Cybersecurity: Authoritative Reports and
Resources, by Topic

Rita Tehan
Information Research Specialist
February 27, 2015
Congressional Research Service
7-5700
www.crs.gov
R42507



Summary

This report provides references to analytical reports on cybersecurity from CRS, other
government agencies, trade associations, and interest groups. The reports and related websites are
grouped under the following cybersecurity topics:
• Policy overview
• National Strategy for Trusted Identities in Cyberspace (NSTIC)
• Cloud computing and the Federal Risk and Authorization Management Program
(FedRAMP)
• Critical infrastructure
• Cybercrime, data breaches, and data security
• National security, cyber espionage, and cyberwar (including Stuxnet)
• International efforts
• Education/training/workforce
• Research and development (R&D)
In addition, the report lists selected cybersecurity-related websites for congressional and
government agencies; news; international organizations; and other organizations, associations,
and institutions.



Contents
CRS Reports, by Topic
  Cybersecurity Policy: CRS Reports and Other CRS Products
  Critical Infrastructure: CRS Reports
  Cybercrime and Data Security: CRS Reports and Other CRS Products
Selected Reports, by Federal Agency
  Department of Defense and National Security: CRS Reports and Other CRS Products
  CRS Product: Cybersecurity Framework
Related Resources: Other Websites

Tables
Table 1. Cybersecurity Overview
Table 2. National Strategy for Trusted Identities in Cyberspace (NSTIC)
Table 3. Cloud Computing, “The Internet of Things,” and FedRAMP
Table 4. Critical Infrastructure
Table 5. Cybercrime, Data Breaches, and Data Security
Table 6. National Security, Cyber Espionage, and Cyberwar
Table 7. International Efforts
Table 8. Education/Training/Workforce
Table 9. Research and Development (R&D)
Table 10. Government Accountability Office (GAO)
Table 11. White House and Office of Management and Budget
Table 12. Department of Defense (DOD)
Table 13. National Institute of Standards and Technology (NIST)
Table 14. Other Federal Agencies
Table 15. State, Local, and Tribal Governments
Table 16. Related Resources: Congressional and Government
Table 17. Related Resources: International Organizations
Table 18. Related Resources: News
Table 19. Related Resources: Other Associations and Institutions

Contacts
Author Contact Information
Key Policy Staff


CRS Reports, by Topic [1]
This section provides references to analytical reports on cybersecurity from CRS, other
government agencies, think tanks, trade associations, trade press, and technology research firms.
For each topic, CRS reports are listed first, followed by tables with reports from other
organizations.
Cybersecurity Policy: CRS Reports and Other CRS Products
• CRS Report R43831, Cybersecurity Issues and Challenges: In Brief, by Eric A. Fischer
• CRS Report IF10001, Cybersecurity Issues and Challenges, by Eric A. Fischer
• CRS Report R42114, Federal Laws Relating to Cybersecurity: Overview of Major Issues, Current Laws, and Proposed Legislation, by Eric A. Fischer
• CRS Report R41941, The Obama Administration’s Cybersecurity Proposal: Criminal Provisions, by Gina Stevens
• CRS Report R42984, The 2013 Cybersecurity Executive Order: Overview and Considerations for Congress, by Eric A. Fischer et al.
• CRS Report R40150, A Federal Chief Technology Officer in the Obama Administration: Options and Issues for Consideration, by John F. Sargent Jr.
• CRS Report R42409, Cybersecurity: Selected Legal Issues, by Edward C. Liu et al.
• CRS Report R42887, Overview and Issues for Implementation of the Federal Cloud Computing Initiative: Implications for Federal Information Technology Reform Management, by Patricia Moloney Figliola and Eric A. Fischer
• CRS Report R43015, Cloud Computing: Constitutional and Statutory Privacy Protections, by Richard M. Thompson II
• CRS Legal Sidebar WSLG478, House Intelligence Committee Marks Up Cybersecurity Bill CISPA, by Richard M. Thompson II
• CRS Legal Sidebar WSLG263, Can the President Deal with Cybersecurity Issues via Executive Order?, by Vivian S. Chu


[1] For information on legislation and hearings in the 112th and 113th Congresses, see CRS Report R43317, Cybersecurity: Legislation, Hearings, and Executive Branch Documents, by Rita Tehan.


Table 1. Cybersecurity Overview

The Emergence of Cybersecurity Law
  Source: Indiana University Maurer School of Law
  Date: February 2015
  Pages: 31
  Notes: This paper examines cyberlaw as a growing field of legal practice and the roles that lawyers play in helping companies respond to cybersecurity threats. Drawing on interviews with lawyers, consultants, and academics knowledgeable in the intersection of law and cybersecurity, as well as a survey of lawyers working in general counsel’s offices, this study examines the broader context of cybersecurity, the current legal framework for data security and related issues, and the ways in which lawyers learn about and involve themselves in cybersecurity issues.

OMG Cyber! Thirteen Reasons Why Hype Makes for Bad Policy
  Source: The RUSI Journal
  Date: November 4, 2014
  Pages: 8
  Notes: The article argues that cyber is “hyped out.” Overstating the threat does have benefits (for some); it also comes with significant costs. The benefits are short-lived and easy to spot, whereas the costs are long-term and harder to understand, and they are piling up fast and high. Indeed, the costs are so high that the debate inches toward a turning point for all parties involved. The authors list 13 reasons why cybersecurity hype is counterproductive.

Ten Strategies of a World-Class Cybersecurity Operations Center
  Source: MITRE Corporation
  Date: October 2014
  Pages: 346
  Notes: All too often, cybersecurity operations centers (CSOCs) are set up and operate with a focus on technology without adequately addressing people and process issues. The main premise of this book is that a more balanced approach would be more effective. The book describes the ten strategies of effective CSOCs, regardless of their size, offered capabilities, or type of constituency served.

How Do We Know What Information Sharing Is Really Worth? Exploring Methodologies to Measure the Value of Information Sharing and Fusion Efforts
  Source: RAND Corporation
  Date: June 27, 2014
  Pages: 33
  Notes: Since the terrorist attacks of September 11, 2001, the sharing of intelligence and law enforcement information has been a central part of U.S. domestic security efforts. Although much of the public debate about such sharing focuses on addressing the threat of terrorism, organizations at all levels of government routinely share varied types of information through multiagency information systems, collaborative groups, and other links. Resource constraints have given rise to concerns about the effectiveness of information sharing and fusion activities and, therefore, the value of these efforts relative to the public funds invested in them. Solid methods for evaluating these efforts are lacking, however, limiting the ability to make informed policy decisions. Drawing on a substantial literature review and synthesis, this report lays out the challenges of evaluating information-sharing efforts that frequently seek to achieve multiple goals simultaneously; reviews past evaluations of information-sharing programs; and lays out a path to improve the evaluation of such efforts going forward.

Defending an Open, Global, Secure, and Resilient Internet
  Source: Council on Foreign Relations
  Date: June 2013
  Pages: 127
  Notes: The task force recommends that the United States develop a digital policy framework based on four pillars, the last of which is that U.S.-based industry work rapidly to establish an industry-led approach to counter current and future cyberattacks.

Measuring What Matters: Reducing Risk by Rethinking How We Evaluate Cybersecurity
  Source: Safegov.org, in coordination with the National Academy of Public Administration
  Date: March 2013
  Pages: 39
  Notes: This report recommends that rather than periodically auditing whether an agency’s systems meet the standards enumerated in the Federal Information Security Management Act (FISMA) at a static moment in time, agencies and their inspectors general should keep running scorecards of “cyber risk indicators” based on continual inspector general assessments of a federal organization’s cyber vulnerabilities.

Developing a Framework to Improve Critical Infrastructure Cybersecurity (Federal Register Notice; Request for Information)
  Source: National Institute of Standards and Technology (NIST)
  Date: February 12, 2013
  Pages: 5
  Notes: NIST announced the first step in the development of a cybersecurity framework, which will be a set of voluntary standards and best practices to guide industry in reducing cyber risks to the networks and computers that are vital to the nation’s economy, security, and daily life.

SEI [Software Engineering Institute] Emerging Technology Center: Cyber Intelligence Tradecraft Project
  Source: Carnegie Mellon University
  Date: January 2013
  Pages: 23
  Notes: This report addresses the endemic problem of functional cyber intelligence analysts not effectively communicating with nontechnical audiences. It also notes organizations’ reluctance to share information within their own entities, industries, and across economic sectors.

The National Cyber Security Framework Manual
  Source: NATO Cooperative Cyber Defense Center of Excellence
  Date: December 11, 2012
  Pages: 253
  Notes: This report provides detailed background information and in-depth theoretical frameworks to help the reader understand the various facets of national cybersecurity, according to different levels of public policy formulation. The four levels of government (political, strategic, operational, and tactical/technical) each have their own perspectives on national cybersecurity, and each is addressed in individual sections within the manual.

20 Critical Security Controls for Effective Cyber Defense
  Source: Center for Strategic and International Studies (CSIS)
  Date: November 2012
  Pages: 89
  Notes: The top 20 security controls from a public-private consortium. Members of the consortium include the National Security Agency, U.S. Computer Emergency Readiness Team, Department of Defense (DOD) Joint Task Force-Global Network Operations, Department of Energy Nuclear Laboratories, Department of State, and DOD Cyber Crime Center plus commercial forensics experts in the banking and critical infrastructure communities.

Cyber Security Task Force: Public-Private Information Sharing
  Source: Bipartisan Policy Center
  Date: July 2012
  Pages: 24
  Notes: Outlines a series of proposals that would enhance information sharing. The recommendations have two major components: (1) mitigating perceived legal impediments to information sharing, and (2) incentivizing private sector information sharing by alleviating statutory and regulatory obstacles.

Cyber-security: The Vexed Question of Global Rules
  Source: McAfee and the Security Defense Agenda
  Date: February 2012
  Pages: 108
  Notes: This independent report examines the current state of cyber-preparedness around the world and is based on survey results from 80 policymakers and cybersecurity experts in the government, business, and academic sectors from 27 countries. The countries were ranked on their state of cyber-preparedness.

Mission Critical: A Public-Private Strategy for Effective Cybersecurity
  Source: Business Roundtable
  Date: October 11, 2011
  Pages: 28
  Notes: The report suggests that “[p]ublic policy solutions must recognize the absolute importance of leveraging policy foundations that support effective global risk management, in contrast to ‘check-the-box’ compliance approaches that can undermine security and cooperation.” The document concludes with specific policy proposals and activity commitments.

World Cybersecurity Technology Research Summit (Belfast 2011)
  Source: Centre for Secure Information Technologies (CSIT)
  Date: September 12, 2011
  Pages: 14
  Notes: The Belfast 2011 event attracted international cybersecurity experts from leading research institutes, government bodies, and industry who gathered to discuss current cybersecurity threats, predict future threats and necessary mitigation techniques, and develop a collective strategy for further research.

A Review of Frequently Used Cyber Analogies
  Source: National Security Cyberspace Institute
  Date: July 22, 2011
  Pages: 7
  Notes: From the report: “The current cybersecurity crisis can be described several ways with numerous metaphors. Many compare the current crisis with the lawlessness to that of the Wild West and the out-dated tactics and race to security with the Cold War. When treated as a distressed ecosystem, the work of both national and international agencies to eradicate many infectious diseases serves as a model as how poor health can be corrected with proper resources and execution. Before these issues are discussed, what cyberspace actually is must be identified.”

America’s Cyber Future: Security and Prosperity in the Information Age
  Source: Center for a New American Security
  Date: May 31, 2011
  Pages: 296
  Notes: To help U.S. policymakers address the growing danger of cyber insecurity, this two-volume report features chapters on cybersecurity strategy, policy, and technology by some of the world’s leading experts on international relations, national security, and information technology.

Resilience of the Internet Interconnection Ecosystem
  Source: European Network and Information Security Agency (ENISA)
  Date: April 11, 2011
  Pages: 238
  Notes: This study consists of several parts. Part I provides a summary and recommendations. Part II: State of the Art Review offers a detailed description of the Internet’s routing mechanisms and an analysis of their robustness at the technical, economic, and policy levels. Part III: Report on the Consultation reports and summarizes the results of consultation with a broad range of stakeholders. Part IV includes the bibliography and appendices.

Improving our Nation’s Cybersecurity through the Public-Private Partnership: A White Paper
  Source: Business Software Alliance, Center for Democracy and Technology, U.S. Chamber of Commerce, Internet Security Alliance, and Tech America
  Date: March 8, 2011
  Pages: 26
  Notes: This paper proposes expanding the existing partnership within the framework of the National Infrastructure Protection Plan. Specifically, it makes a series of recommendations that build upon the conclusions of President Obama’s Cyberspace Policy Review.

Cybersecurity Two Years Later
  Source: CSIS Commission on Cybersecurity for the 44th Presidency
  Date: January 2011
  Pages: 22
  Notes: From the report: “We thought then [in 2008] that securing cyberspace had become a critical challenge for national security, which our nation was not prepared to meet.... In our view, we are still not prepared.”

Toward Better Usability, Security, and Privacy of Information Technology: Report of a Workshop
  Source: National Research Council (NRC)
  Date: September 21, 2010
  Pages: 70
  Notes: Discusses computer system security and privacy, their relationship to usability, and research at their intersection. Drawn from remarks made at the NRC’s July 2009 Workshop on Usability, Security and Privacy of Computer Systems as well as reports from the NRC’s Computer Science and Telecommunications Board on security and privacy.

National Security Threats in Cyberspace
  Source: Joint Workshop of the National Security Threats in Cyberspace and the National Strategy Forum
  Date: September 15, 2009
  Pages: 37
  Notes: The two-day workshop brought together more than two dozen experts with diverse backgrounds, including physicists; telecommunications executives; Silicon Valley entrepreneurs; federal law enforcement, military, homeland security, and intelligence officials; congressional staffers; and civil liberties advocates. Participants engaged in an open-ended discussion of cyber policy as it relates to national security, under Chatham House Rules: their comments were for the public record, but they were not for attribution.

Source: Highlights compiled by the Congressional Research Service (CRS) from the reports.

Table 2. National Strategy for Trusted Identities in Cyberspace (NSTIC)

National Strategy for Trusted Identities in Cyberspace (NSTIC)
  Source: National Institute of Standards and Technology (NIST)
  Date: Ongoing
  Pages: N/A
  Notes: The NSTIC pilot projects seek to catalyze a marketplace of online identity solutions that ensures the envisioned Identity Ecosystem is trustworthy and has the confidence of individuals. Using privacy-enhancing architectures in real-world environments, the pilots are testing new methods for identification online for consumers that increase usability, security, and interoperability to safeguard online transactions.

Identity Ecosystem Framework Steering Group (IDESG)
  Source: IDESG
  Date: Ongoing
  Pages: N/A
  Notes: The NSTIC called for the establishment of a private sector-led steering group to administer the development and adoption of the Identity Ecosystem Framework: the IDESG. The IDESG receives its authority to operate from the active participation of its membership in accordance with the rules of association that follow. The IDESG has been initiated with the support of NIST. Following an initial period, the IDESG will transition to a self-sustaining organization.

NIST Announces Pilot Grants Competition to Improve Security and Privacy of Online Identity Verification Systems
  Source: NIST
  Date: February 12, 2015
  Pages: N/A
  Notes: NIST announces a fourth round of grants meant to create market conditions for a post-password world. The agency says it anticipates funding several projects with awards of approximately $1 million to $2 million over two years through its NSTIC program. Administration officials say the NSTIC end goal is creation of an “identity ecosystem” that allows Americans to safely conduct online transactions under a variety of security and privacy settings.

NIST Awards Grants to Improve Online Security and Privacy
  Source: NIST
  Date: September 17, 2013
  Pages: N/A
  Notes: NIST announced more than $7 million in grants to support the NSTIC. The funding will enable five U.S. organizations to develop pilot identity protection and verification systems that offer consumers more privacy, security, and convenience online.

Five Pilot Projects Receive Grants to Promote Online Security and Privacy
  Source: NIST
  Date: September 20, 2012
  Pages: N/A
  Notes: NIST announced more than $9 million in grant awards to support the NSTIC. Five U.S. organizations will pilot identity solutions that increase confidence in online transactions, prevent identity theft, and provide individuals with more control over how they share their personal information.

Recommendations for Establishing an Identity Ecosystem Governance Structure
  Source: NIST
  Date: February 17, 2012
  Pages: 51
  Notes: NIST responds to comments received in response to the related notice of inquiry (NOI) published in the Federal Register on June 14, 2011. This report summarizes the responses to the NOI and provides recommendations and intended government actions to serve as a catalyst for establishing such a governance structure. The recommendations result from comments and suggestions by the NOI respondents as well as best practices and lessons learned from similarly scoped governance efforts.

Models for a Governance Structure for the National Strategy for Trusted Identities in Cyberspace
  Source: NIST
  Date: June 14, 2011
  Pages: 4
  Notes: The department seeks public comment on potential models from all stakeholders, including the commercial, academic and civil society sectors, and consumer and privacy advocates, in the form of recommendations and key assumptions in the formation and structure of the steering group.

Administration Releases Strategy to Protect Online Consumers and Support Innovation and Fact Sheet on National Strategy for Trusted Identities in Cyberspace
  Source: White House
  Date: April 15, 2011
  Pages: N/A
  Notes: Press release on a proposal to administer the processes for policy and standards adoption for the Identity Ecosystem Framework in accordance with the NSTIC.

National Strategy for Trusted Identities in Cyberspace
  Source: White House
  Date: April 15, 2011
  Pages: 52
  Notes: The NSTIC aims to make online transactions more trustworthy, thereby giving businesses and consumers more confidence in conducting business online.

National Strategy for Trusted Identities in Cyberspace: Creating Options for Enhanced Online Security and Privacy
  Source: White House
  Date: June 25, 2010
  Pages: 39
  Notes: The NSTIC, which is in response to one of the near-term action items in the President’s Cyberspace Policy Review, calls for the creation of an online environment, or an identity ecosystem, in which individuals and organizations can complete online transactions with confidence, trusting the identities of each other and of the infrastructure in which transactions occur.

Source: Highlights compiled by CRS from the reports.

Table 3. Cloud Computing, “The Internet of Things,” and FedRAMP

About FedRAMP
  Source: General Services Administration (GSA)
  Date: Ongoing
  Pages: N/A
  Notes: The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

FedRAMP High Baseline
  Source: GSA
  Date: February 3, 2015
  Pages: N/A
  Notes: GSA released a draft of security controls it will require for cloud computing systems purchased by federal agencies for “high-impact” uses. High-impact data will likely consist of health and law-enforcement data, but not classified information. Cloud computing vendors seeking to sell to federal agencies currently must get security accreditation through FedRAMP. To date, FedRAMP has offered accreditations up to the “moderate-impact” level. About 80% of federal IT systems are low- and moderate-impact.

What is The Internet of Things?
  Source: O’Reilly Media (free; registration required)
  Date: January 2015
  Pages: 32
  Notes: Ubiquitous connectivity is meeting the era of data. Since working with large quantities of data became dramatically cheaper and easier a few years ago, everything that touches software has become instrumented and optimized. Finance, advertising, retail, logistics, academia, and practically every other discipline has sought to measure, model, and tweak its way to efficiency. Software can ingest data from lots of inputs, interpret it, and then issue commands in real time.

FedRAMP Forward: 2 Year Priorities
  Source: GSA
  Date: December 17, 2014
  Pages: 14
  Notes: The report addresses how the program will develop over the next two years. GSA is focusing on three goals for FedRAMP: increased compliance and agency participation, improved efficiencies, and continued adaptation.

The Internet of Things: 2014 OECD Tech Insight Forum
  Source: OECD
  Date: December 11, 2014
  Pages: N/A
  Notes: The Internet of Things extends internet connectivity beyond traditional machines like computers, smartphones and tablets to a diverse range of everyday devices that use embedded technology to interact with the environment, all via the Internet. How can this collected data be used? What new opportunities will this create for employment and economic growth? How can societies benefit from technical developments to health, transport, safety and security, business and public services? The OECD Technology Foresight Forum facilitated discussion on what policies and practices will enable or inhibit the ability of economies to seize the benefits of the Internet of Things.

DOD Cloud Computing Strategy Needs Implementation Plan and Detailed Waiver Process
  Source: Department of Defense (DOD) Inspector General
  Date: December 4, 2014
  Pages: 40
  Notes: Report states that the DOD chief information officer “did not develop an implementation plan that assigned roles and responsibilities as well as associated tasks, resources and milestones,” despite promises that an implementation plan would directly follow the cloud strategy’s release.

NSTAC Report to the President on the Internet of Things
  Source: President’s National Security Telecommunications Advisory Committee
  Date: November 18, 2014
  Pages: 56
  Notes: The NSTAC unanimously approved a recommendation that governmental Internet traffic could get priority transmission during emergencies. The government already gets emergency priority in more traditional communications networks like the phone system through programs such as the Government Emergency Telecommunications Service (GETS); now NSTAC is proposing a GETS for the Internet.

The Department of Energy’s Management of Cloud Computing Activities: Audit Report
  Source: Department of Energy (DOE) Inspector General
  Date: September 1, 2014
  Pages: 20
  Notes: DOE should do a better job buying, implementing and managing its cloud computing services. Programs and sites department-wide have independently spent more than $30 million on cloud services, the inspector general report said, but the chief information officer’s office could not accurately account for the money.

Cloud Computing: The Concept, Impacts, and the Role of Government Policy
  Source: Organization for Economic Co-operation and Development (OECD)
  Date: August 19, 2014
  Pages: 240
  Notes: This report gives a clear overview of cloud computing, presenting the concept, the services it provides, and deployment models. It provides an overview of how cloud computing changes the way computing is carried out and evaluates the impacts of cloud computing (including its benefits and challenges as well as its economic and environmental impacts). Finally, the report discusses the policy issues raised by cloud computing and the role of governments and other stakeholders in addressing these issues.

Internet of things: the influence of M2M data on the energy industry
  Source: GigaOm Research
  Date: March 4, 2014
  Pages: 21
  Notes: This report examines the drivers of machine-to-machine (M2M) data exploitation in the smart-grid sector and the oil and gas sector, as well as the risks and opportunities for buyers and suppliers of the related core technologies and services.

Software Defined Perimeter
  Source: Cloud Security Alliance
  Date: December 1, 2013
  Pages: 13
  Notes: The Software Defined Perimeter (SDP) initiative by the Cloud Security Alliance aims to make “invisible networks” accessible to a wider range of government agencies and corporations. The initiative will foster development of an architecture for securing the “Internet of Things” by using the cloud to create highly secure end-to-end networks between any IP-addressable entities.

Delivering on the Promise of Big Data and the Cloud
  Source: Booz Allen Hamilton
  Date: January 9, 2013
  Pages: 7
  Notes: From the report: “Reference architecture does away with conventional data and analytics silos, consolidating all information into a single medium designed to foster connections called a ‘data lake,’ which reduces complexity and creates efficiencies that improve data visualization to allow for easier insights by analysts.”

Cloud Computing: An Overview of the Technology and the Issues facing American Innovators
  Source: House Judiciary Committee, Subcommittee on Intellectual Property, Competition, and the Internet
  Date: July 25, 2012
  Pages: 156
  Notes: Overview and discussion of cloud computing issues.

Information Technology Reform: Progress Made but Future Cloud Computing Efforts Should be Better Planned
  Source: Government Accountability Office (GAO)
  Date: July 11, 2012
  Pages: 43
  Notes: GAO recommends that the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury, and the Administrators of the General Services Administration (GSA) and Small Business Administration should direct their respective chief information officers to establish estimated costs, performance goals, and plans to retire associated legacy systems for each cloud-based service discussed in this report, as applicable.

Cloud Computing Strategy
  Source: DOD Chief Information Officer
  Date: July 2012
  Pages: 44
  Notes: The DOD Cloud Computing Strategy introduces an approach to move the department from the current state of a duplicative, cumbersome, and costly set of application silos to an end state that is agile, secure, and cost-effective and to a service environment that can rapidly respond to changing mission needs.

A Global Reality: Governmental Access to Data in the Cloud. A Comparative Analysis of Ten International Jurisdictions
  Source: Hogan Lovells
  Date: May 23, 2012
  Pages: 13
  Notes: This white paper compares the nature and extent of governmental access to data in the cloud in many jurisdictions around the world.

Policy Challenges of Cross-Border Cloud Computing
  Source: U.S. International Trade Commission
  Date: May 2012
  Pages: 38
  Notes: This report examines the main policy challenges associated with cross-border cloud computing (data privacy, security, and ensuring the free flow of information) and the ways countries are addressing them through domestic policymaking, international agreements, and other cooperative arrangements.

Cloud Computing Synopsis and Recommendations (SP 800-146)
  Source: National Institute of Standards and Technology (NIST)
  Date: May 2012
  Pages: 81
  Notes: NIST’s guide explains cloud technologies in plain terms to federal agencies and provides recommendations for IT decision makers.

Global Cloud Computing Scorecard: A Blueprint for Economic Opportunity
  Source: Business Software Alliance
  Date: February 2, 2012
  Pages: 24
  Notes: This report notes that although many developed countries have adjusted their laws and regulations to address cloud computing, the wide differences in those rules make it difficult for companies to invest in the technology.

Concept of Operations: FedRAMP
  Source: GSA
  Date: February 7, 2012
  Pages: 47
  Notes: Implementation of FedRAMP will be in phases. This document describes all the services that will be available at initial operating capability, targeted for June 2012. The concept of operations will be updated as the program evolves toward sustained operations.

Federal Risk and Authorization Management Program (FedRAMP)
  Source: Federal Chief Information Officers Council
  Date: January 4, 2012
  Pages: N/A
  Notes: FedRAMP has been established to provide a standard approach to assessing and authorizing (A&A) cloud computing services and products.

Security Authorization of Information Systems in Cloud Computing Environments (FedRAMP)
  Source: White House/Office of Management and Budget (OMB)
  Date: December 8, 2011
  Pages: 7
  Notes: FedRAMP will now be required for all agencies purchasing storage, applications, and other remote services from vendors. The Administration promotes cloud computing as a means to save money and accelerate the government’s adoption of new technologies.

U.S. Government Cloud Computing Technology Roadmap, Volume I, Release 1.0 (Draft). High-Priority Requirements to Further USG Agency Cloud Computing Adoption (SP 500-293)
  Source: NIST
  Date: December 1, 2011
  Pages: 32
  Notes: Volume I is aimed at interested parties that wish to gain a general understanding and overview of the background, purpose, context, work, results, and next steps of the U.S. Government Cloud Computing Technology Roadmap initiative.

U.S. Government Cloud Computing Technology Roadmap, Volume II, Release 1.0 (Draft), Useful Information for Cloud Adopters (SP 500-293)
  Source: NIST
  Date: December 1, 2011
  Pages: 85
  Notes: Volume II is designed as a technical reference for those actively working on strategic and tactical cloud computing initiatives including, but not limited to, U.S. government cloud adopters. This volume integrates and summarizes the work completed to date and explains how these findings support the roadmap introduced in Volume I.

Information Security: Additional Guidance Needed to Address Cloud Computing Concerns
  Source: GAO
  Date: October 6, 2011
  Pages: 17
  Notes: Twenty-two of 24 major federal agencies reported that they were either concerned or very concerned about the potential information security risks associated with cloud computing. GAO recommended that NIST issue guidance specific to cloud computing security.

Cloud Computing Reference Architecture (SP 500-292)
  Source: NIST
  Date: September 1, 2011
  Pages: 35
  Notes: This special publication, which is not an official U.S. government standard, is designed to provide guidance to specific communities of practitioners and researchers.

Guide to Cloud Computing for Policy Makers
Software and Information
July 26, 2011
27
The SAII concludes that “there is no need for cloud-
Industry Association (SAII)
specific legislation or regulations to provide for the
safe and rapid growth of cloud computing, and in fact,
such actions could impede the great potential of
cloud computing.”
CRS-13


Title Source
Date
Pages
Notes
Federal Cloud Computing Strategy | White House | February 13, 2011 | 43 | The strategy outlines how the federal government can accelerate the safe, secure adoption of cloud computing and provides agencies with a framework for migrating to the cloud. It also examines how agencies can address challenges related to the adoption of cloud computing, such as privacy, procurement, standards, and governance.
25 Point Implementation Plan to Reform Federal Information Technology Management | White House | December 9, 2010 | 40 | The plan’s goals are to reduce the number of federally run data centers from 2,100 to approximately 1,300; rectify or cancel one-third of troubled IT projects; and require federal agencies to adopt a “cloud first” strategy in which they will move at least one system to a hosted environment within a year.
Source: Highlights compiled by CRS from the reports.
Note: These reports analyze cybersecurity issues related to the federal government’s adoption of cloud computing storage options.


Critical Infrastructure: CRS Reports
• CRS Report R42683, Critical Infrastructure Resilience: The Evolution of Policy and Programs and Issues for Congress, by John D. Moteff
• CRS Report RL30153, Critical Infrastructures: Background, Policy, and Implementation, by John D. Moteff
• CRS Report R42660, Pipeline Cybersecurity: Federal Policy, by Paul W. Parfomak
• CRS Report R41536, Keeping America’s Pipelines Safe and Secure: Key Issues for Congress, by Paul W. Parfomak
• CRS Report R41886, The Smart Grid and Cybersecurity—Regulatory Policy and Issues, by Richard J. Campbell
• CRS Report R42338, Smart Meter Data: Privacy and Cybersecurity, by Brandon J. Murrill, Edward C. Liu, and Richard M. Thompson II
• CRS Report RL33586, The Federal Networking and Information Technology Research and Development Program: Background, Funding, and Activities, by Patricia Moloney Figliola
• CRS Report 97-868, Internet Domain Names: Background and Policy Issues, by Lennard G. Kruger
• CRS Report IN10027, Open-Source Software and Cybersecurity: The Heartbleed Bug, by Eric A. Fischer, Catherine A. Theohary, and John W. Rollins



Table 4. Critical Infrastructure
Title | Source | Date | Pages | Notes
Cybersecurity for Energy Delivery Systems Program (CEDS) | Department of Energy (DOE), Office of Electricity Delivery and Energy Reliability | Ongoing | N/A | The program assists the energy sector asset owners (electric, oil, and gas) by developing cybersecurity solutions for energy delivery systems through integrated planning and a focused research and development effort. CEDS co-funds projects with industry partners to make advances in cybersecurity capabilities for energy delivery systems.
Cybersecurity Capability Maturity Model (C2M2) | DOE Office of Electricity Delivery and Energy Reliability | Ongoing | N/A | The model was developed by the DOE and industry as a cybersecurity control evaluation and improvement management tool for energy sector firms. It tells adherents how to assess and grade adoption of cybersecurity practices.
GridEx | North American Electric Reliability Corporation (NERC) | Ongoing | N/A | The objectives of the NERC Grid Security Exercise (GridEx) series are to use simulated scenarios (with no real-world effects) to exercise the current readiness of participating electricity subsector entities to respond to cyber- or physical security incidents and provide input for security program improvements to the bulk power system. GridEx is a biennial international grid security exercise that uses best practices and other contributions from the Department of Homeland Security, the Federal Emergency Management Agency, and the National Institute of Standards and Technology.
ICBA Data Breach Toolkit | Independent Community Bankers of America | Ongoing | N/A | ICBA and Visa have teamed up to bring a special communications toolkit to community banks. This comprehensive communications guide gives community banks the means of communicating with card customers and the media within 24 hours of a data compromise. Having this contingency plan in place can make all the difference in a data breach episode. The toolkit includes a brochure on communications best practices following a data breach and customizable template materials, such as cardholder letters, statement inserts, FAQs, and media statements.
Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk | Senator Edward Markey | February 11, 2015 | 14 | Nearly all modern vehicles have some sort of wireless connection that hackers could potentially use to gain access to their critical systems. The companies’ protections on those connections are “inconsistent and haphazard” across the industry. In addition to security weaknesses, the report also found that many auto companies are collecting detailed location data from cars and often transmitting it insecurely.
Senators Alexander, Murray Announce Oversight Initiative on Security of Health IT | Senate Committee on Labor, Health, Education and Pensions | February 6, 2015 | N/A | U.S. Senate health committee Chairman Lamar Alexander (R-Tenn.) and Ranking Member Patty Murray (D-Wash.) today announced a bipartisan initiative focused on examining the security of health information technology and the health industry’s preparedness for cyber threats. The goal of the Alexander-Murray initiative is to examine whether Congress can help ensure the safety of health information technology, including electronic health records, hospital networks, insurance records, and network-connected medical devices, like pacemakers and continuous glucose monitors. Begun last month, the ongoing staff meetings will include participants from relevant government oversight agencies, independent cybersecurity experts, health industry leaders, and others.
Report on Cybersecurity Practices | Financial Industry Regulatory Authority | February 2015 | 46 | The report presents an approach to cybersecurity grounded in risk management to address these threats. It identifies principles and effective practices for firms to consider, while recognizing that there is no one-size-fits-all approach to cybersecurity.
Guidance on Maritime Cybersecurity Standards (Federal Register Notice of Public Meeting and Request for Comments) | U.S. Coast Guard | December 12, 2014 | 2 | From the summary: “The U.S. Coast Guard announces a public meeting to be held in Washington, DC, to receive comments on the development of cybersecurity assessment methods for vessels and facilities regulated by the Coast Guard. This meeting will provide an opportunity for the public to comment on development of security assessment methods that assist vessel and facility owners and operators identify and address cybersecurity vulnerabilities that could cause or contribute to a Transportation Security Incident. The Coast Guard will consider these public comments in developing relevant guidance, which may include standards, guidelines, and best practices to protect maritime critical infrastructure.”
Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment: General Observations | FFIEC | November 3, 2014 |  | Companies are critically dependent on IT. Financial companies should routinely scan IT networks for vulnerabilities and anomalous activity and test systems for their potential exposure to cyberattacks. The study recommends sharing threat data through such avenues as the Financial Services Information Sharing and Analysis Center.
Inquiry into Cyber Intrusions Affecting U.S. Transportation Command Contractors | Senate Armed Services Committee | September 17, 2014 | 52 | Hackers associated with the Chinese government successfully penetrated the computer systems of Transportation Command (TRANSCOM) contractors 20 times in the course of a single year. Chinese hackers tried to get into the systems 50 times. The congressional committee found that only two of the intrusions were detected. It also found that officials were unaware due in large part to unclear requirements and methods for contractors to report breaches and for government agencies to share information.
Critical Infrastructure Protection: DHS [Department of Homeland Security] Action Needed to Enhance Integration and Coordination of Vulnerability Assessment Efforts | Government Accountability Office (GAO) | September 15, 2014 | 82 | DHS used 10 different assessment tools and methods from FY2011 through FY2013 to assess critical infrastructure vulnerabilities. Four of the 10 assessments did not include cybersecurity. The differences in the assessment tools and methods mean DHS is not positioned to integrate its findings in identifying priorities.
Energy Sector Cybersecurity Framework Implementation Guidance: Draft For Public Comment and Comment Submission Form | DOE Office of Electricity Delivery and Energy Reliability | September 12, 2014 | N/A | Energy companies need not make a choice between the National Institute of Standards and Technology (NIST) cybersecurity framework and the DOE’s C2M2. The NIST framework tells organizations to grade themselves on a four-tier scale based on their overall cybersecurity program sophistication. C2M2 tells users to assess cybersecurity control implementation across 10 domains of cybersecurity practices, such as situational awareness, according to their specific “maturity indicator level.”
Guidelines for Smart Grid Cybersecurity, Smart Grid Cybersecurity Strategy, Architecture, and High-Level Requirements (3 volumes) | NIST | September 2014 | 668 | This three-volume report, Guidelines for Smart Grid Cybersecurity, presents an analytical framework that organizations can use to develop effective cybersecurity strategies tailored to their particular combinations of smart grid-related characteristics, risks, and vulnerabilities. Organizations in the diverse community of smart grid stakeholders—from utilities to providers of energy management services to manufacturers of electric vehicles and charging stations—can use the methods and supporting information presented in this report as guidance for assessing risk and identifying and applying appropriate security requirements. This approach recognizes that the electric grid is changing from a relatively closed system to a complex, highly interconnected environment. Each organization’s cybersecurity requirements should evolve as technology advances and as threats to grid security inevitably multiply and diversify.
A Criticism of the Current Security, Privacy and Accountability Issues in Electronic Health Records | International Journal of Applied Information Systems | September 2014 | 8 | Unless a different approach is used, the reliance on cryptography and on password- or escrow-based systems for key management will impede trust in the electronic health records (EHR) system and hence its acceptability. In addition, users with authorized access should also be monitored without affecting the clinician workflow. This paper presents a detailed review of some selected recent approaches to ensuring security, privacy, and accountability in EHR and identifies gaps for future research.
Security in the New Mobile Ecosystem (Free registration required.) | Ponemon Institute and Raytheon | August 2014 | 30 | Mobile devices are quickly becoming an integral tool for the workforce, but the security practices and budgets in most organizations are not keeping pace with the growing number of devices that must be managed and kept secure.
Critical Infrastructure: Security Preparedness and Maturity | Unisys and the Ponemon Institute | July 2014 | 34 | Unisys and the Ponemon Institute surveyed nearly 600 IT security executives of utility, energy, and manufacturing organizations. Overall, the report finds organizations are simply not prepared to deal with advanced cyber threats. Only half of companies have actually deployed IT security programs and, according to the survey, the top threat actually stems from negligent insiders.
Securing the U.S. Electrical Grid: Understanding the Threats to the Most Critical of Critical Infrastructure, While Securing a Changing Grid | Center for the Study of the Presidency and Congress | July 2014 | 180 | From the report: “While [electrical grid] modernization entails significant challenges in its own right, it also provides an opportunity to ‘bake security in’—both in the hardware and software controlling these systems and in the business models, regulatory systems, financial incentives, and insurance structures that govern the generation, transmission, and distribution of electric power.… In this report and the aforementioned dozen recommendations, we have sought to identify the immediate action that can be taken by the White House, the Congress, and the private sector to mitigate current threats to the electrical grid.”
Maritime Critical Infrastructure Protection: DHS Needs to Better Address Port Cybersecurity | GAO | June 5, 2014 | 54 | GAO’s objective was to identify the extent to which DHS and other stakeholders have taken steps to address cybersecurity in the maritime port environment. GAO examined relevant laws and regulations, analyzed federal cybersecurity-related policies and plans, observed operations at three U.S. ports selected for being high-risk ports and leaders in calls by vessel type (e.g., container), and interviewed federal and nonfederal officials.
Executive Leadership of Cybersecurity: What Today’s CEO Needs To Know About the Threats They Don’t See | FFIEC | May 7, 2014 | 30 | The FFIEC highlighted key focus areas for senior management and boards of directors of community institutions as they assess their institutions’ abilities to identify and mitigate cybersecurity risks.
Sector Risks Snapshots | DHS | May 2014 | 52 | DHS’s snapshots provide an introduction to the diverse array of critical infrastructure sectors, touching on some of the key threats and hazards concerning these sectors and highlighting the common, first-order dependencies and interdependencies between sectors.
Critical Infrastructure Protection Issues Identified in Order No. 791 | Federal Energy Regulatory Commission (FERC) | April 24, 2014 | N/A | FERC will hold a technical meeting on cybersecurity and communications security standards for power generators. Among other issues, the meeting will consider possible disjunctures between FERC’s regulatory standards for grid reliability and the new voluntary cybersecurity framework for critical infrastructure that NIST rolled out earlier this year.
Notice of Completion of Notification of Cyber-Dependent Infrastructure and Process for Requesting Reconsideration of Determinations of Cyber Criticality | DHS Programs Directorate | April 17, 2014 | 3 | The Secretary of DHS has been directed to identify critical infrastructure in which a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security. In addition to identifying such infrastructure, the Secretary has also been directed to confidentially notify owners and operators of critical infrastructure identified and establish a mechanism through which entities can request reconsideration of that identification, whether inclusion or exclusion from this list. This notice informs owners and operators of critical infrastructure that the confidential notification process is complete and describes the process for requesting reconsideration.
Cybersecurity Procurement Language for Energy Delivery Systems | DOE Energy Sector Control Systems Working Group | April 2014 | 46 | This guidance suggests procurement strategies and contract language to help U.S. energy companies and technology suppliers build in cybersecurity protections during product design and manufacturing. It was “developed through a public-private working group including federal agencies and private industry leaders.”
Benchmarking Trends: Interest in Cyber Insurance Continues to Climb (Requires free registration to access.) | Marsh USA | March 31, 2014 | 4 | As cyber incidents increased in frequency and severity in 2013, the percentage of companies that purchased cyber insurance rose by double digits (see figure 1 in the report). Early signs in 2014 indicate that the trend is not just continuing but accelerating. Recent high-profile data breaches, growing board-level concern, and the increasing vulnerability of operations to technology failure appear to be influencing purchasing decisions.
Wireless Emergency Alerts (WEA) Cybersecurity Risk Management Strategy for Alert Originators | Carnegie Mellon/Pittsburgh Software Institute | March 2014 | 183 | From the report: “The Wireless Emergency Alerts (WEA) service depends on computer systems and networks to convey potentially life-saving information to the public in a timely manner. However, like other cyber-enabled services, it is susceptible to risks that may enable attackers to disseminate unauthorized alerts or to delay, modify, or destroy valid alerts. Successful attacks may result in property destruction, financial loss, injury, or death and may damage WEA credibility to the extent that users ignore future alerts or disable alerting. This report describes a four-stage cybersecurity risk management (CSRM) strategy that alert originators can use throughout WEA adoption, operations, and sustainment, as well as a set of governance activities for developing a plan to execute the CSRM.”
Cybersecurity and the North American Electric Grid: New Policy Approaches to Address an Evolving Threat | Bipartisan Policy Center | February 28, 2014 |  | The Bipartisan Policy Center’s initiative identifies urgent priorities, including strengthening existing protections, enhancing coordination at all levels, and accelerating the development of robust protocols for response and recovery in the event of a successful attack. The initiative developed recommendations in four policy areas: standards and best practices, information sharing, response to a cyberattack, and paying for cybersecurity. The recommendations are targeted to Congress, federal government agencies, state public utility commissions (PUCs), and industry.
Framework for Improving Critical Infrastructure Cybersecurity | NIST | February 12, 2014 | 41 | The voluntary framework consists of cybersecurity standards that can be customized to various sectors and adapted by both large and small organizations. Additionally, so that the private sector may fully adopt this framework, DHS announced the Critical Infrastructure Cyber Community (C3)—or “C-cubed”—Voluntary Program. The C3 program gives companies that provide critical services such as cell phones, email, banking, and energy and state and local governments direct access to cybersecurity experts within DHS who have knowledge about specific threats, ways to counter those threats, and how, over the long term, to design and build systems that are less vulnerable to cyber threats.
ITI Recommendations to the Department of Homeland Security Regarding its Work Developing a Voluntary Program Under Executive Order 163636, “Improving Critical Infrastructure Cybersecurity.” | Information Technology Industry Council (ITI) | February 11, 2014 | 3 | ITI released a set of recommendations eyeing further improvement of the framework, changes that call for DHS to “de-emphasize the current focus on incentives.” Partly, ITI recognizes the cyber order can produce change even in an environment in which fiscal constraints and congressional inaction stall carrots for adoption—but a bigger business argument, made in its report yesterday, is that ITI and others do not want incentives if they come at the cost of “compliance-based programs.”
The Federal Government’s Track Record on Cybersecurity and Critical Infrastructure | Senate Homeland Security and Governmental Affairs Committee (Minority Staff) | February 4, 2014 | 19 | Since 2006, the federal government has spent at least $65 billion on securing its computers and networks, according to an estimate by the Congressional Research Service (CRS). NIST, the government’s official body for setting cybersecurity standards, has produced thousands of pages of precise guidance on every significant aspect of IT security. And yet agencies—even agencies with responsibilities for critical infrastructure or vast repositories of sensitive data—continue to leave themselves vulnerable, often by failing to take the most basic steps toward securing their systems and information.
Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) (Case Study) | Carnegie Mellon University Software Engineering Institute | January 23, 2014 | 39 | ES-C2M2 is a White House initiative, led by DOE in partnership with the Department of Homeland Security and representatives of electricity subsector asset owners and operators, to manage dynamic threats to the electric grid. Its objectives are to strengthen cybersecurity capabilities, enable consistent evaluation and benchmarking of cybersecurity capabilities, and share knowledge and best practices.
NIPP 2013: Partnering for Critical Infrastructure Security and Resilience | DHS | 2013 | 57 | The National Infrastructure Protection Plan (NIPP) 2013 meets the requirements of Presidential Policy Directive-21, “Critical Infrastructure Security and Resilience,” signed in February 2013. The plan was developed through a collaborative process involving stakeholders from all 16 critical infrastructure sectors, all 50 states, and all levels of government and industry. It provides a clear call to action to leverage partnerships, innovate for risk management, and focus on outcomes.
World Federation of Exchanges (WFE) Launches Global Cyber Security Committee | WFE | December 12, 2013 | N/A | The WFE announced the launch of the exchange industry’s first cybersecurity committee with a mission to aid in the protection of the global capital markets. The working group will bring together representation from a number of exchanges and clearinghouses across the globe to collaborate on best practices in global security.
The Critical Infrastructure Gap: U.S. Port Facilities and Cyber Vulnerabilities | Brookings Institution/Center for 21st Century Security and Intelligence | July 2013 | 50 | The study argues that the level of cybersecurity awareness and culture in U.S. port facilities is relatively low and that a cyberattack at a major U.S. port would quickly cause significant damage to the economy.
FFIEC Forms Cybersecurity and Critical Infrastructure Working Group | FFIEC | June 6, 2013 | 2 | FFIEC formed a working group to further promote coordination across federal and state banking regulatory agencies on critical infrastructure and cybersecurity issues.
Electric Grid Vulnerability: Industry Responses Reveal Security Gaps | Representative Edward Markey and Representative Henry Waxman | May 21, 2013 | 35 | The report found that less than one-quarter of investor-owned utilities and less than one-half of municipally and cooperatively owned utilities followed through with voluntary standards issued by the Federal Energy Regulatory Commission after the Stuxnet worm struck in 2010.
Initial Analysis of Cybersecurity Framework RFI [Request for Information] Responses | NIST | May 20, 2013 | 33 | Comments on the challenges of protecting the nation’s critical infrastructure have identified a handful of issues for the more than 200 people and organizations that responded to a formal RFI. NIST has released an initial analysis of 243 responses to the Feb. 26 RFI. The analysis will form the basis for an upcoming workshop at Carnegie Mellon University in Pittsburgh as NIST moves forward on creating a cybersecurity framework for essential energy, utility, and communications systems.
Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition, Notice of Request for Information | General Services Administration | May 13, 2013 | 3 | Among other things, Presidential Policy Directive-21 requires the General Services Administration, in consultation with the Department of Defense and DHS, to jointly provide and support government-wide contracts for critical infrastructure systems and ensure that such contracts include audit rights for the security and resilience of critical infrastructure.
2013 Annual Report | Financial Stability Oversight Council (FSOC) | April 25, 2013 | 195 | Under the Dodd-Frank Act, FSOC must report annually to Congress on a range of issues, including significant financial market and regulatory developments and potential emerging threats to the financial stability of the United States. FSOC’s recommendations address heightened risk management and supervisory attention to operational risks, including cybersecurity and infrastructure.
Version 5 Critical Infrastructure Protection Reliability Standards (Notice of Proposed Rulemaking) | FERC | April 24, 2013 | 18 | FERC proposes to approve the Version 5 Critical Infrastructure Protection (CIP) Reliability Standards, CIP-002-5 through CIP-011-1, submitted by the North American Electric Reliability Corporation, the commission-certified Electric Reliability Organization. The proposed reliability standards, which pertain to the cybersecurity of the bulk electric system, represent an improvement over the current commission-approved CIP Reliability Standards as they adopt new cybersecurity controls and extend the scope of the systems that are protected by the existing standards.
Wireless Cybersecurity | Syracuse University, New York, Department of Electrical Engineering and Computer Science | April 2013 | 167 | This project dealt with various threats in wireless networks, including eavesdropping in a broadcast channel, noncooperative eavesdropping in a single-source, single-sink planar network, and primary user emulation attack in a cognitive radio network. The major contributions were detailed analysis of performance trade-off in the presence of the eavesdropping threat, a combined encoding and routing approach that provides provable security against noncooperating eavesdropping, and a physical layer approach to counter the primary emulation attack. The research results under this effort significantly advanced our understanding of some of the fundamental trade-offs among various performance metrics in a wireless system. Practically feasible wireless security measures were also obtained that could lead to more assured operations in which secured wireless networks play an indispensable role. This project led to one PhD dissertation, one pending patent application, two archival journal papers, and a number of peer-reviewed conference papers.
Incentives to Adopt Improved Cybersecurity Practices | NIST and the National Telecommunications and Information Administration | March 28, 2013 | N/A | The Department of Commerce (DOC) is investigating ways to incentivize companies and organizations to improve their cybersecurity. To better understand what stakeholders—such as companies, trade associations, academics, and others—believe would best serve as incentives, the department has released a series of questions to gather public comments in a notice of inquiry.
Cybersecurity: The Nation’s Greatest Threat to Critical Infrastructure | U.S. Army War College | March 2013 | 38 | This paper provides a background on what constitutes national critical infrastructure and critical infrastructure protection; discusses the immense vulnerabilities, threats, and risks associated with the protection of critical infrastructure; and outlines governance and responsibilities of protecting vulnerable infrastructure. The paper makes recommendations for federal responsibilities and legislation to direct national critical infrastructure efforts to ensure national security, public safety, and economic stability.
SCADA [Supervisory Control and Data Acquisition] and Process Control Security Survey | SANS Institute | February 1, 2013 | 19 | SANS Institute surveyed professionals who work with SCADA and process control systems. Of the nearly 700 respondents, 70% said they consider their SCADA systems to be at high or severe risk; one-third of them suspected that these systems had already been infiltrated.
Title: Follow-up Audit of the Department’s Cyber Security Incident Management Program
Source: DOE Inspector General’s Office
Date: December 2012
Pages: 25
Notes: A January 2008 audit of the DOE’s Cyber Security Incident Management Program (DOE/IG-0787) reported that the department and the National Nuclear Security Administration (NNSA) had established and maintained a number of independent, at least partially duplicative, cybersecurity incident management capabilities. Several issues were identified that limited the efficiency and effectiveness of the department’s cybersecurity program and adversely affected the ability of law enforcement to investigate incidents. In response to the findings, management concurred with the recommendations and indicated that it had initiated actions to address the issues identified.

Title: Terrorism and the Electric Power Delivery System
Source: National Academies of Science
Date: November 2012
Pages: 146
Notes: Focuses on measures that could make the electric power delivery system less vulnerable to attacks, restore power faster after an attack, and make critical services less vulnerable when delivery of conventional electric power has been disrupted.

Title: New FERC Office to Focus on Cyber Security
Source: DOE
Date: September 20, 2012
Pages: N/A
Notes: FERC announced the creation of the agency’s new Office of Energy Infrastructure Security, which will work to reduce threats to the electric grid and other energy facilities. The goal is for the office to help FERC, other agencies, and private companies better identify potential dangers and solutions.

Title: Canvassing the Targeting of Energy Infrastructure: The Energy Infrastructure Attack Database
Source: Journal of Energy Security
Date: August 7, 2012
Pages: 8
Notes: The Energy Infrastructure Attack Database (EIAD) is a noncommercial dataset that structures information on reported (criminal and political) attacks on energy infrastructure worldwide by nonstate actors since 1980. In building this resource, the objective was to develop a product that could be broadly accessible and connect to existing available resources.

Title: Smart-Grid Security
Source: Center for Infrastructure Protection and Homeland Security, George Mason School of Law
Date: August 2012
Pages: 26
Notes: Highlights the significance of and the challenges with securing the Smart Grid.

Title: Cybersecurity: Challenges in Securing the Electricity Grid
Source: GAO
Date: July 17, 2012
Pages: 25
Notes: In a prior report, GAO made recommendations related to electricity grid modernization efforts, including developing an approach to monitor compliance with voluntary standards. These recommendations have not yet been implemented.
Title: Energy Department Develops Tool with Industry to Help Utilities Strengthen Their Cybersecurity Capabilities
Source: DOE
Date: June 28, 2012
Pages: N/A
Notes: The Cybersecurity Self-Evaluation Tool uses best practices developed for the Electricity Subsector Cybersecurity Capability Maturity Model Initiative, which involved a series of workshops with the private sector to draft a maturity model that can be used throughout the electric sector to better protect the grid.

Title: ICS-CERT Incident Response Summary Report, 2009-2011
Source: U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
Date: May 9, 2012
Pages: 17
Notes: The number of reported cyberattacks on U.S. critical infrastructure increased sharply, from 9 incidents in 2009 to 198 in 2011. Water sector-specific incidents, when added to the incidents that affected several sectors, accounted for more than half of all incidents. In more than half of the most serious cases, implementing best practices such as log-in limitation or a properly configured firewall would have deterred the attack, reduced the time it would have taken to detect an attack, and minimized its impact.

Title: Cybersecurity Risk Management Process (Electricity Subsector)
Source: DOE Office of Electricity Delivery and Energy Reliability
Date: May 2012
Pages: 96
Notes: The guideline describes a risk-management process targeted to the specific needs of electricity sector organizations. Its objective is to build upon existing guidance and requirements to develop a flexible risk-management process tuned to the diverse missions, equipment, and business needs of the electric power industry.

Title: ICT Applications for the Smart Grid: Opportunities and Policy Implications
Source: Organization for Economic Co-operation and Development (OECD)
Date: January 10, 2012
Pages: 44
Notes: This report discusses “smart” applications of information and communication technologies (ICTs) for more sustainable energy production, management, and consumption. The report outlines policy implications for government ministries dealing with telecommunications regulation, ICT sector and innovation promotion, and consumer and competition issues.

Title: The Department’s Management of the Smart Grid Investment Grant Program
Source: DOE Inspector General
Date: January 20, 2012
Pages: 21
Notes: According to the DOE inspector general, the department’s rush to award stimulus grants for projects under the next generation of the power grid, known as the Smart Grid, resulted in some firms receiving funds without submitting complete plans for how to safeguard the grid from cyberattacks.

Title: Critical Infrastructure Protection: Cybersecurity Guidance Is Available, but More Can Be Done to Promote Its Use
Source: GAO
Date: December 9, 2011
Pages: 77
Notes: According to GAO, given the plethora of guidance available, individual entities within the sectors may be challenged in identifying the guidance that is most applicable and effective in improving their security posture. Improved knowledge of the available guidance could help both federal and private-sector decision makers better coordinate their efforts to protect critical cyber-reliant assets.
Title: The Future of the Electric Grid
Source: Massachusetts Institute of Technology (MIT)
Date: December 5, 2011
Pages: 39
Notes: Chapter 1 provides an overview of the status of the electric grid, the challenges and opportunities it will face, and major recommendations. To facilitate selective reading, detailed descriptions of the contents of each section in Chapters 2-9 are provided in each chapter’s introduction, and recommendations are collected and briefly discussed in each chapter’s final section. (See Chapter 9, “Data Communications, Cybersecurity, and Information Privacy,” pages 208-234.)

Title: FCC’s Plan for Ensuring the Security of Telecommunications Networks
Source: Federal Communications Commission (FCC)
Date: June 3, 2011
Pages: 1
Notes: FCC Chairman Genachowski’s response to a letter from Representative Anna Eshoo dated November 2, 2010, regarding concerns about the implications of foreign-controlled telecommunications infrastructure companies providing equipment to the U.S. market.

Title: Cyber Infrastructure Protection
Source: U.S. Army War College
Date: May 9, 2011
Pages: 324
Notes: Part 1 deals with strategic and policy cybersecurity-related issues and discusses the theory of cyberpower, Internet survivability, large-scale data breaches, and the role of cyberpower in humanitarian assistance. Part 2 covers social and legal aspects of cyber infrastructure protection and discusses the attack dynamics of politically and religiously motivated hackers. Part 3 discusses the technical aspects of cyber infrastructure protection, including the resilience of data centers, intrusion detection, and a strong emphasis on Internet protocol (IP) networks.

Title: In the Dark: Crucial Industries Confront Cyberattacks
Source: McAfee and Center for Strategic and International Studies (CSIS)
Date: April 21, 2011
Pages: 28
Notes: The study reveals an increase in cyberattacks on critical infrastructure such as power grids, oil, gas, and water; it also shows that many of the world’s critical infrastructures lacked protection of their computer networks and reveals the cost and impact of cyberattacks.

Title: Cybersecurity: Continued Attention Needed to Protect Our Nation’s Critical Infrastructure and Federal Information Systems
Source: GAO
Date: March 16, 2011
Pages: 17
Notes: According to GAO, executive branch agencies have made progress instituting several government-wide initiatives aimed at bolstering aspects of federal cybersecurity, such as reducing the number of federal access points to the Internet, establishing security configurations for desktop computers, and enhancing situational awareness of cyber events. Despite these efforts, the federal government continues to face significant challenges in protecting the nation’s cyber-reliant critical infrastructure and federal information systems.
Title: Federal Energy Regulatory Commission’s Monitoring of Power Grid Cyber Security
Source: DOE Office of Inspector General
Date: January 26, 2011
Pages: 30
Notes: NERC developed Critical Infrastructure Protection (CIP) cybersecurity reliability standards, which were approved by FERC in January 2008. Although the commission had taken steps to ensure CIP cybersecurity standards were developed and approved, the inspector general’s testing revealed that such standards did not always include controls commonly recommended for protecting critical information systems. In addition, the CIP standards implementation approach and schedule approved by the commission were not adequate to ensure that systems-related risks to the nation’s power grid were mitigated or addressed in a timely manner.

Title: Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed
Source: GAO
Date: January 12, 2011
Pages: 50
Notes: From the report: “To reduce the risk that NIST’s smart grid cybersecurity guidelines will not be as effective as intended, the Secretary of Commerce should direct the Director of NIST to finalize the agency’s plan for updating and maintaining the cybersecurity guidelines, including ensuring it incorporates (1) missing key elements identified in this report, and (2) specific milestones for when efforts are to be completed. Also, as a part of finalizing the plan, the Secretary of Commerce should direct the Director of NIST to assess whether any cybersecurity challenges identified in this report should be addressed in the guidelines.”

Title: Partnership for Cybersecurity Innovation
Source: White House Office of Science and Technology Policy
Date: December 6, 2010
Pages: 4
Notes: The Obama Administration released a memorandum of understanding signed by DOC’s NIST, DHS’s Science and Technology Directorate (DHS/S&T), and the Financial Services Sector Coordinating Council (FSSCC). The goal of the agreement is to speed up the commercialization of cybersecurity research innovations that support the nation’s critical infrastructures.

Title: WIB Security Standard Released
Source: International Instrument Users Association (WIB)
Date: November 10, 2010
Notes: The Netherlands-based WIB, an international organization that represents global manufacturers in the industrial automation industry, announced the second version of the Process Control Domain Security Requirements for Vendors document, the first international standard that outlines a set of specific requirements focusing on cybersecurity best practices for suppliers of industrial automation and control systems.
Title: Information Security Management System for Microsoft Cloud Infrastructure
Source: Microsoft
Date: November 2010
Pages: 15
Notes: This study describes the standards Microsoft follows to address current and evolving cloud security threats. It also depicts the internal structures within Microsoft that handle cloud security and risk management issues.

Title: NIST Finalizes Initial Set of Smart Grid Cyber Security Guidelines
Source: NIST
Date: September 2, 2010
Pages: N/A
Notes: NIST released a three-volume set of recommendations relevant to securing the Smart Grid. The guidelines address a variety of topics, including high-level security requirements, a risk assessment framework, an evaluation of privacy issues in residences, and recommendations for protecting the evolving grid from attacks, malicious code, cascading errors, and other threats.

Title: Critical Infrastructure Protection: Key Private and Public Cyber Expectations Need to Be Consistently Addressed
Source: GAO
Date: July 15, 2010
Pages: 38
Notes: Private-sector stakeholders reported that they expect their federal partners to provide usable, timely, and actionable cyber threat information and alerts; access to sensitive or classified information; a secure mechanism for sharing information; security clearances; and a single centralized government cybersecurity organization to coordinate government efforts. However, according to private-sector stakeholders, federal partners are not consistently meeting these expectations.

Title: The Future of Cloud Computing
Source: Pew Research Center’s Internet and American Life Project
Date: June 11, 2010
Pages: 26
Notes: Technology experts and stakeholders expect they will “live mostly in the cloud” in 2020 and not on the desktop, working mostly through cyberspace-based applications accessed through networked devices.

Title: The Reliability of Global Undersea Communications Cable Infrastructure (The ROGUCCI Report)
Source: Institute of Electrical and Electronics Engineers and the EastWest Institute
Date: May 26, 2010
Pages: 186
Notes: This study submits 12 major recommendations to private-sector, government, and other stakeholders, especially the financial sector, for the purpose of improving the reliability, robustness, resilience, and security of the world’s undersea communications cable infrastructure.

Title: NSTB Assessments Summary Report: Common Industrial Control System Cyber Security Weaknesses
Source: DOE, Idaho National Laboratory
Date: May 2010
Pages: 123
Notes: This report by the National SCADA Test Bed (NSTB) program notes that computer networks controlling the electric grid are plagued with security holes that could allow intruders to redirect power delivery and steal data. Many of the security vulnerabilities are strikingly basic and fixable problems.

Title: Explore the reliability and resiliency of commercial broadband communications networks
Source: FCC
Date: April 21, 2010
Pages: N/A
Notes: The FCC launched an inquiry into the ability of existing broadband networks to withstand significant damage or severe overloads as a result of natural disasters, terrorist attacks, pandemics, or other major public emergencies, as recommended in the National Broadband Plan.
Title: Security Guidance for Critical Areas of Focus in Cloud Computing V2.1
Source: Cloud Security Alliance
Date: December 2009
Pages: 76
Notes: From the report, “Through our focus on the central issues of cloud computing security, we have attempted to bring greater clarity to an otherwise complicated landscape, which is often filled with incomplete and oversimplified information. Our focus ... serves to bring context and specificity to the cloud computing security discussion: enabling us to go beyond gross generalizations to deliver more insightful and targeted recommendations.”

Title: 21 Steps to Improve Cyber Security of SCADA Networks
Source: DOE, Infrastructure Security and Energy Restoration
Date: January 1, 2007
Pages: 10
Notes: The President’s Critical Infrastructure Protection Board and DOE have developed steps to help any organization improve the security of its SCADA networks. The steps are divided into two categories: specific actions to improve implementation and actions to establish essential underlying management processes and policies.
Source: Highlights compiled by CRS from the reports.


Cybercrime and Data Security: CRS Reports and Other CRS Products

• CRS Report 97-1025, Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws, by Charles Doyle
• CRS Report 94-166, Extraterritorial Application of American Criminal Law, by Charles Doyle
• CRS Report R42403, Cybersecurity: Cyber Crime Protection Security Act (S. 2111, 112th Congress)—A Legal Analysis, by Charles Doyle
• CRS Report 98-326, Privacy: An Overview of Federal Statutes Governing Wiretapping and Electronic Eavesdropping, by Gina Stevens and Charles Doyle
• CRS Report RL32706, Spyware: Background and Policy Issues for Congress, by Patricia Moloney Figliola
• CRS Report R41975, Illegal Internet Streaming of Copyrighted Content: Legislation in the 112th Congress, by Brian T. Yeh
• CRS Report R42112, Online Copyright Infringement and Counterfeiting: Legislation in the 112th Congress, by Brian T. Yeh
• CRS Report R40599, Identity Theft: Trends and Issues, by Kristin Finklea
• CRS Report R41927, The Interplay of Borders, Turf, Cyberspace, and Jurisdiction: Issues Confronting U.S. Law Enforcement, by Kristin Finklea
• CRS Report RL34651, Protection of Children Online: Federal and State Laws Addressing Cyberstalking, Cyberharassment, and Cyberbullying, by Alison M. Smith
• CRS Report R42547, Cybercrime: Conceptual Issues for Congress and U.S. Law Enforcement, by Kristin Finklea and Catherine A. Theohary
• CRS Report R43382, Data Security and Credit Card Thefts: CRS Experts, by Eric A. Fischer
• CRS Legal Sidebar WSLG483, Obstacles to Private Sector Cyber Threat Information Sharing, by Edward C. Liu
• CRS Legal Sidebar WSLG672, Online Banking Fraud: Liability for Unauthorized Payment from Business Checking Account, by M. Maureen Murphy
• CRS Legal Sidebar WSLG831, Federal Securities Laws and Recent Data Breaches, by Michael V. Seitzinger
• CRS Legal Sidebar WSLG906, Hackers Cannot Always Be Tried Where Third-Party Victims Reside, by Charles Doyle
• CRS Legal Sidebar WSLG959, In the Matter of LabMD: The FTC Must Publicly Disclose Its Data Security Standards, by Gina Stevens
• CRS Insight IN10218, Information Warfare: Cyberattacks on Sony, by Catherine A. Theohary



Table 5. Cybercrime, Data Breaches, and Data Security
Title Source
Date
Pages Notes
Title: ThreatExchange
Source: Facebook
Date: Ongoing
Notes: ThreatExchange is a set of application programming interfaces, or APIs, that let disparate companies trade information about the latest online attacks. Built atop the Facebook Platform (the standard set of tools for coding applications atop the company’s worldwide social network), ThreatExchange is used by Facebook and a handful of other companies, including Tumblr, Pinterest, Twitter, and Yahoo. Access to the service is strictly controlled, but [Facebook] hopes to include other companies as time goes on.

Title: ThreatWatch
Source: NextGov
Date: Ongoing
Pages: N/A
Notes: ThreatWatch is a snapshot of the data breaches hitting organizations and individuals, globally, on a daily basis. It is not an authoritative list because many compromises are never reported or even discovered. The information is based on accounts published by outside news organizations and researchers.

Title: Criminal Underground Economy Series
Source: Trend Micro
Date: Ongoing
Pages: N/A
Notes: A review of various cybercrime markets around the world.

Title: Digital Attack Map
Source: Arbor Networks
Date: Ongoing
Pages: N/A
Notes: The map is powered by data fed from 270+ ISP customers worldwide who have agreed to share network traffic and attack statistics. The map displays global activity levels in observed attack traffic, which it collects anonymously, and does not include any identifying information about the attackers or victims involved in any particular attack.

Title: Global Botnet Map
Source: Trend Micro
Date: Ongoing
Pages: N/A
Notes: Trend Micro continuously monitors malicious network activities to identify command-and-control (C&C) servers and help increase protection against botnet attacks. The real-time map indicates the locations of C&C servers and victimized computers they control that have been discovered in the previous six hours.

Title: HoneyMap
Source: Honeynet Project
Date: Ongoing
Pages: N/A
Notes: The HoneyMap displays malicious attacks as they happen. Each red dot represents an attack on a computer. Yellow dots represent honeypots, or systems set up to record incoming attacks. The black box on the bottom gives the location of each attack. The Honeynet Project is an international 501(c)(3) nonprofit security research organization, dedicated to investigating the latest attacks and developing open source security tools to improve Internet security.

Title: The Cyberfeed
Source: Anubis Networks
Date: Ongoing
Pages: N/A
Notes: This site provides real-time threat intelligence data worldwide.
Title: Regional Threat Assessment: Infection Rates and Threat Trends by Location (Note: Select “All Regions” or a specific country or region to view threat assessment reports)
Source: Microsoft Security Intelligence Report (SIR)
Date: Ongoing
Pages: N/A
Notes: This report provides data on infection rates, malicious websites, and threat trends by regional location, worldwide.

Title: 2014 Global Threat Intel Report
Source: CrowdStrike
Date: February 6, 2015
Pages: N/A
Notes: This report summarizes CrowdStrike’s year-long daily scrutiny of more than 50 groups of cyber threat actors, including 29 different state-sponsored and nationalist adversaries. Key findings explain how financial malware changed the threat landscape and point-of-sale malware became increasingly prevalent. The report also profiles a number of new and sophisticated adversaries from China and Russia, including Hurricane Panda, Fancy Bear, and Berserk Bear.
Title: Unique in the shopping mall: On the reidentifiability of credit card metadata
Source: Science Magazine
Date: January 30, 2015
Pages: 5
Notes: MIT scientists showed they can identify an individual with more than 90% accuracy by looking at just four purchases, three if the price is included, and this is after companies “anonymized” the transaction records, saying they wiped away names and other personal details.
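As an added illustration of the reidentification result summarized in this entry (this is not code from the Science paper or from CRS), the following Python script computes the "unicity" of a constructed transaction log: for each card holder it measures what share of p-point subsets of that holder's own (shop, day) history is matched by no other holder, first without and then with a coarse price bucket. The transaction records, the holder identifiers, and the 10-unit price bucket are assumptions made for the example; the values it prints for four constructed holders are not the paper's figures, which were measured over a real population.

```python
"""Unicity of card metadata: how many holders are uniquely identified by a
handful of (shop, day) points drawn from their own purchase history.

Added example for the Science paper summarized above; it is not that
paper's code. The log below is constructed, and the price bucketing is an
assumption of this script.
"""
from itertools import combinations

# Constructed sample log: (card_holder, shop, day, price). All values are
# invented for the example; there is no real customer data here.
TRANSACTIONS = [
    ("u1", "bakery", 1, 3.50), ("u1", "pharmacy", 2, 12.00),
    ("u1", "cafe", 3, 4.20), ("u1", "bookshop", 5, 18.90),
    ("u1", "grocer", 6, 41.10),
    ("u2", "bakery", 1, 3.50), ("u2", "cafe", 3, 4.20),
    ("u2", "grocer", 6, 23.00), ("u2", "gas", 7, 50.00),
    ("u2", "cinema", 9, 12.00),
    ("u3", "bakery", 1, 2.10), ("u3", "pharmacy", 2, 12.00),
    ("u3", "cafe", 3, 4.20), ("u3", "grocer", 6, 41.10),
    ("u3", "gym", 8, 30.00),
    ("u4", "bakery", 1, 3.50), ("u4", "pharmacy", 2, 12.00),
    ("u4", "cafe", 3, 4.20), ("u4", "bookshop", 5, 25.00),
    ("u4", "grocer", 6, 41.10),
]


def price_bucket(price, width=10.0):
    """Coarsen a price into a bin; the 10-unit width is an assumption."""
    return int(price // width)


def build_traces(transactions, with_price=False):
    """Map each holder to the set of points an outsider could learn about
    them: (shop, day), or (shop, day, price_bucket) if with_price."""
    traces = {}
    for holder, shop, day, price in transactions:
        point = (shop, day, price_bucket(price)) if with_price else (shop, day)
        traces.setdefault(holder, set()).add(point)
    return traces


def matching_holders(points, traces):
    """Holders whose trace contains every point the outsider knows."""
    points = set(points)
    return {h for h, trace in traces.items() if points <= trace}


def unicity(traces, p):
    """Average, over holders, of the share of p-point subsets of their own
    trace that match nobody else. Exhaustive over subsets, so exact on
    small data (the paper samples random subsets instead)."""
    scores = []
    for holder, trace in traces.items():
        subsets = list(combinations(sorted(trace), p))
        if not subsets:  # holder has fewer than p points: nothing to test
            continue
        unique = sum(1 for s in subsets if matching_holders(s, traces) == {holder})
        scores.append(unique / len(subsets))
    return sum(scores) / len(scores) if scores else 0.0


if __name__ == "__main__":
    for with_price in (False, True):
        traces = build_traces(TRANSACTIONS, with_price)
        for p in (2, 3, 4):
            print(f"with_price={with_price} p={p}: unicity={unicity(traces, p):.3f}")
```

Running the script shows that adding the price bucket raises unicity at every p, because it separates holders such as u1 and u4 whose (shop, day) traces coincide exactly. The practical point, and the paper's, is that removing names and card numbers from a per-card transaction history does not make it anonymous: a few externally observable purchases are usually enough to single out one trace.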
Title: Ransomware on the Rise: FBI and Partners Working to Combat This Cyber Threat
Source: FBI
Date: January 20, 2015
Pages: N/A
Notes: Ransomware scams involve a type of malware that infects computers and restricts users’ access to their files or threatens the permanent destruction of their information unless a ransom (anywhere from hundreds to thousands of dollars) is paid. The site offers information on the FBI’s and federal, international, and private-sector partners’ proactive steps to neutralize some of the more significant ransomware scams through law enforcement actions against major botnets.

Title: Addressing the cybersecurity Malicious Insider threat
Source: Schluderberg, Larry (Utica College Master’s Thesis)
Date: January 2015
Pages: 80
Notes: The purpose of this research was to investigate who constitutes malicious insider (MI) threats, why and how they initiate attacks, and the extent to which MI activity can be modeled or predicted, and to suggest some risk mitigation strategies. The results reveal that addressing the Malicious Insider threat is much more than just a technical issue. Dealing effectively with the threat involves managing the dynamic interaction between employees, their work environment and work associates, the systems with which they interact, and organizational policies and procedures.
Title: The Underground Hacker Markets are Booming with Counterfeit Documents, Premiere Credit Cards, Hacker Tutorials, and 1000% Satisfaction Guarantees
Source: Dell SecureWorks
Date: December 2014
Pages: 16
Notes: Researchers examined dozens of underground hacker markets for this second annual survey and found that business is booming. Prices have gone down for many items, and the offerings have expanded. As the report puts it: “Underground hackers are monetizing every piece of data they can steal or buy and are continually adding services so other scammers can successfully carry out online and in-person fraud.”

Title: What Happens When You Swipe Your Card?
Source: 60 Minutes
Date: November 30, 2014
Pages: N/A
Notes: From the script for the segment “Swiping Your Card”: “Sophisticated cyberthieves steal your credit card information. Common criminals buy it and go on shopping sprees—racking up billions of dollars in fraudulent purchases. The cost of the fraud is calculated into the price of every item you buy. When computer crooks swipe your card number, we all end up paying the price. 2014 is becoming known as the ‘year of the data breach.’”

Title: Continuing Federal Cyber Breaches Warn Against Cybersecurity Regulation
Source: Heritage Foundation
Date: October 27, 2014
Pages: N/A
Notes: This is a list of federal government cybersecurity breaches and failures, most of which occurred during 2013 and 2014. The list is part of a continuing series published by Heritage that serves as a long-term compilation of open-source data about federal cybersecurity breaches dating back to 2004.

Title: 2014 Cost of Cybercrime Global Report (Email registration required.)
Source: Hewlett-Packard Enterprise Security and the Ponemon Institute
Date: October 8, 2014
Pages: 30
Notes: This 2014 global study, which spanned seven nations, found that over the course of a year the average cost of cybercrime for companies in the United States climbed by more than 9% to $12.7 million, up from $11.6 million in the 2013 study. The average time to resolve a cyberattack is also rising, climbing to 45 days from 32 days in 2013.

Title: How Consumers Foot the Bill for Data Breaches (infographic)
Source: NextGov.com
Date: August 7, 2014
Notes: More than 600 data breaches occurred in 2013 alone, with an average organizational cost of more than $5 million. But in the end, it is the customers who are picking up the tab, from higher retail costs to credit card reissue fees.

Title: Is Ransomware Poised for Growth?
Source: Symantec
Date: July 14, 2014
Pages: N/A
Notes: Ransomware usually masquerades as a virtual “wheel clamp” for the victim’s computer. For example, pretending to be from local law enforcement, it might suggest the victim had been using the computer for illicit purposes and claim that to unlock his or her computer the victim would have to pay a fine, often between $100 and $500. The use of ransomware escalated in 2013, with a 500% (sixfold) increase in attack numbers between the start and end of the year.
Title: iDATA: Improving Defences Against Targeted Attack
Source: Centre for the Protection of National Infrastructure (UK)
Date: July 2014
Pages: 8
Notes: The iDATA program consists of a number of projects aimed at addressing threats posed by nation-states and state-sponsored actors. iDATA has resulted in several outputs for the cybersecurity community. This document provides a description of the iDATA program and a summary of the reports.

Title: Cyber Risks: The Growing Threat
Source: Insurance Information Institute
Date: June 27, 2014
Pages: 27
Notes: Although cyber risks and cybersecurity are widely acknowledged to be serious threats, many companies today still do not purchase cyber risk insurance. Insurers have developed specialist cyber insurance policies to help businesses and individuals protect themselves from the cyber threat. Market intelligence suggests that the types of specialized cyber coverage being offered by insurers are expanding in response to this fast-growing market need.

Title: Hackers Wanted: An Examination of the Cybersecurity Labor Market
Source: RAND Corporation
Date: June 24, 2014
Pages: 110
Notes: RAND examined the current status of the labor market for cybersecurity professionals, with an emphasis on their being employed to defend the United States. This effort was in three parts: first, a review of the literature; second, interviews with managers and educators of cybersecurity professionals, supplemented by reportage; and third, an examination of the economic literature about labor markets. RAND also disaggregated the broad definition of “cybersecurity professionals” to unearth skills differentiation as relevant to this study.

Title: Global Cybercrime: The Interplay of Politics and Law
Source: Centre for International Governance Innovation
Date: June 20, 2014
Pages: 23
Notes: This paper explores the recent unsealing of a 31-count indictment against 5 Chinese government officials and a significant cyber breach perpetrated by Chinese actors against Western oil, energy, and petrochemical companies. The paper concludes by noting that increased cooperation between governments is necessary but unlikely to occur as long as the discourse surrounding cybercrime remains so heavily politicized and securitized. If governments coalesced around the notion of trying to prevent the long-term degradation of trust in the online economy, then they might profitably advance the dialogue away from mutual suspicion and toward mutual cooperation.

Title: Net Losses: Estimating the Global Cost of Cybercrime
Source: Center for Strategic and International Studies and McAfee
Date: June 2014
Pages: 24
Notes: This report explores the economic impact of cybercrime, including estimation, regional variances, IP theft, opportunity and recovery costs, and the future of cybercrime.
Title: 2014 U.S. State of Cybercrime Survey
Source: PricewaterhouseCoopers, CSO Magazine, the CERT Division of the Software Engineering Institute at Carnegie Mellon University, and the U.S. Secret Service
Date: May 29, 2014
Pages: 21
Notes: The cybersecurity programs of U.S. organizations do not rival the persistence, tactical skills, and technological prowess of their potential cyber adversaries. This year, three out of four (77%) respondents to the survey had detected a security event in the past 12 months, and more than one-third (34%) said the number of security incidents detected had increased over the previous year.

Title: Privileged User Abuse and The Insider Threat (Requires free registration to access.)
Source: Ponemon Institute and Raytheon
Date: May 21, 2014
Pages: 32
Notes: The report looks at what companies are doing right and the vulnerabilities that need to be addressed with policies and technologies. One problematic area is the difficulty in actually knowing if an action taken by an insider is truly a threat. Sixty-nine percent of respondents say they do not have enough contextual information from security tools to make this assessment, and 56% say security tools yield too many false positives.

Title: Online Advertising and Hidden Hazards to Consumer Security and Data Privacy
Source: Senate Permanent Subcommittee on Investigations
Date: May 15, 2014
Pages: 47
Notes: The report found consumers could expose themselves to malware just by visiting a popular website. It noted that the complexity of the industry made it possible for both advertisers and host websites to defer responsibility and that consumer safeguards failed to protect against online abuses. The report also warned that current practices do not create enough incentives for “online advertising participants” to take preventive measures.

Title: Sharing Cyberthreat Information Under 18 USC § 2702(a)(3)
Source: Department of Justice
Date: May 9, 2014
Pages: 7
Notes: The Department of Justice issued guidance for Internet service providers to assuage legal concerns about information sharing. The white paper interprets the Stored Communications Act, which prohibits providers from voluntarily disclosing customer information to governmental entities. The white paper says the law does not prohibit companies from divulging data in the aggregate, without any specific details about identifiable customers.

Title: The Rising Strategic Risks of Cyberattacks
Source: McKinsey and Company
Date: May 2014
Pages: N/A
Notes: Companies are struggling with their capabilities in cyber risk management. As highly visible breaches occur with increasing regularity, most technology executives believe they are losing ground to attackers. Organizations large and small lack the facts to make effective decisions, and traditional “protect the perimeter” technology strategies are proving insufficient.

Title: Big Data: Seizing Opportunities, Preserving Values
Source: White House
Date: May 2014
Pages: 85
Notes: Findings include a set of consumer protection recommendations, such as national data-breach legislation, and a fresh call for baseline consumer-privacy legislation first recommended in 2012.
Title: The Target Breach, by the Numbers
Source: Krebs on Security
Date: May 6, 2014
Pages: N/A
Notes: A synthesis of numbers associated with the Target data breach of December 19, 2013 (e.g., number of records stolen, estimated dollar cost to credit unions and community banks, amount of money Target estimates it will spend upgrading payment terminals to support Chip-and-PIN enabled cards).

Title: Heartbleed’s Impact
Source: Pew Research Center
Date: April 30, 2014
Pages: 13
Notes: The Heartbleed security flaw in one of the most widely used “secure socket” encryption programs on the Internet had an impact on a notable share of Internet users. Some 60% of adults (and 64% of Internet users) said they had heard about the bug. Some 19% of adults said they had heard a lot about it, and 41% said they had heard a little about it. However, the Heartbleed story drew much less intensity and scope of attention than other big news stories.

Title: Russian Underground Revisited
Source: Trend Micro
Date: April 28, 2014
Pages: 25
Notes: The price of malicious software (designed to enable online bank fraud, identity theft, and other cybercrimes) is falling dramatically in some of the Russian-language criminal markets in which it is sold. Falling prices are a result not of declining demand but rather of an increasingly sophisticated marketplace. This report outlines the products and services being sold and what their prices are.

Title: A “Kill Chain” Analysis of the 2013 Target Data Breach
Source: Senate Commerce Committee
Date: March 26, 2014
Pages: 18
Notes: This report analyzes what has been reported to date about the Target data breach, using the intrusion kill chain framework, an analytical tool introduced by Lockheed Martin security researchers in 2011 and today widely used by information security professionals in both the public and private sectors. This analysis suggests that Target missed a number of opportunities along the kill chain to stop the attackers and prevent the massive data breach.

Title: Markets for Cybercrime Tools and Stolen Data
Source: RAND Corporation National Security Research Division and Juniper Networks
Date: March 25, 2014
Pages: 83
Notes: This report, part of a multiphase study on the future security environment, describes the fundamental characteristics of the criminal activities in cyberspace markets and how they have grown into their current state, to explain how their existence can harm the information security environment.
Merchant and Financial Trade Associations Announce Cybersecurity Partnership
  Source: Retail Industry Leaders Association
  Date: February 13, 2014
  Pages: N/A
  Notes: Trade associations representing the merchant and financial services industries announced a new cybersecurity partnership. The partnership will focus on exploring paths to increased information sharing, better card security technology, and maintaining the trust of customers. Discussion regarding the partnership was initiated by the Retail Industry Leaders Association and the Financial Services Roundtable, joined by the American Bankers Association, the American Hotel and Lodging Association, the Clearing House, the Consumer Bankers Association, the Food Marketing Institute, the Electronic Transactions Association, the Independent Community Bankers of America, the International Council of Shopping Centers, the National Association of Convenience Stores, the National Grocers Association, the National Restaurant Association, and the National Retail Federation.

FTC Statement Marking the FTC’s 50th Data Security Settlement
  Source: Federal Trade Commission (FTC)
  Date: January 31, 2014
  Pages: 2
  Notes: The FTC announces its 50th data security settlement. What started in 2002 with a single case applying established FTC Act precedent to the area of data security has grown into an enforcement program that has helped to increase protections for consumers and encouraged companies to make safeguarding consumer data a priority.

Worst Practices Guide to Insider Threats: Lessons from Past Mistakes
  Source: American Academy of Arts and Sciences
  Date: January 2014
  Pages: 32
  Notes: From the report: “Here, we are presenting a kind of ‘worst practices’ guide of serious mistakes made in the past regarding insider threats. While each situation is unique, and serious insider problems are relatively rare, the incidents we describe reflect issues that exist in many contexts and that every nuclear security manager should consider. Common organizational practices—such as prioritizing production over security, failure to share information across subunits, inadequate rules or inappropriate waiving of rules, exaggerated faith in group loyalty, and excessive focus on external threats—can be seen in many past failures to protect against insider threats.”

ENISA Threat Landscape 2013—Overview of Current and Emerging Cyber-Threats
  Source: European Union Agency for Network and Information Security (ENISA)
  Date: December 11, 2013
  Pages: 70
  Notes: The report is a collection of top cyber threats that have been assessed in the reporting period (i.e., within 2013). ENISA has collected more than 250 reports regarding cyber threats, risks, and threat agents. This report is a comprehensive compilation of the top 15 cyber threats assessed.
Cyber-enabled Competitive Data Theft: A Framework for Modeling Long-Run Cybersecurity Consequences
  Source: Brookings Institution
  Date: December 2013
  Pages: 18
  Notes: Economic espionage has existed at least since the industrial revolution, but the scope of modern cyber-enabled competitive data theft may be unprecedented. In this paper, the authors present what they believe is the first economic framework and model to understand the long-run impact of competitive data theft on an economy by taking into account the actual mechanisms and pathways by which theft harms the victims.

Trends in Incident Response in 2013
  Source: U.S. Industrial Control System Cyber Emergency Response Team (ICS-CERT) Monitor
  Date: October-December 2013
  Pages: 14
  Notes: In 2013, ICS-CERT responded to 256 incidents reported either directly from asset owners or through other trusted partners. Most of these incidents were initially detected in business networks of critical infrastructure organizations that operate industrial control systems. Of the 256 reported incidents, 59%, or 151 incidents, occurred in the energy sector, which exceeded all incidents reported in other sectors combined.

Illicit Cyber Activity Involving Fraud
  Source: Carnegie Mellon University Software Engineering Institute
  Date: August 8, 2013
  Pages: 28
  Notes: Technical and behavioral patterns were extracted from 80 fraud cases—67 insider and 13 external—that occurred between 2005 and the present. These cases were used to develop insights and risk indicators to help private industry, government, and law enforcement more effectively prevent, deter, detect, investigate, and manage malicious insider activity within the banking and finance sectors.

The Economic Impact of Cybercrime and Cyber Espionage
  Source: Center for Strategic and International Studies
  Date: July 22, 2013
  Pages: 20
  Notes: Losses to the United States (the country in which data is most accessible) may reach $100 billion annually. The cost of cybercrime and cyber espionage to the global economy is some multiple of this, likely measured in hundreds of billions of dollars.

Cyber-Crime, Securities Markets, and Systemic Risk
  Source: World Federation of Exchanges and the International Organization of Securities Commissions
  Date: July 16, 2013
  Pages: 59
  Notes: This report explores the nature and extent of cybercrime in securities markets so far and the potential systemic risk aspects of this threat. It presents the results of a survey to the world’s exchanges on their experiences with cybercrime, cybersecurity practices, and perceptions of the risk.

Towards Trustworthy Social Media and Crowdsourcing
  Source: Wilson Center
  Date: May 2013
  Pages: 12
  Notes: Individuals and organizations interested in using social media and crowdsourcing currently lack two key sets of information: a systematic assessment of the vulnerabilities in these technologies and a comprehensive set of best practices describing how to address those vulnerabilities. Identifying those vulnerabilities and developing those best practices are necessary to address a growing number of cybersecurity incidents ranging from innocent mistakes to targeted attacks that have claimed lives and cost millions of dollars.
Remaking American Security: Supply Chain Vulnerabilities and National Security Risks Across the U.S. Defense Industrial Base
  Source: Alliance for American Manufacturing
  Date: May 2013
  Pages: 355
  Notes: Because the supply chain is global, it makes sense for U.S. officials to cooperate with other nations to ward off cyberattacks. Increased international cooperation to secure the integrity of the global IT system is a valuable long-term objective.

Comprehensive Study on Cybercrime
  Source: United Nations Office on Drugs and Crime
  Date: February 2013
  Pages: 320
  Notes: The study examined the problem of cybercrime from the perspective of governments, the private sector, academia, and international organizations. It presents its results in eight chapters, covering Internet connectivity and cybercrime; the global cybercrime picture; cybercrime legislation and frameworks; criminalization of cybercrime; law enforcement and cybercrime investigations; electronic evidence and criminal justice; international cooperation in criminal matters involving cybercrime; and cybercrime prevention.

HoneyMap - Visualizing Worldwide Attacks in Real-Time and Honeynet Map
  Source: The Honeynet Project
  Date: October 1, 2012
  Pages: N/A
  Notes: The HoneyMap shows a real-time visualization of attacks against the Honeynet Project’s sensors deployed around the world.

Does Cybercrime Really Cost $1 Trillion?
  Source: ProPublica
  Date: August 1, 2012
  Pages: N/A
  Notes: In a news release to announce its 2009 report, Unsecured Economies: Protecting Vital Information, computer security firm McAfee estimated a $1 trillion global cost for cybercrime. The number does not appear in the report itself. This estimate is questioned even by the three independent researchers from Purdue University whom McAfee credits with analyzing the raw data from which the estimate was derived. An examination by ProPublica has found new grounds to question the data and methods used to generate these numbers, which McAfee and Symantec say they stand behind.

Information Security: Cyber Threats Facilitate Ability to Commit Economic Espionage
  Source: Government Accountability Office (GAO)
  Date: June 28, 2012
  Pages: 20
  Notes: This statement discusses (1) cyber threats facing the nation’s systems, (2) reported cyber incidents and their impacts, (3) security controls and other techniques available for reducing risk, and (4) the responsibilities of key federal entities in support of protecting Internet protocol.

Measuring the Cost of Cybercrime
  Source: 11th Annual Workshop on the Economics of Information Security
  Date: June 25, 2012
  Pages: N/A
  Notes: From the report: “For each of the main categories of cybercrime we set out what is and is not known of the direct costs, indirect costs and defence costs—both to the UK and to the world as a whole.”

The Impact of Cybercrime on Businesses
  Source: Ponemon Institute
  Date: May 2012
  Pages: 21
  Notes: The study found that targeted attacks on businesses cost enterprises an average of $214,000. The expenses are associated with forensic investigations, investments in technology, and brand recovery costs.
Proactive Policy Measures by Internet Service Providers against Botnets
  Source: Organization for Economic Co-operation and Development (OECD)
  Date: May 7, 2012
  Pages: 25
  Notes: This report analyzes initiatives in a number of countries through which end-users are notified by Internet service providers (ISPs) when their computers are identified as being compromised by malicious software and encouraged to take action to mitigate the problem.

Developing State Solutions to Business Identity Theft: Assistance, Prevention and Detection Efforts by Secretary of State Offices
  Source: National Association of Secretaries of State (NASS)
  Date: January 2012
  Pages: 23
  Notes: This white paper is the result of efforts by the 19-member NASS Business Identity Theft Task Force to develop policy guidelines and recommendations for state leaders dealing with identity fraud cases involving public business records.

Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines
  Source: SANS Institute
  Date: October 3, 2011
  Pages: 77
  Notes: The 20 security measures are intended to focus agencies’ limited resources on plugging the most common attack vectors.

Revealed: Operation Shady RAT: an Investigation Of Targeted Intrusions Into 70+ Global Companies, Governments, and Non-Profit Organizations During the Last 5 Years
  Source: McAfee
  Date: August 2, 2011
  Pages: 14
  Notes: A cyber-espionage operation lasting many years penetrated 72 government and other organizations, most of them in the United States, and has copied everything from military secrets to industrial designs, according to technology security company McAfee. (See page 4 for the types of compromised parties, page 5 for the geographic distribution of victim’s country of origin, pages 7-9 for the types of victims, and pages 10-13 for the number of intrusions for 2007-2010).

The Role of Internet Service Providers in Botnet Mitigation: an Empirical Analysis Based on Spam Data
  Source: OECD
  Date: November 12, 2010
  Pages: 31
  Notes: This working paper considers whether ISPs can be critical control points for botnet mitigation, how the number of infected machines varies across ISPs, and why.

Untangling Attribution: Moving to Accountability in Cyberspace (Testimony)
  Source: Council on Foreign Relations
  Date: July 15, 2010
  Pages: 14
  Notes: Robert K. Knake’s testimony before the House Committee on Science and Technology on the role of attack attribution in preventing cyberattacks and how attribution technologies can affect the anonymity and privacy of Internet users.

Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities
  Source: National Research Council
  Date: 2009
  Pages: 368
  Notes: This report explores important characteristics of cyberattacks. It describes the current international and domestic legal structure as it might apply to cyberattacks and considers analogies to other domains of conflict to develop relevant insights.

Source: Highlights compiled by CRS from the reports.
Table 6. National Security, Cyber Espionage, and Cyberwar
(Columns: Title, Source, Date, Pages, Notes)
Cyberthreat: Real-Time Map
  Source: Kaspersky Labs
  Date: Ongoing
  Pages: N/A
  Notes: Kaspersky Labs has launched an interactive cyber threat map that lets viewers see cybersecurity incidents as they occur around the world in real time. The interactive map includes malicious objects detected during on-access and on-demand scans, email and web antivirus detections, and objects identified by vulnerability and intrusion detection subsystems.

Attributing Cyber Attacks
  Source: Thomas Rid and Ben Buchanan, Journal of Strategic Studies
  Date: December 23, 2014
  Pages: 36
  Notes: “This article argues that attribution is what states make of it. To show how, we introduce the Q Model: designed to explain, guide, and improve the making of attribution. Matching an offender to an offence is an exercise in minimizing uncertainty on three levels: tactically, attribution is an art as well as a science; operationally, attribution is a nuanced process not a black-and-white problem; and strategically, attribution is a function of what is at stake politically. Successful attribution requires a range of skills on all levels, careful management, time, leadership, stress-testing, prudent communication, and recognizing limitations and challenges.”

Operation Cleaver
  Source: Cylance
  Date: December 2, 2014
  Pages: 86
  Notes: A sophisticated hacking group with ties to Iran has probed and infiltrated targets across the United States and 15 other nations during the past two years in a series of cyberattacks dubbed “Operation Cleaver.” The Cleaver group has evolved faster than any previous Iranian campaign, according to the report, which calls Iran “the new China” and expresses concern that the group’s surveillance operations could evolve into sophisticated, destructive attacks.

Legal Issues Related to Cyber
  Source: NATO Legal Gazette
  Date: December 2014
  Pages: 74
  Notes: The NATO Legal Gazette contains thematically organized articles usually written by authors who are military or civilian legal personnel working at NATO or in the governments of NATO and partner nations. Its purpose is to share articles of significance for the large NATO legal community and connect legal professionals of the Alliance. It is not a formal NATO document.
The National Intelligence Strategy of the United States of America 2014
  Source: Office of the Director of National Intelligence
  Date: September 18, 2014
  Pages: 24
  Notes: Cyber intelligence is one of four “primary topical missions” the intelligence community must accomplish. Both state and nonstate actors use digital technologies to achieve goals, such as fomenting instability or achieving economic and military advantages. They do so “often faster than our ability to understand the security implications and mitigate potential risks,” the strategy states. To become more effective in the cyber arena, the intelligence community will improve its ability to correctly attribute attacks.

Today’s Rising Terrorist Threat and the Danger to the United States: Reflections on the Tenth Anniversary of the 9/11 Commission Report
  Source: The Annenberg Public Policy Center and the Bipartisan Policy Center
  Date: July 22, 2014
  Pages: 48
  Notes: Members of the panel that studied the 2001 attacks urge Congress to enact cybersecurity legislation, the White House to communicate the consequences of potential cyberattacks to Americans, and leaders to work with allies to define what constitutes an online attack on another country.

Surviving on a Diet of Poisoned Fruit: Reducing the National Security Risks of America’s Cyber Dependencies
  Source: Center for a New American Security
  Date: July 2014
  Pages: 64
  Notes: In the report, the author examines existing information on technology security weaknesses and provides nine specific recommendations for the U.S. government and others to cope with these insecurities.

Baseline Review: ICT-Related Processes and Events, Implications for International and Regional Security (2011-2013)
  Source: ICT4Peace
  Date: May 1, 2014
  Pages: 50
  Notes: The report is structured around the following three areas: (1) international and regional security (the predominant focus); (2) transnational crime and terrorism; and (3) governance, human rights, and development. These areas are obviously interdependent, with developments in one area often impacting another, yet they have traditionally been approached separately through distinct communities of practice and fora. The report will serve as a baseline for future annual reports. It covers the period spanning from January 2011 to December 2013 and provides background on earlier events.
M Trends: Beyond the Breach: 2014 Threat Report
  Source: Mandiant
  Date: April 2014
  Pages: 28
  Notes: From the report: “One conclusion is inescapable: the list of potential targets has increased, and the playing field has grown. Cyber-threat actors are expanding the uses of computer network exploitation to fulfill an array of objectives, from the economic to the political. Threat actors are not only interested in seizing the corporate crown jewels but are also looking for ways to publicize their views, cause physical destruction and influence global decision makers. Private organizations have increasingly become collateral damage in political conflicts. With no diplomatic solution in sight, the ability to detect and respond to attacks has never been more important.”

Emerging Cyber Threats Report 2014
  Source: Georgia Institute of Technology
  Date: January 2014
  Pages: 16
  Notes: Brief compilation of academic research on losing control of cloud data, insecure but connected devices, attackers adapting to mobile ecosystems, the high costs of defending against cyberattacks, and advances in information manipulation.

Cybersecurity and Cyberwar: What Everyone Needs to Know
  Source: Brookings Institution
  Date: January 2014
  Pages: 306
  Notes: Authors Peter W. Singer and Allan Friedman look at cybersecurity issues faced by the military, government, businesses, and individuals and examine what happens when these entities try to balance security with freedom of speech and the ideals of an open Internet.

Cyber-enabled Competitive Data Theft: A Framework for Modeling Long-Run Cybersecurity Consequences
  Source: Brookings Institution
  Date: December 2013
  Pages: 18
  Notes: Economic espionage has existed at least since the industrial revolution, but the scope of modern cyber-enabled competitive data theft may be unprecedented. In this paper, the authors present what they believe is the first economic framework and model to understand the long-run impact of competitive data theft on an economy by taking into account the actual mechanisms and pathways by which theft harms the victims.

To Kill a Centrifuge: A Technical Analysis of What Stuxnet’s Creators Tried to Achieve
  Source: The Langner Group
  Date: November 2013
  Pages: 36
  Notes: This document summarizes the most comprehensive research on the Stuxnet malware so far. It combines results from reverse engineering the attack code with intelligence on the design of the attacked plant and background information on the attacked uranium enrichment process. It looks at the attack vectors of the two different payloads contained in the malware and provides an analysis of the bigger and much more complex payload that was designed to damage centrifuge rotors by overpressure. With both attack vectors viewed in context, conclusions are drawn about the reasoning behind a radical change of tactics between the complex earlier attack and the comparatively simple later attack that tried to manipulate centrifuge rotor speeds.
2013 Annual Report to Congress
  Source: U.S.-China Economic Commission
  Date: October 20, 2013
  Pages: 465
  Notes: In 2013, the commission continued its close examination of China’s cyber capabilities. Strong evidence has emerged that the Chinese government is directing and executing a large-scale cyber espionage campaign against the United States, including the U.S. government and private companies. However, public exposure of Chinese cyber espionage in 2013 has apparently not changed China’s attitude about the use of cyber espionage to steal intellectual property and proprietary information. (See Chapter 2, Section 2: “China’s Cyber Activities.”)

W32.Duqu: The Precursor to the Next Stuxnet
  Source: Symantec
  Date: November 14, 2013
  Pages: N/A
  Notes: On October 14, 2011, a research lab with strong international connections alerted Symantec to a sample that appeared to be very similar to Stuxnet, the malware that wreaked havoc in Iran’s nuclear centrifuge farms. The lab named the threat Duqu because it creates files with the file name prefix DQ. The research lab provided Symantec with samples recovered from computer systems located in Europe as well as a detailed report with initial findings, including analysis comparing the threat to Stuxnet.

Offensive Cyber Capabilities at the Operational Level - The Way Ahead
  Source: Center for Strategic and International Studies (CSIS)
  Date: September 16, 2013
  Pages: 20
  Notes: The specific question this report examines is whether the Defense Department should make a more deliberate effort to explore the potential of offensive cyber tools at levels below that of a combatant command.

Cyber Warfare: Is the risk of cyber warfare overrated?
  Source: The Economist
  Date: August 2, 2013
  Pages: N/A
  Notes: (Economist Debates adapt the Oxford style of debating to an online forum. Each side has three chances to persuade readers: opening, rebuttal, and closing.) From the debate: “Separating hype from the urgent questions is hard. Amid talk of a ‘digital Pearl Harbour’ and ‘advanced persistent threats’ it is hard to know whether we are really ‘losing the war’ against the purveyors and users of malware and digital weapons.”

The Economic Impact of Cybercrime and Cyber Espionage
  Source: Center for Strategic and International Studies (CSIS)
  Date: July 22, 2013
  Pages: 20
  Notes: Losses to the United States (the country in which data is most accessible) may reach $100 billion annually. The cost of cybercrime and cyber espionage to the global economy is some multiple of this, likely measured in hundreds of billions of dollars.
Strategies for Resolving the Cyber Attribution Challenge
  Source: Air University, Maxwell Air Force Base
  Date: May 2013
  Pages: 109
  Notes: Private-sector reports have proven that it is possible to determine the geographic reference of threat actors to varying degrees. Based on these assumptions, nation-states, rather than individuals, should be held culpable for the malicious actions and other cyber threats that originate in or transit information systems within their borders or that are owned by their registered corporate entities. This work builds on other appealing arguments for state responsibility in cyberspace.

Role of Counterterrorism Law in Shaping ‘ad Bellum’ Norms for Cyber Warfare
  Source: International Law Studies (U.S. Naval War College)
  Date: April 1, 2013
  Pages: 42
  Notes: From the report: “The prospect of cyber war has evolved from science fiction and over-the-top doomsday depictions on television, films, and in novels to reality and front-page news.… To date there has been little attention given to the possibility that international law generally and counterterrorism law in particular could and should develop a subset of cyber-counterterrorism law to respond to the inevitability of cyberattacks by terrorists and the use of cyber weapons by governments against terrorists, and to supplement existing international law governing cyber war where the intrusions do not meet the traditional kinetic thresholds.”

The Tallinn Manual on the International Law Applicable to Cyber Warfare
  Source: Cambridge University Press/NATO Cooperative Cyber Defence Center of Excellence
  Date: March 5, 2013
  Pages: 302
  Notes: The Tallinn Manual identifies the international law applicable to cyber warfare and sets out 95 “black-letter rules” governing such conflicts. An extensive commentary accompanies each rule, which sets forth the rule’s basis in treaty and customary law, explains how the group of experts interpreted applicable norms in the cyber context, and outlines any disagreements within the group as to the rule’s application. (Note: The manual is not an official NATO publication but rather an expression of opinions of a group of independent experts acting solely in their personal capacities.)
Cyberterrorism: A Survey of Researchers
  Source: Swansea University
  Date: March 2013
  Pages: 21
  Notes: This report provides an overview of findings from a project designed to capture current understandings of cyberterrorism within the research community. The project ran between June 2012 and November 2012, and it employed a questionnaire that was distributed to more than 600 researchers, authors, and other experts. Potential respondents were identified using a combination of methods, including targeted literature reviews, standing within relevant academic communities, snowballing from earlier participants or contacts, and the use of two mailing lists. A total of 118 responses were received from individuals working in 24 countries across 6 continents. Please contact the research team with any enquiries on the project’s methods and findings (see p. 21 for contact details).

APT1 [Advanced Persistent Threat 1]: Exposing One of China’s Cyber Espionage Units
  Source: Mandiant
  Date: February 19, 2013
  Pages: 76
  Notes: Mandiant conducted hundreds of investigations on computer security breaches around the world. The details analyzed during these investigations signal that the groups conducting these breaches are based primarily in China and that the Chinese government is aware of them.

Video demo of Chinese hacker activity (Click on “APT1 Video” at top right of screen.)
  Source: Mandiant
  Date: February 19, 2013
  Pages: N/A
  Notes: Five-minute video of APT1 attacker sessions and intrusion activities.

Responding to Cyber Attacks and the Applicability of Existing International Law
  Source: Army War College
  Date: January 2013
  Pages: 34
  Notes: This paper identifies how the United States should respond to the threat of cyber operations against essential government and private networks. First, it examines the applicability of established international law to cyber operations. Next, it proposes a method for categorizing cyber operations across a spectrum synchronized with established international law. Finally, it discusses actions already taken by the United States to protect critical government and private networks and concludes with additional steps the United States should take to respond to the threat of cyber operations.

Crisis and Escalation in Cyberspace
  Source: RAND Corporation
  Date: December 2012
  Pages: 200
  Notes: The report considers how the Air Force should integrate kinetic and nonkinetic operations. Central to this process was careful consideration of how escalation options and risks should be treated, which, in turn, demanded a broader consideration across the entire crisis-management spectrum. Such crises can be managed by taking steps to reduce the incentives for other states to step into crisis, controlling the narrative, understanding the stability parameters of the crises, and trying to manage escalation if conflicts arise from crises.
Cyberattacks Among Rivals: 2001-2011 (from the article, “The Fog of Cyberwar” by Brandon Valeriano and Ryan Maness [subscription required])
  Source: Foreign Affairs
  Date: November 21, 2012
  Pages: N/A
  Notes: A chart showing cyberattacks by initiator and victim, 2001-2011.

Emerging Cyber Threats Report 2013
  Source: Georgia Institute of Technology
  Date: November 14, 2012
  Pages: 9
  Notes: An examination of the cyber challenges of 2013, including new and increasingly sophisticated means to capture and exploit user data, escalating battles over the control of online information, and continuous threats to the U.S. supply chain from global sources. (From the annual Georgia Tech Cyber Security Summit 2012.)

Proactive Defense for Evolving Cyber Threats
  Source: Sandia National Labs
  Date: November 2012
  Pages: 98
  Notes: The project applied rigorous predictability-based analytics to two central and complementary aspects of the network defense problem—attack strategies of the adversaries and vulnerabilities of the defenders’ systems—and used the results to develop a scientifically grounded, practically implementable methodology for designing proactive cyber defense systems.

Safeguarding Cyber-Security, Fighting in Cyberspace
  Source: International Relations and Security Network (ISN)
  Date: October 22, 2012
  Pages: N/A
  Notes: Looks at the militarization of cybersecurity as a source of global tension and makes the case that cyber warfare is already an essential feature of many leading states’ strategic calculations, followed by its opposite (i.e., the case that the threat posed by cyber warfare capabilities is woefully overstated).

Before We Knew It: An Empirical Study of Zero-Day Attacks In The Real World
  Source: Symantec Research Labs
  Date: October 16, 2012
  Pages: 12
  Notes: The paper describes a method for automatically identifying zero-day attacks from field-gathered data that records when benign and malicious binaries are downloaded on 11 million real hosts around the world. Searching this data set for malicious files that exploit known vulnerabilities indicates which files appeared on the Internet before the corresponding vulnerabilities were disclosed.

Investigative Report on the U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE
  Source: House Permanent Select Committee on Intelligence
  Date: October 8, 2012
  Pages: 60
  Notes: The committee initiated this investigation in November 2011 to inquire into the counterintelligence and security threat posed by Chinese telecommunications companies doing business in the United States.

Federal Support for and Involvement in State and Local Fusion Centers
  Source: Senate Permanent Subcommittee on Investigations
  Date: October 3, 2012
  Pages: 141
  Notes: A two-year bipartisan investigation found that U.S. Department of Homeland Security efforts to engage state and local intelligence “fusion centers” have not yielded significant useful information to support federal counterterrorism intelligence efforts. In Section VI, “Fusion Centers Have Been Unable to Meaningfully Contribute to Federal Counterterrorism Efforts,” Part G, “Fusion Centers May Have Hindered, Not Aided, Federal Counterterrorism Efforts,” the report discusses the Russian “cyberattack” in Illinois.
Putting the “war” in cyberwar: Metaphor, analogy, and cybersecurity discourse in the United States
  Source: First Monday
  Date: July 2, 2012
  Pages: N/A
  Notes: This essay argues that current contradictory tendencies are unproductive and even potentially dangerous. It argues that the war metaphor and nuclear deterrence analogy are neither natural nor inevitable and that abandoning them would open up new possibilities for thinking more productively about the full spectrum of cybersecurity challenges, including the as-yet unrealized possibility of cyberwar.

Nodes and Codes: The Reality of Cyber Warfare
  Source: U.S. Army School of Advanced Military Studies, Command and General Staff
  Date: May 17, 2012
  Pages: 62
  Notes: Explores the reality of cyber warfare through the story of Stuxnet. Three case studies evaluate cyber policy, discourse, and procurement in the United States, Russia, and China before and after Stuxnet to illustrate their similar, yet unique, realities of cyber warfare.

United States Counter Terrorism Cyber Law and Policy, Enabling or Disabling?
  Source: Triangle Institute for Security Studies
  Date: March 2012
  Pages: 34
  Notes: From the report: “The incongruence between national counterterrorism (CT) cyber policy, law, and strategy degrades the abilities of federal CT professionals to interdict transnational terrorists from within cyberspace. Specifically, national CT cyber policies that are not completely sourced in domestic or international law unnecessarily limit the latitude cyber CT professionals need to effectively counter terrorists through the use of organic cyber capabilities. To optimize national CT assets and to stymie the growing threat posed by terrorists’ ever-expanding use of cyberspace, national decision-makers should modify current policies to efficiently execute national CT strategies, albeit within the framework of existing CT cyber-related statutes.”

A Cyberworm that Knows No Boundaries
  Source: RAND Corporation
  Date: December 21, 2011
  Pages: 55
  Notes: Stuxnet-like worms pose a serious threat even to infrastructure and computer systems that are not connected to the Internet. Defending against such attacks is an increasingly complex prospect.

Department of Defense Cyberspace Policy Report: A Report to Congress Pursuant to the National Defense Authorization Act for Fiscal Year 2011, Section 934
  Source: Department of Defense
  Date: November 2011
  Pages: 14
  Notes: From the report: “When warranted, we will respond to hostile attacks in cyberspace as we would to any other threat to our country. We reserve the right to use all necessary means - diplomatic, informational, military and economic - to defend our nation, our allies, our partners and our interests.”

Cyber War Will Not Take Place
  Source: Journal of Strategic Studies
  Date: October 5, 2011
  Pages: 29
  Notes: The paper argues that cyber warfare has never taken place, is not currently taking place, and is unlikely to take place in the future.
CRS-50


Title: Foreign Spies Stealing U.S. Economic Secrets in Cyberspace: Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011
Source: Office of the National Counterintelligence Executive
Date: October 2011
Pages: 31
Notes: Because the United States is a leader in the development of new technologies and a central player in global financial and trade networks, foreign attempts to collect U.S. technological and economic information will continue at a high level and will represent a growing and persistent threat to U.S. economic security. The nature of the cyber threat will evolve with continuing technological advances in the global information environment.

Title: USCYBERCOM [U.S. Cyber Command] and Cyber Security: Is a Comprehensive Strategy Possible?
Source: Army War College
Date: May 12, 2011
Pages: 32
Notes: Examines five aspects of USCYBERCOM: organization, command and control, computer network operations, synchronization, and resourcing. Identifies areas that currently present significant risk to USCYBERCOM’s ability to create a strategy that can achieve success in its cyberspace operations and recommends potential solutions that can increase the effectiveness of the USCYBERCOM strategy.

Title: A Four-Day Dive Into Stuxnet’s Heart
Source: Threat Level Blog (Wired)
Date: December 27, 2010
Pages: N/A
Notes: From the article: “It is a mark of the extreme oddity of the Stuxnet computer worm that Microsoft’s Windows vulnerability team learned of it first from an obscure Belarusian security company that even they had never heard of.”

Title: Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant? A Preliminary Assessment
Source: Institute for Science and International Security
Date: December 22, 2010
Pages: 10
Notes: This report indicates that commands in the Stuxnet code intended to increase the frequency of devices targeted by the malware exactly match several frequencies at which rotors in centrifuges at Iran’s Natanz enrichment plant are designed to operate optimally or are at risk of breaking down and flying apart.

Title: Stuxnet Analysis
Source: European Network and Information Security Agency
Date: October 7, 2010
Pages: N/A
Notes: A European Union cybersecurity agency warns that the Stuxnet malware is a game changer for critical information infrastructure protection; programmable logic controllers of supervisory control and data acquisition systems infected with the worm might be programmed to establish destructive over/under pressure conditions by running pumps at different frequencies.

Title: Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy
Source: National Research Council
Date: October 5, 2010
Pages: 400
Notes: Per request of the Office of the Director of National Intelligence, the National Research Council undertook a two-phase project aimed to foster a broad, multidisciplinary examination of strategies for deterring cyberattacks on the United States and of the possible utility of these strategies for the U.S. government.

Title: Cyber Warfare: Armageddon in a Teacup?
Source: Army Command and General Staff, Fort Leavenworth
Date: December 11, 2009
Pages: 106
Notes: This study examines cyber warfare conducted against Estonia in 2007, Georgia in 2008, and Israel in 2008. From the report: “In all three cases Cyber Warfare did not achieve strategic political objectives on its own. Cyber Warfare employed in the three cases consisted mainly of Denial of Service attacks and website defacement. These attacks were a significant inconvenience to the affected nations, but the attacks were not of sufficient scope, sophistication, or duration to force a concession from the targeted nation. Cyber Warfare offensive capability does not outmatch defensive capability to the extent that would allow the achievement of a strategic political objective through Cyber Warfare alone. The possibility of strategic-level Cyber Warfare remains great, but the capability has not been demonstrated at this time.”

Source: Highlights compiled by CRS from the reports.

Table 7. International Efforts

Title: European Cybercrime Center (EC3)
Source: Europol
Date: Ongoing
Pages: N/A
Notes: The European Commission decided to establish a European Cybercrime Centre (EC3) at Europol. The center will be the focal point in the EU’s fight against cybercrime, contributing to faster reactions in the event of online crimes. It will support EU member states and institutions in building operational and analytical capacity for investigations and cooperation with international partners.

Title: Global Cybersecurity Index
Source: International Telecommunications Union
Date: Ongoing
Pages: N/A
Notes: Based on questionnaire responses received from member states of the International Telecommunications Union, a first analysis of cybersecurity development in the Arab region was compiled and one for the Africa region is under way. The objective is to release a global status of cybersecurity for 2014.

Title: The Cyber Hub
Source: Booz Allen Hamilton and the Economist Intelligence Unit
Date: Ongoing
Pages: N/A
Notes: The Cyber Hub’s content was built on several integral parts: an index that assesses specific aspects of the cyber environment of the G20 countries and a series of research papers that examine the implications for the business community.

Title: Cybersecurity Legislation
Source: International Telecommunications Union
Date: Ongoing
Pages: N/A
Notes: An integral and challenging component of any national cybersecurity strategy is the adoption of regionally and internationally harmonized, appropriate legislation against the misuse of information and communication technologies (ICTs) for criminal or other purposes.

Title: Cyber Security Strategy: Progress So Far
Source: Cabinet Office, United Kingdom
Date: Ongoing
Pages: N/A
Notes: From the report: “To support the Strategy we put in place a National Cyber Security Programme (NCSP) backed by £650 million of funding to 2015. This year we increased that investment with a further £210 million in 2015 to 2016. This funding will build on existing projects and also support new investment, enabling the UK to retain its emerging reputation as a leader in the field of cyber security.”

Title: Fact Sheet: US-United Kingdom Cybersecurity Cooperation
Source: White House
Date: January 16, 2015
Pages: N/A
Notes: The UK’s Government Communications Headquarters (GCHQ) and Security Service (MI5) are working with their U.S. partners—the National Security Agency and the Federal Bureau of Investigation—to further strengthen U.S.-UK collaboration on cybersecurity by establishing a joint cyber cell, with an operating presence in each country. The cell, which will allow staff from each agency to be co-located, will focus on specific cyber defense topics and enable cyber threat information and data to be shared at pace and at greater scale.

Title: Managing the Cyber Security Threat
Source: Hoover Institution Working Group on Foreign Policy and Grand Strategy
Date: December 12, 2014
Pages: 6
Notes: From the report: “The cyber threat needs to be managed through a combination of being realistic and honest about our willingness and capacity to guarantee security in this area; accepting multilateral arrangements to protect commerce and critical infrastructure and leaving traditional forms of intelligence and military activities unregulated; and allowing private companies and individuals to use strong encryption or open-source software without built-in vulnerabilities.”

Title: “Joint Elements” from U.S.-EU Cyber Dialogue
Source: U.S. State Department and European Union (EU)
Date: December 5, 2014
Pages: N/A
Notes: U.S. and EU officials said at an inaugural cyber dialogue meeting in Belgium that they had reaffirmed numerous shared principles, including a commitment to a multistakeholder Internet governance model and international cooperation on cybersecurity. In a joint preliminary statement, the officials also reiterated their support for a 2013 United Nations Governmental Group of Experts consensus that international law applies in cyberspace just as it does on land or at sea and for the 2012 Budapest Convention, a treaty focused on international cooperation to fight cybercrime.

Title: Legal Issues Related to Cyber
Source: NATO Legal Gazette
Date: December 2014
Pages: 74
Notes: The NATO Legal Gazette contains thematically organized articles usually written by authors who are military or civilian legal personnel working at NATO or in the governments of NATO and partner nations. Its purpose is to share articles of significance for the large NATO legal community and connect legal professionals of the Alliance. It is not a formal NATO document.

Title: Cyber defence in the EU: Preparing for cyber warfare?
Source: European Parliamentary Research Service
Date: October 31, 2014
Pages: 10
Notes: A number of EU member states are among those developing their capabilities, and the EU’s own Defence Agency is also working on projects to augment cyber defenses in the union. This report includes summaries of EU member nations and NATO’s national cyber-defense policies.

Title: Inquiry into Cyber Intrusions Affecting U.S. Transportation Command Contractors
Source: Senate Armed Services Committee
Date: September 17, 2014
Pages: 52
Notes: Hackers associated with the Chinese government successfully penetrated the computer systems of Transportation Command (TRANSCOM) contractors 20 times in the course of a single year. Chinese hackers tried to get into the systems 50 times. The congressional committee found that only two of the intrusions were detected. It also found the officials were unaware due in large part to unclear requirements and methods for contractors to report breaches and for government agencies to share information.

Title: A Role for Civil Society in Cybersecurity Affairs?
Source: ICT4Peace Foundation
Date: September 3, 2014
Pages: 26
Notes: From the report: “The paper is aimed at civil society organisations, national governments, international and regional organisations and other key actors concerned with ICTs and their impact on international and regional security. They perform a wide range of functions, including policy-oriented research, advocacy, [and] networking. In the Internet/cyber security world, civil society organisations often work in specific issues areas, many technical or functional in nature and tied to the maintenance of the Internet. Civil society does not include the private sector. Nevertheless, natural alliances are emerging between certain of the more tech-oriented civil society organisations (for example, the Internet Society or the IEEE) and some Tier 1 carriers (i.e., those carriers that have a direct connection to the Internet and the networks it uses to deliver voice and data services), and major transnational vendors and Internet Service Providers (ISPs).”

Title: European Cybersecurity Implementation Series
Source: ISACA
Date: August 26, 2014
Pages: N/A
Notes: ISACA has released the European Cybersecurity Implementation Series primarily to provide practical implementation guidance that is aligned with European requirements and good practice.

Title: Consult, Command, Control, Contract: Adding a Fourth “C” to NATO’s Cyber Security
Source: Centre for International Governance Innovation
Date: August 6, 2014
Pages: 10
Notes: The authors suggest that NATO should implement a contracting protocol that delineates appropriate classifications for the tasks and personnel required for private cybersecurity contracts. They conclude that establishing an oversight organization and submitting a proposal to the International Law Commission to consider the roles of private security actors would create greater transparency and accountability for contracting.

Title: Mapping the Cyber Dragon: China's Conduct of Terror in the Cyber World
Source: Defense and Diplomacy Journal
Date: July-September 2014
Pages: 13
Notes: “[A]mong all the major players of the world, one country which participates in, and practices, all the above mentioned forms of cyber conflict, not only in the military sector but also in the civilian sector, is the People’s Republic of China (PRC). Therefore, for a broader perspective of global cyber security, it is imperative to understand the various types of modus operandi and other methodologies of different groups, in both military and civilian sectors involved in cyber conflicts, from China who are creating potential terror in the cyber domain.”

Title: iDATA: Improving Defences Against Targeted Attack
Source: Centre for the Protection of National Infrastructure (UK)
Date: July 2014
Pages: 8
Notes: The iDATA program consists of a number of projects aimed at addressing threats posed by nation-states and state-sponsored actors. iDATA has resulted in several outputs for the cybersecurity community. This document provides a description of the iDATA program and a summary of the reports.

Title: Cyber-attacks: Effects on UK
Source: Oxford Economics
Date: July 2014
Pages: 79
Notes: The UK Centre for the Protection of National Infrastructure asked Oxford Economics to carry out a study of the impact of state-sponsored cyberattacks on UK firms. The study consists of the elaboration of an economic framework for cyberattacks, a survey of UK firms on cyberattacks, an event study on the impact of cyberattacks on stock-market valuations, and a series of case studies illustrating the experience of several UK firms with cyberattacks.

Title: Global Cybercrime: The Interplay of Politics and Law
Source: Centre for International Governance Innovation
Date: June 20, 2014
Pages: 23
Notes: This paper explores the recent unsealing of a 31-count indictment against five Chinese government officials and a significant cyber breach perpetrated by Chinese actors against Western oil, energy, and petrochemical companies. The paper concludes by noting that increased cooperation among governments is necessary but unlikely to occur as long as the discourse surrounding cybercrime remains so heavily politicized and securitized. If governments coalesced around the notion of trying to prevent the long-term degradation of trust in the online economy, then they might profitably advance the dialogue away from mutual suspicion and toward mutual cooperation.

Title: China and International Law in Cyberspace
Source: U.S.-China Economic and Security Review Commission
Date: May 7, 2014
Pages: 11
Notes: Despite major differences on cyberspace policy between the United States and China, a recent development at the United Nations illustrates basic areas of agreement. The United States and China were among 15 countries affirming the applicability of international law to cyberspace in a 2013 UN report. The same group will gather in 2014 to address some of the more challenging and divisive concepts regarding state responsibility and use of force in cyberspace.

Title: Baseline Review: ICT-Related Processes and Events, Implications for International and Regional Security (2011-2013)
Source: ICT4Peace
Date: May 1, 2014
Pages: 50
Notes: The report is structured around the following three areas: (1) international and regional security (the predominant focus); (2) transnational crime and terrorism; and (3) governance, human rights and development. These areas are obviously interdependent, with developments in one area often impacting another, yet they have traditionally been approached separately through distinct communities of practice and fora. The report will serve as a baseline for future annual reports. It covers the period spanning from January 2011 to December 2013 and provides background on earlier events.

Title: Cyber Maturity in the Asia-Pacific Region 2014
Source: Australian Strategic Policy Institute
Date: April 14, 2014
Pages: 76
Notes: The institute assesses regional digital maturity across government, business, society and the military. Australia comes out ahead of China, Japan, and South Korea when it comes to overall digital strength in the region and ranks third behind the United States and China in cyber warfare. The Asia-Pacific region is increasingly the focus of cyberattacks, say analysts, including criminal and state-sponsored hacking and espionage.

Title: U.S.-EU Cyber Cooperation
Source: White House
Date: March 26, 2014
Pages: N/A
Notes: The new high-level U.S.-EU Cyber Dialogue announced at the 2014 U.S.-EU Summit will formalize and broaden cooperation between the United States and the EU on cyber issues, building on shared commitments and achievements in key areas.

Title: Legislative Resolution on the Proposal for a Directive of the European Parliament and of the Council Concerning Measures to Ensure a High Common Level of Network and Information Security Across the Union
Source: European Parliament
Date: March 13, 2014
Pages: N/A
Notes: The directive would require companies operating critical infrastructure to maintain a specified minimum level of cybersecurity preparedness and report to national authorities about cyberattacks with a “significant impact” on the security of their networks.

Title: 10 Steps to Cyber Security
Source: UK Department for Business, Innovation and Skills and the Centre for the Protection of National Infrastructure
Date: February 4, 2014
Pages: 20
Notes: The joint communiqué outlines steps UK regulators and government departments have agreed to undertake to improve the country’s cyber systems and network defenses. Steps to combat cyberattacks include assessing the state of cybersecurity across each sector and working with industry to address vulnerabilities; working with industry to increase information flows on threat vulnerabilities and mitigation strategies; encouraging companies to join information-sharing initiatives, such as the Cyber Security Information Sharing Partnership, a partnership between the UK government and industry to share information and intelligence on cybersecurity threats launched in March 2013; and encouraging companies to undertake a self-assessment pursuant to guidance published by the UK Department for Business, Innovation, and Skills.

Title: 2013 Joint Report
Source: U.S.-Russia Bilateral Presidential Commission (BPC)
Date: December 27, 2013
Pages: 40
Notes: The report includes updates from each of the BPC’s 21 working groups. (See the “Working Group on the Threats to and in the use of Information Communications Technologies in the Context of International Service” section on pages 11-12.) A key component of the discussion concerned the implementation of the bilateral confidence building measures (CBMs) announced by Presidents Obama and Putin in June 2013. These bilateral CBMs are intended to promote transparency and reduce the possibility that an incident related to the use of ICTs could unintentionally cause instability or escalation.

Title: World Federation of Exchanges (WFE) Launches Global Cyber Security Committee
Source: WFE
Date: December 12, 2013
Pages: N/A
Notes: The WFE announced the launch of the exchange industry’s first cybersecurity committee with a mission to aid in the protection of the global capital markets. The working group will bring together representation from a number of exchanges and clearinghouses across the globe to collaborate on best practices in global security.

Title: Handbook on European Data Protection Law
Source: Council of Europe
Date: December 2013
Pages: 214
Notes: This handbook is a first point of reference on both EU law and the European Convention on Human Rights (ECHR) on data protection, and it explains how the field of data protection is regulated under EU law and the ECHR as well as under the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) and other council instruments. Each chapter presents a single table of the applicable legal provisions, including important selected case law under the two separate European legal systems.

Title: 2013 Annual Report to Congress
Source: U.S.-China Economic Commission
Date: October 20, 2013
Pages: 465
Notes: In 2013, the commission continued its close examination of China’s cyber capabilities. Strong evidence has emerged that the Chinese government is directing and executing a large-scale cyber-espionage campaign against the United States, including the U.S. government and private companies. However, public exposure of this cyber espionage apparently has not changed China’s attitude about the use of cyber espionage to steal intellectual property and proprietary information. (See Chapter 2, Section 2: “China’s Cyber Activities.”)

Title: Directive of the European Parliament and of the Council on Attacks Against Information Systems
Source: European Parliament Civil Liberties Committee
Date: August 12, 2013
Pages: 7
Notes: The objectives of this directive are (1) to approximate the criminal law of EU member states in the area of attacks against information systems by establishing minimum rules concerning the definition of criminal offenses and the relevant sanctions and (2) to improve cooperation between competent authorities, including the police and other specialized law-enforcement services of the member states, as well as the competent specialized EU agencies and bodies, such as Eurojust, Europol and its European Cyber Crime Centre, and the European Network and Information Security Agency.

Title: Confidence Building Measures and International Cybersecurity
Source: ICT4Peace Foundation
Date: June 21, 2013
Pages: 21
Notes: Confidence-building measures can lay the foundation for agreeing on acceptable norms of behavior for states, and confidence- and trust-building measures can help to avoid miscalculation and escalation. The report is divided into four main sections: (1) Transparency, Compliance, and Verification Measures; (2) Cooperative Measures; (3) Collaboration and Communication Mechanisms; and (4) Stability and Restraint Measures. A final section discusses next steps for diplomatic confidence-building processes.

Title: FACT SHEET: U.S.-Russian Cooperation on Information and Communications Technology Security
Source: White House
Date: June 17, 2013
Pages: N/A
Notes: The United States and the Russian Federation are creating a new working group, under the auspices of the Bilateral Presidential Commission, dedicated to assessing emerging ICT threats and proposing concrete joint measures to address them.

Title: Telecommunications Networks: Addressing Potential Security Risks of Foreign-Manufactured Equipment
Source: Government Accountability Office (GAO)
Date: May 21, 2013
Pages: 52
Notes: From the report: “The federal government has begun efforts to address the security of the supply chain for commercial networks.... There are a variety of other approaches for addressing the potential risks posed by foreign-manufactured equipment in commercial communications networks, including those approaches taken by foreign governments.... While these approaches are intended to improve supply chain security of communications networks, they may also create the potential for trade barriers, additional costs, and constraints on competition, which the federal government would have to take into account if it chose to pursue such approaches.”

Title: The Global Cyber Game: Achieving Strategic Resilience in the Global Knowledge Society
Source: Defence Academy of the United Kingdom
Date: May 8, 2013
Pages: 127
Notes: Provides a systematic way of thinking about cyberpower and its use by a range of global players. The global cyberpower contest is framed as a global cyber game, played out on a “Cyber Gameboard”—a framework that can be used for strategic and tactical thinking about cyber strategy.

Title: Military and Security Developments Involving the People’s Republic of China 2013 (Annual Report to Congress)
Source: Department of Defense
Date: May 6, 2013
Pages: 92
Notes: China is using its computer network exploitation capability to support intelligence collection against the U.S. diplomatic, economic, and defense industrial base sectors that support U.S. national defense programs. The information targeted could potentially be used to benefit China’s defense industry; high-technology industries; policymaker interest in U.S. leadership thinking on key China issues; and military planners building a picture of U.S. network defense networks, logistics, and related military capabilities that could be exploited during a crisis.

Title: Defence White Paper 2013
Source: Australia Department of Defence
Date: May 3, 2013
Pages: 148
Notes: From the white paper: “The Australian Cyber Security Centre will bring together security capabilities from the Defence Signals Directorate, Defence Intelligence Organisation, Australian Security Intelligence Organisation, the Attorney-General’s Department’s Computer Emergency Response Team Australia, Australian Federal Police, and the Australian Crime Commission.”

Title: Remaking American Security: Supply Chain Vulnerabilities and National Security Risks Across the U.S. Defense Industrial Base
Source: Alliance for American Manufacturing
Date: May 2013
Pages: 355
Notes: Because the supply chain is global, it makes sense for U.S. officials to cooperate with other nations to ward off cyberattacks. Increased international cooperation to secure the integrity of the global IT system is a valuable long-term objective.

Title: Cyber Security Information Partnership (CISP)
Source: Cabinet Office, United Kingdom
Date: March 27, 2013
Pages: N/A
Notes: CISP introduces a secure virtual “collaboration environment” in which government and industry partners can exchange information on threats and vulnerabilities in real time. CISP will be complemented by a “Fusion Cell,” which will be supported on the government side by the Security Service, Government Communications Headquarters and the National Crime Agency, and industry analysts from a variety of sectors.

Title: The Tallinn Manual on the International Law Applicable to Cyber Warfare
Source: Cambridge University Press/NATO Cooperative Cyber Defence Center of Excellence
Date: March 5, 2013
Pages: 302
Notes: The Tallinn Manual identifies the international law applicable to cyber warfare and sets out 95 “black-letter rules” governing such conflicts. An extensive commentary accompanies each rule, which sets forth each rule’s basis in treaty and customary law, explains how the group of experts interpreted applicable norms in the cyber context, and outlines any disagreements within the group as to each rule’s application. (Note: The manual is not an official NATO publication, but an expression of opinions of a group of independent experts acting solely in their personal capacity.)

Title: APT1 [Advanced Persistent Threat 1]: Exposing One of China’s Cyber Espionage Units
Source: Mandiant
Date: February 19, 2013
Pages: 76
Notes: Mandiant conducted hundreds of investigations on computer security breaches around the world. The details analyzed during these investigations signal that the groups conducting these breaches are based primarily in China and that the Chinese government is aware of them.

Title: Worldwide Threat Assessment of the U.S. Intelligence Community (Testimony)
Source: James Clapper, Director of National Intelligence
Date: February 11, 2013
Pages: 34
Notes: Clapper provided an assessment of global threats: U.S. critical infrastructure, eroding U.S. economic and national security, information control and Internet governance, and hacktivists and criminals.

Title: Linking Cybersecurity Policy and Performance
Source: Microsoft Trustworthy Computing
Date: February 6, 2013
Pages: 27
Notes: Introduces a new methodology for examining how socioeconomic factors in a country or region impact cybersecurity performance. Examines measures such as use of modern technology, mature processes, user education, law enforcement, and public policies related to cyberspace. This methodology can build a model that will help predict the expected cybersecurity performance of a given country or region.

Title: Comprehensive Study on Cybercrime
Source: United Nations Office on Drugs and Crime
Date: February 2013
Pages: 320
Notes: The study examined the problem of cybercrime from the perspective of governments, the private sector, academia and international organizations. The results are presented in eight chapters, covering Internet connectivity and cybercrime; the global cybercrime picture; cybercrime legislation and frameworks; criminalization of cybercrime; law enforcement and cybercrime investigations; electronic evidence and criminal justice; international cooperation in criminal matters involving cybercrime; and cybercrime prevention.

Title: Administration Strategy for Mitigating the Theft of U.S. Trade Secrets
Source: White House
Date: February 2013
Pages: 141
Notes: From the report, “First, we will increase our diplomatic engagement.... Second, we will support industry-led efforts to develop best practices to protect trade secrets and encourage companies to share with each other best practices that can mitigate the risk of trade secret theft.... Third, DOJ will continue to make the investigation and prosecution of trade secret theft by foreign competitors and foreign governments a top priority.... Fourth, President Obama recently signed two pieces of legislation that will improve enforcement against trade secret theft.... Lastly, we will increase public awareness of the threats and risks to the U.S. economy posed by trade secret theft.”

Title: The Chinese Defense Economy Takes Off: Sector-by-Sector Assessments and the Role of Military End-Users
Source: University of California Institute on Global Conflict and Cooperation
Date: January 25, 2013
Pages: 87
Notes: This collection of 15 policy briefs explores how China has made such impressive military technological progress over the past few years, what is in store, and what are the international security implications. The briefs are summaries of a series of longer research papers presented at the third annual Chinese defense economy conference held by the Study of Innovation and Technology in China in July 2012.

Title: Defence and Cyber-Security, vol. 1 - Report, together with formal minutes, oral and written evidence; Defence and Cyber-Security, vol. 2 - Additional Written Evidence
Source: House of Commons Defence Committee (UK)
Date: December 18, 2012
Pages: 99 (vol. 1); 37 (vol. 2)
Notes: From the report: “Given the inevitable inadequacy of the measures available to protect against a constantly changing and evolving threat ... it is not enough for the Armed Forces to do their best to prevent an effective attack. In its response to this report the Government should set out details of the contingency plans it has in place should such an attack occur. If it has none, it should say so—and urgently create some.”

Title: The Challenge of Cyber Power for Central African Countries: Risks and Opportunities
Source: Naval Postgraduate School
Date: December 2012
Pages: 209
Notes: From the report: “The Central African militaries, which are supposed to be the first line of defense for their governments’ institutions, are dramatically behind the times. To address this situation, the governments of Central Africa need to adopt a collaborative cyber strategy based on common investment in secure cyber infrastructures. Such cooperation will help to create a strong cyber environment conducive of the confidence and trust necessary for the emergence of a cyber community of Central African States (C3AS). For Central African militaries, massive training and recruiting will be the first move to begin the process of catching up.”

Title: Cybersecurity: Managing Risks for Greater Opportunities
Source: Organization for Economic Co-operation and Development (OECD)
Date: November 29, 2012
Pages: N/A
Notes: The OECD launched a broad consultation of all stakeholders from member and nonmember countries to review its security guidelines. The review takes into account newly emerging risks, technologies, and policy trends around such areas as cloud computing, digital mobility, the Internet of things, and social networking.

Title: Cybersecurity Policy Making at a Turning Point: Analysing a New Generation of National Cybersecurity Strategies for the Internet Economy
Source: OECD
Date: November 16, 2012
Pages: 117
Notes: This report analyzes the latest generation of national cybersecurity strategies in 10 OECD countries and identifies commonalities and differences.

Title: 2012 Report to Congress of the U.S.-China Economic and Security Review Commission, 112th Congress, Second Session, November 2012
Source: U.S.-China Economic and Security Review Commission
Date: November 2012
Pages: 509
Notes: This report responds to the mandate for the commission “to monitor, investigate, and report to Congress on the national security implications of the bilateral trade and economic relationship between the United States and the People’s Republic of China.” See “China’s Cyber Activities,” Chapter 2, Section 2, pp. 147-169.

Title: Australia: Telecommunications Data Retention—an Overview
Source: Parliamentary Library of Australia
Date: October 24, 2012
Pages: 32
Notes: From the report: “In July 2012, the Commonwealth Attorney General’s Department released a Discussion Paper, Equipping Australia against emerging and evolving threats, on the proposed national security reforms.... Of the eighteen primary proposals and the forty-one individual reforms that they comprise, the suggestion that carriage service providers (CSPs) be required to routinely retain certain information associated with every Australian’s use of the Internet and phone services for a period of up to two years (‘data retention’) is the issue that seems to have attracted the most attention.”

Title: More Than Meets the Eye: Clandestine Funding, Cutting-Edge Technology and China’s Cyber Research and Development Program
Source: Lawrence Livermore National Laboratory
Date: October 17, 2012
Pages: 17
Notes: This report analyzes how the Chinese leadership views information technology research and development (R&D) as well as the role cyber R&D plays in China’s various strategic development plans. It explores the organizational structure of China’s cyber R&D base and concludes with a projection of how China might field new cyber capabilities for intelligence platforms, advanced weapons systems, and systems designed to support asymmetric warfare operations.

Title: Investigative Report on the U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE
Source: House Permanent Select Committee on Intelligence
Date: October 8, 2012
Pages: 60
Notes: The committee initiated this investigation in November 2011 to inquire into the counterintelligence and security threat posed by Chinese telecommunications companies doing business in the United States.

Title: Bilateral Discussions on Cooperation in Cybersecurity
Source: China Institute of Contemporary International Relations (CICIR) and the Center for Strategic and International Studies (CSIS)
Date: June 2012
Pages: N/A
Notes: Since 2009, CSIS and CICIR have held six formal meetings on cybersecurity (accompanied by several informal discussions), called “Sino-U.S. Cybersecurity Dialogues.” The meetings have been attended by a broad range of U.S. and Chinese officials and scholars responsible for cybersecurity issues. The goals of the discussions have been to reduce misperceptions and to increase both transparency among the two countries’ authorities and understanding of how each country approaches cybersecurity. The meetings also seek to identify areas of potential cooperation.
Title: Five Years after Estonia’s Cyber Attacks: Lessons Learned for NATO?
Source: NATO
Date: May 2012
Pages: 8
Notes: In April 2007 a series of cyberattacks targeted Estonian information systems and telecommunication networks. Lasting 22 days, the attacks were directed at a range of servers (web, email, domain name systems) and routers. The 2007 attacks did not damage much of the Estonian IT infrastructure. However, the attacks were a true wake-up call for NATO, offering a practical demonstration that cyberattacks could now cripple an entire nation dependent on IT networks.

Title: United States Counter Terrorism Cyber Law and Policy, Enabling or Disabling?
Source: Triangle Institute for Security Studies
Date: March 2012
Pages: 34
Notes: The incongruence between national counterterrorism (CT) cyber policy, law, and strategy degrades the abilities of federal CT professionals to interdict transnational terrorists from within cyberspace. Specifically, national CT cyber policies that are not completely sourced in domestic or international law unnecessarily limit the latitude cyber CT professionals need to effectively counter terrorists through the use of organic cyber capabilities. To optimize national CT assets and stymie the growing threat posed by terrorists’ ever-expanding use of cyberspace, national decision makers should modify current policies to efficiently execute national CT strategies, albeit within the framework of existing CT cyber-related statutes.

Title: Cyber-security: The Vexed Question of Global Rules: An Independent Report on Cyber-Preparedness Around the World
Source: McAfee
Date: February 1, 2012
Pages: 108
Notes: Forty-five percent of legislators and cybersecurity experts representing 27 countries think cybersecurity is just as important as border security. The authors surveyed 80 professionals from business, academia, and government to gauge worldwide opinions of cybersecurity.

Title: The UK Cyber Security Strategy: Protecting and promoting the UK in a digital world
Source: Cabinet Office, United Kingdom
Date: November 2011
Pages: 43
Notes: This report gives background on the growth of the networked world and the immense social and economic benefits it is unlocking. It also describes threats associated with this networked world, the impacts of which are already being felt and will grow as reliance on cyberspace grows. Lastly, the report puts forth the government’s vision for UK cybersecurity in 2015.
Title: Foreign Spies Stealing US Economic Secrets in Cyberspace
Source: Office of the National Counterintelligence Executive
Date: October 2011
Pages: 31
Notes: According to the report, espionage and theft through cyberspace are growing threats to the United States’ security and economic prosperity, and the world’s most persistent perpetrators happen to also be U.S. allies.

Title: International Strategy for Cyberspace
Source: White House/Office of Management and Budget
Date: May 16, 2011
Pages: 30
Notes: The strategy marks the first time any Administration has attempted to set forth in one document the U.S. government’s vision for cyberspace, including goals for defense, diplomacy, and international development.

Title: Cyber Dawn: Libya
Source: Cyber Security Forum Initiative
Date: May 9, 2011
Pages: 70
Notes: This report uses open-source material to provide an in-depth view of Libyan cyber warfare capabilities and defenses.

Title: Working Towards Rules for Governing Cyber Conflict: Rendering the Geneva and Hague Conventions in Cyberspace
Source: EastWest Institute
Date: February 3, 2011
Pages: 60
Notes: According to the report, the authors “led [a group of] cyber and traditional security experts through a point-by-point analysis of the Geneva and Hague Conventions. Ultimately, the group made five immediate recommendations for Russian and U.S.-led joint assessments, each exploring how to apply a key convention principle to cyberspace.”

Title: The Reliability of Global Undersea Communications Cable Infrastructure (The ROGUCCI Report)
Source: Institute of Electrical and Electronics Engineers/EastWest Institute
Date: May 26, 2010
Pages: 186
Notes: This study submits 12 major recommendations to the private sector, governments, and other stakeholders—especially the financial sector—for the purpose of improving the reliability, robustness, resilience, and security of the world’s undersea communications cable infrastructure.

Title: German Anti-Botnet Initiative
Source: OECD
Date: December 8, 2009
Pages: 4
Notes: This is a private-industry initiative that aims to ensure that customers whose personal computers have become part of a botnet without them being aware of it are informed by their Internet service providers about this situation and given competent support in removing the malware.
Source: Highlights compiled by CRS from the reports.
Table 8. Education/Training/Workforce

Title: NCCoE National Cybersecurity Excellence Partnerships
Source: National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE)
Date: Ongoing
Pages: N/A
Notes: Established in 2012 through a partnership between NIST, the state of Maryland, and Montgomery County, the NCCoE is dedicated to furthering innovation through the rapid identification, integration, and adoption of practical cybersecurity solutions. The NCCoE is part of the NIST Information Technology Laboratory and operates in close collaboration with the Computer Security Division.

Title: National Initiative for Cybersecurity Careers and Studies (NICCS)
Source: Department of Homeland Security (DHS)
Date: Ongoing
Pages: N/A
Notes: NICCS is an online resource for cybersecurity career, education, and training information. It is a partnership between DHS, NIST, the Office of the Director of National Intelligence, the Department of Defense (DOD), the Department of Education, the National Science Foundation, and the Office of Personnel Management (OPM).

Title: Experimental Research Testbed (DETER)
Source: DHS
Date: Ongoing
Pages: N/A
Notes: The DETER test-bed is used to test and evaluate cybersecurity technologies by over 200 organizations from more than 20 states and 17 countries, including DHS-funded researchers, the larger cybersecurity research community, government, industry, academia, and educational users.

Title: Michigan Cyber Range
Source: Partnership between the state of Michigan, Merit Network, federal and local governments, colleges and universities, and the private sector
Date: Ongoing
Pages: N/A
Notes: Enables individuals and organizations to develop detection and reaction skills through simulations and exercises.

Title: Information Assurance Scholarship Program
Source: DOD
Date: Ongoing
Pages: N/A
Notes: The Information Assurance Scholarship Program is designed to increase the number of qualified personnel entering the information assurance and information technology fields within the department. The scholarships also are an attempt to effectively retain military and civilian cybersecurity and IT personnel.
Title: National Centers of Academic Excellence (CAE) in Cyber Operations Program
Source: National Security Agency (NSA)
Date: Ongoing
Pages: N/A
Notes: The program is intended to be a deeply technical, interdisciplinary, higher-education program grounded in the computer science, computer engineering, or electrical engineering disciplines with extensive opportunities for hands-on applications via labs and exercises.

Title: U.S. Dept. of Energy to Offer $25M Grant for Cybersecurity
Source: DOE
Date: January 15, 2015
Pages: N/A
Notes: A $25 million DOE grant over five years for cybersecurity education will establish a Cybersecurity Workforce Pipeline Consortium within the DOE with funding from its Minority Serving Institutions Partnerships Program under its National Nuclear Security Administration. The participants are historically black colleges and universities, national labs, and K-12 school districts.

Title: Hackers Wanted: An Examination of the Cybersecurity Labor Market
Source: RAND Corporation
Date: June 24, 2014
Pages: 110
Notes: RAND examined the current status of the labor market for cybersecurity professionals with an emphasis on their being employed to defend the United States. This effort was in three parts: first, a review of the literature; second, interviews with managers and educators of cybersecurity professionals, supplemented by reportage; and third, an examination of the economic literature about labor markets. RAND also disaggregated the broad definition of “cybersecurity professionals” to unearth skills differentiation as relevant to this study.

Title: How Do We Know What Information Sharing Is Really Worth? Exploring Methodologies to Measure the Value of Information Sharing and Fusion Efforts
Source: RAND Corporation
Date: June 2014
Pages: 33
Notes: Given resource constraints, there are concerns about the effectiveness of information-sharing and fusion activities and, therefore, their value relative to the public funds invested in them. Solid methods for evaluating these efforts are lacking, however, limiting the ability to make informed policy decisions. Drawing on a substantial literature review and synthesis, this report lays out the challenges of evaluating information-sharing efforts that frequently seek to achieve multiple goals simultaneously; reviews past evaluations of information-sharing programs; and lays out a path to improving the evaluation of such efforts going forward.
Title: Cybersecurity for Government Contractors
Source: Robert Nichols et al., West Briefing Papers
Date: April 2014
Pages: 28
Notes: The briefing paper presents a summary of the key legal issues and evolving compliance obligations that contractors now face in the federal cybersecurity landscape. It begins with an overview of the most prevalent types of cyberattacks and targets as well as the federal cybersecurity budget. Next, the paper outlines the current federal cybersecurity legal requirements applicable to government contractors, including statutory and regulatory requirements, the President’s 2013 cybersecurity Executive Order, and the resulting “cybersecurity framework” issued by NIST in February 2014, and highlights further developments expected this year. Finally, it identifies and discusses the real-world legal risks that contractors face when confronting cyberattacks and addresses the availability of possible liability backstops in the face of such attacks.

Title: DHS Is Generally Filling Mission-Critical Positions, but Could Better Track Costs of Coordinated Recruiting Efforts
Source: Government Accountability Office (GAO)
Date: September 17, 2013
Pages: 47
Notes: One in five jobs at a key cybersecurity component within DHS is vacant, in large part due to steep competition in recruiting and hiring qualified personnel. National Protection and Programs Directorate officials cited challenges in recruiting cyber professionals because of the length of time taken to conduct security checks to grant top-secret security clearances as well as low pay in comparison with the private sector.

Title: Professionalizing the Nation’s Cybersecurity Workforce?: Criteria for Decision-Making
Source: National Academies Press
Date: September 16, 2013
Pages: 66
Notes: This report examines workforce requirements for cybersecurity; the segments and job functions in which professionalization is most needed; the role of assessment tools, certification, licensing, and other means for assessing and enhancing professionalization; and emerging approaches, such as performance-based measures. It also examines requirements for the federal (military and civilian) workforce, the private sector, and state and local government.
Title: Joint Professional Military Education Institutions in an Age of Cyber Threat
Source: Francesca Spidalieri (Pell Center Fellow)
Date: August 7, 2013
Pages: 18
Notes: The report found that the Joint Professional Military Education at the six U.S. military graduate schools—a requirement for becoming a joint staff officer and for promotion to the senior ranks—has not effectively incorporated cybersecurity into specific courses, conferences, war-gaming exercises, or other forms of training for military officers. Although these graduate programs are more advanced on cybersecurity than most American civilian universities, a preparation gap still exists.

Title: Special Cybersecurity Workforce Project (Memo for Heads of Executive Departments and Agencies)
Source: OPM
Date: July 8, 2013
Pages: N/A
Notes: OPM is collaborating with the White House Office of Science and Technology Policy, the Chief Human Capital Officers Council, and the Chief Information Officers Council in implementing a special workforce project that tasks federal agencies’ cybersecurity, information technology, and human resources communities to build a statistical data set of existing and future cybersecurity positions in the OPM Enterprise Human Resources Integration data warehouse by the end of FY2014.

Title: U.S.A. Cyber Warrior Scholarship Program
Source: (ISC)2 Foundation and Booz Allen Hamilton
Date: June 21, 2013
Notes: The (ISC)2 Foundation and Booz Allen Hamilton announced the launch of the U.S.A. Cyber Warrior Scholarship program, which will provide scholarships to veterans to obtain specialized certifications in the cybersecurity field. The scholarships will cover all of the expenses associated with certification, such as training, textbooks, mobile study materials, certification testing, and the first year of certification maintenance fees.

Title: Global Information Security Workforce Study
Source: (ISC)2 Foundation and Frost and Sullivan
Date: May 7, 2013
Pages: 28
Notes: Federal cyber workers earn an average salary of $106,430, less than the average private-sector salary of $111,376. The lag in federal salaries is likely due to federal budget restraints and nearly three years of a continuing resolution.

Title: Proposed Establishment of a Federally Funded Research and Development Center-First Notice
Source: NIST
Date: April 22, 2013
Pages: 2
Notes: To help NCCoE address industry’s needs most efficiently, NIST will sponsor its first Federally Funded Research and Development Center to facilitate public-private collaboration for accelerating the widespread adoption of integrated cybersecurity tools and technologies.
Title: DHS Secretary’s Honors Program: Cyber Student Initiative
Source: DHS
Date: April 18, 2013
Pages: 2
Notes: The Cyber Student Initiative program will begin at Immigration and Customs Enforcement computer forensic labs in 36 cities nationwide, where students will be trained and gain hands-on experience within the department’s cybersecurity community. The unpaid volunteer program is only available to community college students and veterans pursuing a degree in the cybersecurity field.

Title: 2012 Information Technology Workforce Assessment for Cybersecurity
Source: DHS
Date: March 14, 2013
Pages: 131
Notes: The report, which is based on an anonymous survey of nearly 23,000 cyber workers across 52 departments and agencies, found that while the majority (49%) of cyber feds have more than 10 years of service until they reach retirement eligibility, nearly 33% will be eligible to retire in the next three years.

Title: CyberSkills Task Force Report
Source: DHS
Date: October 2012
Pages: 41
Notes: DHS’s task force on CyberSkills proposes far-reaching improvements to enable the department to recruit and retain the cybersecurity talent it needs.

Title: Cyber Security Test Bed: Summary and Evaluation Results
Source: Institute for Homeland Security Solutions
Date: October 2012
Pages: 89
Notes: The project was a case-study analysis of how a set of interventions, including threat analysis, best-practices sharing, and executive and staff training events, over the course of one year would impact a group of nine small and mid-sized businesses in North Carolina. Pre- and post-test-bed interviews were conducted with company officials to establish a baseline and evaluate the impact of the program. After the test-bed experience, decision makers at these companies indicated an increase in their perceptions of the risk of cyberattacks and in their knowledge of possible solutions.

Title: Preparing the Pipeline: The U.S. Cyber Workforce for the Future
Source: National Defense University
Date: August 2012
Pages: 17
Notes: This paper addresses methods to close the gaps between demand and existing capabilities and capacity in the U.S. cyber workforce. A large number of professionals with not only technical skills but also an understanding of cyber policy, law, and other disciplines will be needed to ensure the continued success of the U.S. economy, government, and society in the 21st-century information age. The government, think tanks, and private sector have developed innovative methods for closing these gaps, but more needs to be done.
Title: Smart Grid Cybersecurity: Job Performance Model Report
Source: Pacific Northwest National Laboratory
Date: August 2012
Pages: 178
Notes: This report outlines the work done to develop a Smart-Grid cybersecurity certification. The primary purpose is to develop a measurement model that may be used to guide curriculum, assessments, and other development of technical and operational Smart-Grid cybersecurity knowledge, skills, and abilities.

Title: Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination
Source: GAO
Date: November 29, 2011
Pages: 86
Notes: To ensure that government-wide cybersecurity workforce initiatives are better coordinated and planned, and to better assist federal agencies in defining roles, responsibilities, skills, and competencies for their workforce, the Secretary of Commerce, Director of the Office of Management and Budget, Director of OPM, and Secretary of Homeland Security should collaborate through the National Initiative for Cybersecurity Education (NICE) initiative to develop and finalize detailed plans allowing agency accountability, measurement of progress, and determination of resources to accomplish agreed-upon activities.

Title: NICE Cybersecurity Workforce Framework
Source: National Initiative for Cybersecurity Education (NICE)
Date: November 21, 2011
Pages: 35
Notes: The federal government’s adoption and implementation of cloud computing depend upon a variety of technical and nontechnical factors. A fundamental reference point, based on the NIST definition of cloud computing, is needed to describe an overall framework that can be used government-wide. This document presents the NIST Cloud Computing Reference Architecture and Taxonomy that will accurately communicate the components and offerings of cloud computing.

Title: The State of K-12 Cyberethics, Cybersafety and Cybersecurity Curriculum in the United States
Source: National Cyber Security Alliance and Microsoft
Date: May 2011
Pages: 16
Notes: This survey explores the perceptions and practices of U.S. teachers, school administrators, and technology coordinators in regards to cyberethics, cybersafety, and cybersecurity education. It finds that young people still are not receiving adequate training and that teachers are ill-prepared to teach the subjects due, in large part, to lack of professional development.
Title: Cyber Operations Personnel Report
Source: DOD
Date: April 2011
Pages: 84
Notes: This report is focused on FY2009 DOD Cyber Operations personnel, with duties and responsibilities as defined in Section 934 of the FY2010 National Defense Authorization Act (NDAA). Its appendices include the following: Appendix A—Cyber Operations-Related Military Occupations; Appendix B—Commercial Certifications Supporting the DOD Information Assurance Workforce Improvement Program; Appendix C—Military Services Training and Development; Appendix D—Geographic Location of National Centers of Academic Excellence in Information Assurance.

Title: The Power of People: Building an Integrated National Security Professional System for the 21st Century
Source: Project on National Security Reform
Date: November 2010
Pages: 326
Notes: This study was conducted in fulfillment of Section 1054 of the FY2010 NDAA, which required the commissioning of a study by “an appropriate independent, nonprofit organization, of a system for career development and management of interagency national security professionals.”
Source: Highlights compiled by CRS from the reports.
Table 9. Research and Development (R&D)

Title: Annual Best Scientific Cybersecurity Paper Competition
Source: National Security Agency (NSA)
Date: Ongoing
Pages: N/A
Notes: The competition is for scientific papers that show an outstanding contribution to cybersecurity science. The competition was created to stimulate research toward the development of systems that are resilient to cyberattacks. Entries are judged on scientific merit, the strength and significance of the work reported, and the degree to which the papers exemplify how to perform and report scientific research in cybersecurity.

Title: IEEE Computer Society Center for Secure Design
Source: Institute of Electrical and Electronics Engineers (IEEE) Cyber Security
Date: Ongoing
Pages: N/A
Notes: The Center for Secure Design aims to shift some of the focus in security from finding bugs to identifying common design flaws in the hope that software architects can learn from others' mistakes.

Title: Cyber Consortium
Source: Fortinet and Palo Alto Networks
Date: Ongoing
Pages: N/A
Notes: The consortium will seek to share intelligence on threats across large security vendors and aid a coordinated response to incidents. No customer data will be shared, only malware samples. The two companies also extend an open invitation to other security firms to join them, provided these firms can share at least 1,000 samples of new malware executables each day.

Title: National Cybersecurity Center of Excellence (NCCoE)
Source: National Institute of Standards and Technology (NIST)
Date: Ongoing
Pages: N/A
Notes: The NCCoE is a new public-private collaboration to bring together experts from industry, government, and academia to design, implement, test, and demonstrate integrated cybersecurity solutions and promote their widespread adoption.

Title: Transparent Computing
Source: Defense Advanced Research Projects Agency (DARPA)
Date: Ongoing
Pages: N/A
Notes: The Transparent Computing (TC) program is intended to develop basic technologies that are separable and usable in isolation (e.g., within a given software layer or application environment, such as web middleware) while exploring the best way to integrate multiple TC technologies in an experimental prototype.

Title: DHS S&T App Technology Transitions to Commercial Market
Source: Department of Homeland Security (DHS) Science and Technology Directorate
Date: December 5, 2014
Pages: 1
Notes: DHS announced it would continue funding technology company Kryptowire so the company could further pursue private sector clients. Kryptowire sells software that identifies security vulnerabilities in mobile applications and archives the results.

Title: Hewlett Foundation Announces $45 Million in Grants to MIT, Stanford, UC Berkeley to Establish Major New Academic Centers for Cybersecurity Policy Research
Source: Hewlett Foundation
Date: November 18, 2014
Pages: N/A
Notes: The new programs, established with $45 million in grants from the Hewlett Foundation—$15 million to each school—are supported through the foundation’s Cyber Initiative. The foundation has now committed $65 million over the next five years to strengthening the nascent field of cybersecurity, the largest such commitment to date by a private donor.
Title: Sandia cyber-testing contributes to DHS Transition to Practice
Source: DHS and Sandia National Laboratories
Date: September 10, 2014
Pages: N/A
Notes: The Transition to Practice (TTP) program helps move federally funded cybersecurity technologies into broader use. The goal is to generate interest, initiate conversations, and build relationships and business partnerships that put important cyber technologies, including some developed at Sandia, into practice.

Title: Policies for Enhancing U.S. Leadership in Cyberspace
Source: National Science Foundation
Date: August 20, 2014
Pages: N/A
Notes: This project focuses on three areas in which U.S. policy could provide additional leadership in cyberspace—publication of zero-day exploits; labeling of neutral infrastructure, such as networks associated with hospitals or religious sites, and shared norms to protect neutral cyberspaces; and sustainment of Internet interoperability, which allows Internet users on different networks to communicate directly without interference. The findings may benefit national security by giving policymakers a way of assessing the costs and benefits of publishing exploits or patches.

Title: Third-Party Security Assurance Information Supplement
Source: Payment Card Industry (PCI) Security Standards Council
Date: August 7, 2014
Pages: N/A
Notes: The PCI Security Standards Council has created guidelines meant to help banks and merchants mitigate the risks posed by third parties that process credit card payment information. The guidance by the council includes practical recommendations on how to conduct due diligence and risk assessment when engaging third-party service providers to help organizations understand the services provided.

Title: Cybersecurity Laboratory and Cybersecurity Research Program at the Computer Research Laboratory (CRL)
Source: Louisiana Tech University Ruston
Date: August 2014
Pages: 6
Notes: The CRL consists of several unique facilities that include virtualization, visualization, networking, micro-aerial vehicle and sensor networks, and field programmable gate array (FPGA) laboratories.

Title: Big Data and Innovation, Setting The Record Straight: De-identification Does Work
Source: Information Technology and Innovation Foundation and the Information and Privacy Commissioner, Ontario, Canada
Date: June 16, 2014
Pages: 13
Notes: The paper examines a select group of articles that are often referenced in support of the myth that de-identified data sets are at risk of re-identifying individuals through linkages with other available data. It examines the ways in which the academic research referenced has been misconstrued and finds that the primary reason for the popularity of these misconceptions is not factual inaccuracies or errors within the literature but rather a tendency on the part of commentators to overstate or exaggerate the risk of re-identification. While the research does raise important issues concerning the use of proper de-identification techniques, it does not suggest that de-identification should be abandoned.
Title: Software Defined Perimeter Working Group
Source: Cloud Security Alliance
Date: December 1, 2013
Pages: 13
Notes: This document explains the software defined perimeter (SDP) security framework and how it can be deployed to protect application infrastructure from network-based attacks. The SDP incorporates security standards from organizations such as NIST as well as security concepts from organizations such as the Department of Defense (DOD) into an integrated framework.

Title: Resilience metrics for cyber systems (Free registration required to download.)
Source: Seager, Thomas (Arizona State University)
Date: November 2013
Pages: 6
Notes: Despite their national and international importance, resilience metrics to inform management decisions are still in the early stages of development. The resilience matrix framework developed by Linkov et al. is applied to develop and organize effective resilience metrics for cyber systems. These metrics link national policy goals to specific system measures such that resource allocation decisions can be translated into actionable interventions and investments. The paper proposes a generic approach and could integrate actual data, technical judgment, and literature-based measures to assess system resilience across physical, information, cognitive, and social domains.

Title: DARPA Announces Cyber Grand Challenge
Source: DARPA
Date: October 23, 2013
Pages: N/A
Notes: DARPA intends to hold the Cyber Grand Challenge (CGC)—the first-ever tournament for fully automatic network defense systems. The challenge will see teams creating automated systems that would compete against each other to evaluate software, test for vulnerabilities, generate security patches, and apply them to protected computers on a network. The winning team in the CGC finals would receive a cash prize of $2 million, with second place earning $1 million and third place taking home $750,000.

Title: Cybersecurity Exercise: Quantum Dawn 2
Source: Securities Industry and Financial Markets Association (SIFMA)
Date: October 21, 2013
Pages: N/A
Notes: Quantum Dawn 2 is a cybersecurity exercise to test incident response, resolution, and coordination processes for the financial services sector and the individual member firms to a street-wide cyberattack.

Title: A Survey of Cyber Ranges and Testbeds
Source: Defence Science And Technology Organisation Edinburgh (Australia), Cyber And Electronic Warfare Division
Date: October 2013
Pages: 38
Notes: This document reviews the state-of-the-art cyber range implementations and related computer network operations testbeds. It summarizes recently published examples and describes their purpose and functionality. The compiled information should assist organizations in making an informed decision when considering a cyber-range capability.
Title: Proposed Establishment of a Federally Funded Research and Development Center—Second Notice
Source: NIST
Date: June 21, 2013
Pages: 2
Notes: NIST intends to sponsor a federally funded research and development center (FFRDC) to facilitate public-private collaboration for accelerating the widespread adoption of integrated cybersecurity tools and technologies. This is the second of three notices that must be published over a 90-day period to advise the public of the agency’s intention to sponsor an FFRDC.

Title: Governor McDonnell Announces Creation of MACH37, America’s Premier Market-Centric Cyber Security Accelerator
Source: Virginia Secretary of Commerce and Trade
Date: April 11, 2013
Pages: N/A
Notes: Virginia Governor Bob McDonnell announced the creation of MACH37, a cybersecurity accelerator to be located at the Center for Innovative Technology. Initially funded by the Commonwealth of Virginia, the accelerator will leverage private investments to launch new, high-growth cyber technology companies in Virginia.

Title: Open Trusted Technology Provider Standard (O-TTPS)™, Version 1.0: Mitigating Maliciously Tainted and Counterfeit Products (Registration required.)
Source: The Open Group
Date: April 2013
Pages: 44
Notes: Specifically intended to prevent maliciously tainted and counterfeit products from entering the supply chain, this first release of the O-TTPS codifies best practices across the entire commercial, off-the-shelf information and communication technology product life cycle, including the design, sourcing, building, fulfillment, distribution, sustainment, and disposal phases. The O-TTPS will enable organizations to implement best practice requirements and allow all providers, component suppliers, and integrators to obtain trusted technology provider status.

Title: The International Cyber-Security Ecosystem (video lecture)
Source: Anthony M. Rutkowski, Distinguished Senior Research Fellow at the Georgia Institute of Technology, Nunn School Center for International Strategy Technology and Policy (CISTP)
Date: November 6, 2012
Pages: N/A
Notes: Overview of the various forums, communities, and methodologies that comprise the security assurance ecosystem—often also referred to as information assurance.

Title: 20 Critical Security Controls for Effective Cyber Defense
Source: Center for Strategic and International Studies
Date: November 2012
Pages: 89
Notes: The top 20 security controls were agreed upon by a consortium. Members of the consortium include the National Security Agency, the United States Computer Emergency Readiness Team, DOD’s Joint Task Force-Global Network Operations, the Department of Energy Nuclear Laboratories, Department of State, DOD Cyber Crime Center, and commercial forensics experts in the banking and critical infrastructure communities.

Title: SBIR Phase II: Information Security Risk Taking
Source: National Science Foundation (NSF)
Date: January 17, 2012
Pages: N/A
Notes: The NSF is funding research on giving organizations information-security risk ratings, similar to credit ratings for individuals.


Title: Anomaly Detection at Multiple Scales (ADAMS)
Source: DARPA
Date: November 9, 2011
Pages: 74
Notes: The report describes a system for preventing leaks by seeding believable disinformation in military information systems to help identify individuals attempting to access and disseminate classified information.

Title: At the Forefront of Cyber Security Research
Source: NSF
Date: August 5, 2011
Pages: N/A
Notes: The Team for Research in Ubiquitous Secure Technology (TRUST) is a university and industry consortium that examines cybersecurity issues related to health care, national infrastructures, law, and other issues facing the general public.

Title: Designing A Digital Future: Federally Funded Research And Development In Networking And Information Technology
Source: White House
Date: December 2010
Pages: 148
Notes: The President’s Council of Advisors on Science and Technology (PCAST) has made several recommendations in a report about the state of the government’s Networking and Information Technology Research and Development (NITRD) Program.

Title: Partnership for Cybersecurity Innovation
Source: White House Office of Science and Technology Policy
Date: December 6, 2010
Pages: 10
Notes: The Obama Administration released a memorandum of understanding (see below) signed by NIST, the Science and Technology Directorate of the Department of Homeland Security (DHS/S&T), and the Financial Services Sector Coordinating Council (FSSCC). The agreement aims to speed the commercialization of cybersecurity research innovations that support the nation’s critical infrastructures.

Title: Memorandum of Understanding (MOU)
Source: NIST, DHS, and FSSCC
Date: December 2, 2010
Pages: 4
Notes: The document formalizes the intent of the parties to expedite the coordinated development and availability of collaborative research, development, and testing activities for cybersecurity technologies and processes based upon the financial services sector’s needs.

Title: Science of Cyber-Security
Source: MITRE Corporation (JASON Program Office)
Date: November 2010
Pages: 86
Notes: The DOD requested that JASON, a team of scientific advisors, examine the theory and practice of cybersecurity and evaluate whether there are underlying fundamental principles that would make it possible to adopt a more scientific approach. DOD also asked JASON to identify what is needed to create a science of cybersecurity and recommend specific ways in which scientific methods can be applied.

Title: American Security Challenge: Moving Innovation to Market
Source: National Security Initiative
Date: October 18, 2010
Pages: N/A
Notes: The objective of the American Security Challenge is to increase the visibility of innovative technology and help the commercialization process so that such technology can reach either the public or commercial marketplaces faster to protect U.S. citizens and critical assets.
Source: Highlights compiled by CRS from the reports.


Selected Reports, by Federal Agency
This section contains selected cybersecurity reports from U.S. government agencies, including the White House, the Office of Management and
Budget (OMB), the Government Accountability Office (GAO), the Department of Defense (DOD), the Department of Homeland Security (DHS),
and the National Institute of Standards and Technology (NIST).
Table 10. Government Accountability Office (GAO)
Title Date Pages Notes
Title: High Risk List: Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information
Date: February 11, 2015
Pages: N/A
Notes: GAO researchers wrote about a vast array of cyberthreats, from advanced persistent threat groups, to insiders, to criminal hackers. If cyber assets are not adequately protected, it “could lead to serious consequences and result in substantial harm to individuals and to the federal government,” GAO warned. The government still faces challenges in achieving that goal, however, in several areas, including putting risk-based cybersecurity programs in place at federal agencies, securing the global IT supply chain, securing critical infrastructure, oversight of IT contractors, improving incident response, and putting security programs in place at small agencies.

Title: DHS Is Assessing Fusion Center Capabilities and Results, but Needs to More Accurately Account for Federal Funding
Date: November 4, 2014
Pages: 57
Notes: Fusion centers play a key role in sharing threat information among all levels of government and the private sector. Federal agencies support these centers by providing personnel, funding, and other assistance. GAO was asked to assess how federal agencies are accounting for ongoing support provided. This report addresses the extent to which (1) DHS has helped centers assess capabilities and address gaps, (2) the federal government has defined its expectations for centers and assessed their contributions to homeland security, (3) federal agencies have deployed personnel to centers, and (4) DHS grant reforms have improved accountability for federal funds that support centers.

Title: Healthcare.gov: Information Security and Privacy Controls Should Be Enhanced to Address Weaknesses
Date: September 18, 2014
Pages: 17
Notes: The specific objectives of this work were to (1) describe the planned exchanges of information between the Healthcare.gov website and other organizations and (2) assess the effectiveness of programs and controls implemented by the Centers for Medicare and Medicaid Services (CMS) to protect the security and privacy of the information and IT systems supporting Healthcare.gov. Although CMS has security and privacy protections in place for Healthcare.gov and related systems, weaknesses exist that put these systems and the sensitive personal information they contain at risk.


Title: Healthcare.gov: Actions Needed to Address Weaknesses in Information Security and Privacy Controls
Date: September 16, 2014
Pages: 78
Notes: GAO is making six recommendations to implement security and privacy management controls to help ensure that systems and information related to Healthcare.gov are protected. The Department of Health and Human Services largely concurred but disagreed in part with GAO’s assessment of the facts for three recommendations. However, GAO continues to believe its recommendations are valid.

Title: Critical Infrastructure Protection: DHS Action Needed to Enhance Integration and Coordination of Vulnerability Assessment Efforts
Date: September 15, 2014
Pages: 82
Notes: DHS used 10 different assessment tools and methods from FY2011 through FY2013 to assess critical infrastructure vulnerabilities. Four of these assessments did not include cybersecurity. The differences in the assessment tools and methods mean DHS is not positioned to integrate its findings in identifying priorities.

Title: Information Security: Agencies Need to Improve Oversight of Contractor Controls
Date: September 8, 2014
Pages: 43
Notes: Although the six federal agencies that GAO reviewed (the Departments of Energy, Homeland Security, State, and Transportation; the Environmental Protection Agency; and the Office of Personnel Management) generally established security and privacy requirements and planned for assessments to determine the effectiveness of contractor implementation of controls, five of the six agencies were inconsistent in overseeing the execution and review of those assessments, resulting in security lapses. For example, in one agency, testing did not discover that background checks of contractor employees were not conducted.

Title: FDIC Made Progress in Securing Key Financial Systems, but Weaknesses Remain
Date: July 17, 2014
Pages: 30
Notes: The Federal Deposit Insurance Corporation (FDIC) has implemented numerous information security controls intended to protect its key financial systems; nevertheless, weaknesses place the confidentiality, integrity, and availability of financial systems and information at unnecessary risk. During 2013, the corporation implemented 28 of the 39 open GAO recommendations pertaining to previously reported security weaknesses that were unaddressed as of December 31, 2012.

Title: Information Security: Additional Oversight Needed to Improve Programs at Small Agencies
Date: June 25, 2014
Pages: 54
Notes: The six small agencies GAO reviewed have made mixed progress in implementing elements of information security and privacy programs as required by the Federal Information Security Management Act of 2002, the Privacy Act of 1974, the E-Government Act of 2002, and OMB guidance. In a separate report for limited official use only, GAO is providing specific details on the weaknesses in the six selected agencies’ implementation of information security and privacy requirements.


Title: Maritime Critical Infrastructure Protection: DHS Needs to Better Address Port Cybersecurity
Date: June 5, 2014
Pages: 54
Notes: GAO’s objective was to identify the extent to which DHS and other stakeholders have taken steps to address cybersecurity in the maritime port environment. GAO examined relevant laws and regulations, analyzed federal cybersecurity-related policies and plans, observed operations at three U.S. ports selected based on being a high-risk port and a leader in calls by vessel type (e.g., container), and interviewed federal and nonfederal officials.

Title: Information Security: Agencies Need to Improve Cyber Incident Response Practices
Date: April 30, 2014
Pages: 55
Notes: Twenty-four major federal agencies did not consistently demonstrate that they are effectively responding to cyber incidents (defined as security breaches of computerized systems and information). Based on a statistical sample of cyber incidents reported in FY2012, GAO projects that these agencies did not completely document actions taken in response to detected incidents in about 65% of cases.

Title: Information Security: SEC Needs to Improve Controls over Financial Systems and Data
Date: April 17, 2014
Pages: 25
Notes: Although the U.S. Securities and Exchange Commission (SEC) had implemented and made progress in strengthening information security controls, weaknesses limited the effectiveness of these controls in protecting the confidentiality, integrity, and availability of a key financial system. Until the SEC mitigates control deficiencies and strengthens the implementation of its security program, its financial information and systems may be exposed to unauthorized disclosure, modification, use, and disruption. These weaknesses, considered collectively, contributed to GAO’s determination that the SEC had a significant deficiency in internal control over financial reporting for FY2013.

Title: IRS Needs to Address Control Weaknesses That Place Financial and Taxpayer Data at Risk
Date: April 8, 2014
Pages: 29
Notes: Until the Internal Revenue Service (IRS) takes additional steps to (1) more effectively implement its testing and monitoring capabilities, (2) ensure that policies and procedures are updated, and (3) address unresolved and newly identified control deficiencies, its financial and taxpayer data will remain vulnerable to inappropriate and undetected use, modification, or disclosure. These deficiencies, including shortcomings in the information security program, indicate that IRS had a significant deficiency in its internal control over its financial reporting systems for FY2013.

Title: Federal Agencies Need to Enhance Responses to Data Breaches
Date: April 2, 2014
Pages: 19
Notes: Major federal agencies continue to face challenges in fully implementing all components of agency-wide information security programs, which are essential for securing agency systems and the information they contain—including personally identifiable information (PII).


Title: Critical Infrastructure Protection: More Comprehensive Planning Would Enhance the Cybersecurity of Public Safety Entities’ Emerging Technology
Date: January 27, 2013
Pages: 41
Notes: GAO was asked to review federal coordination with state and local governments regarding cybersecurity at public safety entities. The objective was to determine the extent to which federal agencies coordinated with state and local governments regarding cybersecurity efforts at emergency operations centers, public safety answering points, and first responder organizations involved in handling 911 emergency calls. To do so, GAO analyzed relevant plans and reports and interviewed officials at five agencies that were identified based on their roles and responsibilities established in federal law, policy, and plans as well as at selected industry associations and state and local governments.

Title: Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent
Date: December 9, 2013
Pages: 67
Notes: GAO recommends that “to improve the consistency and effectiveness of governmentwide data breach response programs, the Director of OMB should update its guidance on federal agencies’ responses to a PII-related data breach to include (1) guidance on notifying affected individuals based on a determination of the level of risk; (2) criteria for determining whether to offer assistance, such as credit monitoring to affected individuals; and (3) revised reporting requirements for PII-related breaches to US-CERT [Computer Emergency Response Team], including time frames that better reflect the needs of individual agencies and the government as a whole and consolidated reporting of incidents that pose limited risk.”

Title: GPS Disruptions: Efforts to Assess Risks to Critical Infrastructure and Coordinate Agency Actions Should Be Enhanced
Date: November 6, 2013
Pages: 58
Notes: GAO was asked to review the effects of global positioning system (GPS) disruptions on the nation’s critical infrastructure. GAO examined (1) the extent to which DHS has assessed the risks and potential effects of GPS disruptions on critical infrastructure; (2) the extent to which the Department of Transportation and DHS have developed backup strategies to mitigate GPS disruptions; and (3) what strategies, if any, selected critical infrastructure sectors employ to mitigate GPS disruptions and any remaining challenges.

Title: DHS Is Generally Filling Mission-Critical Positions, but Could Better Track Costs of Coordinated Recruiting Efforts
Date: September 17, 2013
Pages: 47
Notes: One in five jobs at a key cybersecurity component within DHS is vacant, in large part due to steep competition in recruiting and hiring qualified personnel. National Protection and Programs Directorate (NPPD) officials cited challenges in recruiting cyber professionals because of the length of time taken to conduct security checks to grant top-secret security clearances as well as low pay in comparison with the private sector.


Title: Telecommunications Networks: Addressing Potential Security Risks of Foreign-Manufactured Equipment
Date: May 21, 2013
Pages: 52
Notes: From the report: “The federal government has begun efforts to address the security of the supply chain for commercial networks.... There are a variety of other approaches for addressing the potential risks posed by foreign-manufactured equipment in commercial communications networks, including those approaches taken by foreign governments.... Although these approaches are intended to improve supply chain security of communications networks, they may also create the potential for trade barriers, additional costs, and constraints on competition, which the federal government would have to take into account if it chose to pursue such approaches.”

Title: Outcome-Based Measures Would Assist DHS in Assessing Effectiveness of Cybersecurity Efforts
Date: April 11, 2013
Pages: 45
Notes: Until DHS and its sector partners develop appropriate outcome-oriented metrics, it will be difficult to gauge the effectiveness of efforts to protect the nation’s core and access communications networks and critical support components of the Internet from cyber incidents. While no cyber incidents affecting the nation’s core and access networks have been reported, communications networks operators can use reporting mechanisms established by the Federal Communications Commission and DHS to share information on outages and incidents.

Title: Information Sharing: Agencies Could Better Coordinate to Reduce Overlap in Field-Based Activities
Date: April 4, 2013
Pages: 72
Notes: Agencies have neither held entities accountable for coordinating nor assessed opportunities for further enhancing coordination to help reduce the potential for overlap and achieve efficiencies. The Department of Justice, DHS, and the Office of National Drug Control Policy—the federal agencies that oversee or provide support to the five types of field-based entities—acknowledged that it is important for entities to work together and share information, but these agencies do not hold the entities accountable for such coordination.

Title: Cybersecurity: A Better Defined and Implemented National Strategy Is Needed to Address Persistent Challenges
Date: March 7, 2013
Pages: 36
Notes: From the report: “[A]lthough federal law assigns the Office of Management and Budget (OMB) responsibility for oversight of federal government information security, OMB recently transferred several of these responsibilities to DHS.... [I]t remains unclear how OMB and DHS are to share oversight of individual departments and agencies. Additional legislation could clarify these responsibilities.”

Title: 2013 High Risk List
Date: February 14, 2013
Pages: 275
Notes: Every two years at the start of a new Congress, GAO calls attention to agencies and program areas that are high risk due to their vulnerabilities to fraud, waste, abuse, and mismanagement or are most in need of transformation. Cybersecurity programs on the list include: Protecting the Federal Government’s Information Systems and the Nation’s Cyber Critical Infrastructures and Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests.


Title: Cybersecurity: National Strategy, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented
Date: February 14, 2013
Pages: 112
Notes: GAO recommends that the White House cybersecurity coordinator develop an overarching federal cybersecurity strategy that includes all key elements of the desirable characteristics of a national strategy. Such a strategy would provide a more effective framework for implementing cybersecurity activities and better ensure that such activities will lead to progress in cybersecurity.

Title: Information Security: Federal Communications Commission Needs to Strengthen Controls over Enhanced Secured Network Project
Date: January 25, 2013
Pages: 35
Notes: From the report: “The FCC did not effectively implement appropriate information security controls in the initial components of the Enhanced Secured Network (ESN) project.... Weaknesses identified in the commission’s deployment of components of the ESN project as of August 2012 resulted in unnecessary risk that sensitive information could be disclosed, modified, or obtained without authorization. GAO is making seven recommendations to the FCC to implement management controls to help ensure that ESN meets its objective of securing FCC’s systems and information.”

Title: Cybersecurity: Challenges in Securing the Electricity Grid
Date: July 17, 2012
Pages: 25
Notes: In a prior report, GAO made recommendations related to electricity grid modernization efforts, including developing an approach to monitor compliance with voluntary standards. These recommendations have not yet been implemented.

Title: Information Technology Reform: Progress Made but Future Cloud Computing Efforts Should be Better Planned
Date: July 11, 2012
Pages: 43
Notes: To help ensure the success of agencies’ implementation of cloud-based solutions, the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury and the Administrators of the General Services Administration and the Small Business Administration should direct their respective chief information officers to establish estimated costs, performance goals, and plans to retire associated legacy systems for each cloud-based service discussed in this report, as applicable.

Title: Electronic Warfare: DOD Actions Needed to Strengthen Management and Oversight
Date: July 9, 2012
Pages: 46
Notes: DOD’s oversight of electronic warfare capabilities may be further complicated by its evolving relationship with computer network operations, which is also an information operations-related capability. Without clearly defined roles and responsibilities and updated guidance regarding oversight responsibilities, DOD does not have reasonable assurance that its management structures will provide effective department-wide leadership for electronic warfare activities and capabilities development and ensure effective and efficient use of its resources.

Title: Information Security: Cyber Threats Facilitate Ability to Commit Economic Espionage
Date: June 28, 2012
Pages: 20
Notes: This statement discusses (1) cyber threats facing the nation’s systems, (2) reported cyber incidents and their impacts, (3) security controls and other techniques available for reducing risk, and (4) the responsibilities of key federal entities in support of protecting Internet protocol.


Title: Cybersecurity: Challenges to Securing the Modernized Electricity Grid
Date: February 28, 2012
Pages: 19
Notes: As GAO reported in January 2011, securing Smart Grid systems and networks presents a number of key challenges that require attention by government and industry. GAO made several recommendations to the Federal Energy Regulatory Commission aimed at addressing these challenges. The commission agreed with these recommendations and described steps it is taking to implement them.

Title: Critical Infrastructure Protection: Cybersecurity Guidance Is Available, but More Can Be Done to Promote Its Use
Date: December 9, 2011
Pages: 77
Notes: Given the plethora of guidance available, individual entities within the sectors may be challenged in identifying the guidance that is most applicable and effective in improving their security posture. Improved knowledge of the available guidance could help both federal and private sector decision makers better coordinate their efforts to protect critical cyber-reliant assets.

Title: Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination
Date: November 29, 2011
Pages: 86
Notes: All the agencies GAO reviewed faced challenges determining the size of their cybersecurity workforce because of variations in how work is defined and the lack of an occupational series specific to cybersecurity. With respect to other workforce planning practices, all agencies had defined roles and responsibilities for their cybersecurity workforce, but these roles did not always align with guidelines issued by the federal Chief Information Officers Council (CIOC) and National Institute of Standards and Technology (NIST).

Title: Federal Chief Information Officers: Opportunities Exist to Improve Role in Information Technology Management
Date: October 17, 2011
Pages: 72
Notes: GAO recommends that OMB update its guidance to establish measures of accountability for ensuring that chief information officers’ responsibilities are fully implemented and to require agencies to establish internal processes for documenting lessons learned.

Title: Information Security: Additional Guidance Needed to Address Cloud Computing Concerns
Date: October 5, 2011
Pages: 17
Notes: In a GAO study, 22 of 24 major federal agencies reported that they were either concerned or very concerned about the potential information security risks associated with cloud computing. GAO recommended that the NIST issue guidance specific to cloud computing security.

Title: Information Security: Weaknesses Continue Amid New Federal Efforts to Implement Requirements
Date: October 3, 2011
Pages: 49
Notes: Weaknesses in information security policies and practices at 24 major federal agencies continue to place the confidentiality, integrity, and availability of sensitive information and information systems at risk. Consistent with this risk, reports of security incidents from federal agencies are on the rise, increasing by more than 650% over the past 5 years. Each of the 24 agencies reviewed had weaknesses in information security controls.

Title: Defense Department Cyber Efforts: Definitions, Focal Point, and Methodology Needed for DOD to Develop Full-Spectrum Cyberspace Budget Estimates
Date: July 29, 2011
Pages: 33
Notes: This letter discusses DOD’s cyber and information assurance budget for FY2012 and future years’ defense spending. The objectives of this review were to (1) assess the extent to which DOD has prepared an overarching budget estimate for full-spectrum cyberspace operations across the department and (2) identify the challenges DOD has faced in providing such estimates.


Title: Continued Attention Needed to Protect Our Nation’s Critical Infrastructure
Date: July 26, 2011
Pages: 20
Notes: From the report: “A number of significant challenges remain to enhancing the security of cyber-reliant critical infrastructures, such as (1) implementing actions recommended by the President’s cybersecurity policy review; (2) updating the national strategy for securing the information and communications infrastructure; (3) reassessing DHS’s planning approach to critical infrastructure protection; (4) strengthening public-private partnerships, particularly for information sharing; (5) enhancing the national capability for cyber warning and analysis; (6) addressing global aspects of cybersecurity and governance; and (7) securing the modernized electricity grid.”

Title: Defense Department Cyber Efforts: DOD Faces Challenges in Its Cyber Activities
Date: July 25, 2011
Pages: 79
Notes: GAO recommends that DOD evaluate how it is organized to address cybersecurity threats; assess the extent to which it has developed joint doctrine that addresses cyberspace operations; examine how it assigns command and control responsibilities; and determine how it identifies and acts to mitigate key capability gaps involving cyberspace operations.

Title: Information Security: State Has Taken Steps to Implement a Continuous Monitoring Application, but Key Challenges Remain
Date: July 8, 2011
Pages: 63
Notes: The Department of State implemented a custom application called iPost and a risk-scoring program that is intended to provide continuous monitoring capabilities of information security risk to elements of the department’s IT infrastructure. To improve implementation of iPost at State, the Secretary of State should direct the chief information officer to develop, document, and maintain an iPost configuration management and test process.

Title: Cybersecurity: Continued Attention Needed to Protect Our Nation’s Critical Infrastructure and Federal Information Systems
Date: March 16, 2011
Pages: 16
Notes: Executive branch agencies have made progress instituting several government-wide initiatives aimed at bolstering aspects of federal cybersecurity, such as reducing the number of federal access points to the Internet, establishing security configurations for desktop computers, and enhancing situational awareness of cyber events. Despite these efforts, the federal government continues to face significant challenges in protecting the nation’s cyber-reliant critical infrastructure and federal information systems.

Title: Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed
Date: January 12, 2011
Pages: 50
Notes: GAO identified six key challenges with regard to securing smart grid systems: “(1) Aspects of the regulatory environment may make it difficult to ensure Smart Grid systems’ cybersecurity. (2) Utilities are focusing on regulatory compliance instead of comprehensive security. (3) The electric industry does not have an effective mechanism for sharing information on cybersecurity. (4) Consumers are not adequately informed about the benefits, costs, and risks associated with Smart Grid systems. (5) There is a lack of security features being built into certain Smart Grid systems. (6) The electricity industry does not have metrics for evaluating cybersecurity.”


Title: Information Security: Federal Agencies Have Taken Steps to Secure Wireless Networks, but Further Actions Can Mitigate Risk
Date: November 30, 2010
Pages: 50
Notes: Existing government-wide guidelines and oversight efforts do not fully address agency implementation of leading wireless security practices. Until agencies take steps to better implement these leading practices and OMB takes steps to improve government-wide oversight, wireless networks will remain at an increased vulnerability to attack.

Title: Cyberspace Policy: Executive Branch Is Making Progress Implementing 2009 Policy Review Recommendations, but Sustained Leadership Is Needed
Date: October 6, 2010
Pages: 66
Notes: Of the 24 recommendations in the President’s May 2009 cyber policy review report, 2 have been fully implemented and 22 have been partially implemented. Although these efforts appear to be steps forward, agencies were largely not able to provide milestones and plans that showed when and how implementation of the recommendations was to occur.

Title: DHS Efforts to Assess and Promote Resiliency Are Evolving but Program Management Could Be Strengthened
Date: September 23, 2010
Pages: 46
Notes: DHS has not developed an effective way to ensure that critical national infrastructure, such as electrical grids and telecommunications networks, can bounce back from a disaster. DHS has conducted surveys and vulnerability assessments of critical infrastructure to identify gaps but has not developed a way to measure whether owners and operators of that infrastructure adopt measures to reduce risks.

Title: Information Security: Progress Made on Harmonizing Policies and Guidance for National Security and Non-National Security Systems
Date: September 15, 2010
Pages: 38
Notes: OMB and NIST established policies and guidance for civilian non-national security systems, and other organizations, including the Committee on National Security Systems (CNSS), DOD, and the U.S. intelligence community, have developed policies and guidance for national security systems. GAO was asked to assess the progress of federal efforts to harmonize policies and guidance for these two types of systems.

Title: United States Faces Challenges in Addressing Global Cybersecurity and Governance
Date: August 2, 2010
Pages: 53
Notes: GAO recommends that the special assistant to the President and cybersecurity coordinator should make recommendations to appropriate agencies and interagency coordination committees regarding any necessary changes to more effectively coordinate and forge a coherent national approach to cyberspace policy.

Title: Critical Infrastructure Protection: Key Private and Public Cyber Expectations Need to Be Consistently Addressed
Date: July 15, 2010
Pages: 38
Notes: The special assistant to the President and cybersecurity coordinator and the Secretary of Homeland Security should take two actions: “(1) use the results of this report to focus their information-sharing efforts, including their relevant pilot projects, on the most desired services, including providing timely and actionable threat and alert information, access to sensitive or classified information, a secure mechanism for sharing information, and security clearance and (2) bolster the efforts to build out the National Cybersecurity and Communications Integration Center as the central focal point for leveraging and integrating the capabilities of the private sector, civilian government, law enforcement, the military, and the intelligence community.”
CRS-88


Title Date
Pages Notes
Federal Guidance Needed to Address Control Issues With Implementing Cloud Computing (July 1, 2010; 53 pages)
To assist federal agencies in identifying uses for cloud computing and information security measures to use in implementing cloud computing, the director of OMB should establish milestones for completing a strategy for implementing the federal cloud computing initiative.

Continued Attention Is Needed to Protect Federal Information Systems from Evolving Threats (June 16, 2010; 15 pages)
Multiple opportunities exist to improve federal cybersecurity. To address identified deficiencies in agencies’ security controls and shortfalls in their information security programs, GAO and agency inspectors general have made hundreds of recommendations over the past several years, many of which agencies are implementing. In addition, the White House, OMB, and certain federal agencies have undertaken several government-wide initiatives intended to enhance information security at federal agencies. Progress has been made on these initiatives, but they all face challenges that require sustained attention. GAO has made several recommendations for improving the implementation and effectiveness of these existing initiatives.

Information Security: Concerted Response Needed to Resolve Persistent Weaknesses (March 24, 2010; 21 pages)
Without proper safeguards, federal computer systems are vulnerable to intrusions by individuals who have malicious intentions and can obtain sensitive information. The need for a vigilant approach to information security has been demonstrated by the pervasive and sustained cyberattacks against the United States; these attacks continue to pose a potentially devastating impact to systems and the operations and critical infrastructures they support.

Cybersecurity: Continued Attention Is Needed to Protect Federal Information Systems from Evolving Threats (March 16, 2010; 15 pages)
The White House, OMB, and certain federal agencies have undertaken several government-wide initiatives intended to enhance information security at federal agencies. Although progress has been made on these initiatives, they all face challenges that require sustained attention, and GAO has made several recommendations for improving the implementation and effectiveness of these initiatives.

Concerted Effort Needed to Consolidate and Secure Internet Connections at Federal Agencies (April 12, 2010; 40 pages)
To reduce the threat to federal systems and operations posed by cyberattacks on the United States, OMB launched, in November 2007, the Trusted Internet Connections (TIC) initiative, and later, in 2008, DHS’s National Cybersecurity Protection System (NCPS), operationally known as Einstein, which became mandatory for federal agencies as part of TIC. To further ensure that federal agencies have adequate, sufficient, and timely information to successfully meet the goals and objectives of the TIC and Einstein programs, DHS’s Secretary should, to better understand whether Einstein alerts are valid, develop additional performance measures that indicate how agencies respond to alerts.
Cybersecurity: Progress Made But Challenges Remain in Defining and Coordinating the Comprehensive National Initiative (March 5, 2010; 64 pages)
To address strategic challenges in areas that are not the subject of existing projects within the Comprehensive National Cybersecurity Initiative but remain key to achieving the initiative’s overall goal of securing federal information systems, OMB’s director should continue developing a strategic approach to identity management and authentication, linked to the implementation of Homeland Security Presidential Directive 12, as initially described in the Chief Information Officers Council’s (CIOC’s) plan for implementing federal identity, credential, and access management to provide greater assurance that only authorized individuals and entities can gain access to federal information systems.

Continued Efforts Are Needed to Protect Information Systems from Evolving Threats (November 17, 2009; 24 pages)
GAO has identified weaknesses in all major categories of information security controls at federal agencies. For example, in FY2008, weaknesses were reported in such controls at 23 of 24 major agencies. Specifically, agencies did not consistently authenticate users to prevent unauthorized access to systems; apply encryption to protect sensitive data; or log, audit, and monitor security-relevant events, among other actions.

Efforts to Improve Information Sharing Need to Be Strengthened (August 27, 2003; 59 pages)
Information on threats, methods, and techniques of terrorists is not routinely shared, and the information that is shared is not perceived as timely, accurate, or relevant.

Computer Attacks at Department of Defense Pose Increasing Risk (May 1996; 48 pages)
Defense Information Systems Agency (DISA) estimates indicate that DOD may have been attacked as many as 250,000 times last year. However, the exact number is not known because, according to DISA, only about 1 in 150 attacks is actually detected and reported. In addition, in testing its systems, DISA attacks and successfully penetrates DOD systems 65% of the time.
Source: Highlights compiled by CRS from the GAO reports.
Table 11. White House and Office of Management and Budget
Columns: Title | Date | Pages | Notes
Improving Cybersecurity (Ongoing; pages N/A)
The Office of Management and Budget (OMB) is working with agencies, inspectors general, chief information officers, and senior agency officials in charge of privacy, as well as the Government Accountability Office (GAO) and Congress, to strengthen the federal government’s IT security and privacy programs. The site provides information on Cross-Agency Priority (CAP) goals, proposed cybersecurity legislation, CyberStat, continuous monitoring and remediation, using SmartCards for identity management, and standardizing security through configuration settings.

White House Summit on Cybersecurity and Consumer Protection (February 13, 2015; pages N/A)
The Summit brings together leaders from across the country who have a stake in this issue—industry, tech companies, law enforcement, consumer and privacy advocates, law professors who specialize in this field, and students—to collaborate and explore partnerships that will help develop the best ways to bolster our cybersecurity. Topics include Public-Private Collaboration on Cybersecurity; Improving Cybersecurity Practices at Consumer-Oriented Businesses and Organizations; Promoting More Secure Payment Technologies; Cybersecurity Information Sharing; International Law Enforcement Cooperation on Cybersecurity; Improving Authentication: Moving Beyond the Password; and Chief Security Officers’ Perspectives: New Ideas on Technical Security.

Strengthening our Nation’s Cyber Defenses (Announcing Plans for a New Cyber Threat Intelligence Integration Center) (February 11, 2015; pages N/A)
The White House will establish a new Cyber Threat Intelligence Integration Center, or CTIIC, under the auspices of the Director of National Intelligence. Currently, no single government entity is responsible for producing coordinated cyber threat assessments, ensuring that information is shared rapidly among existing Cyber Centers and other elements within the government, and supporting the work of operators and policymakers with timely intelligence about the latest cyber threats and threat actors. The CTIIC is intended to fill these gaps.

National Security Strategy (February 6, 2015; 32 pages)
The document states the United States will “defend ourselves, consistent with U.S. and international law, against cyberattacks and impose costs on malicious cyber actors, including through prosecution of illegal cyber activity.” The strategy also praises the NIST framework for cybersecurity and promises to work with Congress to “pursue a legislative framework that ensures high [cyber] standards” for critical infrastructure. The government will also work to develop “global standards for cybersecurity and building international capacity to disrupt and investigate cyber threats,” the strategy states. The document also promises to help other nations improve the cybersecurity of their critical infrastructure and develop laws that punish hackers.
Fiscal Year 2014-2015 Guidance on Improving Federal Information Security and Privacy Management Practices (October 3, 2014; 17 pages)
OMB is making updates to streamline agency reporting of information security incidents to the Department of Homeland Security’s (DHS’s) U.S. Computer Emergency Readiness Team (US-CERT) and to improve US-CERT’s ability to respond effectively to information security incidents. Under the updates, losses of personally identifiable information caused by non-electronic means still need to be reported within one hour of a confirmed breach, but they should be reported to the agency privacy office rather than to US-CERT.

Federal Information Security Management Act, Annual Report to Congress (May 1, 2014; 80 pages)
The 24 largest federal departments and agencies spent $10.34 billion on cybersecurity last fiscal year. The Chief Financial Officers Act agency with the greatest expenditure was the Department of Defense (DOD), at $7.11 billion, followed by DHS at $1.11 billion. Federal agencies’ collective request for cybersecurity spending during FY2015 amounts to about $13 billion, federal Chief Information Officer Steven VanRoekel told reporters during the March rollout of the White House spending proposal for the coming fiscal year—making cybersecurity a rare area of federal information technology spending growth.

Assessing Cybersecurity Regulations (May 22, 2014; pages N/A)
The White House directed federal agencies to examine their regulatory authority over private-sector cybersecurity in the February 2013 executive order that also created the National Institute of Standards and Technology (NIST) cybersecurity framework. A review of agency reports concluded that “existing regulatory requirements, when complemented with strong voluntary partnerships, are capable of mitigating cyber risks.” No new federal regulations are needed for improving the cybersecurity of privately held American critical infrastructure.

Big Data: Seizing Opportunities, Preserving Values (May 2014; 85 pages)
The findings outline a set of consumer protection recommendations, including that Congress should pass legislation on a “single national data breach standard.”

State and Local Government Cybersecurity (April 2, 2014; pages N/A)
The White House in March 2014 convened an array of stakeholders, including government representatives, local-government-focused associations, private-sector technology companies, and partners from multiple federal agencies at the State and Local Government Cybersecurity Framework Kickoff Event.

Liberty and Security in a Changing World: Report and Recommendations of The President’s Review Group on Intelligence and Communications Technologies (December 12, 2013; 308 pages)
From the report, “The national security threats facing the United States and our allies are numerous and significant, and they will remain so well into the future. These threats include international terrorism, the proliferation of weapons of mass destruction, and cyber espionage and warfare.... After careful consideration, we recommend a number of changes to our intelligence collection activities that will protect [privacy and civil liberties] values without undermining what we need to do to keep our nation safe.”
Immediate Opportunities for Strengthening the Nation’s Cybersecurity (November 2013; 31 pages)
This report of the President’s Council of Advisors on Science and Technology (PCAST) recommends the government phase out insecure, outdated operating systems, such as Windows XP; implement better encryption technology; and encourage automatic security updates, among other changes. PCAST also recommends that the government help create cybersecurity best practices and audit their adoption in regulated industries. For independent agencies, PCAST proposes writing new rules that require businesses to report their cyber improvements.

Cross Agency Priority Goal: Cybersecurity, FY2013 Q3 Status Report (October 2013; 24 pages)
Executive branch departments and agencies will achieve 95% implementation of the Administration’s priority cybersecurity capabilities by the end of FY2014. These capabilities include strong authentication, Trusted Internet Connections (TIC), and continuous monitoring.

Incentives to Support Adoption of the Cybersecurity Framework (August 6, 2013; pages N/A)
From the report, “To promote cybersecurity practices and develop these core capabilities, we are working with critical infrastructure owners and operators to create a Cybersecurity Framework – a set of core practices to develop capabilities to manage cybersecurity risk.... Over the next few months, agencies will examine these options in detail to determine which ones to adopt and how, based substantially on input from critical infrastructure stakeholders.”

FY2012 Report to Congress on the Implementation of the Federal Information Security Management Act of 2002 (March 2013; 68 pages)
More government programs violated data security law standards in 2012 than in the previous year. At the same time, computer security costs have increased by more than $1 billion. Inadequate training was a large part of the reason all-around scores for adherence to the Federal Information Security Management Act of 2002 (FISMA) slipped from 75% in 2011 to 74% in 2012. Agencies reported that about 88% of personnel with system access privileges received annual security awareness instruction, down from 99% in 2011. Meanwhile, personnel expenses accounted for the vast majority—90%—of the $14.6 billion departments spent on information technology security in 2012.

Administration Strategy for Mitigating the Theft of U.S. Trade Secrets (February 20, 2013; 141 pages)
From the report, “First, we will increase our diplomatic engagement.... Second, we will support industry-led efforts to develop best practices to protect trade secrets and encourage companies to share with each other best practices that can mitigate the risk of trade secret theft.... Third, DOJ will continue to make the investigation and prosecution of trade secret theft by foreign competitors and foreign governments a top priority.... Fourth, President Obama recently signed two pieces of legislation that will improve enforcement against trade secret theft.... Lastly, we will increase public awareness of the threats and risks to the U.S. economy posed by trade secret theft.”
National Strategy for Information Sharing and Safeguarding (December 2012; 24 pages)
Provides guidance for effective development, integration, and implementation of policies, processes, standards, and technologies to promote secure and responsible information sharing.

Collaborative and Cross-Cutting Approaches to Cybersecurity (August 1, 2012; pages N/A)
Michael Daniel, White House cybersecurity coordinator, highlights a few recent initiatives in which voluntary, cooperative actions are helping to improve the nation’s overall cybersecurity.

Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program (December 2011; 36 pages)
As a research and development strategy, this plan defines four strategic thrusts: inducing change, developing scientific foundations, maximizing research impact, and accelerating transition to practice.

FY2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (September 14, 2011; 29 pages)
Rather than enforcing a static, three-year reauthorization process, agencies are expected to conduct ongoing authorizations of information systems through the implementation of continuous monitoring programs. Continuous monitoring programs thus fulfill the three-year security reauthorization requirement, so a separate reauthorization process is not necessary.

Cybersecurity Legislative Proposal (Fact Sheet) (May 12, 2011; pages N/A)
The Administration’s proposal ensures the protection of individuals’ privacy and civil liberties through a framework designed expressly to address the challenges of cybersecurity. The Administration’s legislative proposal includes management, personnel, intrusion-prevention systems, and data centers.

International Strategy for Cyberspace (May 2011; 30 pages)
The strategy marks the first time any Administration has attempted to set forth in one document the U.S. government’s vision for cyberspace, including goals for defense, diplomacy, and international development.

National Strategy for Trusted Identities in Cyberspace (NSTIC) (April 15, 2011; 52 pages)
The NSTIC aims to make online transactions more trustworthy, thereby giving businesses and consumers more confidence in conducting business online.

Federal Cloud Computing Strategy (February 13, 2011; 43 pages)
The strategy outlines how the federal government can accelerate the safe, secure adoption of cloud computing, and provides agencies with a framework for migrating to the cloud. It also examines how agencies can address challenges related to the adoption of cloud computing, such as privacy, procurement, standards, and governance.

25 Point Implementation Plan to Reform Federal Information Technology Management (December 9, 2010; 40 pages)
The plan aims to reduce the number of federally run data centers from 2,100 to approximately 1,300, rectify or cancel one-third of troubled IT projects, and require federal agencies to adopt a “cloud first” strategy in which they will move at least one system to a hosted environment within a year.
Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security (July 6, 2010; 39 pages)
This memorandum outlines and clarifies the respective responsibilities and activities of the Office of Management and Budget (OMB), the Cybersecurity Coordinator, and DHS, in particular with respect to the Federal Government’s implementation of FISMA.

The National Strategy for Trusted Identities in Cyberspace: Creating Options for Enhanced Online Security and Privacy (Draft) (June 25, 2010; 39 pages)
The NSTIC, which is in response to one of the near-term action items in the President’s Cyberspace Policy Review, calls for the creation of an online environment, or an identity ecosystem, where individuals and organizations can complete online transactions with confidence, trusting the identities of each other and the identities of the infrastructure in which transactions occur.

Comprehensive National Cybersecurity Initiative (CNCI) (March 2, 2010; 5 pages)
The CNCI establishes a multipronged approach the federal government is to take in identifying current and emerging cyber threats, shoring up current and future telecommunications and cyber vulnerabilities, and responding to or proactively addressing entities that wish to steal or manipulate protected data on secure federal systems.

Cyberspace Policy Review: Assuring a Trusted and Resilient Communications Infrastructure (May 29, 2009; 76 pages)
The President directed a 60-day, comprehensive, “clean-slate” review to assess U.S. policies and structures for cybersecurity. The review team of government cybersecurity experts engaged and received input from a broad cross-section of industry, academia, the civil liberties and privacy communities, state governments, international partners, and the legislative and executive branches. This paper summarizes the review team’s conclusions and outlines the beginning of the way forward toward a reliable, resilient, trustworthy digital infrastructure for the future.
Source: Highlights compiled by CRS from the White House reports.
Note: For a list of White House executive orders, see CRS Report R43317, Cybersecurity: Legislation, Hearings, and Executive Branch Documents, by Rita Tehan.
Department of Defense and National Security: CRS Reports and Other CRS Products
• CRS Report R43848, Cyber Operations in DOD Policy and Plans: Issues for Congress, by Catherine A. Theohary
• CRS Legal Sidebar WSLG399, Legal Barriers to an Expanded Role of the Military in Defending Against Domestic Cyberattacks, by Andrew Nolan
Table 12. Department of Defense (DOD)
Columns: Title | Source | Date | Pages | Notes
Program Protection and System Security Engineering Initiative (DOD Systems Engineering; Ongoing; pages N/A)
DOD systems have become increasingly networked, software-intensive, and dependent on a complicated global supply chain, which has increased the importance of security as a systems engineering design consideration. In response to this new reality, the DOD has established Program Protection/System Security Engineering as a key discipline to protect technology, components, and information from compromise through the cost-effective application of countermeasures to mitigate risks posed by threats and vulnerabilities. The analysis, decisions, and plans of acquisition programs are documented in a Program Protection Plan, which is updated prior to every milestone decision.

DOT&E FY 2014 Annual Report (DoD Office of the Director, Operational Test and Evaluation; January 2015; 91 pages)
A series of live fire tests of the security of the military’s computer networks this year found many combatant commands could be compromised by low-to-middling skilled hackers and might not be able to “fight through” in the face of enemy cyberattacks. The assessment echoes previous OT&E annual assessments, which routinely found that military services and combatant commands did not have a sufficiently robust security posture or training to repel sustained cyberattacks during battle.

A Review of the U.S. Navy Cyber Defense Capabilities: Abbreviated Version of a Classified Report (National Research Council (NRC); January 2015; 13 pages)
The NRC appointed an expert committee to review the U.S. Navy's cyber defense capabilities. The Department of the Navy has determined that the final report prepared by the committee is classified in its entirety under Executive Order 13526 and therefore cannot be made available to the public. A Review of U.S. Navy Cyber Defense Capabilities is the abbreviated report and provides background information on the full report and the committee that prepared it.

DOD Cloud Computing Strategy Needs Implementation Plan and Detailed Waiver Process (DOD Inspector General; December 4, 2014; 40 pages)
Report states that the DOD chief information officer “did not develop an implementation plan that assigned roles and responsibilities as well as associated tasks, resources and milestones,” despite promises that an implementation plan would directly follow the cloud strategy’s release.
State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation, and Appendix E: State-of-the-Art Resources (SOAR) Matrix (Excel spreadsheet) (Institute for Defense Analyses Report P-5061; July 2014; 234 pages)
The purpose of this paper is to assist DOD program managers and their staffs in making effective software assurance and software supply chain risk management decisions. The paper also describes some key gaps identified in the course of this study, including difficulties in finding unknown malicious code, obtaining quantitative data, analyzing binaries without debug symbols, and obtaining assurance of development tools. Additional challenges were found in the mobile environment.

Risk Management Framework (RMF) for DOD Information Technology (IT) (DOD; March 12, 2014; 47 pages)
In a change in security policy, DOD has dropped its long-standing DOD Information Assurance Certification and Accreditation Process (DIACAP) and adopted a risk-focused security approach developed by the National Institute of Standards and Technology (NIST). The decision, issued in a DOD instruction memo (8510.01), aligns for the first time the standards DOD and civilian agencies use to ensure their IT systems comply with approved information assurance and risk management controls.

Improving Cybersecurity and Resilience through Acquisition (DOD and the General Services Administration (GSA); January 23, 2014; 24 pages)
DOD and GSA jointly released a report announcing six planned reforms to improve the cybersecurity and resilience of the Federal Acquisition System. The report provides a path forward to aligning federal cybersecurity risk management and acquisition processes. It provides strategic recommendations for addressing relevant issues, suggests how challenges might be resolved, and identifies important considerations for the implementation of the recommendations.

Defense Federal Acquisition Regulation Supplement: Safeguarding Unclassified Controlled Technical Information (DOD; November 18, 2013; 10 pages)
The regulation imposed two new requirements. First, it imposed an obligation on contractors to provide “adequate security” to safeguard “unclassified controlled technical information” (UCTI). Second, it obligated contractors to report “cyber incidents” that affect UCTI to contracting officers. In both obligations, UCTI is defined as “technical information with military or space application that is subject to controls on access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.” UCTI should be marked with a DOD “distribution statement.” This is the first time DOD has imposed specific requirements for cybersecurity that are generally applicable to all contractors.
Offensive Cyber Capabilities at the Operational Level: The Way Ahead (Center for Strategic and International Studies (CSIS); September 16, 2013; 20 pages)
The report examines whether DOD should make a more deliberate effort to explore the potential of offensive cyber tools at levels below that of a combatant command.

An Assessment of the Department of Defense Strategy for Operating in Cyberspace (U.S. Army War College; September 2013; 60 pages)
This monograph is organized in three main parts. The first part explores the evolution of cyberspace strategy through a series of government publications leading up to the DoD Strategy for Operating in Cyberspace. In the second part, the monograph elaborates on and critiques each strategic initiative in terms of significance, novelty, and practicality. In the third part, it critiques the DOD strategy as a whole.

Joint Professional Military Education Institutions in an Age of Cyber Threat (Francesca Spidalieri (Pell Center Fellow); August 7, 2013; 18 pages)
The report found that the Joint Professional Military Education at the six U.S. military graduate schools—a requirement for becoming a joint staff officer and for promotion to the senior ranks—has not effectively incorporated cybersecurity into specific courses, conferences, war-gaming exercises, or other forms of training for military officers. Although these graduate programs are more advanced on cybersecurity than most American civilian universities, a preparation gap still exists.

Military and Security Developments Involving the People’s Republic of China 2013 (Annual Report to Congress) (DOD; May 6, 2013; 92 pages)
China is using its computer network exploitation capability to support intelligence collection against the U.S. diplomatic, economic, and defense-industrial base sectors that support U.S. national defense programs. The information targeted could potentially be used to benefit China’s defense industry, high-technology industries, policy-maker interest in U.S. leadership thinking on key China issues, and military planners building a picture of U.S. network defense networks, logistics, and related military capabilities that could be exploited during a crisis.

Resilient Military Systems and the Advanced Cyber Threat (DOD Science Board; January 2013; 146 pages)
The report states that, despite numerous Pentagon actions to parry sophisticated attacks by other countries, efforts are “fragmented” and DOD “is not prepared to defend against this threat.” The report lays out a scenario in which cyberattacks in conjunction with conventional warfare damaged the ability of U.S. forces to respond, creating confusion on the battlefield and weakening traditional defenses.
FY2012 Annual Report (DOD; January 2013; 372 pages)
The annual report to Congress by J. Michael Gilmore, director of Operational Test and Evaluation, assesses the operational effectiveness of systems being developed for combat. See “Information Assurance (I/A) and Interoperability (IOP)” chapter, pages 305-312, for information on network exploitation and compromise exercises.

Basic Safeguarding of Contractor Information Systems (Proposed Rule) (DOD, GSA, and National Aeronautics and Space Administration (NASA); August 24, 2012; 4 pages)
This regulation, authored by the DOD, GSA, and NASA, “would add a contract clause to address requirements for the basic safeguarding of contractor information systems that contain or process information provided by or generated for the government (other than public information).”

Electronic Warfare: DOD Actions Needed to Strengthen Management and Oversight (Government Accountability Office (GAO); July 9, 2012; 46 pages)
DOD’s oversight of electronic warfare capabilities may be further complicated by its evolving relationship with computer network operations, which is also an information operations-related capability. Without clearly defined roles and responsibilities and updated guidance regarding oversight responsibilities, DOD does not have reasonable assurance that its management structures will provide effective department-wide leadership for electronic warfare activities and capabilities development and ensure effective and efficient use of its resources.

Cloud Computing Strategy (DOD, Chief Information Officer; July 2012; 44 pages)
The DOD Cloud Computing Strategy introduces an approach to move the department from the current state of a duplicative, cumbersome, and costly set of application silos to an end state, which is an agile, secure, and cost-effective service environment that can rapidly respond to changing mission needs.

DOD Defense Industrial Base (DIB) Voluntary Cyber Security and Information Assurance (CS/IA) Activities (Federal Register; May 11, 2012; 7 pages)
DOD interim final rule to establish a voluntary cybersecurity information-sharing program between DOD and eligible DIB companies. The program enhances and supplements DIB participants’ capabilities to safeguard DOD information that resides on, or transits, DIB unclassified information.

DOD Information Security Program: Overview, Classification, and Declassification (DOD; February 24, 2012; 84 pages)
Describes the DOD Information Security Program and provides guidance for classification and declassification of DOD information that requires protection in the interest of national security.
Cyber Sentries: Preparing Defenders to Win in a Contested Domain (Air War College; February 7, 2012; 38 pages)
This paper examines the current impediments to effective cybersecurity workforce preparation and offers new concepts to create Cyber Sentries through realistic training, network authorities tied to certification, and ethical training. These actions present an opportunity to significantly enhance workforce quality and allow DOD to operate effectively in the contested cyber domain in accordance with the vision established in its Strategy for Cyberspace Operations.

Defense Department Cyber Efforts: Definitions, Focal Point, and Methodology Needed for DOD to Develop Full-Spectrum Cyberspace Budget Estimates (GAO; July 29, 2011; 33 pages)
This letter discusses DOD’s cyber and information assurance budget for FY2012 and future years’ defense spending. The objectives of this review were to (1) assess the extent to which DOD has prepared an overarching budget estimate for full-spectrum cyberspace operations across the department and (2) identify the challenges DOD has faced in providing such estimates.

Legal Reviews of Weapons and Cyber Capabilities (Secretary of the Air Force; July 27, 2011; 7 pages)
Report concludes the Air Force must subject cyber capabilities to legal review for compliance with the Law of Armed Conflict and other international and domestic laws. The Air Force judge advocate general must ensure that all cyber capabilities “being developed, bought, built, modified or otherwise acquired by the Air Force” undergo legal review—except for cyber capabilities within a Special Access Program, which must undergo review by the Air Force general counsel.

Department of Defense Strategy for Operating in Cyberspace (DOD; July 2011; 19 pages)
This is an unclassified summary of DOD’s cybersecurity strategy.

Cyber Operations Personnel Report (DOD) (DOD; April 2011; 84 pages)
This report focuses on FY2009 Department of Defense Cyber Operations personnel, with duties and responsibilities as defined in Section 934 of the Fiscal Year 2010 National Defense Authorization Act (NDAA). It includes:
Appendix A—Cyber Operations-related Military Occupations
Appendix B—Commercial Certifications Supporting the DOD Information Assurance Workforce Improvement Program
Appendix C—Military Services Training and Development
Appendix D—Geographic Location of National Centers of Academic Excellence in Information Assurance
Title: Anomaly Detection at Multiple Scales (ADAMS)
Source: Defense Advanced Research Projects Agency (DARPA)
Date: November 9, 2011
Pages: 74
Notes: The design document was produced by Allure Security and sponsored by DARPA. It describes
a system for preventing leaks by seeding believable disinformation in military information
systems to help identify individuals attempting to access and disseminate classified information.

Title: Critical Code: Software Producibility for Defense
Source: National Research Council, Committee for Advancing Software-Intensive Systems
Producibility
Date: October 20, 2010
Pages: 160
Notes: Assesses the nature of the national investment in software research and, in particular,
considers ways to revitalize the knowledge base needed to design, produce, and employ
software-intensive systems for tomorrow’s defense needs.

Title: Defending a New Domain
Source: U.S. Deputy Secretary of Defense, William J. Lynn (Foreign Affairs)
Date: September/October 2010
Pages: N/A
Notes: In 2008, DOD suffered a significant compromise of its classified military computer
networks. It began when an infected flash drive was inserted into a U.S. military laptop at a
base in the Middle East. This previously classified incident was the most significant breach of
U.S. military computers ever and served as an important wake-up call.

Title: The QDR in Perspective: Meeting America’s National Security Needs In the 21st Century
(QDR Final Report)
Source: Quadrennial Defense Review
Date: July 30, 2010
Pages: 159
Notes: From the report: “The expanding cyber mission also needs to be examined. DOD should be
prepared to assist civil authorities in defending cyberspace – beyond the department’s current
role.”

Title: Cyberspace Operations: Air Force Doctrine Document 3-12
Source: U.S. Air Force
Date: July 15, 2010
Pages: 62
Notes: This Air Force Doctrine Document (AFDD) establishes doctrinal guidance for the employment
of U.S. Air Force operations in, through, and from cyberspace. It is the keystone of Air Force
operational-level doctrine for cyberspace operations.

Title: DON (Department of the Navy) Cybersecurity/Information Assurance Workforce Management,
Oversight and Compliance
Source: U.S. Navy
Date: June 17, 2010
Pages: 14
Notes: To establish policy and assign responsibilities for the administration of the DON
Cybersecurity/Information Assurance Workforce Management Oversight and Compliance Program.
Source: Highlights compiled by CRS from the reports.
CRS Product: Cybersecurity Framework
• CRS Report WSLG829, National Institute of Standards and Technology Issues Long-awaited Cybersecurity Framework, by
Andrew Nolan

Table 13. National Institute of Standards and Technology (NIST) (including the cybersecurity
framework)
Title Date Pages Notes
Title: Computer Security Division, Computer Security Resource Center
Date: Ongoing
Pages: N/A
Notes: Compilation of laws, regulations, and directives from 2000-2007 that govern the creation
and implementation of federal information security practices. These laws and regulations provide
an infrastructure for overseeing implementation of required practices and charge NIST with
developing and issuing standards, guidelines, and other publications to assist federal agencies
in implementing the Federal Information Security Management Act (FISMA) of 2002 and in managing
cost-effective programs to protect their information and information systems.

Title: Assessing Security and Privacy Controls in Federal Information Systems and Organizations:
Building Effective Assessment Plans (SP 800-53A, rev. 4)
Date: December 12, 2014
Pages: 487
Notes: This is the final draft of the special publication meant to guide federal agencies in
assessing their security controls. Special Publication 800-53, Revision 4, puts forth a holistic
approach to information security and risk management by providing organizations with the breadth
and depth of security controls necessary to fundamentally strengthen their information systems
and the environments in which those systems operate, which will contribute to systems that are
more resilient in the face of cyberattacks and other threats. This “Build It Right” strategy is
coupled with a variety of security controls for continuous monitoring to give organizations near
real-time information that is essential for senior leaders making ongoing risk-based decisions
affecting their critical missions and business functions.

Title: Update on the Cybersecurity Framework
Date: December 5, 2014
Pages: 8
Notes: In a status update, NIST says there is widespread agreement among stakeholders that it is
too early to update the framework. NIST will consider producing additional guidance for using the
framework, including how to apply the little-understood four-tiered system for gauging
organizational cybersecurity program sophistication. In general, information and training
materials that advance framework use, including illustrative examples, will be an immediate
priority for NIST.

Title: NIST/NCCoE Establishment of a Federally Funded Research and Development Center
Date: September 22, 2014
Pages: N/A
Notes: The MITRE Corporation will run NIST’s cybersecurity Federally Funded Research and
Development Center (FFRDC) on a contract worth up to $5 billion over five years. MITRE already
operates six individual FFRDCs for agencies including the Department of Defense (DOD) and the
Federal Aviation Administration. It is also active in cybersecurity, managing the Common
Vulnerabilities and Exposures database, which catalogues software security flaws. In addition, it
developed specifications for the Structured Threat Information Expression (STIX) and Trusted
Automated Exchange of Indicator Information (TAXII) under contract from the Department of
Homeland Security (DHS).
Title: Guidelines for Smart Grid Cybersecurity, Smart Grid Cybersecurity Strategy, Architecture,
and High-Level Requirements
Date: September 2014
Pages: 668
Notes: This three-volume report, Guidelines for Smart Grid Cybersecurity, presents an analytical
framework that organizations can use to develop effective cybersecurity strategies tailored to
their particular combinations of smart grid-related characteristics, risks, and vulnerabilities.
Organizations in the diverse community of smart grid stakeholders—from utilities to providers of
energy management services to manufacturers of electric vehicles and charging stations—can use
the methods and supporting information presented in this report as guidance for assessing risk
and identifying and applying appropriate security requirements. This approach recognizes that the
electric grid is changing from a relatively closed system to a complex, highly interconnected
environment. Each organization’s cybersecurity requirements should evolve as technology advances
and as threats to grid security inevitably multiply and diversify.

Title: Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient
Systems
Date: May 13, 2014
Pages: 121
Notes: NIST has launched a four-stage process to develop detailed guidelines for “systems
security engineering,” adapting a set of widely used international standards for systems and
software engineering to the specific needs of security engineering. The agency has released the
first set of those guidelines for public comment in a new draft document.

Title: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS)
Implementations (SP 800-52r1)
Date: April 28, 2014
Pages: 67
Notes: TLS is a common method of encrypting web traffic and email that relies on public key
encryption. The federal government must upgrade its servers to handle version 1.1 of TLS and make
plans by January 2015 for handling web traffic encrypted using TLS 1.2. The Internet Engineering
Task Force approved TLS 1.2 in August 2008, but it is only recently that browsers have begun to
support it.

Title: National Cybersecurity Center of Excellence (NCCoE) and Electric Power Sector Identity
and Access Management Use Case
Date: March 18, 2014
Pages: 2
Notes: NIST invites organizations to provide products and technical expertise to support and
demonstrate security platforms for identity and access management for the electric-power sector.
This notice is the initial step for the NCCoE in collaborating with technology companies to
address cybersecurity challenges identified under the energy-sector program. Participation in the
use case is open to all interested organizations.

Title: Framework for Improving Critical Infrastructure Cybersecurity
Date: February 12, 2014
Pages: 41
Notes: The voluntary framework consists of cybersecurity standards that can be customized to
various sectors and adapted by both large and small organizations. Additionally, so that the
private sector may fully adopt this framework, DHS announced the Critical Infrastructure Cyber
Community (C3)—or “C-cubed”—voluntary program. The C3 program gives state and local governments
and companies that provide critical services such as cell phones, email, banking, and energy
direct access to cybersecurity experts within DHS who have knowledge about specific threats, ways
to counter those threats, and how, over the long term, to design and build systems that are less
vulnerable to cyber threats.
Title: Update on the Development of the Cybersecurity Framework
Date: January 15, 2014
Pages: 3
Notes: From the document, “While stakeholders have said they see the value of guidance relating
to privacy, many comments stated a concern that the methodology did not reflect consensus
private sector practices and therefore might limit use of the Framework. Many commenters also
stated their belief that privacy considerations should be fully integrated into the Framework
Core.”

Title: Proposed Establishment of a Federally Funded Research and Development Center
Date: January 10, 2014
Pages: 2
Notes: NIST intends to sponsor a FFRDC to facilitate public-private collaboration for
accelerating the widespread adoption of integrated cybersecurity tools and technologies. NIST
published three notices in the Federal Register advising the public of the agency’s intention to
sponsor an FFRDC and requesting comments from the public. This notice provides NIST’s analysis of
the comments related to its proposed establishment of the FFRDC received in response to those
notices.

Title: Designed-in Cyber Security for Cyber-Physical Systems
Date: November 20, 2013
Pages: 60
Notes: NIST and the Cybersecurity Research Alliance held a two-day workshop (April 4-5, 2013) for
industry, government, and academic cybersecurity researchers. The report’s findings lay out a
logical roadmap for designing security into varied Internet protocol-based systems and platforms
increasingly targeted by cyber attackers.

Title: Cybersecurity Framework
Date: October 22, 2013
Pages: 47
Notes: NIST seeks comments on the preliminary version of the Cybersecurity Framework. Under
Executive Order 13636, NIST is directed to work with stakeholders to develop such a framework to
reduce cyber risks to critical infrastructure.

Title: A Role-Based Model for Federal Information Technology/Cybersecurity Training (Draft
Special Publication 800-16 Revision 1)
Date: October 2013
Pages: 152
Notes: This guidance will assist managers at all levels to understand their responsibilities in
providing role-based cybersecurity training.

Title: Guide to Attribute Based Access Control Definition and Considerations (Draft SP 800-162)
Date: October 2013
Pages: 48
Notes: Improving information sharing while maintaining control over access to that information
is a primary goal of guidance coming from NIST.

Title: Discussion Draft of the Preliminary Cybersecurity Framework
Date: August 28, 2013
Pages: 36
Notes: The framework provides a common language and mechanism for organizations to (1) describe
current cybersecurity posture; (2) describe their target state for cybersecurity; (3) identify
and prioritize opportunities for improvement within the context of risk management; (4) assess
progress toward the target state; and (5) foster communications among internal and external
stakeholders.

Title: Proposed Establishment of a Federally Funded Research and Development Center-Third Notice
Date: July 16, 2013
Pages: 2
Notes: This is the third of three notices that must be published over a 90-day period to advise
the public of the agency’s intention to sponsor an FFRDC.

Title: DRAFT Outline—Preliminary Framework to Reduce Cyber Risks to Critical Infrastructure
Date: July 1, 2013
Pages: 5
Notes: This draft is produced for discussion purposes at workshops and to further encourage
private-sector input before NIST publishes a preliminary draft framework to reduce cyber risks to
critical infrastructure for public comment in October.
Title: Computer Security Incident Coordination (CSIC): Providing Timely Cyber Incident Response
Date: June 28, 2013
Pages: 3
Notes: NIST is seeking information relating to CSIC as part of the research needed to write a
NIST special publication to help computer security incident response teams (CSIRTs) coordinate
effectively when responding to computer-security incidents. The NIST special publication will
identify technical standards, methodologies, procedures, and processes that facilitate prompt and
effective response.

Title: Proposed Establishment of a Federally Funded Research and Development Center—Second
Notice
Date: June 21, 2013
Pages: 2
Notes: NIST intends to sponsor an FFRDC to facilitate public-private collaboration for
accelerating the widespread adoption of integrated cybersecurity tools and technologies. This is
the second of three notices that must be published over a 90-day period to advise the public of
the agency’s intention to sponsor an FFRDC.

Title: Update on the Development of the Cybersecurity Framework
Date: June 18, 2013
Pages: 3
Notes: NIST is seeking input about foundational cybersecurity practices, ideas for how to manage
needs related to privacy and civil liberties, and outcome-oriented metrics that leaders can use
in evaluating the position and progress of their organizations’ cybersecurity status. In a few
weeks, NIST expects to post an outline of the preliminary cybersecurity framework, including
existing standards and practices.

Title: Initial Analysis of Cybersecurity Framework RFI Responses
Date: May 15, 2013
Pages: 34
Notes: NIST released an initial analysis of 243 responses to the February 26 request for
information (RFI). The analysis will form the basis for a workshop at Carnegie Mellon University
in Pittsburgh as NIST moves forward on creating a cybersecurity framework for essential energy,
utility, and communications systems.

Title: Proposed Establishment of a Federally Funded Research and Development Center-First Notice
Date: April 22, 2013
Pages: 2
Notes: To help the NCCoE address industry’s needs most efficiently, NIST will sponsor its first
FFRDC to facilitate public-private collaboration for accelerating the widespread adoption of
integrated cybersecurity tools and technologies.

Title: Developing a Framework To Improve Critical Infrastructure Cybersecurity, Notice; Request
for Information
Date: February 26, 2013
Pages: 5
Notes: NIST announced the first step in the development of a cybersecurity framework, which will
be a set of voluntary standards and best practices to guide industry in reducing cyber risks to
the networks and computers that are vital to the nation’s economy, security, and daily life.

Title: Memorandum of Understanding (MOU)
Date: December 2, 2010
Pages: 4
Notes: The MOU, signed by NIST, DHS, and the Financial Services Sector Coordinating Council,
formalizes the parties’ intent to expedite the coordinated development and availability of
collaborative research, development, and testing activities for cybersecurity technologies and
processes based upon the financial services sector’s needs.
Source: Highlights compiled by CRS from the reports.

Table 14. Other Federal Agencies
Title Source Date Pages Notes
Title: Office of Cybersecurity and Communications (CS&C)
Source: Department of Homeland Security (DHS)
Date: Ongoing
Pages: N/A
Notes: CS&C works to prevent or minimize disruptions to critical information infrastructure to
protect the public, the economy, and government services. CS&C leads efforts to protect the
federal “.gov” domain of civilian government networks and to collaborate with the private
sector—the “.com” domain—to increase the security of critical networks.

Title: Continuous Diagnostic and Mitigation Program
Source: DHS
Date: Ongoing
Pages: N/A
Notes: An initiative to deploy continuous monitoring at U.S. federal government agencies will be
done in phases, with the initial rollout occurring over three years. The initial phase is aimed
at getting federal civilian agencies to employ continuous diagnostic tools to improve
vulnerability management, enforce strong compliance settings, manage hardware and software
assets, and establish white-listing of approved services and applications.

Title: Cybersecurity Collection
Source: The National Academies Press
Date: Ongoing
Pages: N/A
Notes: The prevention of cyberattacks on a nation’s important computer and communications system
and networks is a problem that looms large. To best prevent such attacks, this collection
explains the importance of increasing the usability of security technologies, recommends
strategies for future research aimed at countering cyberattacks, and considers how information
technology systems can be used to not only maximize protection against attacks but also respond
to threats.

Title: Cybersecurity Examination Sweep Summary
Source: Securities and Exchange Commission (SEC)
Date: February 3, 2015
Pages: 7
Notes: The SEC published findings from an assessment of more than 100 broker-dealers and
investment advisers initiated in April. More than 90% of broker firms and more than 80% of
advisers had written information security policies, the SEC said, with most brokerages and just
over half of advisers conducting audits. But less than one-third of brokerages and one-fifth of
advisers include written policies about responsibilities for client loss in the event of a cyber
incident. And although 84% of broker-dealers applied risk assessments to their vendors, only 32%
of advisers did.
Title: IT Security Suffers from Noncompliance
Source: DHS Inspector General
Date: December 22, 2014
Pages: 2
Notes: DHS has made progress in improving its information security program, but noncompliance by
several DHS component agencies is undermining that effort. The Office of the Inspector General
raised concerns over a lack of compliance by these components and urged DHS leadership to
strengthen its oversight and enforcement of existing security policies.

Title: Guidance on Maritime Cybersecurity Standards (Federal Register Notice of Public Meeting
and Request for Comments)
Source: U.S. Coast Guard
Date: December 12, 2014
Pages: 2
Notes: From the summary: “The U.S. Coast Guard announces a public meeting to be held in
Washington, DC, to receive comments on the development of cybersecurity assessment methods for
vessels and facilities regulated by the Coast Guard. This meeting will provide an opportunity for
the public to comment on development of security assessment methods that assist vessel and
facility owners and operators identify and address cybersecurity vulnerabilities that could cause
or contribute to a Transportation Security Incident. The Coast Guard will consider these public
comments in developing relevant guidance, which may include standards, guidelines, and best
practices to protect maritime critical infrastructure.”

Title: Federal Incident Reporting Guidelines
Source: United States Computer Emergency Readiness Team (US-CERT)
Date: October 1, 2014
Pages: 10
Notes: This guidance instructs federal agencies to classify incidents according to their impacts
rather than by categories of attack methods. It also modifies a 2007 requirement for agencies to
report to US-CERT within an hour any incident involving the loss of personally identifiable
information. Rather, agencies should notify US-CERT of a confirmed cyber incident within one hour
of it reaching the attention of an agency’s security operations center or IT department. The
Office of Management and Budget said in a concurrently released memo that losses of personally
identifiable information caused by nonelectronic means still need to be reported within an hour
of a confirmed breach but should be reported to the agency privacy office rather than US-CERT.

Title: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices
Source: Food and Drug Administration (FDA)
Date: October 1, 2014
Pages: 9
Notes: This guidance, first issued as a draft in June 2013, instructs manufacturers to “develop a
set of cybersecurity controls.” It also tells manufacturers to consider following the core
functions of the National Institute of Standards and Technology (NIST) cybersecurity framework, a
model for cybersecurity activities: identify, protect, detect, respond, and recover.
Title: Annual Assessment of the Internal Revenue Service's Information Technology Program
Source: Department of Treasury Inspector General for Tax Administration
Date: September 30, 2014
Pages: 45
Notes: The report identifies a list of security weaknesses in the systems of the Internal Revenue
Service (IRS) that support the Affordable Care Act. Security control weaknesses identified in the
audit could affect the IRS's ability to reliably process electronic reports submitted by insurers
and drug companies.

Title: Collaborative Approaches for Medical Device and Healthcare Cybersecurity; Public Workshop;
Request for Comments
Source: FDA
Date: September 23, 2014
Pages: 3
Notes: The FDA announced an October 21-22 workshop on collaborative approaches for medical device
and health care cybersecurity. The FDA, in collaboration with other stakeholders within the
Department of Health and Human Services (HHS) and DHS, seeks broad input from the Healthcare and
Public Health (HPH) sector on medical device and health care cybersecurity. The vision for this
public workshop is to catalyze collaboration among all HPH stakeholders.

Title: Health Insurance Marketplaces Generally Protected Personally Identifiable Information but
Could Improve Certain Information Security Controls
Source: DHS Office of Inspector General
Date: September 22, 2014
Pages: N/A
Notes: The websites and databases in some state health insurance exchanges are still vulnerable
to attack, putting personally identifiable information at risk. The report examined the website
and databases of the federal insurance exchange, as well as the state exchanges for Kentucky and
New Mexico.

Title: Energy Sector Cybersecurity Framework Implementation Guidance - Draft For Public Comment
and Comment Submission Form
Source: Department of Energy (DOE) Office of Electricity Delivery and Energy Reliability
Date: September 12, 2014
Pages: N/A
Notes: Energy companies need not choose between the NIST cybersecurity framework and the DOE’s
Cybersecurity Capability Maturity Model (C2M2). The NIST framework tells organizations to grade
themselves on a four-tier scale based on their overall cybersecurity program sophistication. C2M2
instructs users to assess cybersecurity control implementation across 10 domains of cybersecurity
practices, such as situational awareness, according to the users’ specific “maturity indicator
level.”

Title: Implementation Status of the Enhanced Cybersecurity Services Program
Source: DHS Office of Inspector General
Date: July 2014
Pages: 23
Notes: The National Protection Programs Directorate (NPPD) has made progress in expanding the
Enhanced Cybersecurity Services program. As of May 2014, 40 critical infrastructure entities were
participating in the program. Additionally, 22 companies had signed memorandums of agreement to
join the program. Although NPPD has made progress, the Enhanced Cybersecurity Services program
has been slow to expand because of limited outreach and resources. In addition, cyber threat
information sharing relies on NPPD’s manual reviews and analysis, which has led to inconsistent
cyber threat indicator quality.
Title: At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues
Source: National Academies Press
Date: May 13, 2014
Pages: 102
Notes: The report is a call for action to make cybersecurity a public safety priority. For a
number of years, the cybersecurity issue has received increasing public attention; however, most
policy focus has been on the short-term costs of improving systems. In its explanation of the
fundamentals of cybersecurity and the discussion of potential policy responses, this book will be
a resource for policymakers, cybersecurity and IT professionals, and anyone who wants to
understand threats to cyberspace.

Title: HHS activities to enhance cybersecurity
Source: HHS
Date: May 12, 2014
Pages: N/A
Notes: Additional oversight on cybersecurity issues from outside of HHS is not necessary,
according to an HHS report on its existing cyber regulatory policies. “All of the regulatory
programs identified [in the HHS Section 10(a) analysis] operate within particular segments of the
[Healthcare and Public Health] Sector,” the HHS report concluded. “Expanding any or each of these
authorities solely to address cybersecurity issues would not be appropriate or recommended.”

Title: Sharing Cyberthreat Information Under 18 USC § 2702(a)(3)
Source: Department of Justice
Date: May 9, 2014
Pages: 7
Notes: The Department of Justice issued guidance for Internet service providers to assuage legal
concerns about information sharing. The white paper interprets the Stored Communications Act,
which prohibits providers from voluntarily disclosing customer information to governmental
entities. The white paper says that the law does not prohibit companies from divulging data in
the aggregate, without any specific details about identifiable customers.

Title: Inadequate Practice and Management Hinder Department’s Incident Detection and Response
Source: Department of Commerce Office of Inspector General
Date: April 24, 2014
Pages: 15
Notes: Auditors sent a prolonged stream of deliberately suspicious network traffic to five
public-facing websites at the department to assess incident-detection capabilities. Only one
bureau—auditors do not say which—successfully moved to block the suspicious traffic. Responses at
the other bureaus ranged from no action to ineffective action, even for those that paid for
special security services from vendors.
Title: OCIE Cybersecurity Initiative
Source: Securities and Exchange Commission (SEC)
Date: April 15, 2014
Pages: 9
Notes: The SEC’s Office of Compliance Inspections and Examinations (OCIE) will be conducting
examinations of more than 50 registered broker-dealers and registered investment advisers,
focusing on the following: the entity’s cybersecurity governance; identification and assessment
of cybersecurity risks; protection of networks and information; risks associated with remote
customer access and funds transfer requests; risks associated with vendors and other third
parties; detection of unauthorized activity; and experiences with certain cybersecurity threats.

Title: Antitrust Policy Statement on Sharing of Cybersecurity Information
Source: Department of Justice and Federal Trade Commission
Date: April 10, 2014
Pages: 9
Notes: Information-sharing about cyber threats can be done lawfully as long as companies are not
discussing competitive information such as pricing, the Justice Department and Federal Trade
Commission said in a joint statement. “Companies have told us that concerns about antitrust
liability have been a barrier to being able to openly share cyber threat information,” said
Deputy Attorney General James Cole. “Antitrust concerns should not get in the way of sharing
cybersecurity information.”

Title: Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition
Source: General Services Administration (GSA) and Department of Defense (DOD)
Date: March 12, 2014
Pages: 1
Notes: On January 23, 2014, the GSA and DOD posted the final report of the Joint Working Group on
Improving Cybersecurity and Resilience through Acquisition on the two organizations’ websites.
The report makes six recommendations to improve cybersecurity and resilience in federal
acquisitions. An accompanying request for comments is being published to obtain stakeholder input
on how to implement the report’s recommendations.

Title: High-Risk Security Vulnerabilities Identified During Reviews of Information Technology
General Controls at State Medicaid Agencies
Source: HHS Office of Inspector General
Date: March 2014
Pages: 20
Notes: The report says dozens of high-risk security vulnerabilities found in information systems
at 10 state Medicaid agencies should serve as a warning to other states about the need to take
action to prevent fraud.

Title: Self-Regulatory Organizations; Chicago Board Options Exchange, Incorporated; Notice of
Withdrawal of Proposed Rule Change Relating to Multi-Class Spread Orders
Source: SEC
Date: February 24, 2014
Pages: 1
Notes: The SEC is soliciting comments on proposed amendments to the Financial Industry Regulatory
Authority’s (FINRA’s) arbitration codes to ensure that parties’ private information, such as
Social Security and financial account numbers, are redacted to include only the last four digits
of the number. The proposed amendments would apply only to documents filed with FINRA. They would
not apply to documents that parties exchange with each other or submit to the arbitrators at a
hearing on the merits.
Title: SEC to Hold Cybersecurity Roundtable
Source: SEC
Date: February 14, 2014
Pages: N/A
Notes: The SEC announced it will host a roundtable to discuss cybersecurity, the issues and
challenges cybersecurity raises for market participants and public companies, and how they are
addressing those concerns. The roundtable was held at the SEC’s Washington, DC, headquarters on
March 26, 2014, and was open to the public and webcast live on the SEC’s website.

Title: The Critical Infrastructure Cyber Community C³ Voluntary Program
Source: DHS
Date: February 12, 2014
Pages: N/A
Notes: The C³ Voluntary Program will serve as a point of contact and a customer relationship
manager to assist organizations with using the Cybersecurity Framework and guide interested
organizations and sectors to DHS and other public and private-sector resources to support use of
the framework.

Title: The Federal Government’s Track Record on Cybersecurity and Critical Infrastructure
Source: Senate Homeland Security and Governmental Affairs Committee (Minority Staff)
Date: February 4, 2013
Pages: 19
Notes: Since 2006, the federal government has spent at least $65 billion on securing its
computers and networks, according to an estimate by the Congressional Research Service. NIST, the
government’s official body for setting cybersecurity standards, has produced thousands of pages
of precise guidance on every significant aspect of IT security. And yet agencies—even agencies
with responsibilities for critical infrastructure or vast repositories of sensitive data—continue
to leave themselves vulnerable, often by failing to take the most basic steps toward securing
their systems and information.

Title: Improving Cybersecurity and Resilience through Acquisition
Source: General Services Administration (GSA) and the Department of Defense
Date: January 23, 2014
Pages: 24
Notes: The DOD and GSA jointly released a report announcing six planned reforms to improve the
cybersecurity and resilience of the Federal Acquisition System. The report provides a path
forward to aligning federal cybersecurity risk management and acquisition processes. It provides
strategic recommendations for addressing relevant issues, suggests how challenges might be
resolved, and identifies important considerations for the implementation of the recommendations.

Title: The Department of Energy’s July 2013 Cyber Security Breach
Source: DOE Inspector General
Date: December 2013
Pages: 28
Notes: The report states nearly eight times as many current and former Energy Department staff
members were affected by a July computer hack than was previously estimated, according to the
agency’s inspector general. In August, DOE estimated that the hack affected roughly 14,000
current and former staff, leaking personally identifiable information such as Social Security
numbers, birthdays, and banking information. But the breach apparently affected more than
104,000 people.
Improving Cybersecurity and Resilience through
GSA and DOD
January 23,
24
DOD and GSA jointly released a report announcing six planned
Acquisition
2014
reforms to improve the cybersecurity and resilience of the
Federal Acquisition System. The report provides a path forward
to aligning federal cybersecurity risk management and acquisition
processes. It provides strategic recommendations for addressing
relevant issues, suggests how challenges might be resolved, and
identifies important considerations for the implementation of
the recommendations.
Evaluation of DHS’ Information Security Program
DHS Inspector General
November 2013 50
The report reiterates that the agency uses outdated security
for Fiscal Year 2013
controls and Internet connections that are not verified as
trustworthy. In addition, the agency does not review its top-
secret information systems for vulnerabilities.
Immediate Opportunities for Strengthening the
President’s Council of
November 2013 31
The report recommends the government phase out insecure,
Nation’s Cybersecurity
Advisors on Science
outdated operating systems, like Windows XP, implement
and Technology
better encryption technology, and encourage automatic security
(PCAST)
updates, among other changes. PCAST also recommends, for
regulated industries, that the government help create
cybersecurity best practices and audit the adoption of these
practices. For independent agencies, the report suggests that
PCAST should write new rules that require businesses to report
their cyber improvements.
Federal Energy Regulatory Commission’s
DOE Office of
October 2013
13
From the report: “To help protect against continuing
Unclassified Cyber Security Program - 2013
Inspector General
cybersecurity threats, the commission estimated that it would
spend approximately $5.8 million during FY2013 to secure its
information technology assets, a 9% increase compared to
FY2012.... As directed by FISMA, the Office of Inspector General
conducted an independent evaluation of the Commission’s
unclassified cybersecurity program to determine whether it
adequately protected data and information systems. This report
presents the results of our evaluation for FY2013.”
CRS-112


Title Source
Date
Pages Notes
DHS’ Efforts to Coordinate the Activities of
DHS Inspector General
October 2013
29
DHS could do a better job sharing information among the five
Federal Cyber Operations Center
federal centers that coordinate cybersecurity work. The
department’s National Cybersecurity and Communications
Integration Center (NCCIC) is tasked with sharing information
about malicious activities on government networks with
cybersecurity offices within DOD, the Federal Bureau of
Investigation (FBI), and federal intelligence agencies. But the DHS
center and the five federal cybersecurity hubs do not all have
the same technology or resources, preventing them from having
shared situational awareness of intrusions or threats and
restricting their ability to coordinate responses. The centers
also have not created a standard set of categories for reporting
incidents.
Special Cybersecurity Workforce Project (Memo
Office of Personnel
July 8, 2013
N/A
The OPM is collaborating with the White House Office of
for Heads of Executive Departments and Agencies) Management (OPM)
Science and Technology Policy, the Chief Human Capital
Officers Council (CHCOC), and the Chief Information Officers
Council (CIOC) in implementing a special workforce project
that tasks federal agencies’ cybersecurity, information
technology, and human resources communities to build a
statistical data set of existing and future cybersecurity positions
in the OPM Enterprise Human Resources Integration (EHRI)
data warehouse by the end of FY2014.
Content of Premarket Submissions for
FDA
June 14, 2013
1
This guidance identifies cybersecurity issues that manufacturers
Management of Cybersecurity in Medical Devices,
should consider in preparing premarket submissions for medical
Notice
devices to maintain information confidentiality, integrity, and
availability.
DHS Can Take Actions to Address Its Additional
DHS
June 2013
26
The National Protection and Programs Directorate (NPPD) was
Cybersecurity Responsibilities
audited to determine whether the Office of Cybersecurity and
Communications had effectively implemented its additional
cybersecurity responsibilities to improve the security posture of
the federal government. Although it has made some progress,
NPPD can make further improvements to address its additional
cybersecurity responsibilities.
Mobile Security Reference Architecture
Federal CIO Council
May 23, 2013
103
Gives agencies guidance in the secure implementation of mobile
and DHS
solutions through their enterprise architectures. The document
provides in-depth reference architecture for mobile computing.
CRS-113


Title Source
Date
Pages Notes
Privacy Impact Assessment for EINSTEIN 3 -
DHS
April 19, 2013
27
DHS will deploy EINSTEIN 3 Accelerated (E3A) to enhance
Accelerated (E3A)
cybersecurity analysis, situational awareness, and security
response. Under the direction of DHS, Internet service
providers will administer intrusion prevention and threat-based
decision-making on network traffic entering and leaving
participating federal civilian executive branch agency networks.
This Privacy Impact Assessment (PIA) is being conducted
because E3A will include analysis of federal network traffic,
which may contain personally identifiable information.
DHS Secretary’s Honors Program: Cyber Student
DHS
April 18, 2013
2
The Cyber Student Initiative program will begin at Immigration
Initiative
and Customs Enforcement computer forensic labs in 36 cities
nationwide, where students will be trained and gain hands-on
experience within the department’s cybersecurity community.
The unpaid volunteer program is only available to community
col ege students and veterans pursuing a degree in the
cybersecurity field.
Regulation Systems Compliance and Integrity
SEC
March 25, 2013
104
The SEC is examining the exposure of stock exchanges,
brokerages, and other Wall Street firms to cyberattacks. The
proposed rule asks whether stock exchanges should be required
to tell members about breaches of critical systems. More than
half of exchanges surveyed globally in 2012 said they had
experienced a cyberattack, and 67% of U.S. exchanges said a
hacker tried to penetrate their systems.
National Level Exercise 2012: Quick Look Report
Federal Emergency
March 2013
22
National Level Exercise (NLE) 2012 was a series of exercise
Management Agency
events that examined the ability of the United States to execute
a coordinated response to a series of significant cyber incidents.
As a part of the National Exercise Program, NLE 2012
emphasized the shared responsibility among all levels of
government, the private sector, and the international community
to secure cyber networks and coordinate responses and
recovery actions. The NLE 2012 series was focused on
examining four major themes: planning and implementation of
the draft National Cyber Incident Response Plan (NCIRP),
coordination among governmental entities, information sharing,
and decision making.
CRS-114


Title Source
Date
Pages Notes
Measuring What Matters: Reducing Risks by
National Academy of
March 2013
39
Rather than periodical y auditing whether an agency’s systems
Rethinking How We Evaluate Cybersecurity
Public Administration
meet the standards enumerated in FISMA at a static moment in
and Safegov.org
time, agencies and their inspectors general should keep running
scorecards of “cyber risk indicators” based on continual
information governance assessments of a federal organization’s
cyber vulnerabilities.
Fol ow-up Audit of the Department’s Cyber
DOE Inspector General December 2012
25
From the report: “In 2008, we reported in The Department’s
Security Incident Management Program
Cyber Security Incident Management Program (DOE/IG-0787,
January 2008) that the Department and NNSA established and
maintained a number of independent, at least partially
duplicative, cyber security incident management capabilities.
Although certain actions had been taken in response to our
prior report, we identified several issues that limited the
efficiency and effectiveness of the Department’s cyber security
incident management program and adversely impacted the ability
of law enforcement to investigate incidents. For instance, we
noted that the Department and NNSA continued to operate
independent, partially duplicative cyber security incident
management capabilities at an annual cost of more than $30
million. The issues identified were due, in part, to the lack of a
unified, Department-wide cyber security incident management
strategy. In response to our finding, management concurred with
the recommendations and indicated that it had initiated actions
to address the issues identified.”
Secure and Trustworthy Cyberspace (SaTC)
National Science
October 4,
N/A
This grant program seeks proposals that address cybersecurity
Program Solicitation
Foundation and the
2012
from three different perspectives: “a Trustworthy Computing
National Science and
Systems perspective (TWC); a Social, Behavioral and Economic
Technology Council
Sciences perspective (SBE); and a Transition to Practice
perspective (TPP).”
Annual Report to Congress 2012: National
Information Sharing
June 30, 2012
188
From the report, “This Report, which PM-ISE is submitting on
Security Through Responsible Information Sharing
Environment
behalf of the President, incorporates input from our mission
partners and uses their initiatives and PM-ISE’s management
activities to provide a cohesive narrative on the state and
progress of terrorism-related responsible information sharing,
including its impact on our collective ability to secure the nation
and our national interests.”
CRS-115


Title Source
Date
Pages Notes
Cybersecurity: CF Disclosure Guidance: Topic No. SEC
October 13,
N/A
This document presents the views of the Division of
2
2011
Corporation Finance regarding “disclosure obligations relating to
cybersecurity risks and cyber incidents.” This guidance is not a
rule, regulation, or statement of the SEC, and the commission
has neither approved nor disapproved its content.
Source: Highlights compiled by CRS from the reports.
Table 15. State, Local, and Tribal Governments

Title: Getting Started for State, Local, Tribal, and Territorial (SLTT) Governments
Source: United States Computer Emergency Readiness Team (US-CERT)
Date: Ongoing
Pages: N/A
Notes: A list of resources available to state, local, tribal, and territorial governments that have been aligned to the five Cybersecurity Framework function areas. Some resources and programs align to more than one function area. This page will be updated as additional resources—from the Department of Homeland Security (DHS), other federal agencies, and the private sector—are identified.

Title: NASCIO 2015 Federal Advocacy Priorities
Source: National Association of State Chief Information Officers (NASCIO)
Date: January 22, 2015
Pages: 5
Notes: NASCIO states that cybersecurity is its top priority for the federal government to address this year—including through coordination with states on combating cyberthreats.

Title: 100 Resilient Cities and Microsoft Announce Partnership to Help Cities Build Cybersecurity
Source: 100 Resilient Cities and Microsoft
Date: January 15, 2015
Pages: N/A
Notes: Microsoft will help cities improve their cybersecurity as a new partner to the 100 Resilient Cities project from the Rockefeller Foundation. The partnership will bring Microsoft aboard 100RC as a “platform partner,” organizations that offer tools to promote resiliency to cities worldwide. Microsoft said the partnership will be an expansion of its CityNext initiative, which helps cities implement social, mobile, cloud, and data technology solutions.

Title: State Governments at Risk: Time to Move Forward: 2014 Deloitte-NASCIO Cybersecurity Study
Source: Deloitte and Touche and National Association of State Chief Information Officers (NASCIO)
Date: October 2014
Pages: 32
Notes: A majority of elected officials in state governments are confident in their abilities to defend against cyber threats, but only one-quarter of state chief information security officers (CISOs) feel the same way, according to a new survey. In the survey of 49 state CISOs or their equivalents and 186 other state officials, barriers to cybersecurity that were cited included low budgets and difficulty recruiting top talent. Three-quarters of the CISOs surveyed said lack of sufficient funding is a major barrier to addressing cyber threats, although almost half said cybersecurity budgets have increased year over year.

Title: Cybersecurity and Connecticut’s Public Utilities
Source: Connecticut Public Utilities Regulatory Authority
Date: April 14, 2014
Pages: 31
Notes: The document is a plan for Connecticut’s utilities to help strengthen defense against possible future threats, such as a cyberattack. Connecticut is the first state to present a cybersecurity strategy in partnership with the utilities sector and will share it with other states working on similar plans. Among other findings, the report recommends that Connecticut commence self-regulated cyber audits and reports and move toward a third-party audit and assessment system. The report also makes recommendations regarding local and regional regulatory roles, emergency drills and training, coordinating with emergency management officials, and handling confidential information.

Title: State and Local Government Cybersecurity
Source: White House Blog
Date: April 2, 2014
Pages: N/A
Notes: The White House in March 2014 convened a broad array of stakeholders, including government representatives, local-government-focused associations, private-sector technology companies, and partners from multiple federal agencies, at the State and Local Government Cybersecurity Framework Kickoff Event.

Title: State Cybersecurity Resource Guide: Awareness, Education and Training Initiatives
Source: NASCIO
Date: October 2013
Pages: 64
Notes: The guide includes new information from NASCIO’s state members, who provided examples of state awareness programs and initiatives. This is an additional resource of best-practice information, together with an interactive state map to allow users to drill down to the actual resources that states have developed or are using to promote cyber awareness. It includes contact information for the CISOs; hyperlinks to state security and security awareness pages; and information describing cybersecurity awareness, training, and education initiatives.

Title: Cybersecurity for State Regulators 2.0 with Sample Questions for Regulators to Ask Utilities
Source: National Association of Regulatory Utility Commissioners
Date: February 2013
Pages: 31
Notes: State commissions tasked with regulating local distribution utilities are slow to respond to emerging cybersecurity risks. The annual membership directory of state utility regulators lists hundreds of key staff members of state commissions throughout the country, but not a single staff position had “cybersecurity” in the title.

Title: Federal Support for and Involvement in State and Local Fusion Centers
Source: U.S. Senate Permanent Subcommittee on Investigations
Date: October 3, 2012
Pages: 141
Notes: A two-year bipartisan investigation found that DHS efforts to engage state and local intelligence “fusion centers” have not yielded significant useful information to support federal counterterrorism intelligence efforts. In Section VI, “Fusion Centers Have Been Unable to Meaningfully Contribute to Federal Counterterrorism Efforts,” Part G, “Fusion Centers May Have Hindered, Not Aided, Federal Counterterrorism Efforts,” the report discusses the Russian “cyberattack” in Illinois.

Source: Highlights compiled by CRS from the reports.



Related Resources: Other Websites
This section contains other cybersecurity resources, including U.S. government, international,
news sources, and other associations and institutions.
Table 16. Related Resources: Congressional and Government

Name: Integrated Intelligence Center (IIC)
Source: Center for Internet Security
Notes: Serves as a resource for state, local, tribal, and territorial government partners to engage in a collaborative information sharing and analysis environment on cybersecurity issues. Through this initiative, the IIC provides fusion centers, homeland security advisors, and law enforcement entities with access to a broad range of cybersecurity products, reflecting input from many sources.

Name: Computer Security Resource Center
Source: National Institute of Standards and Technology (NIST)
Notes: Links to NIST resources, publications, and computer security groups.

Name: Congressional Cybersecurity Caucus
Source: Led by Representatives Jim Langevin and Mike McCaul
Notes: Provides statistics, news on congressional cyberspace actions, and links to other information websites.

Name: Cybersecurity
Source: White House National Security Council
Notes: Links to White House policy statements, key documents, videos, and blog posts.

Name: Cybersecurity
Source: National Telecommunications and Information Administration (U.S. Department of Commerce)
Notes: The Department of Commerce’s Internet Policy Task Force is conducting a comprehensive review of the nexus between cybersecurity challenges in the commercial sector and innovation in the Internet economy.

Name: Cybersecurity and Information System Trustworthiness
Source: National Academy of Sciences, Computer Science and Telecommunications Board (CSTB)
Notes: A list of CSTB’s independent and informed reports on cybersecurity and public policy.

Name: Getting Started for State, Local, Tribal, and Territorial (SLTT) Governments
Source: United States Computer Emergency Readiness Team (U.S. CERT)
Notes: The resources are available to state, local, tribal, and territorial governments. These resources have been aligned to the five Cybersecurity Framework function areas. Some resources and programs align to more than one function area. This page will be updated as additional resources—from the Department of Homeland Security (DHS), other federal agencies, and the private sector—are identified.

Name: President’s National Security Telecommunications Advisory Committee (NSTAC)
Source: DHS
Notes: NSTAC’s goal is to develop recommendations to the President to assure vital telecommunications links through any event or crisis and to help the U.S. government maintain a reliable, secure, and resilient national communications posture.

Name: Office of Cybersecurity and Communications (CS&C)
Source: DHS
Notes: CS&C works to prevent or minimize disruptions to critical information infrastructure in order to protect the public, the economy, and government services. CS&C leads efforts to protect the federal “.gov” domain of civilian government networks and to collaborate with the private sector—the “.com” domain—to increase the security of critical networks.

Name: Cyber Domain Security and Operations
Source: U.S. Department of Defense
Notes: Links to press releases, fact sheets, speeches, announcements, and videos.

Name: U.S. Cyber-Consequences Unit (U.S.-CCU)
Source: U.S. Cyber-Consequences Unit
Notes: U.S.-CCU, a nonprofit 501c(3) research institute, provides assessments of the strategic and economic consequences of possible cyberattacks and cyber-assisted physical attacks. It also investigates the likelihood of such attacks and examines the cost-effectiveness of possible counter-measures.

Source: Highlights compiled by CRS from the reports.


Table 17. Related Resources: International Organizations

Name: Center for Internet Security (Australia)
Source: Australian Communications and Media Authority
Notes: The Australian Internet Security Initiative (AISI) is an anti-botnet initiative that collects data on botnets in collaboration with Internet service providers and two industry codes of practice.

Name: Cybercrime
Source: Council of Europe
Notes: Links to the Convention on Cybercrime treaty, standards, news, and related information.

Name: Cybersecurity Gateway
Source: International Telecommunications Union (ITU)
Notes: ITU’s Cybersecurity Gateway aims to be a collaborative platform, providing and sharing information between partners in civil society, private sector, governmental, and international organizations working in different work areas of cybersecurity.

Name: Cybercrime Legislation - Country Profiles
Source: Council of Europe
Notes: These profiles have been prepared within the framework of the Council of Europe’s Project on Cybercrime in view of sharing information on cybercrime legislation and assessing the current state of implementation of the Convention on Cybercrime under national legislation.

Name: ENISA: Securing Europe’s Information Society
Source: European Network and Information Security Agency (ENISA)
Notes: ENISA informs businesses and citizens in the European Union about cybersecurity threats, vulnerabilities, and attacks. (Requires free registration to access.)

Name: International Cyber Security Protection Alliance (ICSPA)
Source: ICSPA
Notes: A global not-for-profit organization that aims to channel funding, expertise, and assistance directly to law enforcement cybercrime units around the world.

Name: NATO Cooperative Cyber Defence Centre of Excellence (CCD COE) (Tallinn, Estonia)
Source: North Atlantic Treaty Organization (NATO)
Notes: The center is an international effort that currently includes Estonia, Latvia, Lithuania, Germany, Hungary, Italy, the Slovak Republic, and Spain as sponsoring nations to enhance NATO’s cyberdefense capability.

Source: Highlights compiled by CRS from the reports.


Table 18. Related Resources: News

Name                                 Source
Computer Security (Cybersecurity)    New York Times
Cybersecurity                        NextGov.com
Cyberwarfare and Cybersecurity       Benton Foundation
Homeland Security                    Congressional Quarterly (CQ)
Cybersecurity                        Homeland Security News Wire
Table 19. Related Resources: Other Associations and Institutions

Name: Council on Cybersecurity
Notes: The council, based in the Washington, DC, area, is the successor organization to the National Board of Information Security Examiners (NBISE), founded in the United States in 2010 to identify and strengthen the skills needed to improve the performance of the cybersecurity workforce. The council will also be home to the U.S. Cyber Challenge, formerly a program of NBISE, which works with the cybersecurity community to bring accessible, compelling programs that motivate students and professionals to pursue education, development, and career opportunities in cybersecurity.

Name: Cyber Aces Foundation
Notes: Offers challenging and realistic cybersecurity competitions, training camps, and educational initiatives through which high school and college students and young professionals develop the practical skills needed to excel as cybersecurity practitioners.

Name: Cybersecurity from the Center for Strategic and International Studies (CSIS)
Notes: Links to experts, programs, publications, and multimedia. CSIS is a bipartisan, nonprofit organization whose affiliated scholars conduct research and analysis and develop policy initiatives that look to the future and anticipate change.

Name: Cyberconflict and Cybersecurity Initiative from the Council on Foreign Relations
Notes: Focuses on the relationship between cyberwar and the existing laws of war and conflict; how the United States should engage other states and international actors in pursuit of its interests in cyberspace; how the promotion of the free flow of information interacts with the pursuit of cybersecurity; and the private sector’s role in defense, deterrence, and resilience.

Name: Cyber Corps: Scholarship For Service (SFS)
Notes: SFS is designed to increase and strengthen the cadre of federal information assurance professionals that protect the government’s critical information infrastructure. This program provides scholarships that fully fund the typical costs that students pay for books, tuition, and room and board while attending an approved institution of higher learning.

Name: Institute for Information Infrastructure Protection (I3P)
Notes: I3P is a consortium of leading universities, national laboratories, and nonprofit institutions. It assembles multidisciplinary and multi-institutional research teams able to bring in-depth analysis to complex and pressing problems. Research outcomes are shared at I3P-sponsored workshops, professional conferences, and in peer-reviewed journals, as well as via technology transfer to end-users.

Name: Internet Security Alliance (ISA)
Notes: ISA is a nonprofit collaboration between the Electronic Industries Alliance, a federation of trade associations, and Carnegie Mellon University’s CyLab.

Name: National Association of State Chief Information Officers (NASCIO)
Notes: NASCIO provides state chief information officers (CIOs) and state members with products and services designed to support the challenging role of the state CIO, stimulate the exchange of information, and promote the adoption of IT best practices and innovations. The resource guide provides examples of state awareness programs and initiatives.

Name: National Initiative for Cybersecurity Education (NICE)
Notes: The goal of NICE is to establish an operational, sustainable, and continually improving cybersecurity education program for the nation to use sound cyber practices that will enhance the nation’s security. The National Institute of Standards and Technology (NIST) is leading the NICE initiative, including more than 20 federal departments and agencies, to ensure coordination, cooperation, focus, public engagement, technology transfer, and sustainability.

Name: National Security Cyberspace Institute (NSCI)
Notes: NSCI provides education, research, and analysis services to government, industry, and academic clients aiming to increase cyberspace awareness, interest, knowledge, and capabilities.

Name: U.S. Cyber Challenge (USCC)
Notes: USCC’s goal is to find 10,000 of America’s best and brightest to fill the ranks of cybersecurity professionals where their skills can be of the greatest value to the nation.

Source: Highlights compiled by CRS from the reports of related associations and institutions.





Author Contact Information

Rita Tehan

Information Research Specialist
rtehan@crs.loc.gov, 7-6739

Key Policy Staff

The following table provides names and contact information for CRS experts on policy issues related to
cybersecurity bills currently being debated in the 114th Congress.
Legislative Issues                                      Name/Title                  Phone    Email
Legislation in the 113th Congress                       Eric A. Fischer             7-7071   efischer@crs.loc.gov
Critical infrastructure protection                      John D. Moteff              7-1435   jmoteff@crs.loc.gov
Chemical industry                                       Dana Shea                   7-6844   dshea@crs.loc.gov
Defense industrial base                                 Catherine A. Theohary       7-0844   ctheohary@crs.loc.gov
Electricity grid                                        Richard J. Campbell         7-7905   rcampbell@crs.loc.gov
Financial institutions                                  N. Eric Weiss               7-6209   eweiss@crs.loc.gov
Industrial control systems                              Dana Shea                   7-6844   dshea@crs.loc.gov
Cybercrime
  Federal laws                                          Charles Doyle               7-6968   cdoyle@crs.loc.gov
  Law enforcement                                       Kristin M. Finklea          7-6259   kfinklea@crs.loc.gov
Cybersecurity workforce                                 Wendy Ginsberg              7-3933   wginsberg@crs.loc.gov
Cyberterrorism                                          Catherine A. Theohary       7-0844   ctheohary@crs.loc.gov
Cyberwar                                                Catherine A. Theohary       7-0844   ctheohary@crs.loc.gov
Data breach notification                                Gina Stevens                7-2581   gstevens@crs.loc.gov
Economic issues                                         N. Eric Weiss               7-6209   eweiss@crs.loc.gov
Espionage
  Advanced persistent threat                            Catherine A. Theohary       7-0844   ctheohary@crs.loc.gov
  Economic and industrial                               Kristin M. Finklea          7-6259   kfinklea@crs.loc.gov
  Legal issues                                          Brian T. Yeh                7-5182   byeh@crs.loc.gov
  State-sponsored                                       Catherine A. Theohary       7-0844   ctheohary@crs.loc.gov
Federal agency roles                                    Eric A. Fischer             7-7071   efischer@crs.loc.gov
Chief Information Officers (CIOs)                       Patricia Maloney Figliola   7-2508   pfigliola@crs.loc.gov
Commerce                                                John F. Sargent, Jr.        7-9147   jsargent@crs.loc.gov
Defense (DOD)                                           Catherine A. Theohary       7-0844   ctheohary@crs.loc.gov
Executive Office of the President (EOP)                 John D. Moteff              7-1435   jmoteff@crs.loc.gov
Homeland Security (DHS)                                 John D. Moteff              7-1435   jmoteff@crs.loc.gov
Intelligence Community (IC)                             John Rollins                7-5529   jrollins@crs.loc.gov
Justice (DOJ)                                           Kristin M. Finklea          7-6259   kfinklea@crs.loc.gov
National Security Agency (NSA)                          Catherine A. Theohary       7-0844   ctheohary@crs.loc.gov
Science agencies (NIST, NSF, OSTP)                      Eric A. Fischer             7-7071   efischer@crs.loc.gov
Treasury and financial agencies                         Rena S. Miller              7-0826   rsmiller@crs.loc.gov
Federal Information Security Management Act (FISMA)     John D. Moteff              7-1435   jmoteff@crs.loc.gov
Federal Internet monitoring                             Richard M. Thompson II      7-8449   rthompson@crs.loc.gov
Hacktivism                                              Kristin M. Finklea          7-6259   kfinklea@crs.loc.gov
Information sharing                                     Eric A. Fischer             7-7071   efischer@crs.loc.gov
Antitrust laws                                          Kathleen Ann Ruane          7-9135   kruane@crs.loc.gov
Civil liability                                         Edward C. Liu               7-9166   eliu@crs.loc.gov
Classified information                                  John Rollins                7-5529   jrollins@crs.loc.gov
Freedom of Information Act (FOIA)                       Gina Stevens                7-2581   gstevens@crs.loc.gov
Privacy and civil liberties                             Gina Stevens                7-2581   gstevens@crs.loc.gov
International cooperation
  Defense and diplomatic                                Catherine A. Theohary       7-0844   ctheohary@crs.loc.gov
  Law enforcement                                       Kristin M. Finklea          7-6259   kfinklea@crs.loc.gov
National strategy and policy                            Eric A. Fischer             7-7071   efischer@crs.loc.gov
National security                                       John Rollins                7-5529   jrollins@crs.loc.gov
Public/private partnerships                             Eric A. Fischer             7-7071   efischer@crs.loc.gov
Supply chain                                            Eric A. Fischer             7-7071   efischer@crs.loc.gov
Technological issues                                    Eric A. Fischer             7-7071   efischer@crs.loc.gov
Botnets                                                 Eric A. Fischer             7-7071   efischer@crs.loc.gov
Cloud computing                                         Patricia Maloney Figliola   7-2508   pfigliola@crs.loc.gov
Mobile devices                                          Patricia Maloney Figliola   7-2508   pfigliola@crs.loc.gov
Research and development (R&D)                          Patricia Maloney Figliola   7-2508   pfigliola@crs.loc.gov