplying and the risks of domestic terrorism increasing. The proliferation of global jihadi messaging online and their reliance on social networks suggest that the Internet is increasingly a tool for promoting jihadist ideology, collecting funds, and mobilizing their ranks." (2 pages)

APT30 and the Mechanics of a Long-Running Cyber-Espionage Operation: How a Cyber Threat Group Exploited Governments and Commercial Entities Across Southeast Asia and India for Over a Decade

FireEye

April 2015

According to FireEye, a Chinese government hacking team has used the same basic set of tools to spy on Southeast Asian and Indian dignitaries for a decade, demonstrating the low level of cyber defenses protecting government information across broad swaths of the world. The fact that this group, APT30, has been able to use the same basic set of malware tools against government networks since at least 2005 suggests its targets either remained unaware for more than a decade that they were being spied on or were incapable of countering the threat. (70 pages)

Worldwide Threat Assessment of the U.S. Intelligence Community

Office of the Director of National Intelligence (ODNI)

February 26, 2015

Cybersecurity is the first threat listed in this annual review of worldwide threats to the United States. Despite ever-improving network defenses, the diverse possibilities for remote hacking intrusions, supply chain operations to insert compromised hardware or software, and malevolent activities by human insiders will hold nearly all ICT systems at risk for years to come. Moreover, the risk calculus employed by some private-sector entities reportedly does not adequately account for foreign cyber threats or the systemic interdependencies between different critical infrastructure sectors. (29 pages)

The Impact of the Dark Web on Internet Governance and Cyber Security

Global Commission on Internet Governance

February 2015

The Dark Web is a part of the Deep Web that has been intentionally hidden and is inaccessible through standard web browsers. The Deep Web has the potential to host an increasingly high number of malicious services and activities. To formulate comprehensive strategies and policies for governing the Internet, it is important to consider insights on its farthest reaches—the Deep Web and, more importantly, the Dark Web. The paper attempts to provide a broader understanding of the Dark Web and its impact on people's lives. (18 pages)

Attributing Cyber Attacks

Thomas Rid and Ben Buchanan, Journal of Strategic Studies

December 23, 2014

The authors introduce the Q Model, designed to explain, guide, and improve the making of attribution judgments. Matching an offender to an offense is an exercise in minimizing uncertainty on three levels: (1) tactically, attribution is an art as well as a science; (2) operationally, attribution is a nuanced process, not a black-and-white problem; and (3) strategically, attribution is a function of what is at stake politically. Successful attribution requires a range of skills on all levels, careful management, time, leadership, stress-testing, prudent communication, and recognition of limitations and challenges. (36 pages)

Operation Cleaver

Cylance

December 2, 2014

A sophisticated hacking group with ties to Iran has probed and infiltrated targets across the United States and 15 other nations during the past two years in a series of cyberattacks dubbed "Operation Cleaver." The Cleaver group has evolved faster than any previous Iranian campaign, according to the report, which calls Iran "the new China" and expresses concern that the group's surveillance operations could evolve into sophisticated, destructive attacks. (86 pages)

Legal Issues Related to Cyber

NATO Legal Gazette

December 2014

The NATO Legal Gazette contains thematically organized articles usually written by military or civilian legal personnel working at NATO or in the governments of NATO and partner nations. Its purpose is to share articles of significance for the large NATO legal community and connect legal professionals of the Alliance. It is not a formal NATO document. (74 pages)

The National Intelligence Strategy of the United States of America 2014

Office of the Director of National Intelligence (ODNI)

September 18, 2014

Cyber intelligence is one of four "primary topical missions" the intelligence community must accomplish. Both state and non-state actors use digital technologies to achieve goals, such as fomenting instability or achieving economic and military advantages. They do so "often faster than our ability to understand the security implications and mitigate potential risks." To become more effective in the cyber arena, the intelligence community reportedly must improve its ability to correctly attribute attacks. (24 pages)

Today's Rising Terrorist Threat and the Danger to the United States: Reflections on the Tenth Anniversary of the 9/11 Commission Report

The Annenberg Public Policy Center and the Bipartisan Policy Center

July 22, 2014

Members of the panel that studied the 2001 attacks urge Congress to enact cybersecurity legislation, the White House to communicate the consequences of potential cyberattacks to Americans, and leaders to work with allies to define what constitutes an online attack on another country. (48 pages)

Surviving on a Diet of Poisoned Fruit: Reducing the National Security Risks of America's Cyber Dependencies

Center for a New American Security

July 2014

The report examines existing information on technology security weaknesses and provides nine specific recommendations for the U.S. government and others to cope with these insecurities. (64 pages)

M-Trends 2014: Beyond the Breach

(Requires registration to download)

Mandiant

April 2014

Cyber-threat actors are expanding the uses of computer network exploitation to fulfill an array of objectives, from the economic to the political. Threat actors are not only interested in seizing the corporate "crown jewels" but are also looking for ways to publicize their views, cause physical destruction, and influence global decisionmakers. Private organizations have increasingly become collateral damage in political conflicts. Reportedly with no diplomatic solution in sight, the ability to detect and respond to attacks has never been more important. (28 pages)

Emerging Cyber Threats Report 2014

Georgia Institute of Technology

January 2014

Brief compilation of academic research on losing control of cloud data, insecure but connected devices, attackers adapting to mobile ecosystems, the high costs of defending against cyberattacks, and advances in information manipulation. (16 pages)

Cybersecurity and Cyberwar: What Everyone Needs to Know

Brookings Institution

January 2014

Authors Peter W. Singer and Allan Friedman look at cybersecurity issues faced by the military, government, businesses, and individuals and examine what happens when these entities try to balance security with freedom of speech and the ideals of an open Internet. (306 pages)

W32.Duqu: The Precursor to the Next Stuxnet

Symantec

November 14, 2013

On October 14, 2011, a research lab with strong international connections alerted Symantec to a sample that appeared to be very similar to Stuxnet, the malware that wreaked havoc in Iran's nuclear centrifuge farms. The lab named the threat Duqu because it creates files with the file name prefix DQ. The research lab provided Symantec with samples recovered from computer systems located in Europe as well as a detailed report with initial findings, including analysis comparing the threat to Stuxnet.

To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve

The Langner Group

November 2013

The report summarizes the most comprehensive research on the Stuxnet malware so far. It combines results from reverse engineering the attack code with intelligence on the design of the attacked plant and background information on the attacked uranium enrichment process. It looks at the attack vectors of the two different payloads contained in the malware and provides an analysis of the bigger and much more complex payload that was designed to damage centrifuge rotors by overpressure. (36 pages)

Strategies for Resolving the Cyber Attribution Challenge

Air University, Maxwell Air Force Base

May 2013

Private-sector reports have shown that it is possible to determine the geographic origin of threat actors to varying degrees. Based on this premise, the paper argues that nation-states, rather than individuals, should be held culpable for the malicious actions and other cyber threats that originate in or transit information systems within their borders or that are owned by their registered corporate entities. The work builds on other arguments for state responsibility in cyberspace. (109 pages)

Role of Counterterrorism Law in Shaping 'ad Bellum' Norms for Cyber Warfare

International Law Studies (U.S. Naval War College)

April 1, 2013

"To date there has been little attention given to the possibility that international law generally and counterterrorism law in particular could and should develop a subset of cyber-counterterrorism law to respond to the inevitability of cyberattacks by terrorists and the use of cyber weapons by governments against terrorists, and to supplement existing international law governing cyber war where the intrusions do not meet the traditional kinetic thresholds." (42 pages)

The Tallinn Manual on the International Law Applicable to Cyber Warfare

Cambridge University Press/ NATO Cooperative Cyber Defence Center of Excellence

March 5, 2013

The Tallinn Manual identifies the international law applicable to cyber warfare and sets out 95 "black-letter rules" governing such conflicts. An extensive commentary accompanies each rule, which sets forth the rule's basis in treaty and customary law, explains how the group of experts interpreted applicable norms in the cyber context, and outlines any disagreements within the group as to the rule's application. (Note: The manual is not an official NATO publication but rather an expression of opinions of a group of independent experts acting solely in their personal capacities.) (302 pages)

Cyberterrorism: A Survey of Researchers

Swansea University

March 2013

The report provides an overview of findings from a project designed to capture current understandings of cyberterrorism within the research community. The project ran between June 2012 and November 2012, and it employed a questionnaire that was distributed to more than 600 researchers, authors, and other experts. A total of 118 responses were received from individuals working in 24 countries across six continents. (21 pages)

National Level Exercise 2012: Quick Look Report

Federal Emergency Management Agency (FEMA)

March 2013

National Level Exercise (NLE) 2012 was a series of exercise events that examined the ability of the United States to execute a coordinated response to a series of significant cyber incidents. The NLE 2012 series focused on examining four major themes: planning and implementation of the draft National Cyber Incident Response Plan (NCIRP), coordination among governmental entities, information sharing, and decision making. (22 pages)

Responding to Cyber Attacks and the Applicability of Existing International Law

Army War College

January 2013

The paper identifies how the United States should respond to the threat of cyber operations against essential government and private networks. First, it examines the applicability of established international law to cyber operations. Next, it proposes a method for categorizing cyber operations across a spectrum synchronized with established international law. Then, it discusses actions already taken by the United States to protect critical government and private networks and concludes with additional steps the United States should take to respond to the threat of cyber operations. (34 pages)

Crisis and Escalation in Cyberspace

RAND Corporation

December 2012

The report considers how the Air Force should integrate kinetic and nonkinetic operations. Central to this process was careful consideration of how escalation options and risks should be treated, which, in turn, demanded a broader consideration across the entire crisis-management spectrum. Such crises can be managed by taking steps to reduce the incentives for other states to step into crisis, controlling the narrative, understanding the stability parameters of the crises, and trying to manage escalation if conflicts arise from crises. (200 pages)

Cyberattacks Among Rivals: 2001-2011 (from the article "The Fog of Cyberwar" by Brandon Valeriano and Ryan Maness)

Foreign Affairs

November 21, 2012

A chart showing cyberattacks by initiator and victim, 2001-2011. (Subscription required.)

Proactive Defense for Evolving Cyber Threats

Sandia National Labs

November 2012

The project applied rigorous predictability-based analytics to two central and complementary aspects of the network defense problem—attack strategies of the adversaries and vulnerabilities of the defenders' systems—and used the results to develop a scientifically grounded, practically implementable methodology for designing proactive cyber defense systems. (98 pages)

Safeguarding Cyber-Security, Fighting in Cyberspace

International Relations and Security Network (ISN)

October 22, 2012

Looks at the militarization of cybersecurity as a source of global tension and makes the case that cyber warfare is already an essential feature of many leading states' strategic calculations, followed by its opposite (i.e., the case that the threat posed by cyber warfare capabilities is woefully overstated).

Before We Knew It: An Empirical Study of Zero-Day Attacks In The Real World

Symantec Research Labs

October 16, 2012

The paper describes a method for automatically identifying zero-day attacks from field-gathered data that records when benign and malicious binaries are downloaded on 11 million real hosts around the world. Searching this data set for malicious files that exploit known vulnerabilities indicates which files appeared on the Internet before the corresponding vulnerabilities were disclosed. (12 pages)
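The method summarized above, as an added worked example (not code from the Symantec paper): field telemetry records the date a binary first appeared on each host, antivirus labels say which binaries exploit which vulnerability, and a disclosure date is known for each vulnerability. A binary whose earliest observed download predates the disclosure of the vulnerability it exploits is a zero-day attack, and the gap is the length of the zero-day window. All host IDs, file labels, vulnerability IDs, and dates here are constructed for illustration, not drawn from the paper's data set.

```python
from datetime import date
from collections import defaultdict

# Constructed telemetry: (host_id, file_label, date the binary was first seen on that host).
# In the paper this comes from a reputation system covering millions of hosts; here it is
# a handful of hypothetical records.
DOWNLOADS = [
    ("host-01", "exploit_a.dll", date(2011, 4, 15)),
    ("host-02", "exploit_a.dll", date(2011, 5, 2)),
    ("host-03", "exploit_a.dll", date(2011, 10, 1)),   # post-disclosure copy of the same file
    ("host-04", "exploit_b.exe", date(2012, 3, 3)),
    ("host-05", "exploit_c.pdf", date(2012, 6, 20)),   # seen on the disclosure day itself
    ("host-06", "benign_tool.exe", date(2012, 1, 9)),  # not an exploit, must be ignored
]

# Constructed AV labelling: which file exploits which vulnerability (hypothetical IDs).
EXPLOIT_TARGETS = {
    "exploit_a.dll": "VULN-2011-A",
    "exploit_b.exe": "VULN-2012-B",
    "exploit_c.pdf": "VULN-2012-C",
}

# Constructed public disclosure dates for those vulnerabilities.
DISCLOSURE_DATES = {
    "VULN-2011-A": date(2011, 9, 1),
    "VULN-2012-B": date(2012, 2, 10),
    "VULN-2012-C": date(2012, 6, 20),
}


def first_seen_by_file(downloads):
    """Collapse per-host records into (earliest first-seen date, number of hosts) per file."""
    earliest = {}
    hosts = defaultdict(set)
    for host_id, file_label, seen in downloads:
        hosts[file_label].add(host_id)
        if file_label not in earliest or seen < earliest[file_label]:
            earliest[file_label] = seen
    return {f: (earliest[f], len(hosts[f])) for f in earliest}


def find_zero_day_attacks(downloads, exploit_targets, disclosure_dates):
    """Return exploit files whose earliest sighting strictly predates disclosure.

    Each result records the vulnerability, the file, both dates, the length of the
    zero-day window in days, and how many hosts received the file overall.
    Files with no exploit label, or exploits first seen on or after disclosure,
    are not zero-day attacks and are left out.
    """
    results = []
    for file_label, (seen, host_count) in first_seen_by_file(downloads).items():
        vuln = exploit_targets.get(file_label)
        if vuln is None or vuln not in disclosure_dates:
            continue
        disclosed = disclosure_dates[vuln]
        if seen >= disclosed:
            continue  # exploitation after (or on) disclosure is not a zero-day
        results.append({
            "vulnerability": vuln,
            "file": file_label,
            "first_seen": seen,
            "disclosed": disclosed,
            "days_before_disclosure": (disclosed - seen).days,
            "hosts": host_count,
        })
    # Longest-lived zero-day first.
    return sorted(results, key=lambda r: r["days_before_disclosure"], reverse=True)


if __name__ == "__main__":
    for r in find_zero_day_attacks(DOWNLOADS, EXPLOIT_TARGETS, DISCLOSURE_DATES):
        print(f'{r["vulnerability"]}: {r["file"]} first seen {r["first_seen"]}, '
              f'disclosed {r["disclosed"]} ({r["days_before_disclosure"]} days), '
              f'{r["hosts"]} hosts')
```

The comparison is strict (`seen >= disclosed` is excluded), so a file that appears on the disclosure day is counted as post-disclosure; in real telemetry the first-seen date should also be checked against host clock skew before trusting a very long window.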

Federal Support for and Involvement in State and Local Fusion Centers

Senate Permanent Subcommittee on Investigations

October 3, 2012

A two-year bipartisan investigation found that U.S. Department of Homeland Security efforts to engage state and local intelligence "fusion centers" have not yielded significant useful information to support federal counterterrorism intelligence efforts. In Section VI, "Fusion Centers Have Been Unable to Meaningfully Contribute to Federal Counterterrorism Efforts," Part G, "Fusion Centers May Have Hindered, Not Aided, Federal Counterterrorism Efforts," the report discusses the November 10, 2011 Russian "cyberattack" in Illinois. (141 pages)

Putting the "War" in Cyberwar: Metaphor, Analogy, and Cybersecurity Discourse in the United States

First Monday

July 2, 2012

The essay argues that current contradictory tendencies within U.S. cyber war discourse are unproductive and even potentially dangerous. It argues that the war metaphor and nuclear deterrence analogy are neither natural nor inevitable and that abandoning them would open up new possibilities for thinking more productively about the full spectrum of cybersecurity challenges, including the as-yet unrealized possibility of cyberwar.

Nodes and Codes: The Reality of Cyber Warfare

U.S. Army School of Advanced Military Studies, Command and General Staff College

May 17, 2012

Explores the reality of cyber warfare through the story of Stuxnet. Three case studies evaluate cyber policy, discourse, and procurement in the United States, Russia, and China before and after Stuxnet to illustrate their similar, yet unique, realities of cyber warfare. (62 pages)

United States Counter Terrorism Cyber Law and Policy, Enabling or Disabling?

Triangle Institute for Security Studies

March 2012

The incongruence between national counterterrorism (CT) cyber policy, law, and strategy degrades the abilities of federal CT professionals to interdict transnational terrorists from within cyberspace. To optimize national CT assets and to stymie the growing threat posed by terrorists' ever-expanding use of cyberspace, national decision-makers should modify current policies to efficiently execute national CT strategies, albeit within the framework of existing CT cyber-related statutes. (34 pages)

A Cyberworm that Knows No Boundaries

RAND Corporation

December 21, 2011

Stuxnet-like worms pose a serious threat even to infrastructure and computer systems that are not connected to the Internet. Defending against such attacks is an increasingly complex prospect. (55 pages)

Department of Defense Cyberspace Policy Report: A Report to Congress Pursuant to the National Defense Authorization Act for Fiscal Year 2011, Section 934

DOD

November 2011

"When warranted, we will respond to hostile attacks in cyberspace as we would to any other threat to our country. We reserve the right to use all necessary means - diplomatic, informational, military, and economic - to defend our nation, our allies, our partners and our interests." (14 pages)

Cyber War Will Not Take Place

Thomas Rid, Journal of Strategic Studies

October 5, 2011

The paper argues that cyber warfare has never taken place, is not currently taking place, and is unlikely to take place in the future. (29 pages)

Foreign Spies Stealing U.S. Economic Secrets in Cyberspace: Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011

Office of the National Counterintelligence Executive

October 2011

Because the United States is a leader in the development of new technologies and a central player in global financial and trade networks, foreign attempts to collect U.S. technological and economic information will continue at a high level and will represent a growing and persistent threat to U.S. economic security. The nature of the cyber threat will evolve with continuing technological advances in the global information environment. (31 pages)

A Four-Day Dive Into Stuxnet's Heart

Threat Level Blog (Wired)

December 27, 2010

"It is a mark of the extreme oddity of the Stuxnet computer worm that Microsoft's Windows vulnerability team learned of it first from an obscure Belarusian security company that even they had never heard of."

Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant? A Preliminary Assessment

Institute for Science and International Security

December 22, 2010

The report indicates that commands in the Stuxnet code intended to increase the frequency of devices targeted by the malware exactly match several frequencies at which rotors in centrifuges at Iran's Natanz enrichment plant are designed to operate optimally or are at risk of breaking down and flying apart. (10 pages)

Stuxnet Analysis

European Network and Information Security Agency

October 7, 2010

A European Union cybersecurity agency warns that the Stuxnet malware is a game changer for critical information infrastructure protection. Supervisory control and data acquisition (SCADA) systems infected with the worm might be programmed to establish destructive over- or under-pressure conditions by running industrial pumps at different frequencies.

Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy

National Research Council

October 5, 2010

Per request of the Office of the Director of National Intelligence, the National Research Council undertook a two-phase project aimed to foster a broad, multidisciplinary examination of strategies for deterring cyberattacks on the United States and of the possible utility of these strategies for the U.S. government. (400 pages)

Cyber Warfare: Armageddon in a Teacup?

Army Command and General Staff, Fort Leavenworth

December 11, 2009

This study examines cyber warfare conducted against Estonia in 2007, Georgia in 2008, and Israel in 2008. According to the report, "In all three cases cyber warfare did not achieve strategic political objectives on its own. Cyber warfare employed in the three cases consisted mainly of Denial of Service attacks and website defacement. These attacks were a significant inconvenience to the affected nations, but the attacks were not of sufficient scope, sophistication, or duration to force a concession from the targeted nation. Cyber warfare offensive capability does not outmatch defensive capability to the extent that would allow the achievement of a strategic political objective through cyber warfare alone. The possibility of strategic-level cyber warfare remains great, but the capability has not been demonstrated at this time." (106 pages)

Source: Highlights compiled by CRS from the reports.

Notes: Page counts are for documents; other cited resources are webpages.

Table 3. The Internet of Things (IoT), Smart Cities, Cloud Computing, and FedRAMP

Title

Source

Date

Notes

About FedRAMP

FedRAMP.gov

Continuously Updated

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

Internet of Things Consortium

Internet of Things Consortium

Continuously Updated

IoTC is composed of hardware, software, and analytics companies, in areas including home automation, wearables, connected cars, smart cities, 3D printing, and virtual/augmented reality. On behalf of its members, the IoTC is dedicated to the growth of the Internet of Things marketplace and the development of sustainable business models. The IoTC educates technology firms, retailers, insurance companies, marketers, media companies, and the wider business community about the value of IoT.

Cyber-Physical Systems

National Science Foundation (NSF)

Continuously Updated

Cyber-physical systems (CPS) integrate sensing, computation, control, and networking into physical objects and infrastructure, connecting them to the Internet and to each other.

Cyber-Physical Systems (NITRD Coordination Areas)

Office of Science and Technology Policy (OSTP), Networking and Information Technology Research and Development (NITRD) Program

Continuously Updated

The CPS Senior Steering Group (SSG) is to coordinate programs, budgets, and policy recommendations for CPS research and development (R&D), which includes identifying and integrating requirements, conducting joint program planning, and developing joint strategies.

Cyber-Physical Systems

University of California, Berkeley

Continuously Updated

"CPS are integrations of computation, networking, and physical processes. Embedded computers and networks monitor and control the physical processes, with feedback loops where physical processes affect computations and vice versa."

Newly Launched 'Trusted IoT Alliance' Unites the Industry to Further a Blockchain-based Internet of Things

Medium

September 19, 2017

The mission of the Trusted IoT Alliance is to bring companies together to develop and set the standard for an open source blockchain protocol to support IoT technology in major industries worldwide. The Alliance plans to fund small grants to support open source development and is reviewing proposals from IoT and blockchain technologists.

Internet of Things: Enhanced Assessments and Guidance Are Needed to Address Security Risks in DOD

GAO

July 27, 2017

Congress included provisions in reports associated with two separate statutes for GAO to assess the IoT-associated security challenges faced by DOD. This report (1) addresses the extent to which DOD has identified and assessed security risks related to IoT devices, (2) assesses the extent to which DOD has developed policies and guidance related to IoT devices, and (3) describes other actions DOD has taken to address security risks related to IoT devices. (46 pages)

Internet of Things: Communities Deploy Projects by Combining Federal Support with Other Funds and Expertise

GAO

July 26, 2017

All four of the communities that GAO reviewed are using federal funds in combination with other resources, both financial and non-financial, to plan and deploy IoT projects. For example, one community used the $40 million DOT award to leverage, from community partners, more than $100 million in additional direct and in-kind contributions, such as research or equipment contributions. Communities discussed four main challenges to deploying IoT, including community sectors (e.g., transportation, energy, and public safety) that are siloed and proprietary systems that are not interoperable with one another. (45 pages)

The Internet of Things Connectivity Binge: What Are the Implications?

Pew Research Center

June 6, 2017

As automobiles, medical devices, smart TVs, manufacturing equipment, and other tools and infrastructure are networked, is it likely that attacks, hacks, or ransomware concerns in the next decade will cause significant numbers of people to decide to disconnect, or will the trend toward greater connectivity of objects and people continue unabated? Some 1,201 industry experts responded to this nonscientific canvassing: 15% of these particular respondents said significant numbers would disconnect and 85% chose the option that most people will move more deeply into connected life. (94 pages)

Technology Assessment: Internet of Things: Status and Implications of an Increasingly Connected World

GAO

May 15, 2017

GAO reviewed key reports and scientific literature; convened two expert meetings with the assistance of the National Academies; and interviewed officials from two agencies to obtain their views on specific implications of the IoT. (78 pages)

IoT, Automation, Autonomy, and Megacities in 2025

Center for Strategic & International Studies

April 26, 2017

Engineers designing and implementing Internet-connected IoT devices face daunting challenges that are creating discomfort with what they see evolving in their infrastructures. This paper brings their concerns to life by extrapolating from present trends to describe plausible future crises playing out in multiple global cities within 10 years. Much of what occurs in the scenarios is fully possible today. This paper attempts to reveal what is possible when these technologies are applied to critical infrastructure applications en masse, without adequate security, in densely populated cities of the near future that are less resilient than other environments. (16 pages)

The Cyber Shield Act: Is the Legislative Community Finally Listening to Cybersecurity Experts?

Institute for Critical Infrastructure Technology

April 2017

There are three main criteria to ensure a Cyber Shield program works. First, officials must ensure industry leaders are involved in developing the ratings but not leading the team. Second, the program should include a substantial public education component aimed at making consumers care enough about cybersecurity that the rankings actually change their buying decisions. Finally, the rankings themselves should go beyond a mere one-star to five-star ranking to incorporate more dynamic data. (8 pages)

A 21st Century Cyber-Physical Systems Education

National Academy of Sciences Computer Science and Telecommunications Board

February 2017

The report describes the knowledge and skills required to engineer increasingly capable, adaptable, and trustworthy systems that integrate the cyber and physical worlds and recommends paths for creating the courses and programs needed to educate the engineering workforce that builds them. (107 pages)

A Data Privacy Playbook

Berkman Klein Center (Harvard)

February 2017

Opening data has many important benefits, but sharing data comes with inherent risks to individual privacy: released data can reveal information about individuals that would otherwise not be public knowledge. The document takes a first step toward codifying responsible privacy-protective approaches and processes that could be adopted by cities and other groups that are publicly releasing data. (111 pages)

Cross-Device Tracking: An FTC Staff Report

FTC

January 23, 2017

The report describes the technology used to track consumers across multiple Internet-connected devices, the benefits and challenges associated with it, and industry efforts to address those challenges. The report concludes by making recommendations to industry about how to apply traditional principles like transparency, choice, and security to this relatively new practice. (23 pages)

Rise of the Machines: the Dyn Attack Was Just a Practice Run

Institute for Critical Infrastructure Technology

December 2016

The Mirai IoT botnet has inspired a renaissance in adversarial interest in DDoS botnet innovation based on the lack of fundamental security-by-design in the Internet and in IoT devices... The report provides a comprehensive and detailed analysis of this threat which has forced stakeholders to recognize the lack of security by design and the prevalence of vulnerabilities inherent in the foundational design of IoT devices. (62 pages)

Internet of Things Will Demand a Step-change in Search Solutions

IEEE Intelligent Systems

November 23, 2016

With more and more IoT devices being connected to the Internet, and smart city data projects starting to be implemented, there is an urgent need to develop new search solutions that will allow information from IoT sources to be found and extracted. Although existing search engines have ever more sophisticated and effective ways of crawling through web pages and searching for textual data, the article argues that they will not be effective in accessing the type of numerical and sensory data that IoT devices will need to gather. (5 pages)

Internet of Things (IoT) Security and Privacy Recommendations

Broadband Internet Technical Advisory Group (BITAG)

November 22, 2016

BITAG believes the recommendations outlined in this report may help to dramatically improve the security and privacy of IoT devices and minimize the costs associated with collateral damage. In addition, unless the IoT device sector—the sector of the industry that manufactures and distributes these devices—improves device security and privacy, consumer backlash may impede the growth of the IoT marketplace and ultimately limit the promise that IoT holds. (43 pages)

Strategic Principles for Securing the Internet of Things

DHS

November 15, 2016

The document explains IoT risks and provides a set of nonbinding principles and suggested best practices to build toward a responsible level of security for the devices and systems businesses design, manufacture, own, and operate. (17 pages)

Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems

NIST

November 2016

NIST formally unveiled its guidelines for increasing the security of Internet-connected devices. The guide provides security guidelines for 30 different processes involved in engineering and managing Internet-connected systems, from the supply phase through testing. (257 pages)

Building Smart Communities for the Future: Proceedings of a Workshop

National Academies Press

October 2016

Summary of presentations at the June 21-22, 2016, Government-University-Industry Research Roundtable (GUIRR) meeting to explore the role of connectedness and sustainability in developing smart communities; the challenges and opportunities associated with the roll-out of intelligent systems; and the partnerships among governments, universities, and industry that are integral to these advances. (8 pages)

Announcing Over $80 million in New Federal Investment and a Doubling of Participating Communities in the White House Smart Cities Initiative

White House

September 26, 2016

In September 2015, the White House launched the Smart Cities Initiative to make it easier for cities, federal agencies, universities, and the private sector to work together to research, develop, deploy, and testbed new technologies that can help make our cities more inhabitable, cleaner, and more equitable. This year, to kick off Smart Cities Week, the Administration is expanding this initiative, with over $80 million in new federal investments and a doubling of the number of participating cities and communities, exceeding 70 in total.

Demystifying the Internet of Things

NIST Information Technology Laboratory (ITL) Bulletin

September 2016

NIST SP 800-183 offers an underlying and foundational science for IoT-based technologies, built on the realization that IoT involves sensing, computing, communication, and actuation. It presents a common vocabulary to foster a better understanding of IoT and better communication between parties discussing IoT. (4 pages)

Increasing the Potential of IoT through Security and Transparency

National Telecommunications and Information Administration (NTIA)

August 2, 2016

NTIA is planning to launch a new multistakeholder process to support better consumer understanding of IoT products that support security upgrades. It has used this approach to help make progress on issues such as cybersecurity vulnerability disclosure and to provide more transparency about data collected by mobile apps. Given the burgeoning consumer adoption of IoT, the time seems ripe to bring stakeholders together to help drive guidelines that encourage the growth of IoT.

Network of 'Things'

NIST

July 28, 2016

The publication provides a basic model aimed at helping researchers better understand IoT and its security challenges. (30 pages)

How Is the Federal Government Using the Internet of Things?

Center for Data Innovation

July 25, 2016

The federal government faces a number of challenges that have slowed the adoption of IoT in the public sector. First, there is a lack of strategic leadership at the federal level about how to make use of IoT. Second, federal agencies do not always have workers with the necessary technical skills to effectively use data generated by IoT. Third, federal agencies do not have sufficient funding to modernize their IT infrastructure and begin implementing IoT pilot projects. Fourth, even when funding exists, federal procurement policies often make it difficult for agencies to quickly and easily adopt the technology. Finally, risks and uncertainty—about privacy, security, interoperability, and return on investment—delay federal adoption as potential federal users wait for the technology to mature and others to adopt first. (30 pages)

FedRAMP High Baseline

General Services Administration (GSA)

June 17, 2016

GSA released a draft of security-control requirements for cloud computing systems purchased by federal agencies for "high-impact" uses. High-impact data will likely consist of health and law-enforcement data, but not classified information. Currently, cloud computing vendors seeking to sell to federal agencies must obtain security accreditation through FedRAMP. To date, FedRAMP has offered accreditations up to the moderate-impact level. About 80% of federal IT systems are low- or moderate-impact.

FTC Bureau of Consumer Protection and Office of Policy Planning

June 2, 2016

FTC staff comment on NTIA's Request for Comment on the Internet of Things. The comment highlights lessons learned from the FTC's law enforcement, consumer and business education, and policy activities relating to these issues. It then addresses the benefits and risks of IoT, highlights some best practice recommendations for industry, discusses the role of government in fostering innovation in IoT products and services, and sets forth some considerations for NTIA in setting standards and promoting interoperability. (17 pages)

Cloud Computing: Agencies Need to Incorporate Key Practices to Ensure Effective Performance

GAO

April 7, 2016

GAO was asked to examine federal agencies' use of Service Level Agreements (SLAs). GAO's objectives were to (1) identify key practices in cloud computing SLAs and (2) determine the extent to which federal agencies have incorporated such practices into their SLAs. GAO analyzed research, studies, and guidance developed by federal and private entities to establish a list of key practices to be included in SLAs. GAO validated its list with the entities, including OMB, and analyzed 21 cloud service contracts and related documents of five agencies (with the largest fiscal year 2015 IT budgets) against the key practices to identify any variances, their causes, and impacts. (46 pages)

The Benefits, Challenges, and Potential Roles for the Government in Fostering the Advancement of the Internet of Things

NTIA

April 6, 2016

NTIA is initiating an inquiry regarding IoT to review the current technological and policy landscape. Through this notice, NTIA seeks broad input from all interested stakeholders—including private industry, researchers, academia, and civil society—on the potential benefits and challenges of these technologies and what role, if any, the U.S. government should play in this area. After analyzing the comments, the department intends to issue a "green paper" that identifies key issues impacting deployment of these technologies, highlights potential benefits and challenges, and identifies possible roles for the federal government in fostering the advancement of IoT technologies in partnership with the private sector. (5 pages)

Product Testing and Validation

Cybersecurity Assurance Program

Underwriters Laboratories

April 4, 2016

The UL Cybersecurity Assurance Program (CAP) certification verifies that a product offers a reasonable level of protection against threats that may result in unintended or unauthorized access, change or disruption.... The [UL 2900] Standard contains requirements for the vendor to design the security controls in such a way that they demonstrably satisfy the security needs of the product. The Standard also describes testing and verification requirements aimed at collecting evidence that the designed security controls are implemented.

Alternative perspectives on the Internet of Things

Brookings Institution

March 25, 2016

Brookings scholars contribute their individual perspectives on the policy challenges and opportunities associated with IoT.

Emerging Cyber Threats Report 2016

Georgia Institute of Technology Cybersecurity Summit 2015

November 2015

"The intersection of the physical and digital world continued to deepen in 2015. The adoption of network-connected devices and sensors—the Internet of Things—accelerated and was expected to reach nearly 5 billion devices by the end of the year." (20 pages)

Interim Report on 21st Century Cyber-Physical Systems Education

NSF

July 2015

"CPS [also known as The Internet of Things] are increasingly relied on to provide the functionality and value to products, systems, and infrastructure in sectors including transportation, health care, manufacturing, and electrical power generation and distribution. CPS are smart, networked systems with embedded sensors, computer processors, and actuators that sense and interact with the physical world; support real-time, guaranteed performance; and are often found in critical applications." (48 pages)

Internet of Things: Mapping the Value Beyond the Hype

McKinsey Global Institute

June 2015

The paper is based upon a study of more than 100 use cases of the Internet of Things' (IoT's) potential economic impact within the next 10 years. It outlines who will benefit and by how much. It also covers the factors—both enablers and barriers—that organizations face as they develop their IoT solutions. (144 pages)

Cloud Computing: Should Companies Do Most of Their Computing in the Cloud?

The Economist

May 26, 2015

Big companies have embraced the cloud more slowly than expected. Some are holding back because of costs and others are wary of entrusting sensitive data to another firm's servers. Should companies be doing most of their computing in the cloud? Representing the "Yes" viewpoint is Simon Crosby, co-founder and chief technology officer (CTO) of Bromium Inc. Representing the "No" viewpoint is Bruce Schneier, CTO at Resilient Systems.

Formation of the Office of Technology Research and Investigation (OTRI)

FTC

March 23, 2015

The OTRI will provide expert research, investigative techniques, and further insights to the agency on technology issues involving all facets of the FTC's consumer protection mission, including privacy, data security, connected cars, smart homes, algorithmic transparency, emerging payment methods, big data, and IoT. Like the former Mobile Technology Unit (MTU), the new office will be housed in the Bureau of Consumer Protection and is the agency's latest effort to ensure that its core consumer protection mission keeps pace with the rapidly evolving digital economy. Kristin Cohen, the current chief of the MTU, will lead the work of the OTRI.

Insecurity in the Internet of Things (IoT)

Symantec

March 12, 2015

Symantec analyzed 50 smart home devices available today and found that none of them enforced strong passwords, used mutual authentication, or protected accounts against brute-force attacks. Of the mobile apps used to control the tested IoT devices, almost two out of 10 did not use Secure Sockets Layer (SSL) to encrypt communications to the cloud. The tested IoT technology also contained many common vulnerabilities. (20 pages)

FedRAMP High Baseline

General Services Administration (GSA)

February 3, 2015

GSA released a draft of security-control requirements for cloud computing systems purchased by federal agencies for "high-impact" uses. High-impact data will likely consist of health and law-enforcement data, but not classified information. Currently, cloud computing vendors seeking to sell to federal agencies must obtain security accreditation through FedRAMP. To date, FedRAMP has offered accreditations up to the moderate-impact level. About 80% of federal IT systems are low- or moderate-impact.

What is The Internet of Things?

O'Reilly Media

January 2015

Ubiquitous connectivity is meeting the era of data. Since working with large quantities of data became dramatically cheaper and easier a few years ago, everything that touches software has become instrumented and optimized. Finance, advertising, retail, logistics, academia, and practically every other discipline has sought to measure, model, and tweak its way to efficiency. Software can ingest data from many inputs, interpret it, and then issue commands in real time. (Free registration required.) (32 pages)

FedRAMP Forward: 2 Year Priorities

General Services Administration (GSA)

December 17, 2014

The report addresses how the program will develop over the next two years. GSA is focusing on three goals for FedRAMP:

  • increased compliance and agency participation,
  • improved efficiencies, and
  • continued adaptation. (14 pages)

The Internet of Things: 2014 OECD Tech Insight Forum

OECD

December 11, 2014

The IoT extends Internet connectivity beyond traditional machines such as computers, smartphones, and tablets to a diverse range of everyday devices that use embedded technology to interact with the environment, all via the Internet. How can this collected data be used? What new opportunities will this create for employment and economic growth? How can societies benefit from technical developments to health, transport, safety and security, business, and public services? The OECD Technology Foresight Forum facilitated discussion on what policies and practices will enable or inhibit the ability of economies to seize the benefits of IoT.

DOD Cloud Computing Strategy Needs Implementation Plan and Detailed Waiver Process

DOD Inspector General

December 4, 2014

Report states that the DOD chief information officer "did not develop an implementation plan that assigned roles and responsibilities as well as associated tasks, resources, and milestones," despite promises that an implementation plan would directly follow the cloud strategy's release. (40 pages)

NSTAC Report to the President on the Internet of Things

President's National Security Telecommunications Advisory Committee

November 18, 2014

The NSTAC unanimously approved a recommendation that governmental Internet traffic could get priority transmission during emergencies. The government already gets emergency priority in more traditional communications networks like the phone system through programs such as the Government Emergency Telecommunications Service (GETS). NSTAC now is proposing a GETS for the Internet. (56 pages)

The Department of Energy's Management of Cloud Computing Activities: Audit Report

Department of Energy (DOE) Inspector General

September 1, 2014

According to the inspector general, DOE should do a better job buying, implementing, and managing its cloud computing services. Programs and sites department-wide have independently spent more than $30 million on cloud services, but the chief information officer's office could not accurately account for the money. (20 pages)

Cloud Computing: The Concept, Impacts, and the Role of Government Policy

OECD

August 19, 2014

The report gives an overview of cloud computing. It

  • presents the concept, the services it provides, and deployment models;
  • discusses how cloud computing changes the way computing is carried out;
  • evaluates the impacts of cloud computing (including its benefits and challenges as well as its economic and environmental impacts); and
  • discusses the policy issues raised by cloud computing and the roles of governments and other stakeholders in addressing these issues. (240 pages)

Internet of Things: the Influence of M2M Data on the Energy Industry

GigaOm Research

March 4, 2014

The report examines the drivers of machine-to-machine (M2M) data exploitation in the smart-grid sector and the oil and gas sector, as well as the risks and opportunities for buyers and suppliers of the related core technologies and services. (21 pages)

Software Defined Perimeter

Cloud Security Alliance

December 1, 2013

Cloud Security Alliance's software defined perimeter (SDP) initiative aims to make "invisible networks" accessible to a wider range of government agencies and corporations. The initiative will foster the development of architecture for securing the IoT using the cloud to create highly secure end-to-end networks between IP-addressable entities. (13 pages)

Delivering on the Promise of Big Data and the Cloud

Booz Allen Hamilton

January 9, 2013

Reference architecture does away with conventional data and analytics silos, consolidating all information into a single medium designed to foster connections called a "data lake," which reduces complexity and creates efficiencies that improve data visualization to allow for easier insights by analysts. (7 pages)

Cloud Computing: An Overview of the Technology and the Issues Facing American Innovators

House Judiciary Committee, Subcommittee on Intellectual Property, Competition, and the Internet

July 25, 2012

The hearing includes an overview and discussion of cloud computing issues. (156 pages)

Information Technology Reform: Progress Made but Future Cloud Computing Efforts Should be Better Planned

GAO

July 11, 2012

GAO recommends that the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury, and the Administrators of the General Services Administration and the Small Business Administration, direct their respective chief information officers to establish estimated costs, performance goals, and plans to retire associated legacy systems for each cloud-based service, as applicable. (43 pages)

Cloud Computing Strategy

DOD Chief Information Officer

July 2012

The DOD Cloud Computing Strategy introduces an approach to move the department from the current state of a duplicative, cumbersome, and costly set of application silos to an end state that is agile, secure, and cost-effective and to a service environment that can rapidly respond to changing mission needs. (44 pages)

A Global Reality: Governmental Access to Data in the Cloud—A Comparative Analysis of Ten International Jurisdictions

Hogan Lovells

May 23, 2012

The white paper compares the nature and extent of governmental access to data in the cloud in many jurisdictions around the world. (13 pages)

Policy Challenges of Cross-Border Cloud Computing

U.S. International Trade Commission

May 2012

The report examines the main policy challenges associated with cross-border cloud computing—data privacy, security, and ensuring the free flow of information—and the ways countries are addressing them through domestic policymaking, international agreements, and other cooperative arrangements. (38 pages)

Cloud Computing Synopsis and Recommendations (SP 800-146)

National Institute of Standards and Technology (NIST)

May 2012

NIST's guide explains cloud technologies in plain terms to federal agencies and provides recommendations for IT decision-makers. (81 pages)

Global Cloud Computing Scorecard: A Blueprint for Economic Opportunity

Business Software Alliance

February 2, 2012

The report notes that although many developed countries have adjusted their laws and regulations to address cloud computing, the wide differences in those rules make it difficult for companies to invest in the technology. (24 pages)

Concept of Operations: FedRAMP

GSA

February 7, 2012

FedRAMP is implemented in phases. The document describes all the services that were available at the 2012 initial operating capability. The concept of operations is updated as the program evolves toward sustained operations. (47 pages)

Federal Risk and Authorization Management Program (FedRAMP)

Federal Chief Information Officers Council

January 4, 2012

FedRAMP provides a standard approach to assessing and authorizing (A&A) cloud computing services and products.

Security Authorization of Information Systems in Cloud Computing Environments (FedRAMP)

White House/Office of Management and Budget (OMB)

December 8, 2011

FedRAMP is now required for all agencies purchasing storage, applications, and other remote services from vendors. The Administration promotes cloud computing as a means to save money and accelerate the government's adoption of new technologies. (7 pages)

U.S. Government Cloud Computing Technology Roadmap, Volume I, Release 1.0 (Draft). High-Priority Requirements to Further USG Agency Cloud Computing Adoption (SP 500-293)

National Institute of Standards and Technology (NIST)

December 1, 2011

Volume I is aimed at interested parties that wish to gain a general understanding and overview of the background, purpose, context, work, results, and next steps of the U.S. Government Cloud Computing Technology Roadmap initiative. (32 pages)

U.S. Government Cloud Computing Technology Roadmap, Volume II, Release 1.0 (Draft), Useful Information for Cloud Adopters (SP 500-293)

National Institute of Standards and Technology (NIST)

December 1, 2011

Volume II is designed as a technical reference for those actively working on strategic and tactical cloud computing initiatives including, but not limited to, U.S. government cloud adopters. This volume integrates and summarizes the work completed as of 2011 and explains how these findings support the roadmap introduced in Volume I. (85 pages)

Information Security: Additional Guidance Needed to Address Cloud Computing Concerns

GAO

October 6, 2011

Twenty-two of 24 major federal agencies reported that they were either concerned or very concerned about the potential information security risks associated with cloud computing. GAO recommended that NIST issue guidance specific to cloud computing security. (17 pages)

Cloud Computing Reference Architecture (SP 500-292)

NIST

September 1, 2011

This special publication, which is not an official U.S. government standard, is designed to provide guidance to specific communities of practitioners and researchers. (35 pages)

Federal Cloud Computing Strategy

White House

February 8, 2011

The strategy outlines how the federal government can accelerate the safe, secure adoption of cloud computing, and provides agencies with a framework for migrating to the cloud. It also examines how agencies can address challenges related to the adoption of cloud computing, such as privacy, procurement, standards, and governance. (43 pages)

25-Point Implementation Plan to Reform Federal Information Technology Management

White House

December 9, 2010

The plan's goals are to reduce the number of federally run data centers from 2,100 to approximately 1,300, rectify or cancel one-third of troubled IT projects, and require federal agencies to adopt a "cloud first" strategy in which they will move at least one system to a hosted environment within a year. (40 pages)

Federal Guidance Needed to Address Control Issues With Implementing Cloud Computing

GAO

July 1, 2010

The report suggests that the OMB director should establish milestones for completing a strategy for implementing the federal cloud computing initiative to assist federal agencies in identifying uses for and information security measures to use in implementing cloud computing. (53 pages)

Source: Highlights compiled by CRS from the reports.

Notes: Page counts are for documents; other cited resources are webpages.

Author Contact Information

Rita Tehan, Senior Research Librarian ([email address scrubbed], [phone number scrubbed])

Footnotes

1.

"A breach constitutes a 'major incident' when it involves [personally identifiable information] that, if exfiltrated, modified, deleted, or otherwise compromised, is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people," the [OMB] memo states. "An unauthorized modification of, unauthorized deletion of, unauthorized exfiltration of, or unauthorized access to 100,000 or more individuals' PII constitutes a 'major incident.'" Source: Fiscal Year 2016-2017 on Federal Information Security and Privacy Management Requirements, November 4, 2016.

2.

Cloud computing is a web-based service that allows users to access anything from email to social media on a third-party computer. For example, Gmail and Yahoo are cloud-based email services that allow users to access and store emails that are saved on each respective service's computer, rather than on the individual's computer.

3.

The "Internet of Things" (IoT) refers to networks of objects that communicate with other objects and with computers through the Internet. "Things" may include virtually any object for which remote communication, data collection, or control might be useful, such as vehicles, appliances, medical devices, electric grids, transportation infrastructure, manufacturing equipment, or building systems. See also CRS Report R44227, The Internet of Things: Frequently Asked Questions, by Eric A. Fischer.

4.

The Federal Risk and Authorization Management Program (FedRAMP) was established in December 2011 to provide a government-wide standard, centralized approach to assessing and authorizing cloud computing services and products. It reached initial operational capabilities in June 2012 and became fully operational during FY2014. See also CRS Report R42887, Overview and Issues for Implementation of the Federal Cloud Computing Initiative: Implications for Federal Information Technology Reform Management, by Patricia Moloney Figliola and Eric A. Fischer.