Cybersecurity:
Authoritative Reports and Resources, by Topic

Rita Tehan
Information Research Specialist
November 21, 2013
Congressional Research Service
7-5700
www.crs.gov
R42507


Summary
Cybersecurity vulnerabilities challenge governments, businesses, and individuals worldwide.
Attacks have been initiated by individuals, as well as countries. Targets have included
government networks, military defenses, companies, or political organizations, depending upon
whether the attacker was seeking military intelligence, conducting diplomatic or industrial
espionage, or intimidating political activists. In addition, national borders mean little or nothing to
cyberattackers, and attributing an attack to a specific location can be difficult, which also makes a
response problematic.
Congress has been actively involved in cybersecurity issues, holding hearings every year since
2001. There is no shortage of data on this topic: government agencies, academic institutions,
think tanks, security consultants, and trade associations have issued hundreds of reports, studies,
analyses, and statistics.
This report provides links to selected authoritative resources related to cybersecurity issues. It
includes information on
• “CRS Reports by Topic”
• Government Accountability Office (GAO) reports
• White House/Office of Management and Budget reports
• Military/DOD
• Cloud Computing
• Critical Infrastructure
• National Strategy for Trusted Identities in Cyberspace (NSTIC)
• Cybercrime/Cyberwar
• International
• Education/Training/Workforce
• Research and Development (R&D)
• “Related Resources: Other Websites”
The report will be updated as needed.

Contents
Introduction
CRS Reports by Topic
CRS Reports and Other CRS Products Overview: Cybersecurity Policy Framework
CRS Reports: Critical Infrastructure
CRS Reports and Other CRS Products: Cybercrime and National Security
Related Resources: Other Websites

Tables
Table 1. Selected Reports: Cybersecurity Overview
Table 2. Selected Government Reports: Government Accountability Office (GAO)
Table 3. Selected Government Reports: White House/Office of Management and Budget
Table 4. Selected Government Reports: Department of Defense (DOD)
Table 5. Selected Government Reports: National Strategy for Trusted Identities in Cyberspace (NSTIC)
Table 6. Selected Government Reports: Other Federal Agencies
Table 7. Selected Reports: Cloud Computing
Table 8. Selected Reports: Critical Infrastructure
Table 9. Selected Reports: Cybercrime/Cyberwar
Table 10. Selected Reports: International Efforts
Table 11. Selected Reports: Education/Training/Workforce
Table 12. Selected Reports: Research & Development (R&D)
Table 13. Related Resources: Congressional/Government
Table 14. Related Resources: International Organizations
Table 15. Related Resources: News
Table 16. Related Resources: Other Associations and Institutions

Contacts
Author Contact Information
Key Policy Staff

Introduction
Cybersecurity is a sprawling topic that includes national, international, government, and private
industry dimensions. In the 113th Congress, 5 bills have been introduced in the Senate and 7 in the
House.1 More than 40 bills and resolutions with provisions related to cybersecurity were
introduced in the first session of the 112th Congress, including several proposing revisions to
current laws. In the 111th Congress, the total was more than 60. Several of those bills received
committee or floor action, but none became law. In fact, no comprehensive cybersecurity
legislation has been enacted since 2002.
For Congressional Research Service (CRS) analysis, please see the collection of CRS reports
found on the Issues in Focus: Cybersecurity site.
CRS Reports by Topic
This section gives references to analytical reports on cybersecurity from CRS, other
governmental agencies, and trade organizations. The reports are grouped under the following
cybersecurity topics: policy framework overview, critical infrastructure, and cybercrime and
national security.
For each topic, CRS reports are listed first and then followed by tables with reports from other
organizations. The overview reports provide an analysis of a broad range of cybersecurity issues
(Table 1 to Table 7). The critical infrastructure reports (Table 8) analyze cybersecurity issues
related to telecom infrastructure, the electricity grid, and industrial control systems. The
cybercrime and national security reports (Table 9) analyze a wide range of cybersecurity issues,
including identity theft and government policies for dealing with cyberwar scenarios. In addition,
tables with selected reports on international efforts to address cybersecurity problems, training for
cybersecurity professionals, and research and development efforts in other areas are also provided
(Table 10 to Table 12).
CRS Reports and Other CRS Products Overview: Cybersecurity Policy Framework

• CRS Report R42114, Federal Laws Relating to Cybersecurity: Overview and
Discussion of Proposed Revisions, by Eric A. Fischer
• CRS Report R41941, The Obama Administration’s Cybersecurity Proposal:
Criminal Provisions, by Gina Stevens
• CRS Report R42984, The 2013 Cybersecurity Executive Order: Overview and
Considerations for Congress, by Eric A. Fischer et al.
• CRS Report R40150, A Federal Chief Technology Officer in the Obama
Administration: Options and Issues for Consideration, by John F. Sargent Jr.
• CRS Report R42409, Cybersecurity: Selected Legal Issues, by Edward C. Liu et al.
• CRS Report R43015, Cloud Computing: Constitutional and Statutory Privacy
Protections, by Richard M. Thompson II
• CRS Legal Sidebar, House Intelligence Committee Marks Up Cybersecurity Bill
CISPA, Richard M. Thompson II
• CRS Legal Sidebar, Can the President Deal with Cybersecurity Issues via
Executive Order?, Vivian S. Chu

1 For information on congressional cybersecurity activity in the 113th and 112th Congresses, see CRS Report R43317,
Cybersecurity: Legislation, Hearings, and Executive Branch Documents, by Rita Tehan. This report provides links to
cybersecurity hearings and legislation under consideration in the 113th Congress and those considered in the 112th
Congress, as well as executive orders and presidential directives. For selected statistics and glossaries, see CRS Report
R43310, Cybersecurity: Data, Statistics, and Glossaries, by Rita Tehan.

Table 1. Selected Reports: Cybersecurity Overview

Title: Defending an Open, Global, Secure, and Resilient Internet
http://www.cfr.org/cybersecurity/defending-open-global-secure-resilient-internet/p30836
Source: Council on Foreign Relations
Date: June 2013
Pages: 127
Notes: The Task Force recommends that the United States develop a digital policy framework based on four pillars, the last of which is that U.S.-based industry work rapidly to establish an industry-led approach to counter current and future cyberattacks.

Title: Measuring What Matters: Reducing Risk by Rethinking How We Evaluate Cybersecurity
http://www.safegov.org/media/46155/measuring_what_matters_final.pdf
Source: Safegov.org, in coordination with the National Academy of Public Administration
Date: March 2013
Pages: 39
Notes: Rather than periodically auditing whether an agency's systems meet the standards enumerated in FISMA at a static moment in time, agencies and their inspectors general should keep running scorecards of “cyber risk indicators” based on continual IG assessments of a federal organization's cyber vulnerabilities.

Title: Developing a Framework To Improve Critical Infrastructure Cybersecurity (Federal Register Notice; Request for Information)
http://www.gpo.gov/fdsys/pkg/FR-2013-02-26/pdf/2013-04413.pdf
Source: National Institute of Standards and Technology (NIST)
Date: February 12, 2013
Pages: 5
Notes: NIST announced the first step in the development of a Cybersecurity Framework, which will be a set of voluntary standards and best practices to guide industry in reducing cyber risks to the networks and computers that are vital to the nation’s economy, security, and daily life.

Title: SEI Emerging Technology Center: Cyber Intelligence Tradecraft Project
http://www.sei.cmu.edu/library/assets/whitepapers/citp-summary-key
Source: Carnegie Mellon University
Date: January 2013
Pages: 23
Notes: This report addresses the endemic problem of functional cyber intelligence analysts not effectively communicating with non-technical audiences. It also demonstrates organizations’ reluctance to share information within their own entities, industries, and across economic sectors.

Title: The National Cyber Security Framework Manual
http://www.ccdcoe.org/publications/books/NationalCyberSecurityFrameworkManual.pdf
Source: NATO Cooperative Cyber Defense Center of Excellence
Date: December 11, 2012
Pages: 253
Notes: Provides detailed background information and in-depth theoretical frameworks to help the reader understand the various facets of National Cyber Security, according to different levels of public policy formulation. The four levels of government—political, strategic, operational and tactical/technical—each have their own perspectives on National Cyber Security, and each is addressed in individual sections within the Manual.

Title: Cyber Security Task Force: Public-Private Information Sharing
http://bipartisanpolicy.org/sites/default/files/Public-Private%20Information%20Sharing.pdf
Source: Bipartisan Policy Center
Date: July 2012
Pages: 24
Notes: Outlines a series of proposals that would enhance information sharing. The recommendations have two major components: (1) mitigation of perceived legal impediments to information sharing, and (2) incentivizing private sector information sharing by alleviating statutory and regulatory obstacles.

Title: Cyber-security: The Vexed Question of Global Rules: An Independent Report on Cyber-Preparedness Around the World
http://www.dhs.gov/xlibrary/assets/dhs-risk-lexicon-2010.pdf
Source: McAfee and the Security Defense Agenda
Date: February 2012
Pages: 108
Notes: The report examines the current state of cyber-preparedness around the world, and is based on survey results from 80 policy-makers and cybersecurity experts in the government, business, and academic sectors from 27 countries. The countries were ranked on their state of cyber-preparedness.

Title: Mission Critical: A Public-Private Strategy for Effective Cybersecurity
http://businessroundtable.org/uploads/studies-reports/downloads/2011_10_Mission_Critical_A_Public-Private_Strategy_for_Effective_Cybersecurity_4_20_12.pdf
Source: Business Roundtable
Date: October 11, 2011
Pages: 28
Notes: According to the report, “[p]ublic policy solutions must recognize the absolute importance of leveraging policy foundations that support effective global risk management, in contrast to “check-the-box” compliance approaches that can undermine security and cooperation.” The document concludes with specific policy proposals and activity commitments.

Title: Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines (CAG)
http://www.sans.org/critical-security-controls/
Source: SANS
Date: October 3, 2011
Pages: 77
Notes: The 20 critical security control measures are intended to focus agencies and large enterprises’ limited resources by plugging the most common attack vectors.

Title: World Cybersecurity Technology Research Summit (Belfast 2011)
http://www.csit.qub.ac.uk/InnovationatCSIT/Reports/Filetoupload,295594,en.pdf
Source: Centre for Secure Information Technologies (CSIT)
Date: September 12, 2011
Pages: 14
Notes: The Belfast 2011 event attracted international cyber security experts from leading research institutes, government bodies, and industry who gathered to discuss current cyber security threats, predict future threats and the necessary mitigation techniques, and to develop a collective strategy for next research.

Title: A Review of Frequently Used Cyber Analogies
http://www.nsci-va.org/WhitePapers/2011-07-22-Cyber-Analogies-Whitepaper-K-McKee.pdf
Source: National Security Cyberspace Institute
Date: July 22, 2011
Pages: 7
Notes: The current cybersecurity crisis can be described several ways with numerous metaphors. Many compare the current crisis with the lawlessness to that of the Wild West and the out-dated tactics and race to security with the Cold War. When treated as a distressed ecosystem, the work of both national and international agencies to eradicate many infectious diseases serves as a model as how poor health can be corrected with proper resources and execution. Before these issues are discussed, what cyberspace actually is must be identified.

Title: America’s Cyber Future: Security and Prosperity in the Information Age
http://www.cnas.org/node/6405
Source: Center for a New American Security
Date: June 1, 2011
Pages: 296
Notes: To help U.S. policymakers address the growing danger of cyber insecurity, this two-volume report features chapters on cyber security strategy, policy, and technology by some of the world’s leading experts on international relations, national security, and information technology.

Title: Resilience of the Internet Interconnection Ecosystem
http://www.enisa.europa.eu/act/res/other-areas/inter-x/report/interx-report
Source: European Network and Information Security Agency (ENISA)
Date: April 11, 2011
Pages: 238
Notes: Part I: Summary and Recommendations; Part II: State of the Art Review (a detailed description of the Internet’s routing mechanisms and analysis of their robustness at the technical, economic and policy levels.); Part III: Report on the Consultation (a broad range of stakeholders were consulted. This part reports on the consultation and summarizes the results). Part IV: Bibliography and Appendices.

Title: Improving our Nation’s Cybersecurity through the Public-Private Partnership: A White Paper
http://www.cdt.org/files/pdfs/20110308_cbyersec_paper.pdf
Source: Business Software Alliance, Center for Democracy & Technology, U.S. Chamber of Commerce, Internet Security Alliance, Tech America
Date: March 8, 2011
Pages: 26
Notes: This paper proposes expanding the existing partnership and makes a series of recommendations that build upon the conclusions of President Obama’s Cyberspace Policy Review.

Title: Cybersecurity Two Years Later
http://csis.org/files/publication/110128_Lewis_CybersecurityTwoYearsLater_Web.pdf
Source: CSIS Commission on Cybersecurity for the 44th Presidency, Center for Strategic and International Studies
Date: January 2011
Pages: 22
Notes: From the report: “We thought then [in 2008] that securing cyberspace had become a critical challenge for national security, which our nation was not prepared to meet.... In our view, we are still not prepared.”

Title: Toward Better Usability, Security, and Privacy of Information Technology: Report of a Workshop
http://www.nap.edu/catalog.php?record_id=12998
Source: National Research Council
Date: September 21, 2010
Pages: 70
Notes: Discusses computer system security and privacy, their relationship to usability, and research at their intersection. This is drawn from remarks made at the National Research Council’s July 2009 Workshop on Usability, Security and Privacy of Computer Systems as well as recent reports from the NRC's Computer Science and Telecommunications Board on security and privacy.

Title: National Security Threats in Cyberspace
http://nationalstrategy.com/Portals/0/documents/National%20Security%20Threats%20in%20Cyberspace.pdf
Source: Joint Workshop of the National Security Threats in Cyberspace and the National Strategy Forum
Date: September 15, 2009
Pages: 37
Notes: The two-day workshop brought together more than two dozen experts with diverse backgrounds: physicists; telecommunications executives; Silicon Valley entrepreneurs; federal law enforcement, military, homeland security, and intelligence officials; congressional staffers; and civil liberties advocates. For two days they engaged in an open-ended discussion of cyber policy as it relates to national security, under Chatham House Rules: their comments were for the public record, but they were not for attribution.

Note: Highlights compiled by CRS from the reports.

Table 2. Selected Government Reports: Government Accountability Office (GAO)

Title: GPS Disruptions: Efforts to Assess Risks to Critical Infrastructure and Coordinate Agency Actions Should Be Enhanced
http://www.gao.gov/products/GAO-14-15
Date: November 6, 2013
Pages: 58
Notes: GAO was asked to review the effects of GPS disruptions on the nation’s critical infrastructure. GAO examined (1) the extent to which DHS has assessed the risks and potential effects of GPS disruptions on critical infrastructure, (2) the extent to which DOT [Department of Transportation] and DHS have developed backup strategies to mitigate GPS disruptions, and (3) what strategies, if any, selected critical infrastructure sectors employ to mitigate GPS disruptions and any remaining challenges.

Title: DHS Is Generally Filling Mission-Critical Positions, but Could Better Track Costs of Coordinated Recruiting Efforts
http://gao.gov/products/GAO-13-742
Date: September 17, 2013
Pages: 47
Notes: One in five jobs at a key cybersecurity component within DHS is vacant, in large part due to steep competition in recruiting and hiring qualified personnel. National Protection and Programs Directorate (NPPD) officials cited challenges in recruiting cyber professionals because of the length of time taken to conduct security checks to grant top-secret security clearances as well as low pay in comparison with the private sector.

Title: Telecommunications Networks: Addressing Potential Security Risks of Foreign-Manufactured Equipment
http://www.gao.gov/products/GAO-13-652T
Date: May 21, 2013
Pages: 52
Notes: The federal government has begun efforts to address the security of the supply chain for commercial networks... There are a variety of other approaches for addressing the potential risks posed by foreign-manufactured equipment in commercial communications networks, including those approaches taken by foreign governments... Although these approaches are intended to improve supply chain security of communications networks, they may also create the potential for trade barriers, additional costs, and constraints on competition, which the federal government would have to take into account if it chose to pursue such approaches.

Title: Outcome-Based Measures Would Assist DHS in Assessing Effectiveness of Cybersecurity Efforts
http://www.gao.gov/products/GAO-13-275?source=ra
Date: April 11, 2013
Pages: 45
Notes: Until the Department of Homeland Security and its sector partners develop appropriate outcome-oriented metrics, it will be difficult to gauge the effectiveness of efforts to protect the nation’s core and access communications networks and critical support components of the Internet from cyber incidents. While no cyber incidents have been reported affecting the nation’s core and access networks, communications networks operators can use reporting mechanisms established by FCC and DHS to share information on outages and incidents.

Title: Information Sharing: Agencies Could Better Coordinate to Reduce Overlap in Field-Based Activities
http://www.gao.gov/products/GAO-13-471
Date: April 4, 2013
Pages: 72
Notes: Agencies have neither held entities accountable for coordinating nor assessed opportunities for further enhancing coordination to help reduce the potential for overlap and achieve efficiencies. The Departments of Justice (DOJ), DHS, and the Office of National Drug Control Policy (ONDCP)—the federal agencies that oversee or provide support to the five types of field-based entities—acknowledged that entities working together and sharing information is important, but they do not hold the entities accountable for such coordination.

Title: Cybersecurity: A Better Defined and Implemented National Strategy Is Needed to Address Persistent Challenges
http://www.gao.gov/products/GAO-13-462T
Date: March 7, 2013
Pages: 36
Notes: “[A]lthough federal law assigns the Office of Management and Budget (OMB) responsibility for oversight of federal government information security, OMB recently transferred several of these responsibilities to DHS.... [I]t remains unclear how OMB and DHS are to share oversight of individual departments and agencies. Additional legislation could clarify these responsibilities.”

Title: 2013 High Risk List
http://www.gao.gov/highrisk#t=0
Date: February 14, 2013
Pages: 275
Notes: Every two years at the start of a new Congress, GAO calls attention to agencies and program areas that are high risk due to their vulnerabilities to fraud, waste, abuse, and mismanagement, or are most in need of transformation. Cybersecurity programs on the list include: Protecting the Federal Government’s Information Systems and the Nation's Cyber Critical Infrastructures and Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests.

Title: Cybersecurity: National Strategy, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented
http://www.gao.gov/products/GAO-13-187
Date: February 14, 2013
Pages: 112
Notes: GAO recommends that the White House Cybersecurity Coordinator develop an overarching federal cybersecurity strategy that includes all key elements of the desirable characteristics of a national strategy. Such a strategy would provide a more effective framework for implementing cybersecurity activities and better ensure that such activities will lead to progress in cybersecurity.

Title: Information Security: Federal Communications Commission Needs to Strengthen Controls over Enhanced Secured Network Project
http://www.gao.gov/products/GAO-13-155
Date: January 25, 2013
Pages: 35
Notes: “The FCC did not effectively implement appropriate information security controls in the initial components of the Enhanced Secured Network (ESN) project.... Weaknesses identified in the commission’s deployment of components of the ESN project as of August 2012 resulted in unnecessary risk that sensitive information could be disclosed, modified, or obtained without authorization. GAO is making seven recommendations to the FCC to implement management controls to help ensure that ESN meets its objective of securing FCC's systems and information.”

Title: Cybersecurity: Challenges in Securing the Electricity Grid
http://www.gao.gov/products/GAO-12-926T
Date: July 17, 2012
Pages: 25
Notes: In a prior report, GAO has made recommendations related to electricity grid modernization efforts, including developing an approach to monitor compliance with voluntary standards. These recommendations have not yet been implemented.

Title: Information Technology Reform: Progress Made but Future Cloud Computing Efforts Should be Better Planned
http://www.gao.gov/products/GAO-12-756
Date: July 11, 2012
Pages: 43
Notes: To help ensure the success of agencies’ implementation of cloud-based solutions, the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury, and the Administrators of the General Services Administration and Small Business Administration should direct their respective chief information officer (CIO) to establish estimated costs, performance goals, and plans to retire associated legacy systems for each cloud-based service discussed in this report, as applicable.

Title: DOD Actions Needed to Strengthen Management and Oversight
http://www.gao.gov/products/GAO-12-479?source=ra
Date: July 9, 2012
Pages: 46
Notes: DOD’s oversight of electronic warfare capabilities may be further complicated by its evolving relationship with computer network operations, which is also an information operations-related capability. Without clearly defined roles and responsibilities and updated guidance regarding oversight responsibilities, DOD does not have reasonable assurance that its management structures will provide effective department-wide leadership for electronic warfare activities and capabilities development and ensure effective and efficient use of its resources.

Title: Information Security: Cyber Threats Facilitate Ability to Commit Economic Espionage
http://www.gao.gov/products/GAO-12-876T
Date: June 28, 2012
Pages: 20
Notes: This statement discusses (1) cyber threats facing the nation’s systems, (2) reported cyber incidents and their impacts, (3) security controls and other techniques available for reducing risk, and (4) the responsibilities of key federal entities in support of protecting IP.

Title: Cybersecurity: Challenges to Securing the Modernized Electricity Grid
http://www.gao.gov/products/GAO-12-507T
Date: February 28, 2012
Pages: 19
Notes: As GAO reported in January 2011, securing smart grid systems and networks presented a number of key challenges that required attention by government and industry. GAO made several recommendations to the Federal Energy Regulatory Commission (FERC) aimed at addressing these challenges. The commission agreed with these recommendations and described steps it is taking to implement them.

Title: Critical Infrastructure Protection: Cybersecurity Guidance Is Available, but More Can Be Done to Promote Its Use
http://www.gao.gov/products/GAO-12-92
Date: December 9, 2011
Pages: 77
Notes: Given the plethora of guidance available, individual entities within the sectors may be challenged in identifying the guidance that is most applicable and effective in improving their security posture. Improved knowledge of the guidance that is available could help both federal and private sector decision makers better coordinate their efforts to protect critical cyber-reliant assets.

Title: Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination
http://www.gao.gov/products/GAO-12-8
Date: November 29, 2011
Pages: 86
Notes: All the agencies GAO reviewed faced challenges determining the size of their cybersecurity workforce because of variations in how work is defined and the lack of an occupational series specific to cybersecurity. With respect to other workforce planning practices, all agencies had defined roles and responsibilities for their cybersecurity workforce, but these roles did not always align with guidelines issued by the federal Chief Information Officers Council (CIOC) and National Institute of Standards and Technology (NIST).

Title: Federal Chief Information Officers: Opportunities Exist to Improve Role in Information Technology Management
http://www.gao.gov/products/GAO-11-634
Date: October 17, 2011
Pages: 72
Notes: GAO is recommending that OMB update its guidance to establish measures of accountability for ensuring that CIOs’ responsibilities are fully implemented and require agencies to establish internal processes for documenting lessons learned.

Title: Information Security: Additional Guidance Needed to Address Cloud Computing Concerns
http://www.gao.gov/products/GAO-12-130T
Date: October 5, 2011
Pages: 17
Notes: Twenty-two of 24 major federal agencies reported that they were either concerned or very concerned about the potential information security risks associated with cloud computing. GAO recommended that the NIST issue guidance specific to cloud computing security.

Title Date
Pages Notes
Information Security: Weaknesses Continue Amid New
October 3, 2011
49
Weaknesses in information security policies and practices at 24 major federal
Federal Efforts to Implement Requirements
agencies continue to place the confidentiality, integrity, and availability of
http://www.gao.gov/products/GAO-12-137
sensitive information and information systems at risk. Consistent with this
risk, reports of security incidents from federal agencies are on the rise,
increasing over 650% over the past 5 years. Each of the 24 agencies reviewed
had weaknesses in information security controls.
Federal Chief Information Officers: Opportunities Exist to
October 17, 2011
72
GAO is recommending that the Office of Management and Budget (OMB)
Improve Role in Information Technology Management
update its guidance to establish measures of accountability for ensuring that
http://www.gao.gov/products/GAO-11-634
CIOs’ responsibilities are fully implemented and require agencies to establish
internal processes for documenting lessons learned.
Defense Department Cyber Efforts: Definitions, Focal
July 29, 2011
33
This letter discusses the Department of Defense’s cyber and information
Point, and Methodology Needed for DOD to Develop
assurance budget for FY2012 and future years defense spending. The
Ful -Spectrum Cyberspace Budget Estimates
objectives of this review were to (1) assess the extent to which DOD has
http://www.gao.gov/products/GAO-11-695R
prepared an overarching budget estimate for ful -spectrum cyberspace
operations across the department and (2) identify the challenges DOD has
faced in providing such estimates.
Continued Attention Needed to Protect Our Nation’s
July 26, 2011
20
A number of significant challenges remain to enhancing the security of cyber-
Critical Infrastructure
reliant critical infrastructures, such as (1) implementing actions recommended
http://www.gao.gov/products/GAO-11-463T
by the President's cybersecurity policy review; (2) updating the national
strategy for securing the information and communications infrastructure;
(3) reassessing DHS's planning approach to critical infrastructure protection;
(4) strengthening public-private partnerships, particularly for information
sharing; (5) enhancing the national capability for cyber warning and analysis;
(6) addressing global aspects of cybersecurity and governance; and (7) securing
the modernized electricity grid.
Defense Department Cyber Efforts: DOD Faces
July 25, 2011
79
GAO recommends that DOD evaluate how it is organized to address
Challenges in Its Cyber Activities
cybersecurity threats; assess the extent to which it has developed joint
http://www.gao.gov/products/GAO-11-75
doctrine that addresses cyberspace operations; examine how it assigned
command and control responsibilities; and determine how it identifies and acts
to mitigate key capability gaps involving cyberspace operations.
Information Security: State Has Taken Steps to Implement a Continuous Monitoring Application, but Key Challenges Remain
http://www.gao.gov/products/GAO-11-149
Date: July 8, 2011
Pages: 63
Notes: The Department of State implemented a custom application called iPost and a
risk scoring program that is intended to provide continuous monitoring
capabilities of information security risk to elements of its information
technology (IT) infrastructure. To improve implementation of iPost at State,
the Secretary of State should direct the Chief Information Officer to develop,
document, and maintain an iPost configuration management and test process.

Cybersecurity: Continued Attention Needed to Protect Our Nation’s Critical Infrastructure and Federal Information Systems
http://www.gao.gov/products/GAO-11-463T
Date: March 16, 2011
Pages: 16
Notes: Executive branch agencies have made progress instituting several
government-wide initiatives aimed at bolstering aspects of federal cybersecurity, such as
reducing the number of federal access points to the Internet, establishing
security configurations for desktop computers, and enhancing situational
awareness of cyber events. Despite these efforts, the federal government
continues to face significant challenges in protecting the nation's cyber-reliant
critical infrastructure and federal information systems.

Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed
http://www.gao.gov/products/GAO-11-117
Date: January 12, 2011
Pages: 50
Notes: GAO identified six key challenges: (1) Aspects of the regulatory environment
may make it difficult to ensure smart grid systems’ cybersecurity. (2) Utilities
are focusing on regulatory compliance instead of comprehensive security. (3)
The electric industry does not have an effective mechanism for sharing
information on cybersecurity. (4) Consumers are not adequately informed
about the benefits, costs, and risks associated with smart grid systems. (5)
There is a lack of security features being built into certain smart grid systems.
(6) The electricity industry does not have metrics for evaluating cybersecurity.

Information Security: Federal Agencies Have Taken Steps to Secure Wireless Networks, but Further Actions Can Mitigate Risk
http://www.gao.gov/products/GAO-11-43
Date: November 30, 2010
Pages: 50
Notes: Existing government-wide guidelines and oversight efforts do not fully address
agency implementation of leading wireless security practices. Until agencies
take steps to better implement these leading practices, and OMB takes steps
to improve government-wide oversight, wireless networks will remain at an
increased vulnerability to attack.

Cyberspace Policy: Executive Branch Is Making Progress Implementing 2009 Policy Review Recommendations, but Sustained Leadership Is Needed
http://www.gao.gov/products/GAO-11-24
Date: October 6, 2010
Pages: 66
Notes: Of the 24 recommendations in the President’s May 2009 cyber policy review
report, 2 have been fully implemented, and 22 have been partially
implemented. While these efforts appear to be steps forward, agencies were
largely not able to provide milestones and plans that showed when and how
implementation of the recommendations was to occur.

DHS Efforts to Assess and Promote Resiliency Are Evolving but Program Management Could Be Strengthened
http://www.gao.gov/products/GAO-10-772
Date: September 23, 2010
Pages: 46
Notes: The Department of Homeland Security (DHS) has not developed an effective
way to ensure that critical national infrastructure, such as electrical grids and
telecommunications networks, can bounce back from a disaster. DHS has
conducted surveys and vulnerability assessments of critical infrastructure to
identify gaps, but has not developed a way to measure whether owners and
operators of that infrastructure adopt measures to reduce risks.

Information Security: Progress Made on Harmonizing Policies and Guidance for National Security and Non-National Security Systems
http://www.gao.gov/products/GAO-10-916
Date: September 15, 2010
Pages: 38
Notes: OMB and NIST established policies and guidance for civilian non-national
security systems, while other organizations, including the Committee on
National Security Systems (CNSS), DOD, and the U.S. intelligence community,
have developed policies and guidance for national security systems. GAO was
asked to assess the progress of federal efforts to harmonize policies and
guidance for these two types of systems.

United States Faces Challenges in Addressing Global Cybersecurity and Governance
http://www.gao.gov/products/GAO-10-606
Date: August 2, 2010
Pages: 53
Notes: GAO recommends that the Special Assistant to the President and
Cybersecurity Coordinator should make recommendations to appropriate
agencies and interagency coordination committees regarding any necessary
changes to more effectively coordinate and forge a coherent national
approach to cyberspace policy.

Critical Infrastructure Protection: Key Private and Public Cyber Expectations Need to Be Consistently Addressed
http://www.gao.gov/products/GAO-10-628
Date: July 15, 2010
Pages: 38
Notes: The Special Assistant to the President and Cybersecurity Coordinator and the
Secretary of Homeland Security should take two actions: (1) use the results of
this report to focus their information-sharing efforts, including their relevant
pilot projects, on the most desired services, including providing timely and
actionable threat and alert information, access to sensitive or classified
information, a secure mechanism for sharing information, and security
clearance and (2) bolster the efforts to build out the National Cybersecurity
and Communications Integration Center as the central focal point for
leveraging and integrating the capabilities of the private sector, civilian
government, law enforcement, the military, and the intelligence community.

Federal Guidance Needed to Address Control Issues With Implementing Cloud Computing
http://www.gao.gov/products/GAO-10-513
Date: July 1, 2010
Pages: 53
Notes: To assist federal agencies in identifying uses for cloud computing and
information security measures to use in implementing cloud computing, the
Director of OMB should establish milestones for completing a strategy for
implementing the federal cloud computing initiative.

Continued Attention Is Needed to Protect Federal Information Systems from Evolving Threats
http://www.gao.gov/products/GAO-10-834t
Date: June 16, 2010
Pages: 15
Notes: Multiple opportunities exist to improve federal cybersecurity. To address
identified deficiencies in agencies’ security controls and shortfalls in their
information security programs, GAO and agency inspectors general have
made hundreds of recommendations over the past several years, many of
which agencies are implementing. In addition, the White House, OMB, and
certain federal agencies have undertaken several government-wide initiatives
intended to enhance information security at federal agencies. While progress
has been made on these initiatives, they all face challenges that require
sustained attention, and GAO has made several recommendations for
improving the implementation and effectiveness of these initiatives.

Information Security: Concerted Response Needed to Resolve Persistent Weaknesses
http://www.gao.gov/products/GAO-10-536t
Date: March 24, 2010
Pages: 21
Notes: Without proper safeguards, federal computer systems are vulnerable to
intrusions by individuals who have malicious intentions and can obtain
sensitive information. The need for a vigilant approach to information security
has been demonstrated by the pervasive and sustained cyberattacks against
the United States; these attacks continue to pose a potentially devastating
impact to systems and the operations and critical infrastructures they support.

Cybersecurity: Continued Attention Is Needed to Protect Federal Information Systems from Evolving Threats
http://www.gao.gov/products/GAO-11-463T
Date: March 16, 2010
Pages: 15
Notes: The White House, the Office of Management and Budget, and certain federal
agencies have undertaken several government-wide initiatives intended to
enhance information security at federal agencies. While progress has been
made on these initiatives, they all face challenges that require sustained
attention, and GAO has made several recommendations for improving the
implementation and effectiveness of these initiatives.

Concerted Effort Needed to Consolidate and Secure Internet Connections at Federal Agencies
http://www.gao.gov/products/GAO-10-237
Date: April 12, 2010
Pages: 40
Notes: To reduce the threat to federal systems and operations posed by cyberattacks
on the United States, OMB launched, in November 2007, the Trusted Internet
Connections (TIC) initiative, and later, in 2008, DHS’s National Cybersecurity
Protection System (NCPS), operationally known as Einstein, which became
mandatory for federal agencies as part of TIC. To further ensure that federal
agencies have adequate, sufficient, and timely information to successfully meet
the goals and objectives of the TIC and Einstein programs, DHS’s Secretary
should, to better understand whether Einstein alerts are valid, develop
additional performance measures that indicate how agencies respond to alerts.

Cybersecurity: Progress Made But Challenges Remain in Defining and Coordinating the Comprehensive National Initiative
http://www.gao.gov/products/GAO-10-338
Date: March 5, 2010
Pages: 64
Notes: To address strategic challenges in areas that are not the subject of existing
projects within CNCI but remain key to achieving the initiative’s overall goal
of securing federal information systems, OMB’s Director should continue
developing a strategic approach to identity management and authentication,
linked to HSPD-12 implementation, as initially described in the CIOC's plan
for implementing federal identity, credential, and access management, so as to
provide greater assurance that only authorized individuals and entities can gain
access to federal information systems.

Continued Efforts Are Needed to Protect Information Systems from Evolving Threats
http://www.gao.gov/products/GAO-10-230t
Date: November 17, 2009
Pages: 24
Notes: GAO has identified weaknesses in all major categories of information security
controls at federal agencies. For example, in FY2008, weaknesses were
reported in such controls at 23 of 24 major agencies. Specifically, agencies did
not consistently authenticate users to prevent unauthorized access to systems;
apply encryption to protect sensitive data; and log, audit, and monitor
security-relevant events, among other actions.

Efforts to Improve Information Sharing Need to Be Strengthened
http://www.gao.gov/products/GAO-03-760
Date: August 27, 2003
Pages: 59
Notes: Information on threats, methods, and techniques of terrorists is not routinely
shared; and the information that is shared is not perceived as timely, accurate,
or relevant.

Source: Highlights compiled by CRS from the GAO reports.

Table 3. Selected Government Reports: White House/Office of Management and Budget
Title, Date, Pages, Notes
Immediate Opportunities for Strengthening the Nation’s Cybersecurity
http://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_cybersecurity_nov-2013.pdf
Date: November 2013
Pages: 31
Notes: Report of the President’s Council of Advisors on Science and
Technology (PCAST). The report recommends the government phase
out insecure, outdated operating systems, like Windows XP, implement
better encryption technology, and encourage automatic security updates,
among other changes. PCAST also recommends, for regulated industries,
that the government help create cybersecurity best practices and audit
their adoption—and for independent agencies, PCAST write new rules
that require businesses to report their cyber improvements.

Incentives to Support Adoption of the Cybersecurity Framework
http://www.whitehouse.gov/blog/2013/08/06/incentives-support-adoption-cybersecurity-framework
Date: August 6, 2013
Pages: N/A
Notes: To promote cybersecurity practices and develop these core capabilities,
we are working with critical infrastructure owners and operators to
create a Cybersecurity Framework – a set of core practices to develop
capabilities to manage cybersecurity risk ... Over the next few months,
agencies will examine these options in detail to determine which ones to
adopt and how, based substantially on input from critical infrastructure
stakeholders.

Cross Agency Priority Goal: Cybersecurity, FY2013 Q2 Status Report
http://goals.performance.gov/node/39069
Date: June 2013
Pages: 26
Notes: Executive branch departments and agencies will achieve 95%
implementation of the Administration’s priority cybersecurity capabilities
by the end of FY2014. These capabilities include strong authentication,
Trusted Internet Connections (TIC), and Continuous Monitoring.

Improving Cybersecurity
http://technology.performance.gov/initiative/ensure-cybersecurity/home
Date: March 2013
Pages: N/A
Notes: The Administration updated all 14 cross-agency priority goals on the
Performance.gov portal, giving all new targets for agencies to hit over the
next two years. The Office of Management and Budget also is using the
opportunity to better connect agency performance improvement officers
to the Trusted Internet Connections and Homeland Security.

FY 2012 Report to Congress on the Implementation of the Federal Information Security Management Act of 2002
http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/fy12_fisma.pdf
Date: March 2013
Pages: 68
Notes: More government programs violated data security law standards in 2012
than in the previous year, and at the same time, computer security costs
have increased by more than $1 billion. Inadequate training was a large
part of the reason all-around FISMA adherence scores slipped from 75%
in 2011 to 74% in 2012. Agencies reported that about 88% of personnel
with system access privileges received annual security awareness
instruction, down from 99% in 2011. Meanwhile, personnel expenses
accounted for the vast majority—90%—of the $14.6 billion departments
spent on information technology security in 2012.

Administration Strategy for Mitigating the Theft of U.S. Trade Secrets
http://www.whitehouse.gov//sites/default/files/omb/IPEC/admin_strategy_on_mitigating_the_theft_of_u.s._trade_secrets.pdf
Date: February 20, 2013
Pages: 141
Notes: “First, we will increase our diplomatic engagement.... Second, we will
support industry-led efforts to develop best practices to protect trade
secrets and encourage companies to share with each other best practices
that can mitigate the risk of trade secret theft.... Third, DOJ will continue
to make the investigation and prosecution of trade secret theft by foreign
competitors and foreign governments a top priority.... Fourth, President
Obama recently signed two pieces of legislation that will improve
enforcement against trade secret theft.... Lastly, we will increase public
awareness of the threats and risks to the U.S. economy posed by trade
secret theft.”

National Strategy for Information Sharing and Safeguarding
http://www.whitehouse.gov/sites/default/files/docs/2012sharingstrategy_1.pdf
Date: December 2012
Pages: 24
Notes: Provides guidance for effective development, integration, and
implementation of policies, processes, standards, and technologies to
promote secure and responsible information sharing.

Collaborative and Cross-Cutting Approaches to Cybersecurity
http://www.whitehouse.gov/blog/2012/08/01/collaborative-and-cross-cutting-approaches-cybersecurity
Date: August 1, 2012
Pages: N/A
Notes: Michael Daniel, White House Cybersecurity Coordinator, highlights a
few recent initiatives where voluntary, cooperative actions are helping to
improve the nation’s overall cybersecurity.

Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program
http://www.whitehouse.gov/sites/default/files/microsites/ostp/fed_cybersecurity_rd_strategic_plan_2011.pdf
Date: December 6, 2011
Pages: 36
Notes: As a research and development strategy, this plan defines four strategic
thrusts: Inducing Change; Developing Scientific Foundations; Maximizing
Research Impact; and Accelerating Transition to Practice.

Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information
http://www.whitehouse.gov/the-press-office/2011/10/07/executive-order-structural-reforms-improve-security-classified-networks-
Date: October 7, 2011
Pages: N/A
Notes: President Obama signed an executive order outlining data security
measures and rules for government agencies to follow to prevent further
data leaks by insiders. The order included the creation of a senior
steering committee that will oversee the safeguarding and sharing of
information.

FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management
http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-33.pdf
Date: September 14, 2011
Pages: 29
Notes: Rather than enforcing a static, three-year reauthorization process,
agencies are expected to conduct ongoing authorizations of information
systems through the implementation of continuous monitoring programs.
Continuous monitoring programs thus fulfill the three year security
reauthorization requirement, so a separate re-authorization process is
not necessary.

International Strategy for Cyberspace
http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf
Date: May 16, 2011
Pages: 30
Notes: The strategy marks the first time any administration has attempted to set
forth in one document the U.S. government’s vision for cyberspace,
including goals for defense, diplomacy, and international development.

Cybersecurity Legislative Proposal (Fact Sheet)
http://www.whitehouse.gov/the-press-office/2011/05/12/fact-sheet-cybersecurity-legislative-proposal
Date: May 12, 2011
Pages: N/A
Notes: The Administration’s proposal ensures the protection of individuals'
privacy and civil liberties through a framework designed expressly to
address the challenges of cybersecurity. The Administration's legislative
proposal includes: Management, Personnel, Intrusion Prevention Systems,
and Data Centers.

Federal Cloud Computing Strategy
http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/federal-cloud-computing-strategy.pdf
Date: February 13, 2011
Pages: 43
Notes: The strategy outlines how the federal government can accelerate the
safe, secure adoption of cloud computing, and provides agencies with a
framework for migrating to the cloud. It also examines how agencies can
address challenges related to the adoption of cloud computing, such as
privacy, procurement, standards, and governance.

25 Point Implementation Plan to Reform Federal Information Technology Management
http://www.dhs.gov/sites/default/files/publications/digital-strategy/25-point-implementation-plan-to-reform-federal-it.pdf
Date: December 9, 2010
Pages: 40
Notes: The plan’s goals are to reduce the number of federally run data centers
from 2,100 to approximately 1,300, rectify or cancel one-third of
troubled IT projects, and require federal agencies to adopt a “cloud first”
strategy in which they will move at least one system to a hosted
environment within a year.

Clarifying Cybersecurity Responsibilities
http://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-28.pdf
Date: July 6, 2010
Pages: 39
Notes: This memorandum outlines and clarifies the respective responsibilities
and activities of the Office of Management and Budget (OMB), the
Cybersecurity Coordinator, and DHS, in particular with respect to the
Federal Government’s implementation of the Federal Information
Security Management Act of 2002 (FISMA).

The National Strategy for Trusted Identities in Cyberspace: Creating Options for Enhanced Online Security and Privacy
http://www.dhs.gov/xlibrary/assets/ns_tic.pdf
Date: June 25, 2010
Pages: 39
Notes: The NSTIC, which is in response to one of the near term action items in
the President’s Cyberspace Policy Review, calls for the creation of an
online environment, or an Identity Ecosystem, where individuals and
organizations can complete online transactions with confidence, trusting
the identities of each other and the identities of the infrastructure where
transactions occur.

Comprehensive National Cybersecurity Initiative (CNCI)
http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative
Date: March 2, 2010
Pages: 5
Notes: The CNCI establishes a multi-pronged approach the federal government
is to take in identifying current and emerging cyber threats, shoring up
current and future telecommunications and cyber vulnerabilities, and
responding to or proactively addressing entities that wish to steal or
manipulate protected data on secure federal systems.

Cyberspace Policy Review: Assuring a Trusted and Resilient Communications Infrastructure
http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf
Date: May 29, 2009
Pages: 76
Notes: The President directed a 60-day, comprehensive, “clean-slate” review to
assess U.S. policies and structures for cybersecurity. The review team of
government cybersecurity experts engaged and received input from a
broad cross-section of industry, academia, the civil liberties and privacy
communities, state governments, international partners, and the
legislative and executive branches. This paper summarizes the review
team’s conclusions and outlines the beginning of the way forward toward
a reliable, resilient, trustworthy digital infrastructure for the future.

Source: Highlights compiled by CRS from the White House reports.

Table 4. Selected Government Reports: Department of Defense (DOD)
Title, Source, Date, Pages, Notes
An Assessment of the Department of Defense Strategy for Operating in Cyberspace
http://www.strategicstudiesinstitute.army.mil/pdffiles/PUB1170.pdf
Source: U.S. Army War College
Date: September 2013
Pages: 60
Notes: This monograph is organized in three main parts. The
first part explores the evolution of cyberspace strategy
through a series of government publications leading up to
the DoD Strategy for Operating in Cyberspace. In the
second part, each strategic initiative is elaborated and
critiqued in terms of significance, novelty, and
practicality. In the third part, the monograph critiques
the DoD Strategy as a whole.

Military and Security Developments Involving the People’s Republic of China 2013 (Annual Report to Congress)
http://www.defense.gov/pubs/2013_China_Report_FINAL.pdf
Source: Department of Defense
Date: May 6, 2013
Pages: 92
Notes: China is using its computer network exploitation
capability to support intelligence collection against the
U.S. diplomatic, economic, and defense industrial base
sectors that support U.S. national defense programs. The
information targeted could potentially be used to benefit
China’s defense industry, high-technology industries,
policymaker interest in U.S. leadership thinking on key
China issues, and military planners building a picture of
U.S. network defense networks, logistics, and related
military capabilities that could be exploited during a
crisis.

Resilient Military Systems and the Advanced Cyber Threat
http://www.defense.gov/pubs/2013_China_Report_FINAL.pdf
Source: Department of Defense Science Board
Date: January 2013
Pages: 146
Notes: The report states that, despite numerous Pentagon
actions to parry sophisticated attacks by other countries,
efforts are “fragmented” and the Defense Department
“is not prepared to defend against this threat.” The
report lays out a scenario in which cyberattacks in
conjunction with conventional warfare damaged the
ability of U.S. forces to respond, creating confusion on
the battlefield and weakening traditional defenses.

FY 2012 Annual Report
http://www.dote.osd.mil/pub/reports/FY2012/pdf/other/2012DOTEAnnualReport.pdf
Source: Department of Defense
Date: January 2013
Pages: 372
Notes: Annual report to Congress by J. Michael Gilmore,
director of Operational Test and Evaluation. Assesses
the operational effectiveness of systems being developed
for combat. See “Information Assurance (I/A) and
Interoperability (IOP)” chapter, pages 305-312, for
information on network exploitation and compromise
exercises.

Basic Safeguarding of Contractor Information Systems (Proposed Rule)
http://www.gpo.gov/fdsys/pkg/FR-2012-08-24/pdf/2012-20881.pdf
Source: Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA)
Date: August 24, 2012
Pages: 4
Notes: This regulation authored by the DOD, General Services
Administration (GSA), and National Aeronautics and
Space Administration (NASA) “would add a contract
clause to address requirements for the basic safeguarding
of contractor information systems that contain or
process information provided by or generated for the
government (other than public information).”

DOD Actions Needed to Strengthen Management and Oversight
http://www.gao.gov/products/GAO-12-479?source=ra
Source: GAO
Date: July 9, 2012
Pages: 46
Notes: DOD’s oversight of electronic warfare capabilities may
be further complicated by its evolving relationship with
computer network operations, which is also an
information operations-related capability. Without
clearly defined roles and responsibilities and updated
guidance regarding oversight responsibilities, DOD does
not have reasonable assurance that its management
structures will provide effective department-wide
leadership for electronic warfare activities and
capabilities development and ensure effective and
efficient use of its resources.

Cloud Computing Strategy
http://www.defense.gov/news/DoDCloudComputingStrategy.pdf
Source: DOD, Chief Information Officer
Date: July 2012
Pages: 44
Notes: The DOD Cloud Computing Strategy introduces an
approach to move the department from the current
state of a duplicative, cumbersome, and costly set of
application silos to an end state, which is an agile, secure,
and cost effective service environment that can rapidly
respond to changing mission needs.

DOD Defense Industrial Base (DIB) Voluntary Cyber Security and Information Assurance Activities
http://www.gpo.gov/fdsys/pkg/FR-2012-05-11/pdf/2012-10651.pdf
Source: Federal Register
Date: May 11, 2012
Notes: DOD interim final rule to establish a voluntary cyber
security information sharing program between DOD and
eligible DIB companies. The program enhances and
supplements DIB participants’ capabilities to safeguard
DOD information that resides on, or transits, DIB
unclassified information.

DOD Information Security Program: Overview, Classification, and Declassification
http://www.fas.org/sgp/othergov/dod/5200_01v1.pdf
Source: DOD
Date: February 16, 2012
Pages: 84
Notes: Describes the DOD Information Security Program, and
provides guidance for classification and declassification of
DOD information that requires protection in the
interest of the national security.

Cyber Sentries: Preparing Defenders to Win in a Contested Domain
http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA561779&Location=U2&doc=GetTRDoc.pdf
Source: Air War College
Date: February 7, 2012
Pages: 38
Notes: This paper examines the current impediments to
effective cybersecurity workforce preparation and offers
new concepts to create Cyber Sentries through realistic
training, network authorities tied to certification, and
ethical training. These actions present an opportunity to
significantly enhance workforce quality and allow the
Department to operate effectively in the contested cyber
domain in accordance with the vision established in its
Strategy for Cyberspace Operations.

Defense Department Cyber Efforts: Definitions, Focal Point, and Methodology Needed for DOD to Develop Full-Spectrum Cyberspace Budget Estimates
http://www.gao.gov/products/GAO-11-695R
Source: Government Accountability Office (GAO)
Date: July 29, 2011
Pages: 33
Notes: This letter discusses DOD’s cyber and information
assurance budget for fiscal year 2012 and future years
defense spending. The objectives of this review were to
(1) assess the extent to which DOD has prepared an
overarching budget estimate for full-spectrum cyberspace
operations across the department; and (2) identify the
challenges DOD has faced in providing such estimates.

Legal Reviews of Weapons and Cyber Capabilities
http://www.fas.org/irp/doddir/usaf/afi51-402.pdf
Source: Secretary of the Air Force
Date: July 27, 2011
Pages: 7
Notes: States the Air Force must subject cyber capabilities to
legal review for compliance with the Law of Armed
Conflict and other international and domestic laws. The
Air Force judge advocate general must ensure that all
cyber capabilities “being developed, bought, built,
modified or otherwise acquired by the Air Force” must
undergo legal review—except for cyber capabilities
within a Special Access Program, which must undergo
review by the Air Force general counsel.

Department of Defense Strategy for Operating in Cyberspace
http://www.defense.gov/news/d20110714cyber.pdf
Source: DOD
Date: July 14, 2011
Pages: 19
Notes: This is an unclassified summary of DOD’s cyber-security
strategy.

Cyber Operations Personnel Report (DOD)
http://www.hsdl.org/?view&did=488076
Source: DOD
Date: April, 2011
Pages: 84
Notes: This report focuses on FY2009 Department of Defense
Cyber Operations personnel, with duties and
responsibilities as defined in Section 934 of the Fiscal
Year 2010 National Defense Authorization Act (NDAA).
Appendix A—Cyber Operations-related Military Occupations
Appendix B—Commercial Certifications Supporting the DOD Information Assurance Workforce Improvement Program
Appendix C—Military Services Training and Development
Appendix D—Geographic Location of National Centers of Academic Excellence in Information Assurance

Anomaly Detection at Multiple Scales (ADAMS)
http://info.publicintelligence.net/DARPA-ADAMS.pdf
Source: Defense Advanced Research Projects Agency (DARPA)
Date: November 9, 2011
Pages: 74
Notes: The design document was produced by Allure Security
and sponsored by the Defense Advanced Research
Projects Agency (DARPA). It describes a system for
preventing leaks by seeding believable disinformation in
military information systems to help identify individuals
attempting to access and disseminate classified
information.

Critical Code: Software Producibility for Defense
http://www.nap.edu/catalog.php?record_id=12979
Source: National Research Council, Committee for Advancing Software-Intensive Systems Producibility
Date: October 20, 2010
Pages: 161
Notes: Assesses the nature of the national investment in
software research and, in particular, considers ways to
revitalize the knowledge base needed to design, produce,
and employ software-intensive systems for tomorrow’s
defense needs.

Defending a New Domain
http://www.foreignaffairs.com/articles/66552/william-j-lynn-iii/defending-a-new-domain
Source: U.S. Deputy Secretary of Defense, William J. Lynn (Foreign Affairs)
Date: September 2010
Pages: N/A
Notes: In 2008, the U.S. Department of Defense suffered a
significant compromise of its classified military computer
networks. It began when an infected flash drive was
inserted into a U.S. military laptop at a base in the Middle
East. This previously classified incident was the most
significant breach of U.S. military computers ever, and
served as an important wake-up call.

The QDR in Perspective: Meeting America’s National Security Needs In the 21st Century (QDR Final Report)
http://www.usip.org/quadrennial-defense-review-independent-panel-/view-the-report
Source: Quadrennial Defense Review
Date: July 30, 2010
Pages: 159
Notes: From the report: “The expanding cyber mission also
needs to be examined. The Department of Defense
should be prepared to assist civil authorities in defending
cyberspace – beyond the Department’s current role.”

Cyberspace Operations: Air Force Doctrine Document 3-12
http://www.fas.org/irp/doddir/usaf/afdd3-12.pdf
Source: U.S. Air Force
Date: July 15, 2010
Pages: 62
Notes: This Air Force Doctrine Document (AFDD) establishes
doctrinal guidance for the employment of U.S. Air Force
operations in, through, and from cyberspace. It is the
keystone of Air Force operational-level doctrine for
cyberspace operations.

DON (Department of the Navy) Cybersecurity/Information Assurance Workforce Management, Oversight and Compliance
Source: U.S. Navy
Date: June 17, 2010
Pages: 14
Notes: To establish policy and assign responsibilities for the
administration of the Department of the Navy (DON)
Cybersecurity (CS)/Information Assurance Workforce
(IAWF) Management Oversight and Compliance
Program.

Note: Highlights compiled by CRS from the reports.

Table 5. Selected Government Reports: National Strategy for Trusted Identities in Cyberspace (NSTIC)
Title, Source, Date, Pages, Notes
NIST Awards Grants to Improve Online Security and Privacy
NIST September
17,
N/A
NIST announced more than $7 mil ion in grants to
http://www.nist.gov/itl/nstic-091713.cfm
2013
support the National Strategy for Trusted Identities in
Cyberspace (NSTIC). The funding will enable five U.S.
organizations to develop pilot identity protection and
verification systems that offer consumers more
privacy, security, and convenience online.
Five Pilot Projects Receive Grants to Promote Online Security
NIST September
20,
N/A
NIST announced more than $9 million in grant
and Privacy
2012
awards to support the NSTIC. Five U.S. organizations
http://www.nist.gov/itl/nstic-092012.cfm
will pilot identity solutions that increase confidence in
online transactions, prevent identity theft, and
provide individuals with more control over how they
share their personal information.
Recommendations for Establishing an Identity Ecosystem
NIST February
17,
51
NIST responds to comments received in response to
Governance Structure for the National Strategy for Trusted
2012
the related Notice of Inquiry published in the Federal
Identities in Cyberspace
Register on June 14, 2011.
http://www.nist.gov/nstic/2012-nstic-governance-recs.pdf
Models for a Governance Structure for the National Strategy for
Department of
June 14, 2011
4
The department seeks public comment from all
Trusted Identities in Cyberspace
Commerce
stakeholders, including the commercial, academic and
http://www.nist.gov/nstic/nstic-frn-noi.pdf
civil society sectors, and consumer and privacy
advocates on potential models, in the form of
recommendations and key assumptions in the
formation and structure of the steering group.
Administration Releases Strategy to Protect Online Consumers
White House
April 15, 2011
52
Press release on a proposal to administer the
and Support Innovation and Fact Sheet on National Strategy for
processes for policy and standards adoption for the
Trusted Identities in Cyberspace
Identity Ecosystem Framework in accordance with
http://www.whitehouse.gov/the-press-office/2011/04/15/
the NSTIC.
administration-releases-strategy-protect-online-consumers-and-
support-in
National Strategy for Trusted Identities in Cyberspace
White House
April 15, 2011
52
The NSTIC aims to make online transactions more
http://www.whitehouse.gov/blog/2010/06/25/national-strategy-trust
trustworthy, thereby giving businesses and consumers
cyberspace
more confidence in conducting business online.
Note: Highlights compiled by CRS from the reports.

Table 6. Selected Government Reports: Other Federal Agencies
Title: Immediate Opportunities for Strengthening the Nation’s Cybersecurity
URL: http://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_cybersecurity_nov-2013.pdf
Source: President’s Council of Advisors on Science and Technology (PCAST)
Date: November 2013
Pages: 31
Notes: The report recommends the government phase out insecure, outdated operating systems, like Windows XP, implement better encryption technology, and encourage automatic security updates, among other changes. PCAST also recommends, for regulated industries, that the government help create cybersecurity best practices and audit their adoption — and for independent agencies, PCAST write new rules that require businesses to report their cyber improvements.

Title: DHS' Efforts to Coordinate the Activities of Federal Cyber Operations Center
URL: http://www.oig.dhs.gov/assets/Mgmt/2014/OIG_14-02_Oct13.pdf
Source: DHS Inspector General
Date: October 2013
Pages: 29
Notes: DHS could do a better job sharing information among the five federal centers that coordinate cybersecurity work. The department’s National Cybersecurity and Communications Integration Center, or the NCCIC, is tasked with sharing information about malicious activities on government networks with cybersecurity offices within the Defense Department, the FBI, and federal intelligence agencies. But the DHS center and the five federal cybersecurity hubs do not all have the same technology or resources, preventing them from having shared situational awareness of intrusions or threats and restricting their ability to coordinate response. The centers also have not created a standard set of categories for reporting incidents.

Title: Cybersecurity Framework
URL: http://www.nist.gov/itl/cyberframework.cfm
Source: NIST
Date: October 22, 2013
Pages: 47
Notes: NIST seeks comments on the preliminary version of the Cybersecurity Framework (“preliminary Framework”). Under Executive Order 13636, the Secretary of Commerce is tasked to direct the Director of NIST to work with stakeholders to develop a framework to reduce cyber risks to critical infrastructure.

Title: Discussion Draft of the Preliminary Cybersecurity Framework
URL: http://nist.gov/itl/upload/discussion-draft_preliminary-cybersecurity-framework-082813.pdf
Source: NIST
Date: August 28, 2013
Pages: 36
Notes: The Framework provides a common language and mechanism for organizations to (1) describe current cybersecurity posture; (2) describe their target state for cybersecurity; (3) identify and prioritize opportunities for improvement within the context of risk management; (4) assess progress toward the target state; and (5) foster communications among internal and external stakeholders.

Title: Special Cybersecurity Workforce Project (Memo for Heads of Executive Departments and Agencies)
URL: http://www.chcoc.gov/transmittals/TransmittalDetails.aspx?TransmittalID=5716
Source: Office of Personnel Management (OPM)
Date: July 8, 2013
Pages: N/A
Notes: The OPM is collaborating with the White House Office of Science and Technology Policy, the Chief Human Capital Officers Council (CHCOC), and the Chief Information Officers Council (CIOC) in implementing a special workforce project that tasks federal agencies’ cybersecurity, information technology, and human resources communities to build a statistical data set of existing and future cybersecurity positions in the OPM Enterprise Human Resources Integration (EHRI) data warehouse by the end of FY2014.

Title: Guide to Malware Incident Prevention and Handling for Desktops and Laptops
URL: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-83r1.pdf
Source: NIST
Date: July 1, 2013
Pages: 47
Notes: Provides recommendations for improving an organization's malware incident prevention measures. Also gives extensive recommendations for enhancing an organization's existing incident response capability so that it is better prepared to handle malware incidents, particularly widespread ones.

Title: DRAFT Outline—Preliminary Framework to Reduce Cyber Risks to Critical Infrastructure
URL: http://www.nist.gov/itl/upload/draft_outline_preliminary_framework_standards.pdf
Source: NIST
Date: July 1, 2013
Pages: 5
Notes: This draft is produced for discussion purposes at the upcoming workshops and to further encourage private-sector input before NIST publishes a preliminary Draft Framework to Reduce Cyber Risks to Critical Infrastructure (“the Framework”) for public comment in October.

Title: Computer Security Incident Coordination (CSIC): Providing Timely Cyber Incident Response
URL: http://www.gpo.gov/fdsys/pkg/FR-2013-06-28/pdf/2013-15542.pdf
Source: NIST
Date: June 28, 2013
Pages: 3
Notes: NIST is seeking information relating to Computer Security Incident Coordination (CSIC) as part of the research needed to write a NIST Special Publication (SP) to help Computer Security Incident Response Teams (CSIRTs) coordinate effectively when responding to computer-security incidents. The NIST SP will identify technical standards, methodologies, procedures, and processes that facilitate prompt and effective response.

Title: Proposed Establishment of a Federally Funded Research and Development Center—Second Notice
URL: http://www.gpo.gov/fdsys/pkg/FR-2013-06-21/pdf/2013-14897.pdf
Source: NIST
Date: June 21, 2013
Pages: 3
Notes: NIST intends to sponsor a Federally Funded Research and Development Center (FFRDC) to facilitate public-private collaboration for accelerating the widespread adoption of integrated cybersecurity tools and technologies. This is the second of three notices that must be published over a 90-day period to advise the public of the agency’s intention to sponsor an FFRDC.

Title: Update on the Development of the Cybersecurity Framework
URL: http://www.nist.gov/itl/upload/nist_cybersecurity_framework_update_061813.pdf
Source: NIST
Date: June 18, 2013
Pages: 3
Notes: NIST is seeking input about foundational cybersecurity practices, ideas for how to manage privacy and civil-liberties needs, and outcome-oriented metrics that leaders can use in evaluating the position and progress of their organizations’ cybersecurity status. In a few weeks, NIST expects to post an outline of the preliminary cybersecurity framework, including existing standards and practices.

Title: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices
URL: http://www.gpo.gov/fdsys/pkg/FR-2013-06-14/pdf/2013-14167.pdf
Source: Food and Drug Administration (FDA)
Date: June 14, 2013
Pages: 1
Notes: This guidance identifies cybersecurity issues that manufacturers should consider in preparing premarket submissions for medical devices in order to maintain information confidentiality, integrity, and availability.

Title: DHS Can Take Actions to Address Its Additional Cybersecurity Responsibilities
URL: http://www.oig.dhs.gov/assets/Mgmt/2013/OIG_13-95_Jun13.pdf
Source: Department of Homeland Security
Date: June 5, 2013
Pages: 26
Notes: The National Protection and Programs Directorate (NPPD) was audited to determine whether the Office of Cybersecurity and Communications had effectively implemented its additional cybersecurity responsibilities to improve the security posture of the federal government. Although actions have been taken, NPPD can make further improvements to address its additional cybersecurity responsibilities.

Title: Mobile Security Reference Architecture
URL: https://cio.gov/wp-content/uploads/downloads/2013/05/Mobile-Security-Reference-Architecture.pdf
Source: Federal CIO Council and the Department of Homeland Security (DHS)
Date: May 23, 2013
Pages: 104
Notes: Gives agencies guidance in the secure implementation of mobile solutions through their enterprise architectures. The document provides in-depth reference architecture for mobile computing.

Title: Initial Analysis of Cybersecurity Framework RFI Responses
URL: http://csrc.nist.gov/cyberframework/rfi_initial_responses.html
Source: NIST
Date: May 15, 2013
Pages: 34
Notes: This document represents NIST's initial analysis of the Request for Information (RFI) responses. Its purpose is to describe the methodology that NIST used to perform the initial analysis of the submitted responses, and to identify and describe the Cybersecurity Framework themes that emerged as a part of the initial analysis.

Title: Proposed Establishment of a Federally Funded Research and Development Center-First Notice
URL: http://www.gpo.gov/fdsys/pkg/FR-2013-04-22/pdf/2013-09376.pdf
Source: NIST
Date: April 22, 2013
Pages: 2
Notes: To help the National Cybersecurity Center of Excellence (NCCoE) address industry’s needs most efficiently, NIST will sponsor its first Federally Funded Research and Development Center (FFRDC) to facilitate public-private collaboration for accelerating the widespread adoption of integrated cybersecurity tools and technologies.

Title: Privacy Impact Assessment for EINSTEIN 3 - Accelerated (E3A)
URL: http://www.dhs.gov/sites/default/files/publications/privacy/PIAs/PIA%20NPPD%20E3A%2020130419%20FINAL%20signed.pdf
Source: Department of Homeland Security
Date: April 19, 2013
Pages: 27
Notes: DHS will deploy EINSTEIN 3 Accelerated (E3A) to enhance cybersecurity analysis, situational awareness, and security response. Under the direction of DHS, ISPs will administer intrusion prevention and threat-based decision-making on network traffic entering and leaving participating federal civilian Executive Branch agency networks. This Privacy Impact Assessment (PIA) is being conducted because E3A will include analysis of federal network traffic, which may contain personally identifiable information (PII).

Title: Cyber Student Initiative
URL: http://www.dhs.gov/sites/default/files/publications/SHP_Cyber_Student_Initiative_Bulletin.pdf
Source: Department of Homeland Security
Date: April 18, 2013
Pages: 2
Notes: The Cyber Student Initiative program will begin at Immigration and Customs Enforcement computer forensic labs in 36 cities nationwide, where students will be trained and gain hands-on experience within the department’s cybersecurity community. The unpaid volunteer program is only available to community college students and veterans pursuing a degree in the cybersecurity field.

Title: Security and Privacy Controls for Federal Information Systems (SP 800-53)
URL: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
Source: NIST
Date: April 2013
Pages: 3
Notes: Special Publication 800-53, Revision 4, provides a more holistic approach to information security and risk management by providing organizations with the breadth and depth of security controls necessary to fundamentally strengthen their information systems and the environments in which those systems operate—contributing to systems that are more resilient in the face of cyberattacks and other threats. This “Build It Right” strategy is coupled with a variety of security controls for “Continuous Monitoring” to give organizations near real-time information that is essential for senior leaders making ongoing risk-based decisions affecting their critical missions and business functions.

Title: Guide to Attribute Based Access Control Definition and Consideration (SP 800-162)
Source: NIST
Date: April 2013
Pages: 54
Notes: Improving information sharing while maintaining control over access to that information is a primary goal of guidance coming from the NIST.

Title: National Level Exercise 2012: Quick Look Report
URL: http://www.fema.gov/library/viewRecord.do?id=7240
Source: Federal Emergency Management Agency
Date: March 2013
Pages: 22
Notes: National Level Exercise (NLE) 2012 was a series of exercise events that examined the ability of the United States to execute a coordinated response to a series of significant cyber incidents. As a part of the National Exercise Program, NLE 2012 emphasized the shared responsibility among all levels of government, the private sector, and the international community to secure cyber networks and coordinate response and recovery actions. The NLE 2012 series was focused on examining four major themes: planning and implementation of the draft National Cyber Incident Response Plan (NCIRP), coordination among governmental entities, information sharing, and decision making.

Title: Measuring What Matters: Reducing Risks by Rethinking How We Evaluate Cybersecurity
URL: http://www.safegov.org/media/46155/measuring_what_matters_final.pdf
Source: National Academy of Public Administration and Safegov.org
Date: March 2013
Pages: 39
Notes: Rather than periodically auditing whether an agency’s systems meet the standards enumerated in Federal Information Security Management Act (FISMA) at a static moment in time, agencies and their inspectors general should keep running scorecards of “cyber risk indicators” based on continual IG assessments of a federal organization's cyber vulnerabilities.

Title: Developing a Framework To Improve Critical Infrastructure Cybersecurity
URL: http://www.gpo.gov/fdsys/pkg/FR-2013-02-26/pdf/2013-04413.pdf
Source: National Institute of Standards and Technology (NIST)
Date: February 26, 2013
Pages: 5
Notes: NIST announced the first step in the development of a Cybersecurity Framework, which will be a set of voluntary standards and best practices to guide industry in reducing cyber risks to the networks and computers that are vital to the nation’s economy, security, and daily life.

Title: Follow-up Audit of the Department's Cyber Security Incident Management Program
URL: https://www.hsdl.org/?view&did=728459
Source: Department of Energy Inspector General
Date: December 2012
Pages: 25
Notes: “In 2008, we reported in The Department's Cyber Security Incident Management Program (DOE/IG-0787, January 2008) that the Department and NNSA established and maintained a number of independent, at least partially duplicative, cyber security incident management capabilities. Although certain actions had been taken in response to our prior report, we identified several issues that limited the efficiency and effectiveness of the Department's cyber security incident management program and adversely impacted the ability of law enforcement to investigate incidents. For instance, we noted that the Department and NNSA continued to operate independent, partially duplicative cyber security incident management capabilities at an annual cost of more than $30 million. The issues identified were due, in part, to the lack of a unified, Department-wide cyber security incident management strategy. In response to our finding, management concurred with the recommendations and indicated that it had initiated actions to address the issues identified.”

Title: Secure and Trustworthy Cyberspace (SaTC) Program Solicitation
URL: http://www.nsf.gov/funding/pgm_summ.jsp?pims_id=504709
Source: National Science Foundation and the National Science and Technology Council (NSTC)
Date: October 4, 2012
Pages: N/A
Notes: This grant program seeks proposals that address Cybersecurity from a Trustworthy Computing Systems perspective (TWC); a Social, Behavioral and Economic Sciences perspective (SBE); and a Transition to Practice perspective (TPP).

Title: Information Sharing Environment: Annual Report to Congress 2012
URL: http://ise.gov/sites/default/files/ISE_Annual_Report_to_Congress_2012.pdf
Source: Information Sharing Environment (ISE)
Date: June 30, 2012
Pages: 188
Notes: “This Report, which PM-ISE is submitting on behalf of the President, incorporates input from our mission partners and uses their initiatives and PM-ISE’s management activities to provide a cohesive narrative on the state and progress of terrorism-related responsible information sharing, including its impact on our collective ability to secure the nation and our national interests.”

Title: Cybersecurity: CF Disclosure Guidance: Topic No. 2
URL: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
Source: Securities and Exchange Commission
Date: October 13, 2011
Pages: N/A
Notes: The statements in this CF Disclosure Guidance represent the views of the Division of Corporation Finance. This guidance is not a rule, regulation, or statement of the Securities and Exchange Commission. Further, the Commission has neither approved nor disapproved its content.

Note: Highlights compiled by CRS from the reports.

Table 7. Selected Reports: Cloud Computing
Title: Delivering on the Promise of Big Data and the Cloud
URL: http://www.boozallen.com/media/file/BigDataInTheCloud.pdf
Source: Booz, Allen, Hamilton
Date: January 9, 2013
Pages: 7
Notes: Reference architecture does away with conventional data and analytics silos, consolidating all information into a single medium designed to foster connections called a “data lake,” which reduces complexity and creates efficiencies that improve data visualization to allow for easier insights by analysts.

Title: Cloud Computing: An Overview of the Technology and the Issues facing American Innovators
URL: http://judiciary.house.gov/hearings/Hearings%202012/hear_07252012_2.html
Source: House Judiciary Comm., Subcom. on Intellectual Property, Competition, and the Internet
Date: July 25, 2012
Pages: 156
Notes: Overview and discussion of cloud computing issues.

Title: Information Technology Reform: Progress Made but Future Cloud Computing Efforts Should be Better Planned
URL: http://www.gao.gov/products/GAO-12-756
Source: GAO
Date: July 11, 2012
Pages: 43
Notes: To help ensure the success of agencies’ implementation of cloud-based solutions, the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury, and the Administrators of the General Services Administration and Small Business Administration should direct their respective CIO to establish estimated costs, performance goals, and plans to retire associated legacy systems for each cloud-based service discussed in this report, as applicable.

Title: Cloud Computing Strategy
URL: http://www.defense.gov/news/DoDCloudComputingStrategy.pdf
Source: DOD, Chief Information Officer
Date: July 2012
Pages: 44
Notes: The DOD Cloud Computing Strategy introduces an approach to move the department from the current state of a duplicative, cumbersome, and costly set of application silos to an end state, which is an agile, secure, and cost effective service environment that can rapidly respond to changing mission needs.

Title: A Global Reality: Governmental Access to Data in the Cloud - A Comparative Analysis of Ten International Jurisdictions
URL: http://www.hoganlovells.com/files/News/c6edc1e2-d57b-402e-9cab-a7be4e004c59/Presentation/NewsAttachment/a17af284-7d04-4008-b557-5888433b292d/Revised%20Government%20Access%20to%20Cloud%20Data%20Paper%20(18%20July%2012).pdf
Source: Hogan Lovells
Date: May 23, 2012
Pages: 13
Notes: This White Paper compares the nature and extent of governmental access to data in the cloud in many jurisdictions around the world.

Title: Policy Challenges of Cross-Border Cloud Computing
URL: http://www.usitc.gov/journals/Policy_Challenges_of_Cross-border_Cloud_Computing_rev.pdf
Source: U.S. International Trade Commission
Date: May 1, 2012
Pages: 38
Notes: Examine the main policy challenges associated with cross-border cloud computing—data privacy, security, and ensuring the free flow of information—and the ways that countries are addressing them through domestic policymaking, international agreements, and other cooperative arrangements.

Title: Cloud Computing Synopsis and Recommendations
URL: http://csrc.nist.gov/publications/nistpubs/800-146/sp800-146.pdf
Source: NIST
Date: May 2012
Pages: 81
Notes: The National Institute of Standards and Technology has unveiled a guide that explains cloud technologies in “plain terms” to federal agencies and provides recommendations for IT decision makers.

Title: Global Cloud Computing Scorecard a Blueprint for Economic Opportunity
URL: http://portal.bsa.org/cloudscorecard2012/
Source: Business Software Alliance
Date: February 2, 2012
Pages: 24
Notes: This report notes that while many developed countries have adjusted their laws and regulations to address cloud computing, the wide differences in those rules make it difficult for companies to invest in the technology.

Title: Concept of Operations: FedRAMP
URL: http://www.gsa.gov/graphics/staffoffices/FedRAMP_CONOPS.pdf
Source: General Services Administration (GSA)
Date: February 7, 2012
Pages: 47
Notes: Implementation of FedRAMP will be in phases. This document describes all the services that will be available at initial operating capability—targeted for June 2012. The Concept of Operations will be updated as the program evolves toward sustained operations.

Title: Federal Risk and Authorization Management Program (FedRAMP)
URL: http://www.gsa.gov/portal/category/102371
Source: Federal CIO Council
Date: January 4, 2012
Pages: N/A
Notes: The Federal Risk and Authorization Management Program or FedRAMP has been established to provide a standard approach to Assessing and Authorizing (A&A) cloud computing services and products.

Title: Security Authorization of Information Systems in Cloud Computing Environments (FedRAMP)
URL: http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/fedrampmemo.pdf
Source: White House/Office of Management and Budget (OMB)
Date: December 8, 2011
Pages: 7
Notes: The Federal Risk and Authorization Management Program (FedRAMP) will now be required for all agencies purchasing storage, applications and other remote services from vendors. The Obama Administration has championed cloud computing as a means to save money and accelerate the government’s adoption of new technologies.

Title: U.S. Government Cloud Computing Technology Roadmap, Volume I, Release 1.0 (Draft). High-Priority Requirements to Further USG Agency Cloud Computing Adoption
URL: http://www.nist.gov/itl/cloud/upload/SP_500_293_volumeI-2.pdf
Source: NIST
Date: December 1, 2011
Pages: 32
Notes: Volume I is aimed at interested parties who wish to gain a general understanding and overview of the background, purpose, context, work, results, and next steps of the U.S. Government Cloud Computing Technology Roadmap initiative.

Title: U.S. Government Cloud Computing Technology Roadmap, Release 1.0 (Draft), Volume II Useful Information for Cloud Adopters
URL: http://www.nist.gov/itl/cloud/upload/SP_500_293_volumeII.pdf
Source: NIST
Date: December 1, 2011
Pages: 85
Notes: Volume II is designed to be a technical reference for those actively working on strategic and tactical cloud computing initiatives, including, but not limited to, U.S. government cloud adopters. Volume II integrates and summarizes the work completed to date, and explains how these findings support the roadmap introduced in Volume I.

Title: Information Security: Additional Guidance Needed to Address Cloud Computing Concerns
URL: http://www.gao.gov/products/GAO-12-130T
Source: GAO
Date: October 5, 2011
Pages: 17
Notes: Twenty-two of 24 major federal agencies reported that they were either concerned or very concerned about the potential information security risks associated with cloud computing. GAO recommended that the NIST issue guidance specific to cloud computing security. NIST has issued multiple publications which address such guidance; however, one publication remains in draft, and is not to be finalized until the first quarter of fiscal year 2012.

Title: Cloud Computing Reference Architecture
URL: http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909505
Source: NIST
Date: September 1, 2011
Pages: 35
Notes: This “Special Publication,” which is not an official U.S. government standard, is designed to provide guidance to specific communities of practitioners and researchers.

Title: Guide to Cloud Computing for Policy Makers
URL: http://www.siia.net/index.php?option=com_docman&task=doc_download&gid=3040&Itemid=318
Source: Software and Information Industry Association (SAII)
Date: July 26, 2011
Pages: 27
Notes: The SAII concludes “that there is no need for cloud-specific legislation or regulations to provide for the safe and rapid growth of cloud computing, and in fact, such actions could impede the great potential of cloud computing.”

Title: Federal Cloud Computing Strategy
URL: http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/federal-cloud-computing-strategy.pdf
Source: White House
Date: February 13, 2011
Pages: 43
Notes: The strategy outlines how the federal government can accelerate the safe, secure adoption of cloud computing, and provides agencies with a framework for migrating to the cloud. It also examines how agencies can address challenges related to the adoption of cloud computing, such as privacy, procurement, standards, and governance.

Notes: These reports analyze cybersecurity issues related to the federal government’s adoption of cloud computing storage options. Highlights compiled by CRS from the reports.


CRS Reports: Critical Infrastructure
• CRS Report R42683, Critical Infrastructure Resilience: The Evolution of Policy
and Programs and Issues for Congress, by John D. Moteff
• CRS Report RL30153, Critical Infrastructures: Background, Policy, and
Implementation, by John D. Moteff
• CRS Report R42660, Pipeline Cybersecurity: Federal Policy, by Paul W.
Parfomak
• CRS Report R41536, Keeping America’s Pipelines Safe and Secure: Key Issues
for Congress, by Paul W. Parfomak
• CRS Report R41886, The Smart Grid and Cybersecurity—Regulatory Policy and
Issues, by Richard J. Campbell
• CRS Report R42338, Smart Meter Data: Privacy and Cybersecurity, by Brandon
J. Murrill, Edward C. Liu, and Richard M. Thompson II
• CRS Report RL33586, The Federal Networking and Information Technology
Research and Development Program: Background, Funding, and Activities, by
Patricia Moloney Figliola
• CRS Report 97-868, Internet Domain Names: Background and Policy Issues, by
Lennard G. Kruger
• CRS Report R42351, Internet Governance and the Domain Name System: Issues
for Congress, by Lennard G. Kruger


Table 8. Selected Reports: Critical Infrastructure
Title: The Critical Infrastructure Gap: U.S. Port Facilities and Cyber Vulnerabilities
URL: http://www.brookings.edu/~/media/research/files/papers/2013/07/02%20cyber%20port%20security%20kramek/03%20cyber%20port%20security%20kramek.pdf
Source: Brookings Institution/Center for 21st Century Security and Intelligence
Date: July 2013
Pages: 50
Notes: The study argues that the level of cyber security awareness and culture in U.S. port facilities is relatively low and that a cyberattack at a major U.S. port would quickly cause significant damage to the economy.

Title: FFIEC Forms Cybersecurity and Critical Infrastructure Working Group
URL: http://op.bna.com/bar.nsf/id/jtin-98errp/$File/ffieccyber.pdf
Source: Federal Financial Institutions Examination Council (FFIEC)
Date: June 6, 2013
Pages: 2
Notes: FFIEC announced the formation of a working group to further promote coordination across the federal and state banking regulatory agencies on critical infrastructure and cybersecurity issues.

Title: Electric Grid Vulnerability: Industry Responses Reveal Security Gaps
URL: http://markey.house.gov/sites/markey.house.gov/files/documents/Markey%20Grid%20Report_05.21.13.pdf
Source: Rep. Edward Markey and Rep. Henry Waxman
Date: May 21, 2013
Pages: 35
Notes: The report found that less than a quarter of investor-owned utilities and less than half of municipal and cooperation-owned utilities followed through with voluntary standards issued by the Federal Energy Regulatory Commission after the Stuxnet worm struck in 2010.

Title: Initial Analysis of Cybersecurity Framework RFI Responses
URL: http://csrc.nist.gov/cyberframework/nist-initial-analysis-of-rfi-responses.pdf
Source: National Institute of Standards and Technology
Date: May 20, 2013
Pages: 33
Notes: Comments on the challenges of protecting the nation’s critical infrastructure have identified a handful of top-of-mind issues for the more than 200 people and organizations who responded to a formal request for information. NIST has released an initial analysis of 243 responses to the Feb. 26 RFI. The analysis will form the basis for an upcoming workshop at Carnegie Mellon University in Pittsburgh as NIST moves forward on creating a cybersecurity framework for essential energy, utility, and communications systems.

Title: Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition, Notice of Request for Information
URL: http://www.gpo.gov/fdsys/pkg/FR-2013-05-13/pdf/2013-11239.pdf
Source: General Services Administration
Date: May 13, 2013
Pages: 3
Notes: Among other things, PPD-21 requires the General Services Administration, in consultation with DOD and DHS, to jointly provide and support government-wide contracts for critical infrastructure systems and ensure that such contracts include audit rights for the security and resilience of critical infrastructure.

Title Source
Date
Pages
Notes
Version 5 Critical Infrastructure Protection Reliability
Federal Energy
April 24, 2013
18
FERC proposes to approve the Version 5 Critical Infrastructure
Standards (Notice of Proposed Rulemaking)
Regulatory
Protection Reliability Standards, CIP-002-5 through CIP-011-1,
http://www.gpo.gov/fdsys/pkg/FR-2013-04-24/pdf/2013-
Commission
submitted by the North American Electric Reliability
09643.pdf
Corporation, the Commission-certified Electric Reliability
Organization. The proposed Reliability Standards, which pertain
to the cyber security of the bulk electric system, represent an
improvement over the current Commission-approved CIP
Reliability Standards as they adopt new cyber security controls
and extend the scope of the systems that are protected by the
CIP Reliability Standards.
Incentives To Adopt Improved Cybersecurity Practices
National Institute
March 28, 2013
N/A
The Commerce Department is preparing a report on ways to
http://www.ntia.doc.gov/federal-register-notice/2013/
of Standards and
incentivize companies and organizations to improve their
notice-inquiry-incentives-adopt-improved-cybersecurity-
Technology and
cybersecurity. To better understand what stakeholders – such as
practices-html
the National
companies, trade associations, academics and others – believe
Telecommunicati
would best serve as incentives, the Department has released a

ons and
series of questions to gather public comments in a Notice of
Information
Inquiry.
Administration
Title: SCADA and Process Control Security Survey
https://www.sans.org/reading_room/analysts_program/sans_survey_scada_2013.pdf
Source: SANS Institute
Date: February 1, 2013
Pages: 19
Notes: SANS Institute surveyed professionals who work with SCADA and process control systems. Of the nearly 700 respondents, 70% said they consider their SCADA systems to be at high or severe risk; one-third of them suspect that they have already been infiltrated.

Title: Follow-up Audit of the Department’s Cyber Security Incident Management Program
https://www.hsdl.org/?view&did=728459
Source: U.S. Department of Energy Inspector General’s Office
Date: December 1, 2012
Pages: 25
Notes: In 2008, it was reported in the Department's Cyber Security Incident Management Program (DOE/IG-0787, January 2008) that the department and NNSA established and maintained a number of independent, at least partially duplicative, cyber security incident management capabilities. Although certain actions had been taken in response to the prior report, several issues were identified that limited the efficiency and effectiveness of the department's cyber security incident management program and adversely affected the ability of law enforcement to investigate incidents. In response to the finding, management concurred with the recommendations and indicated that it had initiated actions to address the issues identified.

Title: Terrorism and the Electric Power Delivery System
http://www.nap.edu/catalog.php?record_id=12050
Source: National Academies of Science
Date: November 2012
Pages: 146
Notes: Focuses on measures that could make the power delivery system less vulnerable to attacks, restore power faster after an attack, and make critical services less vulnerable while the delivery of conventional electric power has been disrupted.

Title: New FERC Office to Focus on Cyber Security
http://www.ferc.gov/media/news-releases/2012/2012-3/09-20-12.asp
Source: U.S. Department of Energy
Date: September 20, 2012
Pages: N/A
Notes: The Federal Energy Regulatory Commission announced the creation of the agency’s new Office of Energy Infrastructure Security, which will work to reduce threats to the electric grid and other energy facilities. The goal is for the office to help FERC, as well as other agencies and private companies, better identify potential dangers and solutions.

Title: Canvassing the Targeting of Energy Infrastructure: The Energy Infrastructure Attack Database
http://www.ensec.org/index.php?option=com_content&view=article&id=379:canvassing-the-targeting-of-energy-infrastructure-the-energy-infrastructure-attack-database&catid=128:issue-content&Itemid=402
Source: Journal of Energy Security
Date: August 7, 2012
Pages: 8
Notes: The Energy Infrastructure Attack Database (EIAD) is a non-commercial dataset that structures information on reported (criminal and political) attacks to EI (worldwide) since 1980, by non-state actors. In building this resource, the objective was to develop a product that could be broadly accessible and also connect to existing available resources.

Title: Smart-Grid Security
http://tuscany.gmu.edu/centers/cip/cip.gmu.edu/wp-content/uploads/2013/06/TheCIPReport_August2012_SmartGrid.pdf
Source: Center for Infrastructure Protection and Homeland Security, George Mason School of Law
Date: August 1, 2012
Pages: 26
Notes: Highlights the significance of and the challenges with securing the smart grid.

Title: Cybersecurity: Challenges in Securing the Electricity Grid
http://www.gao.gov/products/GAO-12-926T
Source: GAO
Date: July 17, 2012
Pages: 25
Notes: In a prior report, GAO has made recommendations related to electricity grid modernization efforts, including developing an approach to monitor compliance with voluntary standards. These recommendations have not yet been implemented.

Title: ICS-CERT Incident Response Summary Report (2009-2011)
http://www.us-cert.gov/control_systems/pdf/ICS-CERT_Incident_Response_Summary_Report_09_11.pdf
Source: U.S. Industrial Control System Cyber Emergency Response Team (ICS-CERT)
Date: June 28, 2012
Pages: 17
Notes: The number of reported cyberattacks on U.S. critical infrastructure increased sharply—from 9 incidents in 2009 to 198 in 2011; water sector-specific incidents, when added to the incidents that affected several sectors, accounted for more than half of the incidents; in more than half of the most serious cases, implementing best practices such as login limitation or a properly configured firewall would have deterred the attack, reduced the time it would have taken to detect an attack, and minimized its impact.

Title: Energy Department Develops Tool with Industry to Help Utilities Strengthen Their Cybersecurity Capabilities
http://energy.gov/articles/energy-department-develops-tool-industry-help-utilities-strengthen-their-cybersecurity
Source: U.S. Department of Energy
Date: June 28, 2012
Pages: N/A
Notes: The Cybersecurity Self-Evaluation Tool utilizes best practices that were developed for the Electricity Subsector Cybersecurity Capability Maturity Model Initiative, which involved a series of workshops with the private sector to draft a maturity model that can be used throughout the electric sector to better protect the grid.

Title: Electricity Subsector Cybersecurity Risk Management Process
http://energy.gov/oe/downloads/cybersecurity-risk-management-process-rmp-guideline-final-may-2012
Source: Department of Energy, Office of Electricity Delivery & Energy Reliability
Date: May 2012
Pages: 96
Notes: The guideline describes a risk management process that is targeted to the specific needs of electricity sector organizations. The objective of the guideline is to build upon existing guidance and requirements to develop a flexible risk management process tuned to the diverse missions, equipment, and business needs of the electric power industry.

Title: Cybersecurity for Energy Delivery Systems Program
http://energy.gov/oe/technology-development/energy-delivery-systems-cybersecurity
Source: Department of Energy, Office of Electricity Delivery & Energy Reliability
Date: ongoing
Pages: N/A
Notes: The program assists the energy sector asset owners (electric, oil, and gas) by developing cybersecurity solutions for energy delivery systems through integrated planning and a focused research and development effort. CEDS co-funds projects with industry partners to make advances in cybersecurity capabilities for energy delivery systems.

Title: ICT Applications for the Smart Grid: Opportunities and Policy Implications
http://www.oecd-ilibrary.org/content/workingpaper/5k9h2q8v9bln-en
Source: Organization for Economic Co-operation and Development (OECD)
Date: January 10, 2012
Pages: 44
Notes: This report discusses “smart” applications of information and communication technologies (ICTs) for more sustainable energy production, management and consumption. The report outlines policy implications for government ministries dealing with telecommunications regulation, ICT sector and innovation promotion, and consumer and competition issues.

Title: The Department’s Management of the Smart Grid Investment Grant Program
http://energy.gov/ig/downloads/departments-management-smart-grid-investment-grant-program-oas-ra-12-04
Source: Department of Energy (DOE) Inspector General
Date: January 1, 2012
Pages: 21
Notes: According to the Inspector General, DOE's rush to award stimulus grants for projects under the next generation of the power grid, known as the Smart grid, resulted in some firms receiving funds without submitting complete plans for how to safeguard the grid from cyberattacks.

Title: Critical Infrastructure Protection: Cybersecurity Guidance Is Available, but More Can Be Done to Promote Its Use
http://www.gao.gov/products/GAO-12-92
Source: Government Accountability Office (GAO)
Date: December 9, 2011
Pages: 77
Notes: Given the plethora of guidance available, individual entities within the sectors may be challenged in identifying the guidance that is most applicable and effective in improving their security posture. Improved knowledge of the available guidance could help both federal and private-sector decision makers better coordinate their efforts to protect critical cyber-reliant assets.

Title: The Future of the Electric Grid
http://web.mit.edu/mitei/research/studies/the-electric-grid-2011.shtml
Source: Massachusetts Institute of Technology (MIT)
Date: December 5, 2011
Pages: 39
Notes: Chapter 1 provides an overview of the status of the grid, the challenges and opportunities it will face, and major recommendations. To facilitate selective reading, detailed descriptions of the contents of each section in Chapters 2–9 are provided in each chapter’s introduction, and recommendations are collected and briefly discussed in each chapter's final section. (See Chapter 9, Data Communications, Cybersecurity, and Information Privacy, pages 208-234).

Title: FCC’s Plan for Ensuring the Security of Telecommunications Networks
ftp://ftp.fcc.gov/pub/Daily_Releases/Daily_Business/2011/db0610/DOC-307454A1.txt
Source: Federal Communications Commission (FCC)
Date: June 3, 2011
Pages: 1
Notes: FCC Chairman Genachowski's response to letter from Rep. Anna Eshoo dated November 2, 2010, re: concerns about the implications of foreign-controlled telecommunications infrastructure companies providing equipment to the U.S. market.

Title: Cyber Infrastructure Protection
http://www.strategicstudiesinstitute.army.mil/pubs/display.cfm?pubid=1067
Source: U.S. Army War College
Date: May 9, 2011
Pages: 324
Notes: Part 1 deals with strategic and policy issues related to cybersecurity and discusses the theory of cyberpower, Internet survivability, large scale data breaches, and the role of cyberpower in humanitarian assistance. Part 2 covers social and legal aspects of cyber infrastructure protection and discusses the attack dynamics of political and religiously motivated hackers. Part 3 discusses the technical aspects of cyber infrastructure protection, including the resilience of data centers, intrusion detection, and a strong emphasis on Internet protocol (IP) networks.

Title: In the Dark: Crucial Industries Confront Cyberattacks
http://www.mcafee.com/us/resources/reports/rp-critical-infrastructure-protection.pdf
Source: McAfee and Center for Strategic and International Studies (CSIS)
Date: April 21, 2011
Pages: 28
Notes: The study reveals an increase in cyberattacks on critical infrastructure such as power grids, oil, gas, and water; the study also shows that many of the world’s critical infrastructures lacked protection of their computer networks, and reveals the cost and impact of cyberattacks.

Title: Cybersecurity: Continued Attention Needed to Protect Our Nation’s Critical Infrastructure and Federal Information Systems
http://www.gao.gov/products/GAO-11-463T
Source: Government Accountability Office (GAO)
Date: March 16, 2011
Pages: 16
Notes: According to GAO, executive branch agencies have also made progress instituting several government-wide initiatives that are aimed at bolstering aspects of federal cybersecurity, such as reducing the number of federal access points to the Internet, establishing security configurations for desktop computers, and enhancing situational awareness of cyber events. Despite these efforts, the federal government continues to face significant challenges in protecting the nation's cyber-reliant critical infrastructure and federal information systems.

Title: Federal Energy Regulatory Commission’s Monitoring of Power Grid Cyber Security
http://www.wired.com/images_blogs/threatlevel/2011/02/DoE-IG-Report-on-Grid-Security.pdf
Source: North American Electric Reliability Corp. (NERC)
Date: January 26, 2011
Pages: 30
Notes: NERC developed Critical Infrastructure Protection (CIP) cyber security reliability standards which were approved by the FERC in January 2008. Although the Commission had taken steps to ensure CIP cyber security standards were developed and approved, NERC’s testing revealed that such standards did not always include controls commonly recommended for protecting critical information systems. In addition, the CIP standards implementation approach and schedule approved by the Commission were not adequate to ensure that systems-related risks to the nation's power grid were mitigated or addressed in a timely manner.

Title: Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed
http://www.gao.gov/products/GAO-11-117
Source: Government Accountability Office (GAO)
Date: January 12, 2011
Pages: 50
Notes: To reduce the risk that NIST’s smart grid cybersecurity guidelines will not be as effective as intended, the Secretary of Commerce should direct the Director of NIST to finalize the agency's plan for updating and maintaining the cybersecurity guidelines, including ensuring it incorporates (1) missing key elements identified in this report, and (2) specific milestones for when efforts are to be completed. Also, as a part of finalizing the plan, the Secretary of Commerce should direct the Director of NIST to assess whether any cybersecurity challenges identified in this report should be addressed in the guidelines.

Title: Partnership for Cybersecurity Innovation
http://www.whitehouse.gov/blog/2010/12/06/partnership-cybersecurity-innovation
Source: White House (Office of Science & Technology Policy)
Date: December 6, 2010
Pages: 4
Notes: The Obama Administration released a Memorandum of Understanding signed by the National Institute of Standards and Technology (NIST) of the Department of Commerce, the Science and Technology Directorate of the Department of Homeland Security (DHS/S&T), and the Financial Services Sector Coordinating Council (FSSCC). The goal of the agreement is to speed the commercialization of cybersecurity research innovations that support the nation’s critical infrastructures.

Title: WIB Security Standard Released
http://www.isssource.com/wib/
Source: International Instrument Users Association (WIB)
Date: November 10, 2010
Notes: The Netherlands-based International Instrument Users Association (WIB), an international organization that represents global manufacturers in the industrial automation industry, announced the second version of the Process Control Domain Security Requirements For Vendors document—the first international standard that outlines a set of specific requirements focusing on cyber security best practices for suppliers of industrial automation and control systems.

Title: Information Security Management System for Microsoft Cloud Infrastructure
http://cdn.globalfoundationservices.com/documents/InformationSecurityMangSysforMSCloudInfrastructure.pdf
Source: Microsoft
Date: November 2010
Pages: 15
Notes: This study describes the standards Microsoft follows to address current and evolving cloud security threats. It also depicts the internal structures within Microsoft that handle cloud security and risk management issues.

Title: NIST Finalizes Initial Set of Smart Grid Cyber Security Guidelines
http://www.nist.gov/public_affairs/releases/nist-finalizes-initial-set-of-smart-grid-cyber-security-guidelines.cfm
Source: National Institute of Standards and Technology (NIST)
Date: September 2, 2010
Pages: N/A
Notes: NIST released a three-volume set of recommendations on all things relevant to securing the Smart Grid. The guidelines address a variety of topics, including high-level security requirements, a risk assessment framework, an evaluation of privacy issues in residences and recommendations for protecting the evolving grid from attacks, malicious code, cascading errors, and other threats.

Title: Critical Infrastructure Protection: Key Private and Public Cyber Expectations Need to Be Consistently Addressed
http://www.gao.gov/products/GAO-10-628
Source: Government Accountability Office (GAO)
Date: July 15, 2010
Pages: 38
Notes: Private-sector stakeholders reported that they expect their federal partners to provide usable, timely, and actionable cyber threat information and alerts; access to sensitive or classified information; a secure mechanism for sharing information; security clearances; and a single centralized government cybersecurity organization to coordinate government efforts. However, according to private sector stakeholders, federal partners are not consistently meeting these expectations.

Title: The future of cloud computing
http://pewinternet.org/Reports/2010/The-future-of-cloud-computing.aspx
Source: Pew Research Center’s Internet & American Life Project
Date: June 11, 2010
Pages: 26
Notes: Technology experts and stakeholders say they expect they will “live mostly in the cloud” in 2020 and not on the desktop, working mostly through cyberspace-based applications accessed through networked devices.

Title: The Reliability of Global Undersea Communications Cable Infrastructure (The ROGUCCI Report)
http://www.ieee-rogucci.org/files/The%20ROGUCCI%20Report.pdf
Source: IEEE/EastWest Institute
Date: May 26, 2010
Pages: 186
Notes: This study submits 12 major recommendations to the private sector, governments and other stakeholders—especially the financial sector—for the purpose of improving the reliability, robustness, resilience, and security of the world’s undersea communications cable infrastructure.

Title: NSTB Assessments Summary Report: Common Industrial Control System Cyber Security Weaknesses
http://www.fas.org/sgp/eprint/nstb.pdf
Source: Department of Energy, Idaho National Laboratory
Date: May 1, 2010
Pages: 123
Notes: Computer networks controlling the electric grid are plagued with security holes that could allow intruders to redirect power delivery and steal data. Many of the security vulnerabilities are strikingly basic and fixable problems.

Title: Explore the reliability and resiliency of commercial broadband communications networks
http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-305618A1.doc
Source: Federal Communications Commission (FCC)
Date: April 21, 2010
Pages: N/A
Notes: The Federal Communications Commission launched an inquiry on the ability of existing broadband networks to withstand significant damage or severe overloads as a result of natural disasters, terrorist attacks, pandemics or other major public emergencies, as recommended in the National Broadband Plan.

Title: Security Guidance for Critical Areas of Focus in Cloud Computing V2.1
http://www.cloudsecurityalliance.org/csaguide.pdf
Source: Cloud Security Alliance
Date: December 2009
Pages: 76
Notes: “Through our focus on the central issues of cloud computing security, we have attempted to bring greater clarity to an otherwise complicated landscape, which is often filled with incomplete and oversimplified information. Our focus ... serves to bring context and specificity to the cloud computing security discussion: enabling us to go beyond gross generalizations to deliver more insightful and targeted recommendations.”

Title: 21 Steps to Improve Cyber Security of SCADA Networks
http://www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf
Source: U.S. Department of Energy, Infrastructure Security and Energy Restoration
Date: January 1, 2007
Pages: 10
Notes: The President’s Critical Infrastructure Protection Board and the Department of Energy have developed steps to help any organization improve the security of its SCADA networks. The steps are divided into two categories: specific actions to improve implementation, and actions to establish essential underlying management processes and policies.

Note: Highlights compiled by CRS from the reports.


CRS Reports and Other CRS Products: Cybercrime and National Security

• CRS Report 97-1025, Cybercrime: An Overview of the Federal Computer Fraud
and Abuse Statute and Related Federal Criminal Laws, by Charles Doyle
• CRS Report 94-166, Extraterritorial Application of American Criminal Law, by
Charles Doyle
• CRS Report R42403, Cybersecurity: Cyber Crime Protection Security Act (S.
2111, 112th Congress)—A Legal Analysis, by Charles Doyle
• CRS Report 98-326, Privacy: An Overview of Federal Statutes Governing
Wiretapping and Electronic Eavesdropping, by Gina Stevens and Charles Doyle
• CRS Report RL32706, Spyware: Background and Policy Issues for Congress, by
Patricia Moloney Figliola
• CRS Report R41975, Illegal Internet Streaming of Copyrighted
Content: Legislation in the 112th Congress, by Brian T. Yeh
• CRS Report R42112, Online Copyright Infringement and Counterfeiting:
Legislation in the 112th Congress, by Brian T. Yeh
• CRS Report R40599, Identity Theft: Trends and Issues, by Kristin Finklea
• CRS Report R41927, The Interplay of Borders, Turf, Cyberspace, and
Jurisdiction: Issues Confronting U.S. Law Enforcement, by Kristin Finklea
• CRS Report RL34651, Protection of Children Online: Federal and State Laws
Addressing Cyberstalking, Cyberharassment, and Cyberbullying, by Alison M.
Smith
• CRS Report R42547, Cybercrime: Conceptual Issues for Congress and U.S. Law
Enforcement, by Kristin Finklea and Catherine A. Theohary
• CRS Legal Sidebar, Legal Barriers to an Expanded Role of the Military in
Defending Against Domestic Cyberattacks, Andrew Nolan
• CRS Legal Sidebar, Obstacles to Private Sector Cyber Threat Information
Sharing, Edward C. Liu


Table 9. Selected Reports: Cybercrime/Cyberwar
Title  Source  Date  Pages  Notes

Title: Cyber-Warfare: Is the risk of cyber-warfare overrated?
http://www.economist.com/debate/days/view/997
Source: The Economist
Date: August 2, 2013
Pages: N/A
Notes: (Economist Debates adapt the Oxford style of debating to an online forum. Each side has three chances to persuade readers: opening, rebuttal, and closing.) “Separating hype from the urgent questions is hard. Amid talk of a ‘digital Pearl Harbour’ and ‘advanced persistent threats’ it is hard to know whether we are really ‘losing the war’ against the purveyors and users of malware and digital weapons.”

Title: ThreatWatch
http://www.nextgov.com/cybersecurity/threatwatch/
Source: NextGov
Date: August 2013
Pages: N/A
Notes: ThreatWatch is a snapshot of the data breaches hitting organizations and individuals, globally, on a daily basis. It is not an authoritative list, because many compromises are never reported or even discovered. The information is based on accounts published by outside news organizations and researchers.

Title: The Economic Impact of Cybercrime and Cyber Espionage
http://csis.org/publication/economic-impact-cybercrime-and-cyber-espionage
Source: Center for Strategic and International Studies
Date: July 22, 2013
Pages: 20
Notes: Losses to the United States (the country where data is most accessible) may reach $100 billion annually. The cost of cybercrime and cyber espionage to the global economy is some multiple of this, likely measured in hundreds of billions of dollars.

Title: Electric Grid Vulnerability: Industry Responses Reveal Security Gaps
http://markey.house.gov/sites/markey.house.gov/files/documents/Markey%20Grid%20Report_05.21.13.pdf
Source: Rep. Edward Markey and Rep. Henry Waxman
Date: May 21, 2013
Pages: 35
Notes: The report found that less than a quarter of investor-owned utilities and less than half of municipal and cooperation-owned utilities followed through with voluntary standards issued by the Federal Energy Regulatory Commission after the Stuxnet worm struck in 2010.

Title: Towards Trustworthy Social Media and Crowdsourcing
http://www.scribd.com/doc/138508756/Towards-Trustworthy-Social-Media-and-Crowdsourcing#download
Source: Wilson Center
Date: May 2013
Pages: 12
Notes: Individuals and organizations interested in using social media and crowdsourcing currently lack two key sets of information: a systematic assessment of the vulnerabilities in these technologies and a comprehensive set of best practices describing how to address those vulnerabilities. Identifying those vulnerabilities and developing those best practices are necessary to address a growing number of cybersecurity incidents ranging from innocent mistakes to targeted attacks that have claimed lives and cost millions of dollars.

Title: Remaking American Security: Supply Chain Vulnerabilities & National Security Risks Across the U.S. Defense Industrial Base
http://americanmanufacturing.org/files/RemakingAmericanSecurityMay2013.pdf
Source: Alliance for American Manufacturing
Date: May 2013
Pages: 355
Notes: Because the supply chain is global, it makes sense for U.S. officials to cooperate with other nations to ward off cyberattacks. Increased international cooperation to secure the integrity of the global IT system is a valuable long-term objective.

Title: Role of Counterterrorism Law in Shaping 'ad Bellum' Norms for Cyber Warfare
https://www.hsdl.org/?view&did=734375
Source: International Law Studies (U.S. Naval War College)
Date: April 1, 2013
Pages: 42
Notes: The prospect of cyber war has evolved from science fiction and over-the-top doomsday depictions on television, films, and in novels to reality and front-page news… To date there has been little attention given to the possibility that international law generally and counterterrorism law in particular could and should develop a subset of cyber-counterterrorism law to respond to the inevitability of cyberattacks by terrorists and the use of cyber weapons by governments against terrorists, and to supplement existing international law governing cyber war where the intrusions do not meet the traditional kinetic thresholds.

Title: The Tallinn Manual on the International Law Applicable to Cyber Warfare
http://ccdcoe.org/249.html
Source: Cambridge University Press/NATO Cooperative Cyber Defence Center of Excellence
Date: March 5, 2013
Pages: 282
Notes: The Tallinn Manual identifies the international law applicable to cyber warfare and sets out 95 ‘black-letter rules’ governing such conflicts. An extensive commentary accompanies each rule, which sets forth each rule’s basis in treaty and customary law, explains how the group of experts interpreted applicable norms in the cyber context, and outlines any disagreements within the group as to each rule’s application. (Note: The manual is not an official NATO publication, but an expression of opinions of a group of independent experts acting solely in their personal capacity.)

Title: APT1: Exposing One of China’s Cyber Espionage Units
http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
Source: Mandiant
Date: February 19, 2013
Pages: 76
Notes: The details analyzed during hundreds of investigations signal that the groups conducting these activities (computer security breaches around the world) are based primarily in China and that the Chinese government is aware of them.

Title: Video demo of Chinese hacker activity
http://intelreport.mandiant.com/
Source: Mandiant
Date: February 19, 2013
Pages: N/A
Notes: Video of APT1 attacker sessions and intrusion activities (5-minute video).

Title: Crisis and Escalation in Cyberspace
http://www.rand.org/pubs/monographs/MG1215.html
Source: RAND Corp.
Date: December 2012
Pages: 200
Notes: The genesis for this work was the broader issue of how the Air Force should integrate kinetic and nonkinetic operations. Central to this process was careful consideration of how escalation options and risks should be treated, which, in turn, demanded a broader consideration across the entire crisis-management spectrum. Such crises can be managed by taking steps to reduce the incentives for other states to step into crisis, by controlling the narrative, understanding the stability parameters of the crises, and trying to manage escalation if conflicts arise from crises.

Title: Cyberattacks Among Rivals: 2001-2011 (from the article, “The Fog of Cyberwar” by Brandon Valeriano and Ryan Maness) (subscription required)
http://www.foreignaffairs.com/cyberattacks-by-initiator-and-victim
Source: Foreign Affairs
Date: November 21, 2012
Pages: N/A
Notes: A chart showing cyberattacks by initiator and victim, 2001-2011.

Title: Emerging Cyber Threats Report 2013
http://www.gtsecuritysummit.com/pdf/2013ThreatsReport.pdf
Source: Georgia Institute of Technology
Date: November 14, 2012
Pages: 9
Notes: The year ahead will feature new and increasingly sophisticated means to capture and exploit user data, escalating battles over the control of online information and continuous threats to the U.S. supply chain from global sources. (From the annual Georgia Tech Cyber Security Summit 2012).

Title: Proactive Defense for Evolving Cyber Threats
http://prod.sandia.gov/techlib/access-control.cgi/2012/1210177.pdf
Source: Sandia National Labs
Date: November 1, 2012
Pages: 98
Notes: The project applied rigorous predictability-based analytics to two central and complementary aspects of the network defense problem—attack strategies of the adversaries and vulnerabilities of the defenders’ systems—and used the results to develop a scientifically-grounded, practically-implementable methodology for designing proactive cyber defense systems.

Title: Safeguarding Cyber-Security, Fighting in Cyberspace
http://www.isn.ethz.ch/isn/Editorial-Plan/Dossiers/Detail/?lng=en&id=154059&contextid782=154059
Source: International Relations and Security Network (ISN)
Date: October 22, 2012
Pages: N/A
Notes: Looks at the Militarisation of Cyber Security as a Source of Global Tension, and makes the case that cyber-warfare is already an essential feature of many leading states’ strategic calculations, followed by its opposite—i.e., one that believes the threat posed by cyber-warfare capabilities is woefully overstated.

Title: Before We Knew It: An Empirical Study of Zero-Day Attacks In The Real World
http://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
Source: Symantec Research Labs
Date: October 16, 2012
Pages: 12
Notes: The paper describes a method for automatically identifying zero-day attacks from field-gathered data that records when benign and malicious binaries are downloaded on 11 million real hosts around the world. Searching this data set for malicious files that exploit known vulnerabilities indicates which files appeared on the Internet before the corresponding vulnerabilities were disclosed.

Title: ZeroAccess: We’re Gonna Need a Bigger Planet
http://www.f-secure.com/weblog/archives/00002428.html
Source: F-Secure and Google Maps
Date: October 15, 2012
Pages: N/A
Notes: The idea of a network of malware-infected zombie computers rigged to do the bidding of criminals conjures up a frightening image on its own. A new visualization of the so-called ZeroAccess botnet shows how widespread such schemes can become.

Title: Investigative Report on the U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE
http://intelligence.house.gov/press-release/investigative-report-us-national-security-issues-posed-chinese-telecommunications
Source: House Permanent Select Committee on Intelligence
Date: October 8, 2012
Pages: 60
Notes: The committee initiated this investigation in November 2011 to inquire into the counterintelligence and security threat posed by Chinese telecommunications companies doing business in the United States.

Title: Federal Support for and Involvement in State and Local Fusion Centers
http://www.hsgac.senate.gov/download/?id=49139e81-1dd7-4788-a3bb-d6e7d97dde04
Source: U.S. Senate Permanent Subcommittee on Investigations
Date: October 3, 2012
Pages: 141
Notes: A two-year bipartisan investigation found that U.S. Department of Homeland Security efforts to engage state and local intelligence “fusion centers” have not yielded significant useful information to support federal counterterrorism intelligence efforts. In Section VI, “Fusion Centers Have Been Unable to Meaningfully Contribute to Federal Counterterrorism Efforts,” Part G, “Fusion Centers May Have Hindered, Not Aided, Federal Counterterrorism Efforts,” the report discusses the Russian “Cyberattack” in Illinois.

Title: HoneyMap—Visualizing Worldwide Attacks in Real-Time
http://www.honeynet.org/node/960
Source: The Honeynet Project
Date: October 1, 2012
Pages: N/A
Notes: The HoneyMap shows a real-time visualization of attacks against the Honeynet Project’s sensors deployed around the world.

Title: Manual on International Law Applicable to Cyber Warfare (“The Tallinn Manual”)
http://www.ccdcoe.org/249.html
Source: NATO Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia
Date: August 2012
Pages: N/A
Notes: The Tallinn Manual is a nonbinding yet authoritative restatement of the law of armed conflict as it relates to cyberwar. It offers guidance to attackers, defenders, and legal experts on how cyberattacks can be classified as actions covered under the law, such as armed attacks.

Title: Does Cybercrime Really Cost $1 Trillion?
http://www.propublica.org/article/does-cybercrime-really-cost-1-trillion
Source: ProPublica
Date: August 1, 2012
Pages: N/A
Notes: In a news release from computer security firm McAfee to announce its 2009 report, “Unsecured Economies: Protecting Vital Information,” the company estimated a trillion dollar global cost for cybercrime. The number does not appear in the report itself. McAfee’s trillion-dollar estimate is questioned even by the three independent researchers from Purdue University whom McAfee credits with analyzing the raw data from which the estimate was derived. An examination of their origins by ProPublica has found new grounds to question the data and methods used to generate these numbers, which McAfee and Symantec say they stand behind.

Putting the “war” in cyberwar: Metaphor, analogy, and
First Monday
July 2, 2012
N/A
This essay argues that current contradictory tendencies are
cybersecurity discourse in the United States
unproductive and even potential y dangerous. It argues that the
http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/
war metaphor and nuclear deterrence analogy are neither natural
article/view/3848/3270
nor inevitable and that abandoning them would open up new
possibilities for thinking more productively about the full spectrum
of cyber security challenges, including the as-yet unrealized
possibility of cyber war.
Information Security: Cyber Threats Facilitate Ability to
GAO June
28,
20
This statement discusses (1) cyber threats facing the nation’s
Commit Economic Espionage
2012
systems, (2) reported cyber incidents and their impacts, (3)
http://www.gao.gov/products/GAO-12-876T
security controls and other techniques available for reducing risk,
and (4) the responsibilities of key federal entities in support of
protecting IP.

Title: Measuring the Cost of Cybercrime
URL: http://weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf
Source: 11th Annual Workshop on the Economics of Information Security
Date: June 25, 2012
Pages: N/A
Notes: “For each of the main categories of cybercrime we set out what is and is not known of the direct costs, indirect costs and defence costs - both to the UK and to the world as a whole.”

Title: Nodes and Codes: The Reality of Cyber Warfare
URL: http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA567190&Location=U2&doc=GetTRDoc.pdf
Source: U.S. Army School of Advanced Military Studies, Command and General Staff
Date: May 17, 2012
Pages: 62
Notes: Explores the reality of cyber warfare through the story of Stuxnet. Three case studies evaluate cyber policy, discourse, and procurement in the United States, Russia, and China before and after Stuxnet to illustrate their similar, yet unique, realities of cyber warfare.

Title: The Impact of Cybercrime on Businesses
URL: http://www.checkpoint.com/products/downloads/whitepapers/ponemon-cybercrime-2012.pdf
Source: Ponemon Institute
Date: May 2012
Pages: 21
Notes: The study found that targeted attacks on businesses cost enterprises an average of $214,000. The expenses are associated with forensic investigations, investments in technology, and brand recovery costs.

Title: Proactive Policy Measures by Internet Service Providers against Botnets
URL: http://www.oecd-ilibrary.org/science-and-technology/proactive-policy-measures-by-internet-service-providers-against-botnets_5k98tq42t18w-en
Source: Organisation for Economic Co-operation and Development
Date: May 7, 2012
Pages: 25
Notes: This report analyzes initiatives in a number of countries through which end-users are notified by ISPs when their computer is identified as being compromised by malicious software and encouraged to take action to mitigate the problem.

Title: Developing State Solutions to Business Identity Theft: Assistance, Prevention and Detection Efforts by Secretary of State Offices
URL: http://www.nass.org/index.php?option=com_docman&task=doc_download&gid=1257
Source: National Association of Secretaries of State
Date: January 2012
Pages: 23
Notes: This white paper is the result of efforts by the 19-member NASS Business Identity Theft Task Force to develop policy guidelines and recommendations for state leaders dealing with identity fraud cases involving public business records.

Title: A Cyberworm that Knows No Boundaries
URL: http://www.rand.org/content/dam/rand/pubs/occasional_papers/2011/RAND_OP342.pdf
Source: RAND
Date: December 21, 2011
Pages: 55
Notes: Stuxnet-like worms pose a serious threat even to infrastructure and computer systems that are not connected to the Internet. However, defending against such attacks is an increasingly complex prospect.

Title: Department of Defense Cyberspace Policy Report: A Report to Congress Pursuant to the National Defense Authorization Act for Fiscal Year 2011, Section 934
URL: http://www.defense.gov/home/features/2011/0411_cyberstrategy/docs/NDAA%20Section%20934%20Report_For%20webpage.pdf
Source: DOD
Date: November 15, 2011
Pages: 14
Notes: From the report: “When warranted, we will respond to hostile attacks in cyberspace as we would to any other threat to our country. We reserve the right to use all necessary means - diplomatic, informational, military and economic - to defend our nation, our allies, our partners and our interests.”

Title: W32.Duqu: The Precursor to the Next Stuxnet
URL: http://www.symantec.com/connect/w32_duqu_precursor_next_stuxnet
Source: Symantec
Date: October 24, 2011
Pages: N/A
Notes: On October 14, 2011, a research lab with strong international connections alerted Symantec to a sample that appeared to be very similar to Stuxnet, the malware which wreaked havoc in Iran’s nuclear centrifuge farms last summer. The lab named the threat “Duqu” because it creates files with the file name prefix “DQ”. The research lab provided Symantec with samples recovered from computer systems located in Europe, as well as a detailed report with their initial findings, including analysis comparing the threat to Stuxnet.

Title: Cyber War Will Not Take Place
URL: http://www.tandfonline.com/doi/abs/10.1080/01402390.2011.608939
Source: Journal of Strategic Studies
Date: October 5, 2011
Pages: 29
Notes: The paper argues that cyber warfare has never taken place, is not currently taking place, and is unlikely to take place in the future.

Title: Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines (CAG)
URL: http://www.sans.org/critical-security-controls/
Source: SANS
Date: October 3, 2011
Pages: 77
Notes: The 20 measures are intended to focus agencies’ limited resources on plugging the most common attack vectors.

Title: Revealed: Operation Shady RAT: an Investigation Of Targeted Intrusions Into 70+ Global Companies, Governments, and Non-Profit Organizations During the Last 5 Years
URL: http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf
Source: McAfee
Date: August 2, 2011
Pages: 14
Notes: A cyber-espionage operation lasting many years penetrated 72 government and other organizations, most of them in the United States, and has copied everything from military secrets to industrial designs, according to technology security company McAfee. See page 4 for the types of compromised parties, page 5 for the geographic distribution of victims’ country of origin, pages 7-9 for the types of victims, and pages 10-13 for the number of intrusions for 2007-2010.

Title: USCYBERCOM and Cyber Security: Is a Comprehensive Strategy Possible?
URL: http://handle.dtic.mil/100.2/ADA565051
Source: Army War College
Date: May 12, 2011
Pages: 32
Notes: Examines five aspects of USCYBERCOM: organization, command and control, computer network operations (CNO), synchronization, and resourcing. Identifies areas that currently present significant risk to USCYBERCOM’s ability to create a strategy that can achieve success in its cyberspace operations. Recommends potential solutions that can increase the effectiveness of the USCYBERCOM strategy.

Title: A Four-Day Dive Into Stuxnet’s Heart
URL: http://www.wired.com/threatlevel/2010/12/a-four-day-dive-into-stuxnets-heart/
Source: Threat Level Blog (Wired)
Date: December 27, 2010
Pages: N/A
Notes: From the article, “It is a mark of the extreme oddity of the Stuxnet computer worm that Microsoft’s Windows vulnerability team learned of it first from an obscure Belarusian security company that even they had never heard of.”

Title: Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant? Preliminary Assessment
URL: http://isis-online.org/isis-reports/detail/did-stuxnet-take-out-1000-centrifuges-at-the-natanz-enrichment-plant/
Source: Institute for Science and International Security
Date: December 22, 2010
Pages: 10
Notes: This report indicates that commands in the Stuxnet code intended to increase the frequency of devices targeted by the malware exactly match several frequencies at which rotors in centrifuges at Iran’s Natanz enrichment plant are designed to operate optimally or are at risk of breaking down and flying apart.

Title: The Role of Internet Service Providers in Botnet Mitigation: an Empirical Analysis Based on Spam Data
URL: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.165.2211&rep=rep1&type=pdf
Source: Organisation for Economic Co-operation and Development
Date: November 12, 2010
Pages: 68
Notes: This working paper considers whether ISPs can be critical control points for botnet mitigation, how the number of infected machines varies across ISPs, and why.

Title: Stuxnet Analysis
URL: http://www.enisa.europa.eu/media/press-releases/stuxnet-analysis
Source: European Network and Information Security Agency
Date: October 7, 2010
Pages: N/A
Notes: EU cybersecurity agency warns that the Stuxnet malware is a game changer for critical information infrastructure protection; PLC controllers of SCADA systems infected with the worm might be programmed to establish destructive over/under pressure conditions by running pumps at different frequencies.

Title: Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy
URL: http://www.nap.edu/catalog.php?record_id=12997#description
Source: National Research Council
Date: October 5, 2010
Pages: 400
Notes: Per request of the Office of the Director of National Intelligence, the National Research Council undertook a two-phase project aimed to foster a broad, multidisciplinary examination of strategies for deterring cyberattacks on the United States and of the possible utility of these strategies for the U.S. government.

Title: Untangling Attribution: Moving to Accountability in Cyberspace [Testimony]
URL: http://i.cfr.org/content/publications/attachments/Knake%20-Testimony%20071510.pdf
Source: Council on Foreign Relations
Date: July 15, 2010
Pages: 14
Notes: Robert K. Knake’s testimony before the House Committee on Science and Technology on the role of attack attribution in preventing cyberattacks and how attribution technologies can affect the anonymity and the privacy of Internet users.

Title: Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities
URL: http://www.nap.edu/catalog.php?record_id=12651&utm_medium=etmail&utm_source=National%20Academies%20Press&utm_campaign=NAP+mail+eblast+10.27.09+-+Cyberattack+Preorder+sp&utm_content=Downloader&utm_term=#description
Source: National Research Council
Date: January 1, 2009
Pages: 368
Notes: This report explores important characteristics of cyberattack. It describes the current international and domestic legal structure as it might apply to cyberattack, and considers analogies to other domains of conflict to develop relevant insights.

Note: Highlights compiled by CRS from the reports.

Table 10. Selected Reports: International Efforts
Columns: Title, Source, Date, Pages, Notes
Title: Confidence Building Measures and International Cybersecurity
URL: http://ict4peace.org/what-next-building-confidence-measures-for-the-cyberspace/
Source: ICT 4 Peace Foundation
Date: June 21, 2013
Pages: 21
Notes: Confidence building measures can serve to lay the foundation for agreeing on acceptable norms of behavior for states as well as confidence and trust building measures to avoid miscalculation and escalation. The report is divided into four main sections: (1) Transparency, Compliance, and Verification Measures; (2) Cooperative Measures; (3) Collaboration and Communication Mechanisms; and (4) Stability and Restraint Measures. A final section discusses next steps for diplomatic CBM processes.

Title: FACT SHEET: U.S.-Russian Cooperation on Information and Communications Technology Security
URL: http://www.whitehouse.gov/the-press-office/2013/06/17/fact-sheet-us-russian-cooperation-information-and-communications-technol
Source: White House
Date: June 17, 2013
Pages: N/A
Notes: The United States and the Russian Federation are creating a new working group, under the auspices of the Bilateral Presidential Commission, dedicated to assessing emerging ICT threats and proposing concrete joint measures to address them. This group will begin its practical activities within the next month.

Title: Proposal for a Directive of the European Parliament and of the Council on Attacks Against Information Systems
URL: http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-%2f%2fEP%2f%2fNONSGML%2bCOMPARL%2bPE-480.665%2b01%2bDOC%2bPDF%2bV0%2f%2fEN
Source: European Parliament Civil Liberties Committee
Date: June 6, 2013
Pages: 58
Notes: Cyber criminals will face tougher EU-wide penalties, under a draft directive agreed by MEPs, Council and Commission negotiators last year and endorsed by the Civil Liberties Committee. The compromise text is to be voted by the full House in July and be formally adopted by the Council shortly thereafter.

Title: Telecommunications Networks: Addressing Potential Security Risks of Foreign-Manufactured Equipment
URL: http://www.gao.gov/products/GAO-13-652T
Source: General Accountability Office
Date: May 21, 2013
Pages: 52
Notes: The federal government has begun efforts to address the security of the supply chain for commercial networks... There are a variety of other approaches for addressing the potential risks posed by foreign-manufactured equipment in commercial communications networks, including those approaches taken by foreign governments... While these approaches are intended to improve supply chain security of communications networks, they may also create the potential for trade barriers, additional costs, and constraints on competition, which the federal government would have to take into account if it chose to pursue such approaches.

Title: The Global Cyber Game: Achieving Strategic Resilience in the Global Knowledge Society
URL: http://www.da.mod.uk/publications/library/technology/20130508-Cyber_report_final_U.pdf/view
Source: Defence Academy of the United Kingdom
Date: May 8, 2013
Pages: 127
Notes: Provides a systematic way of thinking about cyberpower and its use by a range of global players. The global cyberpower contest is framed as a Global Cyber Game, played out on a 'Cyber Gameboard'—a framework that can be used for strategic and tactical thinking about cyber strategy.

Title: Defence White Paper 2013
URL: http://www.defence.gov.au/whitepaper2013/docs/WP_2013_web.pdf
Source: Australia Department of Defence
Date: May 3, 2013
Pages: 148
Notes: The Australian Cyber Security Centre will bring together security capabilities from the Defence Signals Directorate, Defence Intelligence Organisation, Australian Security Intelligence Organisation (ASIO), the Attorney-General’s Department’s Computer Emergency Response Team (CERT) Australia, Australian Federal Police (AFP) and the Australian Crime Commission (ACC).

Title: Remaking American Security: Supply Chain Vulnerabilities & National Security Risks Across the U.S. Defense Industrial Base
URL: http://americanmanufacturing.org/files/RemakingAmericanSecurityMay2013.pdf
Source: Alliance for American Manufacturing
Date: May 2013
Pages: 355
Notes: Because the supply chain is global, it makes sense for U.S. officials to cooperate with other nations to ward off cyberattacks. Increased international cooperation to secure the integrity of the global IT system is a valuable long-term objective.

Title: Cyber Security Information Partnership (CISP)
URL: https://www.gov.uk/government/news/government-launches-information-sharing-partnership-on-cyber-security
Source: Cabinet Office, United Kingdom
Date: March 27, 2013
Pages: N/A
Notes: CISP introduces a secure virtual ‘collaboration environment’ where government and industry partners can exchange information on threats and vulnerabilities in real time. The Cyber Security Information Sharing Partnership will be complemented by a ‘Fusion Cell,’ which will be supported on the government side by the Security Service, GCHQ and the National Crime Agency, and by industry analysts from a variety of sectors.

Title: The Tallinn Manual on the International Law Applicable to Cyber Warfare
URL: http://ccdcoe.org/249.html
Source: Cambridge University Press/ NATO Cooperative Cyber Defence Center of Excellence
Date: March 5, 2013
Pages: 282
Notes: The Tallinn Manual identifies the international law applicable to cyber warfare and sets out ninety-five ‘black-letter rules’ governing such conflicts. An extensive commentary accompanies each rule, which sets forth each rule’s basis in treaty and customary law, explains how the group of experts interpreted applicable norms in the cyber context, and outlines any disagreements within the group as to each rule’s application. (Note: The manual is not an official NATO publication, but an expression of opinions of a group of independent experts acting solely in their personal capacity.)

Title: Administration Strategy for Mitigating the Theft of U.S. Trade Secrets
URL: http://www.whitehouse.gov//sites/default/files/omb/IPEC/admin_strategy_on_mitigating_the_theft_of_u.s._trade_secrets.pdf
Source: White House
Date: February 20, 2013
Pages: 141
Notes: “First, we will increase our diplomatic engagement.... Second, we will support industry-led efforts to develop best practices to protect trade secrets and encourage companies to share with each other best practices that can mitigate the risk of trade secret theft.... Third, DOJ will continue to make the investigation and prosecution of trade secret theft by foreign competitors and foreign governments a top priority.... Fourth, President Obama recently signed two pieces of legislation that will improve enforcement against trade secret theft.... Lastly, we will increase public awareness of the threats and risks to the U.S. economy posed by trade secret theft.”

Title: APT1: Exposing One of China’s Cyber Espionage Units
URL: http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
Source: Mandiant
Date: February 19, 2013
Pages: 76
Notes: The details analyzed during hundreds of investigations signal that the groups conducting these activities (computer security breaches around the world) are based primarily in China and that the Chinese government is aware of them.

Title: Video demo of Chinese hacker activity
URL: http://intelreport.mandiant.com/
Source: Mandiant
Date: February 19, 2013
Pages: N/A
Notes: Video of APT1 attacker sessions and intrusion activities (5-minute video).

Title: Worldwide Threat Assessment of the U.S. Intelligence Community (Testimony)
URL: http://www.dni.gov/files/documents/Intelligence%20Reports/2013%20WWTA%20US%20IC%20SFR%20%20HPSCI%2011%20Apr%202013.pdf
URL: http://www.dni.gov/testimonies/20110210_testimony_clapper.pdf
Source: James Clapper, Director of National Intelligence
Date: February 11, 2013
Pages: 34
Notes: Clapper provided an assessment of global cybersecurity threats: U.S. critical infrastructure, eroding U.S. economic and national security, information control and Internet governance, and hacktivists and criminals.

Title: An Open, Safe and Secure Cyberspace
URL: http://ec.europa.eu/digital-agenda/en/news/eu-cybersecurity-plan-protect-open-internet-and-online-freedom-and-opportunity-cyber-security
Source: European Union
Date: February 7, 2013
Pages: 20
Notes: The strategy articulates the EU’s vision of cyber-security in terms of five priorities: achieving cyber resilience; drastically reducing cybercrime; developing cyber defence policy and capabilities related to the Common Security and Defence Policy (CSDP); developing the industrial and technological resources for cyber-security; establishing a coherent international cyberspace policy for the European Union and promoting core EU values.

Title: Linking Cybersecurity Policy and Performance
URL: http://blogs.technet.com/b/trustworthycomputing/archive/2013/02/06/linking-cybersecurity-policy-and-performance-microsoft-releases-special-edition-security-intelligence-report.aspx
Source: Microsoft Trustworthy Computing
Date: February 6, 2013
Pages: 27
Notes: Introduces a new methodology for examining how socio-economic factors in a country or region impact cybersecurity performance. Examines measures such as use of modern technology, mature processes, user education, law enforcement and public policies related to cyberspace. This methodology can build a model that will help predict the expected cybersecurity performance of a given country or region.

Title: The Chinese Defense Economy Takes Off: Sector-by-Sector Assessments and the Role of Military End-Users
URL: http://igcc.ucsd.edu/assets/001/504355.pdf
Source: UC Institute on Global Conflict and Cooperation
Date: January 25, 2013
Pages: 87
Notes: This collection of 15 policy briefs explores how China has made such impressive military technological progress over the past few years, what is in store, and what are the international security implications. The briefs are summaries of a series of longer research papers presented at the third annual Chinese defense economy conference held by the Study of Innovation and Technology in China in July 2012.

Title: Defence and Cyber-Security, vol. 1 - Report, together with formal minutes, oral and written evidence
URL: http://www.publications.parliament.uk/pa/cm201213/cmselect/cmdfence/106/106.pdf
Title: Defence and Cyber-Security, vol. 2 - Additional Written Evidence
URL: http://www.publications.parliament.uk/pa/cm201213/cmselect/cmdfence/106/106vw.pdf
Source: House of Commons Defence Committee (UK)
Date: December 18, 2012
Pages: 51 (vol. 1), 37 (vol. 2)
Notes: Given the inevitable inadequacy of the measures available to protect against a constantly changing and evolving threat, and given the Minister for the Cabinet Office’s comment, it is not enough for the Armed Forces to do their best to prevent an effective attack. In its response to this report the Government should set out details of the contingency plans it has in place should such an attack occur. If it has none, it should say so—and urgently create some.

Title: The Challenge of Cyber Power for Central African Countries: Risks and Opportunities
URL: http://handle.dtic.mil/100.2/ADA576285
Source: Naval Postgraduate School
Date: December 2012
Pages: 209
Notes: “The Central African militaries, which are supposed to be the first line of defense for their governments' institutions, are dramatically behind the times. To address this situation, the governments of Central Africa need to adopt a collaborative cyber strategy based on common investment in secure cyber infrastructures. Such cooperation will help to create a strong cyber environment conducive of the confidence and trust necessary for the emergence of a cyber community of Central African States (C3AS). For Central African militaries, massive training and recruiting will be the first move to begin the process of catching up.”

Title: Cybersecurity: Managing risks for greater opportunities
URL: http://oecdinsights.org/2012/11/29/cybersecurity-managing-risks-for-greater-opportunities/
Source: Organization for Economic Co-operation and Development
Date: November 29, 2012
Pages: N/A
Notes: The OECD launched a broad consultation of all stakeholders from member and non-member countries to review its Security Guidelines. The review will take into account newly emerging risks, technologies and policy trends around such areas as cloud computing, digital mobility, the Internet of things, social networking, etc.

Title: Cybersecurity Policy Making at a Turning Point: Analysing a New Generation of National Cybersecurity Strategies for the Internet Economy
URL: http://www.oecd.org/sti/ieconomy/cybersecurity%20policy%20making.pdf
Source: Organization for Economic Co-operation and Development
Date: November 16, 2012
Pages: 57
Notes: This report analyses the latest generation of national cybersecurity strategies in ten OECD countries and identifies commonalities and differences.

Title: 2012 Report to Congress of the U.S.-China Economic and Security Review Commission, One Hundred Twelfth Congress, Second Session, November 2012
URL: https://www.hsdl.org/?view&did=725530
Source: U.S.-China Economic and Security Review Commission
Date: November 2012
Pages: 509
Notes: This report responds to the mandate for the Commission ‘to monitor, investigate, and report to Congress on the national security implications of the bilateral trade and economic relationship between the United States and the People’s Republic of China.’ See “China’s Cyber Activities,” Chapter 2, Section 2, pp. 147-169.

Title: Australia: Telecommunications data retention—an overview
URL: http://parlinfo.aph.gov.au/parlInfo/download/library/prspub/1998792/upload_binary/1998792.pdf
Source: Parliamentary Library of Australia
Date: October 24, 2012
Pages: 32
Notes: In July 2012, the Commonwealth Attorney-General’s Department released a Discussion Paper, Equipping Australia against emerging and evolving threats, on the proposed national security reforms.... Of the 18 primary proposals and the 41 individual reforms that they comprise, the suggestion that carriage service providers (CSPs) be required to routinely retain certain information associated with every Australian’s use of the Internet and phone services for a period of up to two years (‘data retention’) is the issue that seems to have attracted the most attention.

Title: More Than Meets the Eye: Clandestine Funding, Cutting-Edge Technology and China’s Cyber Research & Development Program
URL: http://www.osti.gov/bridge/servlets/purl/1055833/
Source: Lawrence Livermore National Laboratory
Date: October 23, 2012
Pages: 17
Notes: Analyzes how the Chinese leadership views information technology research and development (R&D), as well as the role cyber R&D plays in China’s various strategic development plans. Explores the organizational structure of China’s cyber R&D base. Concludes with a projection of how China might field new cyber capabilities for intelligence platforms, advanced weapons systems, and systems designed to support asymmetric warfare operations.

Title: Investigative Report on the U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE
URL: http://intelligence.house.gov/press-release/investigative-report-us-national-security-issues-posed-chinese-telecommunications
Source: House Permanent Select Committee on Intelligence
Date: October 8, 2012
Pages: 60
Notes: The committee initiated this investigation in November 2011 to inquire into the counterintelligence and security threat posed by Chinese telecommunications companies doing business in the United States.

Title: Manual on International Law Applicable to Cyber Warfare (“The Tallinn Manual”)
URL: http://www.ccdcoe.org/249.html
Source: NATO Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia
Date: August 2012
Pages: N/A
Notes: The Tallinn Manual is a nonbinding yet authoritative restatement of the law of armed conflict as it relates to cyberwar. It offers attackers, defenders, and legal experts guidance on how cyberattacks can be classified as actions covered under the law, such as armed attacks.

Title: Bilateral Discussions on Cooperation in Cybersecurity
URL: http://www.cicir.ac.cn/chinese/newsView.aspx?nid=3878
Source: China Institute of Contemporary International Relations and the Center for Strategic and International Studies (CSIS)
Date: June 2012
Pages: N/A
Notes: (Scroll down for English). Since 2009, CSIS and CICIR have held six formal meetings on cybersecurity (accompanied by several informal discussions), called “Sino-U.S. Cybersecurity Dialogue.” The meetings have been attended by a broad range of U.S. and Chinese officials and scholars responsible for cybersecurity issues. The goals of the discussions have been to reduce misperceptions and to increase transparency of both countries’ authorities and understanding on how each country approaches cybersecurity, and to identify areas of potential cooperation.

Title: Five Years after Estonia’s Cyber Attacks: Lessons Learned for NATO?
URL: http://www.ndc.nato.int/download/downloads.php?icode=334
Source: NATO
Date: May 2012
Pages: 8
Notes: In April 2007 a series of cyberattacks targeted Estonian information systems and telecommunication networks. Lasting 22 days, the attacks were directed at a range of servers (web, e-mail, DNS) and routers. The 2007 attacks did not damage much of the Estonian information technology infrastructure. However, the attacks were a true wake-up call for NATO, offering a practical demonstration that cyberattacks could now cripple an entire nation dependent on IT networks.

Title: Cyber-security: The Vexed Question of Global Rules: An Independent Report on Cyber-Preparedness Around the World
URL: http://www.mcafee.com/us/resources/reports/rp-sda-cyber-security.pdf?cid=WBB048
Source: McAfee
Date: February 1, 2012
Pages: 108
Notes: Forty-five percent of legislators and cybersecurity experts representing 27 countries think cybersecurity is just as important as border security. The authors surveyed 80 professionals from business, academia and government to gauge worldwide opinions of cybersecurity.

Title: Cyber Power Index
URL: http://www.cyberhub.com/CyberPowerIndex
Source: Booz Allen Hamilton and the Economist Intelligence Unit
Date: January 15, 2012
Pages: N/A
Notes: The index of developing countries’ ability to withstand cyberattacks and build strong digital economies rates the countries on their legal and regulatory frameworks; economic and social issues; technology infrastructure; and industry. The index puts the United States in the No. 2 spot, and the UK in No. 1.

Title: Foreign Spies Stealing US Economic Secrets in Cyberspace
URL: http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf
Source: Office of the National Counterintelligence Executive
Date: November 3, 2011
Pages: 31
Notes: According to the report, espionage and theft through cyberspace are growing threats to the United States’ security and economic prosperity, and the world’s most persistent perpetrators happen to also be U.S. allies.

Title: The UK Cyber Security Strategy: Protecting and promoting the UK in a digital world
URL: http://www.cabinetoffice.gov.uk/sites/default/files/resources/uk-cyber-security-strategy-final.pdf
Source: Cabinet Office (United Kingdom)
Date: November 2011
Pages: 43
Notes: Chapter 1 describes the background to the growth of the networked world and the immense social and economic benefits it is unlocking. Chapter 2 describes these threats. The impacts are already being felt and will grow as our reliance on cyberspace grows. Chapter 3 sets out where we want to end up—with the government’s vision for UK cyber security in 2015.

Title: Cyber Dawn: Libya
URL: http://www.unveillance.com/wp-content/uploads/2011/05/Project_Cyber_Dawn_Public.pdf
Source: Cyber Security Forum Initiative
Date: May 9, 2011
Pages: 70
Notes: Project Cyber Dawn: Libya uses open source material to provide an in-depth view of Libyan cyberwarfare capabilities and defenses.

Title: China’s Cyber Power and America’s National Security
URL: http://www.dtic.mil/dtic/tr/fulltext/u2/a552990.pdf
Source: U.S. Army War College, Strategy Research Project
Date: March 24, 2011
Pages: 86
Notes: This report examines the growth of Chinese cyber power; their known and demonstrated capabilities for offensive, defensive and exploitive computer network operations; China’s national security objectives; and the possible application of Chinese cyber power in support of those objectives.

Title: Working Towards Rules for Governing Cyber Conflict: Rendering the Geneva and Hague Conventions in Cyberspace
URL: http://vialardi.org/nastrazzuro/pdf/US-Russia.pdf
Source: EastWest Institute
Date: February 3, 2011
Pages: 60
Notes: [The authors] led the cyber and traditional security experts through a point-by-point analysis of the Geneva and Hague Conventions. Ultimately, the group made five immediate recommendations for Russian and U.S.-led joint assessments, each exploring how to apply a key convention principle to cyberspace.

Title: The Reliability of Global Undersea Communications Cable Infrastructure (The Rogucci Report)
URL: http://www.ieee-rogucci.org/files/The%20ROGUCCI%20Report.pdf
Source: IEEE/EastWest Institute
Date: May 26, 2010
Pages: 186
Notes: This study submits 12 major recommendations to the private sector, governments and other stakeholders—especially the financial sector—for the purpose of improving the reliability, robustness, resilience, and security of the world’s undersea communications cable infrastructure.

Title: ITU Toolkit for Cybercrime Legislation
URL: http://www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-toolkit-cybercrime-legislation.pdf
Source: International Telecommunications Union
Date: February 2010
Pages: N/A
Notes: This document aims to provide countries with sample legislative language and reference material that can assist in the establishment of harmonized cybercrime laws and procedural rules.

Note: Highlights compiled by CRS from the reports.

Table 11. Selected Reports: Education/Training/Workforce
Columns: Title, Source, Date, Pages, Notes
Title: DHS Is Generally Filling Mission-Critical Positions, but Could Better Track Costs of Coordinated Recruiting Efforts
URL: http://gao.gov/products/GAO-13-742
Source: GAO
Date: September 17, 2013
Pages: 47
Notes: More than one in five jobs at a key cybersecurity component within the Homeland Security Department are vacant, in large part due to steep competition in recruiting and hiring qualified personnel. National Protection and Programs Directorate (NPPD) officials cited challenges in recruiting cyber professionals because of the length of time taken to conduct security checks to grant top-secret security clearances as well as low pay in comparison with the private sector.

Title: Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making
URL: http://www.nap.edu/catalog.php?record_id=18446
Source: National Academies Press
Date: September 16, 2013
Pages: 66
Notes: This report examines workforce requirements for cybersecurity and the segments and job functions in which professionalization is most needed; the role of assessment tools, certification, licensing, and other means for assessing and enhancing professionalization; and emerging approaches, such as performance-based measures. It also examines requirements for the federal (military and civilian) workforce, the private sector, and state and local government.

Title: Joint Professional Military Education Institutions in an Age of Cyber Threat
URL: http://pellcenter.salvereginablogs.com/files/2013/08/JPME-Cyber-Leaders-Final.pdf
Source: Pell Center
Date: August 2013
Pages:
Notes: The report found that the Joint Professional Military Education at the six U.S. military graduate schools—a requirement for becoming a Joint Staff Officer and for promotion to the senior ranks—has not effectively incorporated cybersecurity into specific courses, conferences, war gaming exercises, or other forms of training for military officers. Although these graduate programs are more advanced on cybersecurity than most American civilian universities, a preparation gap still exists.
Pay Under the General Schedule and Recruitment,
Office of Personnel
August 14, 2013
6
OPM outlined changes to the way agencies evaluate and
Relocation, and Retention Incentives
Management
award recruitment, retention and relocation (3R)
http://www.gpo.gov/fdsys/pkg/FR-2013-08-14/pdf/2013-
(OPM)
bonuses—changes that could affect how agencies hire
19641.pdf
and keep employees with essential technology skills. The
new rules take effect September 13.

Title: U.S.A. Cyber Warrior Scholarship Program
URL: https://www.isc2cares.org/USA-Cyber-Warrior-Scholarship/default.aspx
Source: (ISC)2 Foundation and Booz Allen Hamilton
Date: June 21, 2013
Notes: The (ISC)2 Foundation and Booz Allen Hamilton announced the launch of the U.S.A. Cyber Warrior Scholarship program, which will provide scholarships to veterans to obtain specialized certifications in the cybersecurity field. The scholarships will cover all of the expenses associated with a certification, such as training, textbooks, mobile study materials, certification testing, and the first year of certification maintenance fees.

Title: Global Information Security Workforce Study
URL: https://www.isc2.org/workforcestudy/default.aspx
Source: (ISC)2 and Frost & Sullivan
Date: May 7, 2013
Pages: 28
Notes: Federal cyber workers earn an average salary of $106,430, quite a bit less than the average private-sector salary of $111,376. The lag in federal salaries is likely due to federal budget restraints and nearly three years of a continuing resolution.

Title: NCCoE Celebrates National Cybersecurity Excellence Partnerships
URL: http://csrc.nist.gov/nccoe/The-Center/News/News.html
Source: NIST National Cybersecurity Center of Excellence
Date: April 15, 2013
Pages: N/A
Notes: Eleven private organizations agreed to partner with the National Institute of Standards and Technology to share cybersecurity staff and best practices to help better combat cyber threats.

Title: 2012 Information Technology Workforce Assessment for Cybersecurity
URL: https://cio.gov/wp-content/uploads/downloads/2013/04/ITWAC-Summary-Report_04-01-2013.pdf
Source: U.S. Department of Homeland Security
Date: April 3, 2013
Pages: 131
Notes: The report, which is based on an anonymous survey of nearly 23,000 cyber workers across 52 departments and agencies, found that while the majority (49%) of cyber feds has more than 10 years of service until they reach retirement eligibility, nearly 33% will be eligible to retire in the next three years.

Title: National Initiative for Cybersecurity Careers and Studies (NICCS)
URL: http://niccs.us-cert.gov/
Source: U.S. Department of Homeland Security
Date: February 21, 2013
Pages: N/A
Notes: NICCS is an online resource for cybersecurity career, education, and training information. It is a partnership between DHS, the National Institute of Standards and Technology, the Office of the Director of National Intelligence, the Department of Defense, the Department of Education, the National Science Foundation, and the Office of Personnel Management.

Title: Michigan Cyber Range
URL: http://www.merit.edu/cyberrange/
Source: Partnership between the state of Michigan, Merit Network, federal and local governments, colleges and universities, and the private sector
Date: November 12, 2012
Pages: N/A
Notes: Enables individuals and organizations to develop detection and reaction skills through simulations and exercises.

Title: CyberSkills Task Force Report
URL: https://www.hsdl.org/hslog/?q=node/7934
Source: U.S. Department of Homeland Security
Date: October 1, 2012
Pages: 41
Notes: DHS’s Task Force on CyberSkills proposes far-reaching improvements to enable DHS to recruit and retain the cybersecurity talent it needs.

Title: Cyber Security Test Bed: Summary and Evaluation Results
URL: http://sites.duke.edu/ihss/files/2011/12/Cyber-Security-Test-Bed_Final-Report_Rowe.pdf
Source: Institute for Homeland Security Solutions
Date: October 2012
Pages: 89
Notes: The Cyber Test Bed project was a case study analysis of how a set of interventions, including threat analysis, best practices sharing, and executive and staff training events, over the course of one year, would impact a group of nine small and mid-size businesses in North Carolina. Pre- and post-Test Bed interviews were conducted with company officials to establish a baseline and evaluate the impact of the Test Bed experience. After the Cyber Test Bed experience, decision makers at these companies indicated an increase in their perceptions of the risk of cyberattacks and an increase in their knowledge of possible solutions.

Title: Information Assurance Scholarship Program
URL: http://www.doncio.navy.mil/ContentView.aspx?id=535
Source: U.S. Navy
Date: August 28, 2012
Pages: N/A
Notes: The Information Assurance Scholarship Program is designed to increase the number of qualified personnel entering the information assurance and information technology fields within the department, Defense officials said last week. The scholarships also are an attempt to effectively retain military and civilian cybersecurity and IT personnel.

Title: Preparing the Pipeline: The U.S. Cyber Workforce for the Future
URL: http://handle.dtic.mil/100.2/ADA577318
Source: National Defense University
Date: August 2012
Pages: 17
Notes: This paper addresses methods to close the gaps between demand and the current existing capabilities and capacity in the U.S. cyber workforce. A large number of professionals with not only technical skills, but also an understanding of cyber policy, law, and other disciplines will be needed to ensure the continued success of the U.S. economy, government, and society in the 21st-century information age. Innovative methods have been developed by the government, think tanks, and private sector for closing these gaps, but more needs to be done.

Title: Smart Grid Cybersecurity: Job Performance Model Report
URL: http://www.pnl.gov/main/publications/external/technical_reports/PNNL-21639.pdf
Source: Pacific Northwest National Laboratory
Date: August 1, 2012
Pages: 178
Notes: This report outlines the work done to develop a smart grid cybersecurity certification. The primary purpose is to develop a measurement model that may be used to guide curriculum, assessments, and other development of technical and operational smart grid cybersecurity knowledge, skills, and abilities.

Title: National Centers of Academic Excellence (CAE) in Cyber Operations Program
URL: http://www.nsa.gov/academia/nat_cae_cyber_ops/index.shtml
Source: National Security Agency (NSA)
Date: May 29, 2012
Pages: N/A
Notes: The NSA has launched National Centers of Academic Excellence (CAE) in Cyber Operations Program; the program is intended to be a deeply technical, inter-disciplinary, higher education program grounded in the computer science (CS), computer engineering (CE), or electrical engineering (EE) disciplines, with extensive opportunities for hands-on applications via labs and exercises.

Title: Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination
URL: http://www.gao.gov/products/GAO-12-8
Source: Government Accountability Office (GAO)
Date: November 29, 2011
Pages: 86
Notes: To ensure that government-wide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the NICE initiative to develop and finalize detailed plans allowing agency accountability, measurement of progress, and determination of resources to accomplish agreed-upon activities.

Title: NICE Cybersecurity Workforce Framework
URL: http://www.nist.gov/manuscript-publication-search.cfm?pub_id=909505
Source: National Initiative for Cybersecurity Education (NICE)
Date: November 21, 2011
Pages: 35
Notes: The adoption of cloud computing into the federal government and its implementation depend upon a variety of technical and non-technical factors. A fundamental reference point, based on the NIST definition of cloud computing, is needed to describe an overall framework that can be used government-wide. This document presents the NIST Cloud Computing Reference Architecture (RA) and Taxonomy (Tax) that will accurately communicate the components and offerings of cloud computing.

Title: 2011 State of Cyberethics, Cybersafety and Cybersecurity Curriculum in the U.S. Survey
URL: http://www.staysafeonline.org/sites/default/files/resource_documents/2011%20National%20K-12%20Study%20Final_0.pdf
Source: National Cyber Security Alliance and Microsoft
Date: May 13, 2011
Pages: 16
Notes: This year’s survey further explores the perceptions and practices of U.S. teachers, school administrators and technology coordinators in regards to cyberethics, cybersafety, and cybersecurity education. This year's survey finds that young people still are not receiving adequate training and that teachers are ill-prepared to teach the subjects due, in large part, to lack of professional development.

Title: Cyber Operations Personnel Report (DOD)
URL: http://www.nsci-va.org/CyberReferenceLib/2011-04-Cyber%20Ops%20Personnel.pdf
Source: Department of Defense
Date: April 2011
Pages: 84
Notes: This report is focused on FY09 Department of Defense Cyber Operations personnel, with duties and responsibilities as defined in Section 934 of the Fiscal Year (FY) 2010 National Defense Authorization Act (NDAA).
Appendix A—Cyber Operations-related Military Occupations
Appendix B—Commercial Certifications Supporting the DoD Information Assurance Workforce Improvement Program
Appendix C—Military Services Training and Development
Appendix D—Geographic Location of National Centers of Academic Excellence in Information Assurance

Title: Design of the DETER Security Testbed
URL: http://www.isi.edu/deter/news/news.php?story=20
Source: University of Southern California (USC) Information Sciences Institute, University of California Berkeley (UCB), McAfee Research
Date: January 13, 2011
Pages: N/A
Notes: The Department of Homeland Security (DHS) will invest $16 million over the next five years to expand a cybersecurity testbed at the University of Southern California (USC). The Deterlab testbed provides an isolated 400-node mini-Internet, in which researchers can investigate malware and other security threats without danger of infecting the real Internet. It also supports classroom exercises in computer security for nearly 400 students at 10 universities and colleges.

Title: The Power of People: Building an Integrated National Security Professional System for the 21st Century
URL: http://www.pnsr.org/data/images/pnsr_the_power_of_people_report.pdf
Source: Project on National Security Reform (PNSR)
Date: November 2010
Pages: 326
Notes: This study was conducted in fulfillment of Section 1054 of the National Defense Authorization Act for Fiscal Year 2010, which required the commissioning of a study by “an appropriate independent, nonprofit organization, of a system for career development and management of interagency national security professionals.”
Note: Highlights compiled by CRS from the reports.

Table 12. Selected Reports: Research & Development (R&D)
Title Source
Date
Pages
Notes
Title: Cyber Grand Challenge for automated network security-correcting systems
URL: http://www.darpa.mil/NewsEvents/Releases/2013/10/22.aspx
Source: Defense Advanced Research Projects Agency (DARPA)
Date: October 23, 2013
Pages: N/A
Notes: DARPA intends to hold the Cyber Grand Challenge (CGC)—the first-ever tournament for fully automatic network defense systems. The challenge will see teams creating automated systems that would compete against each other to evaluate software, test for vulnerabilities, generate security patches, and apply them to protected computers on a network. The winning team in the CGC finals would receive a cash prize of $2 million, with second place earning $1 million, and third place taking home $750,000.

Title: Cybersecurity Exercise: Quantum Dawn 2
URL: http://www.sifma.org/services/bcp/cybersecurity-exercise—quantum-dawn-2/
Source: SIFMA
Date: June 28, 2013
Pages: N/A
Notes: Quantum Dawn 2 is a cybersecurity exercise to test incident response, resolution and coordination processes for the financial services sector and the individual member firms to a street-wide cyberattack.

Title: Proposed Establishment of a Federally Funded Research and Development Center—Second Notice
URL: http://www.gpo.gov/fdsys/pkg/FR-2013-06-21/pdf/2013-14897.pdf
Source: National Institute of Standards and Technology
Date: June 21, 2013
Pages: 3
Notes: NIST intends to sponsor a Federally Funded Research and Development Center (FFRDC) to facilitate public-private collaboration for accelerating the widespread adoption of integrated cybersecurity tools and technologies. This is the second of three notices that must be published over a 90-day period to advise the public of the agency’s intention to sponsor an FFRDC.

Title: Open Trusted Technology Provider Standard (O-TTPS)™, Version 1.0: Mitigating Maliciously Tainted and Counterfeit Products
URL: https://www2.opengroup.org/ogsys/catalog/C139
Source: The Open Group
Date: April 18, 2013
Pages: 44
Notes: Specifically intended to prevent maliciously tainted and counterfeit products from entering the supply chain, this first release of the O-TTPS codifies best practices across the entire COTS ICT product lifecycle, including the design, sourcing, build, fulfillment, distribution, sustainment, and disposal phases. The O-TTPS will enable organizations to implement best practice requirements and allow all providers, component suppliers, and integrators to obtain Trusted Technology Provider status. (Registration required).

Title: Governor McDonnell Announces Creation of MACH37, America's Premier Market-Centric Cyber Security Accelerator
URL: http://www.commerce.virginia.gov/News/viewRelease.cfm?id=1761
Source: Virginia Secretary of Commerce and Trade
Date: April 11, 2013
Pages: N/A
Notes: Virginia Governor Bob McDonnell announced the creation of MACH37, America's premier market-centric cyber security accelerator to be located at the Center for Innovative Technology. Initially funded by the Commonwealth of Virginia, the accelerator will leverage private investments to launch new, high growth cyber technology companies in Virginia.

Title: The International Cyber-Security Ecosystem (video lecture)
URL: http://smartech.gatech.edu/handle/1853/45450
Source: Anthony M. Rutkowski, Distinguished Senior Research Fellow at the Georgia Institute of Technology, Nunn School Center for International Strategy Technology and Policy (CISTP)
Date: November 6, 2012
Pages: N/A
Notes: Overview of the various forums/communities and methodologies that comprise the security assurance ecosystem—often also referred to as the Information Assurance.

Title: 20 Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines - version 4.0
URL: http://www.sans.org/critical-security-controls/
Source: Center for Strategic & International Studies
Date: November 2012
Pages: 89
Notes: The Top 20 security controls were agreed upon by a consortium. Members of the Consortium include NSA, US CERT, DOD JTF-GNO, the Department of Energy Nuclear Laboratories, Department of State, DOD Cyber Crime Center plus commercial forensics experts in the banking and critical infrastructure communities.

Title: National Cybersecurity Center of Excellence
URL: http://csrc.nist.gov/nccoe/
Source: National Institute of Standards and Technology (NIST)
Date: June 29, 2012
Pages: N/A
Notes: The National Cybersecurity Center of Excellence (NCCoE) is a new public-private collaboration to bring together experts from industry, government and academia to design, implement, test, and demonstrate integrated cybersecurity solutions and promote their widespread adoption.

Title: Information Security Risk Taking
URL: http://www.nsf.gov/awardsearch/showAward.do?AwardNumber=1127185
Source: National Science Foundation (NSF)
Date: January 17, 2012
Pages: N/A
Notes: The NSF is funding research on giving organizations information-security risk ratings, similar to credit ratings for individuals.

Title: Anomaly Detection at Multiple Scales (ADAMS)
URL: http://info.publicintelligence.net/DARPA-ADAMS.pdf
Source: Defense Advanced Research Projects Agency (DARPA)
Date: November 9, 2011
Pages: 74
Notes: The design document was produced by Allure Security and sponsored by the Defense Advanced Research Projects Agency (DARPA). It describes a system for preventing leaks by seeding believable disinformation in military information systems to help identify individuals attempting to access and disseminate classified information.

Title: At the Forefront of Cyber Security Research
URL: http://www.livescience.com/15423-forefront-cyber-security-research-nsf-bts.html
Source: NSF
Date: August 11, 2011
Pages: N/A
Notes: TRUST is a university and industry consortium that examines cyber security issues related to health care, national infrastructures, law and other issues facing the general public.

Title: Designing A Digital Future: Federally Funded Research And Development In Networking And Information Technology
URL: http://www.whitehouse.gov/sites/default/files/microsites/ostp/pcast-nitrd-report-2010.pdf
Source: White House
Date: December 16, 2010
Pages: 148
Notes: The President’s Council of Advisors on Science and Technology (PCAST) has made several recommendations in a report about the state of the government’s Networking and Information Technology Research and Development (NITRD) Program.

Title: Partnership for Cybersecurity Innovation
URL: http://www.whitehouse.gov/blog/2010/12/06/partnership-cybersecurity-innovation
Source: White House Office of Science and Technology Policy
Date: December 6, 2010
Pages: 10
Notes: The Obama Administration released a Memorandum of Understanding signed by the National Institute of Standards and Technology (NIST) of the Department of Commerce, the Science and Technology Directorate of the Department of Homeland Security (DHS/S&T), and the Financial Services Sector Coordinating Council (FSSCC). The goal of the agreement is to speed the commercialization of cybersecurity research innovations that support our nation’s critical infrastructures.

Title: Science of Cyber-Security
URL: http://www.fas.org/irp/agency/dod/jason/cyber.pdf
Source: Mitre Corp (JASON Program Office)
Date: November 2010
Pages: 86
Notes: JASON was requested by DOD to examine the theory and practice of cyber-security, and evaluate whether there are underlying fundamental principles that would make it possible to adopt a more scientific approach, identify what is needed in creating a science of cyber-security, and recommend specific ways in which scientific methods can be applied.

Title: American Security Challenge
URL: http://www.americansecuritychallenge.com/
Source: National Security Initiative
Date: October 18, 2010
Pages: N/A
Notes: The objective of the Challenge is to increase the visibility of innovative technology and help the commercialization process so that such technology can reach either the public or commercial marketplace faster to protect our citizens and critical assets.
Note: Highlights compiled by CRS from the reports.

Related Resources: Other Websites
This section contains other cybersecurity resources, including U.S. government, international, news sources, and other associations and
institutions.
Table 13. Related Resources: Congressional/Government
Name Source
Notes
Name: Integrated Intelligence Center
URL: http://www.cisecurity.org/#
Source: Center for Internet Security
Notes: A new unit at the Center for Internet Security is focused on merging cyber and physical security to aid governments in dealing with emerging threats.

Name: Computer Security Resource Center
URL: http://csrc.nist.gov/
Source: National Institute of Standards and Technology (NIST)
Notes: Links to NIST resources, publications, and computer security groups.

Name: Congressional Cybersecurity Caucus
URL: http://cybercaucus.langevin.house.gov/
Source: Led by Representatives Jim Langevin and Mike McCaul.
Notes: Provides statistics, news on congressional cyberspace actions, and links to other informational websites.

Name: Cybersecurity and Trustworthiness Projects and Reports
URL: http://sites.nationalacademies.org/CSTB/CSTB_059144
Source: Computer Science and Telecommunications Board, National Academy of Sciences
Notes: A list of independent and informed reports on cybersecurity and public policy.

Name: Cybersecurity
URL: http://www.whitehouse.gov/cybersecurity
Source: White House National Security Council
Notes: Links to White House policy statements, key documents, videos, and blog posts.

Name: Cybersecurity
URL: http://www.ntia.doc.gov/category/cybersecurity
Source: National Telecommunications & Information Administration (U.S. Department of Commerce)
Notes: The Department of Commerce’s Internet Policy Task Force is conducting a comprehensive review of the nexus between cybersecurity challenges in the commercial sector and innovation in the Internet economy.

Name: Cybersecurity and Information System Trustworthiness
URL: http://sites.nationalacademies.org/CSTB/CSTB_045327#Cybersecurity
Source: National Academy of Sciences, Computer Science and Telecommunications Board
Notes: A list of independent and informed reports on cybersecurity and public policy.

Name: President’s National Security Telecommunications Advisory Committee (NSTAC)
URL: http://www.dhs.gov/nstac
Source: U.S. Department of Homeland Security
Notes: For over 30 years, the NSTAC has brought together up to 30 industry chief executives from major telecommunications companies, network service providers, information technology, finance, and aerospace companies. The NSTAC’s goal is to develop recommendations to the President to assure vital telecommunications links through any event or crisis and to help the U.S. government maintain a reliable, secure, and resilient national communications posture.

Name: Office of Cybersecurity and Communications (CS&C)
URL: http://www.dhs.gov/xabout/structure/gc_1185202475883.shtm
Source: U.S. Department of Homeland Security
Notes: As the sector-specific agency for the communications and IT sectors, CS&C coordinates national level reporting that is consistent with the National Response Framework (NRF).

Name: U.S. Cyber Command
URL: http://www.defense.gov/home/features/2010/0410_cybersec/
Source: U.S. Department of Defense
Notes: Links to press releases, fact sheets, speeches, announcements, and videos.

Name: U.S. Cyber-Consequences Unit
URL: http://www.usccu.us/
Source: U.S. Cyber-Consequences Unit (U.S.-CCU)
Notes: U.S.-CCU, a nonprofit 501c(3) research institute, provides assessments of the strategic and economic consequences of possible cyber-attacks and cyber-assisted physical attacks. It also investigates the likelihood of such attacks and examines the cost-effectiveness of possible counter-measures.
Note: Highlights compiled by CRS from the reports.

Table 14. Related Resources: International Organizations
Name Source Notes
Name: Australian Internet Security Initiative
URL: http://www.acma.gov.au/WEB/STANDARD/pc=PC_310317
Source: Australian Communications and Media Authority
Notes: The Australian Internet Security Initiative (AISI) is an antibotnet initiative that collects data on botnets in collaboration with Internet Service Providers (ISPs), and two industry codes of practice.

Name: Cybercrime
URL: http://www.coe.int/t/DGHL/cooperation/economiccrime/cybercrime/default_en.asp
Source: Council of Europe
Notes: Links to the Convention on Cybercrime treaty, standards, news, and related information.

Name: Cybersecurity Gateway
URL: http://groups.itu.int/Default.aspx?alias=groups.itu.int/cybersecurity-gateway
Source: International Telecommunications Union (ITU)
Notes: ITU’s Global Cybersecurity Agenda (GCA) is the framework for international cooperation with the objective of building synergies and engaging all relevant stakeholders in our collective efforts to build a more secure and safer information society for all.

Name: Cybercrime Legislation - Country Profiles
URL: http://www.coe.int/t/dg1/legalcooperation/economiccrime/cybercrime/Documents/CountryProfiles/default_en.asp
Source: Council of Europe
Notes: These profiles have been prepared within the framework of the Council of Europe’s Project on Cybercrime in view of sharing information on cybercrime legislation and assessing the current state of implementation of the Convention on Cybercrime under national legislation.

Name: ENISA: Securing Europe’s Information Society
URL: http://www.enisa.europa.eu/
Source: European Network and Information Security Agency (ENISA)
Notes: ENISA informs businesses and citizens in the European Union on cybersecurity threats, vulnerabilities, and attacks. (Requires free registration to access.)

Name: German Anti-Botnet Initiative
URL: http://www.oecd.org/dataoecd/42/50/45509383.pdf (English-language summary)
Source: Organisation for Economic Co-operation and Development (OECD)
Notes: This is a private industry initiative which aims to ensure that customers whose personal computers have become part of a botnet without them being aware of it are informed by their Internet Service Providers about this situation and at the same time are given competent support in removing the malware.

Name: International Cyber Security Protection Alliance (ICSPA)
URL: https://www.icspa.org/about-us/
Source: International Cyber Security Protection Alliance (ICSPA)
Notes: A global not-for-profit organization that aims to channel funding, expertise, and help directly to law enforcement cyber-crime units around the world.

Name: NATO Cooperative Cyber Defence Centre of Excellence (CCD COE)
URL: http://www.ccdcoe.org/
Source: North Atlantic Treaty Organization (NATO)
Notes: The Center is an international effort that currently includes Estonia, Latvia, Lithuania, Germany, Hungary, Italy, the Slovak Republic, and Spain as sponsoring nations, to enhance NATO’s cyber-defence capability.
Note: Highlights compiled by CRS from the reports.

Table 15. Related Resources: News
Name Source
Name: Computer Security (Cybersecurity)
Source: New York Times
URL: http://topics.nytimes.com/top/reference/timestopics/subjects/c/computer_security/index.html

Name: Cybersecurity
Source: NextGov.com
URL: http://www.nextgov.com/cybersecurity/?oref=ng-nav

Name: Cyberwarfare and Cybersecurity
Source: Benton Foundation
URL: http://benton.org/taxonomy/term/1193

Name: Homeland Security
Source: Congressional Quarterly (CQ)
URL: http://homeland.cq.com/hs/news.do

Name: Cybersecurity
Source: Homeland Security News Wire
URL: http://www.homelandsecuritynewswire.com/topics/cybersecurity

Table 16. Related Resources: Other Associations and Institutions
Name Notes
Name: Cyber Aces Foundation
URL: http://www.cyberaces.org/
Notes: Offers challenging and realistic cybersecurity competitions, training camps, and educational initiatives through which high school, college students, and young professionals develop the practical skills needed to excel as cybersecurity practitioners.

Name: Cybersecurity from the Center for Strategic & International Studies (CSIS)
URL: http://csis.org/category/topics/technology/cybersecurity
Notes: Links to experts, programs, publications, and multimedia. CSIS is a bipartisan, nonprofit organization whose affiliated scholars conduct research and analysis and develop policy initiatives that look to the future and anticipate change.

Name: Cyberconflict and Cybersecurity Initiative from the Council on Foreign Relations
URL: http://www.cfr.org/projects/world/cyberconflict-and-cybersecurity-initiative/pr1497
Notes: Focuses on the relationship between cyberwar and the existing laws of war and conflict; how the United States should engage other states and international actors in pursuit of its interests in cyberspace; how the promotion of the free flow of information interacts with the pursuit of cybersecurity; and the private sector’s role in defense, deterrence, and resilience.

Name: Federal Cyber Service from the Scholarship For Service (SFS)
URL: https://www.sfs.opm.gov/
Notes: Scholarship For Service (SFS) is designed to increase and strengthen the cadre of federal information assurance professionals that protect the government’s critical information infrastructure. This program provides scholarships that fully fund the typical costs that students pay for books, tuition, and room and board while attending an approved institution of higher learning.

Name: Institute for Information Infrastructure Protection (I3P)
URL: http://www.thei3p.org/
Notes: I3P is a consortium of leading universities, national laboratories and nonprofit institutions dedicated to strengthening the cyber infrastructure of the United States.

Name: Internet Security Alliance (ISA)
URL: http://www.isalliance.org/
Notes: ISAalliance is a nonprofit collaboration between the Electronic Industries Alliance (EIA), a federation of trade associations, and Carnegie Mellon University’s CyLab.

Name: National Association of State Chief Information Officers (NASCIO)
URL: http://www.nascio.org/advocacy/cybersecurity
Notes: NASCIO’s cybersecurity awareness website. The Resource Guide provides examples of state awareness programs and initiatives.

Name: National Board of Information Security Examiners (NBISE)
URL: http://www.nbise.org/certifications.php
Notes: The National Board of Information Security Examiners (NBISE) mission is to increase the security of information networks, computing systems, and industrial and military technology by improving the potential and performance of the cyber security workforce.

Name: National Initiative for Cybersecurity Education (NICE)
URL: http://csrc.nist.gov/nice/
Notes: NICE attempts to forge a common set of definitions for the cybersecurity workforce.

Name: National Security Cyberspace Institute (NSCI)
URL: http://www.nsci-va.org/whitepapers.htm
Notes: NSCI provides education, research and analysis services to government, industry, and academic clients aiming to increase cyberspace awareness, interest, knowledge, and/or capabilities.

Name: U.S. Cyber Challenge (USCC)
URL: http://www.uscyberchallenge.org/
Notes: USCC’s goal is to find 10,000 of America's best and brightest to fill the ranks of cybersecurity professionals where their skills can be of the greatest value to the nation.
Source: Highlights compiled by CRS from the reports of related associations and institutions.


Author Contact Information

Rita Tehan

Information Research Specialist
rtehan@crs.loc.gov, 7-6739


Key Policy Staff
The following table provides names and contact information for CRS experts on policy issues related to
cybersecurity bills currently being debated in the 113th Congress.

Legislative Issues
Name/Title
Phone
E-mail
Legislation in the 113th Congress
Eric A. Fischer
7-7071
efischer@crs.loc.gov
Critical infrastructure protection
John D. Moteff
7-1435
jmoteff@crs.loc.gov
Chemical industry
Dana Shea
7-6844
dshea@crs.loc.gov
Defense industrial base
Catherine A. Theohary
7-0844
ctheohary@crs.loc.gov
Electricity grid
Richard J. Campbell
7-7905
rcampbell@crs.loc.gov
Financial institutions
N. Eric Weiss
7-6209
eweiss@crs.loc.gov
Industrial control systems
Dana Shea
7-6844
dshea@crs.loc.gov
Cybercrime



Federal laws
Charles Doyle
7-6968
cdoyle@crs.loc.gov
Law enforcement
Kristin M. Finklea
7-6259
kfinklea@crs.loc.gov
Cybersecurity workforce
Wendy Ginsberg
7-3933
wginsberg@crs.loc.gov
Cyberterrorism
Catherine A. Theohary
7-0844
ctheohary@crs.loc.gov
Cyberwar
Catherine A. Theohary
7-0844
ctheohary@crs.loc.gov
Data breach notification
Gina Stevens
7-2581
gstevens@crs.loc.gov
Economic issues
N. Eric Weiss
7-6209
eweiss@crs.loc.gov
Espionage



Advanced persistent threat
Catherine A. Theohary
7-0844
ctheohary@crs.loc.gov
Economic and industrial
Kristin M. Finklea
7-6259
kfinklea@crs.loc.gov
Legal issues
Brian T. Yeh
7-5182
byeh@crs.loc.gov
State-sponsored
Catherine A. Theohary
7-0844
ctheohary@crs.loc.gov
Federal agency roles
Eric A. Fischer
7-7071
efischer@crs.loc.gov
Chief Information Officers (CIOs)
Patricia Maloney Figliola
7-2508
pfigliola@crs.loc.gov
Commerce
John F. Sargent, Jr.
7-9147
jsargent@crs.loc.gov
Defense (DOD)
Catherine A. Theohary
7-0844
ctheohary@crs.loc.gov
Executive Office of the President (EOP)
John D. Moteff
7-1435
jmoteff@crs.loc.gov
Congressional Research Service
73
c11173008

.
.
Cybersecurity: Authoritative Reports and Resources, by Topic

Legislative Issues
Name/Title
Phone
E-mail
Homeland Security (DHS)
John D. Moteff
7-1435
jmoteff@crs.loc.gov
Intelligence Community (IC)
John Rollins
7-5529
jrollins@crs.loc.gov
Justice (DOJ)
Kristin M. Finklea
7-6259
kfinklea@crs.loc.gov
National Security Agency (NSA)
Catherine A. Theohary
7-0844
ctheohary@crs.loc.gov
Science agencies (NIST, NSF, OSTP)
Eric A. Fischer
7-7071
efischer@crs.loc.gov
Treasury and financial agencies
Rena S. Miller
7-0826
rsmiller@crs.loc.gov
Federal Information Security
John D. Moteff
7-1435
jmoteff@crs.loc.gov
Management Act (FISMA)
Federal Internet monitoring
Richard M. Thompson II
7-8449
rthompson@crs.loc.gov
Hacktivism
Kristin M. Finklea
7-6259
kfinklea@crs.loc.gov
Information sharing
Eric A. Fischer
7-7071
efischer@crs.loc.gov
Antitrust laws
Kathleen Ann Ruane
7-9135
kruane@crs.loc.gov
Civil liability
Edward C. Liu
7-9166
eliu@crs.loc.gov
Classified information
John Rollins
7-5529
jrollins@crs.loc.gov
Freedom of Information Act (FOIA)
Gina Stevens
7-2581
gstevens@crs.loc.gov
Privacy and civil liberties
Gina Stevens
7-2581
gstevens@crs.loc.gov
International cooperation



Defense and diplomatic
Catherine A. Theohary
7-0844
ctheohary@crs.loc.gov
Law enforcement
Kristin M. Finklea
7-6259
kfinklea@crs.loc.gov
National strategy and policy
Eric A. Fischer
7-7071
efischer@crs.loc.gov
National security
John Rollins
7-5529
jrollins@crs.loc.gov
Public/private partnerships
Eric A. Fischer
7-7071
efischer@crs.loc.gov
Supply chain
Eric A. Fischer
7-7071
efischer@crs.loc.gov
Technological issues
Eric A. Fischer
7-7071
efischer@crs.loc.gov
Botnets
Eric A. Fischer
7-7071
efischer@crs.loc.gov
Cloud computing
Patricia Maloney Figliola
7-2508
pfigliola@crs.loc.gov
Mobile devices
Patricia Maloney Figliola
7-2508
pfigliola@crs.loc.gov
Research and development (R&D)
Patricia Maloney Figliola
7-2508
pfigliola@crs.loc.gov

