Cybersecurity:
Authoritative Reports and Resources

Rita Tehan
Information Research Specialist
May 8, 2012
Congressional Research Service
7-5700
www.crs.gov
R42507
CRS Report for Congress
Prepared for Members and Committees of Congress

Cybersecurity: Authoritative Reports and Resources

Summary
Cybersecurity vulnerabilities challenge governments, businesses, and individuals worldwide.
Attacks have been initiated by individuals, as well as countries. Targets have included
government networks, military defenses, companies, or political organizations, depending upon
whether the attacker was seeking military intelligence, conducting diplomatic or industrial
espionage, or intimidating political activists. In addition, national borders mean little or nothing to
cyberattackers, and attributing an attack to a specific location can be difficult, which also makes a
response problematic.
Congress has been actively involved in cybersecurity issues, holding hearings every year since
2001. There is no shortage of data on this topic: government agencies, academic institutions,
think tanks, security consultants, and trade associations have issued hundreds of reports, studies,
analyses, and statistics.
This report provides links to selected authoritative resources related to cybersecurity issues. This
report includes information on
• “Legislation”
• “Hearings in the 112th Congress”
• “Executive Orders and Presidential Directives”
• “Data and Statistics”
• “Cybersecurity Glossaries”
• “Reports by Topic”
  • Government Accountability Office (GAO) reports
  • White House/Office of Management and Budget reports
  • Military/DOD
  • Cloud Computing
  • Critical Infrastructure
  • National Strategy for Trusted Identities in Cyberspace (NSTIC)
  • Cybercrime/Cyberwar
  • International
  • Education/Training/Workforce
  • Research and Development (R&D)
• “Related Resources: Other Websites”
The report will be updated as needed.

Congressional Research Service


Contents
Introduction...................................................................................................................................... 1
Legislation ....................................................................................................................................... 1
Hearings in the 112th Congress ........................................................................................................ 2
Executive Orders and Presidential Directives................................................................................ 12
Data and Statistics.......................................................................................................................... 15
Cybersecurity Glossaries ............................................................................................................... 18
Reports by Topic............................................................................................................................ 19
CRS Reports Overview: Cybersecurity Policy Framework .................................................... 19
CRS Reports: Critical Infrastructure ....................................................................................... 34
CRS Reports: Cybercrime and National Security ................................................................... 40
Related Resources: Other Websites ............................................................................................... 49

Tables
Table 1. Major Legislation: Senate (112th Congress)....................................................................... 2
Table 2. Major Legislation: House (112th Congress) ....................................................................... 2
Table 3. House Hearings (112th Congress), by Date ........................................................................ 4
Table 4. House Hearings (112th Congress), by Committee.............................................................. 7
Table 5. House Markups (112th Congress), by Date ........................................................................ 9
Table 6. Senate Hearings (112th Congress), by Date...................................................................... 10
Table 7. Senate Hearings (112th Congress), by Committee............................................................ 11
Table 8. Executive Orders and Presidential Directives.................................................................. 13
Table 9. Data and Statistics: Cyber Incidents, Data Breaches, Cyber Crime................................. 16
Table 10. Glossaries of Cybersecurity Terms ................................................................................ 18
Table 11. Selected Reports: Cybersecurity Overview.................................................................... 20
Table 12. Selected Government Reports: Government Accountability Office (GAO).................. 22
Table 13. Selected Government Reports: White House/Office of Management and Budget ........ 27
Table 14. Selected Government Reports: Department of Defense (DOD) .................................... 29
Table 15. Selected Government Reports: National Strategy for Trusted Identities in Cyberspace (NSTIC) ........ 31
Table 16. Selected Reports: Cloud Computing.............................................................................. 32
Table 17. Selected Reports: Critical Infrastructure........................................................................ 35
Table 18. Selected Reports: Cybercrime/Cyberwar....................................................................... 41
Table 19. Selected Reports: International Efforts .......................................................................... 43
Table 20. Selected Reports: Education/Training/Workforce.......................................................... 46
Table 21. Selected Reports: Research & Development (R&D) ..................................................... 48

Table 22. Related Resources: Congressional/Government ............................................................ 49
Table 23. Related Resources: International Organizations ............................................................ 50
Table 24. Related Resources: News............................................................................................... 51
Table 25. Related Resources: Other Associations and Institutions................................................ 52

Contacts
Author Contact Information........................................................................................................... 53
Key Policy Staff............................................................................................................................. 53


Introduction
Cybersecurity is a sprawling topic that includes national, international, government, and private
industry dimensions. More than 40 bills and resolutions with provisions related to cybersecurity
have been introduced in the first session of the 112th Congress, including several proposing
revisions to current laws. In the 111th Congress, the total was more than 60. Several of those bills
received committee or floor action, but none have become law. In fact, no comprehensive
cybersecurity legislation has been enacted since 2002.
This report provides links to cybersecurity hearings and legislation under consideration in the
112th Congress, as well as executive orders and presidential directives, data and statistics,
glossaries, and authoritative reports.
For CRS analysis, please see the collection of CRS reports found on the Issues in Focus:
Cybersecurity site.
Legislation
No major legislative provisions relating to cybersecurity have been enacted since 2002, despite
many recommendations made over the past decade. The Obama Administration sent Congress a
package of legislative proposals in May 2011[1] to give the federal government new authority to
ensure that corporations that own the assets most critical to the nation’s security and economic
prosperity are adequately addressing the risks posed by cybersecurity threats.
Cybersecurity legislation is advancing in both chambers in the 112th Congress. The House
introduced a series of bills that address a variety of issues—from toughening law enforcement of
cybercrimes to giving the Department of Homeland Security oversight of federal information
technology and critical infrastructure security to lessening liability for private companies that
adopt cybersecurity best practices. The Senate is pursuing a comprehensive cybersecurity bill
with several committees working to create a single vehicle for passage.
Table 1 and Table 2 provide lists of major Senate and House legislation under current
consideration in the 112th Congress, in order by date introduced. When viewed in HTML, the bill
numbers are active links to the Bill Summary and Status page in the Legislative Information
Service (LIS). The tables include bills with committee action, floor action, or significant
legislative interest.

[1] White House, International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World, May 2011, at http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf.


Table 1. Major Legislation: Senate (112th Congress)

Bill No. | Title | Committee(s) | Date Introduced
-------- | ----- | ------------ | ---------------
S. 413 | Cybersecurity and Internet Freedom Act of 2011 | Homeland Security and Governmental Affairs | February 17, 2011
S. 1151 | Personal Data Privacy and Security Act of 2011 | Judiciary | June 7, 2011
S. 1342 | Grid Cyber Security Act | Energy and Natural Resources | July 11, 2011
S. 1535 | Personal Data Protection and Breach Accountability Act of 2011 | Judiciary | September 22, 2011
S. 2102 | Cybersecurity Information Sharing Act of 2012 | Homeland Security and Governmental Affairs | February 13, 2012
S. 2105 | Cybersecurity Act of 2012 | Homeland Security and Governmental Affairs | February 14, 2012
S. 2151 | SECURE IT Act | Commerce, Science, and Transportation | March 1, 2012

Source: Legislative Information System (LIS).
Table 2. Major Legislation: House (112th Congress)

Bill No. | Title | Committee(s) | Date Introduced
-------- | ----- | ------------ | ---------------
H.R. 76 | Cybersecurity Education Enhancement Act of 2011 | Homeland Security; House Oversight and Government Reform | January 5, 2011
H.R. 174 | Homeland Security Cyber and Physical Infrastructure Protection Act of 2011 | Technology; Education and the Workforce; Homeland Security | January 5, 2011
H.R. 2096 | Cybersecurity Enhancement Act of 2011 | Science, Space, and Technology | June 2, 2011
H.R. 3523 | Cyber Intelligence Sharing and Protection Act | Committee on Intelligence (Permanent Select) | November 30, 2011
H.R. 3674 | PRECISE Act of 2011 | Homeland Security; Oversight and Government Reform; Science, Space, and Technology; Judiciary; Intelligence (Permanent Select) | December 15, 2011
H.R. 4263 | SECURE IT Act of 2012 (Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and …) | Oversight and Government Reform, the Judiciary, Armed Services, and Intelligence (Permanent Select) | March 27, 2012
H.R. 3834 | Advancing America’s Networking and Information Technology Research and Development Act of 2012 | Science, Space, and Technology | January 27, 2012
H.R. 4257 | Federal Information Security Amendments Act of 2012 | Oversight and Government Reform | April 18, 2012

Source: Legislative Information System (LIS).
Hearings in the 112th Congress
The following tables list cybersecurity hearings in the 112th Congress. Table 3 and Table 4
contain identical content but organized differently. Table 3 lists House hearings arranged by date
(most recent first), and Table 4 lists House hearings arranged by committee. Table 5 lists House
markups by date. Table 6 and Table 7 likewise contain identical content: Table 6 lists Senate hearings
arranged by date, and Table 7 lists Senate hearings arranged by committee. When viewed in
HTML, the document titles are active links.

Table 3. House Hearings (112th Congress), by Date

Title | Date | Committee | Subcommittee
----- | ---- | --------- | ------------
Iranian Cyber Threat to U.S. Homeland | April 26, 2012 | Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies and Counterterrorism and Intelligence
America is Under Cyber Attack: Why Urgent Action is Needed | April 24, 2012 | Homeland Security | Oversight, Investigations and Management
The DHS and DOE National Labs: Finding Efficiencies and Optimizing Outputs in Homeland Security Research and Development | April 19, 2012 | Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies
Cybersecurity: Threats to Communications Networks and Public-Sector Responses | March 28, 2012 | Energy and Commerce | Communications and Technology
IT Supply Chain Security: Review of Government and Industry Efforts | March 27, 2012 | Energy and Commerce | Oversight and Investigations
Fiscal 2013 Defense Authorization: IT and Cyber Operations | March 20, 2012 | Armed Services | Emerging Threats and Capabilities
Cybersecurity: The Pivotal Role of Communications Networks | March 7, 2012 | Energy and Commerce | Communications and Technology
NASA Cybersecurity: An Examination of the Agency’s Information Security | February 29, 2012 | Science, Space, and Technology | Investigations and Oversight
Critical Infrastructure Cybersecurity: Assessments of Smart Grid Security | February 28, 2012 | Energy and Commerce | Oversight and Investigations
Hearing on Draft Legislative Proposal on Cybersecurity | December 6, 2011 | Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies
Cyber Security: Protecting Your Small Business | December 1, 2011 | Small Business | Healthcare and Technology
Cyber Security: Protecting Your Small Business | November 30, 2011 | Small Business | Healthcare and Technology
Combating Online Piracy (H.R. 3261, Stop the Online Piracy Act) | November 16, 2011 | Judiciary | 
Cybersecurity: Protecting America’s New Frontier | November 15, 2011 | Judiciary | Crime, Terrorism and Homeland Security
Institutionalizing Irregular Warfare Capabilities | November 3, 2011 | Armed Services | Emerging Threats and Capabilities
Cloud Computing: What are the Security Implications? | October 6, 2011 | Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies
Cyber Threats and Ongoing Efforts to Protect the Nation | October 4, 2011 | Permanent Select Intelligence | 
The Cloud Computing Outlook | September 21, 2011 | Science, Space, and Technology | Technology and Innovation
Combating Cybercriminals | September 14, 2011 | Financial Services | Financial Institutions and Consumer Credit
Cybersecurity: An Overview of Risks to Critical Infrastructure | July 26, 2011 | Energy and Commerce | Oversight and Investigations
Cybersecurity: Assessing the Nation’s Ability to Address the Growing Cyber Threat | July 7, 2011 | Oversight and Government Reform | 
Field Hearing: Hacked Off: Helping Law Enforcement Protect Private Financial Information | June 29, 2011 | Financial Services (field hearing in Hoover, AL) | 
Examining the Homeland Security Impact of the Obama Administration’s Cybersecurity Proposal | June 24, 2011 | Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies
Sony and Epsilon: Lessons for Data Security Legislation | June 2, 2011 | Energy and Commerce | Commerce, Manufacturing, and Trade
Protecting the Electric Grid: the Grid Reliability and Infrastructure Defense Act | May 31, 2011 | Energy and Commerce | Energy and Power
Unlocking the SAFETY Act’s [Support Anti-terrorism by Fostering Effective Technologies - P.L. 107-296] Potential to Promote Technology and Combat Terrorism | May 26, 2011 | Homeland Security | Cybersecurity, Infrastructure Protection, and Security Technologies
Protecting Information in the Digital Age: Federal Cybersecurity Research and Development Efforts | May 25, 2011 | Science, Space and Technology | Research and Science Education
Cybersecurity: Innovative Solutions to Challenging Problems | May 25, 2011 | Judiciary | Intellectual Property, Competition and the Internet
Cybersecurity: Assessing the Immediate Threat to the United States | May 25, 2011 | Oversight and Government Reform | National Security, Homeland Defense and Foreign Operations
DHS Cybersecurity Mission: Promoting Innovation and Securing Critical Infrastructure | April 15, 2011 | Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies
Communist Chinese Cyber-Attacks, Cyber-Espionage and Theft of American Technology | April 15, 2011 | Foreign Affairs | Oversight and Investigations
Budget Hearing - National Protection and Programs Directorate, Cybersecurity and Infrastructure Protection Programs | March 31, 2011 | Appropriations (closed/classified) | 
Examining the Cyber Threat to Critical Infrastructure and the American Economy | March 16, 2011 | Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies
2012 Budget Request from U.S. Cyber Command | March 16, 2011 | Armed Services | Emerging Threats and Capabilities
What Should the Department of Defense’s Role in Cyber Be? | February 11, 2011 | Armed Services | Emerging Threats and Capabilities
Preventing Chemical Terrorism: Building a Foundation of Security at Our Nation’s Chemical Facilities | February 11, 2011 | Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies
World Wide Threats | February 10, 2011 | Permanent Select Intelligence | 

Source: Compiled by the Congressional Research Service (CRS).

Table 4. House Hearings (112th Congress), by Committee

Committee | Subcommittee | Title | Date
--------- | ------------ | ----- | ----
Appropriations (closed/classified) |  | Budget Hearing - National Protection and Programs Directorate, Cybersecurity and Infrastructure Protection Programs | March 31, 2011
Armed Services | Emerging Threats and Capabilities | Fiscal 2013 Defense Authorization: IT and Cyber Operations | March 20, 2012
Armed Services | Emerging Threats and Capabilities | Institutionalizing Irregular Warfare Capabilities | November 3, 2011
Armed Services | Emerging Threats and Capabilities | 2012 Budget Request for U.S. Cyber Command | March 16, 2011
Armed Services | Emerging Threats and Capabilities | What Should the Department of Defense’s Role in Cyber Be? | February 11, 2011
Energy and Commerce | Communications and Technology | Cybersecurity: Threats to Communications Networks and Public-Sector Responses | March 28, 2012
Energy and Commerce | Oversight and Investigations | IT Supply Chain Security: Review of Government and Industry Efforts | March 27, 2012
Energy and Commerce | Communications and Technology | Cybersecurity: The Pivotal Role of Communications Networks | March 7, 2012
Energy and Commerce | Oversight and Investigations | Critical Infrastructure Cybersecurity: Assessments of Smart Grid Security | February 28, 2012
Energy and Commerce | Oversight and Investigations | Cybersecurity: An Overview of Risks to Critical Infrastructure | July 26, 2011
Energy and Commerce | Commerce, Manufacturing, and Trade | Sony and Epsilon: Lessons for Data Security Legislation | June 2, 2011
Energy and Commerce | Energy and Power | Protecting the Electric Grid: the Grid Reliability and Infrastructure Defense Act | May 31, 2011
Financial Services | Financial Institutions and Consumer Credit | Combating Cybercriminals | September 14, 2011
Financial Services | Field hearing in Hoover, AL | Field Hearing: “Hacked Off: Helping Law Enforcement Protect Private Financial Information” | June 29, 2011
Foreign Affairs | Oversight and Investigations | Communist Chinese Cyber-Attacks, Cyber-Espionage and Theft of American Technology | April 15, 2011
Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies and Counterterrorism and Intelligence | Iranian Cyber Threat to U.S. Homeland | April 26, 2012
Homeland Security | Oversight, Investigations and Management | America is Under Cyber Attack: Why Urgent Action is Needed | April 24, 2012
Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies | The DHS and DOE National Labs: Finding Efficiencies and Optimizing Outputs in Homeland Security Research and Development | April 19, 2012
Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies | Hearing on Draft Legislative Proposal on Cybersecurity | December 6, 2011
Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies | Cloud Computing: What are the Security Implications? | October 6, 2011
Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies | Examining the Homeland Security Impact of the Obama Administration’s Cybersecurity Proposal | June 24, 2011
Homeland Security |  | Unlocking the SAFETY Act’s [Support Anti-terrorism by Fostering Effective Technologies - P.L. 107-296] Potential to Promote Technology and Combat Terrorism | May 26, 2011
Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies | DHS Cybersecurity Mission: Promoting Innovation and Securing Critical Infrastructure | April 15, 2011
Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies | Examining the Cyber Threat to Critical Infrastructure and the American Economy | March 16, 2011
Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies | Preventing Chemical Terrorism: Building a Foundation of Security at Our Nation’s Chemical Facilities | February 11, 2011
Judiciary |  | Combating Online Piracy (H.R. 3261, Stop the Online Piracy Act) | November 16, 2011
Judiciary | Crime, Terrorism and Homeland Security | Cybersecurity: Protecting America’s New Frontier | November 15, 2011
Judiciary | Intellectual Property, Competition and the Internet | Cybersecurity: Innovative Solutions to Challenging Problems | May 25, 2011
Oversight and Government Reform |  | Cybersecurity: Assessing the Nation’s Ability to Address the Growing Cyber Threat | July 7, 2011
Oversight and Government Reform | Subcommittee on National Security, Homeland Defense and Foreign Operations | Cybersecurity: Assessing the Immediate Threat to the United States | May 25, 2011
Permanent Select Intelligence |  | Cyber Threats and Ongoing Efforts to Protect the Nation | October 4, 2011
Permanent Select Intelligence |  | World Wide Threats | February 10, 2011
Science, Space and Technology | Investigations and Oversight | NASA Cybersecurity: An Examination of the Agency’s Information Security | February 29, 2012
Science, Space and Technology | Technology and Innovation | The Cloud Computing Outlook | September 21, 2011
Science, Space and Technology | Research and Science Education | Protecting Information in the Digital Age: Federal Cybersecurity Research and Development Efforts | May 25, 2011
Small Business | Healthcare and Technology | Cyber Security: Protecting Your Small Business | November 30, 2011

Source: Compiled by CRS.

Table 5. House Markups (112th Congress), by Date

Title | Date | Committee | Subcommittee
----- | ---- | --------- | ------------
Consideration and Markup of H.R. 3674 | February 1, 2012 | Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies
Markup: Draft Bill: Cyber Intelligence Sharing and Protection Act of 2011 | December 1, 2011 | Permanent Select Intelligence | 
Markup on H.R. 2096, Cybersecurity Enhancement Act of 2011 | July 21, 2011 | Science, Space and Technology | 
Discussion Draft of H.R. 2577, a bill to require greater protection for sensitive consumer data and timely notification in case of breach | June 15, 2011 | Energy and Commerce | Commerce, Manufacturing, and Trade

Source: Compiled by CRS.

Table 6. Senate Hearings (112th Congress), by Date

Title | Date | Committee | Subcommittee
----- | ---- | --------- | ------------
To receive testimony on U.S. Strategic Command and U.S. Cyber Command in review of the Defense Authorization Request for Fiscal Year 2013 and the Future Years Defense Program | March 27, 2012 | Armed Services | 
To receive testimony on cybersecurity research and development in review of the Defense Authorization Request for Fiscal Year 2013 and the Future Years Defense Program | March 20, 2012 | Armed Services | Emerging Threats and Capabilities
The Freedom of Information Act: Safeguarding Critical Infrastructure Information and the Public’s Right to Know | March 13, 2012 | Judiciary | 
Securing America’s Future: The Cybersecurity Act of 2012 | February 16, 2012 | Homeland Security and Governmental Affairs | 
Cybercrime: Updating the Computer Fraud and Abuse Act to Protect Cyberspace and Combat Emerging Threats | September 7, 2011 | Judiciary | 
Role of Small Business in Strengthening Cybersecurity Efforts in the United States | July 25, 2011 | Small Business and Entrepreneurship | 
Privacy and Data Security: Protecting Consumers in the Modern World | June 29, 2011 | Commerce, Science and Transportation | 
Cybersecurity: Evaluating the Administration’s Proposals | June 21, 2011 | Judiciary | Crime and Terrorism
Cybersecurity and Data Protection in the Financial Sector | June 21, 2011 | Banking, Housing and Urban Affairs | 
Protecting Cyberspace: Assessing the White House Proposal | May 23, 2011 | Homeland Security and Governmental Affairs | 
Cybersecurity of the Bulk-Power System and Electric Infrastructure | May 5, 2011 | Energy and Natural Resources | 
To receive testimony on the health and status of the defense industrial base and its science and technology-related elements | May 3, 2011 | Armed Services | Emerging Threats and Capabilities
Cyber Security: Responding to the Threat of Cyber Crime and Terrorism | April 12, 2011 | Judiciary | Crime and Terrorism
Oversight of the Federal Bureau of Investigation | March 30, 2011 | Judiciary | 
Cybersecurity and Critical Electric Infrastructure (a) | March 15, 2011 | Energy and Natural Resources | 
Information Sharing in the Era of WikiLeaks: Balancing Security and Collaboration | March 10, 2011 | Homeland Security and Governmental Affairs | 
Homeland Security Department’s Budget Submission for Fiscal Year 2012 | February 17, 2011 | Homeland Security and Governmental Affairs | 

Source: Compiled by CRS.
a. The March 15, 2011, hearing before the Committee on Energy and Natural Resources was closed. The hearing notice was removed from the committee’s website.

Table 7. Senate Hearings (112th Congress), by Committee

Committee | Subcommittee | Title | Date
--------- | ------------ | ----- | ----
Armed Services | Emerging Threats and Capabilities | To receive testimony on cybersecurity research and development in review of the Defense Authorization Request for Fiscal Year 2013 and the Future Years Defense Program | March 30, 2012
Armed Services | Emerging Threats and Capabilities | To receive testimony on the health and status of the defense industrial base and its science and technology-related elements | May 3, 2011
Banking, Housing and Urban Affairs |  | Cybersecurity and Data Protection in the Financial Sector | June 21, 2011
Commerce, Science and Transportation |  | Privacy and Data Security: Protecting Consumers in the Modern World | June 29, 2011
Energy and Natural Resources |  | Cybersecurity of the Bulk-Power System and Electric Infrastructure | May 5, 2011
Energy and Natural Resources (closed) |  | Cybersecurity and Critical Electric Infrastructure (a) | March 15, 2011
Homeland Security and Governmental Affairs |  | Securing America’s Future: The Cybersecurity Act of 2012 | February 16, 2012
Homeland Security and Governmental Affairs |  | Protecting Cyberspace: Assessing the White House Proposal | May 23, 2011
Homeland Security and Governmental Affairs |  | Information Sharing in the Era of WikiLeaks: Balancing Security and Collaboration | March 10, 2011
Homeland Security and Governmental Affairs |  | Homeland Security Department’s Budget Submission for Fiscal Year 2012 | February 17, 2011
Judiciary |  | The Freedom of Information Act: Safeguarding Critical Infrastructure Information and the Public’s Right to Know | March 13, 2012
Judiciary |  | Cybercrime: Updating the Computer Fraud and Abuse Act to Protect Cyberspace and Combat Emerging Threats | September 7, 2011
Judiciary | Crime and Terrorism | Cybersecurity: Evaluating the Administration’s Proposals | June 21, 2011
Judiciary | Crime and Terrorism | Cyber Security: Responding to the Threat of Cyber Crime and Terrorism | April 12, 2011
Judiciary |  | Oversight of the Federal Bureau of Investigation | March 30, 2011
Small Business and Entrepreneurship |  | Role of Small Business in Strengthening Cybersecurity Efforts in the United States | July 25, 2011

Source: Compiled by CRS.
a. The March 15, 2011, hearing before the Committee on Energy and Natural Resources was closed. The hearing notice was removed from the committee’s website.

Executive Orders and Presidential Directives
Executive orders are official documents through which the President of the United States
manages the operations of the federal government. Presidential directives pertain to all aspects of
U.S. national security policy and are signed or authorized by the President.
The following reports provide additional information on executive orders and presidential
directives:
• CRS Report RS20846, Executive Orders: Issuance, Modification, and Revocation, by Vanessa K. Burrows; and
• CRS Report 98-611, Presidential Directives: Background and Overview, by L. Elaine Halchin.
Table 8 provides a list of executive orders and presidential directives pertaining to information
and computer security.


Table 8. Executive Orders and Presidential Directives
(by date of issuance)

Title: E.O. 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible
Date: October 7, 2011
Source: White House, http://www.gpo.gov/fdsys/pkg/FR-2011-10-13/pdf/2011-26729.pdf
Notes: This order directs structural reforms to ensure responsible sharing and safeguarding of classified information on computer networks that shall be consistent with appropriate protections for privacy and civil liberties. Agencies bear the primary responsibility for meeting these twin goals. These policies and minimum standards will address all agencies that operate or access classified computer networks, all users of classified computer networks (including contractors and others who operate or access classified computer networks controlled by the Federal Government), and all classified information on those networks.

Title: E.O. 13407, Public Alert and Warning System
Date: June 26, 2006
Source: White House, http://www.gpo.gov/fdsys/pkg/WCPD-2006-07-03/pdf/WCPD-2006-07-03-Pg1226.pdf
Notes: Assigns the Secretary of Homeland Security the responsibility to establish or adopt, as appropriate, common alerting and warning protocols, standards, terminology, and operating procedures for the public alert and warning system to enable interoperability and the secure delivery of coordinated messages to the American people through as many communication pathways as practicable, taking account of Federal Communications Commission rules as provided by law.

Title: HSPD-7, Homeland Security Presidential Directive No. 7: Critical Infrastructure Identification, Prioritization, and Protection
Date: December 17, 2003
Source: White House, http://www.dhs.gov/xabout/laws/gc_1214597989952.shtm
Notes: Assigns the Secretary of Homeland Security the responsibility of coordinating the nation’s overall efforts in critical infrastructure protection across all sectors. HSPD-7 also designates the Department of Homeland Security (DHS) as lead agency for the nation’s information and telecommunications sectors.

Title: E.O. 13286, Amendment of Executive Orders, and Other Actions, in Connection With the Transfer of Certain Functions to the Secretary of Homeland Security
Date: February 28, 2003
Source: White House, http://edocket.access.gpo.gov/2003/pdf/03-5343.pdf
Notes: Designates the Secretary of Homeland Security the Executive Agent of the National Communication System Committee of Principals, which are the agencies, designated by the President, that own or lease telecommunication assets identified as part of the National Communication System, or which bear policy, regulatory, or enforcement responsibilities of importance to national security and emergency preparedness telecommunications.

Title: Presidential Decision Directive/NSC-63
Date: May 22, 1998
Source: White House, http://www.fas.org/irp/offdocs/pdd/pdd-63.htm
Notes: Sets as a national goal the ability to protect the nation's critical infrastructure from intentional attacks (both physical and cyber) by the year 2003. According to the PDD, any interruptions in the ability of these infrastructures to provide their goods and services must be “brief, infrequent, manageable, geographically isolated, and minimally detrimental to the welfare of the United States.”

Title: NSD-42, National Security Directive 42 - National Policy for the Security of National Security Telecommunications and Information Systems
Date: July 5, 1990
Source: White House, http://bushlibrary.tamu.edu/research/pdfs/nsd/nsd42.pdf
Notes: Establishes the National Security Telecommunications and Information Systems Security Committee, now called the Committee on National Security Systems (CNSS). CNSS is an interagency committee, chaired by the Department of Defense. Among other assignments, NSD-42 directs the CNSS to provide system security guidance for national security systems to executive departments and agencies; and submit annually to the Executive Agent an evaluation of the security status of national security systems. NSD-42 also
directs the Committee to interact, as necessary, with the
National Communications System Committee of Principals.
E.O. 12472, Assignment of National Security and Emergency
April 3, 1984
National
Established a national communication system as those
Preparedness Telecommunications Functions (amended by E.O.
Communications
telecommunication assets owned or leased by the federal
13286 of February 28, 2003 and changes made by E.O. 13407,
System (NCS)
government that can meet the national security and
June 26, 2006)
emergency preparedness needs of the federal government,
together with an administrative structure that could ensure
http://www.ncs.gov/library/policy_docs/eo_12472.html
that a national telecommunications infrastructure is
developed that is responsive to national security and
emergency preparedness needs.
Note: Descriptions compiled by CRS from government websites.


Data and Statistics
This section identifies data and statistics from government, industry, and IT security firms
regarding the current state of cybersecurity threats in the United States and internationally. These
include incident estimates, costs, and annual reports on data security breaches, identity theft,
cyber crime, malware, and network security.

Table 9. Data and Statistics: Cyber Incidents, Data Breaches, Cyber Crime

Title: Worldwide Threat Assessment: Infection Rates and Threat Trends by Location
URL: http://www.microsoft.com/security/sir/threat/default.aspx#!introduction
Date: ongoing
Source: Microsoft Security Intelligence Report (SIR)
Pages: N/A
Notes: Data on infection rates, malicious websites and threat trends by regional location, worldwide.

Title: McAfee Research & Reports (multiple)
URL: http://www.mcafee.com/us/about/newsroom/research-reports.aspx
Date: 2009-2012
Source: McAfee
Pages: N/A
Notes: Links to reports on cybersecurity threats, malware, cybercrime, and spam.

Title: Significant Cyber Incidents Since 2006
URL: http://csis.org/publication/cyber-events-2006
Date: January 19, 2012
Source: Center for Strategic and International Studies (CSIS)
Pages: 9
Notes: A list of significant cyber events since 2006. From the report, “Significance is in the eye of the beholder, but we focus on successful attacks on government agencies, defense and high tech companies, or economic crimes with losses of more than a million dollars.”

Title: 2011 ITRC Breach Report Key Findings
URL: http://www.idtheftcenter.org/artman2/publish/headlines/Breaches_2011.shtml
Date: December 10, 2011
Source: Identity Theft Resource Center (ITRC)
Pages: N/A
Notes: According to the report, hacking attacks were responsible for more than one-quarter (25.8%) of the data breaches recorded in the Identity Theft Resource Center’s 2011 Breach Report, hitting a five-year all-time high. This was followed by “Data on the Move” (when an electronic storage device, laptop or paper folders leave the office where it is normally stored) and “Insider Theft,” at 18.1% and 13.4% respectively.

Title: The Risk of Social Engineering on Information Security: A Survey of IT Professionals
URL: http://www.checkpoint.com/press/downloads/social-engineering-survey.pdf
Date: September 2011
Source: Check Point
Pages: 7
Notes: [The] report reveals 48% of large companies and 32% of companies of all sizes surveyed have been victims of social engineering, experiencing 25 or more attacks in the past two years, costing businesses anywhere from $25,000 to over $100,000 per security incident. [P]hishing and social networking tools are the most common sources of socially engineered threats.

Title: Second Annual Cost of Cyber Crime Study
URL: http://www.arcsight.com/collateral/whitepapers/2011_Cost_of_Cyber_Crime_Study_August.pdf
Date: August 2011
Source: Ponemon Institute
Pages: 30
Notes: [T]he median annualized cost for 50 benchmarked organizations is $5.9 million per year, with a range from $1.5 million to $36.5 million each year per company. This represents an increase in median cost of 56% from [Ponemon’s] first cyber cost study published last year.

Title: Revealed: Operation Shady RAT: an Investigation of Targeted Intrusions into 70+ Global Companies, Governments, and Non-Profit Organizations During the Last 5 Years
URL: http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf
Date: August 2, 2011
Source: McAfee Research Labs
Pages: 14
Notes: A comprehensive analysis of victim profiles from a five-year targeted operation which penetrated 72 government and other organizations, most of them in the United States, and copied everything from military secrets to industrial designs. See page 4 for types of compromised parties, page 5 for geographic distribution of victim’s country of origin, pages 7-9 for types of victims, and pages 10-13 for the number of intrusions for 2007-2010.

Title: 2010 Annual Study: U.S. Cost of a Data Breach
URL: http://www.symantec.com/content/en/us/about/media/pdfs/symantec_ponemon_data_breach_costs_report.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2011Mar_worldwide_costofdatabreach
Date: March 2011
Source: Ponemon Institute/Symantec
Pages: 39
Notes: The average organizational cost of a data breach increased to $7.2 million and cost companies an average of $214 per compromised record.

Title: FY2010 Report to Congress on the Implementation of the Federal Information Security Management Act of 2002
URL: http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/FY10_FISMA.pdf
Date: March 2011
Source: White House/Office of Management and Budget
Pages: 48
Notes: The number of attacks against federal networks increased nearly 40% last year, while the number of incidents targeting U.S. computers overall was down roughly 1% for the same period. (See pp. 12-13).

Title: A Good Decade for Cybercrime: McAfee’s Look Back at Ten Years of Cybercrime
URL: http://www.mcafee.com/us/resources/reports/rp-good-decade-for-cybercrime.pdf
Date: December 29, 2010
Source: McAfee
Pages: 11
Notes: A review of the most publicized, pervasive, and costly cybercrime exploits from 2000-2010.

Note: Statistics are from the source publication and have not been independently verified by CRS.
Cybersecurity Glossaries
Table 10 includes links to glossaries of useful cybersecurity terms, including those related to cloud computing and cyberwarfare.
Table 10. Glossaries of Cybersecurity Terms

Title: Cloud Computing Reference Architecture
URL: http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/ReferenceArchitectureTaxonomy/NIST_SP_500-292_-_090611.pdf
Source: National Institute of Standards and Technology (NIST)
Date: September 2011
Pages: 35
Notes: Provides guidance to specific communities of practitioners and researchers.

Title: Glossary of Key Information Security Terms
URL: http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/ReferenceArchitectureTaxonomy/NIST_SP_500-292_-_090611.pdf
Source: NIST
Date: February 2011
Pages: 211
Notes: The glossary provides a central resource of terms and definitions most commonly used in NIST information security publications and in Committee for National Security Systems (CNSS) information assurance publications.

Title: CIS Consensus Information Security Metrics
URL: http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/ReferenceArchitectureTaxonomy/NIST_SP_500-292_-_090611.pdf
Source: Center for Internet Security
Date: November 2010
Pages: 175
Notes: Provides definitions for security professionals to measure some of the most important aspects of the information security status. The goal is to give an organization the ability to repeatedly evaluate security in a standardized way, allowing it to identify trends, understand the impact of activities and make responses to improve the security status. (Free registration required.)

Title: Joint Terminology for Cyberspace Operations
URL: http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/ReferenceArchitectureTaxonomy/NIST_SP_500-292_-_090611.pdf
Source: Chairman of the Joint Chiefs of Staff
Date: November 1, 2010
Pages: 16
Notes: This lexicon is the starting point for normalizing terms in all cyber-related documents, instructions, CONOPS, and publications as they come up for review.

Title: Department of Defense Dictionary of Military and Associated Terms
URL: http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/ReferenceArchitectureTaxonomy/NIST_SP_500-292_-_090611.pdf
Source: Chairman of the Joint Chiefs of Staff
Date: November 8, 2010 (as amended through January 15, 2012)
Pages: 547
Notes: Provides joint policy and guidance for Information Assurance (IA) and Computer Network Operations (CNO) activities.

Title: DHS Risk Lexicon
URL: http://www.dhs.gov/xlibrary/assets/dhs-risk-lexicon-2010.pdf
Source: Department of Homeland Security (DHS) Risk Steering Committee
Date: September 2010
Pages: 72
Notes: The lexicon promulgates a common language, facilitates the clear exchange of structured and unstructured data, and provides consistency and clear understanding with regard to the usage of terms by the risk community across the DHS.

Note: Highlights compiled by CRS from the reports.
Reports by Topic
This section gives references to analytical reports on cybersecurity from CRS, other
governmental agencies, and trade organizations. The reports are grouped under the following
cybersecurity topics: policy framework overview, critical infrastructure, and cybercrime and
national security.
For each topic, CRS reports are listed first and then followed by tables with reports from other
organizations. The overview reports provide an analysis of a broad range of cybersecurity issues
(Table 11 to Table 16). The critical infrastructure reports (Table 17) analyze cybersecurity issues
related to telecom infrastructure, the electricity grid, and industrial control systems. The
cybercrime and national security reports (Table 18) analyze a wide range of cybersecurity issues,
including identity theft and government policies for dealing with cyberwar scenarios. In addition,
tables with selected reports on international efforts to address cybersecurity problems, training for
cybersecurity professionals, and research and development efforts in other areas are also provided
(Table 19 to Table 21).
CRS Reports Overview: Cybersecurity Policy Framework
• CRS Report R42114, Federal Laws Relating to Cybersecurity: Discussion of
Proposed Revisions, by Eric A. Fischer
• CRS Report R41941, The Obama Administration’s Cybersecurity Proposal:
Criminal Provisions, by Gina Stevens
• CRS Report R40150, A Federal Chief Technology Officer in the Obama
Administration: Options and Issues for Consideration, by John F. Sargent Jr.
• CRS Report R42409, Cybersecurity: Selected Legal Issues, by Edward C. Liu
et al.

Table 11. Selected Reports: Cybersecurity Overview

Title: Cyber-security: The Vexed Question of Global Rules: An Independent Report on Cyber-Preparedness Around the World
URL: http://www.dhs.gov/xlibrary/assets/dhs-risk-lexicon-2010.pdf
Source: McAfee and the Security Defense Agenda
Date: February 2012
Pages: 108
Notes: The report examines the current state of cyber-preparedness around the world, and is based on survey results from 80 policy-makers and cybersecurity experts in the government, business, and academic sectors from 27 countries. The countries were ranked on their state of cyber-preparedness.

Title: Mission Critical: A Public-Private Strategy for Effective Cybersecurity
URL: http://businessroundtable.org/uploads/studies-reports/downloads/2011_10_Mission_Critical_A_Public-Private_Strategy_for_Effective_Cybersecurity_4_20_12.pdf
Source: Business Roundtable
Date: October 11, 2011
Pages: 28
Notes: According to the report, “[p]ublic policy solutions must recognize the absolute importance of leveraging policy foundations that support effective global risk management, in contrast to ‘check-the-box’ compliance approaches that can undermine security and cooperation.” The document concludes with specific policy proposals and activity commitments.

Title: World Cybersecurity Technology Research Summit (Belfast 2011)
URL: http://www.csit.qub.ac.uk/media/pdf/Filetoupload,252359,en.pdf
Source: Centre for Secure Information Technologies (CSIT)
Date: September 12, 2011
Pages: 14
Notes: The Belfast 2011 event attracted international cyber security experts from leading research institutes, government bodies, and industry who gathered to discuss current cyber security threats, predict future threats and the necessary mitigation techniques, and to develop a collective strategy for the next research.

Title: A Review of Frequently Used Cyber Analogies
URL: http://www.nsci-va.org/WhitePapers/2011-07-22-Cyber Analogies Whitepaper-K McKee.pdf
Source: National Security Cyberspace Institute
Date: July 22, 2011
Pages: 7
Notes: The current cybersecurity crisis can be described several ways with numerous metaphors. Many compare the lawlessness of the current crisis to that of the Wild West, and the out-dated tactics and race to security to the Cold War. When cyberspace is treated as a distressed ecosystem, the work of both national and international agencies to eradicate many infectious diseases serves as a model of how poor health can be corrected with proper resources and execution. Before these issues are discussed, what cyberspace actually is must be identified.

Title: America’s Cyber Future: Security and Prosperity in the Information Age
URL: http://www.cnas.org/node/6405
Source: Center for a New American Security
Date: June 1, 2011
Pages: 296
Notes: To help U.S. policymakers address the growing danger of cyber insecurity, this two-volume report features chapters on cyber security strategy, policy, and technology by some of the world’s leading experts on international relations, national security, and information technology.

Title: Resilience of the Internet Interconnection Ecosystem
URL: http://www.enisa.europa.eu/act/res/other-areas/inter-x/report/interx-report
Source: European Network and Information Security Agency (ENISA)
Date: April 11, 2011
Pages: 238
Notes: Part I: Summary and Recommendations; Part II: State of the Art Review (a detailed description of the Internet’s routing mechanisms and analysis of their robustness at the technical, economic and policy levels); Part III: Report on the Consultation (a broad range of stakeholders were consulted; this part reports on the consultation and summarizes the results); Part IV: Bibliography and Appendices.

Title: Improving our Nation’s Cybersecurity through the Public-Private Partnership: a White Paper
URL: http://www.cdt.org/files/pdfs/20110308_cbyersec_paper.pdf
Source: Business Software Alliance, Center for Democracy & Technology, U.S. Chamber of Commerce, Internet Security Alliance, TechAmerica
Date: March 8, 2011
Pages: 26
Notes: This paper proposes expanding the existing partnership within the framework of the National Infrastructure Protection Plan. Specifically, it makes a series of recommendations that build upon the conclusions of President Obama’s Cyberspace Policy Review.

Title: Cybersecurity Two Years Later
URL: http://csis.org/files/publication/110128_Lewis_CybersecurityTwoYearsLater_Web.pdf
Source: CSIS Commission on Cybersecurity for the 44th Presidency, Center for Strategic and International Studies
Date: January 2011
Pages: 22
Notes: From the report: “We thought then [in 2008] that securing cyberspace had become a critical challenge for national security, which our nation was not prepared to meet.... In our view, we are still not prepared.”

Title: Toward Better Usability, Security, and Privacy of Information Technology: Report of a Workshop
URL: http://www.nap.edu/catalog.php?record_id=12998
Source: National Research Council
Date: September 21, 2010
Pages: 70
Notes: Discusses computer system security and privacy, their relationship to usability, and research at their intersection. This is drawn from remarks made at the National Research Council’s July 2009 Workshop on Usability, Security and Privacy of Computer Systems, as well as recent reports from the NRC's Computer Science and Telecommunications Board on security and privacy.

Title: National Security Threats in Cyberspace
URL: http://nationalstrategy.com/Portals/0/documents/National%20Security%20Threats%20in%20Cyberspace.pdf
Source: Joint Workshop of the National Security Threats in Cyberspace and the National Strategy Forum
Date: September 15, 2009
Pages: 37
Notes: The two-day workshop brought together more than two dozen experts with diverse backgrounds: physicists; telecommunications executives; Silicon Valley entrepreneurs; federal law enforcement, military, homeland security, and intelligence officials; congressional staffers; and civil liberties advocates. For two days they engaged in an open-ended discussion of cyber policy as it relates to national security, under Chatham House Rules: their comments were for the public record, but they were not for attribution.

Note: Highlights compiled by CRS from the reports.
Table 12. Selected Government Reports: Government Accountability Office (GAO)

Title: Cybersecurity: Challenges to Securing the Modernized Electricity Grid
URL: http://www.csit.qub.ac.uk/media/pdf/Filetoupload,252359,en.pdf
Date: February 28, 2012
Pages: 19
Notes: As GAO reported in January 2011, securing smart grid systems and networks presented a number of key challenges that required attention by government and industry. GAO made several recommendations to the Federal Energy Regulatory Commission (FERC) aimed at addressing these challenges. The commission agreed with these recommendations and described steps it is taking to implement them.

Title: Critical Infrastructure Protection: Cybersecurity Guidance Is Available, but More Can Be Done to Promote Its Use
URL: http://www.gao.gov/products/GAO-12-92
Date: December 9, 2011
Pages: 77
Notes: Given the plethora of guidance available, individual entities within the sectors may be challenged in identifying the guidance that is most applicable and effective in improving their security posture. Improved knowledge of the guidance that is available could help both federal and private sector decision makers better coordinate their efforts to protect critical cyber-reliant assets.

Title: Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination
URL: http://www.gao.gov/products/GAO-12-8
Date: November 29, 2011
Pages: 86
Notes: All the agencies GAO reviewed faced challenges determining the size of their cybersecurity workforce because of variations in how work is defined and the lack of an occupational series specific to cybersecurity. With respect to other workforce planning practices, all agencies had defined roles and responsibilities for their cybersecurity workforce, but these roles did not always align with guidelines issued by the federal Chief Information Officers Council and National Institute of Standards and Technology (NIST).

Title: Federal Chief Information Officers: Opportunities Exist to Improve Role in Information Technology Management
URL: http://www.gao.gov/products/GAO-11-634
Date: October 17, 2011
Pages: 72
Notes: GAO is recommending that the Office of Management and Budget (OMB) update its guidance to establish measures of accountability for ensuring that CIOs' responsibilities are fully implemented and require agencies to establish internal processes for documenting lessons learned.

Title: Information Security: Additional Guidance Needed to Address Cloud Computing Concerns
URL: http://www.gao.gov/products/GAO-12-130T
Date: October 5, 2011
Pages: 17
Notes: Twenty-two of 24 major federal agencies reported that they were either concerned or very concerned about the potential information security risks associated with cloud computing. GAO recommended that the NIST issue guidance specific to cloud computing security.

Title: Information Security: Weaknesses Continue Amid New Federal Efforts to Implement Requirements
URL: http://www.gao.gov/products/GAO-12-137
Date: October 3, 2011
Pages: 49
Notes: Weaknesses in information security policies and practices at 24 major federal agencies continue to place the confidentiality, integrity, and availability of sensitive information and information systems at risk. Consistent with this risk, reports of security incidents from federal agencies are on the rise, increasing over 650% over the past 5 years. Each of the 24 agencies reviewed had weaknesses in information security controls.
Title: Defense Department Cyber Efforts: Definitions, Focal Point, and Methodology Needed for DoD to Develop Full-Spectrum Cyberspace Budget Estimates
URL: http://www.gao.gov/products/GAO-11-695R
Date: July 29, 2011
Pages: 33
Notes: This letter discusses the Department of Defense’s cyber and information assurance budget for fiscal year 2012 and future years defense spending. The objectives of this review were to (1) assess the extent to which DOD has prepared an overarching budget estimate for full-spectrum cyberspace operations across the department; and (2) identify the challenges DOD has faced in providing such estimates.

Title: Continued Attention Needed to Protect Our Nation’s Critical Infrastructure
URL: http://www.gao.gov/products/GAO-11-463T
Date: July 26, 2011
Pages: 20
Notes: A number of significant challenges remain to enhancing the security of cyber-reliant critical infrastructures, such as (1) implementing actions recommended by the president's cybersecurity policy review; (2) updating the national strategy for securing the information and communications infrastructure; (3) reassessing DHS's planning approach to critical infrastructure protection; (4) strengthening public-private partnerships, particularly for information sharing; (5) enhancing the national capability for cyber warning and analysis; (6) addressing global aspects of cybersecurity and governance; and (7) securing the modernized electricity grid.

Title: Defense Department Cyber Efforts: DoD Faces Challenges in Its Cyber Activities
URL: http://www.gao.gov/products/GAO-11-75
Date: July 25, 2011
Pages: 79
Notes: GAO recommends that DOD evaluate how it is organized to address cybersecurity threats; assess the extent to which it has developed joint doctrine that addresses cyberspace operations; examine how it assigned command and control responsibilities; and determine how it identifies and acts to mitigate key capability gaps involving cyberspace operations.

Title: Critical Infrastructure Protection: Key Private and Public Cyber Expectations Need to Be Consistently Addressed
URL: http://www.gao.gov/products/GAO-10-628
Date: August 16, 2010
Pages: 38
Notes: The Special Assistant to the President and Cybersecurity Coordinator and the Secretary of Homeland Security should take two actions: (1) use the results of this report to focus their information-sharing efforts, including their relevant pilot projects, on the most desired services, including providing timely and actionable threat and alert information, access to sensitive or classified information, a secure mechanism for sharing information, and providing security clearance; and (2) bolster the efforts to build out the National Cybersecurity and Communications Integration Center as the central focal point for leveraging and integrating the capabilities of the private sector, civilian government, law enforcement, the military, and the intelligence community.

Title: Information Security: State Has Taken Steps to Implement a Continuous Monitoring Application, but Key Challenges Remain
URL: http://www.gao.gov/products/GAO-11-149
Date: July 8, 2011
Pages: 63
Notes: The Department of State implemented a custom application called iPost and a risk scoring program that is intended to provide continuous monitoring capabilities of information security risk to elements of its information technology (IT) infrastructure. To improve implementation of iPost at State, the Secretary of State should direct the Chief Information Officer to develop, document, and maintain an iPost configuration management and test process.
Title: Cybersecurity: Continued Attention Needed to Protect Our Nation's Critical Infrastructure and Federal Information Systems
URL: http://www.gao.gov/products/GAO-11-463T
Date: March 16, 2011
Pages: 16
Notes: Executive branch agencies have made progress instituting several governmentwide initiatives that are aimed at bolstering aspects of federal cybersecurity, such as reducing the number of federal access points to the Internet, establishing security configurations for desktop computers, and enhancing situational awareness of cyber events. Despite these efforts, the federal government continues to face significant challenges in protecting the nation's cyber-reliant critical infrastructure and federal information systems.

Title: Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed
URL: http://www.gao.gov/products/GAO-11-117
Date: January 12, 2011
Pages: 50
Notes: GAO identified the following six key challenges: (1) Aspects of the regulatory environment may make it difficult to ensure smart grid systems' cybersecurity. (2) Utilities are focusing on regulatory compliance instead of comprehensive security. (3) The electric industry does not have an effective mechanism for sharing information on cybersecurity. (4) Consumers are not adequately informed about the benefits, costs, and risks associated with smart grid systems. (5) There is a lack of security features being built into certain smart grid systems. (6) The electricity industry does not have metrics for evaluating cybersecurity.

Title: Information Security: Federal Agencies Have Taken Steps to Secure Wireless Networks, but Further Actions Can Mitigate Risk
URL: http://www.gao.gov/products/GAO-11-43
Date: November 30, 2010
Pages: 50
Notes: Existing governmentwide guidelines and oversight efforts do not fully address agency implementation of leading wireless security practices. Until agencies take steps to better implement these leading practices, and OMB takes steps to improve governmentwide oversight, wireless networks will remain at an increased vulnerability to attack.

Title: Cyberspace Policy: Executive Branch Is Making Progress Implementing 2009 Policy Review Recommendations, but Sustained Leadership Is Needed
URL: http://www.gao.gov/products/GAO-11-24
Date: October 6, 2010
Pages: 66
Notes: Of the 24 recommendations in the President’s May 2009 cyber policy review report, 2 have been fully implemented, and 22 have been partially implemented. While these efforts appear to be steps forward, agencies were largely not able to provide milestones and plans that showed when and how implementation of the recommendations was to occur.

Title: DHS Efforts to Assess and Promote Resiliency Are Evolving but Program Management Could Be Strengthened
URL: http://www.gao.gov/products/GAO-10-772
Date: September 23, 2010
Pages: 46
Notes: The Department of Homeland Security (DHS) has not developed an effective way to ensure that critical national infrastructure, such as electrical grids and telecommunications networks, can bounce back from a disaster. DHS has conducted surveys and vulnerability assessments of critical infrastructure to identify gaps, but has not developed a way to measure whether owners and operators of that infrastructure adopt measures to reduce risks.

Title: Information Security: Progress Made on Harmonizing Policies and Guidance for National Security and Non-National Security Systems
URL: http://www.gao.gov/products/GAO-10-916
Date: September 15, 2010
Pages: 38
Notes: OMB and NIST established policies and guidance for civilian non-national security systems, while other organizations, including the Committee on National Security Systems (CNSS), DOD, and the U.S. intelligence community, have developed policies and guidance for national security systems. GAO was asked to assess the progress of federal efforts to harmonize policies and guidance for these two types of systems.
United States Faces Challenges in Addressing Global
August 2, 2010
53
GAO recommends that the Special Assistant to the President and
Cybersecurity and Governance
Cybersecurity Coordinator should make recommendations to appropriate
agencies and interagency coordination committees regarding any necessary
http://www.gao.gov/products/GAO-10-606
changes to more effectively coordinate and forge a coherent national
approach to cyberspace policy.
Federal Guidance Needed to Address Control Issues With
July 1, 2010
53
To assist federal agencies in identifying uses for cloud computing and
Implementing Cloud Computing
information security measures to use in implementing cloud computing, the
Director of OMB should establish milestones for completing a strategy for
http://www.gao.gov/products/GAO-10-513
implementing the federal cloud computing initiative.
Continued Attention Is Needed to Protect Federal
June 16, 2010
15
Multiple opportunities exist to improve federal cybersecurity. To address
Information Systems from Evolving Threats
identified deficiencies in agencies’ security controls and shortfalls in their
information security programs, GAO and agency inspectors general have
http://www.gao.gov/products/GAO-10-834t
made hundreds of recommendations over the past several years, many of
which agencies are implementing. In addition, the White House, the Office of
Management and Budget, and certain federal agencies have undertaken several
governmentwide initiatives intended to enhance information security at federal
agencies. While progress has been made on these initiatives, they all face
challenges that require sustained attention, and GAO has made several
recommendations for improving the implementation and effectiveness of these
initiatives.
Title: Information Security: Concerted Response Needed to Resolve Persistent Weaknesses
Date: March 24, 2010
Pages: 21
URL: http://www.gao.gov/products/GAO-10-536t
Notes: Without proper safeguards, federal computer systems are vulnerable to intrusions by individuals who have malicious intentions and can obtain sensitive information. The need for a vigilant approach to information security has been demonstrated by the pervasive and sustained cyber attacks against the United States; these attacks continue to pose a potentially devastating impact to systems as well as the operations and critical infrastructures that they support.
Title: Cybersecurity: Continued Attention Is Needed to Protect Federal Information Systems from Evolving Threats
Date: March 16, 2010
Pages: 15
URL: http://www.gao.gov/products/GAO-11-463T
Notes: The White House, the Office of Management and Budget, and certain federal agencies have undertaken several governmentwide initiatives intended to enhance information security at federal agencies. While progress has been made on these initiatives, they all face challenges that require sustained attention, and GAO has made several recommendations for improving the implementation and effectiveness of these initiatives.

Title: Concerted Effort Needed to Consolidate and Secure Internet Connections at Federal Agencies
Date: April 12, 2010
Pages: 40
URL: http://www.gao.gov/products/GAO-10-237
Notes: To reduce the threat to federal systems and operations posed by cyber attacks on the United States, OMB launched, in November 2007, the Trusted Internet Connections (TIC) initiative, and later, in 2008, the Department of Homeland Security’s (DHS’s) National Cybersecurity Protection System (NCPS), operationally known as Einstein, which became mandatory for federal agencies as part of TIC. In order to further ensure that federal agencies have adequate, sufficient, and timely information to successfully meet the goals and objectives of the TIC and Einstein programs, the Secretary of Homeland Security should, to better understand whether Einstein alerts are valid, develop additional performance measures that indicate how agencies respond to alerts.
Title: Cybersecurity: Progress Made But Challenges Remain in Defining and Coordinating the Comprehensive National Initiative
Date: March 5, 2010
Pages: 64
URL: http://www.gao.gov/products/GAO-10-338
Notes: To address strategic challenges in areas that are not the subject of existing projects within CNCI but remain key to achieving the initiative’s overall goal of securing federal information systems, the Director of OMB should continue development of a strategic approach to identity management and authentication, linked to HSPD-12 implementation, as initially described in the Chief Information Officers Council's plan for implementing federal identity, credential, and access management, so as to provide greater assurance that only authorized individuals and entities can gain access to federal information systems.
Title: Continued Efforts Are Needed to Protect Information Systems from Evolving Threats
Date: November 17, 2009
Pages: 24
URL: http://www.gao.gov/products/GAO-10-230t
Notes: GAO has identified weaknesses in all major categories of information security controls at federal agencies. For example, in fiscal year 2008, weaknesses were reported in such controls at 23 of 24 major agencies. Specifically, agencies did not consistently authenticate users to prevent unauthorized access to systems; apply encryption to protect sensitive data; and log, audit, and monitor security-relevant events, among other actions.
Title: Efforts to Improve Information Sharing Need to Be Strengthened
Date: August 27, 2003
Pages: 59
URL: http://www.gao.gov/products/GAO-03-760
Notes: Information on threats, methods, and techniques of terrorists is not routinely shared; and the information that is shared is not perceived as timely, accurate, or relevant.
Source: GAO.
Note: Highlights compiled by CRS from the reports.
Table 13. Selected Government Reports: White House/Office of Management and Budget

Title: Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program
Date: December 6, 2011
Pages: 36
URL: http://www.whitehouse.gov/sites/default/files/microsites/ostp/fed_cybersecurity_rd_strategic_plan_2011.pdf
Notes: As a research and development strategy, this plan defines four strategic thrusts: Inducing Change; Developing Scientific Foundations; Maximizing Research Impact; and Accelerating Transition to Practice.
Title: Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information
Date: October 7, 2011
Pages: N/A
URL: http://www.whitehouse.gov/the-press-office/2011/10/07/executive-order-structural-reforms-improve-security-classified-networks-
Notes: President Obama signed an executive order outlining data security measures and rules for government agencies to follow to prevent further data leaks by insiders. The order included the creation of a senior steering committee that will oversee the safeguarding and sharing of information.
Title: FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (a)
Date: September 14, 2011
Pages: 29
URL: http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-33.pdf
Notes: Rather than enforcing a static, three-year reauthorization process, agencies are expected to conduct ongoing authorizations of information systems through the implementation of continuous monitoring programs. Continuous monitoring programs thus fulfill the three-year security reauthorization requirement, so a separate reauthorization process is not necessary.
Title: International Strategy for Cyberspace
Date: May 16, 2011
Pages: 30
URL: http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf
Notes: The strategy marks the first time any administration has attempted to set forth in one document the U.S. government’s vision for cyberspace, including goals for defense, diplomacy, and international development.
Title: Cybersecurity Legislative Proposal (Fact Sheet)
Date: May 12, 2011
Pages: N/A
URL: http://www.whitehouse.gov/the-press-office/2011/05/12/fact-sheet-cybersecurity-legislative-proposal
Notes: The Administration's proposal ensures the protection of individuals' privacy and civil liberties through a framework designed expressly to address the challenges of cybersecurity. The Administration's legislative proposal includes: Management, Personnel, Intrusion Prevention Systems, and Data Centers.
Title: Federal Cloud Computing Strategy
Date: February 13, 2011
Pages: 43
URL: http://www.cio.gov/documents/Federal-Cloud-Computing-Strategy.pdf
Notes: The strategy outlines how the federal government can accelerate the safe, secure adoption of cloud computing, and provides agencies with a framework for migrating to the cloud. It also examines how agencies can address challenges related to the adoption of cloud computing, such as privacy, procurement, standards, and governance.
Title: 25 Point Implementation Plan to Reform Federal Information Technology Management
Date: December 9, 2010
Pages: 40
URL: http://www.cio.gov/documents/25-Point-Implementation-Plan-to-Reform-Federal%20IT.pdf
Notes: The plan’s goals are to reduce the number of federally run data centers from 2,100 to approximately 1,300, rectify or cancel one-third of troubled IT projects, and require federal agencies to adopt a “cloud first” strategy in which they will move at least one system to a hosted environment within a year.

Title: Clarifying Cybersecurity Responsibilities
Date: July 6, 2010
Pages: 39
URL: http://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-28.pdf
Notes: This memorandum outlines and clarifies the respective responsibilities and activities of the Office of Management and Budget (OMB), the Cybersecurity Coordinator, and DHS, in particular with respect to the Federal Government's implementation of the Federal Information Security Management Act of 2002 (FISMA).
Title: The National Strategy for Trusted Identities in Cyberspace: Creating Options for Enhanced Online Security and Privacy
Date: June 25, 2010
Pages: 39
URL: http://www.dhs.gov/xlibrary/assets/ns_tic.pdf
Notes: The NSTIC, which is in response to one of the near-term action items in the President's Cyberspace Policy Review, calls for the creation of an online environment, or an Identity Ecosystem, where individuals and organizations can complete online transactions with confidence, trusting the identities of each other and the identities of the infrastructure where transactions occur.
Title: Comprehensive National Cybersecurity Initiative (CNCI)
Date: March 2, 2010
Pages: 5
URL: http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative
Notes: The CNCI establishes a multi-pronged approach the federal government is to take in identifying current and emerging cyber threats, shoring up current and future telecommunications and cyber vulnerabilities, and responding to or proactively addressing entities that wish to steal or manipulate protected data on secure federal systems.
Title: Cyberspace Policy Review: Assuring a Trusted and Resilient Communications Infrastructure
Date: May 29, 2009
Pages: 76
URL: http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf
Notes: The President directed a 60-day, comprehensive, “clean-slate” review to assess U.S. policies and structures for cybersecurity. The review team of government cybersecurity experts engaged and received input from a broad cross-section of industry, academia, the civil liberties and privacy communities, state governments, international partners, and the legislative and executive branches. This paper summarizes the review team’s conclusions and outlines the beginning of the way forward toward a reliable, resilient, trustworthy digital infrastructure for the future.
Source: Highlights compiled by CRS from the White House reports.
a. White House and Office of Management and Budget.
Table 14. Selected Government Reports: Department of Defense (DOD)

Title: DOD Information Security Program: Overview, Classification, and Declassification
Source: DOD
Date: February 16, 2012
Pages: 84
URL: http://www.fas.org/sgp/othergov/dod/5200_01v1.pdf
Notes: Describes the DOD Information Security Program and provides guidance for classification and declassification of DOD information that requires protection in the interest of the national security.
Title: Defense Department Cyber Efforts: Definitions, Focal Point, and Methodology Needed for DOD to Develop Full-Spectrum Cyberspace Budget Estimates
Source: Government Accountability Office (GAO)
Date: July 29, 2011
Pages: 33
URL: http://www.gao.gov/products/GAO-11-695R
Notes: This letter discusses DOD’s cyber and information assurance budget for fiscal year 2012 and future years defense spending. The objectives of this review were to (1) assess the extent to which DOD has prepared an overarching budget estimate for full-spectrum cyberspace operations across the department; and (2) identify the challenges DOD has faced in providing such estimates.
Title: Legal Reviews of Weapons and Cyber Capabilities
Source: Secretary of the Air Force
Date: July 27, 2011
Pages: 7
URL: http://www.e-publishing.af.mil/shared/media/epubs/AFI51-402.pdf
Notes: States that the Air Force must subject cyber capabilities to legal review for compliance with the Law of Armed Conflict and other international and domestic laws. The Air Force judge advocate general must ensure that all cyber capabilities “being developed, bought, built, modified or otherwise acquired by the Air Force" undergo legal review, except for cyber capabilities within a Special Access Program, which must undergo review by the Air Force general counsel.
Title: Department of Defense Strategy for Operating in Cyberspace
Source: DOD
Date: July 14, 2011
Pages: 19
URL: http://www.defense.gov/news/d20110714cyber.pdf
Notes: This is an unclassified summary of DOD's cybersecurity strategy.
Title: Cyber Operations Personnel Report (DOD)
Source: DOD
Date: April 2011
Pages: 84
URL: http://www.nsci-va.org/CyberReferenceLib/2011-04-Cyber%20Ops%20Personnel.pdf
Notes: This report focuses on FY2009 Department of Defense Cyber Operations personnel, with duties and responsibilities as defined in Section 934 of the Fiscal Year 2010 National Defense Authorization Act (NDAA). Appendix A: Cyber Operations-related Military Occupations. Appendix B: Commercial Certifications Supporting the DOD Information Assurance Workforce Improvement Program. Appendix C: Military Services Training and Development. Appendix D: Geographic Location of National Centers of Academic Excellence in Information Assurance.

Title: Critical Code: Software Producibility for Defense
Source: National Research Council, Committee for Advancing Software-Intensive Systems Producibility
Date: October 20, 2010
Pages: 161
URL: http://www.nap.edu/catalog.php?record_id=12979
Notes: Assesses the nature of the national investment in software research and, in particular, considers ways to revitalize the knowledge base needed to design, produce, and employ software-intensive systems for tomorrow’s defense needs.
Title: Defending a New Domain
Source: U.S. Deputy Secretary of Defense William J. Lynn (Foreign Affairs)
Date: September 2010
Pages: N/A
URL: http://www.foreignaffairs.com/articles/66552/william-j-lynn-iii/defending-a-new-domain
Notes: In 2008, the U.S. Department of Defense suffered a significant compromise of its classified military computer networks. It began when an infected flash drive was inserted into a U.S. military laptop at a base in the Middle East. This previously classified incident was the most significant breach of U.S. military computers ever, and served as an important wake-up call.
Title: The QDR in Perspective: Meeting America’s National Security Needs In the 21st Century (QDR Final Report)
Source: Quadrennial Defense Review
Date: July 30, 2010
Pages: 159
URL: http://www.usip.org/quadrennial-defense-review-independent-panel-/view-the-report
Notes: From the report: “The expanding cyber mission also needs to be examined. The Department of Defense should be prepared to assist civil authorities in defending cyberspace – beyond the Department’s current role."
Title: Cyberspace Operations: Air Force Doctrine Document 3-12
Source: U.S. Air Force
Date: July 15, 2010
Pages: 62
URL: http://www.e-publishing.af.mil/shared/media/epubs/afdd3-12.pdf
Notes: This Air Force Doctrine Document (AFDD) establishes doctrinal guidance for the employment of U.S. Air Force forces in, through, and from cyberspace. It is the keystone of Air Force operational-level doctrine for cyberspace operations.
Title: DON (Department of the Navy) Cybersecurity/Information Assurance Workforce Management, Oversight and Compliance
Source: U.S. Navy
Date: June 17, 2010
Pages: 14
URL: http://www.doncio.navy.mil/PolicyView.aspx?ID=1804
Notes: Establishes policy and assigns responsibilities for the administration of the Department of the Navy (DON) Cybersecurity (CS)/Information Assurance Workforce (IAWF) Management Oversight and Compliance Program.
Note: Highlights compiled by CRS from the reports.
Table 15. Selected Government Reports: National Strategy for Trusted Identities in Cyberspace (NSTIC)

Title: Recommendations for Establishing an Identity Ecosystem Governance Structure for the National Strategy for Trusted Identities in Cyberspace
Source: NIST
Date: February 17, 2012
Pages: 51
URL: http://www.nist.gov/nstic/2012-nstic-governance-recs.pdf
Notes: NIST responds to comments received in response to the related Notice of Inquiry published in the Federal Register on June 14, 2011.
Title: Models for a Governance Structure for the National Strategy for Trusted Identities in Cyberspace
Source: Department of Commerce
Date: June 14, 2011
Pages: 4
URL: http://www.nist.gov/nstic/2012-nstic-governance-recs.pdf
Notes: The department seeks public comment from all stakeholders, including the commercial, academic and civil society sectors, and consumer and privacy advocates, on potential models, in the form of recommendations and key assumptions, for the formation and structure of the steering group.
Title: Administration Releases Strategy to Protect Online Consumers and Support Innovation and Fact Sheet on National Strategy for Trusted Identities in Cyberspace
Source: White House
Date: April 15, 2011
Pages: 52
URL: http://www.whitehouse.gov/the-press-office/2011/04/15/administration-releases-strategy-protect-online-consumers-and-support-in
Notes: Press release on a proposal to administer the processes for policy and standards adoption for the Identity Ecosystem Framework in accordance with the National Strategy for Trusted Identities in Cyberspace (NSTIC).
Title: National Strategy for Trusted Identities in Cyberspace
Source: White House
Date: April 15, 2011
Pages: 52
URL: http://www.whitehouse.gov/blog/2010/06/25/national-strategy-trust
cyberspace
Notes: The NSTIC aims to make online transactions more trustworthy, thereby giving businesses and consumers more confidence in conducting business online.
Note: Highlights compiled by CRS from the reports.
Table 16. Selected Reports: Cloud Computing

Title: Global Cloud Computing Scorecard: A Blueprint for Economic Opportunity
Source: Business Software Alliance
Date: February 2, 2012
Pages: 24
URL: http://portal.bsa.org/cloudscorecard2012/
Notes: This report notes that while many developed countries have adjusted their laws and regulations to address cloud computing, the wide differences in those rules make it difficult for companies to invest in the technology.
Title: Concept of Operations: FedRAMP
Source: General Services Administration (GSA)
Date: February 7, 2012
Pages: 47
URL: http://www.gsa.gov/graphics/staffoffices/FedRAMP_CONOPS.pdf
Notes: Implementation of FedRAMP will be in phases. This document describes all the services that will be available at initial operating capability, targeted for June 2012. The Concept of Operations will be updated as the program evolves toward sustained operations.
Title: Federal Risk and Authorization Management Program (FedRAMP)
Source: Federal CIO Council
Date: January 4, 2012
Pages: N/A
URL: http://www.gsa.gov/portal/category/102371
Notes: The Federal Risk and Authorization Management Program, or FedRAMP, has been established to provide a standard approach to Assessing and Authorizing (A&A) cloud computing services and products.
Title: Security Authorization of Information Systems in Cloud Computing Environments (FedRAMP)
Source: White House/Office of Management and Budget (OMB)
Date: December 8, 2011
Pages: 7
URL: http://www.cio.gov/fedrampmemo.pdf
Notes: The Federal Risk and Authorization Management Program (FedRAMP) will now be required for all agencies purchasing storage, applications and other remote services from vendors. The Obama Administration has championed cloud computing as a means to save money and accelerate the government’s adoption of new technologies.
Title: U.S. Government Cloud Computing Technology Roadmap, Volume I, Release 1.0 (Draft). High-Priority Requirements to Further USG Agency Cloud Computing Adoption
Source: NIST
Date: December 1, 2011
Pages: 32
URL: http://www.nist.gov/itl/cloud/upload/SP_500_293_volumeI-2.pdf
Notes: Volume I is aimed at interested parties who wish to gain a general understanding and overview of the background, purpose, context, work, results, and next steps of the U.S. Government Cloud Computing Technology Roadmap initiative.
Title: U.S. Government Cloud Computing Technology Roadmap, Release 1.0 (Draft), Volume II: Useful Information for Cloud Adopters
Source: NIST
Date: December 1, 2011
Pages: 85
URL: http://www.nist.gov/itl/cloud/upload/SP_500_293_volumeII.pdf
Notes: Volume II is designed to be a technical reference for those actively working on strategic and tactical cloud computing initiatives, including, but not limited to, U.S. government cloud adopters. Volume II integrates and summarizes the work completed to date, and explains how these findings support the roadmap introduced in Volume I.
Title: Information Security: Additional Guidance Needed to Address Cloud Computing Concerns
Source: GAO
Date: October 5, 2011
Pages: 17
URL: http://www.gao.gov/products/GAO-12-130T
Notes: Twenty-two of 24 major federal agencies reported that they were either concerned or very concerned about the potential information security risks associated with cloud computing. GAO recommended that NIST issue guidance specific to cloud computing security. NIST has issued multiple publications which address such guidance; however, one publication remains in draft, and is not to be finalized until the first quarter of fiscal year 2012.
Title: Cloud Computing Reference Architecture
Source: NIST
Date: September 1, 2011
Pages: 35
URL: http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909505
Notes: This “Special Publication," which is not an official U.S. government standard, is designed to provide guidance to specific communities of practitioners and researchers.
Title: Guide to Cloud Computing for Policy Makers
Source: Software and Information Industry Association (SIIA)
Date: July 26, 2011
Pages: 27
URL: http://www.siia.net/index.php?option=com_docman&task=doc_download&gid=3040&Itemid=318
Notes: The SIIA concludes “that there is no need for cloud-specific legislation or regulations to provide for the safe and rapid growth of cloud computing, and in fact, such actions could impede the great potential of cloud computing."
Title: Federal Cloud Computing Strategy
Source: White House
Date: February 13, 2011
Pages: 43
URL: http://www.cio.gov/documents/Federal-Cloud-Computing-Strategy.pdf
Notes: The strategy outlines how the federal government can accelerate the safe, secure adoption of cloud computing, and provides agencies with a framework for migrating to the cloud. It also examines how agencies can address challenges related to the adoption of cloud computing, such as privacy, procurement, standards, and governance.
Notes: These reports analyze cybersecurity issues related to the federal government’s adoption of cloud computing storage options. Highlights compiled by CRS from the reports.

CRS Reports: Critical Infrastructure
• CRS Report RL30153, Critical Infrastructures: Background, Policy, and
Implementation, by John D. Moteff
• CRS Report R41886, The Smart Grid and Cybersecurity—Regulatory Policy and
Issues, by Richard J. Campbell
• CRS Report R42338, Smart Meter Data: Privacy and Cybersecurity, by Brandon
J. Murrill, Edward C. Liu, and Richard M. Thompson II
• CRS Report RL33586, The Federal Networking and Information Technology
Research and Development Program: Background, Funding, and Activities, by
Patricia Moloney Figliola
• CRS Report 97-868, Internet Domain Names: Background and Policy Issues, by
Lennard G. Kruger
• CRS Report R42351, Internet Governance and the Domain Name System: Issues
for Congress, by Lennard G. Kruger

Table 17. Selected Reports: Critical Infrastructure

Title: Cybersecurity for Energy Delivery Systems Program
Source: Department of Energy, Office of Electricity Delivery & Energy Reliability
Date: ongoing
Pages: N/A
URL: http://energy.gov/oe/technology-development/energy-delivery-systems-cybersecurity
Notes: The program assists energy sector asset owners (electric, oil, and gas) by developing cybersecurity solutions for energy delivery systems through integrated planning and a focused research and development effort. CEDS co-funds projects with industry partners to make advances in cybersecurity capabilities for energy delivery systems.
Title: ICT Applications for the Smart Grid: Opportunities and Policy Implications
Source: Organization for Economic Co-operation and Development (OECD)
Date: January 10, 2012
Pages: 44
URL: http://www.oecd-ilibrary.org/docserver/download/fulltext/5k9h2q8v9bln.pdf?expires=1330527950&id=id&accname=guest&checksum=F4470043AC638BE19D5131C3D5CE5EA4
Notes: This report discusses “smart” applications of information and communication technologies (ICTs) for more sustainable energy production, management and consumption. The report outlines policy implications for government ministries dealing with telecommunications regulation, ICT sector and innovation promotion, and consumer and competition issues.
Title: The Department’s Management of the Smart Grid Investment Grant Program
Source: Department of Energy (DOE) Inspector General
Date: January 1, 2012
Pages: 21
URL: http://energy.gov/ig/downloads/departments-management-smart-grid-investment-grant-program-oas-ra-12-04
Notes: According to the Inspector General, DOE's rush to award stimulus grants for projects under the next generation of the power grid, known as the Smart Grid, resulted in some firms receiving funds without submitting complete plans for how to safeguard the grid from cyber attacks.
Title: Critical Infrastructure Protection: Cybersecurity Guidance Is Available, but More Can Be Done to Promote Its Use
Source: Government Accountability Office (GAO)
Date: December 9, 2011
Pages: 77
URL: http://www.gao.gov/products/GAO-12-92
Notes: Given the plethora of guidance available, individual entities within the sectors may be challenged in identifying the guidance that is most applicable and effective in improving their security posture. Improved knowledge of the guidance that is available could help both federal and private sector decision makers better coordinate their efforts to protect critical cyber-reliant assets.
Title: The Future of the Electric Grid
Source: Massachusetts Institute of Technology (MIT)
Date: December 5, 2011
Pages: 39
URL: http://web.mit.edu/mitei/research/studies/the-electric-grid-2011.shtml
Notes: Chapter 1 provides an overview of the status of the grid, the challenges and opportunities it will face, and major recommendations. To facilitate selective reading, detailed descriptions of the contents of each section in Chapters 2–9 are provided in each chapter’s introduction, and recommendations are collected and briefly discussed in each chapter's final section. (See Chapter 9, Data Communications, Cybersecurity, and Information Privacy, pages 208-234.)
Title: FCC's Plan for Ensuring the Security of Telecommunications Networks
Source: Federal Communications Commission (FCC)
Date: June 3, 2011
Pages: 1
URL: ftp://ftp.fcc.gov/pub/Daily_Releases/Daily_Business/2011/db0610/DOC-307454A1.txt
Notes: FCC Chairman Genachowski's response to a letter from Rep. Anna Eshoo dated November 2, 2010, regarding concerns about the implications of foreign-controlled telecommunications infrastructure companies providing equipment to the U.S. market.
Title: Cyber Infrastructure Protection
Source: U.S. Army War College
Date: May 9, 2011
Pages: 324
URL: http://www.strategicstudiesinstitute.army.mil/pubs/display.cfm?pubid=1067
Notes: Part I deals with strategy and policy issues related to cyber security and provides discussions covering the theory of cyberpower, Internet survivability, large-scale data breaches, and the role of cyberpower in humanitarian assistance. Part II covers social and legal aspects of cyber infrastructure protection and discusses the attack dynamics of politically and religiously motivated hackers. Part III discusses the technical aspects of cyber infrastructure protection, including the resilience of data centers, intrusion detection, and a strong emphasis on Internet protocol (IP) networks.
Title: In the Dark: Crucial Industries Confront Cyberattacks
Source: McAfee and Center for Strategic and International Studies (CSIS)
Date: April 21, 2011
Pages: 28
URL: http://www.mcafee.com/us/resources/reports/rp-critical-infrastructure-protection.pdf
Notes: The study reveals an increase in cyber attacks on critical infrastructure such as power grids, oil, gas, and water; the study also shows that many of the world's critical infrastructures lacked protection of their computer networks, and reveals the cost and impact of cyberattacks.
Title: Cybersecurity: Continued Attention Needed to Protect Our Nation's Critical Infrastructure and Federal Information Systems
Source: Government Accountability Office (GAO)
Date: March 16, 2011
Pages: 16
URL: http://www.gao.gov/products/GAO-11-463T
Notes: According to GAO, executive branch agencies have also made progress instituting several government-wide initiatives that are aimed at bolstering aspects of federal cybersecurity, such as reducing the number of federal access points to the Internet, establishing security configurations for desktop computers, and enhancing situational awareness of cyber events. Despite these efforts, the federal government continues to face significant challenges in protecting the nation's cyber-reliant critical infrastructure and federal information systems.
Title: Federal Energy Regulatory Commission's Monitoring of Power Grid Cyber Security
Source: Department of Energy (DOE) Inspector General
Date: January 26, 2011
Pages: 30
URL: http://www.wired.com/images_blogs/threatlevel/2011/02/DoE-IG-Report-on-Grid-Security.pdf
Notes: The North American Electric Reliability Corp. (NERC) developed Critical Infrastructure Protection (CIP) cyber security reliability standards, which were approved by FERC in January 2008. Although the Commission had taken steps to ensure CIP cyber security standards were developed and approved, testing revealed that such standards did not always include controls commonly recommended for protecting critical information systems. In addition, the CIP standards implementation approach and schedule approved by the Commission were not adequate to ensure that systems-related risks to the nation's power grid were mitigated or addressed in a timely manner.
Title: Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed
Source: Government Accountability Office (GAO)
Date: January 12, 2011
Pages: 50
URL: http://www.gao.gov/products/GAO-11-117
Notes: To reduce the risk that NIST's smart grid cybersecurity guidelines will not be as effective as intended, the Secretary of Commerce should direct the Director of NIST to finalize the agency's plan for updating and maintaining the cybersecurity guidelines, including ensuring it incorporates (1) missing key elements identified in this report, and (2) specific milestones for when efforts are to be completed. Also, as a part of finalizing the plan, the Secretary of Commerce should direct the Director of NIST to assess whether any cybersecurity challenges identified in this report should be addressed in the guidelines.
Title: Partnership for Cybersecurity Innovation
Source: White House (Office of Science & Technology Policy)
Date: December 6, 2010
Pages: 4
URL: http://www.whitehouse.gov/blog/2010/12/06/partnership-cybersecurity-innovation
Notes: The Obama Administration released a Memorandum of Understanding signed by the National Institute of Standards and Technology (NIST) of the Department of Commerce, the Science and Technology Directorate of the Department of Homeland Security (DHS/S&T), and the Financial Services Sector Coordinating Council (FSSCC). The goal of the agreement is to speed the commercialization of cybersecurity research innovations that support the nation’s critical infrastructures.
Title: WIB Security Standard Released
Source: International Instrument Users Association (WIB)
Date: November 10, 2010
Pages: N/A
URL: http://www.isssource.com/wib/
Notes: The Netherlands-based International Instrument Users Association (WIB), an international organization that represents global manufacturers in the industrial automation industry, announced the second version of the Process Control Domain Security Requirements for Vendors document, the first international standard that outlines a set of specific requirements focusing on cyber security best practices for suppliers of industrial automation and control systems.
Title: Information Security Management System for Microsoft Cloud Infrastructure
Source: Microsoft
Date: November 2010
Pages: 15
URL: http://cdn.globalfoundationservices.com/documents/InformationSecurityMangSysforMSCloudInfrastructure.pdf
Notes: This study describes the standards Microsoft follows to address current and evolving cloud security threats. It also depicts the internal structures within Microsoft that handle cloud security and risk management issues.
Title: NIST Finalizes Initial Set of Smart Grid Cyber Security Guidelines
Source: National Institute of Standards and Technology (NIST)
Date: September 2, 2010
Pages: N/A
URL: http://www.nist.gov/public_affairs/releases/nist-finalizes-initial-set-of-smart-grid-cyber-security-guidelines.cfm
Notes: NIST released a three-volume set of recommendations on all things relevant to securing the Smart Grid. The guidelines address a variety of topics, including high-level security requirements, a risk assessment framework, an evaluation of privacy issues in residences, and recommendations for protecting the evolving grid from attacks, malicious code, cascading errors, and other threats.
Title: Critical Infrastructure Protection: Key Private and Public Cyber Expectations Need to Be Consistently Addressed
Source: Government Accountability Office (GAO)
Date: July 15, 2010
Pages: 38
URL: http://www.gao.gov/products/GAO-10-628
Notes: Private sector stakeholders reported that they expect their federal partners to provide usable, timely, and actionable cyber threat information and alerts; access to sensitive or classified information; a secure mechanism for sharing information; security clearances; and a single centralized government cybersecurity organization to coordinate government efforts. However, according to private sector stakeholders, federal partners are not consistently meeting these expectations.
The future of cloud computing
Pew Research
June 11, 2010
26
Technology experts and stakeholders say they expect they will
Center’s Internet
“live mostly in the cloud” in 2020 and not on the desktop,
http://pewinternet.org/Reports/2010/The-future-of-cloud-
& American Life
working mostly through cyberspace-based applications accessed
computing.aspx
Project
through networked devices.
The Reliability of Global Undersea Communications Cable IEEE/EastWest
May 26, 2010
186
This study submits 12 major recommendations to the private
Infrastructure (The ROGUCCI Report)
Institute
sector, governments and other stakeholders—especial y the
financial sector—for the purpose of improving the reliability,
http://www.ieee-rogucci.org/files/
robustness, resilience, and security of the world’s undersea
The%20ROGUCCI%20Report.pdf
communications cable infrastructure.
NSTB Assessments Summary Report: Common Industrial
Department of
May 1, 2010
123
Computer networks controlling the electric grid are plagued
Control System Cyber Security Weaknesses
Energy, Idaho
with security holes that could allow intruders to redirect power
National
delivery and steal data. Many of the security vulnerabilities are
http://www.fas.org/sgp/eprint/nstb.pdf
Laboratory
strikingly basic and fixable problems.
Explore the reliability and resiliency of commercial
Federal
April 21, 2010
N/A
The Federal Communications Commission launched an inquiry
broadband communications networks
Communications
on the ability of existing broadband networks to withstand
Commission
significant damage or severe overloads as a result of natural
http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-
(FCC)
disasters, terrorist attacks, pandemics or other major public
305618A1.doc
emergencies, as recommended in the National Broadband Plan.
CRS-38

Cybersecurity: Authoritative Reports and Resources

Title Source
Date
Pages
Notes
Security Guidance for Critical Areas of Focus in Cloud
Cloud Security
December 2009
76
“Through our focus on the central issues of cloud computing
Computing V2.1
Alliance
security, we have attempted to bring greater clarity to an
otherwise complicated landscape, which is often filled with
http://www.cloudsecurityalliance.org/csaguide.pdf
incomplete and oversimplified information. Our focus ... serves
to bring context and specificity to the cloud computing security
discussion: enabling us to go beyond gross generalizations to
deliver more insightful and targeted recommendations.”
21 Steps to Improve Cyber Security of SCADA Networks U.S. Department
January 1, 2007
10
The President’s Critical Infrastructure Protection Board and the
of Energy,
Department of Energy have developed steps to help any
http://www.oe.netl.doe.gov/docs/prepare/
Infrastructure
organization improve the security of its SCADA networks. The
21stepsbooklet.pdf
Security and
steps are divided into two categories: specific actions to improve
Energy
implementation, and actions to establish essential underlying
Restoration
management processes and policies.
Note: Highlights compiled by CRS from the reports.

CRS Reports: Cybercrime and National Security
• CRS Report 97-1025, Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws, by Charles Doyle
• CRS Report 94-166, Extraterritorial Application of American Criminal Law, by Charles Doyle
• CRS Report 98-326, Privacy: An Overview of Federal Statutes Governing Wiretapping and Electronic Eavesdropping, by Gina Stevens and Charles Doyle
• CRS Report RL32706, Spyware: Background and Policy Issues for Congress, by Patricia Moloney Figliola
• CRS Report R41975, Illegal Internet Streaming of Copyrighted Content: Legislation in the 112th Congress, by Brian T. Yeh
• CRS Report R42112, Online Copyright Infringement and Counterfeiting: Legislation in the 112th Congress, by Brian T. Yeh
• CRS Report R40599, Identity Theft: Trends and Issues, by Kristin M. Finklea
• CRS Report R41927, The Interplay of Borders, Turf, Cyberspace, and Jurisdiction: Issues Confronting U.S. Law Enforcement, by Kristin M. Finklea
• CRS Report RL34651, Protection of Children Online: Federal and State Laws Addressing Cyberstalking, Cyberharassment, and Cyberbullying, by Alison M. Smith

Table 18. Selected Reports: Cybercrime/Cyberwar

Title: Developing State Solutions to Business Identity Theft: Assistance, Prevention and Detection Efforts by Secretary of State Offices
Source: National Association of Secretaries of State
Date: January 2012
Pages: 23
URL: http://www.nass.org/index.php?option=com_docman&task=doc_download&gid=1257
Notes: This white paper is the result of efforts by the 19-member NASS Business Identity Theft Task Force to develop policy guidelines and recommendations for state leaders dealing with identity fraud cases involving public business records.

Title: A Cyberworm that Knows No Boundaries
Source: RAND
Date: December 21, 2011
Pages: 55
URL: http://www.rand.org/content/dam/rand/pubs/occasional_papers/2011/RAND_OP342.pdf
Notes: Stuxnet-like worms pose a serious threat even to infrastructure and computer systems that are not connected to the Internet. However, defending against such attacks is an increasingly complex prospect.

Title: Department of Defense Cyberspace Policy Report: A Report to Congress Pursuant to the National Defense Authorization Act for Fiscal Year 2011, Section 934
Source: DOD
Date: November 15, 2011
Pages: 14
URL: http://www.defense.gov/home/features/2011/0411_cyberstrategy/docs/NDAA%20Section%20934%20Report_For%20webpage.pdf
Notes: From the report: “When warranted, we will respond to hostile attacks in cyberspace as we would to any other threat to our country. We reserve the right to use all necessary means - diplomatic, informational, military and economic - to defend our nation, our allies, our partners and our interests.”

Title: W32.Duqu: The Precursor to the Next Stuxnet
Source: Symantec
Date: October 24, 2011
Pages: N/A
URL: http://www.symantec.com/connect/w32_duqu_precursor_next_stuxnet
Notes: On October 14, 2011, a research lab with strong international connections alerted Symantec to a sample that appeared to be very similar to Stuxnet, the malware which wreaked havoc in Iran’s nuclear centrifuge farms last summer. The lab named the threat “Duqu” because it creates files with the file name prefix “~DQ”. The research lab provided Symantec with samples recovered from computer systems located in Europe, as well as a detailed report with their initial findings, including analysis comparing the threat to Stuxnet.

Title: Cyber War Will Not Take Place
Source: Journal of Strategic Studies
Date: October 5, 2011
Pages: 29
URL: http://www.tandfonline.com/doi/abs/10.1080/01402390.2011.608939
Notes: The paper argues that cyber warfare has never taken place, is not currently taking place, and is unlikely to take place in the future.

Title: Revealed: Operation Shady RAT: an Investigation Of Targeted Intrusions Into 70+ Global Companies, Governments, and Non-Profit Organizations During the Last 5 Years
Source: McAfee
Date: August 2, 2011
Pages: 14
URL: http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf
Notes: A cyber-espionage operation lasting many years penetrated 72 government and other organizations, most of them in the United States, and has copied everything from military secrets to industrial designs, according to technology security company McAfee. See page 4 for the types of compromised parties, page 5 for the geographic distribution of victims’ country of origin, pages 7-9 for the types of victims, and pages 10-13 for the number of intrusions for 2007-2010.

Title: A Four-Day Dive Into Stuxnet’s Heart
Source: Threat Level Blog (Wired)
Date: December 27, 2010
Pages: N/A
URL: http://www.wired.com/threatlevel/2010/12/a-four-day-dive-into-stuxnets-heart/
Notes: From the article, “It is a mark of the extreme oddity of the Stuxnet computer worm that Microsoft’s Windows vulnerability team learned of it first from an obscure Belarusian security company that even they had never heard of.”

Title: Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant? Preliminary Assessment
Source: Institute for Science and International Security
Date: December 22, 2010
Pages: 10
URL: http://isis-online.org/isis-reports/detail/did-stuxnet-take-out-1000-centrifuges-at-the-natanz-enrichment-plant/
Notes: This report indicates that commands in the Stuxnet code intended to increase the frequency of devices targeted by the malware exactly match several frequencies at which rotors in centrifuges at Iran’s Natanz enrichment plant are designed to operate optimally or are at risk of breaking down and flying apart.

Title: The Role of Internet Service Providers in Botnet Mitigation: an Empirical Analysis Based on Spam Data
Source: Organisation for Economic Co-operation and Development (OECD)
Date: November 12, 2010
Pages: 68
URL: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.165.2211&rep=rep1&type=pdf
Notes: This working paper considers whether ISPs can be critical control points for botnet mitigation, how the number of infected machines varies across ISPs, and why.

Title: Stuxnet Analysis
Source: European Network and Information Security Agency
Date: October 7, 2010
Pages: N/A
URL: http://www.enisa.europa.eu/media/press-releases/stuxnet-analysis
Notes: EU cybersecurity agency warns that the Stuxnet malware is a game changer for critical information infrastructure protection; PLC controllers of SCADA systems infected with the worm might be programmed to establish destructive over/under pressure conditions by running pumps at different frequencies.

Title: Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy
Source: National Research Council
Date: October 5, 2010
Pages: 400
URL: http://www.nap.edu/catalog.php?record_id=12997#description
Notes: At the request of the Office of the Director of National Intelligence, the National Research Council undertook a two-phase project aimed to foster a broad, multidisciplinary examination of strategies for deterring cyberattacks on the United States and of the possible utility of these strategies for the U.S. government.

Title: Untangling Attribution: Moving to Accountability in Cyberspace [Testimony]
Source: Council on Foreign Relations
Date: July 15, 2010
Pages: 14
URL: http://i.cfr.org/content/publications/attachments/Knake%20-Testimony%20071510.pdf
Notes: Robert K. Knake’s testimony before the House Committee on Science and Technology on the role of attack attribution in preventing cyber attacks and how attribution technologies can affect the anonymity and the privacy of Internet users.

Title: Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities
Source: National Research Council
Date: January 1, 2009
Pages: 368
URL: http://www.nap.edu/catalog.php?record_id=12651&utm_medium=etmail&utm_source=National%20Academies%20Press&utm_campaign=NAP+mail+eblast+10.27.09+-+Cyberattack+Preorder+sp&utm_content=Downloader&utm_term=#description
Notes: This report explores important characteristics of cyberattack. It describes the current international and domestic legal structure as it might apply to cyberattack, and considers analogies to other domains of conflict to develop relevant insights.

Note: Highlights compiled by CRS from the reports.
Table 19. Selected Reports: International Efforts

Title: Cyber-security: The Vexed Question of Global Rules: An Independent Report on Cyber-Preparedness Around the World
Source: McAfee
Date: February 1, 2012
Pages: 108
URL: http://www.mcafee.com/us/resources/reports/rp-sda-cyber-security.pdf?cid=WBB048
Notes: Forty-five percent of legislators and cybersecurity experts representing 27 countries think cybersecurity is just as important as border security. The authors surveyed 80 professionals from business, academia and government to gauge worldwide opinions of cybersecurity.

Title: Cyber Power Index
Source: Booz Allen Hamilton and the Economist Intelligence Unit
Date: January 15, 2012
Pages: N/A
URL: http://www.cyberhub.com/CyberPowerIndex
Notes: The index of developing countries’ ability to withstand cyber attacks and build strong digital economies rates the countries on their legal and regulatory frameworks; economic and social issues; technology infrastructure; and industry. The index puts the United States in the No. 2 spot, and the UK in No. 1.

Title: Foreign Spies Stealing US Economic Secrets in Cyberspace
Source: Office of the National Counterintelligence Executive
Date: November 3, 2011
Pages: 31
URL: http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf
Notes: According to the report, espionage and theft through cyberspace are growing threats to the United States’ security and economic prosperity, and the world’s most persistent perpetrators happen to also be U.S. allies.

Title: The UK Cyber Security Strategy: Protecting and promoting the UK in a digital world
Source: Cabinet Office (United Kingdom)
Date: November 2011
Pages: 43
URL: http://www.cabinetoffice.gov.uk/sites/default/files/resources/uk-cyber-security-strategy-final.pdf
Notes: Chapter 1 describes the background to the growth of the networked world and the immense social and economic benefits it is unlocking. Chapter 2 describes these threats. The impacts are already being felt and will grow as our reliance on cyberspace grows. Chapter 3 sets out where we want to end up—with the government’s vision for UK cyber security in 2015.

Title: Cyber Dawn: Libya
Source: Cyber Security Forum Initiative
Date: May 9, 2011
Pages: 70
URL: http://www.unveillance.com/wp-content/uploads/2011/05/Project_Cyber_Dawn_Public.pdf
Notes: Project Cyber Dawn: Libya uses open source material to provide an in-depth view of Libyan cyberwarfare capabilities and defenses.

Title: China’s Cyber Power and America’s National Security
Source: U.S. Army War College, Strategy Research Project
Date: March 24, 2011
Pages: 86
URL: http://www.dtic.mil/dtic/tr/fulltext/u2/a552990.pdf
Notes: This report examines the growth of Chinese cyber power; their known and demonstrated capabilities for offensive, defensive and exploitive computer network operations; China’s national security objectives; and the possible application of Chinese cyber power in support of those objectives.

Title: Worldwide Threat Assessment of the U.S. Intelligence Community (Testimony)
Source: James Clapper, Director of National Intelligence
Date: February 10, 2011
Pages: 34
URL: http://www.dni.gov/testimonies/20110210_testimony_clapper.pdf
Notes: Provides an assessment of global threats: convergence, malware, the “Chinese” connection, foreign military capabilities in cyberspace, counterfeit computer hardware and intellectual property theft, and identity theft/finding vulnerable government operatives.

Title: Working Towards Rules for Governing Cyber Conflict: Rendering the Geneva and Hague Conventions in Cyberspace
Source: EastWest Institute
Date: February 3, 2011
Pages: 60
URL: http://vialardi.org/nastrazzuro/pdf/US-Russia.pdf
Notes: [The authors] led the cyber and traditional security experts through a point-by-point analysis of the Geneva and Hague Conventions. Ultimately, the group made five immediate recommendations for Russian and U.S.-led joint assessments, each exploring how to apply a key convention principle to cyberspace.

Title: The Reliability of Global Undersea Communications Cable Infrastructure (The Rogucci Report)
Source: IEEE/EastWest Institute
Date: May 26, 2010
Pages: 186
URL: http://www.ieee-rogucci.org/files/The%20ROGUCCI%20Report.pdf
Notes: This study submits 12 major recommendations to the private sector, governments and other stakeholders—especially the financial sector—for the purpose of improving the reliability, robustness, resilience, and security of the world’s undersea communications cable infrastructure.

Title: ITU Toolkit for Cybercrime Legislation
Source: International Telecommunications Union
Date: February 2010
Pages: N/A
URL: http://www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-toolkit-cybercrime-legislation.pdf
Notes: This document aims to provide countries with sample legislative language and reference material that can assist in the establishment of harmonized cybercrime laws and procedural rules.

Note: Highlights compiled by CRS from the reports.

Table 20. Selected Reports: Education/Training/Workforce

Title: Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination
Source: General Accountability Office (GAO)
Date: November 29, 2011
Pages: 86
URL: http://www.gao.gov/products/GAO-12-8
Notes: To ensure that government-wide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the NICE initiative to develop and finalize detailed plans allowing agency accountability, measurement of progress, and determination of resources to accomplish agreed-upon activities.

Title: NICE Cybersecurity Workforce Framework
Source: National Initiative for Cybersecurity Education (NICE)
Date: November 21, 2011
Pages: 35
URL: http://www.nist.gov/manuscript-publication-search.cfm?pub_id=909505
Notes: The adoption of cloud computing into the Federal Government and its implementation depend upon a variety of technical and non-technical factors. A fundamental reference point, based on the NIST definition of cloud computing, is needed to describe an overall framework that can be used government-wide. This document presents the NIST Cloud Computing Reference Architecture (RA) and Taxonomy (Tax) that will accurately communicate the components and offerings of cloud computing.

Title: 2011 State of Cyberethics, Cybersafety and Cybersecurity Curriculum in the U.S. Survey
Source: National Cyber Security Alliance and Microsoft
Date: May 13, 2011
Pages: 16
URL: http://www.staysafeonline.org/sites/default/files/resource_documents/2011%20National%20K-12%20Study%20Final_0.pdf
Notes: This year’s survey further explores the perceptions and practices of U.S. teachers, school administrators and technology coordinators in regards to cyberethics, cybersafety, and cybersecurity education. This year's survey finds that young people still are not receiving adequate training and that teachers are ill-prepared to teach the subjects due, in large part, to lack of professional development.

Title: Cyber Operations Personnel Report (DOD)
Source: Department of Defense
Date: April 2011
Pages: 84
URL: http://www.nsci-va.org/CyberReferenceLib/2011-04-Cyber%20Ops%20Personnel.pdf
Notes: This report is focused on FY09 Department of Defense Cyber Operations personnel, with duties and responsibilities as defined in Section 934 of the Fiscal Year (FY) 2010 National Defense Authorization Act (NDAA).
  Appendix A - Cyber Operations-related Military Occupations
  Appendix B - Commercial Certifications Supporting the DoD Information Assurance Workforce Improvement Program
  Appendix C - Military Services Training and Development
  Appendix D - Geographic Location of National Centers of Academic Excellence in Information Assurance

Title: Design of the DETER Security Testbed
Source: University of Southern California (USC) Information Sciences Institute, University of California Berkeley (UCB), McAfee Research
Date: January 13, 2011
Pages: N/A
URL: http://www.isi.edu/deter/news/news.php?story=20
Notes: The Department of Homeland Security (DHS) will invest $16 million over the next five years to expand a cybersecurity testbed at the University of Southern California (USC). The Deterlab testbed provides an isolated 400-node mini-Internet, in which researchers can investigate malware and other security threats without danger of infecting the real Internet. It also supports classroom exercises in computer security for nearly 400 students at 10 universities and colleges.

Title: The Power of People: Building an Integrated National Security Professional System for the 21st Century
Source: Project on National Security Reform (PNSR)
Date: November 2010
Pages: 326
URL: http://www.pnsr.org/data/images/pnsr_the_power_of_people_report.pdf
Notes: This study was conducted in fulfillment of Section 1054 of the National Defense Authorization Act for Fiscal Year 2010, which required the commissioning of a study by “an appropriate independent, nonprofit organization, of a system for career development and management of interagency national security professionals.”

Note: Highlights compiled by CRS from the reports.

Table 21. Selected Reports: Research & Development (R&D)

Title: Information Security Risk Taking
Source: National Science Foundation (NSF)
Date: January 17, 2012
Pages: N/A
URL: http://www.nsf.gov/awardsearch/showAward.do?AwardNumber=1127185
Notes: The NSF is funding research on giving organizations information-security risk ratings, similar to credit ratings for individuals.

Title: At the Forefront of Cyber Security Research
Source: NSF
Date: August 11, 2011
Pages: N/A
URL: http://www.livescience.com/15423-forefront-cyber-security-research-nsf-bts.html
Notes: TRUST is a university and industry consortium that examines cyber security issues related to health care, national infrastructures, law and other issues facing the general public.

Title: Designing A Digital Future: Federally Funded Research And Development In Networking And Information Technology
Source: White House
Date: December 16, 2010
Pages: 148
URL: http://www.whitehouse.gov/sites/default/files/microsites/ostp/pcast-nitrd-report-2010.pdf
Notes: The President’s Council of Advisors on Science and Technology (PCAST) has made several recommendations in a report about the state of the government’s Networking and Information Technology Research and Development (NITRD) Program.

Title: Partnership for Cybersecurity Innovation
Source: White House Office of Science and Technology Policy
Date: December 6, 2010
Pages: 10
URL: http://www.whitehouse.gov/blog/2010/12/06/partnership-cybersecurity-innovation
Notes: The Obama Administration released a Memorandum of Understanding signed by the National Institute of Standards and Technology (NIST) of the Department of Commerce, the Science and Technology Directorate of the Department of Homeland Security (DHS/S&T), and the Financial Services Sector Coordinating Council (FSSCC). The goal of the agreement is to speed the commercialization of cybersecurity research innovations that support our nation’s critical infrastructures.

Title: Science of Cyber-Security
Source: Mitre Corp (JASON Program Office)
Date: November 2010
Pages: 86
URL: http://www.fas.org/irp/agency/dod/jason/cyber.pdf
Notes: JASON was requested by DOD to examine the theory and practice of cyber-security, and evaluate whether there are underlying fundamental principles that would make it possible to adopt a more scientific approach, identify what is needed in creating a science of cyber-security, and recommend specific ways in which scientific methods can be applied.

Title: American Security Challenge
Source: National Security Initiative
Date: October 18, 2010
Pages: N/A
URL: http://www.americansecuritychallenge.com/
Notes: The objective of the Challenge is to increase the visibility of innovative technology and help the commercialization process so that such technology can reach either the public or commercial marketplace faster to protect our citizens and critical assets.

Note: Highlights compiled by CRS from the reports.

Related Resources: Other Websites
This section contains other cybersecurity resources, including U.S. government, international, news sources, and other associations and institutions.
Table 22. Related Resources: Congressional/Government

Name: Congressional Cybersecurity Caucus
Source: Led by Representatives Jim Langevin and Mike McCaul
URL: http://housecybersecuritycaucus.langevin.house.gov/index.shtml
Notes: Provides statistics, news on congressional cyberspace actions, and links to other informational websites.

Name: Cybersecurity and Trustworthiness Projects and Reports
Source: Computer Science and Telecommunications Board, National Academy of Sciences
URL: http://sites.nationalacademies.org/CSTB/CSTB_059144
Notes: A list of independent and informed reports on cybersecurity and public policy.

Name: Cybersecurity
Source: White House National Security Council
URL: http://www.whitehouse.gov/cybersecurity
Notes: Links to White House policy statements, key documents, videos, and blog posts.

Name: Office of Cybersecurity and Communications (CS&C)
Source: U.S. Department of Homeland Security
URL: http://www.dhs.gov/xabout/structure/gc_1185202475883.shtm
Notes: As the sector-specific agency for the communications and information technology (IT) sectors, CS&C coordinates national level reporting that is consistent with the National Response Framework (NRF).

Name: U.S. Cyber Command
Source: U.S. Department of Defense
URL: http://www.defense.gov/home/features/2010/0410_cybersec/
Notes: Links to press releases, fact sheets, speeches, announcements, and videos.

Name: U.S. Cyber-Consequences Unit
Source: U.S. Cyber-Consequences Unit (US-CCU)
URL: http://www.usccu.us/
Notes: U.S.-CCU, a nonprofit 501c(3) research institute, provides assessments of the strategic and economic consequences of possible cyber-attacks and cyber-assisted physical attacks. It also investigates the likelihood of such attacks and examines the cost-effectiveness of possible counter-measures.

Note: Highlights compiled by CRS from the reports.

Table 23. Related Resources: International Organizations

Name: Australian Internet Security Initiative
Source: Australian Communications and Media Authority
URL: http://www.acma.gov.au/WEB/STANDARD/pc=PC_310317
Notes: The Australian Internet Security Initiative (AISI) is an anti-botnet initiative that collects data on botnets in collaboration with Internet Service Providers (ISPs), and two industry codes of practice.

Name: Cybercrime
Source: Council of Europe
URL: http://www.coe.int/t/DGHL/cooperation/economiccrime/cybercrime/default_en.asp
Notes: Links to the Convention on Cybercrime treaty, standards, news, and related information.

Name: Cybersecurity Gateway
Source: International Telecommunications Union (ITU)
URL: http://groups.itu.int/Default.aspx?alias=groups.itu.int/cybersecurity-gateway
Notes: ITU's Global Cybersecurity Agenda (GCA) is the framework for international cooperation with the objective of building synergies and engaging all relevant stakeholders in our collective efforts to build a more secure and safer information society for all.

Name: Cybercrime Legislation - Country Profiles
Source: Council of Europe
URL: http://www.coe.int/t/dg1/legalcooperation/economiccrime/cybercrime/Documents/CountryProfiles/default_en.asp
Notes: These profiles have been prepared within the framework of the Council of Europe’s Project on Cybercrime in view of sharing information on cybercrime legislation and assessing the current state of implementation of the Convention on Cybercrime under national legislation.

Name: ENISA: Securing Europe’s Information Society
Source: European Network and Information Security Agency (ENISA)
URL: http://www.enisa.europa.eu/
Notes: ENISA informs businesses and citizens in the European Union on cybersecurity threats, vulnerabilities, and attacks. (Requires free registration to access.)

Name: German Anti-Botnet Initiative
Source: Organisation for Economic Co-operation and Development (OECD) (English-language summary)
URL: http://www.oecd.org/dataoecd/42/50/45509383.pdf
Notes: This is a private industry initiative which aims to ensure that customers whose personal computers have become part of a botnet without them being aware of it are informed by their Internet Service Providers about this situation and at the same time are given competent support in removing the malware.

Name: International Cyber Security Protection Alliance (ICSPA)
Source: International Cyber Security Protection Alliance (ICSPA)
URL: https://www.icspa.org/about-us/
Notes: A global not-for-profit organization that aims to channel funding, expertise, and help directly to law enforcement cyber crime units around the world.

Name: NATO Cooperative Cyber Defence Centre of Excellence (CCD COE)
Source: North Atlantic Treaty Organization (NATO)
URL: http://www.ccdcoe.org/
Notes: The Center is an international effort that currently includes Estonia, Latvia, Lithuania, Germany, Hungary, Italy, the Slovak Republic, and Spain as sponsoring nations, to enhance NATO’s cyber defence capability.

Note: Highlights compiled by CRS from the reports.

Table 24. Related Resources: News

Name: Computer Security (Cybersecurity)
Source: New York Times
URL: http://topics.nytimes.com/top/reference/timestopics/subjects/c/computer_security/index.html

Name: Cybersecurity
Source: NextGov.com
URL: http://topics.nextgov.com/cybersecurity

Name: Cyberwarfare and Cybersecurity
Source: Benton Foundation
URL: http://benton.org/taxonomy/term/1193

Name: Homeland Security
Source: Congressional Quarterly (CQ)
URL: http://homeland.cq.com/hs/news.do;jsessionid=20B0A2F676BA73C13DDC30A877479F46

Name: Cybersecurity
Source: Homeland Security News Wire
URL: http://www.homelandsecuritynewswire.com/topics/cybersecurity

Table 25. Related Resources: Other Associations and Institutions

Name: Cybersecurity from the Center for Strategic & International Studies (CSIS)
URL: http://csis.org/category/topics/technology/cybersecurity
Notes: Links to experts, programs, publications, and multimedia. CSIS is a bipartisan, nonprofit organization whose affiliated scholars conduct research and analysis and develop policy initiatives that look to the future and anticipate change.

Name: Cyberconflict and Cybersecurity Initiative from the Council on Foreign Relations
URL: http://www.cfr.org/projects/world/cyberconflict-and-cybersecurity-initiative/pr1497
Notes: Focuses on the relationship between cyberwar and the existing laws of war and conflict; how the United States should engage other states and international actors in pursuit of its interests in cyberspace; how the promotion of the free flow of information interacts with the pursuit of cybersecurity; and the private sector’s role in defense, deterrence, and resilience.

Name: Federal Cyber Service from the Scholarship For Service (SFS)
URL: https://www.sfs.opm.gov/
Notes: Scholarship For Service (SFS) is designed to increase and strengthen the cadre of federal information assurance professionals that protect the government’s critical information infrastructure. This program provides scholarships that fully fund the typical costs that students pay for books, tuition, and room and board while attending an approved institution of higher learning.

Name: Institute for Information Infrastructure Protection (I3P)
URL: http://www.thei3p.org/
Notes: I3P is a consortium of leading universities, national laboratories and nonprofit institutions dedicated to strengthening the cyber infrastructure of the United States.

Name: Internet Security Alliance (ISA)
URL: https://netforum.avectra.com/eWeb/StartPage.aspx?Site=ISA
Notes: ISAlliance is a nonprofit collaboration between the Electronic Industries Alliance (EIA), a federation of trade associations, and Carnegie Mellon University’s CyLab.

Name: National Association of State Chief Information Officers (NASCIO)
URL: http://www.nascio.org/advocacy/cybersecurity
Notes: NASCIO’s cybersecurity awareness website. The Resource Guide provides examples of state awareness programs and initiatives.

Name: National Board of Information Security Examiners (NBISE)
URL: http://www.nbise.org/certifications.php
Notes: The mission of the National Board of Information Security Examiners (NBISE) is to increase the security of information networks, computing systems, and industrial and military technology by improving the potential and performance of the cyber security workforce.

Name: National Initiative for Cybersecurity Education (NICE)
URL: http://csrc.nist.gov/nice/
Notes: NICE attempts to forge a common set of definitions for the cybersecurity workforce.

Name: National Security Cyberspace Institute (NSCI)
URL: http://www.nsci-va.org/whitepapers.htm
Notes: NSCI provides education, research and analysis services to government, industry, and academic clients aiming to increase cyberspace awareness, interest, knowledge, and/or capabilities.

Name: U.S. Cyber Challenge (USCC)
URL: http://www.uscyberchallenge.org/
Notes: USCC’s goal is to find 10,000 of America's best and brightest to fill the ranks of cybersecurity professionals where their skills can be of the greatest value to the nation.

Source: Highlights compiled by CRS from the reports of related associations and institutions.


Author Contact Information

Rita Tehan
Information Research Specialist
rtehan@crs.loc.gov, 7-6739

Key Policy Staff

Area of Expertise: Name, Phone, E-mail
General Policy Issues: Eric A. Fischer, 7-7071, efischer@crs.loc.gov
General Policy Issues: John Rollins, 7-5529, jrollins@crs.loc.gov
Critical Infrastructure: John D. Moteff, 7-1435, jmoteff@crs.loc.gov
Critical Infrastructure: Richard J. Campbell, 7-7905, rcampbell@crs.loc.gov
Critical Infrastructure: Patricia Moloney Figliola, 7-2508, pfigliola@crs.loc.gov
Critical Infrastructure: Lennard Kruger, 7-7070, lkruger@crs.loc.gov
Cybercrime: Charles Doyle, 7-6968, cdoyle@crs.loc.gov
Cybercrime: Brian Yeh, 7-5182, byeh@crs.loc.gov
Cybercrime: Kristin Finklea, 7-6259, kfinklea@crs.loc.gov
Cybercrime: Gina Stevens, 7-2581, gstevens@crs.loc.gov
National Security: John Rollins, 7-5529, jrollins@crs.loc.gov
National Security: Catherine A. Theohary, 7-0844, ctheohary@crs.loc.gov
National Security: Paul Kerr, 7-8693, pkeer@crs.loc.gov

