Updated December 15, 2020
Cybersecurity: A Primer
Introduction

There is a continued increase in both the utility and risk from networked devices. The very tools Americans use to chat with loved ones and make purchases are the same tools which can be turned against them to deny access to services, steal their information, or compromise the digital system they trust.

These tools exist in cyberspace, and the security of that environment is a large endeavor involving government, the private sector, international partners, and others.

This In Focus provides an overview of cybersecurity for policymaking purposes, describes issues that cybersecurity affects, and discusses potential actions Congress could take.

The Nature of Cybersecurity

The term “cyber” is frequently attached to a variety of security issues, underscoring that issues surrounding the management of cyberspace and its security are big and complicated.

As an example, consider a single smartphone. An American company may have designed the device, but the device may be built by a different company abroad using material from yet another country. The phone runs on software built by one company, but modern operating systems borrow code from other companies and developers. Once a user has the device it will likely be connected to a variety of networks such as a home wireless network, a corporate network, and a cellular network. Each of these networks has its own infrastructure, but also shares common internet infrastructure. The user will also install applications that contain code and use infrastructure by yet other myriad companies. Imagining users at the center, one can see large and intricate systems on one side and the other to create these devices and ensure those devices work.

To highlight how complicated it is, consider that the federal government does not have a single definition of cyberspace or cybersecurity. Recently, the Cyberspace Solarium Commission defined “cyber” as

“Relating to, involving, or characteristic of computers, computer networks, information and communications technology (ICT), virtual systems, or computer-enabled control of physical components.”

While this definition may be suitable for a broad discussion about information technology, it does not account for relevant policymaking considerations concerning cybersecurity. Essentially, cybersecurity is the security of cyberspace.

When users go online they might work with their bank, get their email, conduct business, or get the news by accessing services. But those services don’t exist independently. Those services rely on a common infrastructure of servers and switches, miles of cabling, wireless spectrum, and routers. That same infrastructure is used by other services too, such as utilities and shipping to ensure products arrive as intended—or by businesses to develop new products more efficiently and manage their operations. The entire infrastructure and all those services that are part of cyberspace exist to deliver an experience to a user, a human.

Thus, from a policymaking standpoint cybersecurity can be considered the security of cyberspace—which includes the devices, infrastructure, data, and users that make it up. To support cybersecurity policymaking, adjacent fields also need consideration. Education, workforce management, investment, entrepreneurship, and research and development are necessary to get a product to market. Developers, law enforcement, intelligence, incident response, and national defense are necessary to respond when something goes awry in cyberspace.

Threats

The nation faces many threats with an array of capabilities and capacities to carry out attacks. Threat actors may directly target the elements of cyberspace (e.g., networks, data, services, and users). However, they may also use these elements to attack industry through cyberspace.

For instance, a hacker operating independently or under a nation-state’s instruction may target a hospital system. The hacker may send ransomware to a hospital to extort payment before the hospital can regain access to its files and devices. However, during that attack the hacker may also install a tool on the hospital’s network, providing persistent access they will use to steal data, including patient information or hospital operations material. The hacker can then use that information to identify additional targets. In this scenario the hacker has attacked the hospital network, networked medical devices, and patient data.

The Director of National Intelligence (DNI) delivers the Intelligence Community’s Worldwide Threat Assessment to Congress. For the past few years the Director has addressed “cyber” as the first and most significant risk in the assessment. In 2019, the DNI listed threats by the risk they pose, starting with the countries of Russia, China, Iran, and North Korea:

“As the world becomes increasingly interconnected, we expect these actors, and others, to rely more and more on cyber capabilities when seeking to gain political, economic, and military advantages over the United States and its allies and partners.”

This ordering of countries considers the actor’s technical capability, willingness to conduct cyber operations, and effectiveness as a threat to national security.

Policy Areas

Given that cybersecurity is a large and complex issue area, separating it into sub-issue areas can help in both understanding problems and crafting solutions. Four areas to consider are information and system security, device security, governance, and international relations.

Information and System Security

Computer scientists characterize security through three attributes:

Confidentiality: that data is only known to authorized parties. A data breach is an example of how confidentiality is compromised, while encryption is a tool used to ensure confidentiality.

Integrity: that data and systems are not altered without authorization. Data manipulation is an example of how integrity is breached, while data-checking tools, such as hashing, ensure one can verify the integrity of data.

Availability: that data and systems are available to authorized parties when they choose. Ransomware attacks availability; backups are a tool to support data availability.

Related to integrity is the concept of authentication, or that users can verify data is from a trusted source. The internet was built using technologies that assume the trust of its users, but as the internet has grown into a global network, anonymity and data manipulation have proliferated, complicating the options a user has when determining the validity of online information.

Device Security

Similar to information security, the security of the system (e.g., the application, servers, routers, appliances, devices) can also be understood through the lenses of confidentiality, integrity, and availability. For an internet-connected device which monitors a building’s energy use, the utility and customer will want to ensure data on the device is only accessible to them (confidentiality), the device accurately states how much energy is used (integrity), and the device is always monitoring usage (availability).

Governance

Many different entities are involved in cybersecurity. Government entities with regulatory authority may choose to exercise that authority by scrutinizing an industry’s cybersecurity activities. Manufacturers may choose to adopt standards and best practices. Users may be savvy or oblivious to their cybersecurity risk. Network access and services providers may provide products which mitigate cybersecurity risk or transfer that risk to another party, such as to an insurer or to a security company. The interaction between all these parties through agreements, contracts, treaties, or other pacts creates a complex layer of responsibility and accountability for cyberspace.

International Relations

The internet is a global network, where a packet of data originating from one country can move to another at the speed of light. The devices that make up the infrastructure of the internet have a global supply chain. The software those devices require to operate is often created by an international workforce. Policies that one country establishes may have market effects in another.

The Internet-of-Things (IOT) highlights the international nature of cybersecurity. Devices may be built in one country to the standards of another where they will be sold. But, since they connect to the internet, they may become infected with malware from a third country, and be used against users in a fourth—all with little to no user action.

Policy Considerations

In crafting policy to address cybersecurity issues Congress has many options. Below is a list of possible actions Congress may take to strengthen cybersecurity (in alphabetical order).

Conduct Oversight. Congress has direct oversight over the operations of the federal government, including the security of agencies’ information technology and data. Congress may choose to call hearings and solicit testimony from non-governmental organizations to ensure the cybersecurity of the nation, which includes the security of critical infrastructure and consumer data protection.

Develop a Program. Congress may choose to establish a program to address a facet of cybersecurity by authorizing an agency to do such work and appropriating funds for it.

Establish Rights. Congress may choose to establish the conditions for the use of technology, such as legal requirements for data privacy, retention, and use.

Incentivize Behavior. Congress may choose to incentivize the behavior of manufacturers, developers, vendors, or consumers either directly (such as through a grant program) or indirectly (such as by providing liability protections). One way Congress may choose to incentivize behavior is through the tax code. Congress could adjust the tax code to impose a penalty or provide a benefit (e.g., tax credit) for certain actions an individual or organization makes to improve cybersecurity.

Regulate Industry. Congress may choose to direct an industry to adopt standards or best practices, or participate in information sharing.

Study the Issue. Congress may choose to spur activity by directing agencies to develop a report or strategy.

Chris Jaikaran, Analyst in Cybersecurity Policy

IF10559




Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.

https://crsreports.congress.gov | IF10559 · VERSION 4 · UPDATED