Updated December 14, 2018
Cybersecurity: An Introduction
Introduction
When users go online they might work with their bank, get
The past decade has seen a rapid increase in both the utility
their email, conduct business, or get the news by accessing
and risk from networked devices. The very tools Americans
services. But those services don’t exist independently.
use to chat with loved ones and make purchases are the
Those services rely on a common infrastructure of servers
same tools which can be turned against them to deny access
and switches, miles of cabling, wireless spectrum, and
to services, steal their information, or compromise the
routers. That same infrastructure is used by other services
digital system they trust.
too, such as utilities and shipping to ensure products arrive
as intended—or by businesses to develop new products
These tools exist in cyberspace, and the security of that
more efficiently and manage their operations. The entire
environment is a large endeavor involving government, the
infrastructure and all those services that are part of
private sector, international partners, and others.
cyberspace exist to deliver an experience to a user, a
human.
This In Focus provides an overview of cybersecurity for
policymaking purposes, describes issues that cybersecurity
Thus, from a policymaking standpoint cybersecurity can be
affects, and discusses potential actions Congress could take.
considered the security of cyberspace—which includes the
devices, infrastructure, data, and users that make it up. To
The Nature of Cybersecurity
support cybersecurity policymaking, adjacent fields provide
The term “cyber” is frequently attached to a variety of
valuable insight. Education, workforce management,
security issues, underscoring that issues surrounding cyber
investment, entrepreneurship, and research and
management and security are big and complicated.
development are necessary to get a product to market.
Developers, law enforcement, intelligence, incident
To highlight how big it is, consider a single smartphone. An
response, and national defense are necessary to respond
American company may have designed the device, but the
when something goes awry in cyberspace.
device may be built by a different company abroad using
material from yet another country. The phone runs on
Threats
software built by one company but modern operating
The nation faces many threats with an array of capabilities
systems borrow code from other companies. Once a user
and capacities to carry out attacks. Threat actors may target
has the device it will likely be connected to a variety of
the elements of cyberspace (e.g., networks, data, services,
networks such as a home wireless network, a corporate
and users). However, they may also use these elements to
network, and a cellular network. Each of these networks has
attack industry through cyberspace.
its own infrastructure, but also share common Internet
infrastructure. The user will also install applications that
For instance, a hacker operating independently or under a
contain code and use infrastructure by yet another myriad
nation-state’s instruction may target a hospital. The hacker
of companies. Placing users at the center, there are large
may send ransomware to a hospital to extort payment
and intricate systems to create these devices and others to
before the hospital can regain access to its files and devices.
ensure those devices work.
But during that attack the hacker may also install a tool on
the hospital’s network, providing persistent access they will
To highlight how complicated it is, consider that the federal
use to steal data, including patient information and their
government does not have a consensus definition of
transactions. The hacker can use that information to identify
cybersecurity. One entity—the Commission on Enhancing
additional targets. In this scenario the hacker has attacked
National Cybersecurity—defined cybersecurity as
the hospital network, networked medical devices, and
patient data.
The process of protecting information and
information systems by preventing, detecting, and
Each year the Director of National Intelligence (DNI)
responding to unauthorized access, use, disclosure,
delivers the Intelligence Community’s “Worldwide Threat
disruption, modification, or destruction in order to
Assessment” to Congress. For the past few years the
provide confidentiality, integrity, and availability.
Director has addressed “cyber” as the first and most
significant risk in the statement. In 2016, the DNI listed
While this definition may be suitable for system
threats by the risk they pose, starting with the countries of
administrators and other information technology
Russia, China, Iran, and North Korea before describing all
professionals, it does not account for relevant policymaking
manner of non-state actors (such as criminal organizations,
considerations. Essentially, cybersecurity is the security of
lone-wolf(s) and terrorists) in a single group. This order
cyberspace. Therefore, it is equally important to understand
considers the actor’s technical capability, willingness to
cyberspace.
conduct cyber operations, and effectiveness as a threat to
national security.
https://crsreports.congress.gov
Cybersecurity: An Introduction
Policy Areas
between all these parties through agreements, contracts,
Given that cybersecurity is a large and complex issue area,
treaties, or other pacts creates a complex layer of
separating it down to sub-issue areas can help in both
responsibility and accountability for cyberspace.
understanding problems and crafting solutions. Four areas
to consider are information and system security, device
International Relations
security, governance, and international relations.
The Internet is a global network, where a packet of data
originating from one country can move into another at the
Information and System Security
speed of light. The devices that make up the infrastructure
Computer scientists view security through three attributes:
of the Internet have a global supply chain. The software
those devices require to operate are often created by an
Confidentiality: that data is only known to authorized
international workforce. Policies that one country
parties. A data breach is an example of how
establishes may have market effects in another.
confidentiality is compromised, while encryption is a
tool used to ensure confidentiality.
The Internet-of-Things (IOT) highlights the international
nature of cybersecurity. Devices may be built in one
Integrity: that data and systems are not altered without
country to the standards of another where they will be sold.
authorization. Data manipulation is an example of how
But, since they connect to the Internet, they may become
integrity is breached, while data-checking tools, such as
infected with malware from a third country, and be used
hashing, ensure one can verify the integrity of data.
against users in a fourth—all with little user action.
Availability: that data and systems are available to
authorized parties when they choose. Ransomware
Policy Considerations
attacks availability; backups are a tool to support data
In crafting policy options to address cybersecurity issues
availability.
Congress has many opportunities to approach solutions.
Below is a list of possible actions Congress may take for
These three attributes can be examined in the context of
cybersecurity (in alphabetical order).
election infrastructure. If an adversary were to gain access
to a state’s voter rolls and learn sensitive information (such
Conduct Oversight. Congress has direct oversight over the
as a voter’s voting history) that incident would affect
operations of the federal government, including the security
confidentiality. Manipulating a voting machine to record a
of agencies’ information technology and data. Congress
vote that the voter did not intend is an example of an
may choose to call hearings and solicit testimony from non-
integrity attack. Bombarding news organizations and State
governmental organizations to ensure the cybersecurity of
agencies with Internet traffic so votes could not be tallied is
the nation, which includes the security of critical
an example of an availability attack.
infrastructure and consumer data protection.
Related to integrity is the concept of authentication or that
Develop a Program. Congress may choose to establish a
one can verify data is from a trusted source. The Internet
program to address a facet of cybersecurity by authorizing
was built using technologies that assume the trust of its
an agency to do such work and appropriating funds for it.
users, but as the Internet has grown into a global network,
anonymity and data manipulation have proliferated,
Establish Rights. Congress may choose to establish the
complicating the options a user has when determining the
conditions for the use of technology, such as legal
validity of online information.
requirements for data privacy, retention, and use.
Device Security
Incentivize Behavior. Congress may choose to incentivize
Similar to data security, the security of the system (e.g., the
the behavior of manufacturers, developers, vendors, or
application, servers, routers, appliances, devices) can also
consumers either directly (such as through a grant program)
be understood through the lenses of confidentiality,
or indirectly (such as by providing liability protections).
integrity, and availability. For an Internet-connected device
One way Congress may choose to incentivize behavior is
which monitors a building’s energy use, the utility and
through the tax code. Congress could adjust the tax code to
customer will want to ensure data on the device is only
impose a penalty or provide a benefit (e.g., tax credit) for
accessible to them (confidentiality), the device accurately
certain actions an individual or organization makes to
states how much energy is used (integrity), and the device
improve cybersecurity.
is always monitoring usage (availability).
Regulate Industry. Congress may choose to direct an
Governance
industry to adopt standards or best practices, or participate
Many different entities are involved in cybersecurity.
in information sharing.
Government entities with regulatory authority may choose
to exercise that authority by examining an industry’s
Study the Issue. Congress may choose to spur activity by
cybersecurity activities. Manufacturers may choose to adopt
directing agencies to develop a report or strategy.
standards and best practices. Users may be savvy or
oblivious to their cybersecurity risk. Network access and
Chris Jaikaran, Analyst in Cybersecurity Policy
services providers may provide products which mitigate
cybersecurity risk or transfer that risk to another party, such
IF10559
as to an insurer or to a security company. The interaction
https://crsreports.congress.gov
Cybersecurity: An Introduction
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.
https://crsreports.congress.gov | IF10559 · VERSION 3 · UPDATED