Cybersecurity Issues and Challenges

Updated January 10, 2017
Overview
Information and communications technology (ICT) is ubiquitous and continually evolving. It is increasingly integral to modern society. ICT devices and components form a highly interdependent system of networks, infrastructure, and resident data known as cyberspace.

The process of protecting cyberspace from attacks by criminals and other adversaries is called cybersecurity. The risks associated with any such attack depend on three factors: threats (who is attacking), vulnerabilities (what weaknesses they are attacking), and impacts (how the attack affects the victims).

What are the threats? People who perform cyberattacks generally fall into one or more of five categories: criminals intent on monetary gain from crimes such as theft or extortion; spies involved in espionage—stealing classified or proprietary information used by government or private entities; nation-state adversaries who develop capabilities and undertake cyberattacks in support of a country’s strategic objectives; “hacktivists” who perform cyberattacks for nonmonetary reasons; and terrorists who engage in cyberattacks as a form of non-state or state-sponsored warfare.

What are the vulnerabilities? Attackers and defenders are engaged in a cybersecurity arms race. Attackers constantly probe ICT systems for weaknesses. Defenders can often protect against them, but three are particularly challenging: inadvertent or intentional acts by insiders with access to a system; supply chain vulnerabilities, which can permit the insertion of malicious software or hardware during development or acquisition; and previously unknown, or zero-day, vulnerabilities with no established fix.

What are the impacts? A successful attack can compromise the confidentiality, integrity, and availability of an ICT system, the information it handles, and things to which it is connected. Cybertheft or cyberespionage can result in exfiltration of financial, proprietary, or personal information from which the attacker can benefit, often without the knowledge of the victim. Denial-of-service attacks can slow or prevent legitimate users from accessing a system. Botnet malware can give an attacker command of a network of “zombie” computers or devices for use in cyberattacks on other systems. Attacks on industrial control systems can result in the destruction of the equipment they control, such as generators, pumps, and centrifuges.

Most cyberattacks have limited impacts, but a successful attack on some components of critical infrastructure (CI)—most of which is held by the private sector—could have significant effects on national security, the economy, and the livelihood and safety of individual citizens. Thus, a rare successful attack with high impact can pose a larger risk than a common successful attack with low impact.

Reducing the risks from cyberattacks usually involves (1) removing the threat source, e.g., by closing down botnets or reducing incentives for cybercriminals; (2) addressing vulnerabilities by hardening ICT assets, e.g., by patching software and training employees; and (3) lessening impacts by mitigating damage and restoring functions, e.g., by having back-up resources available for continuity of operations in response to an attack.

Federal Role

The federal role in cybersecurity involves both securing federal systems and assisting in protecting nonfederal systems. All federal agencies are responsible for protecting their own systems, and many have sector-specific responsibilities for CI. More than 50 statutes address various aspects of cybersecurity, and several new laws were enacted in the 113th and 114th Congresses.

Figure 1. Federal Agency Roles in Cybersecurity

[Figure: schematic diagram of federal agency roles in cybersecurity]

Source: CRS.

Notes: DHS: Department of Homeland Security; DOD: Department of Defense; DOJ: Department of Justice; FISMA: the Federal Information Security Modernization Act; IC: Intelligence Community; NIST: National Institute of Standards and Technology; NSA: National Security Agency; NSS: National Security Systems; OMB: Office of Management and Budget; R&D: Research and development.

Figure 1 is a simplified schematic diagram of major agency responsibilities in cybersecurity. In general, NIST develops FISMA standards that apply to federal civilian ICT, and OMB is responsible for overseeing their implementation. DHS has operational responsibility for protecting federal civilian systems and is the lead agency coordinating federal efforts to help private entities protect CI assets under their control. DOJ is the lead agency for enforcement of relevant laws. DOD is responsible for military cyberspace operations, defensive support of civil authorities when requested, and, through NSA, security of NSS. NSA is also part of the IC. One continuing area of controversy with respect to agency missions is what role DOD should play in the protection of civilian ICT.

Legislative Actions

Since the 111th Congress, more than 200 bills have been introduced that would address cybersecurity issues. Several were enacted in the 113th and 114th Congresses. Among the issues they addressed are the following:

• Federal Information Systems—updating FISMA to reflect changes in the ICT environment and giving DHS additional authorities to protect federal systems.
• Information Sharing—facilitating public- and private-sector sharing of information on cyberthreats and defensive measures and permitting private-sector entities to monitor and operate defenses on their information systems.
• Program Authorization—providing specific statutory authorization for ongoing activities of NIST (relating to a framework for CI cybersecurity, education, and awareness); the National Science Foundation (Scholarship-for-Service program); and DHS (the National Cybersecurity and Communications Integration Center [NCCIC] and the intrusion-protection system known as EINSTEIN).
• R&D—updating agency authorizations and strategic planning requirements.
• Workforce—improving the size, skills, and preparation of the DHS cybersecurity workforce and requiring an employment-code structure for federal cybersecurity personnel.

The Obama Administration also took several actions relating to the above issues and on others, notably in response to attacks believed to have involved nation-state adversaries. That administration also proposed a revolving fund for modernizing federal ICT and established a commission on improving cybersecurity. That and other task forces have made recommendations for Congress and the incoming administration, including the following:

• Improve international cybersecurity strategies and build stronger international agreements.
• Expand deterrence and take a more assertive approach against cybercrime, including measures to raise the costs of cyberattack.
• Improve the usability and affordability of cybersecurity in products and services for consumers and businesses.
• Enact federal legislation on data-breach notification and take other steps to protect data and privacy.
• Address vulnerabilities posed by the Internet of Things (IoT)—the rapidly growing global network of devices connected in cyberspace.
• Streamline, clarify, and strengthen the organization of the federal government with respect to cybersecurity, and strengthen the capabilities of key agencies.
• Strengthen and build on public-private partnerships to improve cybersecurity.
• Clarify the role of active defense and research on vulnerabilities by the private sector.

Long-Term Challenges

The legislation and executive-branch actions discussed above are largely designed to address several well-established near-term needs in cybersecurity: preventing cyber-based disasters and espionage, reducing impacts of successful attacks, improving inter- and intrasector collaboration, clarifying federal agency roles and responsibilities, and fighting cybercrime. However, those needs exist in the context of more difficult long-term challenges relating to design, incentives, consensus, and environment (DICE):

Design: Experts often say that effective security needs to be an integral part of ICT design. Yet, developers have traditionally focused more on features than security, for economic reasons. Also, many future security needs cannot be predicted, posing a difficult challenge for designers.

Incentives: The structure of economic incentives for cybersecurity has been called distorted or even perverse. Cybercrime is regarded as cheap, profitable, and comparatively safe for the criminals. In contrast, cybersecurity can be expensive, is by its nature imperfect, and the economic returns on investments are often unsure.

Consensus: Cybersecurity means different things to different stakeholders, with little common agreement on meaning, implementation, and risks. Substantial cultural impediments to consensus also exist, not only between sectors but within sectors and even within organizations.

Environment: Cyberspace has been called the fastest evolving technology space in human history, both in scale and properties. New and emerging properties and applications—especially social media, mobile computing, big data, cloud computing, and the IoT—further complicate the evolving threat environment, but they can also pose potential opportunities for improving cybersecurity, for example through the economies of scale provided by cloud computing and big data analytics.

Legislation and executive actions could have significant impacts on those challenges. For example, cybersecurity R&D may affect the design of ICT, cybercrime penalties may influence the structure of incentives, the NIST cybersecurity framework may improve consensus about cybersecurity, and federal initiatives in cloud computing and other new components of cyberspace may help shape the evolution of cybersecurity. See also CRS Report R43831, Cybersecurity Issues and Challenges: In Brief.

Eric A. Fischer,

IF10001

Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.

https://crsreports.congress.gov | IF10001 · VERSION 9 · UPDATED