Cybersecurity Issues and Challenges

November 6, 2014

Overview

Information and communications technology (ICT) is ubiquitous and increasingly integral to almost every facet of modern society. ICT devices and components are generally interdependent, and disruption of one may affect many others. Over the past several years, experts and policymakers have expressed increasing concerns about protecting ICT systems from cyberattacks.

The risks associated with any attack depend on three factors: threats (who is attacking), vulnerabilities (how they are attacking), and impacts (what the attack does).

What are the threats? People who perform cyberattacks generally fall into one or more of five categories: criminals intent on monetary gain from crimes such as theft or extortion; spies intent on stealing classified or proprietary information used by government or private entities; nation-state warriors who develop capabilities and undertake cyberattacks in support of a country’s strategic objectives; “hacktivists” who perform cyberattacks for nonmonetary reasons; and terrorists who engage in cyberattacks as a form of non-state or state-sponsored warfare.

What are the vulnerabilities? Cybersecurity is in many ways an arms race between attackers and defenders. ICT systems are very complex, and attackers are constantly probing for weaknesses, which can occur at many points. Defenders can often protect against weaknesses, but three are particularly challenging: inadvertent or intentional acts by insiders with access to a system; supply chain vulnerabilities, which can permit the insertion of malicious software or hardware during the acquisition process; and previously unknown, or zero-day, vulnerabilities with no established fix.

What are the impacts? A successful attack can compromise the confidentiality, integrity, and availability of an ICT system and the information it handles. Cybertheft or cyberespionage can result in exfiltration of financial, proprietary, or personal information from which the attacker can benefit, often without the knowledge of the victim. Denial-of-service attacks can slow or prevent legitimate users from accessing a system. Botnet malware can give an attacker command of a system for use in cyberattacks on other systems. Attacks on industrial control systems can result in the destruction of the equipment they control, such as generators, pumps, and centrifuges.

Most cyberattacks have limited impacts, but a successful attack on some components of critical infrastructure (CI)—most of which is held by the private sector—could have significant effects on national security, the economy, and the livelihood and safety of individual citizens. Thus, a rare attack with high impact can pose a much larger risk than a common attack with low impact.

Reducing the risks from cyberattacks usually involves (1) removing the threat source, e.g., by closing down botnets or reducing incentives for cybercriminals; (2) addressing vulnerabilities by hardening ICT assets, e.g., by patching software and training employees; and (3) lessening impacts by mitigating damage and restoring functions, e.g., by having back-up resources available for continuity of operations in response to an attack.

Federal Role

The federal role in cybersecurity involves both securing federal systems and assisting in protecting nonfederal systems. Under current law, all federal agencies have cybersecurity responsibilities relating to their own systems, and many have sector-specific responsibilities for CI. More than 50 statutes address various aspects of cybersecurity, and new legislation has been debated since the 111th Congress. However, no major cybersecurity bills have been enacted since the Federal Information Security Management Act (FISMA) in 2002.

Figure 1. Federal Agency Roles in Cybersecurity
[Figure: schematic diagram of major federal agency responsibilities in cybersecurity; image not reproduced in this text.]
Source: CRS.
Notes: DHS: Department of Homeland Security; DOD: Department of Defense; DOJ: Department of Justice; IC: Intelligence Community; NIST: National Institute of Standards and Technology; NSA: National Security Agency; NSS: National Security Systems; OMB: Office of Management and Budget; R&D: Research and development.

Figure 1 is a simplified schematic diagram of major agency responsibilities in cybersecurity. In general, NIST develops FISMA standards that apply to federal civilian ICT, and OMB is responsible for overseeing their implementation. DOD is responsible for military cyberdefense and, through NSA, security of NSS, which handle classified information. NSA is also part of the IC. DHS has operational responsibility for protection of civilian systems and is the lead agency for assisting the private sector in protecting CI assets under their control. DOJ is the lead agency for enforcement of relevant laws.

What Does the Cybersecurity Executive Order Do? In February 2013, the White House issued Executive Order 13636 and Presidential Policy Directive 21 to address CI cybersecurity through voluntary public/private sector collaboration and use of existing regulatory authorities. Among other things, the documents expanded an existing DHS information-sharing program and required NIST to lead public/private development of a Cybersecurity Framework of standards and best practices for protecting CI. Released in February 2014, the Framework has received generally positive reviews, but it appears too early to determine the extent to which it will improve CI cybersecurity.

Legislative Proposals

Beginning in the 111th Congress, many bills have been introduced that would address cybersecurity issues. Several have passed the House, both in the 112th and 113th Congresses, and one passed the Senate, but none had passed both chambers as of October 2014. The main issues addressed by the bills are

Information Sharing—easing access of the private sector to classified threat information and removing barriers to sharing within the private sector and with the federal government. Controversies: Roles of DHS and the IC, impacts on privacy and civil liberties, and risks of misuse by the federal government or the private sector.

FISMA Reform—updating the 2002 law to reflect changes in ICT and the threat landscape. Controversies: Role of DHS, OMB, and Commerce, and flexibility of requirements.

R&D—updating agency authorizations and strategic planning requirements. Controversies: Agency roles, topics for R&D, and levels of funding.

Workforce—improving the size, skills, and preparation of the federal and private-sector cybersecurity workforce. Controversies: Hiring and retention authorities, occupational classification, recruitment priorities, and roles of DHS, NSA, NSF, and NIST.

Privately Held CI—improving protection of private-sector CI from attacks with major impacts. Controversies: Roles of DHS and other federal agencies, and regulatory vs. voluntary approach.

Data-Breach Notification—requiring notification to victims and other responses after data breaches involving personal or financial information of individuals. Controversies: Federal vs. state roles and what responses should be required.

Cybercrime Laws—updating criminal statutes and law-enforcement authorities relating to cybersecurity. Controversies: Adequacy of current penalties and authorities, impacts on privacy and civil liberties.

Long-Term Challenges

The executive-branch actions and proposed legislation are largely designed to address several well-established near-term needs in cybersecurity: preventing cyber-based disasters and espionage, reducing impacts of successful attacks, improving inter- and intrasector collaboration, clarifying federal agency roles and responsibilities, and fighting cybercrime. However, those needs exist in the context of more difficult long-term challenges relating to design, incentives, consensus, and environment (DICE):

Design: Experts often say that effective security needs to be an integral part of ICT design. Yet, developers have traditionally focused more on features than security, for economic reasons. Also, many future security needs cannot be predicted, posing a difficult challenge for designers.

Incentives: The structure of economic incentives for cybersecurity has been called distorted or even perverse. Cybercrime is regarded as cheap, profitable, and comparatively safe for the criminals. Cybersecurity, in contrast, can be expensive, is by its nature imperfect, and the economic returns on investments are often unsure.

Consensus: Cybersecurity means different things to different stakeholders, with little common agreement on meaning, implementation, and risks. Substantial cultural impediments to consensus also exist, not only between sectors but within sectors and even within organizations.

Environment: Cyberspace has been called the fastest evolving technology space in human history, both in scale and properties. New and emerging properties and applications—especially social media, mobile computing, big data, cloud computing, and the Internet of things—further complicate the evolving threat environment, but they can also pose potential opportunities for improving cybersecurity, for example through the economies of scale provided by cloud computing and big data analytics.

Legislation and executive actions could have significant impacts on those challenges. For example, cybersecurity R&D may affect the design of ICT, cybercrime penalties may influence the structure of incentives, the Framework may improve consensus about cybersecurity, and federal initiatives in cloud computing and other new components of cyberspace may help shape the evolution of cybersecurity.

For additional selected CRS reports relevant to cybersecurity and a list of experts, see CRS Issues Before Congress: Cybersecurity at www.crs.gov.

Eric A. Fischer, efischer@crs.loc.gov, 7-7071
IF00053
www.crs.gov | 7-5700