Cybersecurity: Authoritative Reports and
Resources, by Topic

Rita Tehan
Information Research Specialist
May 30, 2014
Congressional Research Service
7-5700
www.crs.gov
R42507



Summary
This report provides references to analytical reports on cybersecurity from CRS, other
government agencies, trade associations, and interest groups. The reports and related websites are
grouped under the following cybersecurity topics:
• policy overview
• National Strategy for Trusted Identities in Cyberspace (NSTIC)
• cloud computing and FedRAMP
• critical infrastructure
• cybercrime, data breaches, and data security
• national security, cyber espionage, and cyberwar (including Stuxnet)
• international efforts
• education/training/workforce
• research and development (R&D)
In addition, the report lists selected cybersecurity-related websites for congressional and
government agencies, news, international organizations, and organizations or institutions.


Contents
CRS Reports, by Topic
CRS Reports and Other CRS Products: Cybersecurity Policy
CRS Reports: Critical Infrastructure
CRS Reports and Other CRS Products: Cybercrime and National Security
Selected Reports, by Federal Agency
CRS Product: Cybersecurity Framework
Related Resources: Other Websites

Tables
Table 1. Cybersecurity Overview
Table 2. National Strategy for Trusted Identities in Cyberspace (NSTIC)
Table 3. Cloud Computing and FedRAMP
Table 4. Critical Infrastructure
Table 5. Cybercrime, Data Breaches, and Data Security
Table 6. National Security, Cyber Espionage, and Cyberwar
Table 7. International Efforts
Table 8. Education/Training/Workforce
Table 9. Research & Development (R&D)
Table 10. Government Accountability Office (GAO)
Table 11. White House/Office of Management and Budget
Table 12. Department of Defense (DOD)
Table 13. National Institute of Standards and Technology (NIST)
Table 14. Other Federal Agencies
Table 15. State, Local and Tribal Governments
Table 16. Related Resources: Congressional/Government
Table 17. Related Resources: International Organizations
Table 18. Related Resources: News
Table 19. Related Resources: Other Associations and Institutions

Contacts
Author Contact Information
Key Policy Staff


CRS Reports, by Topic [1]
This section provides references to analytical reports on cybersecurity from CRS, other
government agencies, think tanks, trade associations, trade press, and technology research firms.
For each topic, CRS reports are listed first, followed by tables with reports from other
organizations.
CRS Reports and Other CRS Products: Cybersecurity Policy
• CRS Report R42114, Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions, by Eric A. Fischer
• CRS Report R41941, The Obama Administration’s Cybersecurity Proposal: Criminal Provisions, by Gina Stevens
• CRS Report R42984, The 2013 Cybersecurity Executive Order: Overview and Considerations for Congress, by Eric A. Fischer et al.
• CRS Report R40150, A Federal Chief Technology Officer in the Obama Administration: Options and Issues for Consideration, by John F. Sargent Jr.
• CRS Report R42409, Cybersecurity: Selected Legal Issues, by Edward C. Liu et al.
• CRS Report R42887, Overview and Issues for Implementation of the Federal Cloud Computing Initiative: Implications for Federal Information Technology Reform Management, by Patricia Moloney Figliola and Eric A. Fischer
• CRS Report R43015, Cloud Computing: Constitutional and Statutory Privacy Protections, by Richard M. Thompson II
• CRS Legal Sidebar WSLG478, House Intelligence Committee Marks Up Cybersecurity Bill CISPA, by Richard M. Thompson II
• CRS Legal Sidebar WSLG263, Can the President Deal with Cybersecurity Issues via Executive Order?, by Vivian S. Chu


[1] For information on legislation and hearings in the 112th-113th Congresses, and Executive Orders and Presidential Directives, see CRS Report R43317, Cybersecurity: Legislation, Hearings, and Executive Branch Documents, by Rita Tehan.


Table 1. Cybersecurity Overview

Title: Defending an Open, Global, Secure, and Resilient Internet
Source: Council on Foreign Relations
Date: June 2013
Pages: 127
Notes: The Task Force recommends that the United States develop a digital policy framework based on four pillars, the last of which is that U.S.-based industry work rapidly to establish an industry-led approach to counter current and future cyberattacks.

Title: Measuring What Matters: Reducing Risk by Rethinking How We Evaluate Cybersecurity
Source: Safegov.org, in coordination with the National Academy of Public Administration
Date: March 2013
Pages: 39
Notes: Report recommends that rather than periodically auditing whether an agency's systems meet the standards enumerated in the Federal Information Security Management Act (FISMA) at a static moment in time, agencies and their inspectors general should keep running scorecards of “cyber risk indicators” based on continual IG assessments of a federal organization's cyber vulnerabilities.

Title: Developing a Framework To Improve Critical Infrastructure Cybersecurity (Federal Register Notice; Request for Information)
Source: National Institute of Standards and Technology (NIST)
Date: February 12, 2013
Pages: 5
Notes: NIST announced the first step in the development of a Cybersecurity Framework, which will be a set of voluntary standards and best practices to guide industry in reducing cyber risks to the networks and computers that are vital to the nation’s economy, security, and daily life.

Title: SEI Emerging Technology Center: Cyber Intelligence Tradecraft Project
Source: Carnegie Mellon University
Date: January 2013
Pages: 23
Notes: This report addresses the endemic problem of functional cyber intelligence analysts not effectively communicating with non-technical audiences. It also notes organizations’ reluctance to share information within their own entities, industries, and across economic sectors.

Title: The National Cyber Security Framework Manual
Source: NATO Cooperative Cyber Defense Center of Excellence
Date: December 11, 2012
Pages: 253
Notes: Provides detailed background information and in-depth theoretical frameworks to help the reader understand the various facets of National Cyber Security, according to different levels of public policy formulation. The four levels of government—political, strategic, operational and tactical/technical—each have their own perspectives on National Cyber Security, and each is addressed in individual sections within the Manual.

Title: 20 Critical Security Controls for Effective Cyber Defense
Source: Center for Strategic & International Studies
Date: November 2012
Pages: 89
Notes: The top 20 security controls from a public-private consortium. Members of the Consortium include NSA, US-CERT, DOD JTF-GNO, the Department of Energy Nuclear Laboratories, Department of State, and DOD Cyber Crime Center, plus commercial forensics experts in the banking and critical infrastructure communities.

Title: Cyber Security Task Force: Public-Private Information Sharing
Source: Bipartisan Policy Center
Date: July 2012
Pages: 24
Notes: Outlines a series of proposals that would enhance information sharing. The recommendations have two major components: (1) mitigation of perceived legal impediments to information sharing, and (2) incentivizing private sector information sharing by alleviating statutory and regulatory obstacles.

Title: Cyber-security: The Vexed Question of Global Rules: An Independent Report on Cyber-Preparedness Around the World
Source: McAfee and the Security Defense Agenda
Date: February 2012
Pages: 108
Notes: The report examines the current state of cyber-preparedness around the world, and is based on survey results from 80 policy-makers and cybersecurity experts in the government, business, and academic sectors from 27 countries. The countries were ranked on their state of cyber-preparedness.

Title: Mission Critical: A Public-Private Strategy for Effective Cybersecurity
Source: Business Roundtable
Date: October 11, 2011
Pages: 28
Notes: Report suggests, “[p]ublic policy solutions must recognize the absolute importance of leveraging policy foundations that support effective global risk management, in contrast to ‘check-the-box’ compliance approaches that can undermine security and cooperation.” The document concludes with specific policy proposals and activity commitments.

Title: World Cybersecurity Technology Research Summit (Belfast 2011)
Source: Centre for Secure Information Technologies (CSIT)
Date: September 12, 2011
Pages: 14
Notes: The Belfast 2011 event attracted international cybersecurity experts from leading research institutes, government bodies, and industry who gathered to discuss current cybersecurity threats, predict future threats and the necessary mitigation techniques, and to develop a collective strategy for future research.

Title: A Review of Frequently Used Cyber Analogies
Source: National Security Cyberspace Institute
Date: July 22, 2011
Pages: 7
Notes: From the report, “The current cybersecurity crisis can be described several ways with numerous metaphors. Many compare the current crisis with the lawlessness to that of the Wild West and the out-dated tactics and race to security with the Cold War. When treated as a distressed ecosystem, the work of both national and international agencies to eradicate many infectious diseases serves as a model as how poor health can be corrected with proper resources and execution. Before these issues are discussed, what cyberspace actually is must be identified.”

Title: America’s Cyber Future: Security and Prosperity in the Information Age
Source: Center for a New American Security
Date: May 31, 2011
Pages: 296
Notes: To help U.S. policy makers address the growing danger of cyber insecurity, this two-volume report features chapters on cybersecurity strategy, policy, and technology by some of the world’s leading experts on international relations, national security, and information technology.

Title: Resilience of the Internet Interconnection Ecosystem
Source: European Network and Information Security Agency (ENISA)
Date: April 11, 2011
Pages: 238
Notes: Part I: Summary and Recommendations; Part II: State of the Art Review (a detailed description of the Internet’s routing mechanisms and analysis of their robustness at the technical, economic and policy levels); Part III: Report on the Consultation (a broad range of stakeholders were consulted; this part reports on the consultation and summarizes the results); Part IV: Bibliography and Appendices.

Title: Improving our Nation’s Cybersecurity through the Public-Private Partnership: A White Paper
Source: Business Software Alliance, Center for Democracy & Technology, U.S. Chamber of Commerce, Internet Security Alliance, Tech America
Date: March 8, 2011
Pages: 26
Notes: This paper proposes expanding the existing partnership within the framework of the National Infrastructure Protection Plan. Specifically, it makes a series of recommendations that build upon the conclusions of President Obama’s Cyberspace Policy Review.

Title: Cybersecurity Two Years Later
Source: CSIS Commission on Cybersecurity for the 44th Presidency, Center for Strategic and International Studies
Date: January 2011
Pages: 22
Notes: From the report: “We thought then [in 2008] that securing cyberspace had become a critical challenge for national security, which our nation was not prepared to meet.... In our view, we are still not prepared.”

Title: Toward Better Usability, Security, and Privacy of Information Technology: Report of a Workshop
Source: National Research Council (NRC)
Date: September 21, 2010
Pages: 70
Notes: Discusses computer system security and privacy, their relationship to usability, and research at their intersection. This is drawn from remarks made at the National Research Council’s July 2009 Workshop on Usability, Security and Privacy of Computer Systems as well as reports from the NRC's Computer Science and Telecommunications Board on security and privacy.

Title: National Security Threats in Cyberspace
Source: Joint Workshop of the National Security Threats in Cyberspace and the National Strategy Forum
Date: September 15, 2009
Pages: 37
Notes: The two-day workshop brought together more than two dozen experts with diverse backgrounds: physicists; telecommunications executives; Silicon Valley entrepreneurs; federal law enforcement, military, homeland security, and intelligence officials; congressional staffers; and civil liberties advocates. For two days they engaged in an open-ended discussion of cyber policy as it relates to national security, under Chatham House Rules: their comments were for the public record, but they were not for attribution.

Note: Highlights compiled by the Congressional Research Service (CRS) from the reports.


Table 2. National Strategy for Trusted Identities in Cyberspace (NSTIC)

Title: Identity Ecosystem Framework (IDESG)
Source: IDESG
Date: Ongoing
Pages: N/A
Notes: The NSTIC called for the establishment of a private sector-led steering group to administer the development and adoption of the Identity Ecosystem Framework: the IDESG. The IDESG receives its authority to operate from the active participation of its membership in accordance with the Rules of Association which follow. The IDESG has been initiated with the support of NIST. Following an initial period, the IDESG will transition to a self-sustaining organization.

Title: NIST Awards Grants to Improve Online Security and Privacy
Source: NIST
Date: September 17, 2013
Pages: N/A
Notes: NIST announced more than $7 million in grants to support the NSTIC. The funding will enable five U.S. organizations to develop pilot identity protection and verification systems that offer consumers more privacy, security, and convenience online.

Title: Five Pilot Projects Receive Grants to Promote Online Security and Privacy
Source: NIST
Date: September 20, 2012
Pages: N/A
Notes: NIST announced more than $9 million in grant awards to support the NSTIC. Five U.S. organizations will pilot identity solutions that increase confidence in online transactions, prevent identity theft, and provide individuals with more control over how they share their personal information.

Title: Recommendations for Establishing an Identity Ecosystem Governance Structure
Source: NIST
Date: February 17, 2012
Pages: 51
Notes: NIST responds to comments received in response to the related Notice of Inquiry published in the Federal Register on June 14, 2011. This report summarizes the responses to the NOI and provides recommendations and intended government actions to serve as a catalyst for establishing such a governance structure. The recommendations result from comments and suggestions by the NOI respondents as well as best practices and lessons learned from similarly scoped governance efforts.

Title: Models for a Governance Structure for the National Strategy for Trusted Identities in Cyberspace
Source: NIST
Date: June 14, 2011
Pages: 4
Notes: The department seeks public comment from all stakeholders, including the commercial, academic and civil society sectors, and consumer and privacy advocates, on potential models, in the form of recommendations and key assumptions in the formation and structure of the steering group.

Title: Administration Releases Strategy to Protect Online Consumers and Support Innovation, and Fact Sheet on National Strategy for Trusted Identities in Cyberspace
Source: White House
Date: April 15, 2011
Pages: N/A
Notes: Press release on a proposal to administer the processes for policy and standards adoption for the Identity Ecosystem Framework in accordance with the National Strategy for Trusted Identities in Cyberspace (NSTIC).

Title: National Strategy for Trusted Identities in Cyberspace
Source: White House
Date: April 15, 2011
Pages: 52
Notes: The NSTIC aims to make online transactions more trustworthy, thereby giving businesses and consumers more confidence in conducting business online.

Title: National Strategy for Trusted Identities in Cyberspace: Options for Enhanced Online Security and Privacy (D
Source: White House
Date: June 25, 2010
Pages: 39
Notes: The NSTIC, which is in response to one of the near-term action items in the President’s Cyberspace Policy Review, calls for the creation of an online environment, or an Identity Ecosystem, where individuals and organizations can complete online transactions with confidence, trusting the identities of each other and the identities of the infrastructure where transactions occur.

Note: Highlights compiled by CRS from the reports.


Table 3. Cloud Computing and FedRAMP [2]

Title: About FedRAMP
Source: General Services Administration
Date: Ongoing
Pages: N/A
Notes: FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

Title: Software Defined Perimeter
Source: Cloud Security Alliance
Date: December 1, 2013
Pages: 13
Notes: The Software Defined Perimeter (SDP) initiative by the Cloud Security Alliance aims to make “invisible networks” accessible to a wider range of government agencies and corporations. The initiative will foster development of an architecture for securing the Internet of Things by using the cloud to create highly secure end-to-end networks between any IP-addressable entities.

Title: Delivering on the Promise of Big Data and the Cloud
Source: Booz Allen Hamilton
Date: January 9, 2013
Pages: 7
Notes: From the report, “Reference architecture does away with conventional data and analytics silos, consolidating all information into a single medium designed to foster connections called a ‘data lake,’ which reduces complexity and creates efficiencies that improve data visualization to allow for easier insights by analysts.”

Title: Cloud Computing: An Overview of the Technology and the Issues Facing American Innovators
Source: House Judiciary Comm., Subcom. on Intellectual Property, Competition, and the Internet
Date: July 25, 2012
Pages: 156
Notes: Overview and discussion of cloud computing issues.

Title: Information Technology Reform: Progress Made but Future Cloud Computing Efforts Should be Better Planned
Source: GAO
Date: July 11, 2012
Pages: 43
Notes: GAO recommends that the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury, and the Administrators of the General Services Administration and Small Business Administration, should direct their respective CIOs to establish estimated costs, performance goals, and plans to retire associated legacy systems for each cloud-based service discussed in this report, as applicable.

Title: Cloud Computing Strategy
Source: DOD, Chief Information Officer
Date: July 2012
Pages: 44
Notes: The DOD Cloud Computing Strategy introduces an approach to move the department from the current state of a duplicative, cumbersome, and costly set of application silos to an end state that is an agile, secure, and cost-effective service environment that can rapidly respond to changing mission needs.

Title: A Global Reality: Governmental Access to Data in the Cloud—A Comparative Analysis of Ten International Jurisdictions
Source: Hogan Lovells
Date: May 23, 2012
Pages: 13
Notes: This white paper compares the nature and extent of governmental access to data in the cloud in many jurisdictions around the world.

Title: Policy Challenges of Cross-Border Cloud Computing
Source: U.S. International Trade Commission
Date: May 2012
Pages: 38
Notes: Report examines the main policy challenges associated with cross-border cloud computing—data privacy, security, and ensuring the free flow of information—and the ways that countries are addressing them through domestic policymaking, international agreements, and other cooperative arrangements.

Title: Cloud Computing Synopsis and Recommendations (SP 800-146)
Source: NIST
Date: May 2012
Pages: 81
Notes: NIST’s guide explains cloud technologies in “plain terms” to federal agencies and provides recommendations for IT decision makers.

Title: Global Cloud Computing Scorecard: A Blueprint for Economic Opportunity
Source: Business Software Alliance
Date: February 2, 2012
Pages: 24
Notes: This report notes that while many developed countries have adjusted their laws and regulations to address cloud computing, the wide differences in those rules make it difficult for companies to invest in the technology.

Title: Concept of Operations: FedRAMP
Source: General Services Administration (GSA)
Date: February 7, 2012
Pages: 47
Notes: Implementation of the Federal Risk and Authorization Management Program (FedRAMP) will be in phases. This document describes all the services that will be available at initial operating capability—targeted for June 2012. The Concept of Operations will be updated as the program evolves toward sustained operations.

Title: Federal Risk and Authorization Management Program (FedRAMP)
Source: Federal CIO Council
Date: January 4, 2012
Pages: N/A
Notes: FedRAMP has been established to provide a standard approach to Assessing and Authorizing (A&A) cloud computing services and products.

Title: Security Authorization of Information Systems in Cloud Computing Environments (FedRAMP)
Source: White House/Office of Management and Budget (OMB)
Date: December 8, 2011
Pages: 7
Notes: FedRAMP will now be required for all agencies purchasing storage, applications and other remote services from vendors. The Administration promotes cloud computing as a means to save money and accelerate the government’s adoption of new technologies.

Title: U.S. Government Cloud Computing Technology Roadmap, Volume I, Release 1.0 (Draft): High-Priority Requirements to Further USG Agency Cloud Computing Adoption (SP 500-293)
Source: NIST
Date: December 1, 2011
Pages: 32
Notes: Volume I is aimed at interested parties who wish to gain a general understanding and overview of the background, purpose, context, work, results, and next steps of the U.S. Government Cloud Computing Technology Roadmap initiative.

Title: U.S. Government Cloud Computing Technology Roadmap, Release 1.0 (Draft), Volume II: Useful Information for Cloud Adopters (SP 500-293)
Source: NIST
Date: December 1, 2011
Pages: 85
Notes: Volume II is designed as a technical reference for those actively working on strategic and tactical cloud computing initiatives, including, but not limited to, U.S. government cloud adopters. Vol. II integrates and summarizes the work completed to date and explains how these findings support the roadmap introduced in Vol. I.

Title: Information Security: Additional Guidance Needed to Address Cloud Computing Concerns
Source: GAO
Date: October 6, 2011
Pages: 17
Notes: Twenty-two of 24 major federal agencies reported that they were either concerned or very concerned about the potential information security risks associated with cloud computing. GAO recommended that NIST issue guidance specific to cloud computing security.

Title: Cloud Computing Reference Architecture (SP 500-292)
Source: NIST
Date: September 1, 2011
Pages: 35
Notes: This “Special Publication,” which is not an official U.S. government standard, is designed to provide guidance to specific communities of practitioners and researchers.

Title: Guide to Cloud Computing for Policy Makers
Source: Software and Information Industry Association (SAII)
Date: July 26, 2011
Pages: 27
Notes: The SAII concludes “that there is no need for cloud-specific legislation or regulations to provide for the safe and rapid growth of cloud computing, and in fact, such actions could impede the great potential of cloud computing.”

Title: Federal Cloud Computing Strategy
Source: White House
Date: February 13, 2011
Pages: 43
Notes: The strategy outlines how the federal government can accelerate the safe, secure adoption of cloud computing, and provides agencies with a framework for migrating to the cloud. It also examines how agencies can address challenges related to the adoption of cloud computing, such as privacy, procurement, standards, and governance.

Title: 25 Point Implementation Plan to Reform Federal Information Technology Management
Source: White House
Date: December 9, 2010
Pages: 40
Notes: The plan’s goals are to reduce the number of federally run data centers from 2,100 to approximately 1,300, rectify or cancel one-third of troubled IT projects, and require federal agencies to adopt a “cloud first” strategy in which they will move at least one system to a hosted environment within a year.

Notes: These reports analyze cybersecurity issues related to the federal government’s adoption of cloud computing storage options. Highlights compiled by CRS from the reports.

[2] The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.


CRS Reports: Critical Infrastructure
• CRS Report R42683, Critical Infrastructure Resilience: The Evolution of Policy and
Programs and Issues for Congress, by John D. Moteff
• CRS Report RL30153, Critical Infrastructures: Background, Policy, and Implementation,
by John D. Moteff
• CRS Report R42660, Pipeline Cybersecurity: Federal Policy, by Paul W. Parfomak
• CRS Report R41536, Keeping America’s Pipelines Safe and Secure: Key Issues for
Congress, by Paul W. Parfomak
• CRS Report R41886, The Smart Grid and Cybersecurity—Regulatory Policy and Issues,
by Richard J. Campbell
• CRS Report R42338, Smart Meter Data: Privacy and Cybersecurity, by Brandon J.
Murrill, Edward C. Liu, and Richard M. Thompson II
• CRS Report RL33586, The Federal Networking and Information Technology Research
and Development Program: Background, Funding, and Activities, by Patricia Moloney
Figliola
• CRS Report 97-868, Internet Domain Names: Background and Policy Issues, by Lennard
G. Kruger
• CRS Report IN10027, Open-Source Software and Cybersecurity: The Heartbleed Bug, by
Eric A. Fischer, Catherine A. Theohary, and John W. Rollins



Table 4. Critical Infrastructure
Title Source
Date
Pages
Notes
Cybersecurity for Energy Delivery Systems Program
Department of
ongoing
N/A
The program assists the energy sector asset owners (electric,
(CEDS)
Energy, Office of
oil, and gas) by developing cybersecurity solutions for energy
Electricity
delivery systems through integrated planning and a focused
Delivery &
research and development effort. CEDS co-funds projects with
Energy Reliability
industry partners to make advances in cybersecurity capabilities
for energy delivery systems.
GridEx North
American
ongoing
N/A
The objectives of the NERC Grid Security Exercise (GridEx)
Electric Reliability
series are to use simulated scenarios (with NO real-world
Corporation
effects) to exercise the current readiness of participating
(NERC)
Electricity Sub-sector entities to respond to cyber or physical
security incidents and provide input for security program
improvements to the bulk power system. GridEx is a biennial
international grid security exercise that uses best practices and
other contributions from the Department of Homeland Security,
the Federal Emergency Management Agency, and the National
Institute of Standards and Technology.
Critical Infrastructure Protection Issues Identified in
Federal Energy
April 24, 2014
N/A
FERC will hold a technical meeting on cybersecurity and
Order No. 791
Regulatory
communications security standards for power generators.
Commission
Among other issues, the meeting will consider possible
disjunctures between FERC’s regulatory standards for grid
reliability, and the new voluntary cybersecurity framework for
critical infrastructure that was rolled out by the National
Institute of Standards and Technology (NIST) earlier this year.
Notice of Completion of Notification of Cyber-
DHS Programs
April 17, 2014
3
The Secretary of DHS has been directed to identify critical
Dependent Infrastructure and Process for Requesting
Directorate
infrastructure where a cybersecurity incident could reasonably
Reconsideration of Determinations of Cyber Criticality
result in catastrophic regional or national effects on public health
or safety, economic security, or national security. In addition to
identifying such infrastructure, the Secretary has also been
directed to confidentially notify owners and operators of critical
infrastructure identified and establish a mechanism through
which entities can request reconsideration of that identification,
whether inclusion or exclusion from this list. This notice informs
owners and operators of critical infrastructure that the
confidential notification process is complete and describes the
process for requesting reconsideration.
CRS-13

Title: Cybersecurity Procurement Language for Energy Delivery Systems
Source: DOE Energy Sector Control Systems Working Group
Date: April 2014
Pages: 46
Notes: The guidance suggests procurement strategies and contract language to help U.S. energy companies and technology suppliers “build in cybersecurity protections during product design and manufacturing.” The guidance was “developed through a public-private working group including federal agencies and private industry leaders.”

Title: Cybersecurity and the North American Electric Grid: New Policy Approaches to Address an Evolving Threat
Source: Bipartisan Policy Center
Date: February 28, 2014
Notes: BPC’s initiative identifies urgent priorities, including strengthening existing protections, enhancing coordination at all levels, and accelerating the development of robust protocols for response and recovery in the event of a successful attack. The initiative developed recommendations in four policy areas: standards and best practices, information sharing, response to a cyberattack, and paying for cybersecurity. The recommendations are targeted to Congress, federal government agencies, state public utility commissions (PUCs), and industry.

Title: Framework for Improving Critical Infrastructure Cybersecurity
Source: NIST
Date: February 12, 2014
Pages: 41
Notes: The voluntary framework consists of cybersecurity standards that can be customized to various sectors and adapted by both large and small organizations. Additionally, so that the private sector may fully adopt this Framework, the Department of Homeland Security announced the Critical Infrastructure Cyber Community (C3, or “C-cubed”) Voluntary Program. The C3 program gives companies that provide critical services (cell phones, email, banking, energy) and state and local governments direct access to cybersecurity experts within DHS who have knowledge about specific threats, ways to counter those threats, and how, over the long term, to design and build systems that are less vulnerable to cyber threats.

Title: ITI Recommendations to the Department of Homeland Security Regarding its Work Developing a Voluntary Program Under Executive Order 13636, “Improving Critical Infrastructure Cybersecurity”
Source: Information Technology Industry Council
Date: February 11, 2014
Pages: 3
Notes: ITI released a set of recommendations eying further improvement of the framework, changes that call for DHS to “de-emphasize the current focus on incentives.” Partly, ITI recognizes the cyber order can produce change even in an environment in which fiscal constraints and congressional inaction stall carrots for adoption; but a bigger business argument, made in its report, is that ITI and others do not want incentives if they come at the cost of “compliance-based programs.”
Title: The Federal Government’s Track Record on Cybersecurity and Critical Infrastructure
Source: Senate Homeland Security and Governmental Affairs Committee (Minority Staff)
Date: February 4, 2014
Pages: 19
Notes: Since 2006, the federal government has spent at least $65 billion on securing its computers and networks, according to an estimate by the Congressional Research Service (CRS). The National Institute of Standards and Technology (NIST), the government’s official body for setting cybersecurity standards, has produced thousands of pages of precise guidance on every significant aspect of IT security. And yet agencies—even agencies with responsibilities for critical infrastructure, or vast repositories of sensitive data—continue to leave themselves vulnerable, often by failing to take the most basic steps toward securing their systems and information.

Title: NIPP 2013: Partnering for Critical Infrastructure Security and Resilience
Source: Department of Homeland Security
Date: 2013
Pages: 57
Notes: NIPP 2013 meets the requirements of Presidential Policy Directive-21: Critical Infrastructure Security and Resilience, signed in February 2013. The Plan was developed through a collaborative process involving stakeholders from all 16 critical infrastructure sectors, all 50 states, and all levels of government and industry. It provides a clear call to action to leverage partnerships, innovate for risk management, and focus on outcomes.

Title: World Federation of Exchanges (WFE) Launches Global Cyber Security Committee
Source: World Federation of Exchanges
Date: December 12, 2013
Pages: N/A
Notes: The WFE announced the launch of the exchange industry’s first cybersecurity committee, with a mission to aid in the protection of the global capital markets. The working group will bring together representation from a number of exchanges and clearinghouses across the globe to collaborate on best practices in global security.

Title: The Critical Infrastructure Gap: U.S. Port Facilities and Cyber Vulnerabilities
Source: Brookings Institution/Center for 21st Century Security and Intelligence
Date: July 2013
Pages: 50
Notes: The study argues that the level of cybersecurity awareness and culture in U.S. port facilities is relatively low and that a cyberattack at a major U.S. port would quickly cause significant damage to the economy.

Title: FFIEC Forms Cybersecurity and Critical Infrastructure Working Group
Source: Federal Financial Institutions Examination Council (FFIEC)
Date: June 6, 2013
Pages: 2
Notes: FFIEC formed a working group to further promote coordination across the federal and state banking regulatory agencies on critical infrastructure and cybersecurity issues.

Title: Electric Grid Vulnerability: Industry Responses Reveal Security Gaps
Source: Rep. Edward Markey and Rep. Henry Waxman
Date: May 21, 2013
Pages: 35
Notes: The report found that less than a quarter of investor-owned utilities and less than half of municipal and cooperative-owned utilities followed through with voluntary standards issued by the Federal Energy Regulatory Commission after the Stuxnet worm struck in 2010.
Title: Initial Analysis of Cybersecurity Framework RFI Responses
Source: NIST
Date: May 20, 2013
Pages: 33
Notes: Comments on the challenges of protecting the nation’s critical infrastructure have identified a handful of issues for the more than 200 people and organizations who responded to a formal request for information. NIST has released an initial analysis of 243 responses to the Feb. 26 RFI. The analysis will form the basis for an upcoming workshop at Carnegie Mellon University in Pittsburgh as NIST moves forward on creating a cybersecurity framework for essential energy, utility, and communications systems.

Title: Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition, Notice of Request for Information
Source: General Services Administration
Date: May 13, 2013
Pages: 3
Notes: Among other things, PPD-21 requires the General Services Administration, in consultation with DOD and DHS, to jointly provide and support government-wide contracts for critical infrastructure systems and ensure that such contracts include audit rights for the security and resilience of critical infrastructure.

Title: 2013 Annual Report
Source: Financial Stability Oversight Council (FSOC)
Date: April 25, 2013
Pages: 195
Notes: Under the Dodd-Frank Act, the Council must report annually to Congress on a range of issues, including significant financial market and regulatory developments, and potential emerging threats to the financial stability of the United States. The Council’s recommendations address heightened risk management and supervisory attention to operational risks, including cybersecurity and infrastructure.

Title: Version 5 Critical Infrastructure Protection Reliability Standards (Notice of Proposed Rulemaking)
Source: Federal Energy Regulatory Commission
Date: April 24, 2013
Pages: 18
Notes: FERC proposes to approve the Version 5 Critical Infrastructure Protection Reliability Standards, CIP-002-5 through CIP-011-1, submitted by the North American Electric Reliability Corporation, the commission-certified Electric Reliability Organization. The proposed Reliability Standards, which pertain to the cybersecurity of the bulk electric system, represent an improvement over the current commission-approved CIP Reliability Standards as they adopt new cybersecurity controls and extend the scope of the systems that are protected by the CIP Reliability Standards.
Title: Wireless Cybersecurity
Source: Syracuse University (New York), Dept. of Electrical Engineering and Computer Science
Date: April 2013
Pages: 167
Notes: This project dealt with various threats in wireless networks, including eavesdropping in a broadcast channel, non-cooperative eavesdropping in a single-source single-sink planar network, and primary user emulation attack in a cognitive radio network. The major contributions were: detailed analysis of the performance trade-off in the presence of the eavesdropping threat; a combined encoding and routing approach that provides provable security against non-cooperating eavesdropping; and a physical layer approach to counter the primary user emulation attack. The research results under this effort significantly advanced our understanding of some of the fundamental trade-offs among various performance metrics in a wireless system. Practically feasible wireless security measures were also obtained that could lead to more assured operations in which secured wireless networks play an indispensable role. This project led to one PhD dissertation, one pending patent application, two archival journal papers, and a number of peer-reviewed conference papers.

Title: Incentives To Adopt Improved Cybersecurity Practices
Source: NIST and the National Telecommunications and Information Administration
Date: March 28, 2013
Pages: N/A
Notes: The Department of Commerce (DOC) is investigating ways to incentivize companies and organizations to improve their cybersecurity. To better understand what stakeholders—such as companies, trade associations, academics, and others—believe would best serve as incentives, the department has released a series of questions to gather public comments in a Notice of Inquiry.

Title: Cybersecurity: The Nation’s Greatest Threat to Critical Infrastructure
Source: U.S. Army War College
Date: March 2013
Pages: 38
Notes: This paper provides a background of what constitutes national critical infrastructure and Critical Infrastructure Protection (CIP); discusses the immense vulnerabilities, threats, and risks associated with the protection of critical infrastructure; and outlines governance and responsibilities for protecting vulnerable infrastructure. The paper makes recommendations for federal responsibilities and legislation to direct national critical infrastructure efforts to ensure national security, public safety, and economic stability.

Title: SCADA and Process Control Security Survey
Source: SANS Institute
Date: February 1, 2013
Pages: 19
Notes: SANS Institute surveyed professionals who work with SCADA and process control systems. Of the nearly 700 respondents, 70% said they consider their SCADA systems to be at high or severe risk; one-third of them suspect that they have already been infiltrated.
Title: Follow-up Audit of the Department’s Cyber Security Incident Management Program
Source: U.S. Department of Energy Inspector General’s Office
Date: December 2012
Pages: 25
Notes: In 2008, an audit of the Department’s Cyber Security Incident Management Program (DOE/IG-0787, January 2008) reported that the department and the National Nuclear Security Administration (NNSA) had established and maintained a number of independent, at least partially duplicative, cybersecurity incident management capabilities. Several issues were identified that limited the efficiency and effectiveness of the department’s cybersecurity incident management program and adversely affected the ability of law enforcement to investigate incidents. In response to the finding, management concurred with the recommendations and indicated that it had initiated actions to address the issues identified.

Title: Terrorism and the Electric Power Delivery System
Source: National Academies of Science
Date: November 2012
Pages: 146
Notes: Focuses on measures that could make the electric power delivery system less vulnerable to attacks, restore power faster after an attack, and make critical services less vulnerable when the delivery of conventional electric power has been disrupted.

Title: New FERC Office to Focus on Cyber Security
Source: U.S. Department of Energy
Date: September 20, 2012
Pages: N/A
Notes: The Federal Energy Regulatory Commission (FERC) announced the creation of the agency’s new Office of Energy Infrastructure Security, which will work to reduce threats to the electric grid and other energy facilities. The goal is for the office to help FERC, other agencies, and private companies better identify potential dangers and solutions.

Title: Canvassing the Targeting of Energy Infrastructure: The Energy Infrastructure Attack Database
Source: Journal of Energy Security
Date: August 7, 2012
Pages: 8
Notes: The Energy Infrastructure Attack Database (EIAD) is a non-commercial dataset that structures information on reported (criminal and political) attacks on energy infrastructure (EI) worldwide since 1980 by non-state actors. In building this resource, the objective was to develop a product that could be broadly accessible and also connect to existing available resources.

Title: Smart-Grid Security
Source: Center for Infrastructure Protection and Homeland Security, George Mason School of Law
Date: August 2012
Pages: 26
Notes: Highlights the significance of and the challenges with securing the smart grid.
Title: Cybersecurity: Challenges in Securing the Electricity Grid
Source: GAO
Date: July 17, 2012
Pages: 25
Notes: In a prior report, GAO made recommendations related to electricity grid modernization efforts, including developing an approach to monitor compliance with voluntary standards. These recommendations have not yet been implemented.

Title: Energy Department Develops Tool with Industry to Help Utilities Strengthen Their Cybersecurity Capabilities
Source: U.S. Department of Energy
Date: June 28, 2012
Pages: N/A
Notes: The Cybersecurity Self-Evaluation Tool uses best practices that were developed for the Electricity Subsector Cybersecurity Capability Maturity Model Initiative, which involved a series of workshops with the private sector to draft a maturity model that can be used throughout the electric sector to better protect the grid.

Title: ICS-CERT Incident Response Summary Report, 2009-2011
Source: U.S. Industrial Control System Cyber Emergency Response Team (ICS-CERT)
Date: May 9, 2012
Pages: 17
Notes: The number of reported cyberattacks on U.S. critical infrastructure increased sharply, from 9 incidents in 2009 to 198 in 2011; water sector-specific incidents, when added to the incidents that affected several sectors, accounted for more than half of the incidents; in more than half of the most serious cases, implementing best practices such as login limitation or a properly configured firewall would have deterred the attack, reduced the time it would have taken to detect an attack, and minimized its impact.

Title: Cybersecurity Risk Management Process (Electricity Subsector)
Source: Department of Energy, Office of Electricity Delivery & Energy Reliability
Date: May 2012
Pages: 96
Notes: The guideline describes a risk management process that is targeted to the specific needs of electricity sector organizations. The objective of the guideline is to build upon existing guidance and requirements to develop a flexible risk management process tuned to the diverse missions, equipment, and business needs of the electric power industry.

Title: ICT Applications for the Smart Grid: Opportunities and Policy Implications
Source: Organization for Economic Co-operation and Development (OECD)
Date: January 10, 2012
Pages: 44
Notes: This report discusses “smart” applications of information and communication technologies (ICTs) for more sustainable energy production, management, and consumption. The report outlines policy implications for government ministries dealing with telecommunications regulation, ICT sector and innovation promotion, and consumer and competition issues.

Title: The Department’s Management of the Smart Grid Investment Grant Program
Source: Department of Energy (DOE) Inspector General
Date: January 20, 2012
Pages: 21
Notes: According to the Inspector General, DOE’s rush to award stimulus grants for projects under the next generation of the power grid, known as the Smart Grid, resulted in some firms receiving funds without submitting complete plans for how to safeguard the grid from cyberattacks.
Title: Critical Infrastructure Protection: Cybersecurity Guidance Is Available, but More Can Be Done to Promote Its Use
Source: Government Accountability Office (GAO)
Date: December 9, 2011
Pages: 77
Notes: According to GAO, given the plethora of guidance available, individual entities within the sectors may be challenged in identifying the guidance that is most applicable and effective in improving their security posture. Improved knowledge of the available guidance could help both federal and private-sector decision makers better coordinate their efforts to protect critical cyber-reliant assets.

Title: The Future of the Electric Grid
Source: Massachusetts Institute of Technology (MIT)
Date: December 5, 2011
Pages: 39
Notes: Chapter 1 provides an overview of the status of the grid, the challenges and opportunities it will face, and major recommendations. To facilitate selective reading, detailed descriptions of the contents of each section in Chapters 2–9 are provided in each chapter’s introduction, and recommendations are collected and briefly discussed in each chapter’s final section. (See Chapter 9, Data Communications, Cybersecurity, and Information Privacy, pages 208-234.)

Title: FCC’s Plan for Ensuring the Security of Telecommunications Networks
Source: Federal Communications Commission (FCC)
Date: June 3, 2011
Pages: 1
Notes: FCC Chairman Genachowski’s response to a letter from Rep. Anna Eshoo dated November 2, 2010, regarding concerns about the implications of foreign-controlled telecommunications infrastructure companies providing equipment to the U.S. market.

Title: Cyber Infrastructure Protection
Source: U.S. Army War College
Date: May 9, 2011
Pages: 324
Notes: Part 1 deals with strategic and policy cybersecurity-related issues and discusses the theory of cyberpower, Internet survivability, large-scale data breaches, and the role of cyberpower in humanitarian assistance. Part 2 covers social and legal aspects of cyber infrastructure protection and discusses the attack dynamics of politically and religiously motivated hackers. Part 3 discusses the technical aspects of cyber infrastructure protection, including the resilience of data centers and intrusion detection, with a strong emphasis on Internet protocol (IP) networks.

Title: In the Dark: Crucial Industries Confront Cyberattacks
Source: McAfee and Center for Strategic and International Studies (CSIS)
Date: April 21, 2011
Pages: 28
Notes: The study reveals an increase in cyberattacks on critical infrastructure such as power grids, oil, gas, and water; it also shows that many of the world’s critical infrastructures lacked protection of their computer networks, and reveals the cost and impact of cyberattacks.
Title: Cybersecurity: Continued Attention Needed to Protect Our Nation’s Critical Infrastructure and Federal Information Systems
Source: Government Accountability Office (GAO)
Date: March 16, 2011
Pages: 17
Notes: According to GAO, executive branch agencies have made progress instituting several government-wide initiatives that are aimed at bolstering aspects of federal cybersecurity, such as reducing the number of federal access points to the Internet, establishing security configurations for desktop computers, and enhancing situational awareness of cyber events. Despite these efforts, the federal government continues to face significant challenges in protecting the nation’s cyber-reliant critical infrastructure and federal information systems.

Title: Federal Energy Regulatory Commission’s Monitoring of Power Grid Cyber Security
Source: Department of Energy Office of Inspector General
Date: January 26, 2011
Pages: 30
Notes: NERC developed Critical Infrastructure Protection (CIP) cybersecurity reliability standards, which were approved by FERC in January 2008. Although the commission had taken steps to ensure CIP cybersecurity standards were developed and approved, the audit’s testing revealed that such standards did not always include controls commonly recommended for protecting critical information systems. In addition, the CIP standards implementation approach and schedule approved by the commission were not adequate to ensure that systems-related risks to the nation’s power grid were mitigated or addressed in a timely manner.

Title: Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed
Source: Government Accountability Office (GAO)
Date: January 12, 2011
Pages: 50
Notes: “To reduce the risk that NIST’s smart grid cybersecurity guidelines will not be as effective as intended, the Secretary of Commerce should direct the Director of NIST to finalize the agency’s plan for updating and maintaining the cybersecurity guidelines, including ensuring it incorporates (1) missing key elements identified in this report, and (2) specific milestones for when efforts are to be completed. Also, as a part of finalizing the plan, the Secretary of Commerce should direct the Director of NIST to assess whether any cybersecurity challenges identified in this report should be addressed in the guidelines.”

Title: Partnership for Cybersecurity Innovation
Source: White House (Office of Science & Technology Policy)
Date: December 6, 2010
Pages: 4
Notes: The Obama Administration released a Memorandum of Understanding signed by DOC’s NIST, DHS’s Science and Technology Directorate (DHS/S&T), and the Financial Services Sector Coordinating Council (FSSCC). The goal of the agreement is to speed up the commercialization of cybersecurity research innovations that support the nation’s critical infrastructures.
Title: WIB Security Standard Released
Source: International Instrument Users Association (WIB)
Date: November 10, 2010
Notes: The Netherlands-based WIB, an international organization that represents global manufacturers in the industrial automation industry, announced the second version of the Process Control Domain Security Requirements For Vendors document, the first international standard that outlines a set of specific requirements focusing on cybersecurity best practices for suppliers of industrial automation and control systems.

Title: Information Security Management System for Microsoft Cloud Infrastructure
Source: Microsoft
Date: November 2010
Pages: 15
Notes: This study describes the standards Microsoft follows to address current and evolving cloud security threats. It also depicts the internal structures within Microsoft that handle cloud security and risk management issues.

Title: NIST Finalizes Initial Set of Smart Grid Cyber Security Guidelines
Source: National Institute of Standards and Technology (NIST)
Date: September 2, 2010
Pages: N/A
Notes: NIST released a three-volume set of recommendations relevant to securing the Smart Grid. The guidelines address a variety of topics, including high-level security requirements, a risk assessment framework, an evaluation of privacy issues in residences, and recommendations for protecting the evolving grid from attacks, malicious code, cascading errors, and other threats.

Title: Critical Infrastructure Protection: Key Private and Public Cyber Expectations Need to Be Consistently Addressed
Source: Government Accountability Office (GAO)
Date: July 15, 2010
Pages: 38
Notes: Private-sector stakeholders reported that they expect their federal partners to provide usable, timely, and actionable cyber threat information and alerts; access to sensitive or classified information; a secure mechanism for sharing information; security clearances; and a single centralized government cybersecurity organization to coordinate government efforts. However, according to private sector stakeholders, federal partners are not consistently meeting these expectations.

Title: The Future of Cloud Computing
Source: Pew Research Center’s Internet & American Life Project
Date: June 11, 2010
Pages: 26
Notes: Technology experts and stakeholders expect they will “live mostly in the cloud” in 2020 and not on the desktop, working mostly through cyberspace-based applications accessed through networked devices.

Title: The Reliability of Global Undersea Communications Cable Infrastructure (The ROGUCCI Report)
Source: IEEE/EastWest Institute
Date: May 26, 2010
Pages: 186
Notes: This study submits 12 major recommendations to the private sector, governments, and other stakeholders—especially the financial sector—for the purpose of improving the reliability, robustness, resilience, and security of the world’s undersea communications cable infrastructure.
Title: NSTB Assessments Summary Report: Common Industrial Control System Cyber Security Weaknesses
Source: Department of Energy, Idaho National Laboratory
Date: May 2010
Pages: 123
Notes: Computer networks controlling the electric grid are plagued with security holes that could allow intruders to redirect power delivery and steal data. Many of the security vulnerabilities are strikingly basic and fixable problems.

Title: Explore the reliability and resiliency of commercial broadband communications networks
Source: Federal Communications Commission (FCC)
Date: April 21, 2010
Pages: N/A
Notes: The FCC launched an inquiry into the ability of existing broadband networks to withstand significant damage or severe overloads as a result of natural disasters, terrorist attacks, pandemics, or other major public emergencies, as recommended in the National Broadband Plan.

Title: Security Guidance for Critical Areas of Focus in Cloud Computing V2.1
Source: Cloud Security Alliance
Date: December 2009
Pages: 76
Notes: From the report, “Through our focus on the central issues of cloud computing security, we have attempted to bring greater clarity to an otherwise complicated landscape, which is often filled with incomplete and oversimplified information. Our focus ... serves to bring context and specificity to the cloud computing security discussion: enabling us to go beyond gross generalizations to deliver more insightful and targeted recommendations.”

Title: 21 Steps to Improve Cyber Security of SCADA Networks
Source: U.S. Department of Energy, Infrastructure Security and Energy Restoration
Date: January 1, 2007
Pages: 10
Notes: The President’s Critical Infrastructure Protection Board and the Department of Energy have developed steps to help any organization improve the security of its SCADA networks. The steps are divided into two categories: specific actions to improve implementation, and actions to establish essential underlying management processes and policies.
Note: Highlights compiled by CRS from the reports.

CRS Reports and Other CRS Products: Cybercrime and National Security
• CRS Report 97-1025, Cybercrime: An Overview of the Federal Computer Fraud and
Abuse Statute and Related Federal Criminal Laws, by Charles Doyle
• CRS Report 94-166, Extraterritorial Application of American Criminal Law, by Charles
Doyle
• CRS Report R42403, Cybersecurity: Cyber Crime Protection Security Act (S. 2111, 112th
Congress)—A Legal Analysis, by Charles Doyle
• CRS Report 98-326, Privacy: An Overview of Federal Statutes Governing Wiretapping
and Electronic Eavesdropping, by Gina Stevens and Charles Doyle
• CRS Report RL32706, Spyware: Background and Policy Issues for Congress, by Patricia
Moloney Figliola
• CRS Report R41975, Illegal Internet Streaming of Copyrighted Content: Legislation in
the 112th Congress, by Brian T. Yeh
• CRS Report R42112, Online Copyright Infringement and Counterfeiting: Legislation in
the 112th Congress, by Brian T. Yeh
• CRS Report R40599, Identity Theft: Trends and Issues, by Kristin Finklea
• CRS Report R41927, The Interplay of Borders, Turf, Cyberspace, and Jurisdiction:
Issues Confronting U.S. Law Enforcement, by Kristin Finklea
• CRS Report RL34651, Protection of Children Online: Federal and State Laws
Addressing Cyberstalking, Cyberharassment, and Cyberbullying, by Alison M. Smith
• CRS Report R42547, Cybercrime: Conceptual Issues for Congress and U.S. Law
Enforcement, by Kristin Finklea and Catherine A. Theohary
• CRS Report R43382, Data Security and Credit Card Thefts: CRS Experts, by Eric A.
Fischer
• CRS Legal Sidebar WSLG399, Legal Barriers to an Expanded Role of the Military in
Defending Against Domestic Cyberattacks, by Andrew Nolan
• CRS Legal Sidebar WSLG483, Obstacles to Private Sector Cyber Threat Information
Sharing, by Edward C. Liu
• CRS Legal Sidebar WSLG672, Online Banking Fraud: Liability for Unauthorized
Payment from Business Checking Account, by M. Maureen Murphy
• CRS Legal Sidebar WSLG831, Federal Securities Laws and Recent Data Breaches, by
Michael V. Seitzinger

Table 5. Cybercrime, Data Breaches, and Data Security

Title: ThreatWatch
Source: NextGov
Date: Ongoing
Pages: N/A
Notes: ThreatWatch is a snapshot of the data breaches hitting organizations and individuals, globally, on a daily basis. It is not an authoritative list, since many compromises are never reported or even discovered. The information is based on accounts published by outside news organizations and researchers.

Title: Criminal Underground Economy Series
Source: Trend Micro
Date: Ongoing
Pages: N/A
Notes: A review of various cybercrime markets around the world.

Title: 2014 U.S. State of Cybercrime Survey
Source: PwC, CSO Magazine, the CERT Division of the Software Engineering Institute at Carnegie Mellon University, and the U.S. Secret Service
Date: May 29, 2014
Pages: 21
Notes: The cybersecurity programs of U.S. organizations do not rival the persistence, tactical skills, and technological prowess of their potential cyber adversaries. This year, three in four (77%) respondents to the survey detected a security event in the past 12 months, and more than a third (34%) said the number of security incidents detected increased over the previous year.

Title: Privileged User Abuse & The Insider Threat (Requires free registration to access.)
Source: Ponemon Institute and Raytheon
Date: May 21, 2014
Pages: 32
Notes: The report looks at what companies are doing right and the vulnerabilities that need to be addressed with policies and technologies. One big problem is the difficulty of knowing whether an action taken by an insider is truly a threat. Sixty-nine percent of respondents say they do not have enough contextual information from security tools to make this assessment, and 56% say security tools yield too many false positives.

Title: Online Advertising and Hidden Hazards to Consumer Security and Data Privacy
Source: Senate Permanent Subcommittee on Investigations
Date: May 15, 2014
Pages: 47
Notes: The report found consumers could expose themselves to malware just by visiting a popular website. It noted that the complexity of the industry made it possible for both advertisers and host websites to defer responsibility and that consumer safeguards failed to protect against online abuses. The report also warned that current practices do not create enough incentives for “online advertising participants” to take preventive measures.

Title: Sharing Cyberthreat Information Under 18 USC § 2702(a)(3)
Source: Department of Justice
Date: May 9, 2014
Pages: 7
Notes: The Department of Justice issued guidance for Internet service providers to assuage legal concerns about information sharing. The white paper interprets the Stored Communications Act, which prohibits providers from voluntarily disclosing customer information to governmental entities. The white paper says that the law does not prohibit companies from divulging data in the aggregate, without any specific details about identifiable customers.
Title: The Rising Strategic Risks of Cyberattacks
Source: McKinsey & Company
Date: May 2014
Pages: N/A
Notes: Companies are struggling with their capabilities in cyberrisk management. As highly visible breaches occur with growing regularity, most technology executives believe that they are losing ground to attackers. Organizations large and small lack the facts to make effective decisions, and traditional “protect the perimeter” technology strategies are proving insufficient.

Title: Big Data: Seizing Opportunities, Preserving Values
Source: White House
Date: May 2014
Pages: 85
Notes: The findings include a set of consumer protection recommendations, such as national data-breach legislation, and a fresh call for baseline consumer-privacy legislation first recommended in 2012.

Title: The Target Breach, by the Numbers
Source: Krebs on Security
Date: May 6, 2014
Pages: N/A
Notes: A synthesis of numbers associated with the Target data breach disclosed on December 19, 2013 (e.g., number of records stolen, estimated dollar cost to credit unions and community banks, amount of money Target estimates it will spend upgrading payment terminals to support Chip-and-PIN enabled cards).

Title: Heartbleed’s Impact
Source: Pew Research Center
Date: April 30, 2014
Pages: 13
Notes: The Heartbleed security flaw in OpenSSL, one of the most widely used SSL/TLS (“secure socket”) encryption libraries on the Internet, had an impact on a notable share of Internet users. Some 60% of adults (and 64% of Internet users) said they had heard about the bug. Some 19% of adults said they had heard “a lot” about it and 41% said they had heard “a little” about it. By comparison, though, the Heartbleed story drew much less intensity and scope of attention than other big news stories.

Title: Russian Underground Revisited
Source: Trend Micro
Date: April 28, 2014
Pages: 25
Notes: The price of malicious software—designed to enable online bank fraud, identity theft, and other cybercrimes—is falling “dramatically” in some of the Russian-language criminal markets in which it is sold. Falling prices are not a result of declining demand but rather reflect an increasingly sophisticated marketplace. This report outlines the products and services being sold and what their prices are.

Title: A “Kill Chain” Analysis of the 2013 Target Data Breach
Source: Senate Commerce Committee
Date: March 26, 2014
Pages: 18
Notes: This report analyzes what has been reported to date about the Target data breach, using the “intrusion kill chain” framework, an analytical tool introduced by Lockheed Martin security researchers in 2011 and today widely used by information security professionals in both the public and the private sectors. This analysis suggests that Target missed a number of opportunities along the kill chain to stop the attackers and prevent the massive data breach.
Title: Markets for Cybercrime Tools and Stolen Data
Source: RAND Corp. National Security Research Division and Juniper Networks
Date: March 25, 2014
Pages: 83
Notes: This report, part of a multiphase study on the future security environment, describes the fundamental characteristics of the criminal activities in cyberspace markets and how they have grown into their current state, to explain how their existence can harm the information security environment.

Title: Merchant and Financial Trade Associations Announce Cybersecurity Partnership
Source: Retail Industry Leaders Association
Date: February 13, 2014
Pages: N/A
Notes: Trade associations representing the merchant and financial services industries announced a new cybersecurity partnership. The partnership will focus on exploring paths to increased information sharing, better card security technology, and maintaining the trust of customers. Discussion regarding the partnership was initiated by the Retail Industry Leaders Association (RILA) and the Financial Services Roundtable (FSR), joined by the American Bankers Association (ABA), the American Hotel & Lodging Association (AH&LA), The Clearing House (TCH), the Consumer Bankers Association (CBA), the Food Marketing Institute (FMI), the Electronic Transactions Association (ETA), the Independent Community Bankers of America (ICBA), the International Council of Shopping Centers (ICSC), the National Association of Convenience Stores (NACS), the National Grocers Association (NGA), the National Restaurant Association (NRA), and the National Retail Federation (NRF).

Title: FTC Statement Marking the FTC’s 50th Data Security Settlement
Source: Federal Trade Commission
Date: January 31, 2014
Pages: 2
Notes: The FTC announces its 50th data security settlement. What started in 2002 with a single case applying established FTC Act precedent to the area of data security has grown into an enforcement program that has helped to increase protections for consumers and has encouraged companies to make safeguarding consumer data a priority.

Title: Worst Practices Guide to Insider Threats: Lessons from Past Mistakes
Source: American Academy of Arts & Sciences
Date: January 2014
Pages: 32
Notes: From the report: “Here, we are presenting a kind of ‘worst practices’ guide of serious mistakes made in the past regarding
insider threats. While each situation is unique, and serious insider
problems are relatively rare, the incidents we describe reflect
issues that exist in many contexts and that every nuclear security
manager should consider. Common organizational practices—such
as prioritizing production over security, failure to share
information across subunits, inadequate rules or inappropriate
waiving of rules, exaggerated faith in group loyalty, and excessive
focus on external threats—can be seen in many past failures to
protect against insider threats."
CRS-27


ENISA Threat Landscape 2013 – Overview of Current and Emerging Cyber-Threats | European Union Agency for Network and Information Security (ENISA) | December 11, 2013 | 70
The report is a collection of top cyber-threats that have been assessed in the reporting period (i.e., within 2013). ENISA has collected over 250 reports regarding cyber-threats, risks, and threat agents. ETL 2013 is a comprehensive compilation of the top 15 cyber-threats assessed.

Cyber-enabled Competitive Data Theft: A Framework for Modeling Long-Run Cybersecurity Consequences | Brookings Institution | December 2013 | 18
Economic espionage has existed at least since the industrial revolution, but the scope of modern cyber-enabled competitive data theft may be unprecedented. With this paper, Friedman, Mack-Crane, and Hammond present what they believe is the first economic framework and model to understand the long-run impact of competitive data theft on an economy by taking into account the actual mechanisms and pathways by which theft harms the victims.

Trends in Incident Response in 2013 | ICS-CERT Monitor | October-December 2013 | 14
In 2013, ICS-CERT responded to 256 incidents reported either directly from asset owners or through other trusted partners. The majority of these incidents were initially detected in business networks of critical infrastructure organizations that operate industrial control systems (ICS). Of the 256 reported incidents, 59%, or 151 incidents, occurred in the energy sector, which exceeded all incidents reported in other sectors combined.

Illicit Cyber Activity Involving Fraud | Carnegie Mellon University Software Engineering Institute | August 8, 2013 | 28
Technical and behavioral patterns were extracted from 80 fraud cases—67 insider and 13 external—that occurred between 2005 and the present. These cases were used to develop insights and risk indicators to help private industry, government, and law enforcement more effectively prevent, deter, detect, investigate, and manage malicious insider activity within the banking and finance sector.

The Economic Impact of Cybercrime and Cyber Espionage | Center for Strategic and International Studies | July 22, 2013 | 20
Losses to the United States (the country where data is most accessible) may reach $100 billion annually. The cost of cybercrime and cyber espionage to the global economy is some multiple of this, likely measured in hundreds of billions of dollars.

Cyber-Crime, Securities Markets, and Systemic Risk | World Federation of Exchanges (WFE) and the International Organization of Securities Commissions (IOSCO) | July 16, 2013 | 59
This report explores the nature and extent of cyber-crime in securities markets so far; the potential systemic risk aspects of this threat; and presents the results of a survey to the world’s exchanges on their experiences with cyber-crime, cyber-security practices and perceptions of the risk.
CRS-28


Towards Trustworthy Social Media and Crowdsourcing | Wilson Center | May 2013 | 12
Individuals and organizations interested in using social media and crowdsourcing currently lack two key sets of information: a systematic assessment of the vulnerabilities in these technologies and a comprehensive set of best practices describing how to address those vulnerabilities. Identifying those vulnerabilities and developing those best practices are necessary to address a growing number of cybersecurity incidents ranging from innocent mistakes to targeted attacks that have claimed lives and cost millions of dollars.

Remaking American Security: Supply Chain Vulnerabilities & National Security Risks Across the U.S. Defense Industrial Base | Alliance for American Manufacturing | May 2013 | 355
Because the supply chain is global, it makes sense for U.S. officials to cooperate with other nations to ward off cyberattacks. Increased international cooperation to secure the integrity of the global IT system is a valuable long-term objective.

Comprehensive Study on Cybercrime | United Nations Office on Drugs and Crime (UNODC) | February 2013 | 320
The Study examined the problem of cybercrime from the perspective of governments, the private sector, academia and international organizations. The results are presented in eight chapters, covering Internet connectivity and cybercrime; the global cybercrime picture; cybercrime legislation and frameworks; criminalization of cybercrime; law enforcement and cybercrime investigations; electronic evidence and criminal justice; international cooperation in criminal matters involving cybercrime; and cybercrime prevention.

HoneyMap - Visualizing Worldwide Attacks in Real-Time, and Honeynet Map | The Honeynet Project | October 1, 2012 | N/A
The HoneyMap shows a real-time visualization of attacks against the Honeynet Project’s sensors deployed around the world.

Does Cybercrime Really Cost $1 Trillion? | ProPublica | August 1, 2012 | N/A
In a news release to announce its 2009 report, “Unsecured Economies: Protecting Vital Information,” computer security firm McAfee estimated a trillion dollar global cost for cybercrime. The number does not appear in the report itself. McAfee’s trillion-dollar estimate is questioned even by the three independent researchers from Purdue University whom McAfee credits with analyzing the raw data from which the estimate was derived. An examination of their origins by ProPublica has found new grounds to question the data and methods used to generate these numbers, which McAfee and Symantec say they stand behind.

Information Security: Cyber Threats Facilitate Ability to Commit Economic Espionage | GAO | June 28, 2012 | 20
This statement discusses (1) cyber threats facing the nation’s systems, (2) reported cyber incidents and their impacts, (3) security controls and other techniques available for reducing risk, and (4) the responsibilities of key federal entities in support of protecting IP.
CRS-29


Measuring the Cost of Cybercrime | 11th Annual Workshop on the Economics of Information Security | June 25, 2012 | N/A
From the report, “For each of the main categories of cybercrime we set out what is and is not known of the direct costs, indirect costs and defence costs - both to the UK and to the world as a whole.”

The Impact of Cybercrime on Businesses | Ponemon Institute | May 2012 | 21
The study found that targeted attacks on businesses cost enterprises an average of $214,000. The expenses are associated with forensic investigations, investments in technology, and brand recovery costs.

Proactive Policy Measures by Internet Service Providers against Botnets | Organisation for Economic Co-operation and Development | May 7, 2012 | 25
This report analyzes initiatives in a number of countries through which end-users are notified by ISPs when their computer is identified as being compromised by malicious software and encouraged to take action to mitigate the problem.

Developing State Solutions to Business Identity Theft: Assistance, Prevention and Detection Efforts by Secretary of State Offices | National Association of Secretaries of State | January 2012 | 23
This white paper is the result of efforts by the 19-member NASS Business Identity Theft Task Force to develop policy guidelines and recommendations for state leaders dealing with identity fraud cases involving public business records.

Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines (CAG) | SANS | October 3, 2011 | 77
The 20 security measures are intended to focus agencies’ limited resources on plugging the most common attack vectors.

Revealed: Operation Shady RAT: an Investigation Of Targeted Intrusions Into 70+ Global Companies, Governments, and Non-Profit Organizations During the Last 5 Years | McAfee | August 2, 2011 | 14
A cyber-espionage operation lasting many years penetrated 72 government and other organizations, most of them in the United States, and has copied everything from military secrets to industrial designs, according to technology security company McAfee. (See page 4 for the types of compromised parties, page 5 for the geographic distribution of victims’ country of origin, pages 7-9 for the types of victims, and pages 10-13 for the number of intrusions for 2007-2010.)

The Role of Internet Service Providers in Botnet Mitigation: an Empirical Analysis Based on Spam Data | Organisation for Economic Co-operation and Development | November 12, 2010 | 31
This working paper considers whether ISPs can be critical control points for botnet mitigation, how the number of infected machines varies across ISPs, and why.

Untangling Attribution: Moving to Accountability in Cyberspace [Testimony] | Council on Foreign Relations | July 15, 2010 | 14
Robert K. Knake’s testimony before the House Committee on Science and Technology on the role of attack attribution in preventing cyberattacks and how attribution technologies can affect the anonymity and the privacy of Internet users.
CRS-30


Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities | National Research Council | 2009 | 368
This report explores important characteristics of cyberattack. It describes the current international and domestic legal structure as it might apply to cyberattack, and considers analogies to other domains of conflict to develop relevant insights.
Note: Highlights compiled by CRS from the reports.

Table 6. National Security, Cyber Espionage, and Cyberwar
Title | Source | Date | Pages | Notes

Cyberthreat: Real-Time Map | Kaspersky Labs | Ongoing | N/A
Kaspersky Labs has launched an interactive cyberthreat map that lets viewers see cybersecurity incidents as they occur around the world in real time. The interactive map includes malicious objects detected during on-access and on-demand scans, email and web antivirus detections, and objects identified by vulnerability and intrusion detection sub-systems.

Baseline Review: ICT-Related Processes & Events, Implications for International and Regional Security (2011-2013) | ICT4Peace | May 1, 2014 | 50
The report is structured around the following three areas: (1) international and regional security (the predominant focus); (2) transnational crime and terrorism; and (3) governance, human rights and development. These areas are obviously interdependent, with developments in one area often impacting another, yet they have traditionally been approached separately through distinct communities of practice and fora. The report will serve as a baseline for future annual reports, with this specific one covering the period spanning January 2011 to December 2013 (while also providing background on earlier events).
CRS-31


M Trends: Beyond the Breach: 2014 Threat Report | Mandiant | April 2014 | 28
From the report, “One conclusion is inescapable: the list of potential targets has increased, and the playing field has grown. Cyber-threat actors are expanding the uses of computer network exploitation to fulfill an array of objectives, from the economic to the political. Threat actors are not only interested in seizing the corporate crown jewels but are also looking for ways to publicize their views, cause physical destruction and influence global decision makers. Private organizations have increasingly become collateral damage in political conflicts. With no diplomatic solution in sight, the ability to detect and respond to attacks has never been more important.”

Emerging Cyber Threats Report 2014 | Georgia Institute of Technology | January 2014 | 16
Brief compilation of academic research on Losing Control of Cloud Data, Insecure but Connected Devices, Attackers Adapt to Mobile Ecosystems, Costs of Defending Against Cyber Attacks Remain High, Information Manipulation Advances.

Cybersecurity and Cyberwar: What Everyone Needs to Know | Singer, Peter W. and Allan Friedman (Brookings Institution) | January 2014 | 306
The book looks at cybersecurity issues faced by the military, government, businesses and individuals, and what happens when they try to balance security with freedom of speech and the ideals of an open Internet.

Cyber-enabled Competitive Data Theft: A Framework for Modeling Long-Run Cybersecurity Consequences | Brookings Institution | December 2013 | 18
Economic espionage has existed at least since the industrial revolution, but the scope of modern cyber-enabled competitive data theft may be unprecedented. With this paper, Friedman, Mack-Crane, and Hammond present what they believe is the first economic framework and model to understand the long-run impact of competitive data theft on an economy by taking into account the actual mechanisms and pathways by which theft harms the victims.
CRS-32


To Kill a Centrifuge: A Technical Analysis of What Stuxnet’s Creators Tried to Achieve | The Langner Group | November 2013 | 36
This document summarizes the most comprehensive research on the Stuxnet malware so far: It combines results from reverse engineering the attack code with intelligence on the design of the attacked plant and background information on the attacked uranium enrichment process. It looks at the attack vectors of the two different payloads contained in the malware and especially provides an analysis of the bigger and much more complex payload that was designed to damage centrifuge rotors by overpressure. With both attack vectors viewed in context, conclusions are drawn about the reasoning behind a radical change of tactics between the complex earlier attack and the comparatively simple later attack that tried to manipulate centrifuge rotor speeds.

2013 Annual Report to Congress | U.S.-China Economic Commission | October 20, 2013 | 465
In 2013, the commission continued its close examination of China’s cyber capabilities. Strong evidence has emerged that the Chinese government is directing and executing a large-scale cyber espionage campaign against the United States, including the U.S. government and private companies. However, the public exposure of Chinese cyber espionage in 2013 has apparently not changed China’s attitude about the use of cyber espionage to steal intellectual property and proprietary information. (See: Chapter 2, Section 2: “China’s Cyber Activities.”)

W32.Duqu: The Precursor to the Next Stuxnet | Symantec | November 14, 2013 | N/A
On October 14, 2011, a research lab with strong international connections alerted Symantec to a sample that appeared to be very similar to Stuxnet, the malware which wreaked havoc in Iran’s nuclear centrifuge farms last summer. The lab named the threat “Duqu” because it creates files with the file name prefix “DQ”. The research lab provided Symantec with samples recovered from computer systems located in Europe, as well as a detailed report with their initial findings, including analysis comparing the threat to Stuxnet.

Offensive Cyber Capabilities at the Operational Level - The Way Ahead | Center for Strategic & International Studies (CSIS) | September 16, 2013 | 20
The specific question this report examines is whether the Defense Department should make a more deliberate effort to explore the potential of offensive cyber tools at levels below that of a combatant command.
CRS-33


Cyber-Warfare: Is the risk of cyber-warfare overrated? | The Economist | August 2, 2013 | N/A
(Economist Debates adapt the Oxford style of debating to an online forum. Each side has three chances to persuade readers: opening, rebuttal and closing.) “Separating hype from the urgent questions is hard. Amid talk of a ‘digital Pearl Harbour’ and ‘advanced persistent threats’ it is hard to know whether we are really ‘losing the war’ against the purveyors and users of malware and digital weapons.”

The Economic Impact of Cybercrime and Cyber Espionage | Center for Strategic and International Studies | July 22, 2013 | 20
Losses to the United States (the country where data is most accessible) may reach $100 billion annually. The cost of cybercrime and cyber espionage to the global economy is some multiple of this, likely measured in hundreds of billions of dollars.

Role of Counterterrorism Law in Shaping ‘ad Bellum’ Norms for Cyber Warfare | International Law Studies (U.S. Naval War College) | April 1, 2013 | 42
The prospect of cyber war has evolved from science fiction and over-the-top doomsday depictions on television, films, and in novels to reality and front-page news… To date there has been little attention given to the possibility that international law generally and counterterrorism law in particular could and should develop a subset of cyber-counterterrorism law to respond to the inevitability of cyberattacks by terrorists and the use of cyber weapons by governments against terrorists, and to supplement existing international law governing cyber war where the intrusions do not meet the traditional kinetic thresholds.

The Tallinn Manual on the International Law Applicable to Cyber Warfare | Cambridge University Press/NATO Cooperative Cyber Defence Center of Excellence | March 5, 2013 | 302
The Tallinn Manual identifies the international law applicable to cyber warfare and sets out 95 ‘black-letter rules’ governing such conflicts. An extensive commentary accompanies each rule, which sets forth each rule’s basis in treaty and customary law, explains how the group of experts interpreted applicable norms in the cyber context, and outlines any disagreements within the group as to each rule’s application. (Note: The manual is not an official NATO publication, but an expression of opinions of a group of independent experts acting solely in their personal capacity.)
CRS-34


Cyberterrorism: A Survey of Researchers | Swansea University | March 2013 | 21
This report provides an overview of findings from a project designed to capture current understandings of cyberterrorism within the research community. The project ran between June and November 2012, and employed a questionnaire which was distributed to over 600 researchers, authors and other experts. Potential respondents were identified using a combination of methods, including targeted literature reviews, standing within relevant academic communities, snowballing from earlier participants or contacts, and the use of two mailing lists. 118 responses were received in total, from individuals working in 24 countries across six continents. Please contact the research team with any enquiries on the project’s methods and findings (see p. 21 for contact details).

APT1: Exposing One of China’s Cyber Espionage Units | Mandiant | February 19, 2013 | 76
The details analyzed during hundreds of investigations signal that the groups conducting these activities (computer security breaches around the world) are based primarily in China and that the Chinese government is aware of them.

Video demo of Chinese hacker activity (click on “APT1 Video” at top right of screen) | Mandiant | February 19, 2013 | N/A
Video of APT1 attacker sessions and intrusion activities (5-minute video).

Crisis and Escalation in Cyberspace | RAND Corp. | December 2012 | 200
The report considers how the Air Force should integrate kinetic and nonkinetic operations. Central to this process was careful consideration of how escalation options and risks should be treated, which, in turn, demanded a broader consideration across the entire crisis-management spectrum. Such crises can be managed by taking steps to reduce the incentives for other states to step into crisis, by controlling the narrative, understanding the stability parameters of the crises, and trying to manage escalation if conflicts arise from crises.

Cyberattacks Among Rivals: 2001-2011 (from the article “The Fog of Cyberwar” by Brandon Valeriano and Ryan Maness; subscription required) | Foreign Affairs | November 21, 2012 | N/A
A chart showing cyberattacks by initiator and victim, 2001-2011.

Emerging Cyber Threats Report 2013 | Georgia Institute of Technology | November 14, 2012 | 9
The year ahead will feature new and increasingly sophisticated means to capture and exploit user data, escalating battles over the control of online information and continuous threats to the U.S. supply chain from global sources. (From the annual Georgia Tech Cyber Security Summit 2012.)
CRS-35


Proactive Defense for Evolving Cyber Threats | Sandia National Labs | November 2012 | 98
The project applied rigorous predictability-based analytics to two central and complementary aspects of the network defense problem—attack strategies of the adversaries and vulnerabilities of the defenders’ systems—and used the results to develop a scientifically-grounded, practically-implementable methodology for designing proactive cyber defense systems.

Safeguarding Cyber-Security, Fighting in Cyberspace | International Relations and Security Network (ISN) | October 22, 2012 | N/A
Looks at the militarization of cybersecurity as a source of global tension, and makes the case that cyber-warfare is already an essential feature of many leading states’ strategic calculations, followed by its opposite—i.e., one that believes the threat posed by cyber-warfare capabilities is woefully overstated.

Before We Knew It: An Empirical Study of Zero-Day Attacks In The Real World | Symantec Research Labs | October 16, 2012 | 12
The paper describes a method for automatically identifying zero-day attacks from field-gathered data that records when benign and malicious binaries are downloaded on 11 million real hosts around the world. Searching this data set for malicious files that exploit known vulnerabilities indicates which files appeared on the Internet before the corresponding vulnerabilities were disclosed.

Investigative Report on the U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE | House Permanent Select Committee on Intelligence | October 8, 2012 | 60
The committee initiated this investigation in November 2011 to inquire into the counterintelligence and security threat posed by Chinese telecommunications companies doing business in the United States.

Federal Support for and Involvement in State and Local Fusion Centers | U.S. Senate Permanent Subcommittee on Investigations | October 3, 2012 | 141
A two-year bipartisan investigation found that U.S. Department of Homeland Security efforts to engage state and local intelligence “fusion centers” have not yielded significant useful information to support federal counterterrorism intelligence efforts. In Section VI, “Fusion Centers Have Been Unable to Meaningfully Contribute to Federal Counterterrorism Efforts,” Part G, “Fusion Centers May Have Hindered, Not Aided, Federal Counterterrorism Efforts,” the report discusses the Russian “Cyberattack” in Illinois.

Putting the “war” in cyberwar: Metaphor, analogy, and cybersecurity discourse in the United States | First Monday | July 2, 2012 | N/A
This essay argues that current contradictory tendencies are unproductive and even potentially dangerous. It argues that the war metaphor and nuclear deterrence analogy are neither natural nor inevitable and that abandoning them would open up new possibilities for thinking more productively about the full spectrum of cybersecurity challenges, including the as-yet unrealized possibility of cyber war.
CRS-36


Nodes and Codes: The Reality of Cyber Warfare | U.S. Army School of Advanced Military Studies, Command and General Staff | May 17, 2012 | 62
Explores the reality of cyber warfare through the story of Stuxnet. Three case studies evaluate cyber policy, discourse, and procurement in the United States, Russia, and China before and after Stuxnet to illustrate their similar, yet unique, realities of cyber warfare.

United States Counter Terrorism Cyber Law and Policy, Enabling or Disabling? | Triangle Institute for Security Studies | March 2012 | 34
The incongruence between national counterterrorism (CT) cyber policy, law, and strategy degrades the abilities of federal CT professionals to interdict transnational terrorists from within cyberspace. Specifically, national CT cyber policies that are not completely sourced in domestic or international law unnecessarily limit the latitude cyber CT professionals need to effectively counter terrorists through the use of organic cyber capabilities. To optimize national CT assets and to stymie the growing threat posed by terrorists’ ever-expanding use of cyberspace, national decision-makers should modify current policies to efficiently execute national CT strategies, albeit within the framework of existing CT cyber-related statutes.

A Cyberworm that Knows No Boundaries | RAND | December 21, 2011 | 55
Stuxnet-like worms pose a serious threat even to infrastructure and computer systems that are not connected to the Internet. However, defending against such attacks is an increasingly complex prospect.

Department of Defense Cyberspace Policy Report: A Report to Congress Pursuant to the National Defense Authorization Act for Fiscal Year 2011, Section 934 | DOD | November 2011 | 14
From the report: “When warranted, we will respond to hostile attacks in cyberspace as we would to any other threat to our country. We reserve the right to use all necessary means - diplomatic, informational, military and economic - to defend our nation, our allies, our partners and our interests.”

Cyber War Will Not Take Place | Journal of Strategic Studies | October 5, 2011 | 29
The paper argues that cyber warfare has never taken place, is not currently taking place, and is unlikely to take place in the future.

Foreign Spies Stealing U.S. Economic Secrets in Cyberspace: Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011 | Office of the National Counterintelligence Executive | October 2011 | 31
Because the United States is a leader in the development of new technologies and a central player in global financial and trade networks, foreign attempts to collect U.S. technological and economic information will continue at a high level and will represent a growing and persistent threat to U.S. economic security. The nature of the cyber threat will evolve with continuing technological advances in the global information environment.
CRS-37


USCYBERCOM and Cyber Security: Is a Comprehensive Strategy Possible? | Army War College | May 12, 2011 | 32
Examines five aspects of USCYBERCOM: organization, command and control, computer network operations (CNO), synchronization, and resourcing. Identifies areas that currently present significant risk to USCYBERCOM’s ability to create a strategy that can achieve success in its cyberspace operations. Recommends potential solutions that can increase the effectiveness of the USCYBERCOM strategy.

A Four-Day Dive Into Stuxnet’s Heart | Threat Level Blog (Wired) | December 27, 2010 | N/A
From the article, “It is a mark of the extreme oddity of the Stuxnet computer worm that Microsoft’s Windows vulnerability team learned of it first from an obscure Belarusian security company that even they had never heard of.”

Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant? Preliminary Assessment | Institute for Science and International Security | December 22, 2010 | 10
This report indicates that commands in the Stuxnet code intended to increase the frequency of devices targeted by the malware exactly match several frequencies at which rotors in centrifuges at Iran’s Natanz enrichment plant are designed to operate optimally or are at risk of breaking down and flying apart.

Stuxnet Analysis | European Network and Information Security Agency | October 7, 2010 | N/A
EU cybersecurity agency warns that the Stuxnet malware is a game changer for critical information infrastructure protection; PLC controllers of SCADA systems infected with the worm might be programmed to establish destructive over/under pressure conditions by running pumps at different frequencies.

Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy | National Research Council | October 5, 2010 | 400
Per request of the Office of the Director of National Intelligence, the National Research Council undertook a two-phase project aimed to foster a broad, multidisciplinary examination of strategies for deterring cyberattacks on the United States and of the possible utility of these strategies for the U.S. government.
Notes: Highlights compiled by CRS from the reports.
CRS-38


Table 7. International Efforts
Title Source
Date
Pages
Notes
Global Cybersecurity Index
International
Ongoing
N/A
Based on questionnaire responses received by ITU
Telecommunications Union
Member States, a first analysis of cybersecurity
development in the Arab region was compiled and one
for the Africa region is under way. The objective is to
release a global status of cybersecurity for 2014.
The Cyber Hub
Booz Allen Hamilton and
Ongoing
N/A
The Cyber Hub's content was built on several integral
the Economist Intelligence
parts: an index that assesses specific aspects of the cyber
Unit
environment of the G20 countries, and a series of
research papers that examine the implications for the
business community.
Cybersecurity Legislation
International
Ongoing
N/A
An integral and challenging component of any national
Telecommunications Union
Cybersecurity strategy is the adoption of regionally and
international y harmonized, appropriate legislation against
the misuse of ICTs for criminal or other purposes.
Title: Cyber Security Strategy: Progress So Far
Source: UK Cabinet Office
Date: Ongoing
Pages: N/A
Notes: From the report, “To support the Strategy we put in place a National Cyber Security Programme (NCSP) backed by £650 million of funding to 2015. This year we increased that investment with a further £210 million in 2015 to 2016. This funding will build on existing projects and also support new investment, enabling the UK to retain its emerging reputation as a leader in the field of cyber security.”

Title: China and International Law in Cyberspace
Source: U.S.-China Economic and Security Review Commission
Date: May 7, 2014
Pages: 11
Notes: Despite major differences on cyberspace policy between the United States and China, a recent development at the United Nations illustrates basic areas of agreement. The United States and China were among 15 countries affirming the applicability of international law to cyberspace in a 2013 UN report. The same group will gather in 2014 to address some of the more challenging and divisive concepts regarding state responsibility and use of force in cyberspace.

Title: Baseline Review: ICT-Related Processes & Events, Implications for International and Regional Security (2011-2013)
Source: ICT4Peace
Date: May 1, 2014
Pages: 50
Notes: The report is structured around the following three areas: (1) international and regional security (the predominant focus); (2) transnational crime and terrorism; and (3) governance, human rights and development. These areas are obviously interdependent, with developments in one area often impacting another, yet they have traditionally been approached separately through distinct communities of practice and fora. The report will serve as a baseline for future annual reports, with this specific one covering the period spanning January 2011 to December 2013 (while also providing background on earlier events).

Title: Cyber maturity in the Asia-Pacific Region 2014
Source: Australian Strategic Policy Institute (ASPI)
Date: April 14, 2014
Pages: 76
Notes: The Institute assesses regional digital maturity across government, business, society and the military. Australia comes out ahead of China, Japan and South Korea when it comes to overall digital strength in the region and it ranks third behind the United States and China in cyber warfare. Asia-Pacific is increasingly the focus of cyberattacks, say analysts, including criminal and state-sponsored hacking and espionage.

Title: U.S.-EU Cyber Cooperation
Source: White House
Date: March 26, 2014
Pages: N/A
Notes: The new high-level U.S.-EU Cyber Dialogue announced at the 2014 U.S.-EU Summit will formalize and broaden our cooperation on cyber issues, building on shared commitments and achievements in key areas.

Title: Legislative resolution on the proposal for a directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union
Source: European Parliament
Date: March 13, 2014
Pages: N/A
Notes: The directive would require companies operating critical infrastructure to maintain a specified minimum level of cybersecurity preparedness and report to national authorities about cyberattacks with a “significant impact” on the security of their networks.

Title: 10 Steps to Cyber Security
Source: UK Dept. for Business, Innovation & Skills (BIS) and the Centre for the Protection of National Infrastructure (CPNI)
Date: February 4, 2014
Pages: 20
Notes: The joint communiqué outlines steps UK regulators and government departments have agreed to undertake to improve the country's cyber systems and networks defenses. The steps to combat cyberattacks include assessing the state of cybersecurity across each sector and working with industry to address vulnerabilities; working with industry to increase information flows on threat vulnerabilities and mitigation strategies; encouraging companies to join information sharing initiatives, such as the Cyber Security Information Sharing Partnership, a partnership between the U.K. government and industry to share information and intelligence on cybersecurity threats launched in March 2013; and encouraging companies to undertake a self-assessment pursuant to guidance published by the U.K. Department for Business, Innovation and Skills.

Title: 2013 Joint Report
Source: U.S.-Russia Bilateral Presidential Commission (BPC)
Date: December 27, 2013
Pages: 40
Notes: The report includes updates from each of the BPC’s 21 working groups. See the Working Group on the Threats to and in the Use of Information Communications Technologies in the Context of International Security section on pages 11-12. A key component of the discussion concerned the implementation of the bilateral confidence building measures (CBMs) announced by Presidents Obama and Putin in June 2013. These bilateral CBMs are intended to promote transparency and reduce the possibility that an incident related to the use of ICTs could unintentionally cause instability or escalation.

Title: World Federation of Exchanges (WFE) Launches Global Cyber Security Committee
Source: World Federation of Exchanges
Date: December 12, 2013
Pages: N/A
Notes: The WFE announced the launch of the exchange industry’s first cybersecurity committee with a mission to aid in the protection of the global capital markets. The working group will bring together representation from a number of exchanges and clearinghouses across the globe, to collaborate on best practices in global security.

Title: Handbook on European Data Protection Law
Source: Council of Europe
Date: December 2013
Pages: 214
Notes: This handbook is a first point of reference on both EU law and the European Convention on Human Rights (ECHR) on data protection, and it explains how this field is regulated under EU law and under the ECHR as well as the CoE Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) and other CoE instruments. Each chapter first presents a single table of the applicable legal provisions, including important selected case law under the two separate European legal systems.

Title: 2013 Annual Report to Congress
Source: U.S.-China Economic and Security Review Commission
Date: October 20, 2013
Pages: 465
Notes: In 2013, the commission continued its close examination of China’s cyber capabilities. Strong evidence has emerged that the Chinese government is directing and executing a large-scale cyber espionage campaign against the United States, including the U.S. government and private companies. However, the public exposure of Chinese cyber espionage in 2013 has apparently not changed China’s attitude about the use of cyber espionage to steal intellectual property and proprietary information. (See: Chapter 2, Section 2: “China’s Cyber Activities.”)

Title: Directive of the European Parliament and of the Council on Attacks Against Information Systems
Source: European Parliament Civil Liberties Committee
Date: August 12, 2013
Pages: 7
Notes: The objectives of the Directive are to approximate the criminal law of the Member States in the area of attacks against information systems by establishing minimum rules concerning the definition of criminal offences and the relevant sanctions and to improve cooperation between competent authorities, including the police and other specialized law enforcement services of the Member States, as well as the competent specialized Union agencies and bodies, such as Eurojust, Europol and its European Cyber Crime Centre, and the European Network and Information Security Agency (ENISA).

Title: Confidence Building Measures and International Cybersecurity
Source: ICT 4 Peace Foundation
Date: June 21, 2013
Pages: 21
Notes: Confidence building measures can serve to lay the foundation for agreeing on acceptable norms of behavior for states as well as confidence and trust building measures to avoid miscalculation and escalation. The report is divided into four main sections: (1) Transparency, Compliance, and Verification Measures; (2) Cooperative Measures; (3) Collaboration and Communication Mechanisms; and (4) Stability and Restraint Measures. A final section discusses next steps for diplomatic CBM processes.

Title: FACT SHEET: U.S.-Russian Cooperation on Information and Communications Technology Security
Source: White House
Date: June 17, 2013
Pages: N/A
Notes: The United States and the Russian Federation are creating a new working group, under the auspices of the Bilateral Presidential Commission, dedicated to assessing emerging ICT threats and proposing concrete joint measures to address them.

Title: Telecommunications Networks: Addressing Potential Security Risks of Foreign-Manufactured Equipment
Source: Government Accountability Office
Date: May 21, 2013
Pages: 52
Notes: The federal government has begun efforts to address the security of the supply chain for commercial networks... There are a variety of other approaches for addressing the potential risks posed by foreign-manufactured equipment in commercial communications networks, including those approaches taken by foreign governments... While these approaches are intended to improve supply chain security of communications networks, they may also create the potential for trade barriers, additional costs, and constraints on competition, which the federal government would have to take into account if it chose to pursue such approaches.

Title: The Global Cyber Game: Achieving Strategic Resilience in the Global Knowledge Society
Source: Defence Academy of the United Kingdom
Date: May 8, 2013
Pages: 127
Notes: Provides a systematic way of thinking about cyberpower and its use by a range of global players. The global cyberpower contest is framed as a Global Cyber Game, played out on a ‘Cyber Gameboard’, a framework that can be used for strategic and tactical thinking about cyber strategy.

Title: Military and Security Developments Involving the People’s Republic of China 2013 (Annual Report to Congress)
Source: Department of Defense
Date: May 6, 2013
Pages: 92
Notes: China is using its computer network exploitation capability to support intelligence collection against the U.S. diplomatic, economic, and defense industrial base sectors that support U.S. national defense programs. The information targeted could potentially be used to benefit China’s defense industry, high-technology industries, policy maker interest in U.S. leadership thinking on key China issues, and military planners building a picture of U.S. network defense networks, logistics, and related military capabilities that could be exploited during a crisis.

Title: Defence White Paper 2013
Source: Australia Department of Defence
Date: May 3, 2013
Pages: 148
Notes: The Australian Cyber Security Centre will bring together security capabilities from the Defence Signals Directorate, Defence Intelligence Organisation, Australian Security Intelligence Organisation (ASIO), the Attorney-General’s Department’s Computer Emergency Response Team (CERT) Australia, Australian Federal Police (AFP) and the Australian Crime Commission (ACC).

Title: Remaking American Security: Supply Chain Vulnerabilities & National Security Risks Across the U.S. Defense Industrial Base
Source: Alliance for American Manufacturing
Date: May 2013
Pages: 355
Notes: Because the supply chain is global, it makes sense for U.S. officials to cooperate with other nations to ward off cyberattacks. Increased international cooperation to secure the integrity of the global IT system is a valuable long-term objective.

Title: Cyber Security Information Partnership (CISP)
Source: Cabinet Office, United Kingdom
Date: March 27, 2013
Pages: N/A
Notes: CISP introduces a secure virtual ‘collaboration environment’ where government and industry partners can exchange information on threats and vulnerabilities in real time. CISP will be complemented by a ‘Fusion Cell,’ which will be supported on the government side by the Security Service, GCHQ and the National Crime Agency, and by industry analysts from a variety of sectors.

Title: The Tallinn Manual on the International Law Applicable to Cyber Warfare
Source: Cambridge University Press/NATO Cooperative Cyber Defence Center of Excellence
Date: March 5, 2013
Pages: 302
Notes: The Tallinn Manual identifies the international law applicable to cyber warfare and sets out 95 ‘black-letter rules’ governing such conflicts. An extensive commentary accompanies each rule, which sets forth each rule’s basis in treaty and customary law, explains how the group of experts interpreted applicable norms in the cyber context, and outlines any disagreements within the group as to each rule’s application. (Note: The manual is not an official NATO publication, but an expression of opinions of a group of independent experts acting solely in their personal capacity.)

Title: APT1: Exposing One of China’s Cyber Espionage Units
Source: Mandiant
Date: February 19, 2013
Pages: 76
Notes: The details analyzed during hundreds of investigations signal that the groups conducting these activities (computer security breaches around the world) are based primarily in China and that the Chinese government is aware of them.

Title: Worldwide Threat Assessment of the U.S. Intelligence Community (Testimony)
Source: James Clapper, Director of National Intelligence
Date: February 11, 2013
Pages: 34
Notes: Clapper provided an assessment of global threats: U.S. critical infrastructure, eroding U.S. economic and national security, information control and Internet governance, and hacktivists and criminals.

Title: Linking Cybersecurity Policy and Performance
Source: Microsoft Trustworthy Computing
Date: February 6, 2013
Pages: 27
Notes: Introduces a new methodology for examining how socio-economic factors in a country or region impact cybersecurity performance. Examines measures such as use of modern technology, mature processes, user education, law enforcement and public policies related to cyberspace. This methodology can build a model that will help predict the expected cybersecurity performance of a given country or region.

Title: Comprehensive Study on Cybercrime
Source: United Nations Office on Drugs and Crime (UNODC)
Date: February 2013
Pages: 320
Notes: The study examined the problem of cybercrime from the perspective of governments, the private sector, academia and international organizations. The results are presented in eight Chapters, covering Internet connectivity and cybercrime; the global cybercrime picture; cybercrime legislation and frameworks; criminalization of cybercrime; law enforcement and cybercrime investigations; electronic evidence and criminal justice; international cooperation in criminal matters involving cybercrime; and cybercrime prevention.

Title: Administration Strategy for Mitigating the Theft of U.S. Trade Secrets
Source: White House
Date: February 2013
Pages: 141
Notes: From the report, “First, we will increase our diplomatic engagement.... Second, we will support industry-led efforts to develop best practices to protect trade secrets and encourage companies to share with each other best practices that can mitigate the risk of trade secret theft.... Third, DOJ will continue to make the investigation and prosecution of trade secret theft by foreign competitors and foreign governments a top priority.... Fourth, President Obama recently signed two pieces of legislation that will improve enforcement against trade secret theft.... Lastly, we will increase public awareness of the threats and risks to the U.S. economy posed by trade secret theft.”

Title: The Chinese Defense Economy Takes Off: Sector-by-Sector Assessments and the Role of Military End-Users
Source: UC Institute on Global Conflict and Cooperation
Date: January 25, 2013
Pages: 87
Notes: This collection of 15 policy briefs explores how China has made such impressive military technological progress over the past few years, what is in store, and what are the international security implications. The briefs are summaries of a series of longer research papers presented at the third annual Chinese defense economy conference held by the Study of Innovation and Technology in China in July 2012.

Title: Defence and Cyber-Security, vol. 1 - Report, together with formal minutes, oral and written evidence; Defence and Cyber-Security, vol. 2 - Additional Written Evidence
Source: House of Commons Defence Committee (UK)
Date: December 18, 2012
Pages: 99 (vol. 1); 37 (vol. 2)
Notes: Given the inevitable inadequacy of the measures available to protect against a constantly changing and evolving threat, and given the Minister for the Cabinet Office’s comment, it is not enough for the Armed Forces to do their best to prevent an effective attack. In its response to this report the Government should set out details of the contingency plans it has in place should such an attack occur. If it has none, it should say so—and urgently create some.

Title: The Challenge of Cyber Power for Central African Countries: Risks and Opportunities
Source: Naval Postgraduate School
Date: December 2012
Pages: 209
Notes: From the report, “The Central African militaries, which are supposed to be the first line of defense for their governments' institutions, are dramatically behind the times. To address this situation, the governments of Central Africa need to adopt a collaborative cyber strategy based on common investment in secure cyber infrastructures. Such cooperation will help to create a strong cyber environment conducive of the confidence and trust necessary for the emergence of a cyber community of Central African States (C3AS). For Central African militaries, massive training and recruiting will be the first move to begin the process of catching up.”

Title: Cybersecurity: Managing Risks for Greater Opportunities
Source: Organization for Economic Co-operation and Development
Date: November 29, 2012
Pages: N/A
Notes: The OECD launched a broad consultation of all stakeholders from member and non-member countries to review its Security Guidelines. The review takes into account newly emerging risks, technologies and policy trends around such areas as cloud computing, digital mobility, the Internet of things, social networking, etc.

Title: Cybersecurity Policy Making at a Turning Point: Analysing a New Generation of National Cybersecurity Strategies for the Internet Economy
Source: Organization for Economic Co-operation and Development
Date: November 16, 2012
Pages: 117
Notes: This report analyzes the latest generation of national cybersecurity strategies in ten OECD countries and identifies commonalities and differences.

Title: 2012 Report to Congress of the U.S.-China Economic and Security Review Commission, One Hundred Twelfth Congress, Second Session, November 2012
Source: U.S.-China Economic and Security Review Commission
Date: November 2012
Pages: 509
Notes: This report responds to the mandate for the commission “to monitor, investigate, and report to Congress on the national security implications of the bilateral trade and economic relationship between the United States and the People’s Republic of China.” See “China's Cyber Activities,” Chapter 2, Section 2, pp. 147-169.

Title: Australia: Telecommunications Data Retention—an Overview
Source: Parliamentary Library of Australia
Date: October 24, 2012
Pages: 32
Notes: In July 2012, the Commonwealth Attorney-General’s Department released a Discussion Paper, Equipping Australia against emerging and evolving threats, on the proposed national security reforms.... Of the 18 primary proposals and the 41 individual reforms that they comprise, the suggestion that carriage service providers (CSPs) be required to routinely retain certain information associated with every Australian’s use of the Internet and phone services for a period of up to two years (‘data retention’) is the issue that seems to have attracted the most attention.

Title: More Than Meets the Eye: Clandestine Funding, Cutting-Edge Technology and China’s Cyber Research & Development Program
Source: Lawrence Livermore National Laboratory
Date: October 17, 2012
Pages: 17
Notes: Analyzes how the Chinese leadership views information technology research and development (R&D), as well as the role cyber R&D plays in China’s various strategic development plans. Explores the organizational structure of China’s cyber R&D base. Concludes with a projection of how China might field new cyber capabilities for intelligence platforms, advanced weapons systems, and systems designed to support asymmetric warfare operations.

Title: Investigative Report on the U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE
Source: House Permanent Select Committee on Intelligence
Date: October 8, 2012
Pages: 60
Notes: The committee initiated this investigation in November 2011 to inquire into the counterintelligence and security threat posed by Chinese telecommunications companies doing business in the United States.

Title: Bilateral Discussions on Cooperation in Cybersecurity
Source: China Institute of Contemporary International Relations (CICIR) and the Center for Strategic and International Studies (CSIS)
Date: June 2012
Pages: N/A
Notes: Since 2009, CSIS and CICIR have held six formal meetings on cybersecurity (accompanied by several informal discussions), called “Sino-U.S. Cybersecurity Dialogue.” The meetings have been attended by a broad range of U.S. and Chinese officials and scholars responsible for cybersecurity issues. The goals of the discussions have been to reduce misperceptions and to increase transparency of both countries’ authorities and understanding on how each country approaches cybersecurity, and to identify areas of potential cooperation.

Title: Five Years after Estonia’s Cyber Attacks: Lessons Learned for NATO?
Source: NATO
Date: May 2012
Pages: 8
Notes: In April 2007 a series of cyberattacks targeted Estonian information systems and telecommunication networks. Lasting 22 days, the attacks were directed at a range of servers (web, email, DNS) and routers. The 2007 attacks did not damage much of the Estonian information technology infrastructure. However, the attacks were a true wake-up call for NATO, offering a practical demonstration that cyberattacks could now cripple an entire nation dependent on IT networks.

Title: United States Counter Terrorism Cyber Law and Policy, Enabling or Disabling?
Source: Triangle Institute for Security Studies
Date: March 2012
Pages: 34
Notes: The incongruence between national counterterrorism (CT) cyber policy, law, and strategy degrades the abilities of federal CT professionals to interdict transnational terrorists from within cyberspace. Specifically, national CT cyber policies that are not completely sourced in domestic or international law unnecessarily limit the latitude cyber CT professionals need to effectively counter terrorists through the use of organic cyber capabilities. To optimize national CT assets and to stymie the growing threat posed by terrorists' ever-expanding use of cyberspace, national decision-makers should modify current policies to efficiently execute national CT strategies, albeit within the framework of existing CT cyber-related statutes.

Title: Cyber-security: The Vexed Question of Global Rules: An Independent Report on Cyber-Preparedness Around the World
Source: McAfee
Date: February 1, 2012
Pages: 108
Notes: Forty-five percent of legislators and cybersecurity experts representing 27 countries think cybersecurity is just as important as border security. The authors surveyed 80 professionals from business, academia and government to gauge worldwide opinions of cybersecurity.

Title: The UK Cyber Security Strategy: Protecting and promoting the UK in a digital world
Source: Cabinet Office (United Kingdom)
Date: November 2011
Pages: 43
Notes: Chapter 1 describes the background to the growth of the networked world and the immense social and economic benefits it is unlocking. Chapter 2 describes the threats. The impacts are already being felt and will grow as our reliance on cyberspace grows. Chapter 3 sets out where we want to end up, with the government’s vision for UK cybersecurity in 2015.

Title: Foreign Spies Stealing US Economic Secrets in Cyberspace
Source: Office of the National Counterintelligence Executive
Date: October 2011
Pages: 31
Notes: According to the report, espionage and theft through cyberspace are growing threats to the United States’ security and economic prosperity, and the world’s most persistent perpetrators happen to also be U.S. allies.

Title: International Strategy for Cyberspace
Source: White House/OMB
Date: May 16, 2011
Pages: 30
Notes: The strategy marks the first time any Administration has attempted to set forth in one document the U.S. government’s vision for cyberspace, including goals for defense, diplomacy, and international development.

Title: Cyber Dawn: Libya
Source: Cyber Security Forum Initiative
Date: May 9, 2011
Pages: 70
Notes: Project Cyber Dawn: Libya uses open source material to provide an in-depth view of Libyan cyberwarfare capabilities and defenses.

Title: Working Towards Rules for Governing Cyber Conflict: Rendering the Geneva and Hague Conventions in Cyberspace
Source: EastWest Institute
Date: February 3, 2011
Pages: 60
Notes: [The authors] led the cyber and traditional security experts through a point-by-point analysis of the Geneva and Hague Conventions. Ultimately, the group made five immediate recommendations for Russian and U.S.-led joint assessments, each exploring how to apply a key convention principle to cyberspace.

Title: The Reliability of Global Undersea Communications Cable Infrastructure (The Rogucci Report)
Source: IEEE/EastWest Institute
Date: May 26, 2010
Pages: 186
Notes: This study submits 12 major recommendations to the private sector, governments and other stakeholders—especially the financial sector—for the purpose of improving the reliability, robustness, resilience, and security of the world’s undersea communications cable infrastructure.

Title: German Anti-Botnet Initiative
Source: Organisation for Economic Co-operation and Development (OECD)
Date: December 8, 2009
Pages: 4
Notes: This is a private industry initiative which aims to ensure that customers whose personal computers have become part of a botnet without them being aware of it are informed by their Internet Service Providers about this situation and at the same time are given competent support in removing the malware.

Note: Highlights compiled by CRS from the reports.
Table 8. Education/Training/Workforce
(Columns: Title, Source, Date, Pages, Notes)

Title: NCCoE National Cybersecurity Excellence Partnerships
Source: NIST National Cybersecurity Center of Excellence
Date: Ongoing
Pages: N/A
Notes: Established in 2012 through a partnership between NIST, the state of Maryland, and Montgomery County, the NCCoE is dedicated to furthering innovation through the rapid identification, integration, and adoption of practical cybersecurity solutions. The NCCoE is part of the NIST Information Technology Laboratory and operates in close collaboration with the Computer Security Division.

Title: National Initiative for Cybersecurity Careers and Studies (NICCS)
Source: Department of Homeland Security
Date: Ongoing
Pages: N/A
Notes: NICCS is an online resource for cybersecurity career, education, and training information. It is a partnership between DHS, the National Institute of Standards and Technology, the Office of the Director of National Intelligence, the Department of Defense, the Department of Education, the National Science Foundation, and the Office of Personnel Management.

Title: Experimental Research Testbed (DETER)
Source: Department of Homeland Security
Date: Ongoing
Pages: N/A
Notes: The DETER testbed is used to test and evaluate cybersecurity technologies by over 200 organizations from more than 20 states and 17 countries, including DHS-funded researchers, the larger cybersecurity research community, government, industry, academia, and educational users.

Title: Michigan Cyber Range
Source: Partnership between the state of Michigan, Merit Network, federal and local governments, colleges and universities, and the private sector
Date: Ongoing
Pages: N/A
Notes: Enables individuals and organizations to develop detection and reaction skills through simulations and exercises.

Title: Information Assurance Scholarship Program
Source: Department of Defense
Date: Ongoing
Pages: N/A
Notes: The Information Assurance Scholarship Program is designed to increase the number of qualified personnel entering the information assurance and information technology fields within the department. The scholarships also are an attempt to effectively retain military and civilian cybersecurity and IT personnel.

Title: National Centers of Academic Excellence (CAE) in Cyber Operations Program
Source: National Security Agency (NSA)
Date: Ongoing
Pages: N/A
Notes: The NSA has launched the National Centers of Academic Excellence (CAE) in Cyber Operations Program; the program is intended to be a deeply technical, interdisciplinary, higher education program grounded in the computer science (CS), computer engineering (CE), or electrical engineering (EE) disciplines, with extensive opportunities for hands-on applications via labs and exercises.

Title: DHS Is Generally Filling Mission-Critical Positions, but Could Better Track Costs of Coordinated Recruiting Efforts
Source: GAO
Date: September 17, 2013
Pages: 47
Notes: More than one in five jobs at a key cybersecurity component within the Homeland Security Department are vacant, in large part due to steep competition in recruiting and hiring qualified personnel. National Protection and Programs Directorate (NPPD) officials cited challenges in recruiting cyber professionals because of the length of time taken to conduct security checks to grant top-secret security clearances as well as low pay in comparison with the private sector.

Title: Professionalizing the Nation’s Cybersecurity Workforce?: Criteria for Decision-Making
Source: National Academies Press
Date: September 16, 2013
Pages: 66
Notes: This report examines workforce requirements for cybersecurity and the segments and job functions in which professionalization is most needed; the role of assessment tools, certification, licensing, and other means for assessing and enhancing professionalization; and emerging approaches, such as performance-based measures. It also examines requirements for the federal (military and civilian) workforce, the private sector, and state and local government.

Title: Joint Professional Military Education Institutions in an Age of Cyber Threat
Source: Francesca Spidalieri (Pell Center Fellow)
Date: August 7, 2013
Pages: 18
Notes: The report found that the Joint Professional Military Education at the six U.S. military graduate schools—a requirement for becoming a Joint Staff Officer and for promotion to the senior ranks—has not effectively incorporated cybersecurity into specific courses, conferences, war gaming exercises, or other forms of training for military officers. While these graduate programs are more advanced on cybersecurity than most American civilian universities, a preparation gap still exists.

Title: Special Cybersecurity Workforce Project (Memo for Heads of Executive Departments and Agencies)
Source: Office of Personnel Management (OPM)
Date: July 8, 2013
Pages: N/A
Notes: The OPM is collaborating with the White House Office of Science and Technology Policy, the Chief Human Capital Officers Council (CHCOC), and the Chief Information Officers Council (CIOC) in implementing a special workforce project that tasks federal agencies’ cybersecurity, information technology, and human resources communities to build a statistical data set of existing and future cybersecurity positions in the OPM Enterprise Human Resources Integration (EHRI) data warehouse by the end of FY2014.

Title: U.S.A. Cyber Warrior Scholarship Program
Source: (ISC)2 Foundation and Booz Allen Hamilton
Date: June 21, 2013
Notes: The (ISC)2 Foundation and Booz Allen Hamilton announced the launch of the U.S.A. Cyber Warrior Scholarship program, which will provide scholarships to veterans to obtain specialized certifications in the cybersecurity field. The scholarships will cover all of the expenses associated with a certification, such as training, textbooks, mobile study materials, certification testing, and the first year of certification maintenance fees.

Title: Global Information Security Workforce Study
Source: (ISC)2 and Frost & Sullivan
Date: May 7, 2013
Pages: 28
Notes: Federal cyber workers earn an average salary of $106,430, less than the average private-sector salary of $111,376. The lag in federal salaries is likely due to federal budget restraints and nearly three years of a continuing resolution.

Title: Proposed Establishment of a Federally Funded Research and Development Center-First Notice
Source: NIST
Date: April 22, 2013
Pages: 2
Notes: To help the National Cybersecurity Center of Excellence (NCCoE) address industry’s needs most efficiently, NIST will sponsor its first Federally Funded Research and Development Center (FFRDC) to facilitate public-private collaboration for accelerating the widespread adoption of integrated cybersecurity tools and technologies.

Title: DHS Secretary’s Honors Program: Cyber Student Initiative
Source: Department of Homeland Security
Date: April 18, 2013
Pages: 2
Notes: The Cyber Student Initiative program will begin at Immigration and Customs Enforcement computer forensic labs in 36 cities nationwide, where students will be trained and gain hands-on experience within the department’s cybersecurity community. The unpaid volunteer program is only available to community college students and veterans pursuing a degree in the cybersecurity field.

Title: 2012 Information Technology Workforce Assessment for Cybersecurity
Source: U.S. Department of Homeland Security; Date: March 14, 2013; Pages: 131
Notes: The report, which is based on an anonymous survey of nearly 23,000 cyber workers across 52 departments and agencies, found that while the majority (49%) of cyber feds has more than 10 years of service until they reach retirement eligibility, nearly 33% will be eligible to retire in the next three years.

Title: CyberSkills Task Force Report
Source: U.S. Department of Homeland Security; Date: October 2012; Pages: 41
Notes: DHS’s Task Force on CyberSkills proposes far-reaching improvements to enable DHS to recruit and retain the cybersecurity talent it needs.

Title: Cyber Security Test Bed: Summary and Evaluation Results
Source: Institute for Homeland Security Solutions; Date: October 2012; Pages: 89
Notes: The Cyber Test Bed project was a case study analysis of how a set of interventions, including threat analysis, best practices sharing, and executive and staff training events, over the course of one year, would impact a group of nine small and mid-size businesses in North Carolina. Pre- and post-Test Bed interviews were conducted with company officials to establish a baseline and evaluate the impact of the Test Bed experience. After the Cyber Test Bed experience, decision makers at these companies indicated an increase in their perceptions of the risk of cyberattacks and an increase in their knowledge of possible solutions.

Title: Preparing the Pipeline: The U.S. Cyber Workforce for the Future
Source: National Defense University; Date: August 2012; Pages: 17
Notes: This paper addresses methods to close the gaps between demand and the current existing capabilities and capacity in the U.S. cyber workforce. A large number of professionals with not only technical skills, but also an understanding of cyber policy, law, and other disciplines will be needed to ensure the continued success of the U.S. economy, government, and society in the 21st-century information age. Innovative methods have been developed by the government, think tanks, and private sector for closing these gaps, but more needs to be done.

Title: Smart Grid Cybersecurity: Job Performance Model Report
Source: Pacific Northwest National Laboratory; Date: August 2012; Pages: 178
Notes: This report outlines the work done to develop a smart grid cybersecurity certification. The primary purpose is to develop a measurement model that may be used to guide curriculum, assessments, and other development of technical and operational smart grid cybersecurity knowledge, skills, and abilities.

Title: Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination
Source: Government Accountability Office (GAO); Date: November 29, 2011; Pages: 86
Notes: To ensure that government-wide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of the Office of Personnel Management, and Secretary of Homeland Security should collaborate through the National Initiative for Cybersecurity Education (NICE) initiative to develop and finalize detailed plans allowing agency accountability, measurement of progress, and determination of resources to accomplish agreed-upon activities.

Title: NICE Cybersecurity Workforce Framework
Source: National Initiative for Cybersecurity Education (NICE); Date: November 21, 2011; Pages: 35
Notes: The adoption of cloud computing into the federal government and its implementation depend upon a variety of technical and non-technical factors. A fundamental reference point, based on the NIST definition of cloud computing, is needed to describe an overall framework that can be used government-wide. This document presents the NIST Cloud Computing Reference Architecture (RA) and Taxonomy (Tax) that will accurately communicate the components and offerings of cloud computing.

Title: The State of K-12 Cyberethics, Cybersafety and Cybersecurity Curriculum in the United States
Source: National Cyber Security Alliance and Microsoft; Date: May 2011; Pages: 16
Notes: This year’s survey further explores the perceptions and practices of U.S. teachers, school administrators and technology coordinators in regards to cyberethics, cybersafety, and cybersecurity education. The survey finds that young people still are not receiving adequate training and that teachers are ill-prepared to teach the subjects due, in large part, to lack of professional development.

Title: Cyber Operations Personnel Report
Source: Department of Defense; Date: April 2011; Pages: 84
Notes: This report is focused on FY2009 Department of Defense Cyber Operations personnel, with duties and responsibilities as defined in Section 934 of the Fiscal Year (FY) 2010 National Defense Authorization Act (NDAA). Appendix A—Cyber Operations-related Military Occupations. Appendix B—Commercial Certifications Supporting the DOD Information Assurance Workforce Improvement Program. Appendix C—Military Services Training and Development. Appendix D—Geographic Location of National Centers of Academic Excellence in Information Assurance.

Title: The Power of People: Building an Integrated National Security Professional System for the 21st Century
Source: Project on National Security Reform (PNSR); Date: November 2010; Pages: 326
Notes: This study was conducted in fulfillment of Section 1054 of the National Defense Authorization Act for Fiscal Year 2010, which required the commissioning of a study by “an appropriate independent, nonprofit organization, of a system for career development and management of interagency national security professionals.”

Note: Highlights compiled by CRS from the reports.
Table 9. Research & Development (R&D)
Title: Cyber Consortium
Source: Fortinet and Palo Alto Networks; Date: Ongoing; Pages: N/A
Notes: The consortium will seek to share intelligence on threats across large security vendors and aid a coordinated response to incidents. No customer data will be shared, only malware samples. The pair of companies also extend an open invitation to other security firms to join them, provided they can share at least 1,000 samples of new malware executables each day.

Title: National Cybersecurity Center of Excellence (NCCoE)
Source: National Institute of Standards and Technology (NIST); Date: Ongoing; Pages: N/A
Notes: The National Cybersecurity Center of Excellence (NCCoE) is a new public-private collaboration to bring together experts from industry, government and academia to design, implement, test, and demonstrate integrated cybersecurity solutions and promote their widespread adoption.

Title: Software Defined Perimeter Working Group
Source: Cloud Security Alliance; Date: December 1, 2013; Pages: 13
Notes: This document explains the software defined perimeter (SDP) security framework and how it can be deployed to protect application infrastructure from network-based attacks. The SDP incorporates security standards from organizations such as NIST as well as security concepts from organizations such as DOD into an integrated framework.

Title: DARPA Announces Cyber Grand Challenge
Source: Defense Advanced Research Projects Agency (DARPA); Date: October 23, 2013; Pages: N/A
Notes: DARPA intends to hold the Cyber Grand Challenge (CGC)—the first-ever tournament for fully automatic network defense systems. The Challenge will see teams creating automated systems that would compete against each other to evaluate software, test for vulnerabilities, generate security patches, and apply them to protected computers on a network. The winning team in the CGC finals would receive a cash prize of $2 million, with second place earning $1 million and third place taking home $750,000.

Title: Resilience metrics for cyber systems (free registration required to download)
Source: Seager, Thomas (Arizona State University); Date: November 2013; Pages: 6
Notes: Despite the national and international importance, resilience metrics to inform management decisions are still in the early stages of development. The resilience matrix framework developed by Linkov et al. is applied to develop and organize effective resilience metrics for cyber systems. These metrics link national policy goals to specific system measures, such that resource allocation decisions can be translated into actionable interventions and investments. The paper proposes a generic approach and could integrate actual data, technical judgment, and literature-based measures to assess system resilience across physical, information, cognitive, and social domains.

Title: Cybersecurity Exercise: Quantum Dawn 2
Source: SIFMA; Date: October 21, 2013; Pages: N/A
Notes: Quantum Dawn 2 is a cybersecurity exercise to test incident response, resolution, and coordination processes for the financial services sector and the individual member firms to a street-wide cyberattack.

Title: Proposed Establishment of a Federally Funded Research and Development Center—Second Notice
Source: National Institute of Standards and Technology; Date: June 21, 2013; Pages: 2
Notes: NIST intends to sponsor an FFRDC to facilitate public-private collaboration for accelerating the widespread adoption of integrated cybersecurity tools and technologies. This is the second of three notices that must be published over a 90-day period to advise the public of the agency’s intention to sponsor an FFRDC.

Title: Governor McDonnell Announces Creation of MACH37, America’s Premier Market-Centric Cyber Security Accelerator
Source: Virginia Secretary of Commerce and Trade; Date: April 11, 2013; Pages: N/A
Notes: Virginia Governor Bob McDonnell announced the creation of MACH37, a cybersecurity accelerator to be located at the Center for Innovative Technology. Initially funded by the Commonwealth of Virginia, the accelerator will leverage private investments to launch new, high growth cyber technology companies in Virginia.

Title: Open Trusted Technology Provider Standard (O-TTPS)™, Version 1.0: Mitigating Maliciously Tainted and Counterfeit Products
Source: The Open Group; Date: April 2013; Pages: 44
Notes: Specifically intended to prevent maliciously tainted and counterfeit products from entering the supply chain, this first release of the O-TTPS codifies best practices across the entire COTS ICT product lifecycle, including the design, sourcing, build, fulfillment, distribution, sustainment, and disposal phases. The O-TTPS will enable organizations to implement best practice requirements and allow all providers, component suppliers, and integrators to obtain Trusted Technology Provider status. (Registration required.)

Title: The International Cyber-Security Ecosystem (video lecture)
Source: Anthony M. Rutkowski, Distinguished Senior Research Fellow at the Georgia Institute of Technology, Nunn School Center for International Strategy Technology and Policy (CISTP); Date: November 6, 2012; Pages: N/A
Notes: Overview of the various forums/communities and methodologies that comprise the security assurance ecosystem—often also referred to as Information Assurance.

Title: 20 Critical Security Controls for Effective Cyber Defense
Source: Center for Strategic & International Studies; Date: November 2012; Pages: 89
Notes: The Top 20 security controls were agreed upon by a consortium. Members of the Consortium include NSA, US CERT, DOD JTF-GNO, the Department of Energy Nuclear Laboratories, Department of State, DOD Cyber Crime Center plus commercial forensics experts in the banking and critical infrastructure communities.

Title: SBIR Phase II: Information Security Risk Taking
Source: National Science Foundation (NSF); Date: January 17, 2012; Pages: N/A
Notes: The NSF is funding research on giving organizations information-security risk ratings, similar to credit ratings for individuals.

Title: Anomaly Detection at Multiple Scales (ADAMS)
Source: Defense Advanced Research Projects Agency (DARPA); Date: November 9, 2011; Pages: 74
Notes: The report describes a system for preventing leaks by seeding believable disinformation in military information systems to help identify individuals attempting to access and disseminate classified information.

Title: At the Forefront of Cyber Security Research
Source: NSF; Date: August 5, 2011; Pages: N/A
Notes: TRUST is a university and industry consortium that examines cybersecurity issues related to health care, national infrastructures, law and other issues facing the general public.

Title: Designing A Digital Future: Federally Funded Research And Development In Networking And Information Technology
Source: White House; Date: December 2010; Pages: 148
Notes: The President’s Council of Advisors on Science and Technology (PCAST) has made several recommendations in a report about the state of the government’s Networking and Information Technology Research and Development (NITRD) Program.

Title: Partnership for Cybersecurity Innovation
Source: White House Office of Science and Technology Policy; Date: December 6, 2010; Pages: 10
Notes: The Obama Administration released a Memorandum of Understanding (below) signed by the National Institute of Standards and Technology of the Department of Commerce, the Science and Technology Directorate of the Department of Homeland Security (DHS/S&T), and the Financial Services Sector Coordinating Council (FSSCC). The goal of the agreement is to speed the commercialization of cybersecurity research innovations that support our nation’s critical infrastructures.

Title: Memorandum of Understanding (MOU)
Source: NIST, DHS, and Financial Services Sector Coordinating Council; Date: December 2, 2010; Pages: 4
Notes: The document formalizes the intent of the parties to expedite the coordinated development and availability of collaborative research, development, and testing activities for cybersecurity technologies and processes based upon the financial services sector’s needs.

Title: Science of Cyber-Security
Source: Mitre Corp (JASON Program Office); Date: November 2010; Pages: 86
Notes: JASON was requested by DOD to examine the theory and practice of cyber-security, and evaluate whether there are underlying fundamental principles that would make it possible to adopt a more scientific approach, identify what is needed in creating a science of cyber-security, and recommend specific ways in which scientific methods can be applied.

Title: American Security Challenge: Moving Innovation to Market
Source: National Security Initiative; Date: October 18, 2010; Pages: N/A
Notes: The objective of the Challenge is to increase the visibility of innovative technology and help the commercialization process so that such technology can reach either the public or commercial marketplace faster to protect our citizens and critical assets.

Note: Highlights compiled by CRS from the reports.
Selected Reports, by Federal Agency
This section contains selected cybersecurity reports from U.S. government agencies, including the White House, the Office of Management and
Budget (OMB), the Government Accountability Office (GAO), the Department of Defense (DOD), the National Institute of Standards and
Technology (NIST), and others.

Table 10. Government Accountability Office (GAO)
Title: Information Security: Agencies Need to Improve Cyber Incident Response Practices
Date: April 30, 2014; Pages: 55
Notes: Twenty-four major federal agencies did not consistently demonstrate that they are effectively responding to cyber incidents (a security breach of a computerized system and information). Based on a statistical sample of cyber incidents reported in fiscal year 2012, GAO projects that these agencies did not completely document actions taken in response to detected incidents in about 65% of cases.

Title: Information Security: SEC Needs to Improve Controls over Financial Systems and Data
Date: April 17, 2014; Pages: 25
Notes: Although the SEC had implemented and made progress in strengthening information security controls, weaknesses limited their effectiveness in protecting the confidentiality, integrity, and availability of a key financial system. Until SEC mitigates control deficiencies and strengthens the implementation of its security program, its financial information and systems may be exposed to unauthorized disclosure, modification, use, and disruption. These weaknesses, considered collectively, contributed to GAO’s determination that SEC had a significant deficiency in internal control over financial reporting for FY2013.

Title: IRS Needs to Address Control Weaknesses That Place Financial and Taxpayer Data at Risk
Date: April 8, 2014; Pages: 29
Notes: Until the IRS takes additional steps to (1) more effectively implement its testing and monitoring capabilities, (2) ensure that policies and procedures are updated, and (3) address unresolved and newly identified control deficiencies, its financial and taxpayer data will remain vulnerable to inappropriate and undetected use, modification, or disclosure. These deficiencies, including shortcomings in the information security program, were the basis of our determination that IRS had a significant deficiency in its internal control over its financial reporting systems for FY2013.

Title: Federal Agencies Need to Enhance Responses to Data Breaches
Date: April 2, 2014; Pages: 19
Notes: Major federal agencies continue to face challenges in fully implementing all components of an agency-wide information security program, which is essential for securing agency systems and the information they contain—including personally identifiable information (PII).

Title: Critical Infrastructure Protection: More Comprehensive Planning Would Enhance the Cybersecurity of Public Safety Entities’ Emerging Technology
Date: January 27, 2013; Pages: 41
Notes: GAO was asked to review federal coordination with state and local governments regarding cybersecurity at public safety entities. The objective was to determine the extent to which federal agencies coordinated with state and local governments regarding cybersecurity efforts at emergency operations centers, public safety answering points, and first responder organizations involved in handling 911 emergency calls. To do so, GAO analyzed relevant plans and reports and interviewed officials at (1) five agencies that were identified based on their roles and responsibilities established in federal law, policy, and plans and (2) selected industry associations and state and local governments.

Title: Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent
Date: December 9, 2013; Pages: 67
Notes: GAO recommends, “Recommendation: To improve the consistency and effectiveness of governmentwide data breach response programs, the Director of OMB should update its guidance on federal agencies’ responses to a PII-related data breach to include (1) guidance on notifying affected individuals based on a determination of the level of risk; (2) criteria for determining whether to offer assistance, such as credit monitoring to affected individuals; and (3) revised reporting requirements for PII-related breaches to US-CERT, including time frames that better reflect the needs of individual agencies and the government as a whole and consolidated reporting of incidents that pose limited risk.”

Title: GPS Disruptions: Efforts to Assess Risks to Critical Infrastructure and Coordinate Agency Actions Should Be Enhanced
Date: November 6, 2013; Pages: 58
Notes: GAO was asked to review the effects of GPS disruptions on the nation’s critical infrastructure. GAO examined (1) the extent to which DHS has assessed the risks and potential effects of GPS disruptions on critical infrastructure, (2) the extent to which DOT [Department of Transportation] and DHS have developed backup strategies to mitigate GPS disruptions, and (3) what strategies, if any, selected critical infrastructure sectors employ to mitigate GPS disruptions and any remaining challenges.

Title: DHS Is Generally Filling Mission-Critical Positions, but Could Better Track Costs of Coordinated Recruiting Efforts
Date: September 17, 2013; Pages: 47
Notes: One in five jobs at a key cybersecurity component within DHS is vacant, in large part due to steep competition in recruiting and hiring qualified personnel. National Protection and Programs Directorate (NPPD) officials cited challenges in recruiting cyber professionals because of the length of time taken to conduct security checks to grant top-secret security clearances as well as low pay in comparison with the private sector.

Title: Telecommunications Networks: Addressing Potential Security Risks of Foreign-Manufactured Equipment
Date: May 21, 2013; Pages: 52
Notes: The federal government has begun efforts to address the security of the supply chain for commercial networks... There are a variety of other approaches for addressing the potential risks posed by foreign-manufactured equipment in commercial communications networks, including those approaches taken by foreign governments... Although these approaches are intended to improve supply chain security of communications networks, they may also create the potential for trade barriers, additional costs, and constraints on competition, which the federal government would have to take into account if it chose to pursue such approaches.

Title: Outcome-Based Measures Would Assist DHS in Assessing Effectiveness of Cybersecurity Efforts
Date: April 11, 2013; Pages: 45
Notes: Until the Department of Homeland Security and its sector partners develop appropriate outcome-oriented metrics, it will be difficult to gauge the effectiveness of efforts to protect the nation’s core and access communications networks and critical support components of the Internet from cyber incidents. While no cyber incidents have been reported affecting the nation’s core and access networks, communications networks operators can use reporting mechanisms established by FCC and DHS to share information on outages and incidents.

Title: Information Sharing: Agencies Could Better Coordinate to Reduce Overlap in Field-Based Activities
Date: April 4, 2013; Pages: 72
Notes: Agencies have neither held entities accountable for coordinating nor assessed opportunities for further enhancing coordination to help reduce the potential for overlap and achieve efficiencies. The Departments of Justice (DOJ) and DHS, and the Office of National Drug Control Policy (ONDCP)—the federal agencies that oversee or provide support to the five types of field-based entities—acknowledged that entities working together and sharing information is important, but they do not hold the entities accountable for such coordination.

Title: Cybersecurity: A Better Defined and Implemented National Strategy Is Needed to Address Persistent Challenges
Date: March 7, 2013; Pages: 36
Notes: “[A]lthough federal law assigns the Office of Management and Budget (OMB) responsibility for oversight of federal government information security, OMB recently transferred several of these responsibilities to DHS.... [I]t remains unclear how OMB and DHS are to share oversight of individual departments and agencies. Additional legislation could clarify these responsibilities.”

Title: 2013 High Risk List
Date: February 14, 2013; Pages: 275
Notes: Every two years at the start of a new Congress, GAO calls attention to agencies and program areas that are high risk due to their vulnerabilities to fraud, waste, abuse, and mismanagement, or are most in need of transformation. Cybersecurity programs on the list include: Protecting the Federal Government’s Information Systems and the Nation's Cyber Critical Infrastructures, and Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests.

Title: Cybersecurity: National Strategy, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented
Date: February 14, 2013; Pages: 112
Notes: GAO recommends that the White House Cybersecurity Coordinator develop an overarching federal cybersecurity strategy that includes all key elements of the desirable characteristics of a national strategy. Such a strategy would provide a more effective framework for implementing cybersecurity activities and better ensure that such activities will lead to progress in cybersecurity.

Title: Information Security: Federal Communications Commission Needs to Strengthen Controls over Enhanced Secured Network Project
Date: January 25, 2013; Pages: 35
Notes: “The FCC did not effectively implement appropriate information security controls in the initial components of the Enhanced Secured Network (ESN) project.... Weaknesses identified in the commission’s deployment of components of the ESN project as of August 2012 resulted in unnecessary risk that sensitive information could be disclosed, modified, or obtained without authorization. GAO is making seven recommendations to the FCC to implement management controls to help ensure that ESN meets its objective of securing FCC's systems and information.”

Title: Cybersecurity: Challenges in Securing the Electricity Grid
Date: July 17, 2012; Pages: 25
Notes: In a prior report, GAO has made recommendations related to electricity grid modernization efforts, including developing an approach to monitor compliance with voluntary standards. These recommendations have not yet been implemented.

Title: Information Technology Reform: Progress Made but Future Cloud Computing Efforts Should be Better Planned
Date: July 11, 2012; Pages: 43
Notes: To help ensure the success of agencies’ implementation of cloud-based solutions, the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury, and the Administrators of the General Services Administration and Small Business Administration should direct their respective chief information officer (CIO) to establish estimated costs, performance goals, and plans to retire associated legacy systems for each cloud-based service discussed in this report, as applicable.

Title: Electronic Warfare: DOD Actions Needed to Strengthen Management and Oversight
Date: July 9, 2012; Pages: 46
Notes: DOD’s oversight of electronic warfare capabilities may be further complicated by its evolving relationship with computer network operations, which is also an information operations-related capability. Without clearly defined roles and responsibilities and updated guidance regarding oversight responsibilities, DOD does not have reasonable assurance that its management structures will provide effective department-wide leadership for electronic warfare activities and capabilities development and ensure effective and efficient use of its resources.

Title: Information Security: Cyber Threats Facilitate Ability to Commit Economic Espionage
Date: June 28, 2012; Pages: 20
Notes: This statement discusses (1) cyber threats facing the nation’s systems, (2) reported cyber incidents and their impacts, (3) security controls and other techniques available for reducing risk, and (4) the responsibilities of key federal entities in support of protecting IP.

Title: Cybersecurity: Challenges to Securing the Modernized Electricity Grid
Date: February 28, 2012; Pages: 19
Notes: As GAO reported in January 2011, securing smart grid systems and networks presented a number of key challenges that required attention by government and industry. GAO made several recommendations to the Federal Energy Regulatory Commission (FERC) aimed at addressing these challenges. The commission agreed with these recommendations and described steps it is taking to implement them.

Title: Critical Infrastructure Protection: Cybersecurity Guidance Is Available, but More Can Be Done to Promote Its Use
Date: December 9, 2011; Pages: 77
Notes: Given the plethora of guidance available, individual entities within the sectors may be challenged in identifying the guidance that is most applicable and effective in improving their security posture. Improved knowledge of the guidance that is available could help both federal and private sector decision makers better coordinate their efforts to protect critical cyber-reliant assets.

Title: Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination
Date: November 29, 2011; Pages: 86
Notes: All the agencies GAO reviewed faced challenges determining the size of their cybersecurity workforce because of variations in how work is defined and the lack of an occupational series specific to cybersecurity. With respect to other workforce planning practices, all agencies had defined roles and responsibilities for their cybersecurity workforce, but these roles did not always align with guidelines issued by the federal Chief Information Officers Council (CIOC) and National Institute of Standards and Technology (NIST).

Title: Federal Chief Information Officers: Opportunities Exist to Improve Role in Information Technology Management
Date: October 17, 2011; Pages: 72
Notes: GAO is recommending that OMB update its guidance to establish measures of accountability for ensuring that CIOs’ responsibilities are fully implemented and require agencies to establish internal processes for documenting lessons learned.

Title: Information Security: Additional Guidance Needed to Address Cloud Computing Concerns
Date: October 5, 2011; Pages: 17
Notes: Twenty-two of 24 major federal agencies reported that they were either concerned or very concerned about the potential information security risks associated with cloud computing. GAO recommended that the NIST issue guidance specific to cloud computing security.

Title: Information Security: Weaknesses Continue Amid New Federal Efforts to Implement Requirements
Date: October 3, 2011; Pages: 49
Notes: Weaknesses in information security policies and practices at 24 major federal agencies continue to place the confidentiality, integrity, and availability of sensitive information and information systems at risk. Consistent with this risk, reports of security incidents from federal agencies are on the rise, increasing over 650% over the past 5 years. Each of the 24 agencies reviewed had weaknesses in information security controls.

Title: Defense Department Cyber Efforts: Definitions, Focal Point, and Methodology Needed for DOD to Develop Full-Spectrum Cyberspace Budget Estimates
Date: July 29, 2011; Pages: 33
Notes: This letter discusses the Department of Defense’s cyber and information assurance budget for FY2012 and future years defense spending. The objectives of this review were to (1) assess the extent to which DOD has prepared an overarching budget estimate for full-spectrum cyberspace operations across the department and (2) identify the challenges DOD has faced in providing such estimates.

Title: Continued Attention Needed to Protect Our Nation’s Critical Infrastructure
Date: July 26, 2011; Pages: 20
Notes: A number of significant challenges remain to enhancing the security of cyber-reliant critical infrastructures, such as (1) implementing actions recommended by the President's cybersecurity policy review; (2) updating the national strategy for securing the information and communications infrastructure; (3) reassessing DHS's planning approach to critical infrastructure protection; (4) strengthening public-private partnerships, particularly for information sharing; (5) enhancing the national capability for cyber warning and analysis; (6) addressing global aspects of cybersecurity and governance; and (7) securing the modernized electricity grid.

Title: Defense Department Cyber Efforts: DOD Faces Challenges in Its Cyber Activities
Date: July 25, 2011; Pages: 79
Notes: GAO recommends that DOD evaluate how it is organized to address cybersecurity threats; assess the extent to which it has developed joint doctrine that addresses cyberspace operations; examine how it assigned command and control responsibilities; and determine how it identifies and acts to mitigate key capability gaps involving cyberspace operations.

Title: Information Security: State Has Taken Steps to Implement a Continuous Monitoring Application, but Key Challenges Remain
Date: July 8, 2011; Pages: 63
Notes: The Department of State implemented a custom application called iPost and a risk scoring program that is intended to provide continuous monitoring capabilities of information security risk to elements of its information technology (IT) infrastructure. To improve implementation of iPost at State, the Secretary of State should direct the Chief Information Officer to develop, document, and maintain an iPost configuration management and test process.

Cybersecurity: Continued Attention Needed to Protect
March 16, 2011
16
Executive branch agencies have made progress instituting several government-
Our Nation’s Critical Infrastructure and Federal
wide initiatives aimed at bolstering aspects of federal cybersecurity, such as
Information Systems
reducing the number of federal access points to the Internet, establishing
security configurations for desktop computers, and enhancing situational
awareness of cyber events. Despite these efforts, the federal government
continues to face significant challenges in protecting the nation's cyber-reliant
critical infrastructure and federal information systems.
CRS-66


Title Date
Pages Notes
Title: Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed
Date: January 12, 2011
Pages: 50
Notes: GAO identified six key challenges: (1) Aspects of the regulatory environment may make it difficult to ensure smart grid systems’ cybersecurity. (2) Utilities are focusing on regulatory compliance instead of comprehensive security. (3) The electric industry does not have an effective mechanism for sharing information on cybersecurity. (4) Consumers are not adequately informed about the benefits, costs, and risks associated with smart grid systems. (5) There is a lack of security features being built into certain smart grid systems. (6) The electricity industry does not have metrics for evaluating cybersecurity.

Title: Information Security: Federal Agencies Have Taken Steps to Secure Wireless Networks, but Further Actions Can Mitigate Risk
Date: November 30, 2010
Pages: 50
Notes: Existing government-wide guidelines and oversight efforts do not fully address agency implementation of leading wireless security practices. Until agencies take steps to better implement these leading practices, and OMB takes steps to improve government-wide oversight, wireless networks will remain at an increased vulnerability to attack.

Title: Cyberspace Policy: Executive Branch Is Making Progress Implementing 2009 Policy Review Recommendations, but Sustained Leadership Is Needed
Date: October 6, 2010
Pages: 66
Notes: Of the 24 recommendations in the President’s May 2009 cyber policy review report, 2 have been fully implemented, and 22 have been partially implemented. While these efforts appear to be steps forward, agencies were largely not able to provide milestones and plans that showed when and how implementation of the recommendations was to occur.

Title: DHS Efforts to Assess and Promote Resiliency Are Evolving but Program Management Could Be Strengthened
Date: September 23, 2010
Pages: 46
Notes: The Department of Homeland Security (DHS) has not developed an effective way to ensure that critical national infrastructure, such as electrical grids and telecommunications networks, can bounce back from a disaster. DHS has conducted surveys and vulnerability assessments of critical infrastructure to identify gaps, but has not developed a way to measure whether owners and operators of that infrastructure adopt measures to reduce risks.

Title: Information Security: Progress Made on Harmonizing Policies and Guidance for National Security and Non-National Security Systems
Date: September 15, 2010
Pages: 38
Notes: OMB and NIST established policies and guidance for civilian non-national security systems, while other organizations, including the Committee on National Security Systems (CNSS), DOD, and the U.S. intelligence community, have developed policies and guidance for national security systems. GAO was asked to assess the progress of federal efforts to harmonize policies and guidance for these two types of systems.

Title: United States Faces Challenges in Addressing Global Cybersecurity and Governance
Date: August 2, 2010
Pages: 53
Notes: GAO recommends that the Special Assistant to the President and Cybersecurity Coordinator should make recommendations to appropriate agencies and interagency coordination committees regarding any necessary changes to more effectively coordinate and forge a coherent national approach to cyberspace policy.

Title: Critical Infrastructure Protection: Key Private and Public Cyber Expectations Need to Be Consistently Addressed
Date: July 15, 2010
Pages: 38
Notes: The Special Assistant to the President and Cybersecurity Coordinator and the Secretary of Homeland Security should take two actions: (1) use the results of this report to focus their information-sharing efforts, including their relevant pilot projects, on the most desired services, including providing timely and actionable threat and alert information, access to sensitive or classified information, a secure mechanism for sharing information, and security clearances; and (2) bolster the efforts to build out the National Cybersecurity and Communications Integration Center as the central focal point for leveraging and integrating the capabilities of the private sector, civilian government, law enforcement, the military, and the intelligence community.

Title: Federal Guidance Needed to Address Control Issues With Implementing Cloud Computing
Date: July 1, 2010
Pages: 53
Notes: To assist federal agencies in identifying uses for cloud computing and information security measures to use in implementing cloud computing, the Director of OMB should establish milestones for completing a strategy for implementing the federal cloud computing initiative.

Title: Continued Attention Is Needed to Protect Federal Information Systems from Evolving Threats
Date: June 16, 2010
Pages: 15
Notes: Multiple opportunities exist to improve federal cybersecurity. To address identified deficiencies in agencies’ security controls and shortfalls in their information security programs, GAO and agency inspectors general have made hundreds of recommendations over the past several years, many of which agencies are implementing. In addition, the White House, OMB, and certain federal agencies have undertaken several government-wide initiatives intended to enhance information security at federal agencies. While progress has been made on these initiatives, they all face challenges that require sustained attention, and GAO has made several recommendations for improving the implementation and effectiveness of these initiatives.

Title: Information Security: Concerted Response Needed to Resolve Persistent Weaknesses
Date: March 24, 2010
Pages: 21
Notes: Without proper safeguards, federal computer systems are vulnerable to intrusions by individuals who have malicious intentions and can obtain sensitive information. The need for a vigilant approach to information security has been demonstrated by the pervasive and sustained cyberattacks against the United States; these attacks continue to pose a potentially devastating impact to systems and the operations and critical infrastructures they support.

Title: Cybersecurity: Continued Attention Is Needed to Protect Federal Information Systems from Evolving Threats
Date: March 16, 2010
Pages: 15
Notes: The White House, the Office of Management and Budget, and certain federal agencies have undertaken several government-wide initiatives intended to enhance information security at federal agencies. While progress has been made on these initiatives, they all face challenges that require sustained attention, and GAO has made several recommendations for improving the implementation and effectiveness of these initiatives.

Title: Concerted Effort Needed to Consolidate and Secure Internet Connections at Federal Agencies
Date: April 12, 2010
Pages: 40
Notes: To reduce the threat to federal systems and operations posed by cyberattacks on the United States, OMB launched, in November 2007, the Trusted Internet Connections (TIC) initiative, and later, in 2008, DHS’s National Cybersecurity Protection System (NCPS), operationally known as Einstein, which became mandatory for federal agencies as part of TIC. To further ensure that federal agencies have adequate, sufficient, and timely information to successfully meet the goals and objectives of the TIC and Einstein programs, DHS’s Secretary should, to better understand whether Einstein alerts are valid, develop additional performance measures that indicate how agencies respond to alerts.

Title: Cybersecurity: Progress Made But Challenges Remain in Defining and Coordinating the Comprehensive National Initiative
Date: March 5, 2010
Pages: 64
Notes: To address strategic challenges in areas that are not the subject of existing projects within CNCI but remain key to achieving the initiative’s overall goal of securing federal information systems, OMB’s Director should continue developing a strategic approach to identity management and authentication, linked to HSPD-12 implementation, as initially described in the CIOC's plan for implementing federal identity, credential, and access management, so as to provide greater assurance that only authorized individuals and entities can gain access to federal information systems.

Title: Continued Efforts Are Needed to Protect Information Systems from Evolving Threats
Date: November 17, 2009
Pages: 24
Notes: GAO has identified weaknesses in all major categories of information security controls at federal agencies. For example, in FY2008, weaknesses were reported in such controls at 23 of 24 major agencies. Specifically, agencies did not consistently authenticate users to prevent unauthorized access to systems; apply encryption to protect sensitive data; and log, audit, and monitor security-relevant events, among other actions.

Title: Efforts to Improve Information Sharing Need to Be Strengthened
Date: August 27, 2003
Pages: 59
Notes: Information on threats, methods, and techniques of terrorists is not routinely shared; and the information that is shared is not perceived as timely, accurate, or relevant.

Source: Highlights compiled by CRS from the GAO reports.

Table 11. White House/Office of Management and Budget [3]

Title: Improving Cybersecurity
Date: Ongoing
Pages: N/A
Notes: OMB is working with agencies, Inspectors General, Chief Information Officers, senior agency officials in charge of privacy, as well as GAO and Congress, to strengthen the federal government's IT security and privacy programs. The site provides information on Cross-Agency Priority (CAP) goals, proposed cybersecurity legislation, CyberStat, continuous monitoring and remediation, using SmartCards for identity management, and standardizing security through configuration settings.

Title: Federal Information Security Management Act, Annual Report to Congress
Date: May 1, 2014
Pages: 80
Notes: The 24 largest federal departments and agencies spent $10.34 billion on cybersecurity last fiscal year. The CFO Act agency with the greatest expenditure was Defense, at $7.11 billion, followed by Homeland Security at $1.11 billion. Federal agencies’ collective request for cybersecurity spending during FY2015 amounts to about $13 billion, federal CIO Steven VanRoekel told reporters during the March rollout of the White House spending proposal for the coming fiscal year, making cybersecurity a rare area of federal information technology spending growth.

Title: Assessing Cybersecurity Regulations
Date: May 22, 2014
Pages: N/A
Notes: The White House directed federal agencies to examine their regulatory authority over private-sector cybersecurity in the February 2013 executive order that also created the NIST cybersecurity framework. A review of agency reports concluded that “existing regulatory requirements, when complemented with strong voluntary partnerships, are capable of mitigating cyber risks.” No new federal regulations are needed for improving the cybersecurity of privately held American critical infrastructure.

Title: Big Data: Seizing Opportunities, Preserving Values
Date: May 2014
Pages: 85
Notes: The findings outline a set of consumer protection recommendations, including that Congress should pass legislation on a “single national data breach standard.”

Title: State and Local Government Cybersecurity
Date: April 2, 2014
Pages: N/A
Notes: The White House in March 2014 convened a broad array of stakeholders, including government representatives, local-government-focused associations, private-sector technology companies, and partners from multiple federal agencies at the State and Local Government Cybersecurity Framework Kickoff Event.

[3] For a list of White House executive orders, see CRS Report R43317, Cybersecurity: Legislation, Hearings, and Executive Branch Documents, by Rita Tehan.

Title: Liberty and Security in a Changing World: Report and Recommendations of The President’s Review Group on Intelligence and Communications Technologies
Date: December 12, 2013
Pages: 308
Notes: From the report, “The national security threats facing the United States and our allies are numerous and significant, and they will remain so well into the future. These threats include international terrorism, the proliferation of weapons of mass destruction, and cyber espionage and warfare... After careful consideration, we recommend a number of changes to our intelligence collection activities that will protect [privacy and civil liberties] values without undermining what we need to do to keep our nation safe.”

Title: Immediate Opportunities for Strengthening the Nation’s Cybersecurity
Date: November 2013
Pages: 31
Notes: This is a report of the President’s Council of Advisors on Science and Technology (PCAST). The report recommends the government phase out insecure, outdated operating systems, like Windows XP, implement better encryption technology, and encourage automatic security updates, among other changes. PCAST also recommends, for regulated industries, that the government help create cybersecurity best practices and audit their adoption, and, for independent agencies, that they write new rules that require businesses to report their cyber improvements.

Title: Cross Agency Priority Goal: Cybersecurity, FY2013 Q3 Status Report
Date: October 2013
Pages: 24
Notes: Executive branch departments and agencies will achieve 95% implementation of the Administration’s priority cybersecurity capabilities by the end of FY2014. These capabilities include strong authentication, Trusted Internet Connections (TIC), and Continuous Monitoring.

Title: Incentives to Support Adoption of the Cybersecurity Framework
Date: August 6, 2013
Pages: N/A
Notes: From the report, “To promote cybersecurity practices and develop these core capabilities, we are working with critical infrastructure owners and operators to create a Cybersecurity Framework – a set of core practices to develop capabilities to manage cybersecurity risk... Over the next few months, agencies will examine these options in detail to determine which ones to adopt and how, based substantially on input from critical infrastructure stakeholders.”

Title: FY2012 Report to Congress on the Implementation of the Federal Information Security Management Act of 2002
Date: March 2013
Pages: 68
Notes: More government programs violated data security law standards in 2012 than in the previous year, and at the same time, computer security costs have increased by more than $1 billion. Inadequate training was a large part of the reason all-around FISMA adherence scores slipped from 75% in 2011 to 74% in 2012. Agencies reported that about 88% of personnel with system access privileges received annual security awareness instruction, down from 99% in 2011. Meanwhile, personnel expenses accounted for the vast majority (90%) of the $14.6 billion departments spent on information technology security in 2012.

Title: Administration Strategy for Mitigating the Theft of U.S. Trade Secrets
Date: February 20, 2013
Pages: 141
Notes: From the report, “First, we will increase our diplomatic engagement.... Second, we will support industry-led efforts to develop best practices to protect trade secrets and encourage companies to share with each other best practices that can mitigate the risk of trade secret theft.... Third, DOJ will continue to make the investigation and prosecution of trade secret theft by foreign competitors and foreign governments a top priority.... Fourth, President Obama recently signed two pieces of legislation that will improve enforcement against trade secret theft.... Lastly, we will increase public awareness of the threats and risks to the U.S. economy posed by trade secret theft.”

Title: National Strategy for Information Sharing and Safeguarding
Date: December 2012
Pages: 24
Notes: Provides guidance for effective development, integration, and implementation of policies, processes, standards, and technologies to promote secure and responsible information sharing.

Title: Collaborative and Cross-Cutting Approaches to Cybersecurity
Date: August 1, 2012
Pages: N/A
Notes: Michael Daniel, White House Cybersecurity Coordinator, highlights a few recent initiatives where voluntary, cooperative actions are helping to improve the nation’s overall cybersecurity.

Title: Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program
Date: December 2011
Pages: 36
Notes: As a research and development strategy, this plan defines four strategic thrusts: Inducing Change, Developing Scientific Foundations, Maximizing Research Impact, and Accelerating Transition to Practice.

Title: FY2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management
Date: September 14, 2011
Pages: 29
Notes: Rather than enforcing a static, three-year reauthorization process, agencies are expected to conduct ongoing authorizations of information systems through the implementation of continuous monitoring programs. Continuous monitoring programs thus fulfill the three-year security reauthorization requirement, so a separate re-authorization process is not necessary.

Title: Cybersecurity Legislative Proposal (Fact Sheet)
Date: May 12, 2011
Pages: N/A
Notes: The Administration’s proposal ensures the protection of individuals' privacy and civil liberties through a framework designed expressly to address the challenges of cybersecurity. The Administration's legislative proposal includes management, personnel, intrusion prevention systems, and data centers.

Title: International Strategy for Cyberspace
Date: May 2011
Pages: 30
Notes: The strategy marks the first time any Administration has attempted to set forth in one document the U.S. government’s vision for cyberspace, including goals for defense, diplomacy, and international development.

Title: National Strategy for Trusted Identities in Cyberspace (NSTIC)
Date: April 15, 2011
Pages: 52
Notes: The NSTIC aims to make online transactions more trustworthy, thereby giving businesses and consumers more confidence in conducting business online.

Title: Federal Cloud Computing Strategy
Date: February 13, 2011
Pages: 43
Notes: The strategy outlines how the federal government can accelerate the safe, secure adoption of cloud computing, and provides agencies with a framework for migrating to the cloud. It also examines how agencies can address challenges related to the adoption of cloud computing, such as privacy, procurement, standards, and governance.

Title: 25 Point Implementation Plan to Reform Federal Information Technology Management
Date: December 9, 2010
Pages: 40
Notes: The plan’s goals are to reduce the number of federally run data centers from 2,100 to approximately 1,300, rectify or cancel one-third of troubled IT projects, and require federal agencies to adopt a “cloud first” strategy in which they will move at least one system to a hosted environment within a year.

Title: Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security
Date: July 6, 2010
Pages: 39
Notes: This memorandum outlines and clarifies the respective responsibilities and activities of the Office of Management and Budget (OMB), the Cybersecurity Coordinator, and DHS, in particular with respect to the Federal Government’s implementation of the Federal Information Security Management Act of 2002 (FISMA).

Title: The National Strategy for Trusted Identities in Cyberspace: Creating Options for Enhanced Online Security and Privacy (Draft)
Date: June 25, 2010
Pages: 39
Notes: The NSTIC, which is in response to one of the near-term action items in the President’s Cyberspace Policy Review, calls for the creation of an online environment, or an Identity Ecosystem, where individuals and organizations can complete online transactions with confidence, trusting the identities of each other and the identities of the infrastructure where transactions occur.

Title: Comprehensive National Cybersecurity Initiative (CNCI)
Date: March 2, 2010
Pages: 5
Notes: The CNCI establishes a multi-pronged approach the federal government is to take in identifying current and emerging cyber threats, shoring up current and future telecommunications and cyber vulnerabilities, and responding to or proactively addressing entities that wish to steal or manipulate protected data on secure federal systems.

Title: Cyberspace Policy Review: Assuring a Trusted and Resilient Communications Infrastructure
Date: May 29, 2009
Pages: 76
Notes: The President directed a 60-day, comprehensive, “clean-slate” review to assess U.S. policies and structures for cybersecurity. The review team of government cybersecurity experts engaged and received input from a broad cross-section of industry, academia, the civil liberties and privacy communities, state governments, international partners, and the legislative and executive branches. This paper summarizes the review team’s conclusions and outlines the beginning of the way forward toward a reliable, resilient, trustworthy digital infrastructure for the future.

Source: Highlights compiled by CRS from the White House reports.

Table 12. Department of Defense (DOD)

Title: Risk Management Framework (RMF) for DoD Information Technology (IT)
Source: Department of Defense
Date: March 12, 2014
Pages: 47
Notes: In a change in security policy, DOD has dropped its long-standing DOD Information Assurance Certification and Accreditation Process (DIACAP) and adopted a risk-focused security approach developed by the National Institute of Standards and Technology (NIST). The decision, issued in a DOD Instruction memo (8510.01), aligns for the first time the standards the Defense Department and civilian agencies use to ensure their IT systems comply with approved information assurance and risk management controls.

Title: Improving Cybersecurity and Resilience through Acquisition
Source: Department of Defense and the General Services Administration (GSA)
Date: January 23, 2014
Pages: 24
Notes: The DOD and GSA jointly released a report announcing six planned reforms to improve the cybersecurity and resilience of the Federal Acquisition System. The report provides a path forward to aligning federal cybersecurity risk management and acquisition processes. It provides strategic recommendations for addressing relevant issues, suggests how challenges might be resolved, and identifies important considerations for the implementation of the recommendations.

Title: Defense Federal Acquisition Regulation Supplement: Safeguarding Unclassified Controlled Technical Information
Source: DOD
Date: November 18, 2013
Pages: 10
Notes: The final rule imposed two new requirements. First, the rule imposed an obligation on contractors to provide “adequate security” to safeguard “unclassified controlled technical information” (UCTI). Second, contractors are obligated to report “cyber incidents” that affect UCTI to contracting officers. In both obligations, UCTI is defined as “technical information with military or space application that is subject to controls on access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.” UCTI should be marked with a DOD “distribution statement.” This is the first time that the DOD has imposed specific requirements for cybersecurity that are generally applicable to all contractors.

Title: Offensive Cyber Capabilities at the Operational Level - The Way Ahead
Source: Center for Strategic & International Studies (CSIS)
Date: September 16, 2013
Pages: 20
Notes: The specific question this report examines is whether the Defense Department should make a more deliberate effort to explore the potential of offensive cyber tools at levels below that of a combatant command.

Title: An Assessment of the Department of Defense Strategy for Operating in Cyberspace
Source: U.S. Army War College
Date: September 2013
Pages: 60
Notes: This monograph is organized in three main parts. The first part explores the evolution of cyberspace strategy through a series of government publications leading up to the DoD Strategy for Operating in Cyberspace. In the second part, each strategic initiative is elaborated and critiqued in terms of significance, novelty, and practicality. In the third part, the monograph critiques the DOD Strategy as a whole.

Title: Joint Professional Military Education Institutions in an Age of Cyber Threat
Source: Francesca Spidalieri (Pell Center Fellow)
Date: August 7, 2013
Pages: 18
Notes: The report found that the Joint Professional Military Education at the six U.S. military graduate schools—a requirement for becoming a Joint staff officer and for promotion to the senior ranks—has not effectively incorporated cybersecurity into specific courses, conferences, war gaming exercises, or other forms of training for military officers. While these graduate programs are more advanced on cybersecurity than most American civilian universities, a preparation gap still exists.

Title: Military and Security Developments Involving the People’s Republic of China 2013 (Annual Report to Congress)
Source: DOD
Date: May 6, 2013
Pages: 92
Notes: China is using its computer network exploitation capability to support intelligence collection against the U.S. diplomatic, economic, and defense industrial base sectors that support U.S. national defense programs. The information targeted could potentially be used to benefit China’s defense industry, high-technology industries, policy maker interest in U.S. leadership thinking on key China issues, and military planners building a picture of U.S. network defense networks, logistics, and related military capabilities that could be exploited during a crisis.

Title: Resilient Military Systems and the Advanced Cyber Threat
Source: DOD Science Board
Date: January 2013
Pages: 146
Notes: The report states that, despite numerous Pentagon actions to parry sophisticated attacks by other countries, efforts are “fragmented” and the Defense Department “is not prepared to defend against this threat.” The report lays out a scenario in which cyberattacks in conjunction with conventional warfare damaged the ability of U.S. forces to respond, creating confusion on the battlefield and weakening traditional defenses.

Title: FY2012 Annual Report
Source: DOD
Date: January 2013
Pages: 372
Notes: Annual report to Congress by J. Michael Gilmore, director of Operational Test and Evaluation. Assesses the operational effectiveness of systems being developed for combat. See “Information Assurance (I/A) and Interoperability (IOP)” chapter, pages 305-312, for information on network exploitation and compromise exercises.

Title: Basic Safeguarding of Contractor Information Systems (Proposed Rule)
Source: DOD, GSA, and National Aeronautics and Space Administration (NASA)
Date: August 24, 2012
Pages: 4
Notes: This regulation authored by the DOD, GSA, and NASA “would add a contract clause to address requirements for the basic safeguarding of contractor information systems that contain or process information provided by or generated for the government (other than public information).”

Title: Electronic Warfare: DOD Actions Needed to Strengthen Management and Oversight
Source: GAO
Date: July 9, 2012
Pages: 46
Notes: DOD’s oversight of electronic warfare capabilities may be further complicated by its evolving relationship with computer network operations, which is also an information operations-related capability. Without clearly defined roles and responsibilities and updated guidance regarding oversight responsibilities, DOD does not have reasonable assurance that its management structures will provide effective department-wide leadership for electronic warfare activities and capabilities development and ensure effective and efficient use of its resources.

Title: Cloud Computing Strategy
Source: DOD, Chief Information Officer
Date: July 2012
Pages: 44
Notes: The DOD Cloud Computing Strategy introduces an approach to move the department from the current state of a duplicative, cumbersome, and costly set of application silos to an end state, which is an agile, secure, and cost effective service environment that can rapidly respond to changing mission needs.

Title: DOD Defense Industrial Base (DIB) Voluntary Cyber Security and Information Assurance (CS/IA) Activities
Source: Federal Register
Date: May 11, 2012
Pages: 7
Notes: DOD interim final rule to establish a voluntary cybersecurity information sharing program between DOD and eligible DIB companies. The program enhances and supplements DIB participants’ capabilities to safeguard DOD information that resides on, or transits, DIB unclassified information systems.

Title: DOD Information Security Program: Overview, Classification, and Declassification
Source: DOD
Date: February 24, 2012
Pages: 84
Notes: Describes the DOD Information Security Program, and provides guidance for classification and declassification of DOD information that requires protection in the interest of the national security.

Title: Cyber Sentries: Preparing Defenders to Win in a Contested Domain
Source: Air War College
Date: February 7, 2012
Pages: 38
Notes: This paper examines the current impediments to effective cybersecurity workforce preparation and offers new concepts to create Cyber Sentries through realistic training, network authorities tied to certification, and ethical training. These actions present an opportunity to significantly enhance workforce quality and allow the department to operate effectively in the contested cyber domain in accordance with the vision established in its Strategy for Cyberspace Operations.

Title: Defense Department Cyber Efforts: Definitions, Focal Point, and Methodology Needed for DOD to Develop Full-Spectrum Cyberspace Budget Estimates
Source: GAO
Date: July 29, 2011
Pages: 33
Notes: This letter discusses DOD’s cyber and information assurance budget for FY2012 and future years defense spending. The objectives of this review were to (1) assess the extent to which DOD has prepared an overarching budget estimate for full-spectrum cyberspace operations across the department and (2) identify the challenges DOD has faced in providing such estimates.

Title: Legal Reviews of Weapons and Cyber Capabilities
Source: Secretary of the Air Force
Date: July 27, 2011
Pages: 7
Notes: Report concludes the Air Force must subject cyber capabilities to legal review for compliance with the Law of Armed Conflict and other international and domestic laws. The Air Force judge advocate general must ensure that all cyber capabilities “being developed, bought, built, modified or otherwise acquired by the Air Force" must undergo legal review—except for cyber capabilities within a Special Access Program, which must undergo review by the Air Force general counsel.

Title: Department of Defense Strategy for Operating in Cyberspace
Source: DOD
Date: July 2011
Pages: 19
Notes: This is an unclassified summary of DOD’s cyber-security strategy.

Title: Cyber Operations Personnel Report (DOD)
Source: DOD
Date: April 2011
Pages: 84
Notes: This report focuses on FY2009 Department of Defense Cyber Operations personnel, with duties and responsibilities as defined in Section 934 of the Fiscal Year 2010 National Defense Authorization Act (NDAA).
Appendix A—Cyber Operations-related Military Occupations
Appendix B—Commercial Certifications Supporting the DOD Information Assurance Workforce Improvement Program
Appendix C—Military Services Training and Development
Appendix D—Geographic Location of National Centers of Academic Excellence in Information Assurance

Title: Anomaly Detection at Multiple Scales (ADAMS)
Source: Defense Advanced Research Projects Agency (DARPA)
Date: November 9, 2011
Pages: 74
Notes: The design document was produced by Allure Security and sponsored by the Defense Advanced Research Projects Agency (DARPA). It describes a system for preventing leaks by seeding believable disinformation in military information systems to help identify individuals attempting to access and disseminate classified information.

Title: Critical Code: Software Producibility for Defense
Source: National Research Council, Committee for Advancing Software-Intensive Systems Producibility
Date: October 20, 2010
Pages: 160
Notes: Assesses the nature of the national investment in software research and, in particular, considers ways to revitalize the knowledge base needed to design, produce, and employ software-intensive systems for tomorrow’s defense needs.

Defending a New Domain
U.S. Deputy Secretary of
September/October
N/A
In 2008, DOD suffered a significant compromise of its classified
Defense, William J. Lynn
2010
military computer networks. It began when an infected flash
(Foreign Affairs)
drive was inserted into a U.S. military laptop at a base in the
Middle East. This previously classified incident was the most
significant breach of U.S. military computers ever, and served as
an important wake-up call.
The QDR in Perspective: Meeting America’s
Quadrennial Defense
July 30, 2010
159
From the report: “The expanding cyber mission also needs to
National Security Needs In the 21st Century
Review
be examined. DOD should be prepared to assist civil
(QDR Final Report)
authorities in defending cyberspace – beyond the department’s
current role."
Cyberspace Operations: Air Force Doctrine
U.S. Air Force
July 15, 2010
62
This Air Force Doctrine Document (AFDD) establishes
Document 3-12
doctrinal guidance for the employment of U.S. Air Force
operations in, through, and from cyberspace. It is the keystone
of Air Force operational-level doctrine for cyberspace
operations.
DON (Department of the Navy)
U.S. Navy
June 17, 2010
14
To establish policy and assign responsibilities for the
Cybersecurity/Information Assurance
administration of the Department of the Navy (DON)
Workforce Management, Oversight and
Cybersecurity (CS)/Information Assurance Workforce (IAWF)
Compliance
Management Oversight and Compliance Program.
Note: Highlights compiled by CRS from the reports.



CRS Product: Cybersecurity Framework
• CRS Report WSLG829, National Institute of Standards and Technology Issues Long-awaited Cybersecurity Framework, by Andrew Nolan
Table 13. National Institute of Standards and Technology (NIST) Including the Cybersecurity Framework

Title: Computer Security Division, Computer Security Resource Center
Date: Ongoing
Pages: N/A
Notes: Compilation of laws, regulations, and directives from 2000-2007 that govern the creation and implementation of federal information security practices. These laws and regulations provide an infrastructure for overseeing implementation of required practices, and charge NIST with developing and issuing standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Management Act (FISMA) of 2002 and in managing cost-effective programs to protect their information and information systems.

Title: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations (SP 800-52r1)
Date: April 28, 2014
Pages: 67
Notes: The federal government must upgrade its servers to handle version 1.1 of Transport Layer Security and make plans by January 2015 for handling Web traffic encrypted using TLS 1.2. TLS is a common method of encrypting Web traffic and email that relies on public key encryption. The Internet Engineering Task Force approved TLS 1.2 in August 2008, but it’s only recently that browsers have begun to support it.

Title: National Cybersecurity Center of Excellence (NCCoE) and Electric Power Sector Identity and Access Management Use Case
Date: March 18, 2014
Pages: 2
Notes: NIST invites organizations to provide products and technical expertise to support and demonstrate security platforms for identity and access management for the electric power sector. This notice is the initial step for the National Cybersecurity Center of Excellence (NCCoE) in collaborating with technology companies to address cybersecurity challenges identified under the Energy Sector program. Participation in the use case is open to all interested organizations.

Title: Framework for Improving Critical Infrastructure Cybersecurity
Date: February 12, 2014
Pages: 41
Notes: The voluntary framework consists of cybersecurity standards that can be customized to various sectors and adapted by both large and small organizations. Additionally, so that the private sector may fully adopt this Framework, the Department of Homeland Security announced the Critical Infrastructure Cyber Community (C3)—or “C-cubed”—Voluntary Program. The C3 program gives companies that provide critical services like cell phones, email, banking, energy, and state and local governments, direct access to cybersecurity experts within DHS who have knowledge about specific threats, ways to counter those threats, and how, over the long term, to design and build systems that are less vulnerable to cyber threats.
Title: Update on the Development of the Cybersecurity Framework
Date: January 15, 2014
Pages: 3
Notes: From the document, “While stakeholders have said they see the value of guidance relating to privacy, many comments stated a concern that the methodology did not reflect consensus private sector practices and therefore might limit use of the Framework. Many commenters also stated their belief that privacy considerations should be fully integrated into the Framework Core.”

Title: Proposed Establishment of a Federally Funded Research and Development Center
Date: January 10, 2014
Pages: 2
Notes: NIST intends to sponsor a Federally Funded Research and Development Center (FFRDC) to facilitate public-private collaboration for accelerating the widespread adoption of integrated cybersecurity tools and technologies. NIST published three notices in the Federal Register advising the public of the agency's intention to sponsor an FFRDC and requesting comments from the public. This notice provides NIST's analysis of the comments related to NIST's proposed establishment of the FFRDC received in response to those notices.

Title: Designed-in Cyber Security for Cyber-Physical Systems
Date: November 20, 2013
Pages: 60
Notes: NIST and the Cybersecurity Research Alliance held a two-day workshop (April 4-5, 2013) for industry, government, and academic cybersecurity researchers. The report’s findings lay out a logical roadmap for designing security into varied IP-based systems and platforms increasingly targeted by cyber attackers.

Title: Cybersecurity Framework
Date: October 22, 2013
Pages: 47
Notes: NIST seeks comments on the preliminary version of the Cybersecurity Framework (“preliminary Framework”). Under Executive Order 13636, NIST is directed to work with stakeholders to develop a framework to reduce cyber risks to critical infrastructure.

Title: A Role-Based Model for Federal Information Technology/Cybersecurity Training (Draft Special Publication 800-16 Revision 1)
Date: October 2013
Pages: 152
Notes: This guidance will assist managers at all levels to understand their responsibilities in providing role-based cybersecurity training.

Title: Guide to Attribute Based Access Control Definition and Considerations (Draft SP 800-162)
Date: October 2013
Pages: 48
Notes: Improving information sharing while maintaining control over access to that information is a primary goal of guidance coming from NIST.

Title: Discussion Draft of the Preliminary Cybersecurity Framework
Date: August 28, 2013
Pages: 36
Notes: The Framework provides a common language and mechanism for organizations to (1) describe current cybersecurity posture; (2) describe their target state for cybersecurity; (3) identify and prioritize opportunities for improvement within the context of risk management; (4) assess progress toward the target state; (5) foster communications among internal and external stakeholders.

Title: Proposed Establishment of a Federally Funded Research and Development Center-Third Notice
Date: July 16, 2013
Pages: 2
Notes: This is the third of three notices that must be published over a 90-day period to advise the public of the agency’s intention to sponsor an FFRDC.

Title: DRAFT Outline—Preliminary Framework to Reduce Cyber Risks to Critical Infrastructure
Date: July 1, 2013
Pages: 5
Notes: This draft is produced for discussion purposes at the upcoming workshops and to further encourage private-sector input before NIST publishes a preliminary Draft Framework to Reduce Cyber Risks to Critical Infrastructure (“the Framework”) for public comment in October.
Title: Computer Security Incident Coordination (CSIC): Providing Timely Cyber Incident Response
Date: June 28, 2013
Pages: 3
Notes: NIST is seeking information relating to Computer Security Incident Coordination (CSIC) as part of the research needed to write a NIST Special Publication (SP) to help Computer Security Incident Response Teams (CSIRTs) coordinate effectively when responding to computer-security incidents. The NIST SP will identify technical standards, methodologies, procedures, and processes that facilitate prompt and effective response.

Title: Proposed Establishment of a Federally Funded Research and Development Center—Second Notice
Date: June 21, 2013
Pages: 2
Notes: NIST intends to sponsor an FFRDC to facilitate public-private collaboration for accelerating the widespread adoption of integrated cybersecurity tools and technologies. This is the second of three notices that must be published over a 90-day period to advise the public of the agency’s intention to sponsor an FFRDC.

Title: Update on the Development of the Cybersecurity Framework
Date: June 18, 2013
Pages: 3
Notes: NIST is seeking input about foundational cybersecurity practices, ideas for how to manage privacy and civil liberties needs, and outcome-oriented metrics that leaders can use in evaluating the position and progress of their organizations’ cybersecurity status. In a few weeks, NIST expects to post an outline of the preliminary cybersecurity framework, including existing standards and practices.

Title: Initial Analysis of Cybersecurity Framework RFI Responses
Date: May 15, 2013
Pages: 34
Notes: NIST released an initial analysis of 243 responses to the Feb. 26 RFI. The analysis will form the basis for an upcoming workshop at Carnegie Mellon University in Pittsburgh as NIST moves forward on creating a cybersecurity framework for essential energy, utility and communications systems.

Title: Proposed Establishment of a Federally Funded Research and Development Center-First Notice
Date: April 22, 2013
Pages: 2
Notes: To help the National Cybersecurity Center of Excellence (NCCoE) address industry’s needs most efficiently, NIST will sponsor its first FFRDC to facilitate public-private collaboration for accelerating the widespread adoption of integrated cybersecurity tools and technologies.

Title: Security and Privacy Controls for Federal Information Systems (SP 800-53, Rev. 4)
Date: April 2013
Pages: 457
Notes: Special Publication 800-53, Revision 4, provides a more holistic approach to information security and risk management by providing organizations with the breadth and depth of security controls necessary to fundamentally strengthen their information systems and the environments in which those systems operate—contributing to systems that are more resilient in the face of cyberattacks and other threats. This “Build It Right” strategy is coupled with a variety of security controls for “Continuous Monitoring” to give organizations near real-time information that is essential for senior leaders making ongoing risk-based decisions affecting their critical missions and business functions.

Title: Developing a Framework To Improve Critical Infrastructure Cybersecurity, Notice; Request for Information
Date: February 26, 2013
Pages: 5
Notes: NIST announced the first step in the development of a Cybersecurity Framework, which will be a set of voluntary standards and best practices to guide industry in reducing cyber risks to the networks and computers that are vital to the nation’s economy, security, and daily life.
Title: Memorandum of Understanding (MOU)
Date: December 2, 2010
Pages: 4
Notes: The MOU, signed by NIST, DHS, and the Financial Services Sector Coordinating Council (FSSCC), formalizes the intent of the parties to expedite the coordinated development and availability of collaborative research, development, and testing activities for cybersecurity technologies and processes based upon the financial services sector’s needs.
Note: Highlights compiled by CRS from the reports.
Table 14. Other Federal Agencies

Title: Office of Cybersecurity and Communications (CS&C)
Source: DHS
Date: Ongoing
Pages: N/A
Notes: CS&C works to prevent or minimize disruptions to critical information infrastructure in order to protect the public, the economy, and government services. CS&C leads efforts to protect the federal “.gov” domain of civilian government networks and to collaborate with the private sector—the “.com” domain—to increase the security of critical networks.

Title: Continuous Diagnostic and Mitigation Program
Source: DHS
Date: Ongoing
Pages: N/A
Notes: An initiative to deploy continuous monitoring at U.S. federal government agencies will be done in phases, with the initial rollout occurring over three years. The initial phase is aimed at getting federal civilian agencies to employ continuous diagnostic tools to improve vulnerability management, enforce strong compliance settings, manage hardware and software assets and establish white-listing of approved services and applications.

Title: Cybersecurity Collection
Source: The National Academies Press
Date: Ongoing
Pages: N/A
Notes: The prevention of cyberattacks on a nation's important computer and communications system and networks is a problem that looms large. In order to best prevent such attacks, this collection explains the importance of increasing the usability of security technologies, recommends strategies for future research aimed at countering cyberattacks, and considers how information technology systems can be used to not only maximize protection against attacks, but also respond to threats.
Title: At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues
Source: National Academies Press
Date: May 13, 2014
Pages: 102
Notes: The report is a call for action to make cybersecurity a public safety priority. For a number of years, the cybersecurity issue has received increasing public attention; however, most policy focus has been on the short-term costs of improving systems. In its explanation of the fundamentals of cybersecurity and the discussion of potential policy responses, this book will be a resource for policy makers, cybersecurity and IT professionals, and anyone who wants to understand threats to cyberspace.

Title: HHS activities to enhance cybersecurity
Source: Department of Health and Human Services
Date: May 12, 2014
Pages: N/A
Notes: Additional oversight on cybersecurity issues from outside of HHS is not necessary, according to an HHS report on its existing cyber regulatory policies. “All of the regulatory programs identified [in the HHS Section 10(a) analysis] operate within particular segments of the [Healthcare and Public Health] Sector,” the HHS report concluded. “Expanding any or each of these authorities solely to address cybersecurity issues would not be appropriate or recommended.”

Title: Sharing Cyberthreat Information Under 18 USC § 2702(a)(3)
Source: Department of Justice
Date: May 9, 2014
Pages: 7
Notes: The Department of Justice issued guidance for Internet service providers to assuage legal concerns about information sharing. The white paper interprets the Stored Communications Act, which prohibits providers from voluntarily disclosing customer information to governmental entities. The white paper says that the law does not prohibit companies from divulging data in the aggregate, without any specific details about identifiable customers.

Title: Inadequate Practice and Management Hinder Department’s Incident Detection and Response
Source: Department of Commerce Office of Inspector General
Date: April 24, 2014
Pages: 15
Notes: Auditors sent a prolonged stream of deliberately suspicious network traffic to five public-facing websites at the department—to assess incident detection capabilities. Only one bureau—auditors do not say which—successfully moved to block the suspicious traffic. Responses at the other bureaus ranged from no action to ineffective action, even for those that paid for special security services from vendors.
Title: OCIE Cybersecurity Initiative
Source: SEC
Date: April 15, 2014
Pages: 9
Notes: The SEC’s Office of Compliance Inspections and Examinations (OCIE) will be conducting examinations of more than 50 registered broker-dealers and registered investment advisers, focusing on the following: the entity’s cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.

Title: Antitrust Policy Statement on Sharing of Cybersecurity Information
Source: Department of Justice and Federal Trade Commission
Date: April 10, 2014
Pages: 9
Notes: Information-sharing about cyberthreats can be done lawfully as long as companies aren’t discussing competitive information such as pricing, the Justice Department and Federal Trade Commission said in a joint statement. “Companies have told us that concerns about antitrust liability have been a barrier to being able to openly share cyberthreat information,” said Deputy Attorney General James Cole. “Antitrust concerns should not get in the way of sharing cybersecurity information.”

Title: Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition
Source: General Services Administration and Department of Defense
Date: March 12, 2014
Pages: 1
Notes: On January 23, 2014, the GSA and DOD posted the Final Report of the Joint Working Group on Improving Cybersecurity and Resilience through Acquisition on the DOD and GSA websites. The report makes six recommendations to improve cybersecurity and resilience in federal acquisitions. This Request for Comments is being published to obtain stakeholder input on how to implement the report’s recommendations.

Title: High-Risk Security Vulnerabilities Identified During Reviews of Information Technology General Controls at State Medicaid Agencies
Source: Department of Health and Human Services, Office of Inspector General
Date: March 2014
Pages: 20
Notes: The report says dozens of high-risk security vulnerabilities found in information systems at 10 state Medicaid agencies should serve as a warning to other states about the need to take action to prevent fraud.

Title: Self-Regulatory Organizations; Chicago Board Options Exchange, Incorporated; Notice of Withdrawal of Proposed Rule Change Relating to Multi-Class Spread Orders
Source: Securities and Exchange Commission
Date: February 24, 2014
Pages: 1
Notes: The SEC is soliciting comments on proposed amendments to the Financial Industry Regulatory Authority’s (FINRA’s) arbitration codes to ensure that parties' private information, such as Social Security and financial account numbers, is redacted to include only the last four digits of the number. The proposed amendments would apply only to documents filed with FINRA. They would not apply to documents that parties exchange with each other or submit to the arbitrators at a hearing on the merits.
Title: SEC to Hold Cybersecurity Roundtable
Source: Securities and Exchange Commission
Date: February 14, 2014
Pages: N/A
Notes: The SEC announced that it will host a roundtable to discuss cybersecurity, the issues and challenges it raises for market participants and public companies, and how they are addressing those concerns. The roundtable will be held at the SEC’s Washington, DC, headquarters on March 26 and will be open to the public and webcast live on the SEC’s website. Information on the agenda and participants will be published in the coming weeks.

Title: The Critical Infrastructure Cyber Community C³ Voluntary Program
Source: DHS
Date: February 12, 2014
Pages: N/A
Notes: The C³ Voluntary Program will serve as a point of contact and customer relationship manager to assist organizations with Framework use and guide interested organizations and sectors to DHS and other public and private-sector resources to support use of the Cybersecurity Framework.

Title: The Federal Government’s Track Record on Cybersecurity and Critical Infrastructure
Source: Sen. Homeland Security and Governmental Affairs Committee (Minority Staff)
Date: February 4, 2013
Pages: 19
Notes: Since 2006, the federal government has spent at least $65 billion on securing its computers and networks, according to an estimate by the Congressional Research Service. NIST, the government’s official body for setting cybersecurity standards, has produced thousands of pages of precise guidance on every significant aspect of IT security. And yet agencies—even agencies with responsibilities for critical infrastructure, or vast repositories of sensitive data—continue to leave themselves vulnerable, often by failing to take the most basic steps towards securing their systems and information.

Title: Improving Cybersecurity and Resilience through Acquisition
Source: General Services Administration (GSA) and the Department of Defense
Date: January 23, 2014
Pages: 24
Notes: The DOD and GSA jointly released a report announcing six planned reforms to improve the cybersecurity and resilience of the Federal Acquisition System. The report provides a path forward to aligning federal cybersecurity risk management and acquisition processes. It provides strategic recommendations for addressing relevant issues, suggests how challenges might be resolved, and identifies important considerations for the implementation of the recommendations.

Title: The Department of Energy’s July 2013 Cyber Security Breach
Source: DOE Inspector General
Date: December 2013
Pages: 28
Notes: The report states nearly eight times as many current and former Energy Department staff members were affected by a July computer hack than was previously estimated, according to the agency’s inspector general. In August, DOE estimated that the hack affected roughly 14,000 current and former staff, leaking personally identifiable information such as Social Security numbers, birthdays, and banking information. But the breach apparently affected more than 104,000 people.
Title: Evaluation of DHS’ Information Security Program for Fiscal Year 2013
Source: DHS Inspector General
Date: November 2013
Pages: 50
Notes: The report faults the agency for using outdated security controls and Internet connections that are not verified as trustworthy, as well as for not reviewing its “top secret” information systems for vulnerabilities.

Title: Immediate Opportunities for Strengthening the Nation’s Cybersecurity
Source: President’s Council of Advisors on Science and Technology (PCAST)
Date: November 2013
Pages: 31
Notes: The report recommends the government phase out insecure, outdated operating systems, like Windows XP, implement better encryption technology, and encourage automatic security updates, among other changes. PCAST also recommends, for regulated industries, that the government help create cybersecurity best practices and audit their adoption—and for independent agencies, PCAST write new rules that require businesses to report their cyber improvements.

Title: Federal Energy Regulatory Commission’s Unclassified Cyber Security Program - 2013
Source: Department of Energy Office of Inspector General
Date: October 2013
Pages: 13
Notes: To help protect against continuing cybersecurity threats, the commission estimated that it would spend approximately $5.8 million during FY2013 to secure its information technology assets, a 9% increase compared to FY2012... As directed by FISMA, the Office of Inspector General conducted an independent evaluation of the Commission's unclassified cybersecurity program to determine whether it adequately protected data and information systems. This report presents the results of our evaluation for FY2013.
Title: DHS’ Efforts to Coordinate the Activities of Federal Cyber Operations Center
Source: DHS Inspector General
Date: October 2013
Pages: 29
Notes: DHS could do a better job sharing information among the five federal centers that coordinate cybersecurity work. The department’s National Cybersecurity and Communications Integration Center, or the NCCIC, is tasked with sharing information about malicious activities on government networks with cybersecurity offices within the Defense Department, the FBI and federal intelligence agencies. But the DHS center and the five federal cybersecurity hubs do not all have the same technology or resources, preventing them from having shared situational awareness of intrusions or threats and restricting their ability to coordinate response. The centers also have not created a standard set of categories for reporting incidents.

Title: Special Cybersecurity Workforce Project (Memo for Heads of Executive Departments and Agencies)
Source: Office of Personnel Management (OPM)
Date: July 8, 2013
Pages: N/A
Notes: The OPM is collaborating with the White House Office of Science and Technology Policy, the Chief Human Capital Officers Council (CHCOC), and the Chief Information Officers Council (CIOC) in implementing a special workforce project that tasks federal agencies’ cybersecurity, information technology, and human resources communities to build a statistical data set of existing and future cybersecurity positions in the OPM Enterprise Human Resources Integration (EHRI) data warehouse by the end of FY2014.

Title: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, Notice
Source: Food and Drug Administration (FDA)
Date: June 14, 2013
Pages: 1
Notes: This guidance identifies cybersecurity issues that manufacturers should consider in preparing premarket submissions for medical devices to maintain information confidentiality, integrity, and availability.

Title: DHS Can Take Actions to Address Its Additional Cybersecurity Responsibilities
Source: Department of Homeland Security
Date: June 2013
Pages: 26
Notes: The National Protection and Programs Directorate (NPPD) was audited to determine whether the Office of Cybersecurity and Communications had effectively implemented its additional cybersecurity responsibilities to improve the security posture of the federal government. Although actions have been taken, NPPD can make further improvements to address its additional cybersecurity responsibilities.

Title: Mobile Security Reference Architecture
Source: Federal CIO Council and the Department of Homeland Security (DHS)
Date: May 23, 2013
Pages: 103
Notes: Gives agencies guidance in the secure implementation of mobile solutions through their enterprise architectures. The document provides in-depth reference architecture for mobile computing.
Title: Privacy Impact Assessment for EINSTEIN 3 - Accelerated (E3A)
Source: Department of Homeland Security
Date: April 19, 2013
Pages: 27
Notes: DHS will deploy EINSTEIN 3 Accelerated (E3A) to enhance cybersecurity analysis, situational awareness, and security response. Under the direction of DHS, ISPs will administer intrusion prevention and threat-based decision-making on network traffic entering and leaving participating federal civilian Executive Branch agency networks. This Privacy Impact Assessment (PIA) is being conducted because E3A will include analysis of federal network traffic, which may contain personally identifiable information (PII).

Title: DHS Secretary’s Honors Program: Cyber Student Initiative
Source: Department of Homeland Security
Date: April 18, 2013
Pages: 2
Notes: The Cyber Student Initiative program will begin at Immigration and Customs Enforcement computer forensic labs in 36 cities nationwide, where students will be trained and will gain hands-on experience within the department’s cybersecurity community. The unpaid volunteer program is only available to community college students and veterans pursuing a degree in the cybersecurity field.

Title: Regulation Systems Compliance and Integrity
Source: Securities and Exchange Commission
Date: March 25, 2013
Pages: 104
Notes: The SEC is examining the exposure of stock exchanges, brokerages, and other Wall Street firms to cyberattacks. The proposed rule asks whether stock exchanges should be required to tell members about breaches of critical systems. More than half of exchanges surveyed globally in 2012 said they experienced a cyberattack, while 67% of U.S. exchanges said a hacker tried to penetrate their systems.

Title: National Level Exercise 2012: Quick Look Report
Source: Federal Emergency Management Agency
Date: March 2013
Pages: 22
Notes: National Level Exercise (NLE) 2012 was a series of exercise events that examined the ability of the United States to execute a coordinated response to a series of significant cyber incidents. As a part of the National Exercise Program, NLE 2012 emphasized the shared responsibility among all levels of government, the private sector, and the international community to secure cyber networks and coordinate response and recovery actions. The NLE 2012 series was focused on examining four major themes: planning and implementation of the draft National Cyber Incident Response Plan (NCIRP), coordination among governmental entities, information sharing, and decision making.
Title: Measuring What Matters: Reducing Risks by Rethinking How We Evaluate Cybersecurity
Source: National Academy of Public Administration and Safegov.org
Date: March 2013
Pages: 39
Notes: Rather than periodically auditing whether an agency’s systems meet the standards enumerated in the Federal Information Security Management Act (FISMA) at a static moment in time, agencies and their inspectors general should keep running scorecards of “cyber risk indicators” based on continual IG assessments of a federal organization's cyber vulnerabilities.

Title: Follow-up Audit of the Department’s Cyber Security Incident Management Program
Source: Department of Energy Inspector General
Date: December 2012
Pages: 25
Notes: “In 2008, we reported in The Department's Cyber Security Incident Management Program (DOE/IG-0787, January 2008) that the Department and NNSA established and maintained a number of independent, at least partially duplicative, cyber security incident management capabilities. Although certain actions had been taken in response to our prior report, we identified several issues that limited the efficiency and effectiveness of the Department's cyber security incident management program and adversely impacted the ability of law enforcement to investigate incidents. For instance, we noted that the Department and NNSA continued to operate independent, partially duplicative cyber security incident management capabilities at an annual cost of more than $30 million. The issues identified were due, in part, to the lack of a unified, Department-wide cyber security incident management strategy. In response to our finding, management concurred with the recommendations and indicated that it had initiated actions to address the issues identified.”

Title: Secure and Trustworthy Cyberspace (SaTC) Program Solicitation
Source: National Science Foundation and the National Science and Technology Council (NSTC)
Date: October 4, 2012
Pages: N/A
Notes: This grant program seeks proposals that address Cybersecurity from a Trustworthy Computing Systems perspective (TWC); a Social, Behavioral and Economic Sciences perspective (SBE); and a Transition to Practice perspective (TPP).

Title: Annual Report to Congress 2012: National Security Through Responsible Information Sharing
Source: Information Sharing Environment (ISE)
Date: June 30, 2012
Pages: 188
Notes: From the report, “This Report, which PM-ISE is submitting on behalf of the President, incorporates input from our mission partners and uses their initiatives and PM-ISE’s management activities to provide a cohesive narrative on the state and progress of terrorism-related responsible information sharing, including its impact on our collective ability to secure the nation and our national interests.”
Title: Cybersecurity: CF Disclosure Guidance: Topic No. 2
Source: Securities and Exchange Commission
Date: October 13, 2011
Pages: N/A
Notes: The statements in this CF Disclosure Guidance represent the views of the Division of Corporation Finance. This guidance is not a rule, regulation, or statement of the Securities and Exchange Commission. Further, the commission has neither approved nor disapproved its content.
Note: Highlights compiled by CRS from the reports.

Table 15. State, Local and Tribal Governments

Title: Getting Started for State, Local, Tribal, and Territorial (SLTT) Governments
Source: US-CERT
Date: Ongoing
Pages: N/A
Notes: The resources listed are available to state, local, tribal, and territorial governments. These resources have been aligned to the five Cybersecurity Framework Function Areas. Some resources and programs align to more than one Function Area. This page will be updated as additional resources—from DHS, other federal agencies, and the private sector—are identified.

Title: Cybersecurity and Connecticut’s Public Utilities
Source: Connecticut Public Utilities Regulatory Authority
Date: April 14, 2014
Pages: 31
Notes: The document is a plan for Connecticut’s utilities to help strengthen defense against possible future threats, such as a cyberattack. Connecticut is the first state to present a cybersecurity strategy in partnership with the utilities, and will share it with other states working on similar plans. Among other findings, the report recommends that Connecticut commence self-regulated cyber audits and reports, and move toward a third-party audit and assessment system. The report also makes recommendations regarding local and regional regulatory roles, emergency drills and training, coordinating with emergency management officials, and handling confidential information.

Title: State and Local Government Cybersecurity
Source: White House Blog
Date: April 2, 2014
Pages: N/A
Notes: The White House in March 2014 convened a broad array of stakeholders including government representatives, local-government-focused associations, private-sector technology companies, and partners from multiple federal agencies at the State and Local Government Cybersecurity Framework Kickoff Event.
Title: Cybersecurity for State Regulators 2.0 with Sample Questions for Regulators to Ask Utilities
Source: National Association of Regulatory Utility Commissioners
Date: February 2013
Pages: 31
Notes: State commissions tasked with regulating local distribution utilities are slow to respond to emerging cybersecurity risks. The annual membership directory of state utility regulators lists hundreds of key staff members of state commissions throughout the country, but not a single staff position had “cybersecurity” in the title.

Title: Federal Support for and Involvement in State and Local Fusion Centers
Source: U.S. Senate Permanent Subcommittee on Investigations
Date: October 3, 2012
Pages: 141
Notes: A two-year bipartisan investigation found that U.S. Department of Homeland Security efforts to engage state and local intelligence “fusion centers” have not yielded significant useful information to support federal counterterrorism intelligence efforts. In Section VI, “Fusion Centers Have Been Unable to Meaningfully Contribute to Federal Counterterrorism Efforts,” Part G, “Fusion Centers May Have Hindered, Not Aided, Federal Counterterrorism Efforts,” the report discusses the Russian “Cyberattack” in Illinois.

Notes: Highlights compiled by CRS from the reports.

Related Resources: Other Websites
This section contains other cybersecurity resources, including U.S. government, international,
news sources, and other associations and institutions.

Table 16. Related Resources: Congressional/Government

Name: Integrated Intelligence Center (IIC)
Source: Center for Internet Security
Notes: Serves as a resource for state, local, tribal, and territorial government partners to engage in a collaborative information sharing and analysis environment on cybersecurity issues. Through this initiative the IIC provides fusion centers, homeland security advisors, and law enforcement entities with access to a broad range of cybersecurity products, reflecting input from many sources.

Name: Computer Security Resource Center
Source: National Institute of Standards and Technology (NIST)
Notes: Links to NIST resources, publications, and computer security groups.

Name: Congressional Cybersecurity Caucus
Source: Led by Representatives Jim Langevin and Mike McCaul.
Notes: Provides statistics, news on congressional cyberspace actions, and links to other information websites.

Name: Cybersecurity
Source: White House National Security Council
Notes: Links to White House policy statements, key documents, videos, and blog posts.

Name: Cybersecurity
Source: National Telecommunications & Information Administration (U.S. Department of Commerce)
Notes: The Department of Commerce’s Internet Policy Task Force is conducting a comprehensive review of the nexus between cybersecurity challenges in the commercial sector and innovation in the Internet economy.

Name: Cybersecurity and Information System Trustworthiness
Source: National Academy of Sciences, Computer Science and Telecommunications Board
Notes: A list of CSTB’s independent and informed reports on cybersecurity and public policy.

Name: Getting Started for State, Local, Tribal, and Territorial (SLTT) Governments
Source: US-CERT
Notes: The resources are available to state, local, tribal, and territorial governments. These resources have been aligned to the five Cybersecurity Framework Function Areas. Some resources and programs align to more than one Function Area. This page will be updated as additional resources—from DHS, other federal agencies, and the private sector—are identified.

Name: President’s National Security Telecommunications Advisory Committee (NSTAC)
Source: U.S. Department of Homeland Security
Notes: NSTAC’s goal is to develop recommendations to the President to assure vital telecommunications links through any event or crisis and to help the U.S. government maintain a reliable, secure, and resilient national communications posture.
Name: Office of Cybersecurity and Communications (CS&C)
Source: U.S. Department of Homeland Security
Notes: CS&C works to prevent or minimize disruptions to critical information infrastructure in order to protect the public, the economy, and government services. CS&C leads efforts to protect the federal “.gov” domain of civilian government networks and to collaborate with the private sector—the “.com” domain—to increase the security of critical networks.

Name: Cyber Domain Security and Operations
Source: U.S. Department of Defense
Notes: Links to press releases, fact sheets, speeches, announcements, and videos.

Name: U.S. Cyber-Consequences Unit
Source: U.S. Cyber-Consequences Unit (U.S.-CCU)
Notes: U.S.-CCU, a nonprofit 501(c)(3) research institute, provides assessments of the strategic and economic consequences of possible cyber-attacks and cyber-assisted physical attacks. It also investigates the likelihood of such attacks and examines the cost-effectiveness of possible countermeasures.
Note: Highlights compiled by CRS from the reports.

Table 17. Related Resources: International Organizations

Name: Center for Internet Security (Australia)
Source: Australian Communications and Media Authority
Notes: The Australian Internet Security Initiative (AISI) is an anti-botnet initiative that collects data on botnets in collaboration with Internet Service Providers (ISPs); the page also covers two industry codes of practice.

Name: Cybercrime
Source: Council of Europe
Notes: Links to the Convention on Cybercrime treaty, standards, news, and related information.

Name: Cybersecurity Gateway
Source: International Telecommunication Union (ITU)
Notes: ITU’s Cybersecurity Gateway aims to be a collaborative platform, providing and sharing information between partners in civil society, the private sector, and governmental and international organizations working in different areas of cybersecurity.

Name: Cybercrime Legislation - Country Profiles
Source: Council of Europe
Notes: These profiles have been prepared within the framework of the Council of Europe’s Project on Cybercrime with a view to sharing information on cybercrime legislation and assessing the current state of implementation of the Convention on Cybercrime under national legislation.

Name: ENISA: Securing Europe’s Information Society
Source: European Network and Information Security Agency (ENISA)
Notes: ENISA informs businesses and citizens in the European Union about cybersecurity threats, vulnerabilities, and attacks. (Requires free registration to access.)

Name: International Cyber Security Protection Alliance (ICSPA)
Source: International Cyber Security Protection Alliance (ICSPA)
Notes: A global not-for-profit organization that aims to channel funding, expertise, and help directly to law enforcement cyber-crime units around the world.

Name: NATO Cooperative Cyber Defence Centre of Excellence (CCD COE) (Tallinn, Estonia)
Source: North Atlantic Treaty Organization (NATO)
Notes: The Centre is an international effort that currently includes Estonia, Latvia, Lithuania, Germany, Hungary, Italy, the Slovak Republic, and Spain as sponsoring nations, to enhance NATO’s cyber-defence capability.
Note: Highlights compiled by CRS from the reports.

Table 18. Related Resources: News

Name | Source
Computer Security (Cybersecurity) | New York Times
Cybersecurity | NextGov.com
Cyberwarfare and Cybersecurity | Benton Foundation
Homeland Security | Congressional Quarterly (CQ)
Cybersecurity | Homeland Security News Wire

Table 19. Related Resources: Other Associations and Institutions

Name: Council on Cybersecurity
Notes: The Council, based in the Washington, DC, area, is the successor organization to the National Board of Information Security Examiners (NBISE), founded in the United States in 2010 to identify and strengthen the skills needed to improve the performance of the cybersecurity workforce. The Council will also be home to the U.S. Cyber Challenge (formerly a program of NBISE), which works with the cybersecurity community to bring accessible, compelling programs that motivate students and professionals to pursue education, development, and career opportunities in cybersecurity.

Name: Cyber Aces Foundation
Notes: Offers challenging and realistic cybersecurity competitions, training camps, and educational initiatives through which high school students, college students, and young professionals develop the practical skills needed to excel as cybersecurity practitioners.

Name: Cybersecurity from the Center for Strategic & International Studies (CSIS)
Notes: Links to experts, programs, publications, and multimedia. CSIS is a bipartisan, nonprofit organization whose affiliated scholars conduct research and analysis and develop policy initiatives that look to the future and anticipate change.

Name: Cyberconflict and Cybersecurity Initiative from the Council on Foreign Relations
Notes: Focuses on the relationship between cyberwar and the existing laws of war and conflict; how the United States should engage other states and international actors in pursuit of its interests in cyberspace; how the promotion of the free flow of information interacts with the pursuit of cybersecurity; and the private sector’s role in defense, deterrence, and resilience.
Name: Cyber Corps: Scholarship For Service (SFS)
Notes: Scholarship For Service (SFS) is designed to increase and strengthen the cadre of federal information assurance professionals that protect the government’s critical information infrastructure. This program provides scholarships that fully fund the typical costs that students pay for books, tuition, and room and board while attending an approved institution of higher learning.

Name: Institute for Information Infrastructure Protection (I3P)
Notes: I3P is a consortium of leading universities, national laboratories, and nonprofit institutions. I3P assembles multidisciplinary and multi-institutional research teams able to bring in-depth analysis to complex and pressing problems. Research outcomes are shared at I3P-sponsored workshops, at professional conferences, and in peer-reviewed journals, as well as via technology transfer to end-users.

Name: Internet Security Alliance (ISA)
Notes: ISA is a nonprofit collaboration between the Electronic Industries Alliance (EIA), a federation of trade associations, and Carnegie Mellon University’s CyLab.

Name: National Association of State Chief Information Officers (NASCIO)
Notes: NASCIO provides state CIOs and state members with products and services designed to support the challenging role of the state CIO, stimulate the exchange of information, and promote the adoption of IT best practices and innovations. The Resource Guide provides examples of state awareness programs and initiatives.

Name: National Initiative for Cybersecurity Education (NICE)
Notes: The goal of NICE is to establish an operational, sustainable, and continually improving cybersecurity education program for the nation to use sound cyber practices that will enhance the nation’s security. NIST is leading the NICE initiative, which includes more than 20 federal departments and agencies, to ensure coordination, cooperation, focus, public engagement, technology transfer, and sustainability.

Name: National Security Cyberspace Institute (NSCI)
Notes: NSCI provides education, research, and analysis services to government, industry, and academic clients aiming to increase cyberspace awareness, interest, knowledge, and/or capabilities.

Name: U.S. Cyber Challenge (USCC)
Notes: USCC’s goal is to find 10,000 of America's best and brightest to fill the ranks of cybersecurity professionals where their skills can be of the greatest value to the nation.

Source: Highlights compiled by CRS from the reports of related associations and institutions.

Author Contact Information

Rita Tehan

Information Research Specialist
rtehan@crs.loc.gov, 7-6739

Key Policy Staff
The following table provides names and contact information for CRS experts on policy issues related to
cybersecurity bills currently being debated in the 113th Congress.

Legislative Issues | Name/Title | Phone | Email
Legislation in the 113th Congress | Eric A. Fischer | 7-7071 | efischer@crs.loc.gov
Critical infrastructure protection | John D. Moteff | 7-1435 | jmoteff@crs.loc.gov
  Chemical industry | Dana Shea | 7-6844 | dshea@crs.loc.gov
  Defense industrial base | Catherine A. Theohary | 7-0844 | ctheohary@crs.loc.gov
  Electricity grid | Richard J. Campbell | 7-7905 | rcampbell@crs.loc.gov
  Financial institutions | N. Eric Weiss | 7-6209 | eweiss@crs.loc.gov
  Industrial control systems | Dana Shea | 7-6844 | dshea@crs.loc.gov
Cybercrime | | |
  Federal laws | Charles Doyle | 7-6968 | cdoyle@crs.loc.gov
  Law enforcement | Kristin M. Finklea | 7-6259 | kfinklea@crs.loc.gov
Cybersecurity workforce | Wendy Ginsberg | 7-3933 | wginsberg@crs.loc.gov
Cyberterrorism | Catherine A. Theohary | 7-0844 | ctheohary@crs.loc.gov
Cyberwar | Catherine A. Theohary | 7-0844 | ctheohary@crs.loc.gov
Data breach notification | Gina Stevens | 7-2581 | gstevens@crs.loc.gov
Economic issues | N. Eric Weiss | 7-6209 | eweiss@crs.loc.gov
Espionage | | |
  Advanced persistent threat | Catherine A. Theohary | 7-0844 | ctheohary@crs.loc.gov
  Economic and industrial | Kristin M. Finklea | 7-6259 | kfinklea@crs.loc.gov
  Legal issues | Brian T. Yeh | 7-5182 | byeh@crs.loc.gov
  State-sponsored | Catherine A. Theohary | 7-0844 | ctheohary@crs.loc.gov
Federal agency roles | Eric A. Fischer | 7-7071 | efischer@crs.loc.gov
  Chief Information Officers (CIOs) | Patricia Maloney Figliola | 7-2508 | pfigliola@crs.loc.gov
  Commerce | John F. Sargent, Jr. | 7-9147 | jsargent@crs.loc.gov
  Defense (DOD) | Catherine A. Theohary | 7-0844 | ctheohary@crs.loc.gov
  Executive Office of the President (EOP) | John D. Moteff | 7-1435 | jmoteff@crs.loc.gov
  Homeland Security (DHS) | John D. Moteff | 7-1435 | jmoteff@crs.loc.gov
  Intelligence Community (IC) | John Rollins | 7-5529 | jrollins@crs.loc.gov
  Justice (DOJ) | Kristin M. Finklea | 7-6259 | kfinklea@crs.loc.gov
  National Security Agency (NSA) | Catherine A. Theohary | 7-0844 | ctheohary@crs.loc.gov
  Science agencies (NIST, NSF, OSTP) | Eric A. Fischer | 7-7071 | efischer@crs.loc.gov
  Treasury and financial agencies | Rena S. Miller | 7-0826 | rsmiller@crs.loc.gov
Federal Information Security Management Act (FISMA) | John D. Moteff | 7-1435 | jmoteff@crs.loc.gov
Federal Internet monitoring | Richard M. Thompson II | 7-8449 | rthompson@crs.loc.gov
Hacktivism | Kristin M. Finklea | 7-6259 | kfinklea@crs.loc.gov
Information sharing | Eric A. Fischer | 7-7071 | efischer@crs.loc.gov
  Antitrust laws | Kathleen Ann Ruane | 7-9135 | kruane@crs.loc.gov
  Civil liability | Edward C. Liu | 7-9166 | eliu@crs.loc.gov
  Classified information | John Rollins | 7-5529 | jrollins@crs.loc.gov
  Freedom of Information Act (FOIA) | Gina Stevens | 7-2581 | gstevens@crs.loc.gov
  Privacy and civil liberties | Gina Stevens | 7-2581 | gstevens@crs.loc.gov
International cooperation | | |
  Defense and diplomatic | Catherine A. Theohary | 7-0844 | ctheohary@crs.loc.gov
  Law enforcement | Kristin M. Finklea | 7-6259 | kfinklea@crs.loc.gov
National strategy and policy | Eric A. Fischer | 7-7071 | efischer@crs.loc.gov
National security | John Rollins | 7-5529 | jrollins@crs.loc.gov
Public/private partnerships | Eric A. Fischer | 7-7071 | efischer@crs.loc.gov
Supply chain | Eric A. Fischer | 7-7071 | efischer@crs.loc.gov
Technological issues | Eric A. Fischer | 7-7071 | efischer@crs.loc.gov
  Botnets | Eric A. Fischer | 7-7071 | efischer@crs.loc.gov
  Cloud computing | Patricia Maloney Figliola | 7-2508 | pfigliola@crs.loc.gov
  Mobile devices | Patricia Maloney Figliola | 7-2508 | pfigliola@crs.loc.gov
  Research and development (R&D) | Patricia Maloney Figliola | 7-2508 | pfigliola@crs.loc.gov

