.
.
Cybersecurity: Authoritative Reports and
Resources, by Topic
Rita Tehan
Information Research Specialist
January 8, 2014
Congressional Research Service
7-5700
www.crs.gov
R42507
c11173008
.
.
Cybersecurity: Authoritative Reports and Resources, by Topic
Summary
This report provides references to analytical reports on cybersecurity from CRS, other
government agencies, trade associations, and interest groups. The reports and related websites are
grouped under the following cybersecurity topics:
• policy overview
• National Strategy for Trusted Identities in Cyberspace (NSTIC)
• cloud computing and FedRAMP
• critical infrastructure
• cybercrime, data breaches and data security
• national security, cyber espionage, and cyberwar (including Stuxnet)
• international efforts
• education/training/workforce
• research and development (R&D)
In addition, the report lists selected cybersecurity-related websites for congressional and
government agencies, news, international organizations, and organizations or institutions.
Congressional Research Service
c11173008
.
.
Cybersecurity: Authoritative Reports and Resources, by Topic
Contents
CRS Reports, by Topic .................................................................................................................... 1
CRS Reports and Other CRS Products: Cybersecurity Policy .................................................. 1
CRS Reports: Critical Infrastructure ....................................................................................... 11
CRS Reports and Other CRS Products: Cybercrime and National Security ........................... 21
Selected Reports, by Federal Agency ............................................................................................ 46
Related Resources: Other Websites ............................................................................................... 71
Tables
Table 1. Cybersecurity Overview .................................................................................................... 2
Table 2. National Strategy for Trusted Identities in Cyberspace (NSTIC) ...................................... 6
Table 3. Cloud Computing and FedRAMP ...................................................................................... 8
Table 4. Critical Infrastructure ....................................................................................................... 12
Table 5. Cybercrime, Data Breaches, and Data Security ............................................................... 22
Table 6. National Security, Cyber Espionage, and Cyberwar ........................................................ 25
Table 7. International Efforts ......................................................................................................... 31
Table 8. Education/Training/Workforce ......................................................................................... 40
Table 9. Government Accountability Office (GAO) ...................................................................... 47
Table 10. White House/Office of Management and Budget .......................................................... 54
Table 11. Department of Defense (DOD) ...................................................................................... 58
Table 12. National Institute of Standards and Technology (NIST) ................................................ 62
Table 13. Other Federal Agencies .................................................................................................. 64
Table 14. Research & Development (R&D) .................................................................................. 68
Table 15. Related Resources: Congressional/Government ............................................................ 72
Table 16. Related Resources: International Organizations ............................................................ 74
Table 17. Related Resources: News ............................................................................................... 75
Table 18. Related Resources: Other Associations and Institutions ................................................ 75
Contacts
Author Contact Information........................................................................................................... 77
Key Policy Staff ............................................................................................................................. 77
Congressional Research Service
c11173008
.
.
Cybersecurity: Authoritative Reports and Resources, by Topic
CRS Reports, by Topic1
This section provides references to analytical reports on cybersecurity from CRS, other
government agencies, think tanks, trade associations, trade press, and technology research firms.
For each topic, CRS reports are listed first, followed by tables with reports from other
organizations.
CRS Reports and Other CRS Products: Cybersecurity Policy
• CRS Report R42114, Federal Laws Relating to Cybersecurity: Overview and
Discussion of Proposed Revisions, by Eric A. Fischer
• CRS Report R41941, The Obama Administration’s Cybersecurity Proposal:
Criminal Provisions, by Gina Stevens
• CRS Report R42984, The 2013 Cybersecurity Executive Order: Overview and
Considerations for Congress, by Eric A. Fischer et al.
• CRS Report R40150, A Federal Chief Technology Officer in the Obama
Administration: Options and Issues for Consideration, by John F. Sargent Jr.
• CRS Report R42409, Cybersecurity: Selected Legal Issues, by Edward C. Liu et
al.
• CRS Report R42887, Overview and Issues for Implementation of the Federal
Cloud Computing Initiative: Implications for Federal Information Technology
Reform Management, by Eric A. Fischer and Patricia Moloney Figliola
• CRS Report R43015, Cloud Computing: Constitutional and Statutory Privacy
Protections, by Richard M. Thompson II
• CRS Legal Sidebar, House Intelligence Committee Marks Up Cybersecurity Bill
CISPA, Richard M. Thompson II
• CRS Legal Sidebar, Can the President Deal with Cybersecurity Issues via
Executive Order?, Vivian S. Chu
1 For information on legislation and hearings in the 112th-123th Congresses, and Executive Orders and Presidential
Directives, see CRS Report R43317, Cybersecurity: Legislation, Hearings, and Executive Branch Documents, by Rita
Tehan.
Congressional Research Service
1
c11173008
.
.
Table 1. Cybersecurity Overview
Title Source
Date
Pages
Notes
Defending an Open, Global, Secure, and
Council on Foreign Relations
June 2013
127
The Task Force recommends that the United States
Resilient Internet
develop a digital policy framework based on four pillars,
the last of which is that U.S.-based industry work rapidly
to establish an industry-led approach to counter current
and future cyberattacks.
Measuring What Matters: Reducing Risk by
Safegov.org, in coordination
March 2013
39
Report recommends that rather than periodically
Rethinking How We Evaluate Cybersecurity
with the National Academy of
auditing whether an agency's systems meet the standards
Public Administration
enumerated in Federal Information Security Management
Act (FISMA) at a static moment in time, agencies and
their inspectors general should keep running scorecards
of “cyber risk indicators" based on continual IG
assessments of a federal organization's cyber
vulnerabilities.
Developing a Framework To Improve Critical
National Institute of Standards
February 12, 2013
5
NIST announced the first step in the development of a
Infrastructure Cybersecurity (Federal Register
and Technology (NIST)
Cybersecurity Framework, which will be a set of
Notice; Request for Information)
voluntary standards and best practices to guide industry
in reducing cyber risks to the networks and computers
that are vital to the nation’s economy, security, and daily
life.
SEI Emerging Technology Center: Cyber
Carnegie Mellon University
January 2013
23
This report addresses the endemic problem of functional
Intelligence Tradecraft Project
cyber intelligence analysts not effectively communicating
with non-technical audiences. It also notes organizations’
reluctance to share information within their own entities,
industries, and across economic sectors.
The National Cyber Security Framework
NATO Cooperative Cyber
December 11, 2012
253
Provides detailed background information and in-depth
Manual
Defense Center of Excel ence
theoretical frameworks to help the reader understand
the various facets of National Cyber Security, according
to different levels of public policy formulation. The four
levels of government—political, strategic, operational and
tactical/technical—each have their own perspectives on
National Cyber Security, and each is addressed in
individual sections within the Manual.
CRS-2
c11173008
.
.
Title Source
Date
Pages
Notes
20 Critical Security Controls for Effective
Center for Strategic &
November 2012
89
The top 20 security controls from a public-private
Cyber Defense
International Studies
consortium. Members of the Consortium include NSA,
US CERT, DOD JTF-GNO, the Department of Energy
Nuclear Laboratories, Department of State, DOD Cyber
Crime Center plus commercial forensics experts in the
banking and critical infrastructure communities.
Cyber Security Task Force: Public-Private
Bipartisan Policy Center
July 2012
24
Outlines a series of proposals that would enhance
Information Sharing
information sharing. The recommendations have two
major components: (1) mitigation of perceived legal
impediments to information sharing, and (2) incentivizing
private sector information sharing by alleviating statutory
and regulatory obstacles.
Cyber-security: The Vexed Question of Global
McAfee and the Security
February 2012
108
The report examines the current state of cyber-
Rules: An Independent Report on Cyber-
Defense Agenda
preparedness around the world, and is based on survey
Preparedness Around the World
results from 80 policy-makers and cybersecurity experts
in the government, business, and academic sectors from
27 countries. The countries were ranked on their state
of cyber-preparedness.
Mission Critical: A Public-Private Strategy for
Business Roundtable
October 11, 2011
28
Report suggests, “[p]ublic policy solutions must
Effective Cybersecurity
recognize the absolute importance of leveraging policy
foundations that support effective global risk
management, in contrast to “check-the-box” compliance
approaches that can undermine security and
cooperation.” The document concludes with specific
policy proposals and activity commitments.
World Cybersecurity Technology Research
Centre for Secure Information
September 12, 2011
14
The Belfast 2011 event attracted international cyber
Summit (Belfast 2011)
Technologies (CSIT)
security experts from leading research institutes,
government bodies, and industry who gathered to
discuss current cyber security threats, predict future
threats and the necessary mitigation techniques, and to
develop a collective strategy for next research.
CRS-3
c11173008
.
.
Title Source
Date
Pages
Notes
A Review of Frequently Used Cyber Analogies
National Security Cyberspace
July 22, 2011
7
From the report, “The current cybersecurity crisis can
Institute
be described several ways with numerous metaphors.
Many compare the current crisis with the lawlessness to
that of the Wild West and the out-dated tactics and race
to security with the Cold War. When treated as a
distressed ecosystem, the work of both national and
international agencies to eradicate many infectious
diseases serves as a model as how poor health can be
corrected with proper resources and execution. Before
these issues are discussed, what cyberspace actually is
must be identified.”
America’s Cyber Future: Security and
Center for a New American
May 31, 2011
296
To help U.S. policy makers address the growing danger
Prosperity in the Information Age
Security
of cyber insecurity, this two-volume report features
chapters on cyber security strategy, policy, and
technology by some of the world’s leading experts on
international relations, national security, and information
technology.
Resilience of the Internet Interconnection
European Network and
April 11, 2011
238
Part I: Summary and Recommendations; Part II: State of
Ecosystem
Information Security Agency
the Art Review (a detailed description of the Internet’s
(ENISA)
routing mechanisms and analysis of their robustness at
the technical, economic and policy levels.); Part III:
Report on the Consultation (a broad range of
stakeholders were consulted. This part reports on the
consultation and summarizes the results). Part IV:
Bibliography and Appendices.
Improving our Nation’s Cybersecurity through
Business Software Alliance,
March 8, 2011
26
This paper proposes expanding the existing partnership
the Public-Private Partnership: A White Paper
Center for Democracy &
within the framework of the National Infrastructure
Technology, U.S. Chamber of
Protection Plan. Specifically, it makes a series of
Commerce, Internet Security
recommendations that build upon the conclusions of
Alliance, Tech America
President Obama’s Cyberspace Policy Review.
Cybersecurity Two Years Later
CSIS Commission on
January 2011
22
From the report: “We thought then [in 2008] that
Cybersecurity for the 44th
securing cyberspace had become a critical challenge for
Presidency, Center for
national security, which our nation was not prepared to
Strategic and International
meet.... In our view, we are still not prepared.”
Studies
CRS-4
c11173008
.
.
Title Source
Date
Pages
Notes
Toward Better Usability, Security, and Privacy
National Research Council
September 21, 2010
70
Discusses computer system security and privacy, their
of Information Technology: Report of a
(NRC)
relationship to usability, and research at their
Workshop
intersection. This is drawn from remarks made at the
National Research Council’s July 2009 Workshop on
Usability, Security and Privacy of Computer Systems as well
as reports from the NRC's Computer Science and
Telecommunications Board on security and privacy.
National Security Threats in Cyberspace
Joint Workshop of the
September 15, 2009
37
The two-day workshop brought together more than two
National Security Threats in
dozen experts with diverse backgrounds: physicists;
Cyberspace and the National
telecommunications executives; Silicon Valley
Strategy Forum
entrepreneurs; federal law enforcement, military,
homeland security, and intelligence officials;
congressional staffers; and civil liberties advocates. For
two days they engaged in an open-ended discussion of
cyber policy as it relates to national security, under
Chatham House Rules: their comments were for the
public record, but they were not for attribution.
Note: Highlights compiled by the Congressional Research Service (CRS) from the reports.
CRS-5
c11173008
.
.
Table 2. National Strategy for Trusted Identities in Cyberspace (NSTIC)
Title Source
Date
Pages Notes
Identity Ecosystem Framework (IDESG)
IDESG
Ongoing
N/A
The NSTIC called for the establishment of a private sector-led
steering group to administer the development and adoption of
the Identity Ecosystem Framework: the IDESG. The IDESG
receives its authority to operate from the active participation of
its membership in accordance with the Rules of Association
which follow. The IDESG has been initiated with the support of
NIST. Following an initial period, the IDESG will transition to a
self-sustaining organization.
NIST Awards Grants to Improve Online Security
NIST September
17, N/A
NIST announced more than $7 mil ion in grants to support the
and Privacy
2013
NSTIC. The funding will enable five U.S. organizations to
develop pilot identity protection and verification systems that
offer consumers more privacy, security, and convenience online.
Five Pilot Projects Receive Grants to Promote
NIST September
20, N/A
NIST announced more than $9 mil ion in grant awards to
Online Security and Privacy
2012
support the NSTIC. Five U.S. organizations wil pilot identity
solutions that increase confidence in online transactions,
prevent identity theft, and provide individuals with more control
over how they share their personal information.
Recommendations for Establishing an Identity
NIST February
17, 51
NIST responds to comments received in response to the
Ecosystem Governance Structure
2012
related Notice of Inquiry published in the Federal Register on
June 14, 2011. This report summarizes the responses to the
NOI and provides recommendations and intended government
actions to serve as a catalyst for establishing such a governance
structure. The recommendations result from comments and
suggestions by the NOI respondents as well as best practices
and lessons learned from similarly scoped governance efforts.
Models for a Governance Structure for the
NIST
June 14, 2011
4
The department seeks public comment from all stakeholders,
National Strategy for Trusted Identities in
including the commercial, academic and civil society sectors, and
Cyberspace
consumer and privacy advocates on potential models, in the
form of recommendations and key assumptions in the formation
and structure of the steering group.
Administration Releases Strategy to Protect
White House
April 15, 2011
N/A
Press release on a proposal to administer the processes for
Online Consumers and Support Innovation and
policy and standards adoption for the Identity Ecosystem
Fact Sheet on National Strategy for Trusted
Framework in accordance with the National Strategy for
Identities in Cyberspace
Trusted Identities in Cyberspace (NSTIC).
CRS-6
c11173008
.
.
Title Source
Date
Pages Notes
National Strategy for Trusted Identities in Cyberspac
White House
April 15, 2011
52
The NSTIC aims to make online transactions more trustworthy,
thereby giving businesses and consumers more confidence in
conducting business online.
National Strategy for Trusted Identities in Cyberspac
White House
June 25, 2010
39
The NSTIC, which is in response to one of the near term action
Options for Enhanced Online Security and Privacy (D
items in the President’s Cyberspace Policy Review, calls for the
creation of an online environment, or an Identity Ecosystem,
where individuals and organizations can complete online
transactions with confidence, trusting the identities of each
other and the identities of the infrastructure where transaction
occur.
Note: Highlights compiled by CRS from the reports.
CRS-7
c11173008
.
.
Table 3. Cloud Computing and FedRAMP2
Title Source
Date
Pages
Notes
Delivering on the Promise of Big Data and the Cloud
Booz, Allen, Hamilton
January 9, 2013
7
From the report, “Reference architecture does away
with conventional data and analytics silos,
consolidating all information into a single medium
designed to foster connections cal ed a “data lake,"
which reduces complexity and creates efficiencies
that improve data visualization to allow for easier
insights by analysts.”
Cloud Computing: An Overview of the Technology and
House Judiciary Comm.,
July 25, 2012
156
Overview and discussion of cloud computing issues.
the Issues facing American Innovators
Subcom. on Intellectual
Property, Competition, and
the Internet
Information Technology Reform: Progress Made but
GAO
July 11, 2012
43
GAO recommends that the Secretaries of
Future Cloud Computing Efforts Should be Better
Agriculture, Health and Human Services, Homeland
Planned
Security, State, and the Treasury, and the
Administrators of the General Services
Administration and Small Business Administration
should direct their respective CIO to establish
estimated costs, performance goals, and plans to
retire associated legacy systems for each cloud-based
service discussed in this report, as applicable.
Cloud Computing Strategy
DOD, Chief Information
July 2012
44
The DOD Cloud Computing Strategy introduces an
Officer
approach to move the department from the current
state of a duplicative, cumbersome, and costly set of
application silos to an end state which is an agile,
secure, and cost effective, and a service environment
that can rapidly respond to changing mission needs.
A Global Reality: Governmental Access to Data in the
Hogan Lovel s
May 23, 2012
13
This white paper compares the nature and extent of
Cloud - A Comparative Analysis of Ten International
governmental access to data in the cloud in many
Jurisdictions
jurisdictions around the world.
2 Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization,
and continuous monitoring for cloud products and services.
CRS-8
c11173008
.
.
Title Source
Date
Pages
Notes
Policy Challenges of Cross-Border Cloud Computing
U.S. International Trade
May 2012
38
Report examines the main policy challenges
Commission
associated with cross-border cloud computing—data
privacy, security, and ensuring the free flow of
information—and the ways that countries are
addressing them through domestic policy making,
international agreements, and other cooperative
arrangements.
Cloud Computing Synopsis and Recommendations (SP
NIST
May 2012
81
NIST’s guide explains cloud technologies in “plain
800-146)
terms” to federal agencies and provides
recommendations for IT decision makers.
Global Cloud Computing Scorecard a Blueprint for
Business Software Alliance
February 2,
24
This report notes that while many developed
Economic Opportunity
2012
countries have adjusted their laws and regulations to
address cloud computing, the wide differences in
those rules make it difficult for companies to invest in
the technology.
Concept of Operations: FedRAMP
General Services
February 7,
47
Implementation of the Federal Risk and Authorization
Administration (GSA)
2012
Management Program (FedRAMP) will be in phases.
This document describes all the services that will be
available at initial operating capability—targeted for
June 2012. The Concept of Operations will be
updated as the program evolves toward sustained
operations.
Federal Risk and Authorization Management Program
Federal CIO Council
January 4, 2012
N/A
FedRAMP has been established to provide a standard
(FedRAMP)
approach to Assessing and Authorizing (A&A) cloud
computing services and products.
Security Authorization of Information Systems in Cloud
White House/Office of
December 8,
7
FedRAMP wil now be required for all agencies
Computing Environments (FedRAMP)
Management and Budget
2011
purchasing storage, applications and other remote
(OMB)
services from vendors. The Administration promotes
cloud computing as a means to save money and
accelerate the government’s adoption of new
technologies.
U.S. Government Cloud Computing Technology
NIST December
1,
32
Volume I is aimed at interested parties who wish to
Roadmap, Volume I, Release 1.0 (Draft). High-Priority
2011
gain a general understanding and overview of the
Requirements to Further USG Agency Cloud Computing
background, purpose, context, work, results, and
Adoption (SP 500-293)
next steps of the U.S. Government Cloud Computing
Technology Roadmap initiative.
CRS-9
c11173008
.
.
Title Source
Date
Pages
Notes
U.S. Government Cloud Computing Technology
NIST December
1,
85
Volume II is designed as a technical reference for
Roadmap, Release 1.0 (Draft), Volume II Useful
2011
those actively working on strategic and tactical cloud
Information for Cloud Adopters (SP 500-293)
computing initiatives, including, but not limited to,
U.S. government cloud adopters. Vol. II integrates
and summarizes the work completed to date and
explains how these findings support the roadmap
introduced in Vol. I.
Information Security: Additional Guidance Needed to
GAO October
6,
17
Twenty-two of 24 major federal agencies reported
Address Cloud Computing Concerns
2011
that they were either concerned or very concerned
about the potential information security risks
associated with cloud computing. GAO
recommended that the NIST issue guidance specific
to cloud computing security.
Cloud Computing Reference Architecture (SP 500-292)
NIST
September 1,
35
This “Special Publication," which is not an official U.S.
2011
government standard, is designed to provide guidance
to specific communities of practitioners and
researchers.
Guide to Cloud Computing for Policy Makers
Software and Information
July 26, 2011
27
The SAII concludes “that there is no need for cloud-
Industry Association (SAII)
specific legislation or regulations to provide for the
safe and rapid growth of cloud computing, and in fact,
such actions could impede the great potential of
cloud computing."
Federal Cloud Computing Strategy
White House
February 13,
43
The strategy outlines how the federal government
2011
can accelerate the safe, secure adoption of cloud
computing, and provides agencies with a framework
for migrating to the cloud. It also examines how
agencies can address challenges related to the
adoption of cloud computing, such as privacy,
procurement, standards, and governance.
25 Point Implementation Plan to Reform Federal
White House
December 9,
40
The plan’s goals are to reduce the number of
Information Technology Management
2010
federal y run data centers from 2,100 to
approximately 1,300, rectify or cancel one-third of
troubled IT projects, and require federal agencies to
adopt a “cloud first” strategy in which they will move
at least one system to a hosted environment within a
year.
Notes: These reports analyze cybersecurity issues related to the federal government’s adoption of cloud computing storage options. Highlights compiled by CRS from
the reports.
CRS-10
c11173008
.
.
Cybersecurity: Authoritative Reports and Resources, by Topic
CRS Reports: Critical Infrastructure
• CRS Report R42683, Critical Infrastructure Resilience: The Evolution of Policy and
Programs and Issues for Congress, by John D. Moteff
• CRS Report RL30153, Critical Infrastructures: Background, Policy, and Implementation,
by John D. Moteff
• CRS Report R42660, Pipeline Cybersecurity: Federal Policy, by Paul W. Parfomak
• CRS Report R41536, Keeping America’s Pipelines Safe and Secure: Key Issues for
Congress, by Paul W. Parfomak
• CRS Report R41886, The Smart Grid and Cybersecurity—Regulatory Policy and Issues,
by Richard J. Campbell
• CRS Report R42338, Smart Meter Data: Privacy and Cybersecurity, by Brandon J.
Murrill, Edward C. Liu, and Richard M. Thompson II
• CRS Report RL33586, The Federal Networking and Information Technology Research
and Development Program: Background, Funding, and Activities, by Patricia Moloney
Figliola
CRS Report 97-868, Internet Domain Names: Background and Policy Issues, by Lennard G. Kruger
Congressional Research Service
11
c11173008
.
.
Table 4. Critical Infrastructure
Title Source
Date
Pages
Notes
Cybersecurity for Energy Delivery Systems Program
Department of
ongoing
N/A
The program assists the energy sector asset owners (electric,
(CEDS)
Energy, Office of
oil, and gas) by developing cybersecurity solutions for energy
Electricity
delivery systems through integrated planning and a focused
Delivery &
research and development effort. CEDS co-funds projects with
Energy Reliability
industry partners to make advances in cybersecurity capabilities
for energy delivery systems.
GridEx North
American
ongoing
N/A
The objectives of the NERC Grid Security Exercise (GridEx)
Electric Reliability
series are to use simulated scenarios (with NO real-world
Corporation
effects) to exercise the current readiness of participating
(NERC)
Electricity Sub-sector entities to respond to cyber or physical
security incidents and provide input for security program
improvements to the bulk power system. GridEx is a biennial
international grid security exercise that uses best practices and
other contributions from the Department of Homeland Security,
the Federal Emergency Management Agency, and the National
Institute of Standards and Technology.
World Federation of Exchanges (WFE) Launches Global
World
December 12,
N/A
The WFE announced the launch of the exchange industry’s first
Cyber Security Committee
Federation of
2013
cyber security committee with a mission to aid in the protection
Exchanges
of the global capital markets. The working group will bring
together representation from a number of exchanges and
clearinghouses across the globe, to col aborate on best practices
in global security.
The Critical Infrastructure Gap: U.S. Port Facilities and
Brookings
July 2013
50
The study argues that the level of cyber security awareness and
Cyber Vulnerabilities
Institution/
culture in U.S. port facilities is relatively low and that a
Center for 21st
cyberattack at a major U.S. port would quickly cause significant
Century Security
damage to the economy.
and Intelligence
FFIEC Forms Cybersecurity and Critical Infrastructure
Federal Financial
June 6, 2013
2
FFIEC formed a working group to further promote coordination
Working Group
Institutions
across the federal and state banking regulatory agencies on
Examination
critical infrastructure and cybersecurity issues.
Council (FFIEC)
Electric Grid Vulnerability: Industry Responses Reveal
Rep. Edward
May 21, 2013
35
The report found that less than a quarter of investor-owned
Security Gaps
Markey and Rep.
utilities and less than half of municipal and cooperation-owned
Henry Waxman
utilities followed through with voluntary standards issued by the
Federal Energy Regulatory Commission after the Stuxnet worm
struck in 2010.
CRS-12
c11173008
.
.
Title Source
Date
Pages
Notes
Initial Analysis of Cybersecurity Framework RFI
NIST
May 20, 2013
33
Comments on the chal enges of protecting the nation’s critical
Responses
infrastructure have identified a handful of issues for the more
than 200 people and organizations who responded to a formal
request for information. NIST has released an initial analysis of
243 responses to the Feb. 26 RFI. The analysis will form the
basis for an upcoming workshop at Carnegie Mellon University
in Pittsburgh as NIST moves forward on creating a cybersecurity
framework for essential energy, utility, and communications
systems.
Joint Working Group on Improving Cybersecurity and
General Services
May 13, 2013
3
Among other things, PPD–21 requires the General Services
Resilience Through Acquisition, Notice of Request for
Administration
Administration, in consultation with DOD and DHS, to jointly
Information
provide and support government-wide contracts for critical
infrastructure systems and ensure that such contracts include
audit rights for the security and resilience of critical
infrastructure.
Version 5 Critical Infrastructure Protection Reliability
Federal Energy
April 24, 2013
18
FERC proposes to approve the Version 5 Critical Infrastructure
Standards (Notice of Proposed Rulemaking)
Regulatory
Protection Reliability Standards, CIP-002-5 through CIP-011-1,
Commission
submitted by the North American Electric Reliability
Corporation, the Commission-certified Electric Reliability
Organization. The proposed Reliability Standards, which pertain
to the cyber security of the bulk electric system, represent an
improvement over the current Commission-approved CIP
Reliability Standards as they adopt new cyber security controls
and extend the scope of the systems that are protected by the
CIP Reliability Standards.
CRS-13
c11173008
.
.
Title Source
Date
Pages
Notes
Wireless Cybersecurity
Syracuse
April 2013
167
This project dealt with various threats in wireless networks,
University New
including: eavesdropping in a broadcast channel, non-cooperative
York, Dept. of
eavesdropping in a single-source single-sink planar network, and
Electrical
primary user emulation attack in a cognitive radio network. The
Engineering and
major contributions were: detailed analysis of performance
Computer
trade-off in the presence of the eavesdropping threat; a
Science
combined encoding and routing approach that provides provable
security against non-cooperating eavesdropping; and a physical
layer approach to counter the primary emulation attack. The
research results under this effort significantly advanced our
understanding on some of the fundamental trade-offs among
various performance metrics in a wireless system. Practically
feasible wireless security measures were also obtained that
could lead to more assured operations in which secured
wireless networks play an indispensable role. This project led to
one PhD dissertation, one pending patent application, two
archival journal papers and a number of peer-reviewed
conference papers.
Incentives To Adopt Improved Cybersecurity Practices
NIST and the
March 28, 2013
N/A
The Commerce Department is investigating ways to incentivize
National
companies and organizations to improve their cybersecurity. To
Telecommunica-
better understand what stakeholders – such as companies, trade
tions and
associations, academics and others – believe would best serve as
Information
incentives, the Department has released a series of questions to
Administration
gather public comments in a Notice of Inquiry.
Cybersecurity: The Nation's Greatest Threat to Critical
U.S. Army War
March 2013
38
This paper provides a background of what constitutes national
Infrastructure
College
critical infrastructure and Critical Infrastructure Protection
(CIP); discusses the immense vulnerabilities, threats, and risks
associated in the protection of critical infrastructure; and
outlines governance and responsibilities of protecting vulnerable
infrastructure. The paper makes recommendations for federal
responsibilities and legislation to direct nation critical
infrastructure efforts to ensure national security, public safety,
and economic stability.
SCADA and Process Control Security Survey
SANS Institute
February 1,
19
SANS Institute surveyed professionals who work with SCADA
2013
and process control systems. Of the nearly 700 respondents,
70% said they consider their SCADA systems to be at high or
severe risk; one-third of them suspect that they have been
already been infiltrated.
CRS-14
c11173008
.
.
Title Source
Date
Pages
Notes
Fol ow-up Audit of the Department’s Cyber Security
U.S. Department
December
25
In 2008, the Department's Cyber Security Incident Management
Incident Management Program
of Energy
2012
Program (DOE/IG-0787, January 2008) reported the department
Inspector
and National Nuclear Security Administration (NNSA)
General’s Office
established and maintained a number of independent, at least
partially duplicative, cyber security incident management
capabilities. Several issues were identified that limited the
efficiency and effectiveness of the department's cyber security
incident management program and adversely affected the ability
of law enforcement to investigate incidents. In response to the
finding, management concurred with the recommendations and
indicated that it had initiated actions to address the issues
identified.
Terrorism and the Electric Power Delivery System
National
November 2012
146
Focuses on measures that could make the electric power
Academies of
delivery system less vulnerable to attacks, restore power faster
Science
after an attack, and make critical services less vulnerable when
the delivery of conventional electric power has been disrupted.
New FERC Office to Focus on Cyber Security
U.S. Department
September 20,
N/A
The Federal Energy Regulatory Commission announced the
of Energy
2012
creation of the agency’s new Office of Energy Infrastructure
Security, which will work to reduce threats to the electric grid
and other energy facilities. The goal is for the office to help
FERC, and other agencies and private companies, better identify
potential dangers and solutions.
Canvassing the Targeting of Energy Infrastructure: The
Journal of Energy
August 7, 2012
8
The Energy Infrastructure Attack Database (EIAD) is a non-
Energy Infrastructure Attack Database
Security
commercial dataset that structures information on reported
(criminal and political) attacks to energy infrastructure (EI)
(worldwide) since 1980, by non-state actors. In building this
resource, the objective was to develop a product that could be
broadly accessible and also connect to existing available
resources
Smart-Grid Security
Center for
August 2012
26
Highlights the significance of and the challenges with securing the
Infrastructure
smart grid.
Protection and
Homeland
Security, George
Mason School of
Law
CRS-15
c11173008
.
.
Title Source
Date
Pages
Notes
Cybersecurity: Challenges in Securing the Electricity Grid GAO
July 17, 2012
25
In a prior report, GAO made recommendations related to
electricity grid modernization efforts, including developing an
approach to monitor compliance with voluntary standards.
These recommendations have not yet been implemented.
Energy Department Develops Tool with Industry to Help
U.S. Department
June 28, 2012
N/A
The Cybersecurity Self-Evaluation Tool uses best practices that
Utilities Strengthen Their Cybersecurity Capabilities
of Energy
were developed for the Electricity Subsector Cybersecurity
Capability Maturity Model Initiative, which involved a series of
workshops with the private sector to draft a maturity model
that can be used throughout the electric sector to better
protect the grid.
ICS-CERT Incident Response Summary Report, 2009-
U.S. Industrial
May 9, 2012
17
The number of reported cyberattacks on U.S. critical
2011
Control System
infrastructure increased sharply—from 9 incidents in 2009 to
Cyber Emergency
198 in 2011; water sector-specific incidents, when added to the
Response Team
incidents that affected several sectors, accounted for more than
(ICS-CERT)
half of the incidents; in more than half of the most serious cases,
implementing best practices such as login limitation or properly
configured firewall, would have deterred the attack, reduced the
time it would have taken to detect an attack, and minimize its
impact.
Cybersecurity Risk Management Process (Electricity
Department of
May 2012
96
The guideline describes a risk management process that is
Subsector)
Energy, Office of
targeted to the specific needs of electricity sector organizations.
Electricity
The objective of the guideline is to build upon existing guidance
Delivery &
and requirements to develop a flexible risk management process
Energy Reliability
tuned to the diverse missions, equipment, and business needs of
the electric power industry.
ICT Applications for the Smart Grid: Opportunities and
Organization for
January 10, 2012
44
This report discusses “smart” applications of information and
Policy Implications
Economic Co-
communication technologies (ICTs) for more sustainable energy
operation and
production, management and consumption. The report outlines
Development
policy implications for government ministries dealing with
(OECD)
telecommunications regulation, ICT sector and innovation
promotion, and consumer and competition issues.
The Department’s Management of the Smart Grid
Department of
January 20, 2012
21
According to the Inspector General, DOE's rush to award
Investment Grant Program
Energy (DOE)
stimulus grants for projects under the next generation of the
Inspector
power grid, known as the Smart grid, resulted in some firms
General
receiving funds without submitting complete plans for how to
safeguard the grid from cyberattacks.
CRS-16
c11173008
.
.
Title Source
Date
Pages
Notes
Critical Infrastructure Protection: Cybersecurity
Government
December 9,
77
According to GAO, given the plethora of guidance available,
Guidance Is Available, but More Can Be Done to
Accountability
2011
individual entities within the sectors may be challenged in
Promote Its Use
Office (GAO)
identifying the guidance that is most applicable and effective in
improving their security posture. Improved knowledge of the
available guidance could help both federal and private-sector
decision makers better coordinate their efforts to protect
critical cyber-reliant assets.
The Future of the Electric Grid
Massachusetts
December 5,
39
Chapter 1 provides an overview of the status of the grid, the
Institute of
2011
challenges and opportunities it will face, and major
Technology (MIT)
recommendations. To facilitate selective reading, detailed
descriptions of the contents of each section in Chapters 2–9 are
provided in each chapter’s introduction, and recommendations
are collected and briefly discussed in each chapter's final section.
(See Chapter 9, Data Communications, Cybersecurity, and
Information Privacy, pages 208-234).
FCC‘s Plan for Ensuring the Security of
Federal
June 3, 2011
1
FCC Chairman Genachowski's response to letter from Rep.
Telecommunications Networks
Communications
Anna Eshoo dated November 2, 2010, re: concerns about the
Commission
implications of foreign-controlled telecommunications
(FCC)
infrastructure companies providing equipment to the U.S.
market.
Cyber Infrastructure Protection
U.S. Army War
May 9, 2011
324
Part 1 deals with strategic and policy cybersecurity-related
College
issues and discusses the theory of cyberpower, Internet
survivability, large scale data breaches, and the role of
cyberpower in humanitarian assistance. Part 2 covers social and
legal aspects of cyber infrastructure protection and discusses the
attack dynamics of political and religiously motivated hackers.
Part 3 discusses the technical aspects of cyber infrastructure
protection, including the resilience of data centers, intrusion
detection, and a strong emphasis on Internet protocol (IP)
networks.
In the Dark: Crucial Industries Confront Cyberattacks
McAfee and
April 21, 2011
28
The study reveals an increase in cyberattacks on critical
Center for
infrastructure such as power grids, oil, gas, and water; the study
Strategic and
also shows that that many of the world’s critical infrastructures
International
lacked protection of their computer networks, and reveals the
Studies (CSIS)
cost and impact of cyberattacks
CRS-17
c11173008
.
.
Title Source
Date
Pages
Notes
Cybersecurity: Continued Attention Needed to Protect
Government
March 16, 2011
17
According to GAO, executive branch agencies have made
Our Nation’s Critical Infrastructure and Federal
Accountability
progress instituting several government-wide initiatives that are
Information Systems
Office (GAO)
aimed at bolstering aspects of federal cybersecurity, such as
reducing the number of federal access points to the Internet,
establishing security configurations for desktop computers, and
enhancing situational awareness of cyber events. Despite these
efforts, the federal government continues to face significant
challenges in protecting the nation's cyber-reliant critical
infrastructure and federal information systems.
Federal Energy Regulatory Commission’s Monitoring of
Department of
January 26, 2011
30
NERC developed Critical Infrastructure Protection (CIP) cyber
Power Grid Cyber Security
Energy Office of
security reliability standards which were approved by the FERC
Inspector
in January 2008. Although the Commission had taken steps to
General
ensure CIP cyber security standards were developed and
approved, NERC’s testing revealed that such standards did not
always include controls commonly recommended for protecting
critical information systems. In addition, the CIP standards
implementation approach and schedule approved by the
Commission were not adequate to ensure that systems-related
risks to the nation's power grid were mitigated or addressed in
a timely manner.
Electricity Grid Modernization: Progress Being Made on
Government
January 12, 2011
50
To reduce the risk that NIST’s smart grid cybersecurity
Cybersecurity Guidelines, but Key Challenges Remain to
Accountability
guidelines will not be as effective as intended, the Secretary of
be Addressed
Office (GAO)
Commerce should direct the Director of NIST to finalize the
agency's plan for updating and maintaining the cybersecurity
guidelines, including ensuring it incorporates (1) missing key
elements identified in this report, and (2) specific milestones for
when efforts are to be completed. Also, as a part of finalizing the
plan, the Secretary of Commerce should direct the Director of
NIST to assess whether any cybersecurity challenges identified
in this report should be addressed in the guidelines.
Partnership for Cybersecurity Innovation
White House
December 6,
4
The Obama Administration released a Memorandum of
(Office of Science
2010
Understanding signed by the National Institute of Standards and
& Technology
Technology (NIST) of the Department of Commerce, the
Policy)
Science and Technology Directorate of the Department of
Homeland Security (DHS/S&T), and the Financial Services Sector
Coordinating Council (FSSCC). The goal of the agreement is to
speed up the commercialization of cybersecurity research
innovations that support the nation’s critical infrastructures.
CRS-18
c11173008
.
.
Title Source
Date
Pages
Notes
WIB Security Standard Released
International
November 10,
The Netherlands-based WIB, an international organization that
Instrument Users
2010
represents global manufacturers in the industrial automation
Association
industry, announced the second version of the Process Control
(WIB)
Domain Security Requirements For Vendors document—the
first international standard that outlines a set of specific
requirements focusing on cyber security best practices for
suppliers of industrial automation and control systems.
Information Security Management System for Microsoft
Microsoft
November 2010
15
This study describes the standards Microsoft fol ows to address
Cloud Infrastructure
current and evolving cloud security threats. It also depicts the
internal structures within Microsoft that handle cloud security
and risk management issues.
NIST Finalizes Initial Set of Smart Grid Cyber Security
National Institute
September 2,
N/A
NIST released a three-volume set of recommendations relevant
Guidelines
of Standards and
2010
to securing the Smart Grid. The guidelines address a variety of
Technology
topics, including high-level security requirements, a risk
(NIST)
assessment framework, an evaluation of privacy issues in
residences and recommendations for protecting the evolving
grid from attacks, malicious code, cascading errors, and other
threats.
Critical Infrastructure Protection: Key Private and Public
Government
July 15, 2010
38
Private-sector stakeholders reported that they expect their
Cyber Expectations Need to Be Consistently Addressed
Accountability
federal partners to provide usable, timely, and actionable cyber
Office (GAO)
threat information and alerts; access to sensitive or classified
information; a secure mechanism for sharing information;
security clearances; and a single centralized government
cybersecurity organization to coordinate government efforts.
However, according to private sector stakeholders, federal
partners are not consistently meeting these expectations.
The Future of Cloud Computing
Pew Research
June 11, 2010
26
Technology experts and stakeholders expect they will “live
Center’s Internet
mostly in the cloud” in 2020 and not on the desktop, working
& American Life
mostly through cyberspace-based applications accessed through
Project
networked devices.
The Reliability of Global Undersea Communications Cable IEEE/EastWest
May 26, 2010
186
This study submits 12 major recommendations to private sector,
Infrastructure (The ROGUCCI Report)
Institute
governments and other stakeholders—especially the financial
sector—for the purpose of improving the reliability, robustness,
resilience, and security of the world’s undersea communications
cable infrastructure.
CRS-19
c11173008
.
.
Title Source
Date
Pages
Notes
NSTB Assessments Summary Report: Common Industrial
Department of
May 2010
123
Computer networks controlling the electric grid are plagued
Control System Cyber Security Weaknesses
Energy, Idaho
with security holes that could allow intruders to redirect power
National
delivery and steal data. Many of the security vulnerabilities are
Laboratory
strikingly basic and fixable problems.
Explore the reliability and resiliency of commercial
Federal
April 21, 2010
N/A
The FCC launched an inquiry into the ability of existing
broadband communications networks
Communications
broadband networks to withstand significant damage or severe
Commission
overloads as a result of natural disasters, terrorist attacks,
(FCC)
pandemics or other major public emergencies, as recommended
in the National Broadband Plan.
Security Guidance for Critical Areas of Focus in Cloud
Cloud Security
December 2009
76
From the report, “Through our focus on the central issues of
Computing V2.1
Alliance
cloud computing security, we have attempted to bring greater
clarity to an otherwise complicated landscape, which is often
filled with incomplete and oversimplified information. Our focus
... serves to bring context and specificity to the cloud computing
security discussion: enabling us to go beyond gross
generalizations to deliver more insightful and targeted
recommendations.”
21 Steps to Improve Cyber Security of SCADA Networks U.S. Department
January 1, 2007
10
The President’s Critical Infrastructure Protection Board and the
of Energy,
Department of Energy have developed steps to help any
Infrastructure
organization improve the security of its SCADA networks. The
Security and
steps are divided into two categories: specific actions to improve
Energy
implementation, and actions to establish essential underlying
Restoration
management processes and policies.
Note: Highlights compiled by CRS from the reports.
CRS-20
c11173008
.
.
Cybersecurity: Authoritative Reports and Resources, by Topic
CRS Reports and Other CRS Products: Cybercrime and National Security
• CRS Report 97-1025, Cybercrime: An Overview of the Federal Computer Fraud and
Abuse Statute and Related Federal Criminal Laws, by Charles Doyle
• CRS Report 94-166, Extraterritorial Application of American Criminal Law, by Charles
Doyle
• CRS Report R42403, Cybersecurity: Cyber Crime Protection Security Act (S. 2111, 112th
Congress)—A Legal Analysis, by Charles Doyle
• CRS Report 98-326, Privacy: An Overview of Federal Statutes Governing Wiretapping
and Electronic Eavesdropping, by Gina Stevens and Charles Doyle
• CRS Report RL32706, Spyware: Background and Policy Issues for Congress, by Patricia
Moloney Figliola
• CRS Report CRS Report R41975, Illegal Internet Streaming of Copyrighted Content:
Legislation in the 112th Congress, by Brian T. Yeh
• CRS Report R42112, Online Copyright Infringement and Counterfeiting: Legislation in
the 112th Congress, by Brian T. Yeh
• CRS Report R40599, Identity Theft: Trends and Issues, by Kristin Finklea
• CRS Report R41927, The Interplay of Borders, Turf, Cyberspace, and Jurisdiction:
Issues Confronting U.S. Law Enforcement, by Kristin Finklea
• CRS Report RL34651, Protection of Children Online: Federal and State Laws
Addressing Cyberstalking, Cyberharassment, and Cyberbullying, by Alison M. Smith
• CRS Report R42547, Cybercrime: Conceptual Issues for Congress and U.S. Law
Enforcement, by Kristin Finklea and Catherine A. Theohary
• CRS Legal Sidebar, Legal Barriers to an Expanded Role of the Military in Defending
Against Domestic Cyberattacks, Andrew Nolan
• CRS Legal Sidebar, Obstacles to Private Sector Cyber Threat Information Sharing,
Edward C. Liu
• CRS Legal Sidebar, Online Banking Fraud: Liability for Unauthorized Payment from
Business Checking Account, M. Maureen Murphy
Congressional Research Service
21
c11173008
.
.
Table 5. Cybercrime, Data Breaches, and Data Security
Title Source
Date
Pages Notes
ThreatWatch
NextGov
Ongoing
N/A
ThreatWatch is a snapshot of the data breaches hitting
organizations and individuals, globally, on a daily basis. It is not an
authoritative list, since many compromises are never reported or
even discovered. The information is based on accounts published
by outside news organizations and researchers.
ENISA Threat Landscape 2013 – Overview of Current and European Union
December
70
The report is a col ection of top cyber-threats that have been
Emerging Cyber-Threats
Agency for
11, 2013
assessed in the reporting period (i.e., within 2013). ENISA has
Network and
col ected over 250 reports regarding cyber-threats, risks, and
Information
threat agents. ETL 2013 is a comprehensive compilation of the top
Security (ENISA)
15 cyber-threats assessed.
Cyber-enabled Competitive Data Theft: A Framework for
Brookings
December
18
Economic espionage has existed at least since the industrial
Modeling Long-Run Cybersecurity Consequences
Institution
2013
revolution, but the scope of modern cyber-enabled competitive
data theft may be unprecedented. With this paper, Friedman,
Mack-Crane, and Hammond present what they believe is the first
economic framework and model to understand the long-run
impact of competitive data theft on an economy by taking into
account the actual mechanisms and pathways by which theft harms
the victims.
The Economic Impact of Cybercrime and Cyber Espionage Center for
July 22, 2013
20
Losses to the United States (the country where data is most
Strategic and
accessible) may reach $100 billion annually. The cost of
International
cybercrime and cyber espionage to the global economy is some
Studies
multiple of this, likely measured in hundreds of billions of dollars.
Cyber-Crime, Securities Markets, and Systemic Risk
World
July 16, 2013
59
This report explores the nature and extent of cyber-crime in
Federation of
securities markets so far; the potential systemic risk aspects of
Exchanges
this threat; and presents the results of a survey to the world’s
(WFE) and the
exchanges on their experiences with cyber-crime, cyber-security
International
practices and perceptions of the risk.
Organization of
Securities
Commissions
(IOSCO)
CRS-22
c11173008
.
.
Title Source
Date
Pages Notes
Towards Trustworthy Social Media and Crowdsourcing
Wilson Center
May 2013
12
Individuals and organizations interested in using social media and
crowdsourcing currently lack two key sets of information: a
systematic assessment of the vulnerabilities in these technologies
and a comprehensive set of best practices describing how to
address those vulnerabilities. Identifying those vulnerabilities and
developing those best practices are necessary to address a
growing number of cybersecurity incidents ranging from innocent
mistakes to targeted attacks that have claimed lives and cost
millions of dollars.
Remaking American Security: Supply Chain Vulnerabilities
Alliance for
May 2013
355
Because the supply chain is global, it makes sense for U.S. officials
& National Security Risks Across the U.S. Defense
American
to cooperate with other nations to ward off cyberattacks.
Industrial Base
Manufacturing
Increased international cooperation to secure the integrity of the
global IT system is a valuable long-term objective.
HoneyMap - Visualizing Worldwide Attacks in Real-Time,
The Honeynet
October 1,
N/A
The HoneyMap shows a real-time visualization of attacks against
and Honeynet Map
Project
2012
the Honeynet Project’s sensors deployed around the world.
Does Cybercrime Really Cost $1 Trillion?
ProPublica
August 1,
N/A
In a news release to announce its 2009 report, “Unsecured
2012
Economies: Protecting Vital Information,” computer security firm
McAfee estimated a trillion dollar global cost for cybercrime. The
number does not appear in the report itself. McAfee’s trillion-
dol ar estimate is questioned even by the three independent
researchers from Purdue University whom McAfee credits with
analyzing the raw data from which the estimate was derived. An
examination of their origins by ProPublica has found new grounds
to question the data and methods used to generate these
numbers, which McAfee and Symantec say they stand behind.
Information Security: Cyber Threats Facilitate Ability to
GAO June
28,
20
This statement discusses (1) cyber threats facing the nation’s
Commit Economic Espionage
2012
systems, (2) reported cyber incidents and their impacts, (3)
security controls and other techniques available for reducing risk,
and (4) the responsibilities of key federal entities in support of
protecting IP.
Measuring the Cost of Cybercrime
11th Annual
June 25,
N/A
From the report, “For each of the main categories of cybercrime
Workshop on
2012
we set out what is and is not known of the direct costs, indirect
the Economics of
costs and defence costs - both to the UK and to the world as a
Information
whole.”
Security
CRS-23
c11173008
.
.
Title Source
Date
Pages Notes
The Impact of Cybercrime on Businesses
Ponemon
May 2012
21
The study found that targeted attacks on businesses cost
Institute
enterprises an average of $214,000. The expenses are associated
with forensic investigations, investments in technology, and brand
recovery costs.
Proactive Policy Measures by Internet Service Providers
Organisation for
May 7, 2012
25
This report analyzes initiatives in a number of countries through
against Botnets
Economic Co-
which end-users are notified by ISPs when their computer is
operation and
identified as being compromised by malicious software and
Development
encouraged to take action to mitigate the problem.
Developing State Solutions to Business Identity Theft:
National
January 2012
23
This white paper is the result of efforts by the 19-member NASS
Assistance, Prevention and Detection Efforts by Secretary
Association of
Business Identity Theft Task Force to develop policy guidelines
of State Offices
Secretaries of
and recommendations for state leaders dealing with identity fraud
State
cases involving public business records.
Twenty Critical Security Controls for Effective Cyber
SANS October
3,
77
The 20 security measures are intended to focus agencies’ limited
Defense: Consensus Audit Guidelines (CAG)
2011
resources on plugging the most common attack vectors.
Revealed: Operation Shady RAT: an Investigation Of
McAfee August
2,
14
A cyber-espionage operation lasting many years penetrated 72
Targeted Intrusions Into 70+ Global Companies,
2011
government and other organizations, most of them in the United
Governments, and Non-Profit Organizations During the
States, and has copied everything from military secrets to
Last 5 Years
industrial designs, according to technology security company
McAfee. (See page 4 for the types of compromised parties, page 5
for the geographic distribution of victim’s country of origin, pages
7-9 for the types of victims, and pages 10-13 for the number of
intrusions for 2007-2010).
The Role of Internet Service Providers in Botnet
Organisation for
November
31
This working paper considers whether ISPs can be critical control
Mitigation: an Empirical Analysis Bases on Spam Data
Economic Co-
12, 2010
points for botnet mitigation, how the number of infected machines
operation and
varies across ISPs, and why.
Development
Untangling Attribution: Moving to Accountability in
Council on
July 15, 2010
14
Robert K. Knake’s testimony before the House Committee on
Cyberspace [Testimony]
Foreign Relations
Science and Technology on the role of attack attribution in
preventing cyberattacks and how attribution technologies can
affect the anonymity and the privacy of Internet users.
Technology, Policy, Law, and Ethics Regarding U.S.
National
2009
368
This report explores important characteristics of cyberattack. It
Acquisition and Use of Cyberattack Capabilities
Research
describes the current international and domestic legal structure as
Council
it might apply to cyberattack, and considers analogies to other
domains of conflict to develop relevant insights.
Note: Highlights compiled by CRS from the reports.
CRS-24
c11173008
.
.
Table 6. National Security, Cyber Espionage, and Cyberwar
Title Source
Date
Pages
Notes
Cyber-enabled Competitive Data Theft: A Framework for
Brookings
December
18
Economic espionage has existed at least since the industrial
Modeling Long-Run Cybersecurity Consequences
Institution
2013
revolution, but the scope of modern cyber-enabled competitive
data theft may be unprecedented. With this paper, Friedman,
Mack-Crane, and Hammond present what they believe is the first
economic framework and model to understand the long-run
impact of competitive data theft on an economy by taking into
account the actual mechanisms and pathways by which theft
harms the victims.
To Kill a Centrifuge: A Technical Analysis of What
The Langner
November
36
This document summarizes the most comprehensive research on
Stuxnet’s Creators Tried to Achieve
Group
2013
the Stuxnet malware so far: It combines results from reverse
engineering the attack code with intelligence on the design of the
attacked plant and background information on the attacked
uranium enrichment process. It looks at the attack vectors of the
two different payloads contained in the malware and especial y
provides an analysis of the bigger and much more complex
payload that was designed to damage centrifuge rotors by
overpressure. With both attack vectors viewed in context,
conclusions are drawn about the reasoning behind a radical
change of tactics between the complex earlier attack and the
comparatively simple later attack that tried to manipulate
centrifuge rotor speeds.
2013 Annual Report to Congress
U.S.-China
October 20,
465
In 2013, the Commission continued its close examination of
Economic
2013
China’s cyber capabilities. Strong evidence has emerged that the
Commission
Chinese government is directing and executing a large-scale cyber
espionage campaign against the United States, including the U.S.
government and private companies. However, the public
exposure of Chinese cyber espionage in 2013 has apparently not
changed China’s attitude about the use of cyber espionage to
steal intellectual property and proprietary information. (See:
Chapter 2, Section 2: “China’s Cyber Activities.”)
CRS-25
c11173008
.
.
Title Source
Date
Pages
Notes
W32.Duqu: The Precursor to the Next Stuxnet
Symantec
November
N/A
On October 14, 2011, a research lab with strong international
14, 2013
connections alerted Symantec to a sample that appeared to be
very similar to Stuxnet, the malware which wreaked havoc in
Iran’s nuclear centrifuge farms last summer. The lab named the
threat “Duqu” because it creates files with the file name prefix
“DQ”. The research lab provided Symantec with samples
recovered from computer systems located in Europe, as well as a
detailed report with their initial findings, including analysis
comparing the threat to Stuxnet.
Offensive Cyber Capabilities at the Operational Level -
Center for
September
20
The specific question this report examines is whether the
The Way Ahead
Strategic &
16, 2013
Defense Department should make a more deliberate effort to
International
explore the potential of offensive cyber tools at levels below that
Studies (CSIS)
of a combatant command.
Cyber-Warfare: Is the risk of cyber-warfare overrated?
The Economist
August 2,
N/A (Economist Debates adapt the Oxford style of debating to an
2013
online forum. Each side has three chances to persuade readers:
opening, rebuttal and closing). “Separating hype from the urgent
questions is hard. Amid talk of a "digital Pearl Harbour" and
"advanced persistent threats" it is hard to know whether we are
really "losing the war" against the purveyors and users of malware
and digital weapons.”
The Economic Impact of Cybercrime and Cyber Espionage Center for
July 22, 2013
20
Losses to the United States (the country where data is most
Strategic and
accessible) may reach $100 billion annually. The cost of
International
cybercrime and cyber espionage to the global economy is some
Studies
multiple of this likely measured in hundreds of billions of dollars.
Role of Counterterrorism Law in Shaping ‘ad Bellum'
International Law April 1,
42
The prospect of cyber war has evolved from science fiction and
Norms for Cyber Warfare
Studies (U.S.
2013
over-the-top doomsday depictions on television, films, and in
Naval War
novels to reality and front-page news… To date there has been
College)
little attention given to the possibility that international law
generally and counterterrorism law in particular could and should
develop a subset of cyber-counterterrorism law to respond to
the inevitability of cyberattacks by terrorists and the use of cyber
weapons by governments against terrorists, and to supplement
existing international law governing cyber war where the
intrusions do not meet the traditional kinetic thresholds.
CRS-26
c11173008
.
.
Title Source
Date
Pages
Notes
The Tallinn Manual on the International Law Applicable to
Cambridge
March 5,
302
The Tallinn Manual identifies the international law applicable to
Cyber Warfare
University Press/
2013
cyber warfare and sets out 95 ‘black-letter rules’ governing such
NATO
conflicts. An extensive commentary accompanies each rule, which
Cooperative
sets forth each rules’ basis in treaty and customary law, explains
Cyber Defence
how the group of experts interpreted applicable norms in the
Center of
cyber context, and outlines any disagreements within the group
Excel ence
as to each rules’ application. (Note: The manual is not an official
NATO publication, but an expression of opinions of a group of
independent experts acting solely in their personal capacity.)
Cyberterrorism: A Survey of Researcherso
Swansea
March 2013
21
This report provides an overview of findings from a project
University
designed to capture current understandings of cyberterrorism
within the research community. The project ran between June
and November 2012, and employed a questionnaire which was
distributed to over 600 researchers, authors and other experts.
Potential respondents were identified using a combination of
methods, including targeted literature reviews, standing within
relevant academic communities, snowballing from earlier
participants or contacts, and the use of two mailing lists. 118
responses were received in total, from individuals working in 24
countries across six continents. Please contact the research team
with any enquiries on the project’s methods and findings (see p.
21 for contact details).
APT1: Exposing One of China’s Cyber Espionage Units
Mandiant
February 19,
76
The details analyzed during hundreds of investigations signal that
2013
the groups conducting these activities (computer security
breaches around the world) are based primarily in China and that
the Chinese government is aware of them.
Video demo of Chinese hacker activity
Mandiant February
19,
N/A
Video of APT1 attacker sessions and intrusion activities (5-minute
(click on “APT1 Video” at top right of screen)
2013
video).
Crisis and Escalation in Cyberspace
RAND Corp.
December
200
The report considers how the Air Force should integrate kinetic
2012
and nonkinetic operations. Central to this process was careful
consideration of how escalation options and risks should be
treated, which, in turn, demanded a broader consideration across
the entire crisis-management spectrum. Such crises can be
managed by taking steps to reduce the incentives for other states
to step into crisis, by controlling the narrative, understanding the
stability parameters of the crises, and trying to manage escalation
if conflicts arise from crises.
CRS-27
c11173008
.
.
Title Source
Date
Pages
Notes
Cyberattacks Among Rivals: 2001-2011 (from the article,
Foreign Affairs
November
N/A
A chart showing cyberattacks by initiator and victim, 2001-2011.
“The Fog of Cyberwar” by Brandon Variano and Ryan
21, 2012
Maness (subscription required)
Emerging Cyber Threats Report 2013
Georgia Institute
November
9
The year ahead will feature new and increasingly sophisticated
of Technology
14, 2012
means to capture and exploit user data, escalating battles over
the control of online information and continuous threats to the
U.S. supply chain from global sources. (From the annual Georgia
Tech Cyber Security Summit 2012).
Proactive Defense for Evolving Cyber Threats
Sandia National
November
98
The project applied rigorous predictability-based analytics to two
Labs
2012
central and complementary aspects of the network defense
problem—attack strategies of the adversaries and vulnerabilities
of the defenders’ systems—and used the results to develop a
scientifically-grounded, practically-implementable methodology for
designing proactive cyber defense systems.
Safeguarding Cyber-Security, Fighting in Cyberspace
International
October 22,
N/A
Looks at the militarization of cyber security as a source of global
Relations and
2012
tension, and makes the case that cyber-warfare is already an
Security
essential feature of many leading states’ strategic calculations,
Network (ISN)
followed by its opposite—i.e., one that believes the threat posed
by cyber-warfare capabilities is woefully overstated.
Before We Knew It: An Empirical Study of Zero-Day
Symantec
October 16,
12
The paper describes a method for automatical y identifying zero-
Attacks In The Real World
Research Labs
2012
day attacks from field-gathered data that records when benign
and malicious binaries are downloaded on 11 million real hosts
around the world. Searching this data set for malicious files that
exploit known vulnerabilities indicates which files appeared on the
Internet before the corresponding vulnerabilities were disclosed.
Investigative Report on the U.S. National Security Issues
House
October 8,
60
The committee initiated this investigation in November 2011 to
Posed by Chinese Telecommunications Companies
Permanent Select 2012
inquire into the counterintelligence and security threat posed by
Huawei and ZTE
Committee on
Chinese telecommunications companies doing business in the
Intelligence
United States.
Federal Support for and Involvement in State and Local
U.S. Senate
October 3,
141
A two-year bipartisan investigation found that U.S. Department of
Fusion Centers
Permanent
2012
Homeland Security efforts to engage state and local intelligence
Subcommittee on
“fusion centers” has not yielded significant useful information to
Investigations
support federal counterterrorism intelligence efforts. In Section
VI, “Fusion Centers Have Been Unable to Meaningfully
Contribute to Federal Counterterrorism Efforts,” Part G, “Fusion
Centers May Have Hindered, Not Aided, Federal
Counterterrorism Efforts,” the report discusses the Russian
“Cyberattack” in Illinois.
CRS-28
c11173008
.
.
Title Source
Date
Pages
Notes
Putting the “war” in cyberwar: Metaphor, analogy, and
First Monday
July 2, 2012
N/A
This essay argues that current contradictory tendencies are
cybersecurity discourse in the United States
unproductive and even potential y dangerous. It argues that the
war metaphor and nuclear deterrence analogy are neither natural
nor inevitable and that abandoning them would open up new
possibilities for thinking more productively about the full
spectrum of cyber security challenges, including the as-yet
unrealized possibility of cyber war.
Nodes and Codes: The Reality of Cyber Warfare
U.S. Army School May 17,
62
Explores the reality of cyber warfare through the story of
of Advanced
2012
Stuxnet. Three case studies evaluate cyber policy, discourse, and
Military Studies,
procurement in the United States, Russia, and China before and
Command and
after Stuxnet to illustrate their similar, yet unique, realities of
General Staff
cyber warfare.
A Cyberworm that Knows No Boundaries
RAND
December
55
Stuxnet-like worms pose a serious threat even to infrastructure
21, 2011
and computer systems that are not connected to the Internet.
However, defending against such attacks is an increasingly
complex prospect.
Department of Defense Cyberspace Policy Report: A
DOD November
14
From the report: “When warranted, we will respond to hostile
Report to Congress Pursuant to the National Defense
2011
attacks in cyberspace as we would to any other threat to our
Authorization Act for Fiscal Year 2011, Section 934
country. We reserve the right to use all necessary means -
diplomatic, informational, military and economic - to defend our
nation, our allies, our partners and our interests.”
Cyber War Will Not Take Place
Journal of
October 5,
29
The paper argues that cyber warfare has never taken place, is not
Strategic Studies
2011
currently taking place, and is unlikely to take place in the future.
USCYBERCOM and Cyber Security: Is a Comprehensive
Army War
May 12,
32
Examine five aspects of USCYBERCOM: organization, command
Strategy Possible?
College
2011
and control, computer network operations (CNO),
synchronization, and resourcing. Identify areas that currently
present significant risk to USCYBERCOM’s ability to create a
strategy that can achieve success in its cyberspace operations.
Recommend potential solutions that can increase the
effectiveness of the USCYBERCOM strategy.
A Four-Day Dive Into Stuxnet’s Heart
Threat Level Blog December
N/A
From the article, “It is a mark of the extreme oddity of the
(Wired)
27, 2010
Stuxnet computer worm that Microsoft’s Windows vulnerability
team learned of it first from an obscure Belarusian security
company that even they had never heard of.”
CRS-29
c11173008
.
.
Title Source
Date
Pages
Notes
Did Stuxnet Take Out 1,000 Centrifuges at the Natanz
Institute for
December
10
This report indicates that commands in the Stuxnet code
Enrichment Plant? Preliminary Assessment
Science and
22, 2010
intended to increase the frequency of devices targeted by the
International
malware exactly match several frequencies at which rotors in
Security
centrifuges at Iran’s Natanz enrichment plant are designed to
operate optimally or are at risk of breaking down and flying apart.
Stuxnet Analysis
European
October 7,
N/A
EU cybersecurity agency warns that the Stuxnet malware is a
Network and
2010
game changer for critical information infrastructure protection;
Information
PLC control ers of SCADA systems infected with the worm
Security Agency
might be programmed to establish destructive over/under
pressure conditions by running pumps at different frequencies.
Proceedings of a Workshop on Deterring Cyberattacks:
National
October 5,
400
Per request of the Office of the Director of National Intelligence,
Informing Strategies and Developing Options for U.S.
Research Council 2010
the National Research Council undertook a two-phase project
Policy
aimed to foster a broad, multidisciplinary examination of
strategies for deterring cyberattacks on the United States and of
the possible utility of these strategies for the U.S. government.
Notes: Highlights compiled by CRS from the reports.
CRS-30
c11173008
.
.
Table 7. International Efforts
Title Source
Date
Pages
Notes
The Cyber Hub
Booz Allen Hamilton and
Ongoing
N/A
The Cyber Hub's content was built on several integral
the Economist Intelligence
parts: an index that assesses specific aspects of the cyber
Unit
environment of the G20 countries, and a series of
research papers that examine the implications for the
business community.
Cybersecurity Legislation
International
Ongoing
N/A
An integral and challenging component of any national
Telecommunications Union
Cybersecurity strategy is the adoption of regionally and
internationally harmonized, appropriate legislation against
the misuse of ICTs for criminal or other purposes.
Cyber Security Strategy: Progress So Far
UK Cabinet Office
Ongoing
N/A
From the report, “To support the Strategy we put in
place a National Cyber Security Programme (NCSP)
backed by £650 million of funding to 2015. This year we
increased that investment with a further £210 million in
2015 to 2016. This funding will build on existing projects
and also support new investment, enabling the UK to
retain its emerging reputation as a leader in the field of
cyber security.”
World Federation of Exchanges (WFE) Launches
World Federation of
December 12, 2013
N/A
The WFE announced the launch of the exchange
Global Cyber Security Committee
Exchanges
industry’s first cyber security committee with a mission
to aid in the protection of the global capital markets. The
working group will bring together representation from a
number of exchanges and clearinghouses across the
globe, to collaborate on best practices in global security.
2013 Annual Report to Congress
U.S.-China Economic
October 20, 2013
465
In 2013, the Commission continued its close examination
Commission
of China’s cyber capabilities. Strong evidence has
emerged that the Chinese government is directing and
executing a large-scale cyber espionage campaign against
the United States, including the U.S. government and
private companies. However, the public exposure of
Chinese cyber espionage in 2013 has apparently not
changed China’s attitude about the use of cyber
espionage to steal intellectual property and proprietary
information. (See: Chapter 2, Section 2: “China’s Cyber
Activities.”)
CRS-31
c11173008
.
.
Title Source
Date
Pages
Notes
Directive of the European Parliament and of the
European Parliament Civil
August 12, 2013
7
The objectives of the Directive are to approximate the
Council on Attacks Against Information Systems
Liberties Committee
criminal law of the Member States in the area of attacks
against information systems by establishing minimum
rules concerning the definition of criminal offences and
the relevant sanctions and to improve cooperation
between competent authorities, including the police and
other specialized law enforcement services of the
Member States, as well as the competent specialized
Union agencies and bodies, such as Eurojust, Europol and
its European Cyber Crime Centre, and the European
Network and Information Security Agency (ENISA).
Confidence Building Measures and International
ICT 4 Peace Foundation
June 21, 2013
21
Confidence building measures can serve to lay the
Cybersecurity
foundation for agreeing on acceptable norms of behavior
for states as well as confidence and trust building
measures to avoid miscalculation and escalation. The
report is divided into four main sections: (1)
Transparency, Compliance, and Verification Measures;
(2) Cooperative Measures; (3) Collaboration and
Communication Mechanisms; and (4) Stability and
Restraint Measures. A final section discusses next steps
for diplomatic CBM processes.
FACT SHEET: U.S.-Russian Cooperation on
White House
June 17, 2013
N/A
The United States and the Russian Federation are
Information and Communications Technology
creating a new working group, under the auspices of the
Security
Bilateral Presidential Commission, dedicated to assessing
emerging ICT threats and proposing concrete joint
measures to address them. This group will begin its
practical activities within the next month.
Telecommunications Networks: Addressing
Government Accountability
May 21, 2013
52
The federal government has begun efforts to address the
Potential Security Risks of Foreign-Manufactured
Office
security of the supply chain for commercial networks...
Equipment
There are a variety of other approaches for addressing
the potential risks posed by foreign-manufactured
equipment in commercial communications networks,
including those approaches taken by foreign
governments... While these approaches are intended to
improve supply chain security of communications
networks, they may also create the potential for trade
barriers, additional costs, and constraints on
competition, which the federal government would have
to take into account if it chose to pursue such
approaches.
CRS-32
c11173008
.
.
Title Source
Date
Pages
Notes
The Global Cyber Game: Achieving Strategic
Defence Academy of the
May 8, 2013
127
Provides a systematic way of thinking about cyberpower
Resilience in the Global Knowledge Society
United Kingdom
and its use by a range of global players. The global
cyberpower contest is framed as a Global Cyber Game,
played out on a ‘Cyber Gameboard'—a framework that
can be used for strategic and tactical thinking about
cyber strategy.
Military and Security Developments Involving the
Department of Defense
May 6, 2013
92
China is using its computer network exploitation
People’s Republic of China 2013 (Annual Report
capability to support intelligence collection against the
to Congress)
U.S. diplomatic, economic, and defense industrial base
sectors that support U.S. national defense programs. The
information targeted could potential y be used to benefit
China’s defense industry, high-technology industries,
policy maker interest in U.S. leadership thinking on key
China issues, and military planners building a picture of
U.S. network defense networks, logistics, and related
military capabilities that could be exploited during a
crisis.
Defence White Paper 2013
Australia Department of
May 3, 2013
148
The Australian Cyber Security Centre will bring together
Defence
security capabilities from the Defence Signals
Directorate, Defence Intelligence Organisation,
Australian Security Intelligence Organisation (ASIO), the
Attorney-General’s Department’s Computer Emergency
Response Team (CERT) Australia, Australian Federal
Police (AFP) and the Australian Crime Commission
(ACC).
Remaking American Security: Supply Chain
Alliance for American
May 2013
355
Because the supply chain is global, it makes sense for U.S.
Vulnerabilities & National Security Risks Across
Manufacturing
officials to cooperate with other nations to ward off
the U.S. Defense Industrial Base
cyberattacks. Increased international cooperation to
secure the integrity of the global IT system is a valuable
long-term objective.
Cyber Security Information Partnership (CISP)
Cabinet Office, United
March 27, 2013
N/A
CISP introduces a secure virtual ‘collaboration
Kingdom
environment’ where government and industry partners
can exchange information on threats and vulnerabilities
in real time. CISP wil be complemented by a ‘Fusion
Cell,’ which will be supported on the government side by
the Security Service, GCHQ and the National Crime
Agency, and by industry analysts from a variety of
sectors.
CRS-33
c11173008
.
.
Title Source
Date
Pages
Notes
The Tallinn Manual on the International Law
Cambridge University Press/ March 5, 2013
302
The Tal inn Manual identifies the international law
Applicable to Cyber Warfare
NATO Cooperative Cyber
applicable to cyber warfare and sets out 95 ‘black-letter
Defence Center of
rules’ governing such conflicts. An extensive commentary
Excel ence
accompanies each rule, which sets forth each rules’ basis
in treaty and customary law, explains how the group of
experts interpreted applicable norms in the cyber
context, and outlines any disagreements within the group
as to each rules’ application. (Note: The manual is not an
official NATO publication, but an expression of opinions
of a group of independent experts acting solely in their
personal capacity.)
APT1: Exposing One of China’s Cyber Espionage
Mandiant
February 19, 2013
76
The details analyzed during hundreds of investigations
Units
signal that the groups conducting these activities
(computer security breaches around the world) are
based primarily in China and that the Chinese
government is aware of them.
Worldwide Threat Assessment of the U.S.
James Clapper, Director of
February 11, 2013
34
Clapper provided an assessment of global threats: U.S.
Intelligence Community (Testimony)
National Intelligence
critical infrastructure, eroding U.S. economic and
national security, information control and Internet
governance, and hactivists and criminals.
Linking Cybersecurity Policy and Performance
Microsoft Trustworthy
February 6, 2013
27
Introduces a new methodology for examining how socio-
Computing
economic factors in a country or region impact
cybersecurity performance. Examines measures such as
use of modern technology, mature processes, user
education, law enforcement and public policies related to
cyberspace. This methodology can build a model that will
help predict the expected cybersecurity performance of
a given country or region.
CRS-34
c11173008
.
.
Title Source
Date
Pages
Notes
Administration Strategy for Mitigating the Theft of White House
February 2013
141
From the report, “First, we will increase our diplomatic
U.S. Trade Secrets
engagement.... Second, we will support industry-led
efforts to develop best practices to protect trade secrets
and encourage companies to share with each other best
practices that can mitigate the risk of trade secret theft....
Third, DOJ will continue to make the investigation and
prosecution of trade secret theft by foreign competitors
and foreign governments a top priority.. . Fourth,
President Obama recently signed two pieces of
legislation that will improve enforcement against trade
secret theft.... Lastly, we will increase public awareness of
the threats and risks to the U.S. economy posed by trade
secret theft.”
The Chinese Defense Economy Takes Off:
UC Institute on Global
January 25, 2013
87
This collection of 15 policy briefs explores how China
Sector-by-Sector Assessments and the Role of
Conflict and Cooperation
has made such impressive military technological progress
Military End-Users
over the past few years, what is in store, and what are
the international security implications. The briefs are
summaries of a series of longer research papers
presented at the third annual Chinese defense economy
conference held by the Study of Innovation and
Technology in China in July 2012.
Defence and Cyber-Security, vol. 1 - Report,
House of Commons
December 18, 2012
99
Given the inevitable inadequacy of the measures available
together with formal minutes, oral and written
Defence Committee (UK)
(vol.
to protect against a constantly changing and evolving
evidence
1)
threat, and given the Minister for the Cabinet Office’s
Defence and Cyber-Security, vol. 2 - Additional
37
comment, it is not enough for the Armed Forces to do
Written Evidence
(vol.
their best to prevent an effective attack. In its response
to this report the Government should set out details of
2)
the contingency plans it has in place should such an
attack occur. If it has none, it should say so—and
urgently create some.
CRS-35
c11173008
.
.
Title Source
Date
Pages
Notes
The Challenge of Cyber Power for Central
Naval Postgraduate School
December 2012
209
From the report,“The Central African militaries, which
African Countries: Risks and Opportunities
are supposed to be the first line of defense for their
governments' institutions, are dramatically behind the
times. To address this situation, the governments of
Central Africa need to adopt a col aborative cyber
strategy based on common investment in secure cyber
infrastructures. Such cooperation will help to create a
strong cyber environment conducive of the confidence
and trust necessary for the emergence of a cyber
community of Central African States (C3AS). For Central
African militaries, massive training and recruiting will be
the first move to begin the process of catching up.”
Cybersecurity: Managing Risks for Greater
Organization for Economic
November 29, 2012
N/A
The OECD launched a broad consultation of al
Opportunities
Co-operation and
stakeholders from member and non-member countries
Development
to review its Security Guidelines. The review takes into
account newly emerging risks, technologies and policy
trends around such areas as cloud computing, digital
mobility, the Internet of things, social networking, etc.
Cybersecurity Policy Making at a Turning Point:
Organization for Economic
November 16, 2012
117
This report analyzes the latest generation of national
Analysing a New Generation of National
Co-operation and
cybersecurity strategies in ten OECD countries and
Cybersecurity Strategies for the Internet
Development
identifies commonalities and differences.
Economy
2012 Report to Congress of the U.S.-China
U.S.-China Economic and
November 2012
509
This report responds to the mandate for the
Economic and Security Review Commission, One
Security Review
Commission “to monitor, investigate, and report to
Hundred Twelfth Congress, Second Session,
Commission
Congress on the national security implications of the
November 2012
bilateral trade and economic relationship between the
United States and the People’s Republic of China.” See
“China's Cyber Activities," Chapter 2, Section 2, pp. 147-
169.
CRS-36
c11173008
.
.
Title Source
Date
Pages
Notes
Australia: Telecommunications Data Retention—
Parliamentary Library of
October 24, 2012
32
In July 2012, the Commonwealth Attorney-General’s
an Overview
Australia
Department released a Discussion Paper, Equipping
Australia against emerging and evolving threats, on the
proposed national security reforms.... Of the 18 primary
proposals and the 41 individual reforms that they
comprise, the suggestion that carriage service providers
(CSPs) be required to routinely retain certain
information associated with every Australian’s use of the
Internet and phone services for a period of up to two
years (‘data retention’) is the issue that seems to have
attracted the most attention.
More Than Meets the Eye: Clandestine Funding,
Lawrence Livermore
October 17, 2012
17
Analyzes how the Chinese leadership views information
Cutting-Edge Technology and China’s Cyber
National Laboratory
technology research and development (R&D), as well as
Research & Development Program
the role cyber R&D plays in China’s various strategic
development plans. Explores the organizational structure
of China’s cyber R&D base. Concludes with a projection
of how China might field new cyber capabilities for
intelligence platforms, advanced weapons systems, and
systems designed to support asymmetric warfare
operations.
Investigative Report on the U.S. National Security
House Permanent Select
October 8, 2012
60
The committee initiated this investigation in November
Issues Posed by Chinese Telecommunications
Committee on Intelligence
2011 to inquire into the counterintelligence and security
Companies Huawei and ZTE
threat posed by Chinese telecommunications companies
doing business in the United States.
Bilateral Discussions on Cooperation in
China Institute of
June 2012
N/A
Since 2009, CSIS and CICIR have held six formal
Cybersecurity
Contemporary International
meetings on cybersecurity (accompanied by several
Relations and the Center for
informal discussions), called “Sino-U.S. Cybersecurity
Strategic and International
Dialogue.” The meetings have been attended by a broad
Studies (CSIS)
range of U.S. and Chinese officials and scholars
responsible for cybersecurity issues. The goals of the
discussions have been to reduce misperceptions and to
increase transparency of both countries’ authorities and
understanding on how each country approaches
cybersecurity, and to identify areas of potential
cooperation.
CRS-37
c11173008
.
.
Title Source
Date
Pages
Notes
Five Years after Estonia’s Cyber Attacks: Lessons
NATO
May 2012
8
In April 2007 a series of cyberattacks targeted Estonian
Learned for NATO?
information systems and telecommunication networks.
Lasting 22 days, the attacks were directed at a range of
servers (web, e-mail, DNS) and routers. The 2007
attacks did not damage much of the Estonian information
technology infrastructure. However, the attacks were a
true wake-up call for NATO, offering a practical
demonstration that cyberattacks could now cripple an
entire nation dependent on IT networks.
Cyber-security: The Vexed Question of Global
McAfee
February 1, 2012
108
Forty-five percent of legislators and cybersecurity
Rules: An Independent Report on Cyber-
experts representing 27 countries think cybersecurity is
Preparedness Around the World
just as important as border security. The authors
surveyed 80 professionals from business, academia and
government to gauge worldwide opinions of
cybersecurity.
The UK Cyber Security Strategy: Protecting and
Cabinet Office (United
November 2011
43
Chapter 1 describes the background to the growth of
promoting the UK in a digital world
Kingdom)
the networked world and the immense social and
economic benefits it is unlocking. Chapter 2 describes
these threats. The impacts are already being felt and will
grow as our reliance on cyberspace grows. Chapter 3
sets out where we want to end up—with the
government’s vision for UK cyber security in 2015.
Foreign Spies Stealing US Economic Secrets in
Office of the National
October 2011
31
According to the report, espionage and theft through
Cyberspace
Counterintelligence
cyberspace are growing threats to the United States’
Executive
security and economic prosperity, and the world’s most
persistent perpetrators happen to also be U.S. allies.
International Strategy for Cyberspace
White House/OMB
May 16, 2011
30
The strategy marks the first time any administration has
attempted to set forth in one document the U.S.
government’s vision for cyberspace, including goals for
defense, diplomacy, and international development.
Cyber Dawn: Libya
Cyber Security Forum
May 9, 2011
70
Project Cyber Dawn: Libya uses open source material to
Initiative
provide an in-depth view of Libyan cyberwarfare
capabilities and defenses.
CRS-38
c11173008
.
.
Title Source
Date
Pages
Notes
Working Towards Rules for Governing Cyber
EastWest Institute
February 3, 2011
60
[The authors] led the cyber and traditional security
Conflict: Rendering the Geneva and Hague
experts through a point-by-point analysis of the Geneva
Conventions in Cyberspace
and Hague Conventions. Ultimately, the group made five
immediate recommendations for Russian and U.S.-led
joint assessments, each exploring how to apply a key
convention principle to cyberspace.
The Reliability of Global Undersea
IEEE/EastWest Institute
May 26, 2010
186
This study submits 12 major recommendations to the
Communications Cable Infrastructure (The
private sector, governments and other stakeholders—
Rogucci Report)
especially the financial sector—for the purpose of
improving the reliability, robustness, resilience, and
security of the world’s undersea communications cable
infrastructure.
German Anti-Botnet Initiative
Organisation for Economic
December 8, 2009
4
This is a private industry initiative which aims to ensure
Co-operation and
that customers whose personal computers have become
Development (OECD)
part of a botnet without them being aware of it are
informed by their Internet Service Providers about this
situation and at the same time are given competent
support in removing the malware.
Note: Highlights compiled by CRS from the reports.
CRS-39
c11173008
.
.
Table 8. Education/Training/Workforce
Title Source
Date
Pages
Notes
NCCoE National Cybersecurity Excel ence
NIST National
Ongoing
N/A
Established in 2012 through a partnership between NIST,
Partnerships
Cybersecurity Center of
the State of Maryland, and Montgomery County, the
Excel ence
NCCoE is dedicated to furthering innovation through the
rapid identification, integration, and adoption of practical
cybersecurity solutions. The NCCoE is part of the NIST
Information Technology Laboratory and operates in close
col aboration with the Computer Security Division.
National Initiative for Cybersecurity Careers and
Department of Homeland
Ongoing
N/A
NICCS is an online resource for cybersecurity career,
Studies (NICCS)
Security
education, and training information. It is a partnership
between DHS, the National Institute of Standards and
Technology, the Office of the Director of National
Intelligence, the Department of Defense, the Department
of Education, the National Science Foundation, and the
Office of Personnel Management.
Experimental Research Testbed (DETER)
Department of Homeland
Ongoing
N/A
The DETER testbed is used to test and evaluate
Security
cybersecurity technologies by over 200 organizations
from more than 20 states and 17 countries, including
DHS-funded researchers, the larger cybersecurity
research community, government, industry, academia,
and educational users.
Michigan Cyber Range
Partnership between the
Ongoing
N/A
Enables individuals and organizations to develop
state of Michigan, Merit
detection and reaction skills through simulations and
Network, federal and local
exercises.
governments, colleges and
universities, and the private
sector
Information Assurance Scholarship Program
Department of Defense
Ongoing
N/A
The Information Assurance Scholarship Program is
designed to increase the number of qualified personnel
entering the information assurance and information
technology fields within the department. The scholarships
also are an attempt to effectively retain military and
civilian cybersecurity and IT personnel.
CRS-40
c11173008
.
.
Title Source
Date
Pages
Notes
National Centers of Academic Excellence (CAE)
National Security Agency
Ongoing
N/A
The NSA has launched National Centers of Academic
in Cyber Operations Program
(NSA)
Excellence (CAE) in Cyber Operations Program; the
program is intended to be a deeply technical, inter-
disciplinary, higher education program grounded in the
computer science (CS), computer engineering (CE), or
electrical engineering (EE) disciplines, with extensive
opportunities for hands-on applications via labs and
exercises.
DHS Is Generally Filling Mission-Critical Positions, GAO
September 17, 2013
47
More than one in five jobs at a key cybersecurity
but Could Better Track Costs of Coordinated
component within the Homeland Security Department
Recruiting Efforts
are vacant, in large part due to steep competition in
recruiting and hiring qualified personnel. National
Protection and Programs Directorate (NPPD) officials
cited challenges in recruiting cyber professionals because
of the length of time taken to conduct security checks to
grant top-secret security clearances as well as low pay in
comparison with the private sector.
Professionalizing the Nation’s Cybersecurity
National Academies Press
September 16, 2013
66
This report examines workforce requirements for
Workforce?: Criteria for Decision-Making
cybersecurity and the segments and job functions in
which professionalization is most needed; the role of
assessment tools, certification, licensing, and other means
for assessing and enhancing professionalization; and
emerging approaches, such as performance-based
measures. It also examines requirements for the federal
(military and civilian) workforce, the private sector, and
state and local government.
Joint Professional Military Education Institutions in Francesca Spidalieri (Pell
August 7, 20123
18
The report found that the Joint Professional Military
an Age of Cyber Threat
Center Fellow)
Education at the six U.S. military graduate schools—a
requirement for becoming a Joint Staff Officer and for
promotion to the senior ranks—has not effectively
incorporated cybersecurity into specific courses,
conferences, war gaming exercises, or other forms of
training for military officers. While these graduate
programs are more advanced on cybersecurity than most
American civilian universities, a preparation gap still
exists.
CRS-41
c11173008
.
.
Title Source
Date
Pages
Notes
Special Cybersecurity Workforce Project (Memo
Office of Personnel
July 8, 2013
N/A
The OPM is collaborating with the White House Office
for Heads of Executive Departments and
Management (OPM)
of Science and Technology Policy, the Chief Human
Agencies)
Capital Officers Council (CHCOC), and the Chief
Information Officers Council (CIOC) in implementing a
special workforce project that tasks federal agencies’
cybersecurity, information technology, and human
resources communities to build a statistical data set of
existing and future cybersecurity positions in the OPM
Enterprise Human Resources Integration (EHRI) data
warehouse by the end of FY2014.
U.S.A. Cyber Warrior Scholarship Program
(ISC)2 Foundation and Booz
June 21, 2013
The (ISC)2 Foundation and Booz Allen Hamilton
Allen Hamilton
announced the launch of the U.S.A. Cyber Warrior
Scholarship program, which will provide scholarships to
veterans to obtain specialized certifications in the
cybersecurity field. The scholarships will cover all of the
expenses associated with a certification, such as training,
textbooks, mobile study materials, certification testing,
and the first year of certification maintenance fees.
Global Information Security Workforce Study
(ISC)2 and Frost & Sullivan
May 7, 2013
28
Federal cyber workers earn an average salary of
$106,430, less than the average private-sector salary of
$111,376. The lag in federal salaries is likely due to
federal budget restraints and nearly three years of a
continuing resolution.
Proposed Establishment of a Federal y Funded
NIST
April 22, 2013
2
To help the National Cybersecurity Center of Excel ence
Research and Development Center-First Notice
(NCCoE) address industry’s needs most efficiently, NIST
will sponsor its first Federally Funded Research and
Development Center (FFRDC) to facilitate public-private
col aboration for accelerating the widespread adoption of
integrated cybersecurity tools and technologies.
DHS Secretary’s Honors Program: Cyber Student Department of Homeland
April 18, 2013
2
The Cyber Student Initiative program will begin at
Initiative
Security
Immigration and Customs Enforcement computer
forensic labs in 36 cities nationwide, where students will
be trained and gain hands-on experience within the
department’s cybersecurity community. The unpaid
volunteer program is only available to community college
students and veterans pursuing a degree in the
cybersecurity field.
CRS-42
c11173008
.
.
Title Source
Date
Pages
Notes
2012 Information Technology Workforce
U.S. Department of
March 14, 2013
131
The report, which is based on an anonymous survey of
Assessment for Cybersecurity
Homeland Security
nearly 23,000 cyber workers across 52 departments and
agencies, found that while the majority (49%) of cyber
feds has more than 10 years of service until they reach
retirement eligibility, nearly 33% will be eligible to retire
in the next three years.
CyberSkills Task Force Report
U.S. Department of
October 2012
41
DHS’s Task Force on CyberSkills proposes far-reaching
Homeland Security
improvements to enable DHS to recruit and retain the
cybersecurity talent it needs.
Cyber Security Test Bed: Summary and Evaluation Institute for Homeland
October 2012
89
The Cyber Test Bed project was a case study analysis of
Results
Security Solutions
how a set of interventions, including threat analysis, best
practices sharing, and executive and staff training events,
over the course of one year, would impact a group of
nine small and mid-size businesses in North Carolina.
Pre- and post-Test Bed interviews were conducted with
company officials to establish a baseline and evaluate the
impact of the Test Bed experience. After the Cyber Test
Bed experience, decision makers at these companies
indicated an increase in their perceptions of the risk of
cyberattacks and an increase in their knowledge of
possible solution.
Preparing the Pipeline: The U.S. Cyber
National Defense University
August 2012
17
This paper addresses methods to close the gaps between
Workforce for the Future
demand and the current existing capabilities and capacity
in the U.S. cyber workforce. A large number of
professionals with not only technical skills, but also an
understanding of cyber policy, law, and other disciplines
will be needed to ensure the continued success of the
U.S. economy, government, and society in the 21st-
century information age. Innovative methods have been
developed by the government, think tanks, and private
sector for closing these gaps, but more needs to be done.
Smart Grid Cybersecurity: Job Performance
Pacific Northwest National
August 2012
178
This report outlines the work done to develop a smart
Model Report
Laboratory
grid cybersecurity certification. The primary purpose is to
develop a measurement model that may be used to guide
curriculum, assessments, and other development of
technical and operational smart grid cybersecurity
knowledge, skills, and abilities.
CRS-43
c11173008
.
.
Title Source
Date
Pages
Notes
Cybersecurity Human Capital: Initiatives Need
Government Accountability
November 29, 2011
86
To ensure that government-wide cybersecurity
Better Planning and Coordination
Office (GAO)
workforce initiatives are better coordinated and planned,
and to better assist federal agencies in defining roles,
responsibilities, skills, and competencies for their
workforce, the Secretary of Commerce, Director of the
Office of Management and Budget, Director of the Office
of Personnel Management, and Secretary of Homeland
Security should col aborate through the National
Initiative for Cybersecurity Education (NICE) Iinitiative to
develop and finalize detailed plans allowing agency
accountability, measurement of progress, and
determination of resources to accomplish agreed-upon
activities.
NICE Cybersecurity Workforce Framework
National Initiative for
November 21, 2011
35
The adoption of cloud computing into the federal
Cybersecurity Education
government and its implementation depend upon a
(NICE)
variety of technical and non-technical factors. A
fundamental reference point, based on the NIST
definition of cloud computing, is needed to describe an
overall framework that can be used government-wide.
This document presents the NIST Cloud Computing
Reference Architecture (RA) and Taxonomy (Tax) that
will accurately communicate the components and
offerings of cloud computing.
The State of K-12 Cyberethics, Cybersafety and
National Cyber Security
May 2011
16
This year’s survey further explores the perceptions and
Cybersecurity Curriculum in the United States
Alliance and Microsoft
practices of U.S. teachers, school administrators and
technology coordinators in regards to cyberethics,
cybersafety, and cybersecurity education. The survey
finds that young people still are not receiving adequate
training and that teachers are ill-prepared to teach the
subjects due, in large part, to lack of professional
development.
CRS-44
c11173008
.
.
Title Source
Date
Pages
Notes
Cyber Operations Personnel Report
Department of Defense
April 2011
84
This report is focused on FY09 Department of Defense
Cyber Operations personnel, with duties and
responsibilities as defined in Section 934 of the Fiscal
Year (FY) 2010 National Defense Authorization Act
(NDAA).
Appendix A—Cyber Operations-related Military
Occupations
Appendix B—Commercial Certifications Supporting the
DoD Information Assurance Workforce Improvement
Program
Appendix C—Military Services Training and
Development
Appendix D—Geographic Location of National Centers
of Academic Excellence in Information Assurance
The Power of People: Building an Integrated
Project on National Security
November 2010
326
This study was conducted in fulfillment of Section 1054 of
National Security Professional System for the 21st
Reform (PNSR)
the National Defense Authorization Act for Fiscal Year 2010,
Century
which required the commissioning of a study by “an
appropriate independent, nonprofit organization, of a
system for career development and management of
interagency national security professionals.”
Note: Highlights compiled by CRS from the reports.
CRS-45
c11173008
.
.
Cybersecurity: Authoritative Reports and Resources, by Topic
Selected Reports, by Federal Agency
This section contains selected cybersecurity reports from U.S. government agencies, including the White
House, the Office of Management and Budget (OMB), the Government Accountability Office (GAO), the
Department of Defense (DOD), the National Institute of Standards and Technology (NIST), and others.
Congressional Research Service
46
c11173008
.
.
Table 9. Government Accountability Office (GAO)
Title Date
Pages Notes
GPS Disruptions: Efforts to Assess Risks to Critical
November 6, 2013
58
GAO was asked to review the effects of GPS disruptions on the nation’s
Infrastructure and Coordinate Agency Actions Should Be
critical infrastructure. GAO examined (1) the extent to which DHS has
Enhanced
assessed the risks and potential effects of GPS disruptions on critical
infrastructure, (2) the extent to which DOT [Department of Transportation]
and DHS have developed backup strategies to mitigate GPS disruptions, and
(3) what strategies, if any, selected critical infrastructure sectors employ to
mitigate GPS disruptions and any remaining challenges.
DHS Is Generally Filling Mission-Critical Positions, but
September 17, 2013
47
One in five jobs at a key cybersecurity component within DHS is vacant, in
Could Better Track Costs of Coordinated Recruiting
large part due to steep competition in recruiting and hiring qualified personnel.
Efforts
National Protection and Programs Directorate (NPPD) officials cited
chal enges in recruiting cyber professionals because of the length of time taken
to conduct security checks to grant top-secret security clearances as well as
low pay in comparison with the private sector.
Telecommunications Networks: Addressing Potential
May 21, 2013
52
The federal government has begun efforts to address the security of the
Security Risks of Foreign-Manufactured Equipment
supply chain for commercial networks... There are a variety of other
approaches for addressing the potential risks posed by foreign-manufactured
equipment in commercial communications networks, including those
approaches taken by foreign governments... Although these approaches are
intended to improve supply chain security of communications networks, they
may also create the potential for trade barriers, additional costs, and
constraints on competition, which the federal government would have to take
into account if it chose to pursue such approaches.
Outcome-Based Measures Would Assist DHS in Assessing
April 11, 2013
45
Until the Department of Homeland Security and its sector partners develop
Effectiveness of Cybersecurity Efforts
appropriate outcome-oriented metrics, it wil be difficult to gauge the
effectiveness of efforts to protect the nation’s core and access
communications networks and critical support components of the Internet
from cyber incidents. While no cyber incidents have been reported affecting
the nation’s core and access networks, communications networks operators
can use reporting mechanisms established by FCC and DHS to share
information on outages and incidents.
CRS-47
c11173008
.
.
Title Date
Pages Notes
Information Sharing: Agencies Could Better Coordinate to
April 4, 2013
72
Agencies have neither held entities accountable for coordinating nor assessed
Reduce Overlap in Field-Based Activities
opportunities for further enhancing coordination to help reduce the potential
for overlap and achieve efficiencies. The Departments of Justice (DOJ) and
Homeland Security (DHS), and the Office of National Drug Control Policy
(ONDCP)—the federal agencies that oversee or provide support to the five
types of field-based entities—acknowledged that entities working together and
sharing information is important, but they do not hold the entities accountable
for such coordination.
Cybersecurity: A Better Defined and Implemented
March 7, 2013
36
“[A]lthough federal law assigns the Office of Management and Budget (OMB)
National Strategy Is Needed to Address Persistent
responsibility for oversight of federal government information security, OMB
Challenges
recently transferred several of these responsibilities to DHS.... [I]t remains
unclear how OMB and DHS are to share oversight of individual departments
and agencies. Additional legislation could clarify these responsibilities.”
2013 High Risk List
February 14, 2013
275
Every two years at the start of a new Congress, GAO cal s attention to
agencies and program areas that are high risk due to their vulnerabilities to
fraud, waste, abuse, and mismanagement, or are most in need of
transformation. Cybersecurity programs on the list include: Protecting the
Federal Government’s Information Systems and the Nation's Cyber Critical
Infrastructures and Ensuring the Effective Protection of Technologies Critical to U.S.
National Security Interests.
Cybersecurity: National Strategy, Roles, and
February 14, 2013
112
GAO recommends that the White House Cybersecurity Coordinator develop
Responsibilities Need to Be Better Defined and More
an overarching federal cybersecurity strategy that includes all key elements of
Effectively Implemented
the desirable characteristics of a national strategy. Such a strategy would
provide a more effective framework for implementing cybersecurity activities
and better ensure that such activities will lead to progress in cybersecurity.
Information Security: Federal Communications
January 25, 2013
35
“The FCC did not effectively implement appropriate information security
Commission Needs to Strengthen Controls over Enhanced
controls in the initial components of the Enhanced Secured Network (ESN)
Secured Network Project
project.... Weaknesses identified in the commission’s deployment of
components of the ESN project as of August 2012 resulted in unnecessary risk
that sensitive information could be disclosed, modified, or obtained without
authorization. GAO is making seven recommendations to the FCC to
implement management controls to help ensure that ESN meets its objective
of securing FCC's systems and information.”
Cybersecurity: Challenges in Securing the Electricity Grid
July 17, 2012
25
In a prior report, GAO has made recommendations related to electricity grid
modernization efforts, including developing an approach to monitor
compliance with voluntary standards. These recommendations have not yet
been implemented.
CRS-48
c11173008
.
.
Title Date
Pages Notes
Information Technology Reform: Progress Made but
July 11, 2012
43
To help ensure the success of agencies’ implementation of cloud-based
Future Cloud Computing Efforts Should be Better Planned
solutions, the Secretaries of Agriculture, Health and Human Services,
Homeland Security, State, and the Treasury, and the Administrators of the
General Services Administration and Small Business Administration should
direct their respective chief information officer (CIO) to establish estimated
costs, performance goals, and plans to retire associated legacy systems for
each cloud-based service discussed in this report, as applicable.
Electronic Warfare: DOD Actions Needed to Strengthen
July 9, 2012
46
DOD’s oversight of electronic warfare capabilities may be further complicated
Management and Oversight
by its evolving relationship with computer network operations, which is also
an information operations-related capability. Without clearly defined roles and
responsibilities and updated guidance regarding oversight responsibilities,
DOD does not have reasonable assurance that its management structures will
provide effective department-wide leadership for electronic warfare activities
and capabilities development and ensure effective and efficient use of its
resources.
Information Security: Cyber Threats Facilitate Ability to
June 28, 2012
20
This statement discusses (1) cyber threats facing the nation’s systems, (2)
Commit Economic Espionage
reported cyber incidents and their impacts, (3) security controls and other
techniques available for reducing risk, and (4) the responsibilities of key federal
entities in support of protecting IP.
Cybersecurity: Chal enges to Securing the Modernized
February 28, 2012
19
As GAO reported in January 2011, securing smart grid systems and networks
Electricity Grid
presented a number of key challenges that required attention by government
and industry. GAO made several recommendations to the Federal Energy
Regulatory Commission (FERC) aimed at addressing these challenges. The
commission agreed with these recommendations and described steps it is
taking to implement them.
Critical Infrastructure Protection: Cybersecurity Guidance
December 9, 2011
77
Given the plethora of guidance available, individual entities within the sectors
Is Available, but More Can Be Done to Promote Its Use
may be challenged in identifying the guidance that is most applicable and
effective in improving their security posture. Improved knowledge of the
guidance that is available could help both federal and private sector decision
makers better coordinate their efforts to protect critical cyber-reliant assets.
Cybersecurity Human Capital: Initiatives Need Better
November 29, 2011
86
All the agencies GAO reviewed faced challenges determining the size of their
Planning and Coordination
cybersecurity workforce because of variations in how work is defined and the
lack of an occupational series specific to cybersecurity. With respect to other
workforce planning practices, all agencies had defined roles and responsibilities
for their cybersecurity workforce, but these roles did not always align with
guidelines issued by the federal Chief Information Officers Council (CIOC)
and National Institute of Standards and Technology (NIST).
CRS-49
c11173008
.
.
Title Date
Pages Notes
Federal Chief Information Officers: Opportunities Exist to
October 17, 2011
72
GAO is recommending that OMB update its guidance to establish measures of
Improve Role in Information Technology Management
accountability for ensuring that CIOs’ responsibilities are fully implemented
and require agencies to establish internal processes for documenting lessons
learned.
Information Security: Additional Guidance Needed to
October 5, 2011
17
Twenty-two of 24 major federal agencies reported that they were either
Address Cloud Computing Concerns
concerned or very concerned about the potential information security risks
associated with cloud computing. GAO recommended that the NIST issue
guidance specific to cloud computing security.
Information Security: Weaknesses Continue Amid New
October 3, 2011
49
Weaknesses in information security policies and practices at 24 major federal
Federal Efforts to Implement Requirements
agencies continue to place the confidentiality, integrity, and availability of
sensitive information and information systems at risk. Consistent with this
risk, reports of security incidents from federal agencies are on the rise,
increasing over 650% over the past 5 years. Each of the 24 agencies reviewed
had weaknesses in information security controls.
Federal Chief Information Officers: Opportunities Exist to
October 17, 2011
72
GAO is recommending that the Office of Management and Budget (OMB)
Improve Role in Information Technology Management
update its guidance to establish measures of accountability for ensuring that
CIOs’ responsibilities are fully implemented and require agencies to establish
internal processes for documenting lessons learned.
Defense Department Cyber Efforts: Definitions, Focal
July 29, 2011
33
This letter discusses the Department of Defense’s cyber and information
Point, and Methodology Needed for DOD to Develop
assurance budget for FY2012 and future years defense spending. The
Ful -Spectrum Cyberspace Budget Estimates
objectives of this review were to (1) assess the extent to which DOD has
prepared an overarching budget estimate for ful -spectrum cyberspace
operations across the department and (2) identify the challenges DOD has
faced in providing such estimates.
Continued Attention Needed to Protect Our Nation’s
July 26, 2011
20
A number of significant challenges remain to enhancing the security of cyber-
Critical Infrastructure
reliant critical infrastructures, such as (1) implementing actions recommended
by the President's cybersecurity policy review; (2) updating the national
strategy for securing the information and communications infrastructure;
(3) reassessing DHS's planning approach to critical infrastructure protection;
(4) strengthening public-private partnerships, particularly for information
sharing; (5) enhancing the national capability for cyber warning and analysis;
(6) addressing global aspects of cybersecurity and governance; and (7) securing
the modernized electricity grid.
Defense Department Cyber Efforts: DOD Faces
July 25, 2011
79
GAO recommends that DOD evaluate how it is organized to address
Challenges in Its Cyber Activities
cybersecurity threats; assess the extent to which it has developed joint
doctrine that addresses cyberspace operations; examine how it assigned
command and control responsibilities; and determine how it identifies and acts
to mitigate key capability gaps involving cyberspace operations.
CRS-50
c11173008
.
.
Title Date
Pages Notes
Information Security: State Has Taken Steps to Implement
July 8, 2011
63
The Department of State implemented a custom application called iPost and a
a Continuous Monitoring Application, but Key Chal enges
risk scoring program that is intended to provide continuous monitoring
Remain
capabilities of information security risk to elements of its information
technology (IT) infrastructure. To improve implementation of iPost at State,
the Secretary of State should direct the Chief Information Officer to develop,
document, and maintain an iPost configuration management and test process.
Cybersecurity: Continued Attention Needed to Protect
March 16, 2011
16
Executive branch agencies have made progress instituting several government-
Our Nation’s Critical Infrastructure and Federal
wide initiatives aimed at bolstering aspects of federal cybersecurity, such as
Information Systems
reducing the number of federal access points to the Internet, establishing
security configurations for desktop computers, and enhancing situational
awareness of cyber events. Despite these efforts, the federal government
continues to face significant challenges in protecting the nation's cyber-reliant
critical infrastructure and federal information systems.
Electricity Grid Modernization: Progress Being Made on
January 12, 2011
50
GAO identified six key challenges: (1) Aspects of the regulatory environment
Cybersecurity Guidelines, but Key Challenges Remain to
may make it difficult to ensure smart grid systems’ cybersecurity. (2) Utilities
be Addressed
are focusing on regulatory compliance instead of comprehensive security. (3)
The electric industry does not have an effective mechanism for sharing
information on cybersecurity. (4) Consumers are not adequately informed
about the benefits, costs, and risks associated with smart grid systems. (5)
There is a lack of security features being built into certain smart grid systems.
(6) The electricity industry does not have metrics for evaluating cybersecurity.
Information Security: Federal Agencies Have Taken Steps
November 30, 2010
50
Existing government-wide guidelines and oversight efforts do not fully address
to Secure Wireless Networks, but Further Actions Can
agency implementation of leading wireless security practices. Until agencies
Mitigate Risk
take steps to better implement these leading practices, and OMB takes steps
to improve government-wide oversight, wireless networks will remain at an
increased vulnerability to attack.
Cyberspace Policy: Executive Branch Is Making Progress
October 6, 2010
66
Of the 24 recommendations in the President’s May 2009 cyber policy review
Implementing 2009 Policy Review Recommendations, but
report, 2 have been fully implemented, and 22 have been partial y
Sustained Leadership Is Needed
implemented. While these efforts appear to be steps forward, agencies were
largely not able to provide milestones and plans that showed when and how
implementation of the recommendations was to occur.
DHS Efforts to Assess and Promote Resiliency Are
September 23, 2010
46
The Department of Homeland Security (DHS) has not developed an effective
Evolving but Program Management Could Be Strengthened
way to ensure that critical national infrastructure, such as electrical grids and
telecommunications networks, can bounce back from a disaster. DHS has
conducted surveys and vulnerability assessments of critical infrastructure to
identify gaps, but has not developed a way to measure whether owners and
operators of that infrastructure adopt measures to reduce risks.
CRS-51
c11173008
.
.
Title Date
Pages Notes
Information Security: Progress Made on Harmonizing
September 15, 2010
38
OMB and NIST established policies and guidance for civilian non-national
Policies and Guidance for National Security and Non-
security systems, while other organizations, including the Committee on
National Security Systems
National Security Systems (CNSS), DOD, and the U.S. intelligence community,
have developed policies and guidance for national security systems. GAO was
asked to assess the progress of federal efforts to harmonize policies and
guidance for these two types of systems.
United States Faces Challenges in Addressing Global
August 2, 2010
53
GAO recommends that the Special Assistant to the President and
Cybersecurity and Governance
Cybersecurity Coordinator should make recommendations to appropriate
agencies and interagency coordination committees regarding any necessary
changes to more effectively coordinate and forge a coherent national
approach to cyberspace policy.
Critical Infrastructure Protection: Key Private and Public
July 15, 2010
38
The Special Assistant to the President and Cybersecurity Coordinator and the
Cyber Expectations Need to Be Consistently Addressed
Secretary of Homeland Security should take two actions: (1) use the results of
this report to focus their information-sharing efforts, including their relevant
pilot projects, on the most desired services, including providing timely and
actionable threat and alert information, access to sensitive or classified
information, a secure mechanism for sharing information, and security
clearance and (2) bolster the efforts to build out the National Cybersecurity
and Communications Integration Center as the central focal point for
leveraging and integrating the capabilities of the private sector, civilian
government, law enforcement, the military, and the intelligence community.
Federal Guidance Needed to Address Control Issues With
July 1, 2010
53
To assist federal agencies in identifying uses for cloud computing and
Implementing Cloud Computing
information security measures to use in implementing cloud computing, the
Director of OMB should establish milestones for completing a strategy for
implementing the federal cloud computing initiative.
Continued Attention Is Needed to Protect Federal
June 16, 2010
15
Multiple opportunities exist to improve federal cybersecurity. To address
Information Systems from Evolving Threats
identified deficiencies in agencies’ security controls and shortfalls in their
information security programs, GAO and agency inspectors general have
made hundreds of recommendations over the past several years, many of
which agencies are implementing. In addition, the White House, OMB, and
certain federal agencies have undertaken several government-wide initiatives
intended to enhance information security at federal agencies. While progress
has been made on these initiatives, they all face challenges that require
sustained attention, and GAO has made several recommendations for
improving the implementation and effectiveness of these initiatives.
CRS-52
c11173008
.
.
Title Date
Pages Notes
Information Security: Concerted Response Needed to
March 24, 2010
21
Without proper safeguards, federal computer systems are vulnerable to
Resolve Persistent Weaknesses
intrusions by individuals who have malicious intentions and can obtain
sensitive information. The need for a vigilant approach to information security
has been demonstrated by the pervasive and sustained cyberattacks against
the United States; these attacks continue to pose a potential y devastating
impact to systems and the operations and critical infrastructures they support.
Cybersecurity: Continued Attention Is Needed to Protect
March 16, 2010
15
The White House, the Office of Management and Budget, and certain federal
Federal Information Systems from Evolving Threats
agencies have undertaken several government-wide initiatives intended to
enhance information security at federal agencies. While progress has been
made on these initiatives, they all face challenges that require sustained
attention, and GAO has made several recommendations for improving the
implementation and effectiveness of these initiatives.
Concerted Effort Needed to Consolidate and Secure
April 12, 2010
40
To reduce the threat to federal systems and operations posed by cyberattacks
Internet Connections at Federal Agencies
on the United States, OMB launched, in November 2007, the Trusted Internet
Connections (TIC) initiative, and later, in 2008, DHS’s National Cybersecurity
Protection System (NCPS), operationally known as Einstein, which became
mandatory for federal agencies as part of TIC. To further ensure that federal
agencies have adequate, sufficient, and timely information to successfully meet
the goals and objectives of the TIC and Einstein programs, DHS’s Secretary
should, to better understand whether Einstein alerts are valid, develop
additional performance measures that indicate how agencies respond to alerts.
Cybersecurity: Progress Made But Challenges Remain in
March 5, 2010
64
To address strategic challenges in areas that are not the subject of existing
Defining and Coordinating the Comprehensive National
projects within CNCI but remain key to achieving the initiative’s overall goal
Initiative
of securing federal information systems, OMB’s Director should continue
developing a strategic approach to identity management and authentication,
linked to HSPD-12 implementation, as initial y described in the CIOC's plan
for implementing federal identity, credential, and access management, so as to
provide greater assurance that only authorized individuals and entities can gain
access to federal information systems.
Continued Efforts Are Needed to Protect Information
November 17, 2009
24
GAO has identified weaknesses in all major categories of information security
Systems from Evolving Threats
controls at federal agencies. For example, in FY2008, weaknesses were
reported in such controls at 23 of 24 major agencies. Specifically, agencies did
not consistently authenticate users to prevent unauthorized access to systems;
apply encryption to protect sensitive data; and log, audit, and monitor
security-relevant events, among other actions.
Efforts to Improve Information sharing Need to Be
August 27, 2003
59
Information on threats, methods, and techniques of terrorists is not routinely
Strengthened
shared; and the information that is shared is not perceived as timely, accurate,
or relevant.
Source: Highlights compiled by CRS from the GAO reports.
CRS-53
c11173008
.
.
Table 10. White House/Office of Management and Budget3
Title Date
Pages
Notes
Improving Cybersecurity
Ongoing
N/A
OMB is working with agencies, Inspectors General, Chief Information
Officers, senior agency officials in charge of privacy, as well as GAO and
Congress, to strengthen the federal government's IT security and privacy
programs. The site provides information on Cross-Agency Priority (CAP)
goals, proposed cybersecurity legislation, CyberStat, continuous monitoring
and remediation, using SmartCards for identity management, and standardizing
security through configuration settings.
Liberty and Security in a Changing World: Report and
December 12, 2013
308
From the report, “The national security threats facing the United States and
Recommendations of The President’s Review Group on
our allies are numerous and significant, and they will remain so well into the
Intelligence and Communications Technologies
future. These threats include international terrorism, the proliferation of
weapons of mass destruction, and cyber espionage and warfare... After careful
consideration, we recommend a number of changes to our intelligence
collection activities that will protect [privacy and civil liberties] values without
undermining what we need to do to keep our nation safe.”
Immediate Opportunities for Strengthening the Nation’s
Cybersecurity
November 2013
31
This is a report of the President’s Council of Advisors on Science and
Technology (PCAST). The report recommends the government phase out
insecure, outdated operating systems, like Windows XP, implement better
encryption technology, and encourage automatic security updates, among
other changes. PCAST also recommends, for regulated industries, that the
government help create cybersecurity best practices and audit their
adoption—and for independent agencies, PCAST write new rules that require
businesses to report their cyber improvements.
Cross Agency Priority Goal: Cybersecurity, FY2013 Q3
October 2013
24
Executive branch departments and agencies will achieve 95% implementation
Status Report
of the Administration’s priority cybersecurity capabilities by the end of
FY2014. These capabilities include strong authentication, Trusted Internet
Connections (TIC), and Continuous Monitoring.
Incentives to Support Adoption of the Cybersecurity
August 6, 2013
N/A
From the report, “To promote cybersecurity practices and develop these
Framework
core capabilities, we are working with critical infrastructure owners and
operators to create a Cybersecurity Framework – a set of core practices to
develop capabilities to manage cybersecurity risk... Over the next few months,
agencies will examine these options in detail to determine which ones to
adopt and how, based substantially on input from critical infrastructure
stakeholders.”
3 For a list of White House executive orders, see CRS Report R43317, Cybersecurity: Legislation, Hearings, and Executive Branch Documents, by Rita Tehan.
CRS-54
c11173008
.
.
Title Date
Pages
Notes
FY 2012 Report to Congress on the Implementation of
March 2013
68
More government programs violated data security law standards in 2012 than
the Federal Information Security Management Act of 2002
in the previous year, and at the same time, computer security costs have
increased by more than $1 billion. Inadequate training was a large part of the
reason al -around FISMA adherence scores slipped from 75% in 2011 to 74%
in 2012. Agencies reported that about 88% of personnel with system access
privileges received annual security awareness instruction, down from 99% in
2011. Meanwhile, personnel expenses accounted for the vast majority—
90%—of the $14.6 billion departments spent on information technology
security in 2012.
Administration Strategy for Mitigating the Theft of U.S.
February 20, 2013
141
From the report, “First, we will increase our diplomatic engagement....
Trade Secrets
Second, we will support industry-led efforts to develop best practices to
protect trade secrets and encourage companies to share with each other best
practices that can mitigate the risk of trade secret theft.... Third, DOJ will
continue to make the investigation and prosecution of trade secret theft by
foreign competitors and foreign governments a top priority.... Fourth,
President Obama recently signed two pieces of legislation that will improve
enforcement against trade secret theft.... Lastly, we will increase public
awareness of the threats and risks to the U.S. economy posed by trade secret
theft.”
National Strategy for Information Sharing and
December 2012
24
Provides guidance for effective development, integration, and implementation
Safeguarding
of policies, processes, standards, and technologies to promote secure and
responsible information sharing.
Col aborative and Cross-Cutting Approaches to
August 1, 2012
N/A
Michael Daniel, White House Cybersecurity Coordinator, highlights a few
Cybersecurity
recent initiatives where voluntary, cooperative actions are helping to improve
the nation’s overall cybersecurity.
Trustworthy Cyberspace: Strategic Plan for the Federal
December 2011
36
As a research and development strategy, this plan defines four strategic
Cybersecurity Research and Development Program
thrusts: Inducing Change; Developing Scientific Foundations; Maximizing
Research Impact; and Accelerating Transition to Practice.
FY 2012 Reporting Instructions for the Federal
September 14, 2011
29
Rather than enforcing a static, three-year reauthorization process, agencies
Information Security Management Act and Agency Privacy
are expected to conduct ongoing authorizations of information systems
Management
through the implementation of continuous monitoring programs. Continuous
monitoring programs thus fulfill the three year security reauthorization
requirement, so a separate re-authorization process is not necessary.
Cybersecurity Legislative Proposal (Fact Sheet)
May 12, 2011
N/A
The Administration’s proposal ensures the protection of individuals' privacy
and civil liberties through a framework designed expressly to address the
challenges of cybersecurity. The Administration's legislative proposal includes:
Management, Personnel, Intrusion Prevention Systems, and Data Centers.
CRS-55
c11173008
.
.
Title Date
Pages
Notes
International Strategy for Cyberspace
May 2011
30
The strategy marks the first time any administration has attempted to set
forth in one document the U.S. government’s vision for cyberspace, including
goals for defense, diplomacy, and international development.
National Strategy for Trusted Identities
April 15, 2011
52
The NSTIC aims to make online transactions more trustworthy, thereby
in Cyberspace (NSTIC)
giving businesses and consumers more confidence in conducting business
online.
Federal Cloud Computing Strategy
February 13, 2011
43
The strategy outlines how the federal government can accelerate the safe,
secure adoption of cloud computing, and provides agencies with a framework
for migrating to the cloud. It also examines how agencies can address
challenges related to the adoption of cloud computing, such as privacy,
procurement, standards, and governance.
25 Point Implementation Plan to Reform Federal
December 9, 2010
40
The plan’s goals are to reduce the number of federal y run data centers from
Information Technology Management
2,100 to approximately 1,300, rectify or cancel one-third of troubled IT
projects, and require federal agencies to adopt a “cloud first” strategy in
which they will move at least one system to a hosted environment within a
year.
Clarifying Cybersecurity Responsibilities and Activities of
July 6, 2010
39
This memorandum outlines and clarifies the respective responsibilities and
the Executive Office of the President and the Department
activities of the Office of Management and Budget (OMB), the Cybersecurity
of Homeland Security
Coordinator, and DHS, in particular with respect to the Federal
Government’s implementation of the Federal Information Security
Management Act of 2002 (FISMA).
The National Strategy for Trusted Identities in
June 25, 2010
39
The NSTIC, which is in response to one of the near-term action items in the
Cyberspace: Creating Options for Enhanced Online
President’s Cyberspace Policy Review, calls for the creation of an online
Security and Privacy (Draft)
environment, or an Identity Ecosystem, where individuals and organizations
can complete online transactions with confidence, trusting the identities of
each other and the identities of the infrastructure where transaction occur.
Comprehensive National Cybersecurity Initiative (CNCI)
March 2, 2010
5
The CNCI establishes a multi-pronged approach the federal government is to
take in identifying current and emerging cyber threats, shoring up current and
future telecommunications and cyber vulnerabilities, and responding to or
proactively addressing entities that wish to steal or manipulate protected data
on secure federal systems.
CRS-56
c11173008
.
.
Title Date
Pages
Notes
Cyberspace Policy Review: Assuring a Trusted and
May 29, 2009
76
The President directed a 60-day, comprehensive, “clean-slate” review to
Resilient Communications Infrastructure
assess U.S. policies and structures for cybersecurity. The review team of
government cybersecurity experts engaged and received input from a broad
cross-section of industry, academia, the civil liberties and privacy communities,
state governments, international partners, and the legislative and executive
branches. This paper summarizes the review team’s conclusions and outlines
the beginning of the way forward toward a reliable, resilient, trustworthy
digital infrastructure for the future.
Source: Highlights compiled by CRS from the White House reports.
CRS-57
c11173008
.
.
Table 11. Department of Defense (DOD)
Title Source
Date
Pages Notes
Offensive Cyber Capabilities at the
Center for Strategic &
September 16, 2013
20
The specific question this report examines is whether the
Operational Level - The Way Ahead
International Studies (CSIS)
Defense Department should make a more deliberate effort to
explore the potential of offensive cyber tools at levels below
that of a combatant command.
An Assessment of the Department of Defense U.S. Army War College
September 2013
60
This monograph is organized in three main parts. The first part
Strategy for Operating in Cyberspace
explores the evolution of cyberspace strategy through a series
of government publications leading up to the DoD Strategy for
Operating in Cyberspace. In the second part, each strategic
initiative is elaborated and critiqued in terms of significance,
novelty, and practicality. In the third part, the monograph
critiques the DoD Strategy as a whole.
Joint Professional Military Education
Francesca Spidalieri (Pell
August 7, 20123
18
The report found that the Joint Professional Military Education
Institutions in an Age of Cyber Threat
Center Fellow)
at the six U.S. military graduate schools—a requirement for
becoming a Joint Staff Officer and for promotion to the senior
ranks—has not effectively incorporated cybersecurity into
specific courses, conferences, war gaming exercises, or other
forms of training for military officers. While these graduate
programs are more advanced on cybersecurity than most
American civilian universities, a preparation gap still exists.
Military and Security Developments Involving
Department of Defense
May 6, 2013
92
China is using its computer network exploitation capability to
the People’s Republic of China 2013 (Annual
support intelligence collection against the U.S. diplomatic,
Report to Congress)
economic, and defense industrial base sectors that support U.S.
national defense programs. The information targeted could
potential y be used to benefit China’s defense industry, high-
technology industries, policy maker interest in U.S. leadership
thinking on key China issues, and military planners building a
picture of U.S. network defense networks, logistics, and related
military capabilities that could be exploited during a crisis.
Resilient Military Systems and the Advanced
Department of Defense
January 2013
146
The report states that, despite numerous Pentagon actions to
Cyber Threat
Science Board
parry sophisticated attacks by other countries, efforts are
“fragmented” and the Defense Department “is not prepared to
defend against this threat.” The report lays out a scenario in
which cyberattacks in conjunction with conventional warfare
damaged the ability of U.S. forces to respond, creating
confusion on the battlefield and weakening traditional defenses.
CRS-58
c11173008
.
.
Title Source
Date
Pages Notes
FY 2012 Annual Report
Department of Defense
January 2013
372
Annual report to Congress by J. Michael Gilmore, director of
Operational Test and Evaluation. Assesses the operational
effectiveness of systems being developed for combat. See
“Information Assurance (I/A) and Interoperability (IOP)”
chapter, pages 305-312, for information on network
exploitation and compromise exercises.
Basic Safeguarding of Contractor Information
Department of Defense
August 24, 2012
4
This regulation authored by the DOD, General Services
Systems (Proposed Rule)
(DoD), General Services
Administration (GSA), and National Aeronautics and Space
Administration (GSA), and
Administration (NASA) “would add a contract clause to
National Aeronautics and
address requirements for the basic safeguarding of contractor
Space Administration
information systems that contain or process information
(NASA)
provided by or generated for the government (other than
public information).”
Electronic Warfare: DOD Actions Needed to
GAO
July 9, 2012
46
DOD’s oversight of electronic warfare capabilities may be
Strengthen Management and Oversight
further complicated by its evolving relationship with computer
network operations, which is also an information operations-
related capability. Without clearly defined roles and
responsibilities and updated guidance regarding oversight
responsibilities, DOD does not have reasonable assurance that
its management structures will provide effective department-
wide leadership for electronic warfare activities and capabilities
development and ensure effective and efficient use of its
resources.
Cloud Computing Strategy
DOD, Chief Information
July 2012
44
The DOD Cloud Computing Strategy introduces an approach
Officer
to move the department from the current state of a duplicative,
cumbersome, and costly set of application silos to an end state,
which is an agile, secure, and cost effective service environment
that can rapidly respond to changing mission needs.
DOD Defense Industrial Base (DIB) Voluntary Federal Register
May 11, 2012
7
DOD interim final rule to establish a voluntary cyber security
Cyber Security and Information Assurance
information sharing program between DOD and eligible DIB
(CS/IA) Activities
companies. The program enhances and supplements DIB
participants’ capabilities to safeguard DOD information that
resides on, or transits, DIB unclassified information.
DOD Information Security Program:
DOD
February 24, 2012
84
Describes the DOD Information Security Program, and
Overview, Classification, and Declassification
provides guidance for classification and declassification of DOD
information that requires protection in the interest of the
national security.
CRS-59
c11173008
.
.
Title Source
Date
Pages Notes
Cyber Sentries: Preparing Defenders to Win
Air War Col ege
February 7, 2012
38
This paper examines the current impediments to effective
in a Contested Domain
cybersecurity workforce preparation and offers new concepts
to create Cyber Sentries through realistic training, network
authorities tied to certification, and ethical training. These
actions present an opportunity to significantly enhance
workforce quality and allow the Department to operate
effectively in the contested cyber domain in accordance with
the vision established in its Strategy for Cyberspace Operations
Defense Department Cyber Efforts:
Government
July 29, 2011
33
This letter discusses DOD’s cyber and information assurance
Definitions, Focal Point, and Methodology
Accountability Office
budget for fiscal year 2012 and future years defense spending.
Needed for DOD to Develop Ful -Spectrum
(GAO)
The objectives of this review were to (1) assess the extent to
Cyberspace Budget Estimates
which DOD has prepared an overarching budget estimate for
full-spectrum cyberspace operations across the department;
and (2) identify the challenges DOD has faced in providing such
estimates.
Legal Reviews of Weapons and Cyber
Secretary of the Air Force
July 27, 2011
7
Report concludes the Air Force must subject cyber capabilities
Capabilities
to legal review for compliance with the Law of Armed Conflict
and other international and domestic laws. The Air Force judge
advocate general must ensure that all cyber capabilities “being
developed, bought, built, modified or otherwise acquired by the
Air Force" must undergo legal review—except for cyber
capabilities within a Special Access Program, which must
undergo review by the Air Force general counsel.
Department of Defense Strategy for
DOD
July 2011
19
This is an unclassified summary of DOD’s cyber-security
Operating in Cyberspace
strategy.
Cyber Operations Personnel Report (DOD)
DOD
April 2011
84
This report focuses on FY2009 Department of Defense Cyber
Operations personnel, with duties and responsibilities as
defined in Section 934 of the Fiscal Year 2010 National Defense
Authorization Act (NDAA).
Appendix A—Cyber Operations-related Military Occupations
Appendix B—Commercial Certifications Supporting the DOD
Information Assurance Workforce Improvement Program
Appendix C—Military Services Training and Development
Appendix D—Geographic Location of National Centers of
Academic Excellence in Information Assurance
CRS-60
c11173008
.
.
Title Source
Date
Pages Notes
Anomaly Detection at Multiple Scales
Defense Advanced
November 9, 2011
74
The design document was produced by Allure Security and
(ADAMS)
Research Projects Agency
sponsored by the Defense Advanced Research Projects Agency
(DARPA)
(DARPA). It describes a system for preventing leaks by seeding
believable disinformation in military information systems to help
identify individuals attempting to access and disseminate
classified information.
Critical Code: Software Producibility for
National Research Council, October 20, 2010
160
Assesses the nature of the national investment in software
Defense
Committee for Advancing
research and, in particular, considers ways to revitalize the
Software-Intensive Systems
knowledge base needed to design, produce, and employ
Producibility
software-intensive systems for tomorrow’s defense needs.
Defending a New Domain
U.S. Deputy Secretary of
September/October
N/A
In 2008, the U.S. Department of Defense suffered a significant
Defense, William J. Lynn
2010
compromise of its classified military computer networks. It
(Foreign Affairs)
began when an infected flash drive was inserted into a U.S.
military laptop at a base in the Middle East. This previously
classified incident was the most significant breach of U.S.
military computers ever, and served as an important wake-up
call.
The QDR in Perspective: Meeting America’s
Quadrennial Defense
July 30, 2010
159
From the report: “The expanding cyber mission also needs to
National Security Needs In the 21st Century
Review
be examined. The Department of Defense should be prepared
(QDR Final Report)
to assist civil authorities in defending cyberspace – beyond the
Department’s current role."
Cyberspace Operations: Air Force Doctrine
U.S. Air Force
July 15, 2010
62
This Air Force Doctrine Document (AFDD) establishes
Document 3-12
doctrinal guidance for the employment of U.S. Air Force
operations in, through, and from cyberspace. It is the keystone
of Air Force operational-level doctrine for cyberspace
operations.
DON (Department of the Navy)
U.S. Navy
June 17, 2010
14
To establish policy and assign responsibilities for the
Cybersecurity/Information Assurance
administration of the Department of the Navy (DON)
Workforce Management, Oversight and
Cybersecurity (CS)/Information Assurance Workforce (IAWF)
Compliance
Management Oversight and Compliance Program.
Note: Highlights compiled by CRS from the reports.
CRS-61
c11173008
.
.
Table 12. National Institute of Standards and Technology (NIST)
Including the Cybersecurity Framework
Title Date
Pages
Notes
Designed-in Cyber Security for Cyber-Physical
November 20, 2013
60
NIST and the Cybersecurity Research Alliance held a two-day workshop (April
Systems
4-5, 2013) for industry, government and academic cyber security researchers.
The report’s findings lay out a logical roadmap for designing security into varied
IP-based systems and platforms increasingly targeted by cyber attackers.
Cybersecurity Framework
October 22, 2013
47
NIST seeks comments on the preliminary version of the Cybersecurity
Framework (“preliminary Framework"). Under Executive Order 13636, NIST is
directed to work with stakeholders to develop a framework to reduce cyber
risks to critical infrastructure.
A Role-Based Model for Federal Information
October 2013
152
This guidance will assist managers at all level to understand their responsibilities
Technology/Cybersecurity Training (Draft Special
in providing role-based cybersecurity training,
Publication 800-16 Revision 1)
Guide to Attribute Based Access Control
October 2013
48
Improving information sharing while maintaining control over access to that
Definition and Considerations (Draft SP 800-162)
information is a primary goal of guidance coming from the NIST.
Discussion Draft of the Preliminary Cybersecurity
August 28, 2013
36
The Framework provides a common language and mechanism for organizations
Framework
to: 1) describe current cybersecurity posture; 2) describe their target state for
cybersecurity; 3) identify and prioritize opportunities for improvement within
the context of risk management; 4) assess progress toward the target state; 5)
foster communications among internal and external stakeholders.
DRAFT Outline—Preliminary Framework to
July 1, 2013
5
This draft is produced for discussion purposes at the upcoming workshops and
Reduce Cyber Risks to Critical Infrastructure
to further encourage private-sector input before NIST publishes a preliminary
Draft Framework to Reduce Cyber Risks to Critical Infrastructure (“the Framework”)
for public comment in October.
Computer Security Incident Coordination (CSIC):
June 28, 2013
3
NIST is seeking information relating to Computer Security Incident
Providing Timely Cyber Incident Response
Coordination (CSIC) as part of the research needed to write a NIST Special
Publication (SP) to help Computer Security Incident Response Teams (CSIRTs)
coordinate effectively when responding to computer-security incidents. The
NIST SP wil identify technical standards, methodologies, procedures, and
processes that facilitate prompt and effective response.
Proposed Establishment of a Federally Funded
June 21, 2013
2
NIST intends to sponsor a Federal y Funded Research and Development Center
Research and Development Center—Second
(FFRDC) to facilitate public-private col aboration for accelerating the widespread
Notice
adoption of integrated cybersecurity tools and technologies. This is the second
of three notices that must be published over a 90-day period to advise the public
of the agency’s intention to sponsor an FFRDC.
CRS-62
c11173008
.
.
Title Date
Pages
Notes
Update on the Development of the Cybersecurity
June 18, 2013
3
NIST is seeking input about foundational cybersecurity practices, ideas for how
Framework
to manage privacy and civil liberties needs, and outcome-oriented metrics that
leaders can use in evaluating the position and progress of their organizations’
cybersecurity status. In a few weeks, NIST expects to post an outline of the
preliminary cybersecurity framework, including existing standards and practices.
Initial Analysis of Cybersecurity Framework RFI
May 15, 2013
34
NIST released an initial analysis of 243 responses to the Feb. 26 RFI. The analysis
Responses
will form the basis for an upcoming workshop at Carnegie Mellon University in
Pittsburgh as NIST moves forward on creating a cybersecurity framework for
essential energy, utility and communications systems.
Proposed Establishment of a Federally Funded
April 22, 2013
2
To help the National Cybersecurity Center of Excellence (NCCoE) address
Research and Development Center-First Notice
industry’s needs most efficiently, NIST will sponsor its first Federally Funded
Research and Development Center (FFRDC) to facilitate public-private
col aboration for accelerating the widespread adoption of integrated
cybersecurity tools and technologies.
Security and Privacy Controls for Federal
April 2013
457
Special Publication 800-53, Revision 4, provides a more holistic approach to
Information Systems (SP 800-53, Rev. 4)
information security and risk management by providing organizations with the
breadth and depth of security controls necessary to fundamental y strengthen
their information systems and the environments in which those systems
operate—contributing to systems that are more resilient in the face of
cyberattacks and other threats. This “Build It Right" strategy is coupled with a
variety of security controls for "Continuous Monitoring" to give organizations
near real-time information that is essential for senior leaders making ongoing
risk-based decisions affecting their critical missions and business functions.
Developing a Framework To Improve Critical
February 26, 2013
5
NIST announced the first step in the development of a Cybersecurity
Infrastructure Cybersecurity, Notice; Request for
Framework, which will be a set of voluntary standards and best practices to
Information
guide industry in reducing cyber risks to the networks and computers that are
vital to the nation’s economy, security, and daily life.
Memorandum of Understanding (MOU)
December 2, 2010
4
The MOU, signed by NIST, DHS, and the Financial Services Sector Coordinating
Council (FSSCC), formalizes the intent of the parties to expedite the
coordinated development and availability of collaborative research, development,
and testing activities for cybersecurity technologies and processes based upon
the financial services sector’s needs.
Note: Highlights compiled by CRS from the reports.
CRS-63
c11173008
.
.
Table 13. Other Federal Agencies
Title Source
Date
Pages Notes
Continuous Diagnostic and Mitigation Program
DHS
Ongoing
N/A
An initiative to deploy continuous monitoring at U.S. federal
government agencies will be done in phases, with the initial
rollout occurring over three years. The initial phase is aimed at
getting federal civilian agencies to employ continuous diagnostic
tools to improve vulnerability management, enforce strong
compliance settings, manage hardware and software assets and
establish white-listing of approved services and applications.
The Department of Energy’s July 2013 Cyber
DOE Inspector General December 2013 28
The report states nearly eight times as many current and former
Security Breach
Energy Department staff members were affected by a July
computer hack than was previously estimated, according to the
agency’s inspector general. In August, DOE estimated that the
hack affected roughly 14,000 current and former staff, leaking
personally identifiable information such as Social Security
numbers, birthdays, and banking information. But the breach
apparently affected more than 104,000 people.
Evaluation of DHS’ Information Security Program
DHS Inspector General
November 2013 50
The report reiterates that the agency uses outdated security
for Fiscal Year 2013
controls and Internet connections that are not verified as
trustworthy, as well as for not reviewing its “top secret”
information systems for vulnerabilities.
Immediate Opportunities for Strengthening the
November 2013 31
The report recommends the government phase out insecure,
Nation’s Cybersecurity
President’s Council of
Advisors on Science
outdated operating systems, like Windows XP, implement
and Technology
better encryption technology, and encourage automatic security
(PCAST)
updates, among other changes. PCAST also recommends, for
regulated industries, that the government help create
cybersecurity best practices and audit their adoption—and for
independent agencies, PCAST write new rules that require
businesses to report their cyber improvements.
Federal Energy Regulatory Commission’s
Department of Energy
October 2013
13
To help protect against continuing cyber security threats, the
Unclassified Cyber Security Program - 2013
Office of Inspector
Commission estimated that it would spend approximately $5.8
General
million during Fiscal Year (FY) 2013 to secure its information
technology assets, a 9 percent increase compared to FY 2012...
As directed by FISMA, the Office of Inspector General
conducted an independent evaluation of the Commission's
unclassified cyber security program to determine whether it
adequately protected data and information systems. This report
presents the results of our evaluation for FY 2013.
CRS-64
c11173008
.
.
Title Source
Date
Pages Notes
DHS' Efforts to Coordinate the Activities of
DHS Inspector General
October 2013
29
DHS could do a better job sharing information among the five
Federal Cyber Operations Center
federal centers that coordinate cybersecurity work. The
department’s National Cybersecurity and Communications
Integration Center, or the NCCIC, is tasked with sharing
information about malicious activities on government networks
with cybersecurity offices within the Defense Department, the
FBI and federal intelligence agencies. But the DHS center and the
five federal cybersecurity hubs do not all have the same
technology or resources, preventing them from having shared
situational awareness of intrusions or threats and restricting
their ability to coordinate response. The centers also have not
created a standard set of categories for reporting incidents,
Special Cybersecurity Workforce Project (Memo
Office of Personnel
July 8, 2013
N/A
The OPM is collaborating with the White House Office of
for Heads of Executive Departments and Agencies) Management (OPM)
Science and Technology Policy, the Chief Human Capital
Officers Council (CHCOC), and the Chief Information Officers
Council (CIOC) in implementing a special workforce project
that tasks federal agencies’ cybersecurity, information
technology, and human resources communities to build a
statistical data set of existing and future cybersecurity positions
in the OPM Enterprise Human Resources Integration (EHRI)
data warehouse by the end of FY2014.
Content of Premarket Submissions for
Food and Drug
June 14, 2013
1
This guidance identifies cybersecurity issues that manufacturers
Management of Cybersecurity in Medical Devices,
Administration (FDA)
should consider in preparing premarket submissions for medical
Notice
devices in order to maintain information confidentiality,
integrity, and availability.
DHS Can Take Actions to Address Its Additional
Department of
June 2013
26
The National Protection and Programs Directorate (NPPD) was
Cybersecurity Responsibilities
Homeland Security
audited to determine whether the Office of Cybersecurity and
Communications had effectively implemented its additional
cybersecurity responsibilities to improve the security posture of
the federal government. Although actions have been taken,
NPPD can make further improvements to address its additional
cybersecurity responsibilities.
Mobile Security Reference Architecture
Federal CIO Council
May 23, 2013
103
Gives agencies guidance in the secure implementation of mobile
and the Department of
solutions through their enterprise architectures. The document
Homeland Security
provides in-depth reference architecture for mobile computing.
(DHS)
CRS-65
c11173008
.
.
Title Source
Date
Pages Notes
Privacy Impact Assessment for EINSTEIN 3 -
Department of
April 19, 2013
27
DHS will deploy EINSTEIN 3 Accelerated (E3A) to enhance
Accelerated (E3A)
Homeland Security
cybersecurity analysis, situational awareness, and security
response. Under the direction of DHS, ISPs will administer
intrusion prevention and threat-based decision-making on
network traffic entering and leaving participating federal civilian
Executive Branch agency networks. This Privacy Impact
Assessment (PIA) is being conducted because E3A will include
analysis of federal network traffic, which may contain personally
identifiable information (PII).
DHS Secretary’s Honors Program: Cyber Student
Department of
April 18, 2013
2
The Cyber Student Initiative program will begin at Immigration
Initiative
Homeland Security
and Customs Enforcement computer forensic labs in 36 cities
nationwide, where students will be trained and will gain hands-
on experience within the department’s cybersecurity
community. The unpaid volunteer program is only available to
community col ege students and veterans pursuing a degree in
the cybersecurity field.
National Level Exercise 2012: Quick Look Report
Federal Emergency
March 2013
22
National Level Exercise (NLE) 2012 was a series of exercise
Management Agency
events that examined the ability of the United States to execute
a coordinated response to a series of significant cyber incidents.
As a part of the National Exercise Program, NLE 2012
emphasized the shared responsibility among all levels of
government, the private sector, and the international community
to secure cyber networks and coordinate response and
recovery actions. The NLE 2012 series was focused on
examining four major themes: planning and implementation of
the draft National Cyber Incident Response Plan (NCIRP),
coordination among governmental entities, information sharing,
and decision making.
Measuring What Matters: Reducing Risks by
National Academy of
March 2013
39
Rather than periodical y auditing whether an agency‘s systems
Rethinking How We Evaluate Cybersecurity
Public Administration
meet the standards enumerated in Federal Information Security
and Safegov.org
Management Act (FISMA) at a static moment in time, agencies
and their inspectors general should keep running scorecards of
“cyber risk indicators" based on continual IG assessments of a
federal organization's cyber vulnerabilities.
CRS-66
c11173008
.
.
Title Source
Date
Pages Notes
Fol ow-up Audit of the Department’s Cyber
Department of Energy
December 2012
25
“In 2008, we reported in The Department's Cyber Security
Security Incident Management Program
Inspector General
Incident Management Program (DOE/IG-0787, January 2008)
that the Department and NNSA established and maintained a
number of independent, at least partially duplicative, cyber
security incident management capabilities. Although certain
actions had been taken in response to our prior report, we
identified several issues that limited the efficiency and
effectiveness of the Department's cyber security incident
management program and adversely impacted the ability of law
enforcement to investigate incidents. For instance, we noted
that the Department and NNSA continued to operate
independent, partially duplicative cyber security incident
management capabilities at an annual cost of more than $30
million. The issues identified were due, in part, to the lack of a
unified, Department-wide cyber security incident management
strategy. In response to our finding, management concurred with
the recommendations and indicated that it had initiated actions
to address the issues identified.”
Secure and Trustworthy Cyberspace (SaTC)
National Science
October 4,
N/A
This grant program seeks proposals that address Cybersecurity
Program Solicitation
Foundation and the
2012
from a Trustworthy Computing Systems perspective (TWC); a
National Science and
Social, Behavioral and Economic Sciences perspective (SBE); and
Technology Council
a Transition to Practice perspective (TPP).
(NSTC)
Annual Report to Congress 2012: National
Information Sharing
June 30, 2012
188
From the report, “This Report, which PM-ISE is submitting on
Security Through Responsible Information Sharing
Environment (ISE)
behalf of the President, incorporates input from our mission
partners and uses their initiatives and PM-ISE’s management
activities to provide a cohesive narrative on the state and
progress of terrorism-related responsible information sharing,
including its impact on our collective ability to secure the nation
and our national interests.”
Cybersecurity: CF Disclosure Guidance: Topic No.
Securities and Exchange October 13,
N/A
The statements in this CF Disclosure Guidance represent the
2
Commission
2011
views of the Division of Corporation Finance. This guidance is
not a rule, regulation, or statement of the Securities and
Exchange Commission. Further, the Commission has neither
approved nor disapproved its content.
Note: Highlights compiled by CRS from the reports.
CRS-67
c11173008
.
.
Table 14. Research & Development (R&D)
Title Source
Date
Pages
Notes
National Cybersecurity Center of Excel ence
National Institute of
Ongoing
N/A
The National Cybersecurity Center of Excellence (NCCoE) is a
(NCCoE)
Standards and
new public-private col aboration to bring together experts from
Technology (NIST)
industry, government and academia to design, implement, test,
and demonstrate integrated cybersecurity solutions and
promote their widespread adoption.
DARPA Announces Cyber Grand Chal enge
Defense Advanced
October 23,
N/A
DARPA intends to hold the Cyber Grand Challenge (CGC)—
Research Projects
2013
the first-ever tournament for ful y automatic network defense
Agency (DARPA)
systems. The Challenge will see teams creating automated
systems that would compete against each other to evaluate
software, test for vulnerabilities, generate security patches, and
apply them to protected computers on a network. The winning
team in the CGC finals would receive a cash prize of $2 million,
with second place earning $1 million and third place taking home
$750,000.
Resilience metrics for cyber systems
Seager, Thomas
November
6
Despite the national and international importance, resilience
(free registration required to download)
(Arizona State
2013
metrics to inform management decisions are still in the early
University)
stages of development. We apply the resilience matrix
framework developed by Linkov et al. to develop and organize
effective resilience metrics for cyber systems. These metrics link
national policy goals to specific system measures, such that
resource allocation decisions can be translated into actionable
interventions and investments. This paper proposes a generic
approach and could integrate actual data, technical judgment,
and literature-based measures to assess system resilience across
physical, information, cognitive, and social domains.
Cybersecurity Exercise: Quantum Dawn 2
SIFMA
October 21,
N/A
Quantum Dawn 2 is a cybersecurity exercise to test incident
2013
response, resolution, and coordination processes for the
financial services sector and the individual member firms to a
street-wide cyberattack.
Proposed Establishment of a Federal y Funded
National Institute of
June 21, 2013
2
NIST intends to sponsor a Federal y Funded Research and
Research and Development Center—Second
Standards and
Development Center (FFRDC) to facilitate public-private
Notice
Technology
col aboration for accelerating the widespread adoption of
integrated cybersecurity tools and technologies. This is the
second of three notices that must be published over a 90-day
period to advise the public of the agency’s intention to sponsor
an FFRDC.
CRS-68
c11173008
.
.
Title Source
Date
Pages
Notes
Governor McDonnel Announces Creation of
Virginia Secretary of
April 11, 2013
N/A
Virginia Governor Bob McDonnell announced the creation of
MACH37, America’s Premier Market-Centric
Commerce and Trade
MACH37, a cyber security accelerator to be located at the
Cyber Security Accelerator
Center for Innovative Technology. Initially funded by the
Commonwealth of Virginia, the accelerator will leverage private
investments to launch new, high growth cyber technology
companies in Virginia.
Open Trusted Technology Provider Standard (O-
The Open Group
April 2013
44
Specifically intended to prevent maliciously tainted and
TTPS)™, Version 1.0: Mitigating Maliciously
counterfeit products from entering the supply chain, this first
Tainted and Counterfeit Products
release of the O-TTPS codifies best practices across the entire
COTS ICT product lifecycle, including the design, sourcing,
build, fulfillment, distribution, sustainment, and disposal phases.
The O-TTPS wil enable organizations to implement best
practice requirements and al ow al providers, component
suppliers, and integrators to obtain Trusted Technology
Provider status. (Registration required).
The International Cyber-Security Ecosystem (video Anthony M. Rutkowski,
November 6,
N/A
Overview of the various forums/communities and
lecture)
Distinguished Senior
2012
methodologies that comprise the security assurance
Research Fellow at the
ecosystem—often also referred to as Information Assurance.
Georgia Institute of
Technology, Nunn
School Center for
International Strategy
Technology and Policy
(CISTP)
20 Critical Security Controls for Effective Cyber
Center for Strategic &
November
89
The Top 20 security controls were agreed upon by a
Defense
International Studies
2012
consortium. Members of the Consortium include NSA, US
CERT, DOD JTF-GNO, the Department of Energy Nuclear
Laboratories, Department of State, DOD Cyber Crime Center
plus commercial forensics experts in the banking and critical
infrastructure communities.
SBIR Phase II: Information Security Risk Taking
National Science
January 17,
N/A
The NSF is funding research on giving organizations information-
Foundation (NSF)
2012
security risk ratings, similar to credit ratings for individuals.
Anomaly Detection at Multiple Scales (ADAMS)
Defense Advanced
November 9,
74
The report describes a system for preventing leaks by seeding
Research Projects
2011
believable disinformation in military information systems to help
Agency (DARPA)
identify individuals attempting to access and disseminate
classified information.
CRS-69
c11173008
.
.
Title Source
Date
Pages
Notes
At the Forefront of Cyber Security Research
NSF
August 5, 2011
N/A
TRUST is a university and industry consortium that examines
cyber security issues related to health care, national
infrastructures, law and other issues facing the general public.
Designing A Digital Future: Federally Funded
White House
December
148
The President’s Council of Advisors on Science and Technology
Research And Development In Networking And
2010
(PCAST) has made several recommendations in a report about
Information Technology
the state of the government’s Networking and Information
Technology Research and Development (NITRD) Program.
Partnership for Cybersecurity Innovation
White House Office of
December 6,
10
The Obama Administration released a Memorandum of
Science and Technology
2010
Understanding (below) signed by the National Institute of
Policy
Standards and Technology (NIST) of the Department of
Commerce, the Science and Technology Directorate of the
Department of Homeland Security (DHS/S&T), and the Financial
Services Sector Coordinating Council (FSSCC). The goal of the
agreement is to speed the commercialization of cybersecurity
research innovations that support our nation’s critical
infrastructures.
Memorandum of Understanding (MOU)
NIST, DHS, and
December 2,
4
The document formalizes the intent of the parties to expedite
Financial Services
2010
the coordinated development and availability of col aborative
Sector Coordinating
research, development, and testing activities for cybersecurity
Council
technologies and processes based upon the financial services
sector’s needs.
Science of Cyber-Security
Mitre Corp (JASON
November
86
JASON was requested by DOD to examine the theory and
Program Office)
2010
practice of cyber-security, and evaluate whether there are
underlying fundamental principles that would make it possible to
adopt a more scientific approach, identify what is needed in
creating a science of cyber-security, and recommend specific
ways in which scientific methods can be applied.
American Security Chal enge: Moving Innovation to National Security
October 18,
N/A
The objective of the Challenge is to increase the visibility of
Market
Initiative
2010
innovative technology and help the commercialization process
so that such technology can reach either the public or
commercial marketplace faster to protect our citizens and
critical assets.
Note: Highlights compiled by CRS from the reports.
CRS-70
c11173008
.
.
Cybersecurity: Authoritative Reports and Resources, by Topic
Related Resources: Other Websites
This section contains other cybersecurity resources, including U.S. government, international,
news sources, and other associations and institutions.
Congressional Research Service
71
c11173008
.
.
Table 15. Related Resources: Congressional/Government
Name Source
Notes
Integrated Intelligence Center (IIC)
Center for Internet Security
Serves as a resource for state, local, tribal, and territorial government
partners to engage in a collaborative information sharing and analysis
environment on cybersecurity issues. Through this initiative the IIC
provides fusion centers, homeland security advisors, and law
enforcement entities with access to a broad range of cybersecurity
products, reflecting input from many sources.
Computer Security Resource Center
National Institute of Standards and
Links to NIST resources, publications, and computer security groups.
Technology (NIST)
Congressional Cybersecurity Caucus
Led by Representatives Jim Langevin and
Provides statistics, news on congressional cyberspace actions, and links
Mike McCaul.
to other information websites.
Cybersecurity
White House National Security Council
Links to White House policy statements, key documents, videos, and
blog posts.
Cybersecurity
National Telecommunications & Information
The Department of Commerce‘s Internet Policy Task Force is
Administration (U.S. Department of
conducting a comprehensive review of the nexus between cybersecurity
Commerce)
challenges in the commercial sector and innovation in the Internet
economy.
Cybersecurity and Information System
National Academy of Sciences, Computer
A list of CSTB’s independent and informed reports on cybersecurity and
Trustworthiness
Science and Telecommunications Board
public policy.
President’s National Security
U.S. Department of Homeland Security
NSTAC’s goal is to develop recommendations to the President to
Telecommunications Advisory Committee
assure vital telecommunications links through any event or crisis and to
(NSTAC)
help the U.S. government maintain a reliable, secure, and resilient
national communications posture.
CRS-72
c11173008
.
.
Name Source
Notes
Office of Cybersecurity and Communications
U.S. Department of Homeland Security
CS&C works to prevent or minimize disruptions to critical information
(CS&C)
infrastructure in order to protect the public, the economy, and
government services. CS&C leads efforts to protect the federal “.gov”
domain of civilian government networks and to col aborate with the
private sector—the “.com” domain—to increase the security of critical
networks
Cyber Domain Security and Operations
U.S. Department of Defense
Links to press releases, fact sheets, speeches, announcements, and
videos.
U.S. Cyber-Consequences Unit
U.S. Cyber-Consequences Unit (U.S.-CCU)
U.S.-CCU, a nonprofit 501c(3) research institute, provides assessments
of the strategic and economic consequences of possible cyber-attacks
and cyber-assisted physical attacks. It also investigates the likelihood of
such attacks and examines the cost-effectiveness of possible counter-
measures.
Note: Highlights compiled by CRS from the reports.
CRS-73
c11173008
.
.
Table 16. Related Resources: International Organizations
Name Source
Notes
Center for Internet Security (Australia)
Australian Communications and Media The Australian Internet Security Initiative (AISI) is an antibotnet
Authority
initiative that collects data on botnets in collaboration with
Internet Service Providers (ISPs), and two industry codes of
practice.
Cybercrime
Council of Europe
Links to the Convention on Cybercrime treaty, standards, news,
and related information.
Cybersecurity Gateway
International Telecommunications
ITU’s Cybersecurity Gateway aims to be a collaborative platform,
Union (ITU)
providing and sharing information between partners in civil society,
private sector, governmental and international organizations
working in different work areas of cybersecurity
Cybercrime Legislation - Country Profiles
Council of Europe
These profiles have been prepared within the framework of the
Council of Europe’s Project on Cybercrime in view of sharing
information on cybercrime legislation and assessing the current
state of implementation of the Convention on Cybercrime under
national legislation.
ENISA: Securing Europe’s Information Society
European Network and Information
ENISA inform businesses and citizens in the European Union on
Security Agency (ENISA)
cybersecurity threats, vulnerabilities, and attacks. (Requires free
registration to access.)
International Cyber Security Protection Alliance (ICSPA)
International Cyber Security
A global not-for-profit organization that aims to channel funding,
Protection Alliance (ICSPA)
expertise, and help directly to law enforcement cyber-crime units
around the world.
NATO Cooperative Cyber Defence Centre of Excel ence
North Atlantic Treaty Organization
The Centre is an international effort that currently includes
(CCD COE) (Tallin, Estonia)
(NATO)
Estonia, Latvia, Lithuania, Germany, Hungary, Italy, the Slovak
Republic, and Spain as sponsoring nations, to enhance NATO’s
cyber-defence capability.
Note: Highlights compiled by CRS from the reports.
CRS-74
c11173008
.
.
Table 17. Related Resources: News
Name Source
Computer Security (Cybersecurity)
New York Times
Cybersecurity NextGov.com
Cyberwarfare and Cybersecurity
Benton Foundation
Homeland Security
Congressional Quarterly (CQ)
Cybersecurity
Homeland Security News Wire
Table 18. Related Resources: Other Associations and Institutions
Name
Notes
Council on Cybersecurity
The Council, based in the Washington, DC, area, is the successor organization to the National Board of
Information Security Examiners (NBISE), founded in the United States in 2010 to identify and strengthen the skills
needed to improve the performance of the cybersecurity workforce. The Council will also be home to the U.S.
Cyber Challenge, (formerly a program of NBISE), that works with the cybersecurity community to bring accessible,
compelling programs that motivate students and professionals to pursue education, development, and career
opportunities in cybersecurity.
Cyber Aces Foundation
Offers challenging and realistic cybersecurity competitions, training camps, and educational initiatives through
which high school, college students, and young professionals develop the practical skills needed to excel as
cybersecurity practitioners.
Cybersecurity from the Center for Strategic &
Links to experts, programs, publications, and multimedia. CSIS is a bipartisan, nonprofit organization whose
International Studies (CSIS)
affiliated scholars conduct research and analysis and develop policy initiatives that look to the future and anticipate
change.
Cyberconflict and Cybersecurity Initiative from the
Focuses on the relationship between cyberwar and the existing laws of war and conflict; how the United States
Council on Foreign Relations
should engage other states and international actors in pursuit of its interests in cyberspace; how the promotion of
the free flow of information interacts with the pursuit of cybersecurity; and the private sector’s role in defense,
deterrence, and resilience.
CRS-75
c11173008
.
.
Name
Notes
Cyber Corps: Scholarship For Service (SFS)
Scholarship For Service (SFS) is designed to increase and strengthen the cadre of federal information assurance
professionals that protect the government’s critical information infrastructure. This program provides scholarships
that ful y fund the typical costs that students pay for books, tuition, and room and board while attending an
approved institution of higher learning.
Institute for Information Infrastructure Protection (I3P)
I3P is a consortium of leading universities, national laboratories and nonprofit institutions. I3P assembles multi-
disciplinary and multi-institutional research teams able to bring in-depth analysis to complex and pressing problems.
Research outcomes are shared at I3P-sponsored workshops, professional conferences and in peer-reviewed
journals, as well as via technology transfer to end-users.
Internet Security Alliance (ISA)
ISAalliance is a nonprofit collaboration between the Electronic Industries Alliance (EIA), a federation of trade
associations, and Carnegie Mellon University’s CyLab.
National Association of State Chief Information Officers NASCIO provides state CIOs and state members with products and services designed to support the challenging
(NASCIO)
role of the state CIO, stimulate the exchange of information and promote the adoption of IT best practices and
innovations. The Resource Guide provides examples of state awareness programs and initiatives.
National Initiative for Cybersecurity Education (NICE)
The goal of NICE is to establish an operational, sustainable and continually improving cybersecurity education
program for the nation to use sound cyber practices that will enhance the nation’s security. NIST is leading the
NICE initiative, including more than 20 federal departments and agencies, to ensure coordination, cooperation,
focus, public engagement, technology transfer, and sustainability.
National Security Cyberspace Institute (NSCI)
NSCI provides education, research and analysis services to government, industry, and academic clients aiming to
increase cyberspace awareness, interest, knowledge, and/or capabilities.
U.S. Cyber Challenge (USCC)
USCC’s goal is to find 10,000 of America's best and brightest to fill the ranks of cybersecurity professionals where
their skills can be of the greatest value to the nation.
Source: Highlights compiled by CRS from the reports of related associations and institutions.
CRS-76
c11173008
.
.
Cybersecurity: Authoritative Reports and Resources, by Topic
Author Contact Information
Rita Tehan
Information Research Specialist
rtehan@crs.loc.gov, 7-6739
Key Policy Staff
The following table provides names and contact information for CRS experts on policy issues related to
cybersecurity bills currently being debated in the 113th Congress.
Legislative Issues
Name/Title
Phone
E-mail
Legislation in the 113th Congress
Eric A. Fischer
7-7071
efischer@crs.loc.gov
Critical infrastructure protection
John D. Moteff
7-1435
jmoteff@crs.loc.gov
Chemical industry
Dana Shea
7-6844
dshea@crs.loc.gov
Defense industrial base
Catherine A. Theohary
7-0844
ctheohary@crs.loc.gov
Electricity grid
Richard J. Campbell
7-7905
rcampbell@crs.loc.gov
Financial institutions
N. Eric Weiss
7-6209
eweiss@crs.loc.gov
Industrial control systems
Dana Shea
7-6844
dshea@crs.loc.gov
Cybercrime
Federal laws
Charles Doyle
7-6968
cdoyle@crs.loc.gov
Law enforcement
Kristin M. Finklea
7-6259
kfinklea@crs.loc.gov
Cybersecurity workforce
Wendy Ginsberg
7-3933
wginsberg@crs.loc.gov,
Cyberterrorism
Catherine A. Theohary
7-0844
ctheohary@crs.loc.gov
Cyberwar
Catherine A. Theohary
7-0844
ctheohary@crs.loc.gov
Data breach notification
Gina Stevens
7-2581
gstevens@crs.loc.gov
Economic issues
N. Eric Weiss
7-6209
eweiss@crs.loc.gov
Espionage
Advanced persistent threat
Catherine A. Theohary
7-0844
ctheohary@crs.loc.gov
Economic and industrial
Kristin M. Finklea
7-6259
kfinklea@crs.loc.gov
Legal issues
Brian T. Yeh
7-5182
byeh@crs.loc.gov
State-sponsored
Catherine A. Theohary
7-0844
ctheohary@crs.loc.gov
Federal agency roles
Eric A. Fischer
7-7071
efischer@crs.loc.gov
Chief Information Officers (CIOs)
Patricia Maloney Figliola
7-2508
pfigliola@crs.loc.gov
Commerce
John F. Sargent, Jr.
7-9147
jsargent@crs.loc.gov
Defense (DOD)
Catherine A. Theohary
7-0844
ctheohary@crs.loc.gov
Executive Office of the President (EOP)
John D. Moteff
7-1435
jmoteff@crs.loc.gov
Congressional Research Service
77
c11173008
.
.
Cybersecurity: Authoritative Reports and Resources, by Topic
Legislative Issues
Name/Title
Phone
E-mail
Homeland Security (DHS)
John D. Moteff
7-1435
jmoteff@crs.loc.gov
Intelligence Community (IC)
John Rollins
7-5529
jrollins@crs.loc.gov
Justice (DOJ)
Kristin M. Finklea
7-6259
kfinklea@crs.loc.gov
National Security Agency (NSA)
Catherine A. Theohary
7-0844
ctheohary@crs.loc.gov
Science agencies (NIST, NSF, OSTP)
Eric A. Fischer
7-7071
efischer@crs.loc.gov
Treasury and financial agencies
Rena S. Miller
7-0826
rsmiller@crs.loc.gov
Federal Information Security
John D. Moteff
7-1435
jmoteff@crs.loc.gov
Management Act (FISMA)
Federal Internet monitoring
Richard M. Thompson II
7-8449
rthompson@crs.loc.gov
Hacktivism
Kristin M. Finklea
7-6259
kfinklea@crs.loc.gov
Information sharing
Eric A. Fischer
7-7071
efischer@crs.loc.gov
Antitrust laws
Kathleen Ann Ruane
7-9135
kruane@crs.loc.gov
Civil liability
Edward C. Liu
7-9166
eliu@crs.loc.gov
Classified information
John Rollins
7-5529
jrollins@crs.loc.gov
Freedom of Information Act (FOIA)
Gina Stevens
7-2581
gstevens@crs.loc.gov
Privacy and civil liberties
Gina Stevens
7-2581
gstevens@crs.loc.gov
International cooperation
Defense and diplomatic
Catherine A. Theohary
7-0844
ctheohary@crs.loc.gov
Law enforcement
Kristin M. Finklea
7-6259
kfinklea@crs.loc.gov
National strategy and policy
Eric A. Fischer
7-7071
efischer@crs.loc.gov
National security
John Rollins
7-5529
jrollins@crs.loc.gov
Public/private partnerships
Eric A. Fischer
7-7071
efischer@crs.loc.gov
Supply chain
Eric A. Fischer
7-7071
efischer@crs.loc.gov
Technological issues
Eric A. Fischer
7-7071
efischer@crs.loc.gov
Botnets
Eric A. Fischer
7-7071
efischer@crs.loc.gov
Cloud computing
Patricia Maloney Figliola
7-2508
pfigliola@crs.loc.gov
Mobile devices
Patricia Maloney Figliola
7-2508
pfigliola@crs.loc.gov
Research and development (R&D)
Patricia Maloney Figliola
7-2508
pfigliola@crs.loc.gov
Congressional Research Service
78
c11173008