Cybersecurity

Updated March 23, 2015

Overview

Information and communications technology (ICT) has evolved greatly over the last half-century. ICT devices and components now form a highly interdependent system of networks, infrastructure, and resident data—known as cyberspace—that has become ubiquitous and increasingly integral to almost every facet of modern society. Experts and policymakers are increasingly concerned about cybersecurity—protecting cyberspace from attack by criminals and other adversaries.

The risks associated with any attack depend on three factors: threats (who is attacking), vulnerabilities (how they are attacking), and impacts (what the attack does).

What are the threats? People who perform cyberattacks include criminals intent on monetary gain from crimes such as theft or extortion; spies intent on stealing information used by government or private entities; nation-state warriors who develop capabilities and undertake cyberattacks to support strategic objectives; “hacktivists” who perform cyberattacks for nonmonetary reasons; and terrorists who engage in cyberattacks as a form of non-state or state-sponsored warfare.

What are the vulnerabilities? Cybersecurity is an arms race between attackers and defenders. Attackers are constantly probing ICT systems for weaknesses. Defenders can often protect against them, but three are particularly challenging: inadvertent or intentional acts by insiders with access to a system; supply chain vulnerabilities, which can permit the insertion of malicious software or hardware during the acquisition process; and previously unknown, or zero-day, vulnerabilities with no established fix.

What are the impacts? A successful attack can compromise the confidentiality, integrity, and availability of an ICT system and the information it handles. Cybertheft or cyberespionage can result in exfiltration of financial, proprietary, or personal information from which the attacker can benefit. Denial-of-service attacks can slow or prevent legitimate users from accessing a system. Botnet malware can give an attacker command of a system for use in cyberattacks on other systems. Attacks on industrial control systems can result in the destruction of the equipment they control, such as generators, pumps, and centrifuges.

Most cyberattacks have limited impacts, but a successful attack on some components of critical infrastructure (CI)—most of which are held by the private sector, such as the electric grid and major financial institutions—could have significant effects on national security, the economy, and the livelihood and safety of individuals. A rare successful attack with high impact can pose a larger risk than a common successful attack with low impact.

Reducing the risks from cyberattacks usually involves (1) removing the threat source, e.g., by closing down botnets or reducing incentives for cybercriminals; (2) addressing vulnerabilities by hardening ICT assets, e.g., by patching software and training employees; and (3) lessening impacts by mitigating damage and restoring functions, e.g., by having back-up resources available for continuity of operations in response to an attack.

Federal Role

The federal role in cybersecurity involves both securing federal systems and assisting in protecting nonfederal cyberspace. All federal agencies are responsible for protecting their own systems, and many have sector-specific responsibilities for CI. More than 50 statutes address various aspects of cybersecurity, and additional legislation has been proposed.

Figure 1. Federal Agency Roles in Cybersecurity
[Figure: simplified schematic diagram of major agency responsibilities in cybersecurity; image not reproduced in this text.]
Source: CRS.
Notes: DHS: Department of Homeland Security; DOD: Department of Defense; DOJ: Department of Justice; FISMA: the Federal Information Security Management Act; IC: Intelligence Community; NIST: National Institute of Standards and Technology; NSA: National Security Agency; NSS: National Security Systems; OMB: Office of Management and Budget; R&D: Research and development.

Figure 1 is a simplified schematic diagram of major agency responsibilities in cybersecurity. In general, NIST develops FISMA standards that apply to federal civilian ICT, and OMB is responsible for overseeing their implementation. DHS has operational responsibility for protection of federal civilian systems and is the lead agency coordinating federal efforts assisting the private sector in protecting CI assets under their control. DOJ is the lead agency for enforcement of relevant laws.

DOD, which accounts for more than 70% of all federal spending on cybersecurity, is responsible for military cyberspace operations, defense support of civil authorities when requested, and, through NSA, security of NSS. NSA is also part of the IC. The director of the NSA also leads the U.S. Cyber Command, whose main mission areas are defending the DOD information networks, providing support to combatant commanders for execution of their global missions, and strengthening the nation’s ability to withstand and respond to cyberattack. DOD has the authority to conduct cyberspace activities in support of military operations pursuant to a congressionally authorized use of force outside of the United States, or to defend against a cyberattack on a DOD asset.

What does the cybersecurity framework do? In February 2013, the White House issued Executive Order 13636 to address CI cybersecurity. Among other things, the order required NIST to lead public/private development of a Cybersecurity Framework of standards and best practices for protecting CI. Released in February 2014, the Framework received positive reviews, but it appears too early to determine the extent to which it will improve CI cybersecurity.

Legislative Issues

Since the 111th Congress, more than 200 bills have been introduced that would address cybersecurity issues. Five were enacted at the end of the 113th Congress. They addressed

- FISMA Reform—updating the act to reflect changes in ICT and the threat landscape.
- Workforce—improving the size, skills, and preparation of the DHS cybersecurity workforce.
- R&D—updating agency authorizations and strategic planning requirements.
- Program Authorization—providing specific statutory authorization for ongoing activities of NIST (relating to the Framework, education, and awareness); the National Science Foundation (Scholarship-for-Service program); and DHS (the National Cybersecurity and Communications Integration Center [NCCIC]).

In the 114th Congress, debate has centered on three issues:

- Information Sharing—easing access of the private sector to threat information and removing barriers to sharing within the private sector and with the federal government. Controversies: Roles of DHS, DOD, and the IC; impacts on privacy and civil liberties; risks of misuse by the federal government or the private sector; effects of proposed liability protections.
- Data-Breach Notification—requiring protective measures and notification to customers and other parties after data breaches involving personal or financial information of individuals. Controversies: Federal vs. state roles; what protections and responses should be required.
- Cybercrime Laws—updating criminal statutes and law-enforcement authorities relating to cybersecurity. Controversies: Adequacy of current penalties and authorities; federal vs. state roles; clarifying scope of current criminal liability, including impacts on civil liberties.

Long-Term Challenges

Current proposals are largely designed to address near-term needs in cybersecurity. However, those needs exist in the context of more difficult long-term challenges relating to design, incentives, consensus, and environment (DICE):

Design: Experts often say that effective security needs to be an integral part of ICT design. Yet, developers have traditionally focused more on features than security, for economic reasons. Also, many future security needs cannot be predicted, posing a difficult challenge for designers.

Incentives: The structure of economic incentives for cybersecurity has been called distorted or even perverse. Cybercrime is regarded as cheap, profitable, and comparatively safe for the criminals. In contrast, cybersecurity can be expensive, is by its nature imperfect, and the economic returns on investments are often unsure.

Consensus: Cybersecurity means different things to different stakeholders, with little common agreement on meaning, implementation, and risks. Substantial cultural impediments to consensus also exist, not only between sectors but within sectors and even within organizations.

Environment: Cyberspace has been called the fastest evolving technology space in human history, both in scale and properties. New and emerging properties and applications—especially social media, mobile computing, big data, cloud computing, and the Internet of things—further complicate the evolving threat environment, but they can also pose potential opportunities for improving cybersecurity, for example through the economies of scale provided by cloud computing and big data analytics.

Legislation and executive actions could have significant impacts on those challenges. For example, R&D may affect ICT design, cybercrime penalties may influence the structure of incentives, the Framework may improve consensus about cybersecurity, and federal initiatives in cloud computing and other new components of cyberspace may help shape the evolution of cybersecurity. See also CRS Issues Before Congress: Cybersecurity at www.crs.gov.

Eric A. Fischer, Senior Specialist in Science and Technology
Catherine A. Theohary, Specialist in National Security Policy and Information Operations

IF10159

https://crsreports.congress.gov


Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.

https://crsreports.congress.gov | IF10159 · VERSION 2 · UPDATED