January 21, 2015
Cybersecurity Issues and Challenges

Overview

Information and communications technology (ICT) is ubiquitous and increasingly integral to almost every facet of modern society. ICT devices and components are generally interdependent, and disruption of one may affect many others. Over the past several years, experts and policymakers have expressed increasing concerns about protecting ICT systems from cyberattacks.

The risks associated with any attack depend on three factors: threats (who is attacking), vulnerabilities (how they are attacking), and impacts (what the attack does).

What are the threats? People who perform cyberattacks generally fall into one or more of five categories: criminals intent on monetary gain from crimes such as theft or extortion; spies intent on stealing classified or proprietary information used by government or private entities; nation-state warriors who develop capabilities and undertake cyberattacks in support of a country’s strategic objectives; “hacktivists” who perform cyberattacks for nonmonetary reasons; and terrorists who engage in cyberattacks as a form of non-state or state-sponsored warfare.

What are the vulnerabilities? Cybersecurity is in many ways an arms race between attackers and defenders. ICT systems are very complex, and attackers are constantly probing for weaknesses, which can occur at many points. Defenders can often protect against weaknesses, but three are particularly challenging: inadvertent or intentional acts by insiders with access to a system; supply chain vulnerabilities, which can permit the insertion of malicious software or hardware during the acquisition process; and previously unknown, or zero-day, vulnerabilities with no established fix.

What are the impacts? A successful attack can compromise the confidentiality, integrity, and availability of an ICT system and the information it handles. Cybertheft or cyberespionage can result in exfiltration of financial, proprietary, or personal information from which the attacker can benefit, often without the knowledge of the victim. Denial-of-service attacks can slow or prevent legitimate users from accessing a system. Botnet malware can give an attacker command of a system for use in cyberattacks on other systems. Attacks on industrial control systems can result in the destruction of the equipment they control, such as generators, pumps, and centrifuges.

Most cyberattacks have limited impacts, but a successful attack on some components of critical infrastructure (CI)—most of which is held by the private sector—could have significant effects on national security, the economy, and the livelihood and safety of individual citizens. Thus, a rare successful attack with high impact can pose a larger risk than a common successful attack with low impact.

Reducing the risks from cyberattacks usually involves (1) removing the threat source, e.g., by closing down botnets or reducing incentives for cybercriminals; (2) addressing vulnerabilities by hardening ICT assets, e.g., by patching software and training employees; and (3) lessening impacts by mitigating damage and restoring functions, e.g., by having back-up resources available for continuity of operations in response to an attack.

Federal Role

The federal role in cybersecurity involves both securing federal systems and assisting in protecting nonfederal systems. Under current law, all federal agencies have cybersecurity responsibilities relating to their own systems, and many have sector-specific responsibilities for CI. More than 50 statutes address various aspects of cybersecurity, and new legislation has been debated since at least the 111th Congress. However, until the end of the 113th Congress, no bills on cybersecurity had been enacted since the Federal Information Security Management Act (FISMA) in 2002.

Figure 1. Federal Agency Roles in Cybersecurity
Source: CRS.
Notes: DHS: Department of Homeland Security; DOD: Department of Defense; DOJ: Department of Justice; IC: Intelligence Community; NIST: National Institute of Standards and Technology; NSA: National Security Agency; NSS: National Security Systems; OMB: Office of Management and Budget; R&D: Research and development.

www.crs.gov | 7-5700
Figure 1 is a simplified schematic diagram of major agency responsibilities in cybersecurity. In general, NIST develops FISMA standards that apply to federal civilian ICT, and OMB is responsible for overseeing their implementation. DOD is responsible for military cyberdefense and, through NSA, security of NSS, which handle classified information. NSA is also part of the IC. DHS has operational responsibility for protection of federal civilian systems and is the lead agency coordinating federal efforts assisting the private sector in protecting CI assets under their control. DOJ is the lead agency for enforcement of relevant laws.

What Does the Cybersecurity Executive Order Do? In February 2013, the White House issued Executive Order 13636 and Presidential Policy Directive 21 to address CI cybersecurity through voluntary public/private sector collaboration and use of existing regulatory authorities. Among other things, the documents expanded an existing DHS information-sharing program and required NIST to lead public/private development of a Cybersecurity Framework of standards and best practices for protecting CI. Released in February 2014, the Framework received positive reviews, but it appears too early to determine the extent to which it will improve CI cybersecurity.

Legislative Proposals

Since the 111th Congress, more than 200 bills have been introduced that would address cybersecurity issues. The main issues addressed by such bills have been

• Information Sharing—easing access of the private sector to classified threat information and removing barriers to sharing within the private sector and with the federal government. Controversies: Roles of DHS and the IC, impacts on privacy and civil liberties, and risks of misuse by the federal government or the private sector.
• FISMA Reform—updating the 2002 law to reflect changes in ICT and the threat landscape. Controversies: Role of DHS, OMB, and Commerce, and flexibility of requirements.
• R&D—updating agency authorizations and strategic planning requirements. Controversies: Agency roles, topics for R&D, and levels of funding.
• Workforce—improving the size, skills, and preparation of the federal and private-sector cybersecurity workforce. Controversies: Hiring and retention authorities, occupational classification, recruitment priorities, and roles of DHS, NSA, NSF, and NIST.
• Privately Held CI—improving protection of private-sector CI from attacks with major impacts. Controversies: Roles of DHS and other federal agencies, and regulatory vs. voluntary approach.
• Data-Breach Notification—requiring notification to victims and other responses after data breaches involving personal or financial information of individuals. Controversies: Federal vs. state roles and what responses should be required.
• Cybercrime Laws—updating criminal statutes and law-enforcement authorities relating to cybersecurity. Controversies: Adequacy of current penalties and authorities, impacts on privacy and civil liberties.

Five bills—addressing FISMA reform, the cybersecurity workforce, R&D, and some aspects of CI protection—were enacted in December 2014.

Long-Term Challenges

The executive-branch actions and proposed legislation are largely designed to address several well-established near-term needs in cybersecurity: preventing cyber-based disasters and espionage, reducing impacts of successful attacks, improving inter- and intrasector collaboration, clarifying federal agency roles and responsibilities, and fighting cybercrime. However, those needs exist in the context of more difficult long-term challenges relating to design, incentives, consensus, and environment (DICE):

Design: Experts often say that effective security needs to be an integral part of ICT design. Yet, developers have traditionally focused more on features than security, for economic reasons. Also, many future security needs cannot be predicted, posing a difficult challenge for designers.

Incentives: The structure of economic incentives for cybersecurity has been called distorted or even perverse. Cybercrime is regarded as cheap, profitable, and comparatively safe for the criminals. In contrast, cybersecurity can be expensive, is by its nature imperfect, and the economic returns on investments are often unsure.

Consensus: Cybersecurity means different things to different stakeholders, with little common agreement on meaning, implementation, and risks. Substantial cultural impediments to consensus also exist, not only between sectors but within sectors and even within organizations.

Environment: Cyberspace has been called the fastest evolving technology space in human history, both in scale and properties. New and emerging properties and applications—especially social media, mobile computing, big data, cloud computing, and the Internet of things—further complicate the evolving threat environment, but they can also pose potential opportunities for improving cybersecurity, for example through the economies of scale provided by cloud computing and big data analytics.

Legislation and executive actions could have significant impacts on those challenges. For example, cybersecurity R&D may affect the design of ICT, cybercrime penalties may influence the structure of incentives, the Framework may improve consensus about cybersecurity, and federal initiatives in cloud computing and other new components of cyberspace may help shape the evolution of cybersecurity.

See also CRS Issues Before Congress: Cybersecurity at www.crs.gov.

Eric A. Fischer, efischer@crs.loc.gov, 7-7071

IF10001