Cybersecurity: A Primer



Updated December 8, 2022
Cybersecurity: A Primer
Introduction
Thus, from a policymaking standpoint cybersecurity can be
The information technology that Americans use to chat with
considered the security of cyberspace—which includes the
loved ones and make purchases are the same that can be
devices, infrastructure, data, and users that make it up. To
turned against them to deny access to services, steal their
support cybersecurity policymaking, adjacent fields also
information, or compromise the digital systems they trust.
need consideration. Education, workforce management,
investment, entrepreneurship, and research and
These tools exist in cyberspace, and the security of that
development are necessary to get a product to market.
environment is a large endeavor involving government, the
Developers, law enforcement, intelligence, incident
private sector, international partners, and others.
response, and national defense are necessary to respond
when something goes awry in cyberspace.
This In Focus provides an overview of cybersecurity for
policymaking purposes, describes issues that cybersecurity
Threats
affects, and discusses potential actions Congress could take.
The nation faces many threats (manmade and not) with an
array of capabilities to carry out attacks. Threat actors may
The Nature of Cybersecurity
directly target the elements of cyberspace (e.g., networks,
The term “cyber” is frequently attached to a variety of
data, services, and users). However, they may also use these
security issues, underscoring that issues surrounding the
elements to attack industry through cyberspace.
management of cyberspace and its security are vast and
complicated.
For instance, a hacker operating independently or under a
nation-state’s instruction may target a hospital system. The
To highlight how complicated it is, consider that the federal
hacker may send ransomware to a hospital to extort
government does not have a single definition of cyberspace
payment before the hospital can regain access to its files
or cybersecurity. The Cyberspace Solarium Commission—
and devices. However, during that attack the hacker may
defined “cyber” as
also install a tool on the hospital’s network, providing
persistent access they will use to steal data, including
Relating to, involving, or characteristic of
patient information or hospital operations material. The
computers, computer networks, information and
hacker can then use that information to identify additional
communications technology (ICT), virtual systems,
targets. In this scenario the hacker has attacked the hospital
or
computer-enabled
control
of
physical
network, networked medical devices, and patient data.
components.
The Director of National Intelligence (DNI) delivers the
While this definition may be suitable for a broad discussion
Intelligence Community’s Worldwide Threat Assessment to
about information technology, it does not account for
Congress. In 2022, the DNI highlighted China, Russia, Iran,
relevant policymaking considerations concerning
North Korea, and Transnational Organized Crime as threat
cybersecurity. Essentially, cybersecurity is the security of
actors of concern in cyberspace. These actors have
cyberspace.
demonstrated a growing capability and capacity for attacks
against U.S. interests.
As an example, consider a single smartphone. An American
company may have designed the device, but the device may
China is the most active actor conducting espionage
be built by a different company abroad using material from
campaigns but with a capability to disrupt infrastructure.
yet another country. The phone runs on software built by
Russia seeks to use disruptions in cyberspace to bolster its
one company but modern operating systems borrow code
military and foreign policy goals. Iran aggressiveness in
from other companies and developers. Once a user has the
using cyber capabilities threatens networks and data. North
device it will likely be connected to a variety of networks
Korea uses cyberspace to spy, steal, and disrupt.
such as a home wireless network, a corporate network, and
Transnational criminal organizations will continue to
a cellular network. Each of these networks has its own
conduct phishing, fraud, and ransomware attacks for their
infrastructure, but also share common internet
own economic gain and under the direction of a nation-
infrastructure. The user will also install applications that
state. The more these adversaries engage in cyberattacks,
contain code and use infrastructure by yet other myriad
the more their expertise and willingness to use their
companies. Imagining users at the center, one can see large
capabilities grow.
and intricate systems on one side and the other to create
these devices and ensure their operation. The entire
In addition to threat actors, users face threats from inherent
infrastructure and all those services that are part of
vulnerabilities in software. The Log4j vulnerability is one
cyberspace exist to deliver an experience to a user, a
such example of widely used code that put many internet
human.
servers at risk of exposing user data.
https://crsreports.congress.gov

Cybersecurity: A Primer
Policy Areas
evolve as government and industry negotiate their shared
Given that cybersecurity is a large and complex issue area,
responsibility for national cybersecurity.
paring it down to sub-issue areas can help in both
understanding problems and crafting solutions. Four areas
International Relations
to consider are information and system security, device
The internet is a global network, where a packet of data
security, governance, and international relations.
originating from one country can move to another at the
speed of light. The devices that make up the infrastructure
Information and System Security
of the internet have a global supply chain. The software
Computer scientists characterize security through three
those devices require to operate are often created by an
attributes:
international workforce. Policies that one country
establishes may have market effects in another.
Confidentiality: that data is only known to authorized
parties. A data breach is an example of how
The Internet-of-Things (IOT) highlights the international
confidentiality is compromised, while encryption is a
nature of cybersecurity. Devices may be built in one
tool used to ensure confidentiality.
country to the standards of another where they will be sold.

But, since they connect to the internet, they may become
Integrity: that data and systems are not altered without
infected with malware from a third country, and be used
authorization. Data manipulation is an example of how
against users in a fourth—all with little to no user action.
integrity is attacked, while data-checking tools, such as
hashing, ensure one can verify the integrity of data.
Policy Considerations
Availability: that data and systems are available to
In crafting policy to address cybersecurity issues Congress
authorized parties when they choose. Ransomware
has many options. Below is a list of possible actions
attacks availability; backups are a tool to support data
Congress may take to strengthen cybersecurity (in
availability.
alphabetical order).
Related to integrity is the concept of authentication or that
Assess Resources. Congress may choose to examine an
users can verify data is from a trusted source. The internet
existing authority to determine if adequate investment to
was built using technologies that assume the trust of its
carry out Congress’s intent has been made and adjust
users, but as the internet has grown into a global network,
investments in that area to align with current expectations.
anonymity and data manipulation have proliferated,
complicating the options a user has when determining the
Conduct Oversight. Congress has direct oversight over the
validity of online information. Inaccurate identifiers also
operations of the federal government, including the security
frustrate companies seeking to verify their users—leading
of agencies’ information technology and data. Congress
many to adopt zero-trust architectures where users are
may choose to call hearings and solicit testimony to ensure
continuously authenticated.
the cybersecurity of the nation, which includes the security
of critical infrastructure and consumer data protection.
Device Security
Similar to information security, the security of the system
Develop a Program. Congress may choose to establish a
(e.g., the application, servers, routers, appliances, devices)
program to address a facet of cybersecurity by authorizing
can also be understood through the lenses of confidentiality,
an agency to do such work and appropriating funds for it.
integrity, and availability. For an internet-connected device
which monitors a building’s energy use, the utility and
Establish Rights. Congress may choose to establish the
customer will want to ensure data on the device is only
conditions for the use of technology, such as legal
accessible to them (confidentiality), the device accurately
requirements for data privacy, retention, and use.
states how much energy is used (integrity), and the device
is always monitoring usage (availability).
Incentivize Behavior. Congress may choose to incentivize
the behavior of manufacturers, developers, vendors, or
Governance
consumers either directly (such as through a grant program)
Many different entities are involved in cybersecurity.
or indirectly (such as by providing liability protections).
Government entities with regulatory authority may choose
One way Congress has incentivized behavior is through
to exercise that authority by scrutinizing an industry’s
grant programs allowing underfunded entities (e.g., state
cybersecurity activities. Manufacturers may choose to adopt
and local governments) a steady capital stream.
standards and best practices. Users may be savvy or
oblivious to their cybersecurity risk. Network access and
Regulate Industry. Congress may choose to direct an
services providers may provide products which mitigate
industry to adopt standards or best practices, or participate
cybersecurity risk or transfer that risk to another party, such
in information sharing.
as to an insurer or to a security company. The interaction
between all these parties through agreements, contracts,
Study the Issue. Congress may choose to spur activity by
treaties, or other pacts creates a complex layer of
directing agencies to develop a report or strategy.
responsibility and accountability for cyberspace. In addition
to formal agreements, there are tacit understandings and
Chris Jaikaran, Specialist in Cybersecurity Policy
expectations of each of these parties which continue to
IF10559
https://crsreports.congress.gov

Cybersecurity: A Primer


Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.

https://crsreports.congress.gov | IF10559 · VERSION 5 · UPDATED